On Mon, Feb 17, 2014 at 9:45 AM, Wim Ramakers <wim.ramakers_at_lucine-os.be> wrote:
> I’m trying to configure squid3 (on Debian server) to block certain (mostly social media) websites based on the LDAP (age) group the users are in.
> The devices are apple ipads, safari is used as web browser, and apps are installed with the Mobile Iron multiuser platform. The device will be shared among users of multiple groups, so i must FORCE the user to reauthenticate every 30 minutes.
>
> The problem we have now is that when a user authenticates correctly, the credentials never expire. For testing purposes I’ve set the ttl to 1 minute now, but after I authenticate a user successfully I never get a new challenge.
> My current config:
> -----
> authenticate_ttl 1 minute
>
> auth_param basic program /usr/lib/squid3/squid_ldap_auth -v 3 -b "dc=mydomain,dc=eu" -f uid=%s -h 10.11.12.13
> auth_param basic children 5
> auth_param basic realm Web-Proxy
> auth_param basic credentialsttl 5 minutes
> acl ldap-auth proxy_auth REQUIRED
>
> external_acl_type ldapgroup ttl=60 %LOGIN /usr/lib/squid3/squid_ldap_group -b "dc=mydomain,dc=eu" -f (&(objectClass=inetOrgPerson)(uid=%u)(memberOf=cn=%g,ou=subou,ou=mainou,dc=mydomain,dc=eu)) -h 10.11.12.13
> acl ldapgroup-age9- external ldapgroup leeftijdsgroep_tot_9_jaar
> acl ldapgroup-age12- external ldapgroup leeftijdsgroep_tot_12_jaar
> acl ldapgroup-age13- external ldapgroup leeftijdsgroep_tot_13_jaar
> acl ldapgroup-age18- external ldapgroup leeftijdsgroep_tot_18_jaar
> acl ldapgroup-age18+ external ldapgroup standaard_leeftijdsgroep
>
> acl facebook dstdomain .facebook.com
> # Deny access to facebook if not in 18+ or 18- (=16-18)group
> http_access deny facebook !ldapgroup-age18+ !ldapgroup-age18- !ldap-auth
> ——
>
> I’ve tried also other http_access allow/deny rules, following different tutorials i found online, but that did not change anything.
> Can anyone spot the problem in my config, or is it just the ipad that caches the correct credentials and automatically uses these on next challenges?? When it is a caching issue, what other options do i have to force the user to enter his credentials again after a fixed period of time?
>
> Thanks in advance for your help.
I will say that I don't know a lot about different parts of Squid, so
not sure about this, but would it have something to do with the
authenticate_cache_garbage_interval, default is an hour.
(http://www.squid-cache.org/Versions/v3/3.1/cfgman/authenticate_cache_garbage_interval.html)
I don't know if the authentication hangs around if it is greater than
the ttl or not. Just a suggestion and I am guessing others will have
a better answer than me.
-- Scott Mayo Mayo's Pioneer Seeds PH: 573-568-3235 CE: 573-614-2138Received on Mon Feb 17 2014 - 16:31:05 MST
This archive was generated by hypermail 2.2.0 : Mon Feb 17 2014 - 12:00:05 MST