[squid-users] Squid 2.5.STABLE9 - squid_ldap_auth - squid_ldap_group - problems with ACLs

From: <[email protected]>
Date: Tue, 19 Apr 2005 17:30:06 -0300 (BRT)

Hi,

     I reaaly need help.
     I am trying to set a Squid cache but I had no success for days.
     I have already tried a lot of settings, but couldn't get what I desire.
     I get an Access Denied or an Forward denied.

     I would like to know if somebody can help me.
     What do I want and what do I have?

     I have three groups of users: direc, func, aluno. ( Will be more )
     Each group of users have a group at my LDAP, with the corresponding
users inside. All users are in the ldap. ldap_auth and ldap_group are
working, because I could get the right answers from LDAP.

     For each group of users I have two files with forbidden and allowed
sites, like this: ( to use with url_regex )
     -porn_direc.txt --> forbidden sites for group direc. ( forbidden )
     -noporn_direc.txt --> exceptions sites for group direc.( allowed )

     I already have a porn.txt and noporn.txt, for generic uses.

     I have a set of different networks that must use my proxy.
     Like this:
     -our_networks src 192.168.13.0/24 192.168.15.0/24
     -coord src 192.168.17.0/24

     I want to authenticate everybody from coord, but not for our_networks.
     Everybody from our_networks cannot access porn.txt but can access
noporn.txt. They must not be authenticated or checked with
ldap_group.

     Everybody from coord must be authenticated with ldap_auth, checked
with ldap_group and respect porn_group.txt and noporn_group.txt at
the same time. I mean, all conditions must be respected.

     I am using squid-2.5.STABLE9, with all patches available.

     Following is the only setting I got working, but not solve my problem
and have a problem when the request uses https. ( no authentication )

     Please, if somebody have some setting that works like this, help me.

     Thank you for your attention and forgive for my bad english.

Cassio Freitas
Brazil
--------------------------
http_access allow manager localhost
http_access deny manager

# Deny requests to unknown ports
http_access deny !Safe_ports

# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend to uncomment the following to protect innocent
# web applications running on the proxy server who think that the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
# Exampe rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -v3 -h \
tuxserver.unipam.edu.br -p 389 -s sub -b ou=people,dc=unipam,dc=edu,dc=br \
-u uid -D cn=nssldap,ou=DSA,dc=unipam,dc=edu,dc=br -w ding_dong_libnss_2 \
-f uid=%s
auth_param basic children 15
auth_param basic realm Digite o usuario e a senha
auth_param basic credentialsttl 2 hours
#
external_acl_type ldapgroup concurrency=25 %LOGIN \
/usr/local/squid/libexec/squid_ldap_group -v3 -h tuxserver.unipam.edu.br -p\
389 -B ou=people,dc=unipam,dc=edu,dc=br -b ou=groups,dc=unipam,dc=edu,dc=br\
-D cn=nssldap,ou=DSA,dc=unipam,dc=edu,dc=br -w ding_dong_libnss_2 -f \
(&(objectClass=posixGroup)(gidNumber=%a)(memberUid=%v))
#
acl porn_aluno url_regex "/usr/local/squid/etc/porn_aluno.txt"
acl noporn_aluno url_regex "/usr/local/squid/etc/noporn_aluno.txt"
acl porn_diretor url_regex "/usr/local/squid/etc/porn_diretor.txt"
acl noporn_diretor url_regex "/usr/local/squid/etc/noporn_diretor.txt"
acl porn_func url_regex "/usr/local/squid/etc/porn_func.txt"
acl noporn_func url_regex "/usr/local/squid/etc/noporn_func.txt"
acl porn_veredas url_regex "/usr/local/squid/etc/porn_veredas.txt"
acl noporn_veredas url_regex "/usr/local/squid/etc/noporn_veredas.txt"
acl porn_prof url_regex "/usr/local/squid/etc/porn_prof.txt"
acl noporn_prof url_regex "/usr/local/squid/etc/noporn_prof.txt"
#
acl ldap-auth proxy_auth REQUIRED
acl ldap-group-diretor external ldapgroup 600
acl ldap-group-prof external ldapgroup 601
acl ldap-group-func external ldapgroup 602
acl ldap-group-aluno external ldapgroup 603
acl ldap-group-veredas external ldapgroup 604
acl our_networks src 192.168.13.0/24 192.168.2.0/24 192.168.18.0/24 \
192.168.3.0/24
#
http_access deny !our_networks
http_access deny !ldap-auth
http_access allow !porn_diretor ldap-group-diretor
http_access allow noporn_diretor ldap-group-diretor
http_access allow !porn_prof ldap-group-prof
http_access allow noporn_prof ldap-group-prof
http_access allow !porn_func ldap-group-func
http_access allow noporn_func ldap-group-func
http_access allow !porn_aluno ldap-group-aluno
http_access allow noporn_aluno ldap-group-aluno
http_access allow !porn_veredas ldap-group-veredas
http_access allow noporn_veredas ldap-group-veredas
#
# And finally deny all other access to this proxy
http_access deny all
Received on Tue Apr 19 2005 - 14:22:08 MDT

This archive was generated by hypermail pre-2.1.9 : Sun May 01 2005 - 12:00:04 MDT