Re: [squid-users] LDAP against eDirectory refresh required

From: B K <[email protected]>
Date: Wed, 18 Oct 2006 10:03:48 +1000

It appears I have a different problem, but still all related.

The groups are read from my BannedUsers group to enforce Internet usage
blocks, however users remain banned even when taken out of the group. This
is not related to a TTL, as I have come in after an over night and my users
are still blocked.

This is my code below: I may have provided more code than necessary but I
wanted to show you the order in which I have everything setup incase this
was the issue.

auth_param basic program /usr/sbin/squid_ldap_auth -Z -D cn=admin,o=novell
-w admin -b o=novell -s sub -f "(&(objectclass=User)(cn=%s))" -h 172.18.0.10
-p 389
external_acl_type ldap-group %LOGIN /usr/sbin/squid_ldap_group -Z -D
cn=admin,o=novell -w admin -b o=novell -s sub -f
"(&(objectclass=User)(cn=%u)(groupMembership=%g)) -h 172.18.0.10 -p 389
auth_param basic children 5
auth_param basic realm Squid Proxy Server Project (Beta)
auth_param basic credentialsttl 60 seconds

*****************

acl password proxy_auth REQUIRED
acl admins proxy_auth admin
#acl anonymisers dstdomain "/usr/local/squid/anonymous"
acl anonymisers url_regex "/usr/local/squid/anonymous"

#acl mime rep_mime_type -i ^application/octet-stream$
#Above code provides some resistance to downloading of files (example
executables). Interfered with me downloading msn messenger.

acl mime rep_mime_type -i ^application/x-msn-messenger$
#Above code provides a total block solution for msn live messenger

acl mime rep_mime_type -i ^application/zip$
#acl mime rep_mime_type -i ^application/x-shockwave-flash$
#acl mime rep_mime_type -i ^application/pdf$
#acl mime rep_mime_type -1 ^image/jpegs$
#acl mime rep_mime_type -i ^application/x-javascript$

#acl fileupload req_mime_type -i ^multipart/form-data$
#acl javascript rep_mime_type -i ^application/x-javascript$

#acl banned external ldap-group BannedUsers
acl banned external ldap-group cn=BannedUsers,ou=Users,o=novell

#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
#acl MyNetwork src 172.18.0.0/16

*******************************

#Default:
# http_access deny all
#
#Recommended minimum configuration:
#
# Only allow cachemgr access from localhost
http_access allow manager localhost
http_access deny manager
# Deny requests to unknown ports
http_access deny !Safe_ports
# Deny CONNECT to other than SSL ports
http_access deny CONNECT !SSL_ports
#
# We strongly recommend to uncomment the following to protect innocent
# web applications running on the proxy server who think that the only
# one who can access services on "localhost" is a local user
#http_access deny to_localhost
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS

# Example rule allowing access from your local networks. Adapt
# to list your (internal) IP networks from where browsing should
# be allowed
#acl our_networks src 192.168.1.0/24 192.168.2.0/24
#http_access allow our_networks
http_access allow localhost

#Allow access to MyNetwork Range of hosts 172.18.0.0
#http_access allow MyNetwork
http_access allow admins
http_access deny anonymisers
http_access deny !banned
http_access allow password

Does anyone have any ideas ?

Cheers,

>From: Henrik Nordstrom <henrik@henriknordstrom.net>
>To: B K <b.kot@hotmail.com>
>CC: squid-users@squid-cache.org
>Subject: Re: [squid-users] LDAP against eDirectory refresh required
>Date: Tue, 17 Oct 2006 23:43:12 +0200
>
>tis 2006-10-17 klockan 22:58 +1000 skrev B K:
>
> > My groups are dynamic, constantly changing but I think what is happening
>is
> > ldap is reading it once, or caching the ldap queries. Is this possible?
>
>Squid has a cache on it's external acls. Default is one hour. See the
>external_acl_type directive where you define your ldap group helper.
>
>Regards
>Henrik

><< signature.asc >>

_________________________________________________________________
Research and compare new cars side by side at carpoint.com.au
http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Fsecure%2Dau%2Eimrworldwide%2Ecom%2Fcgi%2Dbin%2Fa%2Fci%5F450304%2Fet%5F2%2Fcg%5F801459%2Fpi%5F1004813%2Fai%5F833884&_t=54321&_r=hotmail_endtext&_m=EXT
Received on Tue Oct 17 2006 - 18:03:57 MDT

This archive was generated by hypermail pre-2.1.9 : Wed Nov 01 2006 - 12:00:04 MST