I’m trying to configure squid3 (on a Debian server) to block certain (mostly 
social media) websites based on the LDAP (age) group the users are in.
The devices are Apple iPads, Safari is used as the web browser, and apps are 
installed with the Mobile Iron multiuser platform. The device will be shared 
among users of multiple groups, so I must FORCE the user to reauthenticate 
every 30 minutes. 

The problem we have now is that when a user authenticates correctly, the 
credentials never expire. For testing purposes I’ve set the ttl to 1 minute 
now, but after I authenticate a user successfully I never get a new challenge.
My current config:
-----
authenticate_ttl 1 minute

auth_param basic program /usr/lib/squid3/squid_ldap_auth -v 3 -b "dc=mydomain,dc=eu" -f uid=%s -h 10.11.12.13
auth_param basic children 5
auth_param basic realm Web-Proxy
auth_param basic credentialsttl 5 minutes
acl ldap-auth proxy_auth REQUIRED

external_acl_type ldapgroup ttl=60 %LOGIN /usr/lib/squid3/squid_ldap_group -b "dc=mydomain,dc=eu" -f (&(objectClass=inetOrgPerson)(uid=%u)(memberOf=cn=%g,ou=subou,ou=mainou,dc=mydomain,dc=eu)) -h 10.11.12.13
acl ldapgroup-age9- external ldapgroup leeftijdsgroep_tot_9_jaar
acl ldapgroup-age12- external ldapgroup leeftijdsgroep_tot_12_jaar
acl ldapgroup-age13- external ldapgroup leeftijdsgroep_tot_13_jaar
acl ldapgroup-age18- external ldapgroup leeftijdsgroep_tot_18_jaar
acl ldapgroup-age18+ external ldapgroup standaard_leeftijdsgroep

acl facebook dstdomain .facebook.com
# Deny access to facebook if not in 18+ or 18- (=16-18)group
http_access deny facebook !ldapgroup-age18+ !ldapgroup-age18- !ldap-auth
-----

I’ve also tried other http_access allow/deny rules, following different 
tutorials I found online, but that did not change anything.
Can anyone spot the problem in my config, or is it just the iPad that caches 
the correct credentials and automatically uses these on next challenges? If 
it is a caching issue, what other options do I have to force the user to enter 
his credentials again after a fixed period of time?

Thanks in advance for your help.
