On Mon, Feb 17, 2014 at 9:45 AM, Wim Ramakers <wim.ramak...@lucine-os.be> wrote:
> I’m trying to configure squid3 (on a Debian server) to block certain (mostly 
> social media) websites based on the LDAP (age) group the users are in.
> The devices are Apple iPads, Safari is used as the web browser, and apps are 
> installed with the Mobile Iron multiuser platform. The device will be shared 
> among users of multiple groups, so I must FORCE the user to reauthenticate 
> every 30 minutes.
>
> The problem we have now is that when a user authenticates correctly, the 
> credentials never expire. For testing purposes I’ve set the ttl to 1 minute 
> now, but after I authenticate a user successfully I never get a new challenge.
> My current config:
> -----
> authenticate_ttl 1 minute
>
> auth_param basic program /usr/lib/squid3/squid_ldap_auth -v 3 -b 
> "dc=mydomain,dc=eu"  -f uid=%s -h 10.11.12.13
> auth_param basic children 5
> auth_param basic realm Web-Proxy
> auth_param basic credentialsttl 5 minutes
> acl ldap-auth proxy_auth REQUIRED
>
> external_acl_type ldapgroup ttl=60 %LOGIN /usr/lib/squid3/squid_ldap_group -b 
> "dc=mydomain,dc=eu"  -f 
> (&(objectClass=inetOrgPerson)(uid=%u)(memberOf=cn=%g,ou=subou,ou=mainou,dc=mydomain,dc=eu))
>  -h 10.11.12.13
> acl ldapgroup-age9- external ldapgroup leeftijdsgroep_tot_9_jaar
> acl ldapgroup-age12- external ldapgroup leeftijdsgroep_tot_12_jaar
> acl ldapgroup-age13- external ldapgroup leeftijdsgroep_tot_13_jaar
> acl ldapgroup-age18- external ldapgroup leeftijdsgroep_tot_18_jaar
> acl ldapgroup-age18+ external ldapgroup standaard_leeftijdsgroep
>
> acl facebook dstdomain .facebook.com
> # Deny access to facebook if not in 18+ or 18- (=16-18)group
> http_access deny facebook !ldapgroup-age18+ !ldapgroup-age18- !ldap-auth
> -----
>
> I’ve also tried other http_access allow/deny rules, following different 
> tutorials I found online, but that did not change anything.
> Can anyone spot the problem in my config, or is it just the iPad that caches 
> the correct credentials and automatically uses them on the next challenges? 
> If it is a caching issue, what other options do I have to force the user to 
> enter his credentials again after a fixed period of time?
>
> Thanks in advance for your help.

I will say that I don't know a lot about different parts of Squid, so
I'm not sure about this, but would it have something to do with
authenticate_cache_garbage_interval? The default is an hour.
(http://www.squid-cache.org/Versions/v3/3.1/cfgman/authenticate_cache_garbage_interval.html)

I don't know if the authentication hangs around if it is greater than
the ttl or not.  Just a suggestion and I am guessing others will have
a better answer than me.

-- 
Scott Mayo
Mayo's Pioneer Seeds   PH: 573-568-3235   CE: 573-614-2138
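An added example, not code from the thread: a small Python model of how Squid evaluates the ACLs on an http_access line (every ACL on a line must match, `!` negates, the first fully matching line wins, and with no match the opposite of the last line's action applies), applied to the facebook rule quoted above and to a constructed comparison ordering for a few constructed users. The ACL names and LDAP group names come from the quoted config; the users, hosts and the comparison rules are assumptions, and Squid's 407 challenge for requests without credentials is not modelled.

```python
# Added example, not code from the thread: a small model of how Squid evaluates
# http_access lines: every ACL on one line must match (AND), "!" negates,
# lines are tried in order and the first fully matching line decides; when no
# line matches, Squid applies the opposite of the last line's action.
# Simplification (assumption): Squid's 407 challenge for requests that carry no
# credentials is not modelled; such a request simply fails the ldap-auth ACL.

def acl_matches(acl, facts):
    """True if one ACL token (optionally '!'-negated) matches the request facts."""
    negated = acl.startswith("!")
    return bool(facts.get(acl.lstrip("!"), False)) != negated


def http_access(rules, facts):
    """Evaluate 'allow|deny acl ...' rules (the http_access keyword omitted)."""
    for rule in rules:
        action, *acls = rule.split()
        if all(acl_matches(a, facts) for a in acls):
            return action
    if not rules:
        return "allow"
    return "allow" if rules[-1].split()[0] == "deny" else "deny"


def request_facts(authenticated, groups, host):
    """Map a constructed request onto the ACL names used in the quoted config."""
    groups = set(groups) if authenticated else set()  # %LOGIN ACLs need a login
    return {
        "ldap-auth": authenticated,
        "facebook": host == "facebook.com" or host.endswith(".facebook.com"),
        "ldapgroup-age12-": "leeftijdsgroep_tot_12_jaar" in groups,
        "ldapgroup-age18-": "leeftijdsgroep_tot_18_jaar" in groups,
        "ldapgroup-age18+": "standaard_leeftijdsgroep" in groups,
    }


# The deny line exactly as quoted in the question.
QUOTED_RULES = ["deny facebook !ldapgroup-age18+ !ldapgroup-age18- !ldap-auth"]

# Constructed comparison (an assumption, not from the thread): same group ACLs
# without the "!ldap-auth" term, followed by an allow for authenticated users.
COMPARISON_RULES = [
    "deny facebook !ldapgroup-age18+ !ldapgroup-age18-",
    "allow ldap-auth",
]


def decide(rules, authenticated, groups, host):
    """Decision ('allow'/'deny') for one constructed user and destination host."""
    return http_access(rules, request_facts(authenticated, groups, host))
```

Running `decide` over the quoted rule shows that it only matches when every term holds at once, so an authenticated user outside both 18 groups is not denied by that line; the comparison ordering denies that same user and still allows an authenticated adult.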
