A few things to check:

Make sure you have an acl for authentication, e.g.

    acl password proxy_auth REQUIRED

so that Squid can pass a username to squid_ldap_group.
Look at squid_ldap_auth if you don't already have an authentication helper.

Your filters are OK with ldapsearch, but you can also use squid_ldap_group
from the command line to be really sure.

Your http_access lines don't need "AND", and your time acls should be
9:15-11:45, not h9:m15-h11:m45.

Check the cache.log file regularly as you experiment with different
configurations.

I think you're on the right track. If you can get it working with just

    http_access allow day morning

then go a step further and use authentication

    http_access deny !password
    http_access allow day morning

then, once that's working, combine it all with the external acl checks

    http_access deny !password
    http_access allow day morning earlymorningtea
    http_access allow day evening sundowner

Good luck

Gerard

On Wed, 22 Jan 2003 21:51, Dieter Kluenter wrote:
> Hi,
> I'm trying to design a complex set of acls with squid_ldap_group.
> My present setup
>
> external_acl_type ldap_group1 %LOGIN path/to/squid_ldap_group -f <filters>
> -h <host> -Z
> external_acl_type ldap_group2 %LOGIN path/to/squid_ldap_group ......
>
> acl day time M-F
> acl morning time h9:m15-h11:m45
> acl evening time h15:m30-h18:m30
> acl earlymorningtea ldap_group1 EarlyMorningTea
> acl sundowner ldap_group2 SunDowner
>
> http_access allow day AND morning AND earlymorningtea
> http_access allow day AND evening AND sundowner
>
> In this setup EarlyMorningTea and SunDowner are attribute values. The
> defined filters are ok with ldapsearch, but still I can't get access,
> while a simple design with only one acl works fine, i.e.
> http_access allow earlymorningtea
> and only one definition of an external_acl_type gives a login, when
> connecting a URL.
>
> -Dieter
Received on Wed Jan 22 2003 - 15:46:45 MST
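
Added example, not part of the original thread: a small Python check that flags the three mistakes the reply points out (AND in http_access lines, h/m prefixes in time ranges, and a %LOGIN helper with no proxy_auth acl to supply the username). The sample config is constructed from the quoted message with the helper path and options as placeholders, and `lint` is a hypothetical name.

```python
import re

# Constructed sample based on the config quoted in the thread
# (helper path is a placeholder, helper options left out).
SAMPLE = """\
external_acl_type ldap_group1 %LOGIN /path/to/squid_ldap_group
acl day time M-F
acl morning time h9:m15-h11:m45
acl earlymorningtea ldap_group1 EarlyMorningTea
http_access allow day AND morning AND earlymorningtea
"""

# Time ranges are written as plain h:mm-h:mm, e.g. 9:15-11:45
TIME_RANGE = re.compile(r"^\d{1,2}:\d{2}-\d{1,2}:\d{2}$")

def lint(conf):
    """Return sorted (line_number, message) pairs for the mistakes named in the reply."""
    findings = []
    has_proxy_auth = False
    login_helpers = []
    for n, raw in enumerate(conf.splitlines(), 1):
        # Simplification: everything after '#' is treated as a comment
        tok = raw.split("#", 1)[0].split()
        if not tok:
            continue
        if tok[0] == "acl" and len(tok) >= 3:
            if tok[2] == "proxy_auth":
                has_proxy_auth = True
            elif tok[2] == "time":
                for arg in tok[3:]:
                    # An argument containing ':' is meant as a time range
                    if ":" in arg and not TIME_RANGE.match(arg):
                        findings.append((n, "time range %r is not h:mm-h:mm" % arg))
        elif tok[0] == "external_acl_type" and "%LOGIN" in tok:
            login_helpers.append(n)
        elif tok[0] == "http_access" and "AND" in tok[2:]:
            findings.append((n, "http_access takes ACL names only; remove AND"))
    # %LOGIN needs an authenticated username, which requires a proxy_auth acl
    if not has_proxy_auth:
        for n in login_helpers:
            findings.append((n, "%LOGIN helper but no proxy_auth acl is defined"))
    return sorted(findings)

if __name__ == "__main__":
    for n, msg in lint(SAMPLE):
        print("line %d: %s" % (n, msg))
```
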