Hello, I have defined 3 LDAP groups: Internet_no_limit, Internet_limited, Internet_no_access, and I have 2 whitelists: the first is for HTTP sites (whitelist.http.txt) and the second is for HTTPS (whitelist.https.txt).

I have problems with the second group (Internet_limited). The user can log in and see the allowed HTTP sites, but he can't see the HTTPS sites. I get this in access.log:

1079022800.399 0 192.168.132.151 TCP_DENIED/403 4266 CONNECT www.oracle.com:443 test NONE/- text/html

Here is my config:

auth_param basic children 30
auth_param basic realm squid ldap auth
auth_param basic credentialsttl 2 hours
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b dc=int,dc=domain,dc=lv -D "cn=arturs korneevs,ou=Active,ou=firm,dc=int,dc=domain,dc=lv" -w secret -f "(&(samaccountname=%s)(objectclass=user))" server_ip

# ldap group's name "Internet_no_limit"
external_acl_type ldap_nolimit %LOGIN /usr/local/squid/libexec/squid_ldap_group -b ou=other,ou=groups,ou=hansabanka,dc=int,dc=hbl,dc=lv -B dc=int,dc=domain,dc=lv -D "cn=arturs korneevs,ou=active,ou=hansabanka,dc=int,dc=hbl,dc=lv" -w secret -F "(&(samaccountname=%s)(objectclass=user))" -f "(&(cn=%g)(member=%u)(objectclass=group))" server_fine

# ldap group's name "Internet_limited"
external_acl_type ldap_limited %LOGIN /usr/local/squid/libexec/squid_ldap_group -b ou=other,ou=groups,ou=firm,dc=int,dc=domain,dc=lv -B dc=int,dc=hbl,dc=lv -D "cn=arturs korneevs,ou=active,ou=firm,dc=int,dc=domain,dc=lv" -w secret -F "(&(samaccountname=%s)(objectclass=user))" -f "(&(cn=%g)(member=%u)(objectclass=group))" server_ip

# ldap group's name "Internet_no_access"
external_acl_type ldap_noaccess %LOGIN /usr/local/squid/libexec/squid_ldap_group -b ou=other,ou=groups,ou=firm,dc=int,dc=domain,dc=lv -B dc=int,dc=domain,dc=lv -D "cn=arturs korneevs,ou=active,ou=firm,dc=int,dc=domain,dc=lv" -w secret -F "(&(samaccountname=%s)(objectclass=user))" -f "(&(cn=%g)(member=%u)(objectclass=group))" server_ip

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 1025-65535  # unregistered ports
acl CONNECT method CONNECT

http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost

acl our_networks src 192.168.0.0/16
acl blockedsites url_regex -i "/usr/local/squid/etc/block.txt"
acl do_not_cache url_regex -i "/usr/local/squid/etc/dontcache.txt"
acl acl_nolimit external ldap_nolimit Internet_no_limit
acl acl_limited external ldap_limited Internet_limited
acl acl_noaccess external ldap_noaccess Internet_no_access
acl acl_whitelist_http url_regex -i "/usr/local/squid/etc/whitelist.http.txt"
acl acl_whitelist_https url_regex -i "/usr/local/squid/etc/whitelist.https.txt"
acl acl_protocol_http proto HTTP
acl acl_protocol_https proto HTTPS

http_access deny blockedsites
deny_info ERR_NOT_IN_WHITELIST blockedsites
no_cache deny do_not_cache
http_access deny acl_noaccess
http_access allow our_networks acl_limited acl_whitelist_http acl_protocol_http
http_access allow our_networks acl_limited acl_whitelist_https acl_protocol_https
http_access deny acl_limited
deny_info ERR_NOT_IN_WHITELIST acl_limited
http_access allow our_networks acl_nolimit
http_access deny all

whitelist.https.txt looks like this:

www.oracle.com

whitelist.http.txt looks like this:

www.oracle.com

Where is my mistake? Many thanks!
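To narrow down which ACL in an http_access chain like the one above produced a TCP_DENIED, it helps to replay the denied access.log lines against the whitelist files the way Squid's `url_regex -i` would. The script below is an added example, not part of the post: it parses native-format Squid log lines (the denied CONNECT line from the post plus a constructed allowed GET line) and reports, for every denied request, whether the matching whitelist pattern would have matched the logged URL. It assumes that the URL Squid evaluates for a CONNECT request is the `host:port` form that appears in the log.

```python
import re
from dataclasses import dataclass

# Constructed sample log: line 1 is the denied CONNECT from the post,
# line 2 is a made-up allowed GET in the same native Squid log format.
SAMPLE_LOG = """\
1079022800.399 0 192.168.132.151 TCP_DENIED/403 4266 CONNECT www.oracle.com:443 test NONE/- text/html
1079022801.120 310 192.168.132.151 TCP_MISS/200 5120 GET http://www.oracle.com/ test DIRECT/198.51.100.10 text/html
"""

# Whitelist files as shown in the post: one url_regex pattern per line.
WHITELIST_HTTP = ["www.oracle.com"]
WHITELIST_HTTPS = ["www.oracle.com"]


@dataclass
class Entry:
    timestamp: float
    client: str
    result: str   # e.g. TCP_DENIED
    status: int   # e.g. 403
    method: str   # e.g. CONNECT
    url: str      # host:port for CONNECT, full URL otherwise
    user: str


def parse_native_line(line):
    """Parse one native-format squid access.log line (space-separated fields)."""
    f = line.split()
    if len(f) < 10:
        raise ValueError("not a native squid log line: %r" % line)
    code, status = f[3].split("/")
    return Entry(float(f[0]), f[2], code, int(status), f[5], f[6], f[7])


def whitelist_matches(url, patterns):
    """Mimic 'acl ... url_regex -i file': a pattern matching anywhere in the URL hits."""
    return [p for p in patterns if re.search(p, url, re.IGNORECASE)]


def audit(log_text):
    """Return (user, method, url, whitelist_hit) for each denied request.
    A denied request whose URL does match its whitelist was refused by some
    other ACL in the http_access chain, not by the whitelist file itself."""
    findings = []
    for line in log_text.splitlines():
        e = parse_native_line(line)
        if e.result != "TCP_DENIED":
            continue
        patterns = WHITELIST_HTTPS if e.method == "CONNECT" else WHITELIST_HTTP
        findings.append((e.user, e.method, e.url, bool(whitelist_matches(e.url, patterns))))
    return findings
```

Run `audit(SAMPLE_LOG)` on the post's own log line and the HTTPS whitelist does match `www.oracle.com:443`, so the deny is not coming from the whitelist regex; the remaining ACLs on that allow line are the ones to check.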
