I have successfully set up a squid server authenticating to kerberos/ntlm/ldap to a samba4 server and they all work just fine (it's such a beautiful thing!!! :D)
I am now starting to make my ACLs and I want one particular group of users to have unrestricted access.
The thing is, when I add my user to the AD group Internet Irrestrito and open up my browser, it works. When I remove my user from the group, it can still access the internet; if I do a squid -k reconfigure and reload the website or reopen the browser, then it denies my access as it should have done before.
Given that I can't just go reloading squid every single time I change a user group, what do I need to do so that squid will recognize changes in the user's groups without reloading it?
I've changed the ttl on the ldap auth to a really low setting (right now it's set to 5 hours) and the same situation happens. Also, on an old squid box they have here in the company the same ttl of 5 hours is there, and once we change the user on that old network's ldap server the user only needs to restart his browser and it's done!
Here is my squid.conf:
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
acl localnet src fc00::/7 # RFC 4193 local private network range
acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow localhost manager
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
auth_param negotiate program /usr/local/squid/libexec/negotiate_wrapper -d --ntlm /usr/local/squid/libexec/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=testserver.LAN --kerberos /usr/local/squid/libexec/negotiate_kerberos_auth -d -s HTTP/servidor-005.testserver.lan@testserver.LAN
auth_param negotiate children 10
auth_param negotiate keep_alive off
auth_param ntlm program /usr/local/squid/libexec/ntlm_auth --diagnostics --helper-protocol=squid-2.5-ntlmssp --domain=testserver.LAN
auth_param ntlm children 10
auth_param ntlm keep_alive off
auth_param basic program /usr/local/squid/libexec/basic_ldap_auth -d -R -b "dc=testserver,dc=lan" -D squid@testserver.lan -W /usr/local/squid/etc/ldappass -f sAMAccountName=%s -h servidor-001.testserver.lan
auth_param basic children 5
auth_param basic credentialsttl 5 hours
auth_param basic realm testserver Proxy Server
external_acl_type internet_irrestrito %LOGIN /usr/local/squid/libexec/ext_ldap_group_acl -R -K -b "cn=Users,dc=testserver,dc=lan" -D squid@testserver.lan -W /usr/local/squid/etc/ldappass -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=Internet Irrestrito,cn=Users,dc=testserver,dc=lan))" -h servidor-001.testserver.lan
acl auth proxy_auth REQUIRED
acl Irrestrito external internet_irrestrito Internet\ Irrestrito
http_access allow Irrestrito auth
http_access deny !auth
http_access allow localhost
http_access deny all
http_port 3128
cache_mgr ti@testserver.com.br
access_log /usr/local/squid/var/logs/access.log squid
coredump_dir /usr/local/squid/var/cache/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
Any ideas are welcome, I had no success searching over the web for the last two days :(
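As an added example (not part of the question above), the fragment below shows the external ACL result cache that Squid keeps separately from auth_param basic credentialsttl: every external_acl_type lookup result is cached per user for ttl= seconds (default 3600), a failed lookup for negative_ttl= seconds, and the cache is only flushed by a reconfigure. The helper line is the one from the question; the ttl, negative_ttl, cache and children-max values are illustrative choices, not recommendations from the post.

```squid
# Added example, not the poster's configuration. Squid caches each external ACL
# answer keyed on the %LOGIN user: a positive answer (OK) for ttl= seconds and a
# negative answer (ERR) for negative_ttl= seconds. Until the entry expires, or
# "squid -k reconfigure" empties the cache, a change in AD group membership is
# not visible to http_access, regardless of auth_param basic credentialsttl,
# which only governs how long the user's password check is trusted.
#
# Illustrative values: re-check members every 5 minutes, re-check non-members
# every minute, keep at most 1000 cached entries, allow up to 10 helpers.
external_acl_type internet_irrestrito ttl=300 negative_ttl=60 cache=1000 children-max=10 %LOGIN /usr/local/squid/libexec/ext_ldap_group_acl -R -K -b "cn=Users,dc=testserver,dc=lan" -D squid@testserver.lan -W /usr/local/squid/etc/ldappass -f "(&(objectclass=person)(sAMAccountName=%u)(memberof=cn=Internet Irrestrito,cn=Users,dc=testserver,dc=lan))" -h servidor-001.testserver.lan

# Unchanged from the question: the external ACL is evaluated per request, and
# its cached verdict decides whether the user is granted unrestricted access.
acl auth proxy_auth REQUIRED
acl Irrestrito external internet_irrestrito Internet\ Irrestrito
http_access allow Irrestrito auth
http_access deny !auth
```

A lower ttl trades freshness for LDAP load, since every expired entry costs one group lookup per user; a separate, shorter negative_ttl matters in the opposite direction, because a user just added to the group otherwise keeps the cached ERR until it expires. After editing the line, squid -k parse validates the syntax before the change is applied.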