[squid-users] Force LDAP groups to de-authenticate?

Dan Purgert dan at djph.net
Fri Jul 3 18:08:49 UTC 2015


I'm setting up a squid proxy with LDAP user/group authentication, and so 
far have been able to sort out the problems I've run into with a little 
help from Google and caches of the various squid mailing lists. 

Currently, it's in a mostly working state for nearly everything (i.e. 
user authentication, allowed/blocked based on what group a user belongs 
to, client pc auto-updates, etc.).  However, I can't figure out how to 
force a user to re-authenticate after a set interval of time (say 30 
minutes).


Essentially, the idea is that the "less-privileged" users (i.e. the 
students) can get to the sites that they need for their day-to-day school 
work, but that their permissions should be able to be elevated for a set 
amount of time in the event the teacher deems it OK.  

Right or wrong, the administration doesn't want to go with one of the 
"big boys" in web filters, so I need to kick the users and force a re-
auth, as this is for a school environment. It's small (only 10-15 
students at one time), but the students have already figured their way 
around the previous filter that was installed before my time.


I know closing the browser clears out all the authentication tokens ... 
but hoping there's a way I can do this from the backend so there's no 
need to play those "okay, now close all your browsers" type games if a 
student gets the elevated permissions.


Leads have pointed me to 

 - auth_param basic credentials_ttl <N> minutes

 - authenticate_ttl <N> minutes

 - authenticate_cache_garbage_interval <N> minutes

Though I don't seem to be able to grasp the concept of getting them to do 
what I want (if it's possible)


Thanks!



