[squid-users] [SOLVED] Force LDAP groups to de-authenticate?

Dan Purgert dan at djph.net
Fri Jul 10 17:57:58 UTC 2015


On Fri, 03 Jul 2015 18:08:49 +0000, Dan Purgert wrote:

> I'm setting up a squid proxy with LDAP user/group authentication, and so
> far have been able to sort out the problems I've run into with a little
> help from Google and caches of the various squid mailing lists.
> 
> Currently, it's in a mostly working state for nearly everything (i.e.
> user authentication, allowed/blocked based on what group a user belongs
> to, client pc auto-updates, etc.).  However, I can't figure out how to
> force a user to re-authenticate after a set interval of time (say 30
> minutes).
> 
> 
> Essentially, the idea is that the "less-privileged" users (i.e. the
> students) can get to the sites that they need for their day-to-day
> school work, but that their permissions should be able to be elevated
> for a set amount of time in the event the teacher deems it OK.
> 
> Right or wrong, the administration doesn't want to go with one of the
> "big boys" in web filters, so I need to kick the users and force a re-
> auth, as this is for a school environment. It's small (only 10-15
> students at one time), but the students have already figured their way
> around the previous filter that was installed before my time.
> 
> 
> I know closing the browser clears out all the authentication tokens ...
> but hoping there's a way I can do this from the backend so there's no
> need to play those "okay, now close all your browsers" type games if a
> student gets the elevated permissions.
> 
> 
> Leads have pointed me to
> 
>  - auth_param basic credentials_ttl <N> minutes
> 
>  - authenticate_ttl <N> minutes
> 
>  - authenticate_cache_garbage_interval <N> minutes
> 
> Though I don't seem to be able to grasp the concept of getting them to
> do what I want (if it's possible)
> 
> 
> Thanks!


Thanks to everyone who sorted my incorrect understanding with the ttls / 
garbage intervals.  

Have finally gotten a response from the decision makers, and they're OK 
with the explicit time limits for allowing "not school" type websites, so 
that's the route we're going to pursue.


