[squid-users] Integrating multiple active directory groups with squid access lists to create a dynamic white list

From: Samuel Anderson <sam_at_idsdoc.com>
Date: Thu, 7 Nov 2013 15:17:05 -0700

So I have multiple active directory groups that I’m attempting to
integrate into squid. I have categorized URL lists located in

"/etc/squid/whitelists/"

When I add a user to a specific group in active directory I want squid
to then allow that user to browse any website that is listed in the
whitelist. Each user will be a member of multiple groups and will need
to be able to access multiple whitelists depending on their role.
Currently what I have will allow the user to browse the websites as
long as they are a member of ONLY ONE of the groups, but if I add the
user to both groups then they can’t see anything! I will get an access
denied page for all websites including the ones that are listed in the
whitelists. In total I have around 50 categories that I would like to
implement. Below is what I currently have listed in my squid.conf
file.

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# AD communication
auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "DC=domain,DC=local" -D "CN=SQUID,OU=domain Service Accounts,DC=domain,DC=local" -w "*********" -f sAMAccountName=%s -h 10.0.0.***,10.0.0.***,10.0.0.***
auth_param basic children 5
auth_param basic realm Please enter your domain credentials to continue
auth_param basic credentialsttl 1 hour

# AD group membership commands
external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "DC=domain,DC=local" -D "CN=SQUID,OU=domain Service Accounts,DC=domain,DC=local" -w "*********" -f "(&(objectclass=person)(sAMAccountname=%v)(memberof=CN=%a,OU=PROXY,ou=ALL domain Groups,DC=domain,DC=local))" -h 10.0.0.***,10.0.0.***,10.0.0.***

acl NEWS external ldap_group NEWS
acl SHOPPING external ldap_group SHOPPING

acl rule1 url_regex -i "/etc/squid/whitelists/news/domains"
acl rule2 url_regex -i "/etc/squid/whitelists/shopping/domains"

http_access deny NEWS !rule1
http_access deny SHOPPING !rule2
http_access allow all

Received on Thu Nov 07 2013 - 22:17:21 MST

This archive was generated by hypermail 2.2.0 : Fri Nov 08 2013 - 12:00:20 MST
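The behaviour in the post follows from squid's first-match evaluation of http_access: a line matches when every ACL on it matches, the first matching line wins, and a user in both groups hits `deny SHOPPING !rule2` on any news URL. The script below is an added illustration (not squid code and not from the poster) that models that evaluation over constructed group memberships and whitelists; the FIXED list corresponds to `http_access allow NEWS rule1`, `http_access allow SHOPPING rule2`, `http_access deny all`, which gives each user the union of the whitelists their groups unlock.

```python
"""Model of squid's http_access evaluation for the two ACL layouts.

Added illustration, not squid code: it reproduces the first-match rule
(a line matches when every ACL term on it matches; the first matching
line wins; with no match the default is the opposite of the last line)
over constructed group memberships and whitelists.
"""
import re

# Constructed sample data standing in for the AD groups and the files
# under /etc/squid/whitelists/<category>/domains.
GROUPS = {"alice": {"NEWS"}, "bob": {"SHOPPING"}, "carol": {"NEWS", "SHOPPING"}}
WHITELISTS = {
    "rule1": [r"bbc\.co\.uk", r"reuters\.com"],   # news/domains
    "rule2": [r"amazon\.com", r"ebay\.com"],      # shopping/domains
}

# The poster's original ordering, and the allow-based ordering that
# gives a user the union of every whitelist their groups unlock.
ORIGINAL = [("deny", ["NEWS", "!rule1"]), ("deny", ["SHOPPING", "!rule2"]), ("allow", ["all"])]
FIXED = [("allow", ["NEWS", "rule1"]), ("allow", ["SHOPPING", "rule2"]), ("deny", ["all"])]


def acl_matches(name, user, url):
    """Evaluate one ACL: 'all', a url_regex list, or an ldap_group ACL."""
    if name == "all":
        return True
    if name in WHITELISTS:                      # acl ruleN url_regex -i "<file>"
        return any(re.search(p, url, re.IGNORECASE) for p in WHITELISTS[name])
    return name in GROUPS.get(user, set())      # acl <name> external ldap_group <name>


def http_access(rules, user, url):
    """Return 'allow' or 'deny' as squid would for this user and URL."""
    for action, terms in rules:
        # A '!' term matches when its ACL does not; every term must match.
        if all(acl_matches(t.lstrip("!"), user, url) != t.startswith("!") for t in terms):
            return action
    # No line matched: squid defaults to the opposite of the last line.
    return "deny" if rules[-1][0] == "allow" else "allow"


if __name__ == "__main__":
    for user in GROUPS:
        for url in ("http://www.bbc.co.uk/", "http://www.amazon.com/", "http://example.org/"):
            print(user, url, "original:", http_access(ORIGINAL, user, url),
                  "fixed:", http_access(FIXED, user, url))
```

Note that `url_regex` matches the pattern anywhere in the URL, so a bare domain list also matches URLs that merely contain that string in a path or query; for domain lists `dstdomain` with `.example.com` style entries is the usual choice.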