Re: [squid-users] Using multiple groups, multiple access list on W2K? from Serassio Guido on 2005-01-05 (squid-users)

From: Serassio Guido <guido.serassio@dont-contact.us>
Date: Wed, 05 Jan 2005 12:17:23 +0100

Hi,

At 22.55 04/01/2005, James Bruce wrote:

>Hello List,
>I'm a newb to squid and this list, I need a little help. I have
>squid/2.5.STABLE7-NT installed on a W2K server with the latest patches.
>
>The goal is to have multiple groups with different levels of internet access
>for each group. Also let everyone have full internet access during lunch
>12-1pm. Last but not least use active directory authentication.
>
>I am able to add windows authentication for my proxy. I created a local
>group called ProxyUsers on the w2k server, that group consist of the domain
>group called RestrictedUsers. More groups will be created later
>(AccountingRestricted, SalesRestricted, Unrestristed, etc...) For now I'm
>using one group (for testing). If employees are not in that domain group
>(RestrictedUsers) they do not have internet access and if they are, a login
>box appears. So I know this works with the active directory authentication.
>
>This is were I'm stuck. We will need to have multiple groups that need more
>access then others. Which will require multiple access list I know. I guess
>my question is how do you associate certain access-lists for certain groups
>with authentication. I included my squid.conf to give you a basic idea of
>what I have. I know it's not the cleanest but it's working so far :) If
>anyone has a link or advice, please let me know. Sorry if this is such a
>newb question.

You must use External ACL with the win32_check_group.exe helper.
See the win32_check_group.txt file that you can find in the binary
distribution for more details.

According to the example in the documentation, you can define many ACLs as
you need:

acl AccountingRestricted external NT_global_group AccountingRestricted
acl SalesRestricted external NT_global_group SalesRestricted
acl Unrestricted external NT_global_group Unrestricted

The group that can be specified in win32_ntlm_auth.exe command line is a
quick shortcut for simple installations, without using External ACLs, is
not suitable for complex configurations.

Regards

Guido

-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Gorizia, 69 10136 - Torino - ITALY
Tel. : +39.011.3249426 Fax. : +39.011.3293665
Email: guido.serassio@acmeconsulting.it
WWW: http://www.acmeconsulting.it/
Received on Wed Jan 05 2005 - 04:17:27 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 07 2005 - 12:59:35 MST