[squid-users] how do you set acls based on group membership

From: P D <sarcasmo2005@dont-contact.us>
Date: Mon, 9 Jan 2006 16:25:01 +0000

Hi,
I'm new to the list, so my apologies if this has been asked a million
times already. I've spent a few days scouring the FAQs and the web for
references and I'm completely stuck.

I'm trying to set up an ACL based on group membership in my squid
configuration. I'd be grateful if someone could help me out, as I'm
so confused I reckon I'm lost altogether :)

I'm trying to set it up so that standard users are members of a group
called "InternetAccess" which limits access to certain blocked sites
like hotmail, yahoomail, and that type of thing. In addition I'm
looking to have an ACL that allows a user to bypass the normal
access controls, and have full open access to the web, if they are a
member of group "InternetBypass".

In the older version of squid I would do this by setting an ACL based
on the user's hostname and IP address. But as most new machines
are DHCP based it's no longer feasible to work this way. I now need to
be able to control the access based on membership of an AD2003 group.

I have my squid server configured with samba and NTLM authenticating
against AD2003. All appears to be configured correctly from various
userid look-ups. I have run all the variations of "wbinfo" from
the command line and all are returning the information that I expect,
e.g. if I run "wbinfo -n 'InternetAllowed'" I get back the correct SID
of the group. And the squid logs are picking up the userids in the
access.log file.

I've so far kind of managed to get the "InternetAccess" group working.
In squid I have the following (relevant) lines set up in my config
(lines may get wrapped by my mail client):
=====Starts=======
# group-lookup helper; %LOGIN hands the authenticated user name to wbinfo_group.pl
external_acl_type ad_group ttl=0 concurrency=5 %LOGIN /usr/local/squid/libexec/wbinfo_group.pl
<<...>>
# NTLM authentication via Samba's ntlm_auth helper
auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30
auth_param ntlm max_challenge_reuses 0
auth_param ntlm max_challenge_lifetime 2 minutes
auth_param ntlm use_ntlm_negotiate off
<<..>>
# group membership check: the group name is passed as the helper's argument
acl AllowedUsers external ad_group InternetAllowed
http_access allow AllowedUsers
<<..>>
======ENDS===========

It appears to be working right up to this point, but I've tried dozens if
not hundreds of various possibilities to set up the InternetBypass
section but cannot get it to work. Hence my query to you squid gurus.

Squid Version - 2.5-Stable12
Samba Version - 3.01.21rc2

Any suggestions you could provide would be gratefully appreciated.
Thanks in advance.
PD
Received on Mon Jan 09 2006 - 09:25:07 MST
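The two-tier policy the post describes, written out as an added squid.conf example. This is not from the original post or from the Squid project; the group names and helper paths follow the post, while the blocked-site list and the `ttl`/`children` values are assumptions chosen for illustration.

```conf
# Added example (not from the post): group-based ACLs with a bypass group,
# Squid 2.5 style. Group lookups go through Samba's wbinfo_group.pl; %LOGIN
# hands the NTLM-authenticated user name to the helper. ttl=0 means every
# request asks the helper again, so a group change in AD takes effect at once
# at the cost of helper load; a cached ttl would delay revocation by that long.
external_acl_type ad_group ttl=0 children=5 %LOGIN /usr/local/squid/libexec/wbinfo_group.pl

# NTLM authentication via Samba's ntlm_auth (as in the post)
auth_param ntlm program /usr/local/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 30

# One external ACL per AD group. The group name is the helper's argument;
# the helper answers OK when the %LOGIN user is a member of that group.
acl AllowedUsers external ad_group InternetAllowed
acl BypassUsers  external ad_group InternetBypass

# Destinations the standard group must not reach (constructed list, assumption).
acl BlockedSites dstdomain .hotmail.com .mail.yahoo.com

# http_access is evaluated top to bottom and the first matching line wins,
# so the order below IS the policy:
#   1. bypass group: full access, so it is checked before any deny
#   2. blocked destinations are denied for everyone who is not in the bypass group
#   3. standard group: everything that survived step 2
#   4. everyone else (unauthenticated, or in neither group): denied
http_access allow BypassUsers
http_access deny  BlockedSites
http_access allow AllowedUsers
http_access deny  all
```

The usual trap is putting `http_access deny BlockedSites` after `http_access allow AllowedUsers`: because the first match wins, a member of InternetAllowed is allowed before the deny line is ever reached, and the blocked list silently does nothing. The trailing `http_access deny all` is what makes the policy fail closed for users in neither group. Run `squid -k parse` against the edited file before `squid -k reconfigure`, and verify both paths by fetching a blocked site as a member of each group and checking the ALLOW/DENY verdict against the user name in access.log.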