Re: [squid-users] Squid 2.6 - Deny all users in a specific Active Directory OU (not group)

From: Henrik Nordström <henrik_at_henriknordstrom.net>
Date: Tue, 18 May 2010 21:31:36 +0200

Tue 2010-05-18 at 14:33 +1000, Kris Glynn wrote:

> I would like to know if it is possible to deny/allow based on a specific OU in Active Directory.

Yes. The squid_ldap_group helper can do this by simply searching for the
user again below that OU and denying access if found.

# Helper answers OK when the login is found below the Service Accounts OU
external_acl_type ldap_service_accounts %LOGIN /usr/lib/squid_ldap_group -R -b "OU=Service Accounts,dc=company,dc=internal" -D username -w password -f "(&(sAMAccountName=%u)(objectClass=Person))" -h 192.168.60.4
# X is a placeholder group argument; the filter above does not reference it
acl ldap_service_accounts external ldap_service_accounts X
http_access deny ldap_service_accounts

If you have many of these OUs that you want to match then the -g option
to squid_ldap_group may be handy, enabling you to add the OU part via
the acl line. But it is a little tricky if the OU contains spaces as in
your "OU=Service Accounts" (requires an acl include file).

Regards
Henrik
Received on Tue May 18 2010 - 19:31:39 MDT
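
Added example, not part of the original message and not squid_ldap_group's own code: a Python stand-in for the decision the helper makes with the configuration above, using constructed directory entries in place of an LDAP server. It assumes subtree search scope below the -b base and case-insensitive sAMAccountName matching; OK means the acl matches and http_access deny applies.

```python
# Added illustration: mimics the OK/ERR decision for the config above.
# Directory entries are constructed; no LDAP server is contacted.
BASE_DN = "OU=Service Accounts,dc=company,dc=internal"
FILTER = "(&(sAMAccountName=%u)(objectClass=Person))"

DIRECTORY = [  # constructed sample entries
    {"dn": "CN=svc_backup,OU=Service Accounts,DC=company,DC=internal",
     "sAMAccountName": "svc_backup", "objectClass": ["person", "user"]},
    {"dn": "CN=Alice Example,OU=Staff,DC=company,DC=internal",
     "sAMAccountName": "alice", "objectClass": ["person", "user"]},
]

def escape_filter_value(value):
    """RFC 4515 escaping so a login cannot alter the search filter."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)

def build_filter(login):
    """The filter string that would be sent for this login."""
    return FILTER.replace("%u", escape_filter_value(login))

def rdns(dn):
    # Naive split: assumes no escaped commas, true for the sample data.
    return [part.strip().lower() for part in dn.split(",")]

def below_base(dn, base=BASE_DN):
    """Subtree scope (assumed): the entry DN must end with the base DN."""
    entry, root = rdns(dn), rdns(base)
    return len(entry) > len(root) and entry[-len(root):] == root

def search(login, directory=DIRECTORY):
    """Entries below BASE_DN that the filter would match."""
    return [e for e in directory
            if below_base(e["dn"])
            and e["sAMAccountName"].lower() == login.lower()
            and "person" in (c.lower() for c in e["objectClass"])]

def helper_reply(request_line):
    """Squid sends '<login> <acl argument>'; the helper answers OK or ERR."""
    fields = request_line.split()
    if not fields:
        return "ERR"
    return "OK" if search(fields[0]) else "ERR"

if __name__ == "__main__":
    for line in ("svc_backup X", "alice X", "* X"):
        print(line, "->", build_filter(line.split()[0]), helper_reply(line))
```

The "*" login shows why the value substituted for %u has to be escaped: unescaped, it would match every account below the OU.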
