RE: [squid-users] Squid 2.6 - Deny all users in a specific Active Directory OU (not group)

From: Kris Glynn
Date: Wed, 19 May 2010 10:54:27 +1000

Thank you very much Henrik.

A few things I would like to mention.

1. You specify using "external_acl_program" but I assume you mean "external_acl_type".
2. What does the "X" mean in this acl line: "acl ldap_service_accounts external ldap_service_accounts X"?

Again, thanks for the prompt response.


- Kris Glynn: (07) 3295 3987 - 0434602997

-----Original Message-----
From: Henrik Nordström
Sent: Wednesday, 19 May 2010 5:32 AM
To: Kris Glynn
Subject: Re: [squid-users] Squid 2.6 - Deny all users in a specific Active Directory OU (not group)

Tue 2010-05-18 at 14:33 +1000, Kris Glynn wrote:

> I would like to know if it is possible to deny/allow based on a specific OU in Active Directory.

Yes. The squid_ldap_group helper can do this by simply searching for the
user again below that OU and denying access if found.

external_acl_program ldap_service_accounts %LOGIN /usr/lib/squid_ldap_group -R -b "OU=Service Accounts,dc=company,dc=internal" -D username -w password -f "(&(sAMAccountName=%u)(objectClass=Person))" -h
acl ldap_service_accounts external ldap_service_accounts X
http_access deny ldap_service_accounts

If you have many of these OUs that you want to match then the -g option
to squid_ldap_group may be handy, enabling you to add the OU part via
the acl line. But it is a little tricky if the OU contains spaces as in
your "OU=Service Accounts" (requires an acl include file).

Received on Wed May 19 2010 - 00:54:34 MDT
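
The check described in the reply above (look the user up again below the OU and deny on a match), modelled in Python as an added example that is not part of the original thread and is not squid_ldap_group's own code. The sample directory and all function names are constructed for illustration; the base DN and filter are the ones from the thread, and OK/ERR are the replies Squid expects from an external ACL helper.

```python
# Added example: in-memory model of the search below the OU; no LDAP server is contacted.
BASE_DN = "OU=Service Accounts,dc=company,dc=internal"          # -b value from the thread
FILTER_TEMPLATE = "(&(sAMAccountName=%u)(objectClass=Person))"  # -f value from the thread

# Constructed sample directory: sAMAccountName -> DN (hypothetical entries).
DIRECTORY = {
    "svc_backup": "CN=svc_backup,OU=Service Accounts,DC=company,DC=internal",
    "jsmith": "CN=Smith\\, John,OU=Staff,DC=company,DC=internal",
    "svc_sql": "CN=svc_sql,OU=SQL,ou=service accounts,dc=COMPANY,dc=internal",
}

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so a login cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(login):
    """Substitute %u in the thread's filter with the escaped login name."""
    return FILTER_TEMPLATE.replace("%u", escape_filter_value(login))

def split_dn(dn):
    """Split a DN into lower-cased (attr, value) RDNs, honouring backslash escapes."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur, i = cur + dn[i:i + 2], i + 2       # keep an escaped pair together
        elif dn[i] == ",":
            rdns, cur, i = rdns + [cur], "", i + 1  # an unescaped comma ends an RDN
        else:
            cur, i = cur + dn[i], i + 1
    rdns.append(cur)
    pairs = []
    for rdn in rdns:
        attr, _, val = rdn.partition("=")
        pairs.append((attr.strip().lower(), val.strip().lower()))
    return pairs

def is_below(dn, base_dn):
    """True when dn sits strictly under base_dn, at any depth."""
    d, b = split_dn(dn), split_dn(base_dn)
    return len(d) > len(b) and d[-len(b):] == b

def helper_reply(login, directory=DIRECTORY, base_dn=BASE_DN):
    """Return 'OK' (acl matches, so http_access deny applies) or 'ERR'."""
    dn = directory.get(login.lower())
    return "OK" if dn is not None and is_below(dn, base_dn) else "ERR"

if __name__ == "__main__":
    for user in ("svc_backup", "svc_sql", "jsmith", "nobody"):
        print(user, helper_reply(user), build_filter(user))
```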
