RE: [squid-users] Allowing linked sites - NTLM and un-authenticated users

From: Jasper Van Der Westhuizen <javanderwesthuizen_at_shoprite.co.za>
Date: Wed, 4 Apr 2012 14:16:09 +0200

-----Original Message-----
From: Jasper Van Der Westhuizen [mailto:javanderwesthuizen_at_shoprite.co.za]
Sent: Wednesday, April 04, 2012 11:13 AM
To: squid-users_at_squid-cache.org
Subject: RE: [squid-users] Allowing linked sites - NTLM and un-authenticated users

> This allows my un-authenticated users access to the whitelisted domains and blocks any links in the sites that are not whitelisted (like facebook and youtube). It also allows my authenticated users access to all sites, including whitelisted sites, as well as allowing linked sites like facebook etc.
>
> Do you perhaps see any issue with this setup?

> The only problem I foresee is that srcdomain is the client's IP rDNS record. You have to encode into that what group they are in, so it's restricted to clients you have control over rDNS for. In which case you may as well make them static and use src IP checks.

> Amos

> Hi Amos

> I want to change my setup to do authentication for everyone, and based on whether the user is in a specific group or not, allow them access to certain ACLs.

> I have a group in AD that should have full access. All users should authenticate. If the user is not in my Internet group then he gets to access a list of sites. If the user is in the Internet group he gets a different ACL to access everything.

> Is this possible with NTLM? I don't think it is. How would I approach this?

What I did now was use wbinfo_group.pl to help with group ACLs.

--cut--
# Both external ACL types run the same helper; the difference is the group list
# each acl line hands it (the quoted path is a file with one AD group per line).
external_acl_type testForNTGroup1 children=5 %LOGIN /usr/sbin/wbinfo_group.pl
external_acl_type testForNTGroup2 children=5 %LOGIN /usr/sbin/wbinfo_group.pl
acl InternetUsers external testForNTGroup1 "/etc/squid/group_auth_all_access"
acl NonInternetUsers external testForNTGroup2 "/etc/squid/group_auth_limited_access"

---
### Allow Whitelisted domains to all users
# First match wins: full-access group members pass here, everyone else only
# reaches whitelisted destinations.
http_access allow InternetUsers
http_access allow NonInternetUsers whitelist
http_access deny NonInternetUsers !whitelist all
--cut--
I place the groups that are allowed to have full access in group_auth_all_access. The file group_auth_limited_access contains the group that covers my entire AD domain.
I think this will work fine. I've tested it successfully.
Received on Wed Apr 04 2012 - 12:16:20 MDT
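Added example, not from the post or from Squid itself: a Python model of how Squid walks the three http_access lines above (first match wins) with wbinfo_group.pl-style group checks, so the policy can be tested before deployment. The user names, AD groups, group-file contents and whitelist entries are constructed; it also models Squid's documented behaviour when no line matches (the opposite of the last line's action), which is why a closing `http_access deny all` is customary.

```python
# Stand-ins for /etc/squid/group_auth_all_access and
# /etc/squid/group_auth_limited_access (one AD group per line in the real files).
GROUP_AUTH_ALL_ACCESS = ["Internet_Full"]     # constructed group name
GROUP_AUTH_LIMITED_ACCESS = ["Domain Users"]  # the group covering the whole domain

# Constructed directory: AD group membership per NTLM-authenticated user.
AD_GROUPS = {
    "alice": {"Domain Users", "Internet_Full"},
    "bob": {"Domain Users"},
}

# Constructed dstdomain whitelist; a leading dot matches the domain and its subdomains.
WHITELIST = [".intranet.example", "www.example.org"]


def wbinfo_group(user, groups):
    """Like wbinfo_group.pl: OK (True) if the user is in any of the listed groups."""
    return any(g in AD_GROUPS.get(user, set()) for g in groups)


def dstdomain_match(host, patterns):
    """Squid dstdomain semantics: '.x' matches x and *.x, 'x' matches only x."""
    host = host.lower().rstrip(".")
    return any(host == p.lstrip(".") or (p.startswith(".") and host.endswith(p))
               for p in patterns)


def http_access(user, host):
    """Evaluate the post's three http_access lines for one request.

    user="" means not authenticated yet: the %LOGIN external ACLs make Squid
    challenge for NTLM credentials before any of these lines can match.
    """
    if not user:
        return "AUTH_REQUIRED"
    internet = wbinfo_group(user, GROUP_AUTH_ALL_ACCESS)
    limited = wbinfo_group(user, GROUP_AUTH_LIMITED_ACCESS)
    listed = dstdomain_match(host, WHITELIST)
    rules = [  # (matched?, action), in squid.conf order
        (internet, "ALLOW"),               # http_access allow InternetUsers
        (limited and listed, "ALLOW"),     # http_access allow NonInternetUsers whitelist
        (limited and not listed, "DENY"),  # http_access deny NonInternetUsers !whitelist all
    ]
    for matched, action in rules:
        if matched:
            return action
    # Nothing matched (e.g. the helper answered ERR for both groups): Squid's
    # documented default is the opposite of the last line's action.
    return "ALLOW" if rules[-1][1] == "DENY" else "DENY"
```

An authenticated user who is in neither group (here, "carol") falls through and is allowed, which is the case the customary trailing deny rule closes.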

This archive was generated by hypermail 2.2.0 : Wed Apr 04 2012 - 12:00:02 MDT