[squid-users] Re: squid active directory integration

From: cheitac <ghost.vsphere_at_gmail.com>
Date: Sat, 31 Aug 2013 08:24:18 -0700 (PDT)

Amos Jeffries-2 wrote
> On 17/08/2013 1:09 a.m., cheitac wrote:
>> Hello all, recently I tried many helpers to integrate squid with Active
>> Directory. I have 2 domain controllers in my lab environment, two Windows 7
>> machines and CentOS 6. I'm interested in what the best way is to use squid
>> with Active Directory. I need to control AD user groups. Thanks.
>
> The Squid wiki contains what you need:
> http://wiki.squid-cache.org/ConfigExamples/Authenticate/WindowsActiveDirectory
>
> Amos

I used this howto and it's fine. But I use Active Directory groups for
restrictions. Unfortunately *squid_ldap_group* does not work for me.

I added the external access lists below to my squid conf, but I cannot filter AD
groups.

########## Restrict Accountants
external_acl_type Accountant_Ldap %LOGIN /usr/lib64/squid/squid_ldap_group -R -K \
        -b "dc=myorg,dc=example,dc=local" \
        -D squid_at_mcg.com.ge \
        -w /etc/squid/ldappass.txt \
        -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=Accountants,ou=Myorg Staff,ou=Administration,dc=myorg,dc=example,dc=local))" \
        -h dc02.myorg.example.local
########## Restrict Standard Users ###
external_acl_type Standard_Users_Ldap %LOGIN /usr/lib64/squid/squid_ldap_group -R -K \
        -b "dc=myorg,dc=example,dc=local" \
        -D squid_at_mcg.com.ge \
        -w /etc/squid/ldappass.txt \
        -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=cn=Standard Users,ou=Myorg Staff,ou=Administration,dc=myorg,dc=example,dc=local))" \
        -h dc02.myorg.example.local
#######################################
########## ACL

acl auth proxy_auth REQUIRED

acl MYAccountants external Accountant_Ldap Accountants
acl STUsers external Standard_Users_Ldap Standard\ Users

acl allowedlists url_regex -i "/etc/squid/Blacklists/Local/allowedlists.txt"
acl blacklists url_regex -i "/etc/squid/Blacklists/Local/blacklists.txt"

http_access deny !auth

http_access allow STUsers allowedlists
http_access deny STUsers all

http_access deny MYAccountants blacklists
http_access allow all

########################################################

If I use *"http_access allow all"*, all authenticated users use the internet
without restrictions.

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/squid-active-directory-integration-tp4661575p4661867.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Received on Sat Aug 31 2013 - 15:25:01 MDT
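
The symptom reported in the message above is consistent with Squid's first-match evaluation of http_access lines: when the external group ACLs never match, every authenticated request falls through to the final `allow all`. The following is an added example, not part of the original post or of Squid; it models each ACL outcome as a boolean supplied by the caller, and the request scenarios are constructed.

```python
# Added illustration: first-match evaluation of the http_access rules in the post.
# Constructed model, not Squid code; ACL results are supplied by the caller.

RULES = [  # (action, [acl names]); a leading "!" negates the ACL
    ("deny",  ["!auth"]),
    ("allow", ["STUsers", "allowedlists"]),
    ("deny",  ["STUsers", "all"]),
    ("deny",  ["MYAccountants", "blacklists"]),
    ("allow", ["all"]),
]

def acl_matches(name, facts):
    """Evaluate one ACL name against the request facts, honouring '!'."""
    negate = name.startswith("!")
    name = name.lstrip("!")
    result = True if name == "all" else facts.get(name, False)
    return result != negate

def decide(facts, rules=RULES):
    """Return (action, rule_index) of the first rule whose ACLs all match."""
    for index, (action, acls) in enumerate(rules):
        if all(acl_matches(a, facts) for a in acls):
            return action, index
    # No rule matched: Squid applies the opposite of the last rule's action.
    last = rules[-1][0]
    return ("deny" if last == "allow" else "allow"), None

def scenarios():
    # Constructed request facts: which ACLs would match for each request.
    cases = {
        "accountant, helper OK, blacklisted URL":
            {"auth": True, "MYAccountants": True, "blacklists": True},
        "accountant, helper returns ERR, blacklisted URL":
            {"auth": True, "MYAccountants": False, "blacklists": True},
        "standard user, helper OK, unlisted URL":
            {"auth": True, "STUsers": True},
        "standard user, helper returns ERR, unlisted URL":
            {"auth": True, "STUsers": False},
        "unauthenticated":
            {"auth": False},
    }
    return {name: decide(facts) for name, facts in cases.items()}

if __name__ == "__main__":
    for name, (action, index) in scenarios().items():
        print(f"{name:50s} -> {action} (rule {index})")
```

The two "helper returns ERR" rows reach the last rule and are allowed, so a group lookup that fails for every user yields the unrestricted access described in the post.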
