Re: [squid-users] web access based on ldap groups

From: Oliver Hookins <[email protected]>
Date: Thu, 03 Feb 2005 10:11:48 +1100

cipher wrote:
> Dear users,
>
> I just got squid authenticating through ldap, using
> squid_ldap_auth and everything is fine.
> Users can authenticate and no problems are showing up.
>
> Now i would like to know a way to give user permissions
> to different web accesses to different users.
> For example, i have this configuration:
>
> [...]
> acl block_word url_regex "/etc/squid/block_word"
> acl block_url url_regex "/etc/squid/block_url"
> acl block_domain dstdomain "/etc/squid/block_domain"
> acl block_dest_ip dst "/etc/squid/block_dest_ip"
> acl accept proxy_auth "/etc/squid/accept_user"
> acl forbidden proxy_auth "/etc/squid/forbidden_user"
> http_access allow accept block_word
> http_access allow accept block_domain
> http_access allow accept block_dest_ip
> http_access allow accept block_url
> http_access deny forbidden block_word
> http_access deny forbidden block_domain
> http_access deny forbidden block_dest_ip
> http_access deny forbidden block_url
> [...]
>
> What happened was that i was filtering web access
> through a text file called /etc/squid/accept_user
> and /etc/squid/forbidden_user, which had information
> about the users that were allowed or not allowed to
> have web access to the urls in the /etc/squid/block_url
> file for example.
>
> Now with ldap working i have two groups:
>
> -> proxy-allow
> -> proxy-deny
>
> I want to put users in those two groups, and the ideia
> is that users in the proxy-allow group will have
> web access to urls in the /etc/squid/block_url and
> users in the proxy-deny group will not have web access to
> those urls.
>
> I am aware that squid_ldap_group does the job but i am
> not really understanding how.
>
> I read through the archives and no answer to this issue
> was found. At least i wasn't able to see it. :)
>
> I already know that an external_acl_type acl is needed.
> I just haven't figured out how to tell squid.conf to go
> search on that groups and give access like it is meant to.
>
> Is there a chance someone could point in the right
> direction to get this working or maybe point me the archive
> where this issue is answered?
>
> Feel free to ask for more configuration information if
> you need to.
>
> Thanks a lot for reading this and in advance!

squid_ldap_group operates very similarly to squid_ldap_auth. I assume
you are already successfully getting the user login details and are
authenticating the users. After that you just need an external_acl_type
statement for the ldap checking such as this (forgive the long
description, it's something I wrote up after I got it working so that it
is understandable to some degree):

external_acl_type ldap_group ttl=120 negative_ttl=120 %LOGIN
/usr/lib/squid/squid_ldap_group -b cn=Users,dc=domain,dc=local -f
"(&(cn=%g)(member=%u)(objectClass=group))" -B dc=domain,dc=local -F
"samaccountname=%s" -S -R -D
cn=ldapsearchuser,cn=Users,dc=domain,dc=local -w password -a find -s sub
-h server.domain.local

ldap_group is the type of external ACL we are using.
ttl and negative_ttl are set to short intervals so that adding or
removing a user from the authorised group doesn't incur a huge delay.
%LOGIN is a standard parameter - it just passes the user details from
the authenticator module
-b is the Base DN for the security group in the AD.
-f specifies how the user is to be found in the group. cn=%g will give
you the group DN itself, member=%u finds the user by their DN, and
objectClass=group is self explanatory.
-B is the Base DN for the users.
-F is used to specify the search filter for the users. Samaccountname is
the parameter I search for since I found the browser sends the shortened
version of the login name (instead of the full name or something).
-S specifies that it should strip the domain name off the front of the
username (since I was using NTLM and that passed the domain name)
-R allows us to have users in multiple OUs.
-D specifies the DN of a user authorised to perform LDAP searches on the
AD. This I believe can be any user in the AD.
-a specifies the search technique and may not be required
-s specifies how to handle searching up the tree and defaults to sub
anyway so is not really required.
-h server.domain.local just specifies the domain controller that the
LDAP query is performed on.

Then you need acls to specify the groups you are checking for:

acl AuthGroup external ldap_group Internet

and http_access lines to actually allow those groups or whatever:

http_access allow AuthGroup

This is where you can get very creative (not something I have done...).
Hope this helps (and is relatively correct - my explanations are
probably not entirely accurate).

Cheers,
Oliver
Received on Wed Feb 02 2005 - 16:11:55 MST

This archive was generated by hypermail pre-2.1.9 : Tue Mar 01 2005 - 12:00:01 MST