Re: [squid-users] web access based on ldap groups

From: cipher <[email protected]>
Date: Thu, 03 Feb 2005 10:28:29 +0000

Hi Oliver,

Thank you very much for your time :)
Yes, i already have authentication working with
squid_ldap_auth. Now i am going to study carefully the
directions you pointed and i will write about how it
went! hope i can be in touch with you by saturday.

Speak to you soon and thanks a lot for caring ;)

*cipher*

> cipher wrote:
> > Dear users,
> >
> > I just got squid authenticating through ldap,
> using
> > squid_ldap_auth and everything is fine.
> > Users can authenticate and no problems are
> showing up.
> >
> > Now i would like to know a way to give user
> permissions
> > to different web accesses to different users.
> > For example, i have this configuration:
> >
> > [...]
> > acl block_word url_regex
> "/etc/squid/block_word"
> > acl block_url url_regex
> "/etc/squid/block_url"
> > acl block_domain dstdomain
> "/etc/squid/block_domain"
> > acl block_dest_ip dst
> "/etc/squid/block_dest_ip"
> > acl accept proxy_auth
> "/etc/squid/accept_user"
> > acl forbidden proxy_auth
> "/etc/squid/forbidden_user"
> > http_access allow accept block_word
> > http_access allow accept block_domain
> > http_access allow accept block_dest_ip
> > http_access allow accept block_url
> > http_access deny forbidden block_word
> > http_access deny forbidden block_domain
> > http_access deny forbidden block_dest_ip
> > http_access deny forbidden block_url
> > [...]
> >
> > What happened was that i was filtering web
> access
> > through a text file called
> /etc/squid/accept_user
> > and /etc/squid/forbidden_user, which had
> information
> > about the users that were allowed or not
> allowed to
> > have web access to the urls in the
> /etc/squid/block_url
> > file for example.
> >
> > Now with ldap working i have two groups:
> >
> > -> proxy-allow
> > -> proxy-deny
> >
> > I want to put users in those two groups, and
> the ideia
> > is that users in the proxy-allow group will
> have
> > web access to urls in the
> /etc/squid/block_url and
> > users in the proxy-deny group will not have
> web access to
> > those urls.
> >
> > I am aware that squid_ldap_group does the job
> but i am
> > not really understanding how.
> >
> > I read through the archives and no answer to
> this issue
> > was found. At least i wasn't able to see it.
> :)
> >
> > I already know that an external_acl_type acl
> is needed.
> > I just haven't figured out how to tell
> squid.conf to go
> > search on that groups and give access like it
> is meant to.
> >
> > Is there a chance someone could point in the
> right
> > direction to get this working or maybe point
> me the archive
> > where this issue is answered?
> >
> > Feel free to ask for more configuration
> information if
> > you need to.
> >
> > Thanks a lot for reading this and in advance!
>
> squid_ldap_group operates very similarly to
> squid_ldap_auth. I assume
> you are already successfully getting the user
> login details and are
> authenticating the users. After that you just
> need an external_acl_type
> statement for the ldap checking such as this
> (forgive the long
> description, it's something I wrote up after I
> got it working so that it
> is understandable to some degree):
>
> external_acl_type ldap_group ttl=120
> negative_ttl=120 %LOGIN
> /usr/lib/squid/squid_ldap_group -b
> cn=Users,dc=domain,dc=local -f
> "(&(cn=%g)(member=%u)(objectClass=group))" -B
> dc=domain,dc=local -F
> "samaccountname=%s" -S -R -D
> cn=ldapsearchuser,cn=Users,dc=domain,dc=local
> -w password -a find -s sub
> -h server.domain.local
>
> ldap_group is the type of external ACL we are
> using.
> ttl and negative_ttl are set to short intervals
> so that adding or
> removing a user from the authorised group
> doesn't incur a huge delay.
> %LOGIN is a standard parameter - it just passes
> the user details from
> the authenticator module
> -b is the Base DN for the security group in the
> AD.
> -f specifies how the user is to be found in the
> group. cn=%g will give
> you the group DN itself, member=%u finds the
> user by their DN, and
> objectClass=group is self explanatory.
> -B is the Base DN for the users.
> -F is used to specify the search filter for the
> users. Samaccountname is
> the parameter I search for since I found the
> browser sends the shortened
> version of the login name (instead of the full
> name or something).
> -S specifies that it should strip the domain
> name off the front of the
> username (since I was using NTLM and that
> passed the domain name)
> -R allows us to have users in multiple OUs.
> -D specifies the DN of a user authorised to
> perform LDAP searches on the
> AD. This I believe can be any user in the AD.
> -a specifies the search technique and may not
> be required
> -s specifies how to handle searching up the
> tree and defaults to sub
> anyway so is not really required.
> -h server.domain.local just specifies the
> domain controller that the
> LDAP query is performed on.
>
> Then you need acls to specify the groups you
> are checking for:
>
> acl AuthGroup external ldap_group Internet
>
> and http_access lines to actually allow those
> groups or whatever:
>
> http_access allow AuthGroup
>
> This is where you can get very creative (not
> something I have done...).
> Hope this helps (and is relatively correct - my
> explanations are
> probably not entirely accurate).
>
> Cheers,
> Oliver
>

-------------------------------------------------
Email Enviado utilizando o servi�o MegaMail
Received on Thu Feb 03 2005 - 03:27:54 MST

This archive was generated by hypermail pre-2.1.9 : Tue Mar 01 2005 - 12:00:01 MST