[squid-users] Squid on Linux authenticating to two different Windows Active Directory groups

From: Roy Verrips <[email protected]>
Date: Tue, 1 Nov 2005 15:04:13 +0400

Hi

I've got Squid on a Linux (Debian 3.1) box running beautifully and
authenticating users to a Windows Active Directory.
The bits from squid.conf that I think matter for this discussion looked like
this ...

||auth_param ntlm program
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
||auth_param basic program
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic

Then later on I have ...

||acl ADuser proxy_auth REQUIRED

and then

||http_access deny !ADuser
||http_access allow all

Ok, so this means only authenticated users can use the proxy and access.log
has their Windows usernames

I can further change auth_param to allow only members of one certian Active
Directory Group

||auth_param ntlm program
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-
of=XXX_DOMAIN\\ADgroup1 --domain=xxx_domain
||auth_param basic program
/usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of
=XXX_DOMAIN\\ADgroup1 --domain=xxx_domain

||acl ADgroup1 proxy_auth REQUIRED

Although the above works great, what I really want is the following

1 - Authenticate all users (need to see those usernames in access.log)
2 - Allow all users access to some sites (freesites)
3 - Allow Active Directory Group 1 access only to freesites, and a few more
(othersites)
4 - Allow Active Directory Group 2 access to all other sites

Ok, so I can

add freesites

||acl freesites dst_domain .cnn.com
||acl freesites dst_domain .bbc.co.uk

add othersites

||acl othersites dst_domain .yahoo.com
||acl othersites dst_domain .hotmail.com

and setup of acl hierarchy would be something as follows:

||http_access allow freesites
||http_access deny !ADgroup1 !ADgroup2
||http_access allow othersites
||http_access deny !ADgroup2
||http_access allow all

Problem I have is how to setup the acl to get the different ADgroups? Do I
need two auth_params? Is that possible and what would the syntax be?

Thanks

Yours

Roy

---ooo--- Internet Confidentiality Statement ---ooo---

The information contained in this communication is confidential and is intended only for the use of the recipient named above, and may be legally privileged and exempt from disclosure under applicable law. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please resend it to the sender and delete the original message and any copy of it from your computer system. Opinions, conclusions and other information in this message that do not relate to our official business should be understood as neither given nor endorsed by this company.
Received on Tue Nov 01 2005 - 04:04:43 MST

This archive was generated by hypermail pre-2.1.9 : Thu Dec 01 2005 - 12:00:09 MST