[squid-users] ext_ldap_group_acl - allowing websites based on ad group membership

Amos Jeffries squid3 at treenet.co.nz
Tue Feb 9 15:37:15 UTC 2016


On 10/02/2016 3:24 a.m., mathew abraham wrote:
> Could someone point me in the right direction?
> I want to use ext_ldap_group_acl to allow certain users who are members of the ad group for example
> YouTube - Allowed, Twitter - Allowed
> Yes with the blank space and dash in the group name. For that reason I have created files /adgroups/youtube.txt and /adgroups/youtube.txt
> The content of the file is "YouTube - Allowed" and the other file "Twitter - Allowed"
> Within quotes.
> What am I doing wrong, the websites are blocked even if a user is in the allowed group. Please help.
> Extract from squid.conf below
> external_acl_type ldapgroup ttl=3600 negative_ttl=3600 %LOGIN /lib/squid/ext_ldap_group_acl -R -b "dc=mydomain,dc=com" -f "(&(samaccountname=%v)
> (memberof=cn=%a,dc=mydomain,dc=com))" -D squid at mydomain.com -w MyPassword -h mydomain.com 
> acl allowtwitter external ldapgroup /adgroups/twitter.txt
> acl allowyoutube external ldapgroup /adgroups/youtube.txt
> acl twitter dstdomain twitter.com
> acl youtube dstdomain www.youtube.com
> http_access deny !allowtwitter twitter
> http_access deny !allowyoutube youtube
> http_access allow allowtwitter
> http_access allow allowyoutube
> 

To load the acl parameters from a file you need to put "" around the
filename in squid.conf.

Like this:

 acl allowtwitter external ldapgroup "/adgroups/twitter.txt"

 acl allowyoutube external ldapgroup "/adgroups/youtube.txt"


The "" tells Squid it's a filename and not a group called
'/adgroups/twitter.txt' etc.

This strange filename syntax is why you can't just use quoted strings on
the acl line in the first place.

Amos
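A simplified model of the two acl forms contrasted above (quoted token read as a file, unquoted token taken literally) together with the expansion of the -f template from the quoted squid.conf, written as an added example; it is neither part of the post nor Squid's or the helper's code. The temporary file, the user name, and the RFC 4515 escaping applied to substituted values are assumptions of the example.

```python
"""Model of how an `acl ... external` argument is resolved and how the
ext_ldap_group_acl -f template expands. Squid itself does the real parsing;
this only illustrates why the surrounding quotes matter (added example)."""
import os
import re
import tempfile

# -f template copied from the squid.conf in the post
FILTER_TEMPLATE = "(&(samaccountname=%v)(memberof=cn=%a,dc=mydomain,dc=com))"


def acl_parameters(acl_line: str) -> list[str]:
    """Return the parameters an acl line hands to the external helper.

    A double-quoted last token names a file with one parameter per line;
    an unquoted token is used literally as the parameter (the group name).
    """
    # acl <name> external <type> <argument>
    arg = acl_line.split(None, 4)[4].strip()
    if len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"':
        with open(arg[1:-1], encoding="utf-8") as fh:
            lines = (ln.strip() for ln in fh)
            return [ln for ln in lines if ln and not ln.startswith("#")]
    return [arg]


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for values substituted into a search filter
    (assumption of this example, not a statement about the helper)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def ldap_filter(user: str, group: str) -> str:
    """Expand %v (login) and %a (acl parameter) in one pass."""
    subst = {"v": ldap_escape(user), "a": ldap_escape(group)}
    return re.sub(r"%([va])", lambda m: subst[m.group(1)], FILTER_TEMPLATE)


def demo() -> dict:
    """Resolve the same path with and without quotes (constructed file)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "twitter.txt")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("Twitter - Allowed\n")  # one group name per line
        unquoted = acl_parameters(f"acl allowtwitter external ldapgroup {path}")
        quoted = acl_parameters(f'acl allowtwitter external ldapgroup "{path}"')
    return {"unquoted": unquoted, "quoted": quoted}


if __name__ == "__main__":
    print(demo())
    print(ldap_filter("mathew", "Twitter - Allowed"))
```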
