[squid-users] URL access based on AD group membership
Bruno de Paula Larini
bruno.larini at riosoft.com.br
Wed Jun 15 17:27:14 UTC 2016
On 15/06/2016 10:50, nilesh.gavali at tcs.com wrote:
> Hi Team;
> I have setup as below-
>
> * Squid Kerberos authentication with windows AD 2012r2. - works fine.
> * Now need to restrict access based on AD Group membership.
>
>
> Below configuration done but no luck. When I try to access with a user who
> is not part of the group mentioned, he is still able to browse the Internet.

The following works fine for me and in my opinion works better than
LDAP. The authentication is integrated, so it doesn't keep asking for a
password (when the current user is a domain account). But you have to
add the Squid server to the domain using 'smb.conf', 'krb5.conf' and
then 'net ads join'. The service 'winbind' must be running too.

I'm using Squid 3.5.19.
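
# Squid build (./configure) option, not a squid.conf directive:
#   --enable-external-acl-helpers="ext_wbinfo_group_acl"

# NTLM authentication through Samba's ntlm_auth (needs winbind running)
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN
auth_param ntlm children 10 startup=0 idle=2

# Group lookup helper: receives the authenticated login (%LOGIN) and the group name
external_acl_type NTGroup children-startup=10 children-idle=2 children-max=50 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl

acl authenticated proxy_auth REQUIRED
acl ad_group external NTGroup MYDOMAIN\AD_Group
acl denied_websites dstdom_regex -i "/etc/squid/denied-websites.txt"

# Deny only when BOTH ACLs match: group member AND destination in the file
http_access deny ad_group denied_websites
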
So all the members of MYDOMAIN\AD_Group won't have access to whatever
the file contains.
Bruno
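
Added example, not part of the original message and not Squid's own code: a small Python model of how Squid evaluates the `http_access deny ad_group denied_websites` rule above when taken in isolation (ACLs on one line are ANDed, the first matching rule wins, and if nothing matches Squid applies the opposite of the last rule's action). The user names, the regex pattern and the `GROUP_ONLY` rule set are constructed assumptions used to contrast the posted rule with the goal stated in the question.

```python
import re

# Constructed sample data (assumptions, not from the original message).
GROUP_MEMBERS = {"alice"}                   # members of MYDOMAIN\AD_Group
DENIED_PATTERNS = [r"(^|\.)example\.net$"]  # stand-in for denied-websites.txt

def acl_matches(name, user, host):
    """Evaluate one ACL name; a leading '!' negates it, as in squid.conf."""
    if name.startswith("!"):
        return not acl_matches(name[1:], user, host)
    if name == "all":
        return True
    if name == "ad_group":
        return user in GROUP_MEMBERS
    if name == "denied_websites":
        return any(re.search(p, host, re.I) for p in DENIED_PATTERNS)
    raise ValueError(f"unknown acl {name}")

def http_access(rules, user, host):
    """First matching rule wins; ACLs on one line are ANDed.
    If no rule matches, the result is the opposite of the last rule's action."""
    for action, acls in rules:
        if all(acl_matches(a, user, host) for a in acls):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

# The single rule from the message above, modelled on its own.
AS_POSTED = [("deny", ["ad_group", "denied_websites"])]

# Hypothetical variant for the question's goal: only group members may browse.
GROUP_ONLY = [
    ("deny", ["ad_group", "denied_websites"]),
    ("allow", ["ad_group"]),
    ("deny", ["all"]),
]

def decisions(rules):
    """Decisions for member/non-member against a listed and an unlisted host."""
    cases = [("alice", "www.example.net"), ("alice", "example.org"),
             ("bob", "www.example.net"), ("bob", "example.org")]
    return [http_access(rules, u, h) for u, h in cases]

if __name__ == "__main__":
    print("as posted :", decisions(AS_POSTED))
    print("group only:", decisions(GROUP_ONLY))
```

In this model the posted rule blocks only group members on listed sites, while non-members fall through to the implicit allow; an explicit final `deny all` closes that gap.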