[squid-users] URL access based on AD group membership

Nilesh Gavali nilesh.gavali at tcs.com
Tue Jun 21 11:43:18 UTC 2016

Hello Eliezer, 
Able to achieve want require with below link, thank to you and Amos for 

Thanks & Regards
Nilesh Suresh Gavali

From:   Eliezer Croitoru <eliezer at ngtech.co.il>
To:     'Nilesh Gavali' <nilesh.gavali at tcs.com>, 
squid-users at lists.squid-cache.org
Date:   21/06/2016 07:47
Subject:        RE: [squid-users] URL access based on AD group membership

The first place to find documents is at:
But you are not the first to encounter squid and do not understand couple 
Like any complex piece of software you can just ask publically or 
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il

From: squid-users [mailto:squid-users-bounces at lists.squid-cache.org] On 
Behalf Of Nilesh Gavali
Sent: Monday, June 20, 2016 8:58 PM
To: squid-users at lists.squid-cache.org
Subject: [squid-users] URL access based on AD group membership
Hello Amos; 
is there a simpler way to tackle this as I am not linux guy and not sure 
howto write any helper program which need to call. 

Nilesh Gavali 

> Thanks Eliezer for reply.
> Its is working now for be perfectly with below command with -d option 
> gives helpful debug info to troubleshoot.
> external_acl_type AD_Group %LOGIN /usr/lib64/squid/squid_ldap_group -P 
> -b "DC=ABCD,DC=GOV,DC=IN" -D svcproxy -w 123456789 -f 

> -h abcd.gov.in -s sub -v 3 -d
> Currently I have configure squid with AD kerberos auth. also url access 
> restricted based on  AD group membership.
> Now I observed, is that when I add any user to one of the AD group which 

> allowed in squid.  it is not accepting the changes until I restart the 
> squid service.

Your external_acl_type has a 1 hour response cache. Meaning it will take
a minimum of 1 hour for any changes to the AD group settings to be
passed on to Squid.

> auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s 
> HTTP/proxy02.abcd.gov.in at ABCD.GOV.IN 
> auth_param negotiate children 10 
> auth_param negotiate keep_alive on 
> auth_param basic credentialsttl 2 hours 

NP: settings for Basic authentication do not have any affect on
non-Basic types of authentication.

There is no TTL for Kerberos user credentials. They are valid for as
long as the TCP connection to the proxy is open. Any change in the
Kerberos security tokens sent by the client after authentication is
completed will terminate/close the TCP connection.

> external_acl_type AD_Group %LOGIN /usr/lib64/squid/squid_ldap_group -P 
> -b "DC=ABCD,DC=GOV,DC=IN" -D svcproxy -w 123456789 -f 

> -h abcd.gov.in -s sub -v 3 -d 

Since your helper names were outdated 6 years ago I assume you are using
Squid-3.1 or older:

Note the default values for ttl= , negative_ttl=, and grace=

Notice: The information contained in this e-mail
message and/or attachments to it may contain 
confidential or privileged information. If you are 
not the intended recipient, any dissemination, use, 
review, distribution, printing or copying of the 
information contained in this e-mail message 
and/or attachments to it are strictly prohibited. If 
you have received this communication in error, 
please notify us by reply e-mail or telephone and 
immediately and permanently delete the message 
and any attachments. Thank you
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160621/a292d246/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: image/png
Size: 11295 bytes
Desc: not available
URL: <http://lists.squid-cache.org/pipermail/squid-users/attachments/20160621/a292d246/attachment-0001.png>

More information about the squid-users mailing list