<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 15 (filtered medium)"></head><body lang=EN-US link="#0563C1" vlink="#954F72"><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hey Nilesh,<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Did you try to test it in any way outside of Squid?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Like on the command line, as a self-running program?<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Eliezer<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial Rounded MT Bold","sans-serif";color:#1F497D'>----<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Arial Rounded MT Bold","sans-serif";color:#1F497D'><a href="http://ngtech.co.il/lmgtfy/">Eliezer Croitoru</a><br>Linux System Administrator<br>Mobile: +972-5-28704261<br>Email: eliezer@ngtech.co.il<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><b><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>From:</span></b><span 
style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> squid-users [mailto:squid-users-bounces@lists.squid-cache.org] <b>On Behalf Of </b>Nilesh Gavali<br><b>Sent:</b> Friday, June 17, 2016 5:25 PM<br><b>To:</b> squid-users@lists.squid-cache.org<br><b>Subject:</b> [squid-users] URL access based on AD group membership<o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Team;</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Need expert help here.</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Here is my setup: as of now Squid is integrated with Windows 2012R2 AD, SSO with Kerberos, and it is working fine. </span><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Now I want to restrict Internet access for users based on their AD group membership. I tried loads of options from various sites but no luck; not sure what is going wrong.</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Here is my squid config and cache.log output.
</span><br><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>=============================</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>#</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># Recommended minimum configuration:</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>#</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'>auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s HTTP/proxy02.abcd.gov.in@ABCD.GOV.IN</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>auth_param negotiate children 10</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>auth_param negotiate keep_alive on</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>auth_param basic credentialsttl 2 hours</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl ad_auth proxy_auth REQUIRED</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'>#AD Group membership</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'>external_acl_type AD_Group %LOGIN /usr/lib64/squid/squid_ldap_group -P -R -b "DC=ABCD,DC=GOV,DC=IN" -D svcproxy -w 123456789 -f "(&(objectclass=person)(userPrincipalName=%u)(memberof=cn=%g,ou=InternetAccess,ou=Groups,dc=ABCD,dc=GOV,dc=IN))" -h abcd.gov.in -s sub -v 3 -d</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'>acl infrateam external AD_Group lgInternetAccess</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl windowsupdate dstdomain "/etc/squid/sitelist/infra_update_site"</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'>acl manager proto cache_object</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl localhost src 127.0.0.1/32 ::1</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl to_localhost dst 127.0.0.0/8 
0.0.0.0/32 ::1</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'># Example rule allowing access from your local networks.</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># Adapt to list your (internal) IP networks from where browsing</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># should be allowed</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl localnet src 10.0.0.0/8        # RFC1918 possible internal network</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl localnet src 172.16.0.0/12        # RFC1918 possible internal network</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl localnet src 192.168.0.0/16        # RFC1918 possible internal network</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl localnet src fc00::/7       # RFC 4193 local private network range</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl localnet src fe80::/10      # RFC 4291 link-local (directly plugged) machines</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'>acl SSL_ports port 443</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl Safe_ports port 80                # http</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl Safe_ports port 21                # ftp</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl Safe_ports port 443                # https</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl Safe_ports port 70                # gopher</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl Safe_ports port 210                # wais</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl Safe_ports port 1025-65535        # unregistered ports</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl Safe_ports port 280                # http-mgmt</span> 
<br><span style='font-size:10.0pt;font-family:"Courier New"'>acl Safe_ports port 488                # gss-http</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl Safe_ports port 591                # filemaker</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl Safe_ports port 777                # multiling http</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>acl CONNECT method CONNECT</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'>#</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># Recommended minimum Access Permission configuration:</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>#</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># Only allow cachemgr access from localhost</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>http_access allow manager localhost</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>http_access deny manager</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'># Deny requests to certain unsafe ports</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>http_access deny !Safe_ports</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'># Deny CONNECT to other than secure SSL ports</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>http_access deny CONNECT !SSL_ports</span> <br><br><br><span style='font-size:10.0pt;font-family:"Courier New"'># We strongly recommend the following be uncommented to protect innocent</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># web applications running on the proxy server who think the only</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># one who can access services on "localhost" is a local user</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>#http_access deny to_localhost</span> <br><br><span 
style='font-size:10.0pt;font-family:"Courier New"'>#</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>#</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>#</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># Example rule allowing access from your local networks.</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># Adapt localnet in the ACL section to list your (internal) IP networks</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'># from where browsing should be allowed</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'>http_access deny infrateam windowsupdate</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>http_access allow ad_auth</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'># And finally deny all other access to this proxy</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>http_access deny all</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'># Squid normally listens to port 3128</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>http_port 8080</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>never_direct allow all</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'>cache_peer xx.xx.2.108 parent 8080 0 default</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>#dns_nameservers DNSSVR.abcd.gov.in</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>dns_nameservers XX.XX.2.108</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'># We recommend you to use at least the following line.</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>#hierarchy_stoplist cgi-bin ?</span> <br><br><span 
style='font-size:10.0pt;font-family:"Courier New"'># Uncomment and adjust the following to add a disk cache directory.</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>cache_dir ufs /var/spool/squid 2048 16 256</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'># Leave coredumps in the first cache dir</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>coredump_dir /var/spool/squid</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'># Log forwarding to SysLog</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>access_log syslog:local1.info</span> <br><br><span style='font-size:10.0pt;font-family:"Courier New"'># Add any of your own refresh_pattern entries above these.</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>refresh_pattern ^ftp:                1440        20%        10080</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>refresh_pattern ^gopher:        1440        0%        1440</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>refresh_pattern -i (/cgi-bin/|\?) 0        0%        0</span> <br><span style='font-size:10.0pt;font-family:"Courier New"'>refresh_pattern .                
0        20%        4320</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>======================================</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>cache.log output:</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Connected OK</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>group filter '(&(objectclass=person)(userPrincipalName=da.853438@ABCD.GOV.IN)(memberof=cn=lgInternetAccess,ou=InternetAccess,ou=Groups,dc=abcd,dc=gov,dc=in))', searchbase 'DC=ABCD,DC=GOV,DC=IN'</span> <br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>======================================</span> <br><br><br><span style='font-size:10.0pt;font-family:"Arial","sans-serif"'>Thanks & Regards<br>Nilesh Suresh Gavali</span><o:p></o:p></p></div></body></html>
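The command-line check Eliezer asks about, as an added example that is not part of the thread: Squid's external ACL helpers speak a one-line-per-request protocol on stdin/stdout, so the group helper can be driven by hand with the same arguments as in squid.conf before suspecting the http_access rules. The helper path, filter, group name and login are taken from the quoted config and cache.log line; the password file /etc/squid/ldap_pw and the -W option (read the bind password from a file instead of exposing it with -w) are assumptions.

```shell
#!/bin/sh
# Added example: test a Squid external_acl_type helper outside Squid.
# Protocol for a helper declared with %LOGIN and one acl argument:
#   stdin : one request per line, "<login> <group>"
#   stdout: one reply per line whose first word is OK, ERR or BH
# Login and group values below are constructed from the cache.log line in the thread.

# check_group LOGIN GROUP HELPER [HELPER_ARGS...]
# Prints the verdict word (OK, ERR or BH) and returns 0 only for OK.
check_group() {
    login=$1
    group=$2
    shift 2
    # Helper debug output (-d) goes to stderr; only the reply line matters here.
    reply=$(printf '%s %s\n' "$login" "$group" | "$@" 2>/dev/null | head -n 1)
    verdict=${reply%% *}
    # No reply at all means the helper crashed or never answered: treat it as BH.
    [ -n "$verdict" ] || verdict=BH
    printf '%s\n' "$verdict"
    [ "$verdict" = OK ]
}

# Same helper and arguments as the quoted squid.conf, except that the bind
# password is read from a root-only file (-W, assumed path) instead of being
# passed with -w, where anyone who can read squid.conf or run ps can see it.
ldap_group_check() {
    check_group "$1" "$2" /usr/lib64/squid/squid_ldap_group \
        -P -R -b "DC=ABCD,DC=GOV,DC=IN" -D svcproxy -W /etc/squid/ldap_pw \
        -f "(&(objectclass=person)(userPrincipalName=%u)(memberof=cn=%g,ou=InternetAccess,ou=Groups,dc=ABCD,dc=GOV,dc=IN))" \
        -h abcd.gov.in -s sub -v 3 -d
}

# Usage: sh check_helper.sh da.853438@ABCD.GOV.IN lgInternetAccess
# The login must be exactly what %LOGIN yields after Kerberos authentication
# (user@REALM), because the filter compares it against userPrincipalName.
if [ $# -eq 2 ] && [ -x /usr/lib64/squid/squid_ldap_group ]; then
    if ldap_group_check "$1" "$2"; then
        echo "member: the AD_Group acl would match for $1"
    else
        echo "not a member (or helper error): the acl would not match for $1"
    fi
fi
```

If the helper answers OK here but the rule still does not behave as expected, the problem is in the http_access order or the acl arguments, not in LDAP.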