<font size=2 face="sans-serif">Hello Eliezer, </font>
<br><font size=2 face="sans-serif">Able to achieve want require with below
link, thank to you and Amos for support...</font>
<br>
<br>
<br><font size=2 face="sans-serif">Thanks & Regards<br>
Nilesh Suresh Gavali<br>
</font>
<br>
<br>
<br>
<br><font size=1 color=#5f5f5f face="sans-serif">From:
</font><font size=1 face="sans-serif">Eliezer Croitoru <eliezer@ngtech.co.il></font>
<br><font size=1 color=#5f5f5f face="sans-serif">To:
</font><font size=1 face="sans-serif">'Nilesh Gavali' <nilesh.gavali@tcs.com>,
squid-users@lists.squid-cache.org</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Date:
</font><font size=1 face="sans-serif">21/06/2016 07:47</font>
<br><font size=1 color=#5f5f5f face="sans-serif">Subject:
</font><font size=1 face="sans-serif">RE: [squid-users]
URL access based on AD group membership</font>
<br>
<hr noshade>
<br>
<br>
<br><font size=2 color=#004080 face="Calibri">Hey,</font>
<br><font size=2 color=#004080 face="Calibri"> </font>
<br><font size=2 color=#004080 face="Calibri">The first place to find documents
is at:</font>
<br><a href="http://www.squid-cache.org/Versions/v3/3.5/cfgman/external_acl_type.html"><font size=2 color=blue face="Calibri"><u>http://www.squid-cache.org/Versions/v3/3.5/cfgman/external_acl_type.html</u></font></a>
<br><font size=2 color=#004080 face="Calibri"> </font>
<br><font size=2 color=#004080 face="Calibri">But you are not the first
to encounter squid and do not understand couple basics.</font>
<br><font size=2 color=#004080 face="Calibri">Like any complex piece of
software you can just ask publically or privately.</font>
<br><font size=2 color=#004080 face="Calibri"> </font>
<br><font size=2 color=#004080 face="Calibri">Eliezer</font>
<br><font size=2 color=#004080 face="Calibri"> </font>
<br><font size=2 color=#004080 face="Arial Rounded MT Bold">----</font>
<br><a href=http://ngtech.co.il/lmgtfy/><font size=2 color=#0082bf face="Arial Rounded MT Bold"><u>Eliezer
Croitoru</u></font></a><font size=2 color=#004080 face="Arial Rounded MT Bold"><br>
Linux System Administrator<br>
Mobile: +972-5-28704261<br>
Email: eliezer@ngtech.co.il</font>
<br><img src=cid:_4_0A58EFD40A58ED68003FDFF480257FD9 style="border:0px solid;">
<br><font size=2 color=#004080 face="Calibri"> </font>
<br><font size=2 face="Calibri"><b>From:</b> squid-users [</font><a href="mailto:squid-users-bounces@lists.squid-cache.org"><font size=2 face="Calibri">mailto:squid-users-bounces@lists.squid-cache.org</font></a><font size=2 face="Calibri">]
<b>On Behalf Of </b>Nilesh Gavali<b><br>
Sent:</b> Monday, June 20, 2016 8:58 PM<b><br>
To:</b> squid-users@lists.squid-cache.org<b><br>
Subject:</b> [squid-users] URL access based on AD group membership</font>
<br><font size=3 face="Times New Roman"> </font>
<br><font size=2 face="Arial">Hello Amos;</font><font size=3 face="Times New Roman">
</font><font size=2 face="Arial"><br>
is there a simpler way to tackle this as I am not linux guy and not sure
howto write any helper program which need to call.</font><font size=3 face="Times New Roman">
<br>
<br>
</font><font size=2 face="Arial"><br>
Regards;</font><font size=3 face="Times New Roman"> </font><font size=2 face="Arial"><br>
Nilesh Gavali</font><font size=3 face="Times New Roman"> <br>
<br>
</font><font size=2 face="Courier New"><br>
<br>
> Thanks Eliezer for reply.<br>
> Its is working now for be perfectly with below command with -d option
<br>
> gives helpful debug info to troubleshoot.<br>
> <br>
> external_acl_type AD_Group %LOGIN /usr/lib64/squid/squid_ldap_group
-P -R <br>
> -b "DC=ABCD,DC=GOV,DC=IN" -D svcproxy -w 123456789 -f <br>
> "(&(objectclass=person)(userPrincipalName=%v)(memberof=cn=%a,ou=InternetAccess,ou=Groups,dc=ABCD,dc=GOV,dc=IN))"
<br>
> -h abcd.gov.in -s sub -v 3 -d<br>
> <br>
> Currently I have configure squid with AD kerberos auth. also url access
<br>
> restricted based on AD group membership.<br>
> <br>
> Now I observed, is that when I add any user to one of the AD group
which <br>
> allowed in squid. it is not accepting the changes until I restart
the <br>
> squid service.<br>
<br>
Your external_acl_type has a 1 hour response cache. Meaning it will take<br>
a minimum of 1 hour for any changes to the AD group settings to be<br>
passed on to Squid.<br>
<br>
<br>
> <br>
> auth_param negotiate program /usr/lib64/squid/squid_kerb_auth -s <br>
> </font><a href=mailto:HTTP/proxy02.abcd.gov.in@ABCD.GOV.IN><font size=2 color=blue face="Courier New"><u>HTTP/proxy02.abcd.gov.in@ABCD.GOV.IN</u></font></a><font size=2 face="Courier New">
<br>
> auth_param negotiate children 10 <br>
> auth_param negotiate keep_alive on <br>
> auth_param basic credentialsttl 2 hours <br>
<br>
NP: settings for Basic authentication do not have any affect on<br>
non-Basic types of authentication.<br>
<br>
There is no TTL for Kerberos user credentials. They are valid for as<br>
long as the TCP connection to the proxy is open. Any change in the<br>
Kerberos security tokens sent by the client after authentication is<br>
completed will terminate/close the TCP connection.<br>
<br>
<br>
> <br>
> external_acl_type AD_Group %LOGIN /usr/lib64/squid/squid_ldap_group
-P -R <br>
> -b "DC=ABCD,DC=GOV,DC=IN" -D svcproxy -w 123456789 -f <br>
> "(&(objectclass=person)(userPrincipalName=%u)(memberof=cn=%g,ou=InternetAccess,ou=Groups,dc=ABCD,dc=GOV,dc=IN))"
<br>
> -h abcd.gov.in -s sub -v 3 -d <br>
> <br>
<br>
Since your helper names were outdated 6 years ago I assume you are using<br>
Squid-3.1 or older:<br>
<</font><a href="http://www.squid-cache.org/Versions/v3/3.1/cfgman/external_acl_type.html"><font size=2 color=blue face="Courier New"><u>http://www.squid-cache.org/Versions/v3/3.1/cfgman/external_acl_type.html</u></font></a><font size=2 face="Courier New">><br>
<br>
Note the default values for ttl= , negative_ttl=, and grace=<br>
<br>
Amos</font>
<p><font size=3 face="Times New Roman">=====-----=====-----=====<br>
Notice: The information contained in this e-mail<br>
message and/or attachments to it may contain <br>
confidential or privileged information. If you are <br>
not the intended recipient, any dissemination, use, <br>
review, distribution, printing or copying of the <br>
information contained in this e-mail message <br>
and/or attachments to it are strictly prohibited. If <br>
you have received this communication in error, <br>
please notify us by reply e-mail or telephone and <br>
immediately and permanently delete the message <br>
and any attachments. Thank you</font>
<p>