[squid-users] URL access based on AD group membership

Amos Jeffries squid3 at treenet.co.nz
Wed Jun 15 14:21:54 UTC 2016


On 16/06/2016 1:50 a.m., nilesh.gavali wrote:
> Hi Team;
> I have a setup as below:
> Squid Kerberos authentication with Windows AD 2012r2 - works fine.
> Now I need to restrict access based on AD group membership.
> 
> The configuration below is done, but no luck. When I try to access with a user who is 
> not part of the group mentioned, he is still able to browse the Internet.
> 

This is because:

<snip>
Step 0) check the basic security rules that deny bad behaviour.

>
> http_access deny !ad_auth

Step 1) deny with a "require authentication" message if there are no
valid credentials sent.

> http_access allow ad_auth

Step 2) allow anyone who has valid credentials to use the proxy.

... Uh, Stop.

Users either sent valid credentials [2 happened] or they did not [1
happened]. There are no other possibilities.


> http_access deny !AllowDomainAdmin
> http_access allow AllowDomainAdmin
> 

As explained in the FAQ
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#Access_Lists>

Amos
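
The first-match behaviour described in the reply above, as an added example (not part of the original message and not Squid code). It models only the four quoted http_access lines. The reordered rule list, the final "deny all" line and the sample requests are assumptions made for illustration.

```python
# Added example: simplified model of Squid's http_access evaluation.
# A rule is (action, [acl terms]); "!" negates a term; terms on a line are ANDed.
# The first line whose terms all match decides the request.

def acl_matches(term, request):
    negate = term.startswith("!")
    name = term[1:] if negate else term
    if name == "all":
        result = True
    elif name == "ad_auth":
        result = request["authenticated"]
    elif name == "AllowDomainAdmin":
        # A group check needs a user name, so it cannot match without credentials.
        result = request["authenticated"] and request["in_group"]
    else:
        raise ValueError("unknown ACL in this model: " + name)
    return result != negate

def evaluate(rules, request):
    """Return (action, deciding line number) for one request."""
    for lineno, (action, terms) in enumerate(rules, start=1):
        if all(acl_matches(t, request) for t in terms):
            return action, lineno
    # No line matched: Squid applies the opposite of the last line's action.
    return ("deny" if rules[-1][0] == "allow" else "allow"), None

# The four http_access lines quoted in the message, in the posted order.
AS_POSTED = [("deny", ["!ad_auth"]), ("allow", ["ad_auth"]),
             ("deny", ["!AllowDomainAdmin"]), ("allow", ["AllowDomainAdmin"])]

# Assumed reordering (not from the thread): group check before any broad allow.
REORDERED = [("deny", ["!ad_auth"]), ("allow", ["AllowDomainAdmin"]),
             ("deny", ["all"])]

# Constructed sample requests.
REQUESTS = {
    "no credentials": {"authenticated": False, "in_group": False},
    "user outside group": {"authenticated": True, "in_group": False},
    "user in group": {"authenticated": True, "in_group": True},
}

def report(rules):
    return {who: evaluate(rules, req) for who, req in REQUESTS.items()}

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("reordered", REORDERED)):
        for who, (action, line) in report(rules).items():
            print(f"{label:10} {who:20} -> {action} (line {line})")
```

In the posted order every request is decided by line 1 or line 2, so the two AllowDomainAdmin lines are never evaluated.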


