[squid-users] URL access based on AD group membership
Amos Jeffries
squid3 at treenet.co.nz
Wed Jun 15 14:21:54 UTC 2016
On 16/06/2016 1:50 a.m., nilesh.gavali wrote:
> Hi Team;
> I have a setup as below:
> Squid Kerberos authentication with Windows AD 2012r2 - works fine.
> Now I need to restrict access based on AD group membership.
>
> The configuration below is done, but no luck. When I try to access with a user who is
> not part of the group mentioned, he is still able to browse the Internet.
>
This is because:

<snip>

Step 0) check the basic security rules that deny bad behaviour.

>
> http_access deny !ad_auth

Step 1) deny with a "require authentication" message if there are no
valid credentials sent.

> http_access allow ad_auth

Step 2) allow anyone who has valid credentials to use the proxy.

... Uh, Stop.

Users either sent valid credentials [2 happened] or they did not [1
happened]. There are no other possibilities.

> http_access deny !AllowDomainAdmin
> http_access allow AllowDomainAdmin
>

As explained in the FAQ
<http://wiki.squid-cache.org/SquidFaq/SquidAcl#Access_Lists>
Amos
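
The first-match behaviour described in the reply, as an added example that is not part of the original message or of Squid itself: a simplified Python model of `http_access` evaluation, run over the four lines quoted in the thread and over a reordered list. The reordered list, its closing `deny all` line, the sample users and the way the two ACLs are modelled are assumptions made for illustration.

```python
# Simplified model of Squid http_access processing (added example).
ORIGINAL = [                      # order quoted in the thread
    "http_access deny !ad_auth",
    "http_access allow ad_auth",
    "http_access deny !AllowDomainAdmin",
    "http_access allow AllowDomainAdmin",
]
REORDERED = [                     # assumed fix: group check before any allow
    "http_access deny !ad_auth",
    "http_access deny !AllowDomainAdmin",
    "http_access allow AllowDomainAdmin",
    "http_access deny all",
]
USERS = {                         # constructed sample users
    "alice": {"authenticated": True, "in_group": True},
    "bob": {"authenticated": True, "in_group": False},
    "anon": {"authenticated": False, "in_group": False},
}

def acl_matches(acl, user):
    """Evaluate one ACL name, optionally negated with '!'."""
    name = acl.lstrip("!")
    if name == "all":
        hit = True
    elif name == "ad_auth":            # valid credentials were sent
        hit = user["authenticated"]
    elif name == "AllowDomainAdmin":   # member of the permitted AD group
        hit = user["authenticated"] and user["in_group"]
    else:
        raise ValueError(f"unknown ACL: {name}")
    return hit != acl.startswith("!")

def evaluate(rules, user):
    """First line whose ACLs all match decides; return (action, line)."""
    for line in rules:
        _, action, *acls = line.split()
        if all(acl_matches(a, user) for a in acls):
            return action, line
    # No line matched: Squid applies the opposite of the last line's action.
    last = rules[-1].split()[1]
    return ("deny" if last == "allow" else "allow"), None

def deciding_lines(rules):
    """Lines that decide at least one sample request; the rest are dead."""
    return {evaluate(rules, u)[1] for u in USERS.values()}

if __name__ == "__main__":
    for label, rules in (("original", ORIGINAL), ("reordered", REORDERED)):
        for name, user in USERS.items():
            print(label, name, *evaluate(rules, user))
```

With the original order, the two `AllowDomainAdmin` lines never decide a request for any sample user, which is why the non-member still gets through.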