[squid-users] URL access based on AD group membership

Bruno de Paula Larini bruno.larini at riosoft.com.br
Wed Jun 15 17:27:14 UTC 2016


Em 15/06/2016 10:50, nilesh.gavali at tcs.com escreveu:
> Hi Team;
> I have the setup below:
>
>   * Squid Kerberos authentication with Windows AD 2012r2. - works fine.
>   * Now I need to restrict access based on AD group membership.
>
>
> The configuration below was done but with no luck. When trying to access with a user who 
> is not part of the group mentioned, he is still able to browse the Internet.

The following works fine for me and in my opinion works better than 
LDAP. The authentication is integrated, so it doesn't keep asking for a 
password (when the current user is a domain account). But you have to 
add the Squid server to the domain using 'smb.conf', 'krb5.conf' and 
then 'net ads join'. The service 'winbind' must be running too.
I'm using Squid 3.5.19.


     # NTLM authentication through Samba's ntlm_auth (winbind must be running).
     # Note: --enable-external-acl-helpers=... is a Squid ./configure build option,
     # not an ntlm_auth flag, so it does not belong on this line.
     auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN
     auth_param ntlm children 10 startup=0 idle=2

     # Group lookup through winbind; %LOGIN hands the authenticated user name to the helper,
     # which is followed by the group name(s) given on the acl line.
     external_acl_type NTGroup children-startup=10 children-idle=2 children-max=50 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl

     # Defined here; the http_access allow rules that use it are not part of this excerpt.
     acl authenticated proxy_auth REQUIRED

     # Both ACLs on the same http_access line must match (AND): members of
     # MYDOMAIN\AD_Group are denied the destination domains listed in the regex file.
     acl ad_group external NTGroup MYDOMAIN\AD_Group
     acl denied_websites dstdom_regex -i "/etc/squid/denied-websites.txt"
     http_access deny ad_group denied_websites


So all the members of MYDOMAIN\AD_Group won't have access to whatever 
the file contains.

Bruno
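The helper protocol behind the `external_acl_type ... ext_wbinfo_group_acl` line, and the AND-semantics of `http_access deny ad_group denied_websites` on top of it, as an added illustration that is not code from the post or from the Squid project. Group membership comes from a constructed in-memory table instead of winbind (the real helper asks `wbinfo`); the accounts, groups, the realm-to-domain mapping and the deny-list patterns are all hypothetical. It shows what Squid writes to the helper (URL-encoded fields, an optional channel id under `concurrency=N`), what it expects back (`OK`/`ERR`), and why the deny only fires when the user is in the group *and* the destination matches the regex file.

```python
"""Added example (not from the post or the Squid project): a stand-in for the
stdin/stdout protocol that ext_wbinfo_group_acl speaks, with the decision made
by  http_access deny ad_group denied_websites  on top of it.
Group membership comes from a constructed table instead of winbind."""
import re
import sys
from urllib.parse import unquote

# Constructed sample data; accounts and groups are hypothetical.
MEMBERSHIP = {
    "mydomain\\jdoe":   {"mydomain\\ad_group", "mydomain\\domain users"},
    "mydomain\\asmith": {"mydomain\\domain users"},
}
DEFAULT_DOMAIN = "MYDOMAIN"                       # assumed for bare user names
REALM_TO_DOMAIN = {"MYDOMAIN.LOCAL": "MYDOMAIN"}  # hypothetical realm -> NetBIOS name

# Constructed stand-in for /etc/squid/denied-websites.txt (dstdom_regex -i).
DENIED_WEBSITES = r"""
# one regex per line, matched case-insensitively against the destination host
\.example\.org$
^social\.example\.net$
""".splitlines()


def normalize(name):
    """Reduce DOMAIN\\user, DOMAIN/user, user@REALM and bare user to one key."""
    name = name.replace("/", "\\")
    if "\\" in name:
        domain, _, account = name.partition("\\")
    elif "@" in name:                     # Kerberos principal form
        account, _, realm = name.partition("@")
        # fall back to the realm's first label when no mapping is known (assumption)
        domain = REALM_TO_DOMAIN.get(realm.upper(), realm.split(".")[0])
    else:
        domain, account = DEFAULT_DOMAIN, name
    return f"{domain}\\{account}".lower()


def user_in_groups(user, groups, membership=MEMBERSHIP):
    """The helper's semantics: OK if the user is in ANY of the listed groups."""
    have = membership.get(normalize(user), set())
    return any(normalize(g) in have for g in groups)


def handle_line(line, membership=MEMBERSHIP, concurrent=False):
    """One request/reply of the Squid external ACL helper protocol.

    Request:  '[channel-id] <user> <group> [<group> ...]'
              (the user comes from %LOGIN, the groups from the acl line;
              fields are URL-encoded, so 'MYDOMAIN\\AD_Group' arrives as
              'MYDOMAIN%5CAD_Group'; the channel id is present only when
              external_acl_type has concurrency=N).
    Reply:    '[channel-id] OK' or '[channel-id] ERR'
    """
    fields = line.strip().split()
    channel = fields.pop(0) if concurrent and fields else None
    fields = [unquote(f) for f in fields]
    if len(fields) >= 2 and user_in_groups(fields[0], fields[1:], membership):
        verdict = "OK"
    else:
        verdict = "ERR"                   # malformed requests are refused, not allowed
    return f"{channel} {verdict}" if channel is not None else verdict


def compile_denylist(lines):
    """Parse the regex file: blank lines and '#' comments are skipped."""
    return [re.compile(s, re.IGNORECASE)
            for s in (raw.strip() for raw in lines) if s and not s.startswith("#")]


def denied(user, dest_host, membership=MEMBERSHIP, denylist_lines=DENIED_WEBSITES):
    """Emulates  http_access deny ad_group denied_websites :
    both ACLs on one http_access line must match (AND) for the deny to fire."""
    in_group = user_in_groups(user, ["MYDOMAIN\\AD_Group"], membership)
    host_hit = any(p.search(dest_host) for p in compile_denylist(denylist_lines))
    return in_group and host_hit


def serve(stdin=sys.stdin, stdout=sys.stdout, concurrent=False):
    """Run as a helper: one reply per line, flushed at once (Squid waits for it)."""
    for line in stdin:
        stdout.write(handle_line(line, concurrent=concurrent) + "\n")
        stdout.flush()


if __name__ == "__main__":
    serve(concurrent="--concurrent" in sys.argv[1:])
```

The same request/reply exchange is the first thing to check when a group ACL "does nothing": feed the real helper one line by hand, e.g. `echo 'MYDOMAIN\jdoe MYDOMAIN\AD_Group' | /usr/lib64/squid/ext_wbinfo_group_acl`, and confirm it answers `OK` for a member and `ERR` for a non-member before looking at the `http_access` order. If the user name Squid logs is in `user@REALM` form (Kerberos) rather than `DOMAIN\user` (NTLM), that is the normalisation step above and it is where such setups usually differ.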