[squid-users] Assistance with Kerberos Authentication and AD Group-Based ACLs in Squid
Enfal Gok
enfal.gok2004 at gmail.com
Thu Jan 2 11:35:58 UTC 2025
Dear Squid Support Team,
I am currently configuring Squid with Kerberos authentication and would like to integrate Active Directory (AD) group-based access control. My Kerberos authentication is working, and I can access AD successfully from my Ubuntu server. Below is my current Squid configuration:
# Kerberos authentication
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on
# ACLs
acl kerberos-auth proxy_auth REQUIRED
http_access allow kerberos-auth
# General access
http_access allow localhost
http_access deny all
# Proxy settings
http_port 3128
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
What Works:
1. Kerberos authentication is successfully validating users, and authenticated requests are being allowed through the proxy.
2. My Ubuntu server is connected to AD, and I can query AD successfully using ldapsearch.
What I Need Assistance With:
I want to integrate AD group-based ACLs to control user access based on their group membership in Active Directory. Specifically:
1. Restrict access for users in certain groups (e.g., Blocked group).
2. Allow limited or filtered access for users in other groups (e.g., Restricted or Filtered groups).
3. Provide full internet access for users in a FullAccess group.
Questions:
1. What is the best way to combine Kerberos authentication with AD group-based access control in Squid?
2. Should I use the external_acl_type helper with LDAP queries, or is there a better way, such as leveraging note ACLs and group annotations from the Kerberos helper?
3. Are there specific configuration examples or optimizations you recommend to achieve this setup?
Additional Information:
* I am new to configuring Squid and AD integration and have very little experience with these systems. If possible, I would greatly appreciate clear and beginner-friendly guidance.
* I have tested ldapsearch and confirmed that I can retrieve user attributes, including memberof, from AD.
* Despite extensive searching online, I couldn’t find a complete configuration example for integrating Kerberos authentication and AD group-based ACLs. If such an example exists, could you share it or guide me in creating one?
Thank you in advance for your assistance. Please let me know if additional details or logs are needed.
Best regards,
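A worked configuration for the group-based rules asked about above, added here as an example; it is not part of the original post and not taken from Squid's own documentation. It answers the second question with Squid's bundled ext_kerberos_ldap_group_acl helper: the helper takes the authenticated user name (%LOGIN, i.e. user@REALM), binds to the domain's LDAP servers with the proxy's Kerberos keytab (no LDAP password in squid.conf) and answers OK/ERR depending on membership of the group(s) named with -g. The realm EXAMPLE.COM, the group names Blocked, FullAccess and Restricted, the file /etc/squid/restricted_sites.txt and the ttl values are assumptions for the example. Note the rule order: unlike the posted config, "allow kerberos-auth" must not sit above the group rules, because http_access is first-match and every authenticated user would be allowed before any group check runs.

```squid
# --- Kerberos authentication (as in the post) ---
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

# --- AD group lookups (assumed realm EXAMPLE.COM and group names) ---
# One helper definition per group, each answering OK only for members of
# the group given with -g. The helper needs the proxy's keytab in its
# environment (KRB5_KTNAME, e.g. exported from /etc/default/squid) for the
# GSSAPI bind. ttl/negative_ttl bound how long a cached answer survives a
# group change; keep them short for the group that blocks access.
external_acl_type ad_blocked    ttl=60  negative_ttl=60  children-max=5 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g Blocked@EXAMPLE.COM
external_acl_type ad_fullaccess ttl=300 negative_ttl=60  children-max=5 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g FullAccess@EXAMPLE.COM
external_acl_type ad_restricted ttl=300 negative_ttl=60  children-max=5 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g Restricted@EXAMPLE.COM

acl kerberos-auth  proxy_auth REQUIRED
acl grp_blocked    external ad_blocked
acl grp_fullaccess external ad_fullaccess
acl grp_restricted external ad_restricted
# Destinations the Restricted group may reach, one domain per line (assumed file)
acl restricted_sites dstdomain "/etc/squid/restricted_sites.txt"

# --- Access rules: first match wins, so the order is the policy ---
http_access allow localhost
# Force authentication before any group lookup: an unauthenticated request
# gets a 407 here instead of reaching the group rules.
http_access deny !kerberos-auth
# Blocked overrides every other membership, including FullAccess.
http_access deny grp_blocked
http_access allow grp_fullaccess
# Restricted users reach only the listed destinations.
http_access allow grp_restricted restricted_sites
# Authenticated but in none of the known groups: denied (default deny).
http_access deny all

http_port 3128
cache_dir ufs /var/spool/squid 100 16 256
coredump_dir /var/spool/squid
```

Before reloading Squid, exercise a helper by hand as the squid user with the keytab path set, for example `echo 'alice@EXAMPLE.COM' | sudo -u proxy KRB5_KTNAME=/etc/squid/PROXY.keytab /usr/lib/squid/ext_kerberos_ldap_group_acl -d -g FullAccess@EXAMPLE.COM` (user name, account and keytab path assumed); it prints OK or ERR and, with -d, the LDAP search it performed on stderr. When a user is moved between groups the old answer is served from the external ACL cache for up to ttl or negative_ttl seconds, so a newly blocked user keeps access for that long unless the cache is cleared by a reload.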