Re: [squid-users] web access based on ldap groups

cipher wrote:
Dear users,

I just got squid authenticating through LDAP, using
squid_ldap_auth and everything is fine.
Users can authenticate and no problems are showing up.

Now I would like to know a way to give different users
permissions for different web access.
For example, I have this configuration:

[...]
acl block_word url_regex "/etc/squid/block_word"
acl block_url url_regex "/etc/squid/block_url"
acl block_domain dstdomain "/etc/squid/block_domain"
acl block_dest_ip dst "/etc/squid/block_dest_ip"
acl accept proxy_auth "/etc/squid/accept_user"
acl forbidden proxy_auth "/etc/squid/forbidden_user"
http_access allow accept block_word
http_access allow accept block_domain
http_access allow accept block_dest_ip
http_access allow accept block_url
http_access deny forbidden block_word
http_access deny forbidden block_domain
http_access deny forbidden block_dest_ip
http_access deny forbidden block_url
[...]

What happened was that I was filtering web access
through two text files called /etc/squid/accept_user
and /etc/squid/forbidden_user, which had information
about the users that were allowed or not allowed to
have web access to the URLs in the /etc/squid/block_url
file, for example.

Now with LDAP working I have two groups:

 -> proxy-allow
 -> proxy-deny

I want to put users in those two groups, and the idea
is that users in the proxy-allow group will have
web access to URLs in /etc/squid/block_url and
users in the proxy-deny group will not have web access to
those URLs.

I am aware that squid_ldap_group does the job but I am
not really understanding how.

I read through the archives and no answer to this issue
was found. At least I wasn't able to see it. :)

I already know that an external_acl_type acl is needed.
I just haven't figured out how to tell squid.conf to
search those groups and give access like it is meant to.

Is there a chance someone could point me in the right
direction to get this working, or maybe point me to the archive
where this issue is answered?

Feel free to ask for more configuration information if
you need to.

Thanks a lot for reading this and in advance!

squid_ldap_group operates very similarly to squid_ldap_auth. I assume you are already successfully getting the user login details and are authenticating the users. After that you just need an external_acl_type statement for the ldap checking such as this (forgive the long description, it's something I wrote up after I got it working so that it is understandable to some degree):


external_acl_type ldap_group ttl=120 negative_ttl=120 %LOGIN /usr/lib/squid/squid_ldap_group -b cn=Users,dc=domain,dc=local -f "(&(cn=%g)(member=%u)(objectClass=group))" -B dc=domain,dc=local -F "samaccountname=%s" -S -R -D cn=ldapsearchuser,cn=Users,dc=domain,dc=local -w password -a find -s sub -h server.domain.local

ldap_group is the type of external ACL we are using.
ttl and negative_ttl are set to short intervals so that adding or removing a user from the authorised group doesn't incur a huge delay.
%LOGIN is a standard parameter - it just passes the user details from the authenticator module
-b is the Base DN for the security group in the AD.
-f specifies how the user is to be found in the group. cn=%g will give you the group DN itself, member=%u finds the user by their DN, and objectClass=group is self explanatory.
-B is the Base DN for the users.
-F is used to specify the search filter for the users. Samaccountname is the parameter I search for since I found the browser sends the shortened version of the login name (instead of the full name or something).
-S specifies that it should strip the domain name off the front of the username (since I was using NTLM and that passed the domain name)
-R allows us to have users in multiple OUs.
-D specifies the DN of a user authorised to perform LDAP searches on the AD. This I believe can be any user in the AD.
-a specifies the search technique and may not be required
-s specifies how to handle searching up the tree and defaults to sub anyway so is not really required.
-h server.domain.local just specifies the domain controller that the LDAP query is performed on.


Then you need acls to specify the groups you are checking for:

acl AuthGroup external ldap_group Internet

and http_access lines to actually allow those groups or whatever:

http_access allow AuthGroup

This is where you can get very creative (not something I have done...). Hope this helps (and is relatively correct - my explanations are probably not entirely accurate).

Cheers,
Oliver
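As an added example that is not part of the thread (constructed here, not Oliver's or the poster's own configuration), this is how the two groups from the original question could be wired to the block_url list with the external_acl_type above; the directory layout (AD-style group objects, sAMAccountName lookups), the DNs, the host name and PASSWORD are assumptions:

```conf
# Constructed example, not from the thread: the poster's proxy-allow /
# proxy-deny groups wired to the block_url list via the ldap_group helper.
# Assumed: an AD-style directory (group objects with objectClass=group and a
# member attribute, users found by sAMAccountName) and an already working
# squid_ldap_auth setup; DNs, host and PASSWORD are placeholders.
# -S from Oliver's line is omitted because basic auth sends no DOMAIN\ prefix.

external_acl_type ldap_group ttl=120 negative_ttl=120 %LOGIN /usr/lib/squid/squid_ldap_group -b cn=Users,dc=domain,dc=local -f "(&(cn=%g)(member=%u)(objectClass=group))" -B dc=domain,dc=local -F "samaccountname=%s" -D cn=ldapsearchuser,cn=Users,dc=domain,dc=local -w PASSWORD -h server.domain.local

# One acl per group. The last word on each line is what %g expands to in -f,
# so it must match the group's cn exactly.
acl proxy_allow external ldap_group proxy-allow
acl proxy_deny  external ldap_group proxy-deny

acl block_url     url_regex  "/etc/squid/block_url"
acl authenticated proxy_auth REQUIRED

# Squid stops at the first http_access line whose acls all match, so the
# group rules for the blocked URLs must come before the general allow.
# %LOGIN makes Squid authenticate the user before the helper is consulted.
http_access deny  proxy_deny  block_url
http_access allow proxy_allow block_url
http_access deny  block_url        # users in neither group; drop this line to let them through
http_access allow authenticated
http_access deny  all
```

Because of ttl=120, removing a user from proxy-allow takes effect only after the cached result expires, so lower the ttl if that delay matters. The -w option puts the bind password on the command line where any local user can read it from the process list, so use a dedicated read-only bind account and, where your helper version supports it, read the password from a file instead.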
