Hi Oliver,

Thank you very much for your time :) Yes, I already have authentication working with squid_ldap_auth. Now I am going to study carefully the directions you pointed to and I will write about how it went! Hope I can be in touch with you by Saturday.

Speak to you soon and thanks a lot for caring ;)

*cipher*

> cipher wrote:
> > Dear users,
> >
> > I just got squid authenticating through ldap, using squid_ldap_auth and everything is fine.
> > Users can authenticate and no problems are showing up.
> >
> > Now I would like to know a way to give user permissions to different web accesses to different users.
> > For example, I have this configuration:
> >
> > [...]
> > acl block_word url_regex "/etc/squid/block_word"
> > acl block_url url_regex "/etc/squid/block_url"
> > acl block_domain dstdomain "/etc/squid/block_domain"
> > acl block_dest_ip dst "/etc/squid/block_dest_ip"
> > acl accept proxy_auth "/etc/squid/accept_user"
> > acl forbidden proxy_auth "/etc/squid/forbidden_user"
> > http_access allow accept block_word
> > http_access allow accept block_domain
> > http_access allow accept block_dest_ip
> > http_access allow accept block_url
> > http_access deny forbidden block_word
> > http_access deny forbidden block_domain
> > http_access deny forbidden block_dest_ip
> > http_access deny forbidden block_url
> > [...]
> >
> > What happened was that I was filtering web access through text files called /etc/squid/accept_user and /etc/squid/forbidden_user, which had information about the users that were allowed or not allowed to have web access to the urls in the /etc/squid/block_url file, for example.
> >
> > Now with ldap working I have two groups:
> >
> > -> proxy-allow
> > -> proxy-deny
> >
> > I want to put users in those two groups, and the idea is that users in the proxy-allow group will have web access to urls in the /etc/squid/block_url and users in the proxy-deny group will not have web access to those urls.
> >
> > I am aware that squid_ldap_group does the job but I am not really understanding how.
> >
> > I read through the archives and no answer to this issue was found. At least I wasn't able to see it. :)
> >
> > I already know that an external_acl_type acl is needed. I just haven't figured out how to tell squid.conf to go search on those groups and give access like it is meant to.
> >
> > Is there a chance someone could point me in the right direction to get this working or maybe point me to the archive where this issue is answered?
> >
> > Feel free to ask for more configuration information if you need to.
> >
> > Thanks a lot for reading this and in advance!
>
> squid_ldap_group operates very similarly to squid_ldap_auth. I assume you are already successfully getting the user login details and are authenticating the users. After that you just need an external_acl_type statement for the ldap checking such as this (forgive the long description, it's something I wrote up after I got it working so that it is understandable to some degree):
>
> external_acl_type ldap_group ttl=120 negative_ttl=120 %LOGIN /usr/lib/squid/squid_ldap_group -b cn=Users,dc=domain,dc=local -f "(&(cn=%g)(member=%u)(objectClass=group))" -B dc=domain,dc=local -F "samaccountname=%s" -S -R -D cn=ldapsearchuser,cn=Users,dc=domain,dc=local -w password -a find -s sub -h server.domain.local
>
> ldap_group is the type of external ACL we are using.
> ttl and negative_ttl are set to short intervals so that adding or removing a user from the authorised group doesn't incur a huge delay.
> %LOGIN is a standard parameter - it just passes the user details from the authenticator module.
> -b is the Base DN for the security group in the AD.
> -f specifies how the user is to be found in the group. cn=%g will give you the group DN itself, member=%u finds the user by their DN, and objectClass=group is self explanatory.
> -B is the Base DN for the users.
> -F is used to specify the search filter for the users. Samaccountname is the parameter I search for since I found the browser sends the shortened version of the login name (instead of the full name or something).
> -S specifies that it should strip the domain name off the front of the username (since I was using NTLM and that passed the domain name).
> -R allows us to have users in multiple OUs.
> -D specifies the DN of a user authorised to perform LDAP searches on the AD. This I believe can be any user in the AD.
> -a specifies the search technique and may not be required.
> -s specifies how to handle searching up the tree and defaults to sub anyway so is not really required.
> -h server.domain.local just specifies the domain controller that the LDAP query is performed on.
>
> Then you need acls to specify the groups you are checking for:
>
> acl AuthGroup external ldap_group Internet
>
> and http_access lines to actually allow those groups or whatever:
>
> http_access allow AuthGroup
>
> This is where you can get very creative (not something I have done...).
> Hope this helps (and is relatively correct - my explanations are probably not entirely accurate).
>
> Cheers,
> Oliver
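The two AD groups wired into cipher's existing block lists, as an added example that is not part of either post. It reuses Oliver's helper line with one change: the bind password is read from a root-readable file with -W (assumed to be available in your squid_ldap_group build; the original -w password form still works but leaves the password visible in squid.conf and in the process list). The group cn values proxy-allow and proxy-deny, the list paths and the domain come from the thread; `all` is the stock acl from the default squid.conf.

```conf
# Authentication is unchanged: the working auth_param basic / squid_ldap_auth
# lines stay as they are. This only adds the group lookup and the access rules.

# Oliver's helper line; -W (bind password from a file, assumed available)
# replaces "-w password". Backslash continues a squid.conf line.
external_acl_type ldap_group ttl=120 negative_ttl=120 %LOGIN \
  /usr/lib/squid/squid_ldap_group \
  -b cn=Users,dc=domain,dc=local \
  -f "(&(cn=%g)(member=%u)(objectClass=group))" \
  -B dc=domain,dc=local -F "samaccountname=%s" -S -R \
  -D cn=ldapsearchuser,cn=Users,dc=domain,dc=local \
  -W /etc/squid/ldap_bind.pw \
  -h server.domain.local

# The word after the acl name is what %g is substituted with in the -f
# filter, so it must be the group's cn exactly as it is in the directory.
acl proxy_allow external ldap_group proxy-allow
acl proxy_deny  external ldap_group proxy-deny

acl authenticated proxy_auth REQUIRED
acl block_word    url_regex "/etc/squid/block_word"
acl block_url     url_regex "/etc/squid/block_url"
acl block_domain  dstdomain "/etc/squid/block_domain"
acl block_dest_ip dst       "/etc/squid/block_dest_ip"

# http_access is first-match: the first line whose ACLs all match decides.
# 1. Force a login first; the %LOGIN lookup needs an authenticated user.
http_access deny !authenticated
# 2. proxy-deny members are refused the listed destinations. These come
#    before the allow lines, so a user who is in both groups is denied.
http_access deny proxy_deny block_url
http_access deny proxy_deny block_domain
http_access deny proxy_deny block_word
http_access deny proxy_deny block_dest_ip
# 3. proxy-allow members get through to them.
http_access allow proxy_allow block_url
http_access allow proxy_allow block_domain
http_access allow proxy_allow block_word
http_access allow proxy_allow block_dest_ip
# 4. Anyone in neither group is also blocked on the lists, so an account
#    left out of both groups does not silently fall through to "allow".
http_access deny block_url
http_access deny block_domain
http_access deny block_word
http_access deny block_dest_ip
# 5. Everything not on a block list is open to any authenticated user.
http_access allow authenticated
http_access deny all
```

Check the result with `squid -k parse` before reloading, and remember that a group change only shows up once the 120 second ttl/negative_ttl cache entry for that user expires.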