Dear all, :)

I finally had some time to work on this issue, using the directions I was pointed to. I still don't know what else to do, since using squid_ldap_group to give different web access doesn't work. I'll try to give you some examples of my configuration so it will be easier to understand what the problem might be.

Here is my squid_ldap_auth line in squid.conf:

[...]
auth_param basic program /usr/local/squid/libexec/squid_ldap_auth -b o=domain.int -h 10.0.0.1 -D uid=proxy,ou=squid,o=domain.int -w proxy-binder -f (&(objectclass=inetOrgPerson)(uid=%s))
[...]

--> working fine and authenticating users with no kind of problem.

Now here goes the squid_ldap_group:

[...]
external_acl_type ldap_group ttl=120 negative_ttl=120 %LOGIN /usr/local/squid/libexec/squid_ldap_group -b ou=squid,o=domain.int -f "(&(uid=%v)(memberUid=%g))" -B ou=People,o=domain.int -F "uid=%s" -S -R -D uid=proxy,ou=squid,o=dmain.int -w proxy-binder -h localhost
[...]

Note: squid_ldap_group is binding to the LDAP server with the same user squid_ldap_auth is.

And here goes the access list:

[...]
acl block_word url_regex "/etc/squid/block_word"
acl block_url url_regex "/etc/squid/block_url"
acl block_domain dstdomain "/etc/squid/block_domain"
acl block_dest_ip dst "/etc/squid/block_dest_ip"
####################
acl proxy-allow external ldap_group proxy-allow
acl proxy-deny external ldap_group proxy-deny
####################
http_access allow proxy-allow block_word
http_access allow proxy-allow block_url
http_access allow proxy-allow block_domain
http_access allow proxy-allow block_dest_ip
####################
http_access deny proxy-deny block_word
http_access deny proxy-deny block_url
http_access deny proxy-deny block_domain
http_access deny proxy-deny block_dest_ip
[...]
/etc/squid/block_word contains words I will not allow in urls, except for users in the cn=proxy-allow,ou=squid,o=domain.int group.
/etc/squid/block_url contains urls I will not allow at all, except for users in the cn=proxy-allow,ou=squid,o=domain.int group.
/etc/squid/block_domain contains domains I will not allow at all, except for users in the cn=proxy-allow,ou=squid,o=domain.int group.
/etc/squid/block_dest_ip contains ip addresses I will not allow at all, except for users in the cn=proxy-allow,ou=squid,o=domain.int group.

Users in the cn=proxy-allow,ou=squid,o=domain.int group are to be given access to the urls, words and ip addresses contained in the above files. Users in the cn=proxy-deny,ou=squid,o=domain.int group are not.

Here is my ldif for the squid group, where users are to be checked for which group they belong to, so they can have their permissions or not:

dn: cn=proxy-allow,ou=squid, o=domain.int
gidNumber: 600
memberUid: test-user
objectClass: posixGroup
objectClass: top
cn: proxy-allow

-> same thing for the proxy-deny group, except the user is named *test-user-deny*

dn: uid=test-user,ou=People, o=systemblast
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: test-user
uidNumber: 1000
cn: test-user
sambaLogoffTime: 214647
sambaPwdLastSet: 117888
gidNumber: 513
sambaPwdMustChange: 1111888
sambaNTPassword: EB8B79A3E6FEC
sambaPwdCanChange: 0
gecos: System User
description: System User
sn: user

What can be wrong here? I think something must be missing or wrong in the squid_ldap_group flags, and I am still not sure if the acls are correct...

Thanks for your time reading this, and I hope my doubt will help someone in the future :)

Many thanks in advance,
*cipher*

> cipher wrote:
> > Dear users,
> >
> > I just got squid authenticating through ldap, using
> > squid_ldap_auth and everything is fine.
> > Users can authenticate and no problems are showing up.
> >
> > Now I would like to know a way to give different users
> > permissions for different web accesses.
> > For example, I have this configuration:
> >
> > [...]
> > acl block_word url_regex "/etc/squid/block_word"
> > acl block_url url_regex "/etc/squid/block_url"
> > acl block_domain dstdomain "/etc/squid/block_domain"
> > acl block_dest_ip dst "/etc/squid/block_dest_ip"
> > acl accept proxy_auth "/etc/squid/accept_user"
> > acl forbidden proxy_auth "/etc/squid/forbidden_user"
> > http_access allow accept block_word
> > http_access allow accept block_domain
> > http_access allow accept block_dest_ip
> > http_access allow accept block_url
> > http_access deny forbidden block_word
> > http_access deny forbidden block_domain
> > http_access deny forbidden block_dest_ip
> > http_access deny forbidden block_url
> > [...]
> >
> > What happened was that I was filtering web access
> > through text files called /etc/squid/accept_user
> > and /etc/squid/forbidden_user, which had information
> > about the users that were allowed or not allowed to
> > have web access to the urls in the /etc/squid/block_url
> > file, for example.
> >
> > Now with ldap working I have two groups:
> >
> > -> proxy-allow
> > -> proxy-deny
> >
> > I want to put users in those two groups, and the idea
> > is that users in the proxy-allow group will have
> > web access to urls in /etc/squid/block_url and
> > users in the proxy-deny group will not have web access to
> > those urls.
> >
> > I am aware that squid_ldap_group does the job, but I am
> > not really understanding how.
> >
> > I read through the archives and no answer to this issue
> > was found. At least I wasn't able to see it. :)
> >
> > I already know that an external_acl_type acl is needed.
> > I just haven't figured out how to tell squid.conf to go
> > search those groups and give access like it is meant to.
> >
> > Is there a chance someone could point me in the right
> > direction to get this working, or maybe point me to the archive
> > where this issue is answered?
> >
> > Feel free to ask for more configuration information if
> > you need to.
> >
> > Thanks a lot for reading this, and in advance!
>
> squid_ldap_group operates very similarly to squid_ldap_auth. I assume
> you are already successfully getting the user login details and are
> authenticating the users. After that you just need an external_acl_type
> statement for the ldap checking such as this (forgive the long
> description, it's something I wrote up after I got it working so that it
> is understandable to some degree):
>
> external_acl_type ldap_group ttl=120 negative_ttl=120 %LOGIN /usr/lib/squid/squid_ldap_group -b cn=Users,dc=domain,dc=local -f "(&(cn=%g)(member=%u)(objectClass=group))" -B dc=domain,dc=local -F "samaccountname=%s" -S -R -D cn=ldapsearchuser,cn=Users,dc=domain,dc=local -w password -a find -s sub -h server.domain.local
>
> ldap_group is the type of external ACL we are using.
> ttl and negative_ttl are set to short intervals so that adding or
> removing a user from the authorised group doesn't incur a huge delay.
> %LOGIN is a standard parameter - it just passes the user details from
> the authenticator module.
> -b is the Base DN for the security group in the AD.
> -f specifies how the user is to be found in the group. cn=%g will give
> you the group DN itself, member=%u finds the user by their DN, and
> objectClass=group is self explanatory.
> -B is the Base DN for the users.
> -F is used to specify the search filter for the users. samaccountname is
> the parameter I search for, since I found the browser sends the shortened
> version of the login name (instead of the full name or something).
> -S specifies that it should strip the domain name off the front of the
> username (since I was using NTLM and that passed the domain name).
> -R allows us to have users in multiple OUs.
> -D specifies the DN of a user authorised to perform LDAP searches on the
> AD. This I believe can be any user in the AD.
> -a specifies the search technique and may not be required.
> -s specifies how to handle searching up the tree and defaults to sub
> anyway, so it is not really required.
> -h server.domain.local just specifies the domain controller that the
> LDAP query is performed on.
>
> Then you need acls to specify the groups you are checking for:
>
> acl AuthGroup external ldap_group Internet
>
> and http_access lines to actually allow those groups or whatever:
>
> http_access allow AuthGroup
>
> This is where you can get very creative (not something I have done...).
> Hope this helps (and is relatively correct - my explanations are
> probably not entirely accurate).
>
> Cheers,
> Oliver
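Added example, not part of the original post or of squid itself: a small Python simulation of how squid_ldap_group expands its -f template (%v is replaced by the login name, %g by the group name) against the two posixGroup entries quoted in the thread, and of how squid walks the quoted http_access lines for a request that already matches one of the block_* acls. The LDAP matcher is a deliberately minimal stand-in that only understands AND-of-equality filters, and the http_access walk assumes that only the quoted lines are in effect.

```python
import re

# Constructed copies of the two posixGroup entries from the LDIF in the post.
GROUPS = [
    {"cn": ["proxy-allow"], "memberUid": ["test-user"]},
    {"cn": ["proxy-deny"], "memberUid": ["test-user-deny"]},
]

# The -f template as posted, and the group-name-in-cn form used in Oliver's
# example (with memberUid instead of member, since these are posixGroup entries).
POSTED_FILTER = "(&(uid=%v)(memberUid=%g))"
GROUP_FILTER = "(&(cn=%g)(memberUid=%v))"


def expand(template, user, group):
    """squid_ldap_group substitutes %v with the login name and %g with the group name."""
    return template.replace("%v", user).replace("%g", group)


def matches(entry, ldap_filter):
    """Minimal stand-in for an LDAP server: evaluates an (&(a=b)(c=d)...) filter
    against one entry whose attribute values are lists of strings."""
    m = re.fullmatch(r"\(&((?:\([^()=]+=[^()]*\))+)\)", ldap_filter)
    if not m:
        raise ValueError("only AND-of-equality filters are supported here")
    return all(value in entry.get(attr, [])
               for attr, value in re.findall(r"\(([^()=]+)=([^()]*)\)", m.group(1)))


def helper_result(user, group, template):
    """What the external acl helper answers: OK if the expanded filter matches
    some entry under the -b base, otherwise ERR."""
    ldap_filter = expand(template, user, group)
    return "OK" if any(matches(e, ldap_filter) for e in GROUPS) else "ERR"


# The quoted http_access lines reduced to (action, group acl), for a request
# that already matches one of the block_* acls on the same line.
HTTP_ACCESS = [("allow", "proxy-allow"), ("deny", "proxy-deny")]


def http_access(user, template, blocked=True):
    """The first line whose acls all match wins; if no line matches, squid
    applies the opposite of the last line's action (the last line here is deny)."""
    for action, group in HTTP_ACCESS:
        if blocked and helper_result(user, group, template) == "OK":
            return action
    return "allow" if HTTP_ACCESS[-1][0] == "deny" else "deny"
```

With the posted template the helper answers ERR even for test-user, because no entry under ou=squid carries uid=test-user, and a user who is in neither group falls through to the implicit default of the last quoted line.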