Hi

I've got Squid on a Linux (Debian 3.1) box running beautifully and authenticating users to a Windows Active Directory. The bits from squid.conf that I think matter for this discussion looked like this ...

||auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
||auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic

Then later on I have ...

||acl ADuser proxy_auth REQUIRED

and then

||http_access deny !ADuser
||http_access allow all

Ok, so this means only authenticated users can use the proxy and access.log has their Windows usernames.

I can further change auth_param to allow only members of one certain Active Directory Group

||auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --require-membership-of=XXX_DOMAIN\\ADgroup1 --domain=xxx_domain
||auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic --require-membership-of=XXX_DOMAIN\\ADgroup1 --domain=xxx_domain
||acl ADgroup1 proxy_auth REQUIRED

Although the above works great, what I really want is the following

1 - Authenticate all users (need to see those usernames in access.log)
2 - Allow all users access to some sites (freesites)
3 - Allow Active Directory Group 1 access only to freesites, and a few more (othersites)
4 - Allow Active Directory Group 2 access to all other sites

Ok, so I can add freesites

||acl freesites dst_domain .cnn.com
||acl freesites dst_domain .bbc.co.uk

add othersites

||acl othersites dst_domain .yahoo.com
||acl othersites dst_domain .hotmail.com

and the setup of the acl hierarchy would be something as follows:

||http_access allow freesites
||http_access deny !ADgroup1 !ADgroup2
||http_access allow othersites
||http_access deny !ADgroup2
||http_access allow all

The problem I have is how to set up the acl to get the different ADgroups. Do I need two auth_params? Is that possible and what would the syntax be?

Thanks

Yours
Roy
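
One way to express the four-point policy above, as an added example that is not part of the original post: authentication stays in auth_param for every user, and group membership is tested per request with an external ACL. It assumes the wbinfo_group.pl helper that ships with Squid 2.5 is installed at the path shown and that winbind can resolve the groups; the class name ad_group is made up for this example.

```conf
# Added example, not from the original post.
# Authentication only: one helper per scheme, without --require-membership-of,
# so every domain user can log in and is named in access.log.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic

# Group lookup as an external ACL keyed on the authenticated login.
# Assumptions: helper path as below; "ad_group" is a name chosen here.
external_acl_type ad_group %LOGIN /usr/lib/squid/wbinfo_group.pl

acl ADuser   proxy_auth REQUIRED
acl ADgroup1 external ad_group ADgroup1
acl ADgroup2 external ad_group ADgroup2

acl freesites  dst_domain .cnn.com .bbc.co.uk
acl othersites dst_domain .yahoo.com .hotmail.com

# http_access stops at the first matching line; ACLs on one line are ANDed.
# 1 - everyone must authenticate before anything else is considered
http_access deny !ADuser
# 2 - any authenticated user may reach freesites
http_access allow freesites
# 3 - ADgroup1 additionally gets othersites
http_access allow othersites ADgroup1
# 4 - ADgroup2 gets everything else
http_access allow ADgroup2
# nothing matched: refuse
http_access deny all
```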