You can use the winbind group helper external ACL in the Squid distribution to perform a group lookup from Active Directory and use that during ACL lookups. You can then create sales, marketing and such rules as you're after.

Adrian

On Wed, Nov 07, 2007, Paul Cocker wrote:
> As those of you watching this list will be aware, I am currently setting
> up a whole load of exciting website blocks. Since blocking facebook I
> doubt I have more than a couple of days left to live.
>
> What I'm looking for is an easy way to create exceptions. Our Sales and
> Marketing departments need to bypass the shopping site block, because
> going to such sites is part of their job. I can do this in the following
> ways:
>
> 1. Set up an acl linking to the AD group for sales and one for
> marketing, then set up a whitelist acl which links to the shopping
> blacklist, I then add an http_access allow line above the blocks calling
> this whitelist if you're authenticated AND in sales, and then another
> such line for marketing.
>
> 2. Set up an AD group called shoppingexceptions and add sales and
> marketing users to it. I create an acl which looks at this group and
> then modify the shopping line to http_access deny !shoppingexceptions
> shopping.
>
> I am currently using method 2, but the squidNT's AD group checker cannot
> handle groups within groups, so I can't have an exception group
> containing the sales and marketing groups, I have to export those groups
> and put the users into the exceptions group.
>
> So, my question is, can I:
>
> a) List multiple exceptions to a rule on a single line e.g. http_access
> deny !sales !marketing shopping
>
> b) Handle it in another, more elegant way?
>
> Obviously the idea is that no administrative effort is required on our
> part, someone joins sales and they automatically get the relevant
> exceptions.
>
> Paul Cocker
> IT Systems Administrator
> IT Security Officer
>
> 01628 81(6647)
>
> TNT Post
> 1 Globeside Business Park
> Fieldhouse Lane
> Marlow
> Bucks
> SL7 1HY

--
- Xenion - http://www.xenion.com.au/ - VPS Hosting - Commercial Squid Support -
- $25/pm entry-level VPSes w/ capped bandwidth charges available in WA -
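
The setup discussed in this thread, as an added squid.conf sketch that is not part of the original messages: per-department AD group ACLs through the winbind group helper, combined on a single deny line. The helper path, group names, blacklist file path and tuning values are assumptions, and proxy authentication is assumed to be configured already on a host joined to the domain with winbind.

```conf
# External ACL that asks winbind whether the authenticated user (%LOGIN)
# is a member of the named AD group.
# Assumption: helper path; it differs between distributions and Squid versions.
external_acl_type ad_group ttl=300 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl

# One ACL per department. Group names are placeholders for the real AD groups.
acl sales     external ad_group Sales
acl marketing external ad_group Marketing

# Shopping blacklist, one domain per line (constructed path).
acl shopping dstdomain "/etc/squid/blacklists/shopping.domains"

# Assumption: "all" is already defined, as in the stock squid.conf of the time:
#   acl all src 0.0.0.0/0.0.0.0

# Question (a): ACLs on one http_access line are ANDed and evaluated left to
# right. This denies only when the destination is a shopping site AND the
# user is not in sales AND not in marketing.
#  - "shopping" comes first so the group helper is only consulted for
#    requests that actually hit the blacklist.
#  - "all" comes last so the line does not end on an authentication-related
#    ACL; otherwise Squid answers a failed match with a fresh login
#    challenge (407) instead of the access-denied page.
http_access deny shopping !sales !marketing all

# Equivalent allow-first form (option 1 in the quoted message):
# http_access allow shopping sales
# http_access allow shopping marketing
# http_access deny  shopping
```

Because membership is checked per department group, someone added to Sales or Marketing in AD picks up the exception once the cached lookup (ttl) expires, with no separate exceptions group to maintain.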