Tue 2010-05-18 at 14:33 +1000, Kris Glynn wrote:
> I would like to know if it is possible to deny/allow based on a specific OU in Active Directory.

Yes. The squid_ldap_group helper can do this by simply searching for the user again below that OU and denying access if found.

external_acl_type ldap_service_accounts %LOGIN /usr/lib/squid_ldap_group -R -b "OU=Service Accounts,dc=company,dc=internal" -D username -w password -f "(&(sAMAccountName=%u)(objectClass=Person))" -h 192.168.60.4
acl ldap_service_accounts external ldap_service_accounts X
http_access deny ldap_service_accounts

If you have many of these OUs that you want to match then the -g option to squid_ldap_group may be handy, enabling you to add the OU part via the acl line. But it is a little tricky if the OU contains spaces as in your "OU=Service Accounts" (requires an acl include file).

Regards
Henrik
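Added example, not part of the reply above and not squid_ldap_group's own code: a Python sketch of the check the helper is asked to perform, answering OK only when the login name is found below the OU, with the name escaped before it goes into the filter. The function names and the in-memory directory are hypothetical and constructed for illustration, and it assumes Squid passes helper fields URL-escaped.

```python
import re
import sys
from urllib.parse import unquote

BASE_DN = "OU=Service Accounts,dc=company,dc=internal"  # search base from the post

# Constructed sample entries standing in for Active Directory: (DN, sAMAccountName)
DIRECTORY = [
    ("CN=Backup Job,OU=Service Accounts,DC=company,DC=internal", "svc_backup"),
    ("CN=Kris Glynn,OU=Staff,DC=company,DC=internal", "kglynn"),
]

def escape_filter(value):
    """Escape RFC 4515 special characters so a login name cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def build_filter(user):
    """Same filter shape as the -f argument in the post, with %u escaped."""
    return "(&(sAMAccountName=%s)(objectClass=Person))" % escape_filter(user)

def under_base(dn, base):
    """True when dn is the base entry or sits below it (DNs compare case-insensitively)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def search(base, ldap_filter):
    """Stand-in for the LDAP subtree search; understands only build_filter()'s shape."""
    m = re.fullmatch(r"\(&\(sAMAccountName=(.*)\)\(objectClass=Person\)\)", ldap_filter)
    # An escaped \xx pair is a literal character to the directory, never a wildcard.
    wanted = re.sub(r"\\([0-9a-f]{2})", lambda h: chr(int(h.group(1), 16)), m.group(1))
    return [dn for dn, sam in DIRECTORY
            if under_base(dn, base) and sam.lower() == wanted.lower()]

def answer(line, base=BASE_DN):
    """Handle one request line '<user> <acl arguments...>' and return 'OK' or 'ERR'."""
    fields = line.split()
    if not fields:
        return "ERR"
    user = unquote(fields[0])  # assumption: fields arrive URL-escaped
    return "OK" if search(base, build_filter(user)) else "ERR"

if __name__ == "__main__":
    for request in sys.stdin:  # one request per line, one answer per line
        print(answer(request), flush=True)
```

With `http_access deny ldap_service_accounts`, an OK answer means the request is denied and ERR lets evaluation continue to the next rule.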