So I have multiple Active Directory groups that I’m attempting to integrate into Squid. I have categorized URL lists located in "/etc/squid/whitelists/". When I add a user to a specific group in Active Directory I want Squid to then allow that user to browse any website that is listed in the whitelist. Each user will be a member of multiple groups and will need to be able to access multiple whitelists depending on their role.

Currently what I have will allow the user to browse the websites as long as they are a member of ONLY ONE of the groups, but if I add the user to both groups then they can’t see anything! I will get an access denied page for all websites, including the ones that are listed in the whitelists. In total I have around 50 categories that I would like to implement.

Below is what I currently have listed in my squid.conf file.

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#

# AD communication
auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "DC=domain,DC=local" -D "CN=SQUID,OU=domain Service Accounts,DC=domain,DC=local" -w "*********" -f sAMAccountName=%s -h 10.0.0.***,10.0.0.***,10.0.0.***
auth_param basic children 5
auth_param basic realm Please enter your domain credentials to continue
auth_param basic credentialsttl 1 hour

# AD group membership commands
external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "DC=domain,DC=local" -D "CN=SQUID,OU=domain Service Accounts,DC=domain,DC=local" -w "*********" -f "(&(objectclass=person) (sAMAccountname=%v)(memberof=CN=%a,OU=PROXY,ou=ALL domain Groups,DC=domain,DC=local))" -h 10.0.0.***,10.0.0.***,10.0.0.***

acl NEWS external ldap_group NEWS
acl SHOPPING external ldap_group SHOPPING

acl rule1 url_regex -i "/etc/squid/whitelists/news/domains"
acl rule2 url_regex -i "/etc/squid/whitelists/shopping/domains"

http_access deny NEWS !rule1
http_access deny SHOPPING !rule2

http_access allow all
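
The rule evaluation described in the post above, as an added example that is not part of the original message: a simplified Python model of Squid's http_access processing (lines read top to bottom, ACLs on one line ANDed, first matching line decides) applied to the posted rules and to an allow-per-group ordering. The whitelist contents, the domain names and the ALLOW_FIRST rule set are constructed assumptions, and the url_regex files are modelled as plain domain sets.

```python
# Simplified model of Squid http_access evaluation (added example, not Squid code).
# Constructed sample data: the real url_regex files are modelled as domain sets.
WHITELISTS = {
    "rule1": {"news.example"},   # stands in for whitelists/news/domains
    "rule2": {"shop.example"},   # stands in for whitelists/shopping/domains
}
DOMAINS = ("news.example", "shop.example", "other.example")

def acl_matches(acl, groups, domain):
    """Evaluate one ACL name; a leading '!' negates it."""
    if acl.startswith("!"):
        return not acl_matches(acl[1:], groups, domain)
    if acl == "all":
        return True
    if acl in WHITELISTS:
        return domain in WHITELISTS[acl]
    return acl in groups         # group ACLs such as NEWS, SHOPPING

def http_access(rules, groups, domain):
    """The first line whose ACLs ALL match decides; later lines are not read."""
    for action, acls in rules:
        if all(acl_matches(a, groups, domain) for a in acls):
            return action
    # No line matched: Squid applies the opposite of the last line's action.
    return "deny" if rules[-1][0] == "allow" else "allow"

# The three http_access lines from the post.
POSTED = [
    ("deny", ["NEWS", "!rule1"]),
    ("deny", ["SHOPPING", "!rule2"]),
    ("allow", ["all"]),
]

# Assumed alternative: allow each group its own list, then deny the rest.
ALLOW_FIRST = [
    ("allow", ["NEWS", "rule1"]),
    ("allow", ["SHOPPING", "rule2"]),
    ("deny", ["all"]),
]

def report(rules, groups):
    """Decision per sample domain for a user with the given group set."""
    return {d: http_access(rules, groups, d) for d in DOMAINS}

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("allow-first", ALLOW_FIRST)):
        for groups in ({"NEWS"}, {"NEWS", "SHOPPING"}, set()):
            print(name, sorted(groups), report(rules, groups))
```

With the posted rules, a user in both groups is denied a news site by the SHOPPING line and a shopping site by the NEWS line, and a user in neither group reaches `allow all`. The allow-first ordering denies users who are in no group, which differs from the posted configuration.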