Re: URL access based on AD group membership


On 15/06/2016 10:50, nilesh.gavali@xxxxxxx wrote:
> Hi Team;
> I have set up as below:
>   • Squid Kerberos authentication with Windows AD 2012r2 - works fine.
>   • Now I need to restrict access based on AD group membership.
>
> Below configuration done but no luck. When I try to access with a user who is not part of the group mentioned, he is still able to browse the Internet.

The following works fine for me and, in my opinion, works better than LDAP. The authentication is integrated, so it doesn't keep asking for a password (when the current user is a domain account). But you have to add the Squid server to the domain using 'smb.conf', 'krb5.conf' and then 'net ads join'. The 'winbind' service must be running too.
I'm using Squid 3.5.19.


    auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN --enable-external-acl-helpers="ext_wbinfo_group_acl"
    auth_param ntlm children 10 startup=0 idle=2

    external_acl_type NTGroup children-startup=10 children-idle=2 children-max=50 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl

    acl authenticated proxy_auth REQUIRED

    acl ad_group external NTGroup MYDOMAIN\AD_Group
    acl denied_websites dstdom_regex -i "/etc/squid/denied-websites.txt"
    http_access deny ad_group denied_websites


So all the members of MYDOMAIN\AD_Group won't have access to whatever the file contains.

Bruno
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
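
An added example (not part of Bruno's message and not Squid's own code) that models how Squid evaluates the `http_access` line above: ACLs on one line are ANDed, the first matching line wins, and when no line matches the result is the opposite of the last line's action. Assumptions: the posted line is the only `http_access` rule, users are already authenticated, and the users, host names, regex pattern and the `GROUP_ONLY` rule set are constructed for illustration.

```python
import re

# Constructed sample data (assumptions, not taken from the thread).
GROUP = "MYDOMAIN\\AD_Group"
GROUP_MEMBERS = {GROUP: {"alice"}}                   # what winbind would report
DENIED_PATTERNS = [r"(^|\.)example-social\.test$"]   # stand-in for denied-websites.txt


def acl_ad_group(req):
    # Models: acl ad_group external NTGroup MYDOMAIN\AD_Group
    return req["user"] in GROUP_MEMBERS[GROUP]


def acl_denied_websites(req):
    # Models: acl denied_websites dstdom_regex -i "<file>"
    # (-i makes the regex match on the destination host case-insensitive)
    return any(re.search(p, req["host"], re.IGNORECASE) for p in DENIED_PATTERNS)


def acl_all(req):
    # Models the built-in "all" ACL.
    return True


def evaluate(rules, req):
    """Return 'allow' or 'deny' for a request under an ordered http_access list."""
    for action, acls in rules:
        if all(acl(req) for acl in acls):   # every ACL on the line must match
            return action                   # first matching line decides
    if not rules:
        return "deny"                       # no http_access lines at all: deny
    # No line matched: Squid applies the opposite of the last line's action.
    return "allow" if rules[-1][0] == "deny" else "deny"


# The single rule from the message: http_access deny ad_group denied_websites
POSTED = [("deny", [acl_ad_group, acl_denied_websites])]

# Hypothetical variant for the question asked in the thread (only group
# members may browse): explicit allow for the group, then deny everyone else.
GROUP_ONLY = POSTED + [("allow", [acl_ad_group]), ("deny", [acl_all])]

if __name__ == "__main__":
    for name, rules in (("POSTED", POSTED), ("GROUP_ONLY", GROUP_ONLY)):
        for user in ("alice", "bob"):
            for host in ("www.Example-Social.test", "example.org"):
                print(name, user, host, evaluate(rules, {"user": user, "host": host}))
```

With `POSTED` alone, a user outside the group is never matched by the deny line and falls through to the implicit allow, which is why an explicit final `http_access deny all` matters when the goal is to restrict browsing to group members.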
