Re: [squid-users] Fw: squid_ldap_group config

From: <Kelly_Connor@dont-contact.us>
Date: Wed, 1 Dec 2004 10:56:45 -0700

Hi Matt -

Your solution sounds pretty cool, but my boss is really "pro-vendor"
software and I have won a big point getting squid into our district.

However, he is dead set on keeping Websense as our content filter, and does
not want our internet system to become difficult to support if someone
leaves the department.

If I use the squid_ldap_auth program, I can only use one group and I am
stuck in an accept/deny internet filtering role. I had this working for a
while, but it does not fit our organization quite right. I stumbled upon
squid_ldap_group and it sounds like it works perfectly, but I am really
confused as to how to use an external_acl_type role, and how to bring this
group information back to squid for potential redirection, ftp filtering or
user denial.

Is there anyone on this list who currently uses squid_ldap_group to
segregate internet traffic permission?

Kelly Connor
Network Technician
Gilbert Unified School District
kelly_connor@gilbert.k12.az.us

Matt Benjamin <matt@linuxbox.com>
12/01/2004 10:39 AM

To: Kelly_Connor@gilbert.k12.az.us
cc: squid-users@squid-cache.org, "Adam D. Gorski" <adam@linuxbox.com>
Subject: Re: [squid-users] Fw: squid_ldap_group config


Kelly,

The intent of the Squid mechanism is, I think, a bit obscure--hopefully
the authors will step forward and show how you set up the two distinct
external auth mechanisms it appears you need in order for Squid to a)
authenticate to LDAP and b) do the group check.

However, our solution (which resembles that used in a commercial K12
proxy solution which I shall not name), is as follows:

1. We use one external authenticator, the squid_ldap_auth program
2. All traffic is sent to a customized Squidguard redirect_program--our
version combines a bunch of extant modifications, including LDAP
group-based ACLs, and a modified logging feature used to drive reporting
3. Any sort of authorization rule, including one forbidding specific
users/groups to visit FTP urls, would happen here. For example, your
source group might be "kids," and the destination group anything
matching an "^ftp://" regex.

We have some tweaks to Webmin, a real-time log parser, and a reporting
tool we're releasing that organize all this.

Matt

Kelly_Connor@gilbert.k12.az.us wrote:

>
>Hi all,
>
>I hope this has not been addressed anywhere in the mailing lists. I did a
>search and couldn't find anything, and I've already RTFM'd.
>
>I don't understand how to set up the squid_ldap_group external acl type.
>
>We are running Novell eDirectory and using various LDAP groups to
>(hopefully) control internet access for our various high school campuses.
>We want to have different control lists based upon the user. Students are
>denied ftp downloads and are sent to a redirector/content filter, while we
>IT people don't go to the redirector and get ftp downloads.
>
>The man page for external_acl_type doesn't seem clear to me.
>
>This is what I've got so far:
>
>external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b <basedn>
>-D <squidaccount> -w <passwd> -f
>"(&(cn=%v)(groupMembership=cn=<group1dn>))" -h ldap.host
>external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b <basedn>
>-D <squidaccount> -w <passwd> -f
>"(&(cn=%v)(groupMembership=cn=<group2dn>))" -h ldap.host
>
>acl Restricted port 20 21 1025-65535
>
>acl external ldap_group deny Restricted
>acl external ldap_group allow Restricted
>
>I'm certain I am doing something wrong with my "acl external" lines. How
>do I differentiate the two different groups? How exactly is the
>external_acl_type line used? Is ldap_group a reserved phrase that has to
>follow external_acl_type? How do I return to squid the group membership
>token for the user?
>
>Thanks for any illumination...
>
>
>Kelly Connor
>Network Technician
>Gilbert Unified School District
>kelly_connor@gilbert.k12.az.us
>
>
>
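For reference, the squid.conf fragment below shows how the pieces Kelly asks about fit together, using the Squid 2.5 directives named in this thread. It is an added illustration, not configuration from either poster and not Matt's product; ldap.host, the o=gusd tree, the group names, the bind account and the helper paths are placeholders, and the %g group placeholder in the squid_ldap_group filter should be checked against the man page of the helper version installed locally. The points it makes: the word after external_acl_type is an arbitrary class name, not a reserved phrase; one helper class serves any number of groups because each "acl ... external" line passes its group name as the helper argument; the helper answers only OK or ERR per (user, group) lookup, so group membership comes back to Squid as the match result of that acl rather than as a token; and FTP through a proxy is matched by protocol, not by port, because the client always connects to the proxy's own port.

```conf
# Added example: squid.conf fragment for LDAP group-based policy with a
# single squid_ldap_group helper (Squid 2.5 syntax). All names below are
# placeholders, not values from the original thread.

# 1. Authentication: squid_ldap_auth establishes who the user is.
#    %s in the filter is replaced by the login name the browser sent.
auth_param basic program /usr/sbin/squid_ldap_auth -b "ou=users,o=gusd" -f "cn=%s" -h ldap.host
auth_param basic children 5
auth_param basic realm Gilbert USD proxy
auth_param basic credentialsttl 2 hours

# 2. One helper class for group checks. "ldap_group" is just a name we
#    chose. %LOGIN passes the authenticated user; each acl in step 3
#    appends its group name, which the helper substitutes for %g.
#    ttl/negative_ttl cache answers so eDirectory is not queried on
#    every request. The bind password given with -w is visible in
#    squid.conf and in "ps" output, so use a read-only bind account.
external_acl_type ldap_group ttl=300 negative_ttl=60 children=5 %LOGIN /usr/sbin/squid_ldap_group -b "ou=users,o=gusd" -D "cn=squid,ou=services,o=gusd" -w "<bind password>" -f "(&(cn=%v)(groupMembership=cn=%g,ou=groups,o=gusd))" -h ldap.host

# 3. Several acls share that one class; the trailing word is the group
#    the helper is asked about. FTP is matched by protocol, not port.
acl authenticated proxy_auth REQUIRED
acl students external ldap_group Students
acl itstaff external ldap_group ITStaff
acl ftp proto FTP

# 4. Policy. The first matching http_access line wins, so the student
#    FTP denial must come before the general student allow.
http_access deny !authenticated
http_access deny students ftp
http_access allow itstaff
http_access allow students
http_access deny all

# 5. Send only student traffic through the content filter. Squid 2.5
#    calls this redirector_access; Squid 3 renamed it url_rewrite_access.
redirect_program /usr/local/bin/squidGuard -c /etc/squid/squidGuard.conf
redirect_children 5
redirector_access deny itstaff
redirector_access allow students
redirector_access deny all
```

A quick check after reloading: "squid -k parse" catches syntax errors, and running the helper by hand (type "kconnor Students" on its stdin and expect OK or ERR on stdout) confirms the bind DN, base DN and filter before Squid depends on them. Squid sends exactly that line, the %LOGIN value followed by the acl arguments, and the OK/ERR reply is all that returns; the groups themselves never appear in Squid's acl state. If Matt's approach is preferred instead, the same redirector_access lines decide which users reach squidGuard at all, and the FTP rule moves into its ACL block as the "^ftp://" expression he describes.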
Received on Wed Dec 01 2004 - 10:58:50 MST

This archive was generated by hypermail pre-2.1.9 : Sat Jan 01 2005 - 12:00:01 MST