RE: [squid-users] Fw: squid_ldap_group config

From: Chris Robertson <crobertson@dont-contact.us>
Date: Wed, 1 Dec 2004 11:06:28 -0900

For clarification, I don't use the squid_ldap_group external acl, so I may
be completely off base, but that's never stopped me from giving suggestions
before. :o) All the following advice assumes that you have the arguments
to squid_ldap_group correct.

I think you want to change your external acl lines to something like:

external_acl_type allowed_group %LOGIN /usr/sbin/squid_ldap_group -b
<basedn> \
  -D <squidaccount> -w <passwd> -f
"(&(cn=%v)(groupMembership=cn=<group1dn>))" \
  -h ldap.host
external_acl_type denied_group %LOGIN (yadda, yadda)

The second argument to external_acl_type is the title of the external acl,
which you use to reference it when you make a (non external) acl. It's a
bit confusing to be sure, but I certainly can't think of a better way to do
it.

Now that you have your external acls named, set the acl lines up like:

acl Restricted port 20 21 1025-65535 # (no change)
acl allowedGroup external allowed_group
acl deniedGroup external denied_group

Now you can use the acl names "Restricted", "allowedGroup" and "deniedGroup"
to route traffic to the redirectors or whatever. In the next line, I've set
it up such that deniedGroup can't access the restricted ports.

http_access deny deniedGroup Restricted

Chris

-----Original Message-----
From: Kelly_Connor@gilbert.k12.az.us
[mailto:Kelly_Connor@gilbert.k12.az.us]
Sent: Wednesday, December 01, 2004 8:57 AM
To: Matt Benjamin
Cc: Adam D. Gorski; squid-users@squid-cache.org
Subject: Re: [squid-users] Fw: squid_ldap_group config

Hi Matt -

Your solution sounds pretty cool, but my boss is really "pro-vendor"
software and I have won a big point getting squid into our district.

However, he is dead set on keeping Websense as our content filter, and does
not want our internet system to become difficult to support if someone
leaves the department.

If I use the squid_ldap_auth, program, I can only use one group and I am
stuck in an accept/deny internet filtering role. I had this working for a
while, but it does not fit our organization quite right. I stumbled upon
squid_ldap_group and it sounds like it works perfectly, but I am really
confused as to how to use and external_acl_type role, and how to bring this
group information back to squid for potential redirection, ftp filtering or
user denial.

Is there anyone on this list who currently uses squid_ldap_group to
segregate internet traffic permission?

Kelly Connor
Network Technician
Gilbert Unified School District
kelly_connor@gilbert.k12.az.us

                                                                           
             Matt Benjamin
             <matt@linuxbox.co
             m> To
                                       Kelly_Connor@gilbert.k12.az.us
             12/01/2004 10:39 cc
             AM squid-users@squid-cache.org, "Adam
                                       D. Gorski" <adam@linuxbox.com>
                                                                   Subject
                                       Re: [squid-users] Fw:
                                       squid_ldap_group config
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           
                                                                           

Kelly,

The intent of the Squid mechanism, is, I think, a bit obscure--hopefully
the authors will step forward and show how you set up the two distinct
external auth mechanisms it appears you need in order for Squid to a)
authenticate to LDAP b) do the group check.

However, our solution (which resembles that used in a commercial K12
proxy solution which I shall not name), is as follows:

1. We use one external authenticator, the squid_ldap_auth program
2. All traffic is sent to a customized Squidguard redirect_program--our
version combines a bunch of extant modifications, including LDAP
group-based ACLs, and a modified logging feature used to drive reporting
3. Any sort of authorization rule, including one forbidding specific
users/groups to visit FTP urls, would happen here. For example, your
source group might be "kids," and the destination group anything
matching an "^ftp://" regex.

We have some tweaks to Webmin, a real-time log parser, and reporting
tool we're releasing, that organize all this.

Matt

Kelly_Connor@gilbert.k12.az.us wrote:

>
>Hi all,
>
>I hope this has not been addressed anywhere in the mailing lists. I did a
>search and couldn't find anything, and I've already RTFM'd.
>
>I don't understand how to set up the squid_ldap_group external acl type.
>
>We are running Novell eDirectory and using various LDAP groups to
>(hopefully) control internet access for our various high school campuses.
>We want to have different control lists based upon the user. Students are
>denied ftp downloads and are sent to a redirector/content filter, while we
>IT people don't go to the redirector and get ftp downloads.
>
>The man page for external_acl_type doesn't seem clear to me.
>
>This is what I've got so far:
>
>external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b <basedn>
>-D <squidaccount> -w <passwd> -f
>"(&(cn=%v)(groupMembership=cn=<group1dn>))" -h ldap.host
>external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b <basedn>
>-D <squidaccount> -w <passwd> -f
>"(&(cn=%v)(groupMembership=cn=<group2dn>))" -h ldap.host
>
>acl Restricted port 20 21 1025-65535
>
>acl external ldap_group deny Restricted
>acl external ldap_group allow Restricted
>
>I'm certain I am doing something wrong with my "acl external" lines. How
>do I differentiate the two different groups? How exactly is the
>external_acl_type line used? Is ldap_group a reserved phrase that has to
>follow external_acl_type? How do I return to squid the group membership
>token for the user?
>
>Thanks for any illumination...
>
>
>Kelly Connor
>Network Technician
>Gilbert Unified School District
>kelly_connor@gilbert.k12.az.us
>
>
>
Received on Wed Dec 01 2004 - 13:06:31 MST

This archive was generated by hypermail pre-2.1.9 : Sat Jan 01 2005 - 12:00:01 MST