On Thu, Nov 07, 2013 at 04:02:48PM -0700, Samuel Anderson wrote:
> So I have multiple active directory groups that I’m attempting to
> integrate into squid. I have categorized URL lists located in
>
> "/etc/squid/whitelists/"
>
> When I add a user to a specific group in active directory I want squid
> to then allow that user to browse any website that is listed in the
> whitelist. Each user will be a member of multiple groups and will need
> to be able to access multiple whitelists depending on their role.
> Currently what I have will allow the user to browse the websites as
> long as there are a member of ONLY ONE of the groups, but if I add the
> user to both groups then they can’t see anything! I will get an access
> denied page for all websites including the ones that are listed in the
> whitelists. In total I have around 50 categories that I would like to
> implement. Below is what I currently have listed in my squid.conf
> file.
>
> #
> # INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
> #
>
> # AD communication
> auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b
> "DC=domain,DC=local" -D "CN=SQUID,OU=domain Service
> Accounts,DC=domain,DC=local" -w "*********" -f sAMAccountName=%s -h
> 10.0.0.***,10.0.0.***,10.0.0.***
> auth_param basic children 5
> auth_param basic realm Please enter your domain credentials to continue
> auth_param basic credentialsttl 1 hour
>
> # AD group membership commands
> external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group
> -R -b "DC=domain,DC=local" -D "CN=SQUID,OU=domain Service
> Accounts,DC=domain,DC=local" -w "*********" -f "(&(objectclass=person)
> (sAMAccountname=%v)(memberof=CN=%a,OU=PROXY,ou=ALL domain
> Groups,DC=domain,DC=local))" -h 10.0.0.***,10.0.0.***,10.0.0.***
>
> acl NEWS external ldap_group NEWS
> acl SHOPPING external ldap_group SHOPPING
>
>
> acl rule1 url_regex -i "/etc/squid/whitelists/news/domains"
> acl rule2 url_regex -i "/etc/squid/whitelists/shopping/domains"
>
> http_access deny NEWS !rule1
> http_access deny SHOPPING !rule2
> http_access allow all
Try this:
http_access deny rule1 !NEWS all
http_access deny rule2 !SHOPPING all
http_access allow all
Also set up 'debug_options' in your squid.conf as follows:
debug_options ALL,1 28,3
Then try to read cache.log and you will see the reason why client
request is blocked (don't forget to turn it off when in production).
And upgrade your squid to version 3.3.x.
-- Peter BenkoReceived on Fri Nov 08 2013 - 14:55:15 MST
This archive was generated by hypermail 2.2.0 : Fri Nov 08 2013 - 12:00:20 MST