Question

So I have multiple Active Directory groups that I'm attempting to integrate into Squid. I have categorized URL lists located in

"/etc/squid/blacklists/"

When I add a user to a specific group I want Squid to then allow that user to browse any website in that list. Each user will be a member of multiple groups depending on their role. Currently what I have will allow the user to browse the websites as long as they are a member of only one of the groups, but if I add the user to both groups then they can't see anything! In total I have around 50 categories that I would like to implement. Below is what I currently have listed in my squid.conf file.

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# AD communication #
auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "DC=domain,DC=local" -D "CN=SQUID,OU=domain Service Accounts,DC=domain,DC=local" -w "*********" -f sAMAccountName=%s -h 10.0.0.***,10.0.0.***,10.0.0.***
auth_param basic children 5
auth_param basic realm Please enter your domain credentials to continue
auth_param basic credentialsttl 1 hour

# AD group membership commands
external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "DC=domain,DC=local" -D "CN=SQUID,OU=domain Service Accounts,DC=domain,DC=local" -w "*********" -f "(&(objectclass=person) (sAMAccountname=%v)(memberof=CN=%a,OU=PROXY,ou=ALL domain Groups,DC=domain,DC=local))" -h 10.0.0.***,10.0.0.***,10.0.0.***

acl NEWS external ldap_group NEWS
acl SHOPPING external ldap_group SHOPPING


acl rule1 url_regex -i "/etc/squid/blacklists/news/domains"
acl rule2 url_regex -i "/etc/squid/blacklists/shopping/domains"

http_access deny NEWS !rule1
http_access deny SHOPPING !rule2
http_access allow all

Solution

Squid stops processing rules on the first match. If you add an account to both groups, then one of the 'deny' rules always matches when the user tries to access a website from one of these categories.

Instead you can use 'allow' rules:

http_access allow NEWS rule1
http_access allow SHOPPING rule2
http_access deny all

In this case all matched are allowed and all non-matched are denied.

In order to make it more readable you can rename acls:

http_access allow group-NEWS url_regex-news
http_access allow group-SHOPPING url_regex-shopping
http_access deny all
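To see why the deny-based configuration locks out a user in both groups while the allow-based one does not, the following added example (written for this page, not code from the answer's author or from the Squid project) simulates Squid's http_access evaluation: each line is an AND of its ACL terms, the first matching line decides, and when no line matches Squid applies the opposite of the last line's action. The domain lists, group memberships and URLs are constructed stand-ins for the files under /etc/squid/blacklists/ and the LDAP lookups; the ACL names and both rule sets are taken from the question and the answer.

```python
import re

# Constructed domain patterns standing in for /etc/squid/blacklists/<category>/domains
NEWS_DOMAINS = [r"news\.example", r"dailybugle\.example"]
SHOPPING_DOMAINS = [r"shop\.example", r"megamart\.example"]


def url_regex(patterns):
    """Model of 'acl NAME url_regex -i FILE': any pattern found in the URL matches."""
    compiled = [re.compile(p, re.IGNORECASE) for p in patterns]
    return lambda req: any(c.search(req["url"]) for c in compiled)


def ldap_group(group_name):
    """Model of 'acl NAME external ldap_group GROUP': membership lookup (constructed, not LDAP)."""
    return lambda req: group_name in req["groups"]


# ACL names as defined in the question's squid.conf
ACLS = {
    "NEWS": ldap_group("NEWS"),
    "SHOPPING": ldap_group("SHOPPING"),
    "rule1": url_regex(NEWS_DOMAINS),
    "rule2": url_regex(SHOPPING_DOMAINS),
}

# The question's original rules and the answer's corrected rules
ORIGINAL_CONFIG = [
    "http_access deny NEWS !rule1",
    "http_access deny SHOPPING !rule2",
    "http_access allow all",
]
FIXED_CONFIG = [
    "http_access allow NEWS rule1",
    "http_access allow SHOPPING rule2",
    "http_access deny all",
]


def parse_http_access(lines):
    """Turn 'http_access ACTION [!]acl ...' lines into (action, [(acl, negated), ...])."""
    rules = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 3 or tokens[0] != "http_access":
            continue
        terms = [(t.lstrip("!"), t.startswith("!")) for t in tokens[2:]]
        rules.append((tokens[1], terms))
    return rules


def term_matches(name, negated, req):
    matched = True if name == "all" else ACLS[name](req)
    return (not matched) if negated else matched


def evaluate(rules, req):
    """First-match semantics: the first line whose terms all match decides.
    If nothing matches, Squid uses the opposite of the last line's action."""
    for action, terms in rules:
        if all(term_matches(name, neg, req) for name, neg in terms):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"


def decide(config_lines, groups, url):
    """Decision ('allow' or 'deny') for a user with the given group set fetching url."""
    req = {"groups": set(groups), "url": url}
    return evaluate(parse_http_access(config_lines), req)


if __name__ == "__main__":
    cases = [
        (["NEWS"], "http://news.example/"),
        (["NEWS", "SHOPPING"], "http://news.example/"),
        (["NEWS", "SHOPPING"], "http://shop.example/"),
        (["NEWS"], "http://shop.example/"),
        ([], "http://other.example/"),
    ]
    for groups, url in cases:
        print(f"{sorted(groups)!s:22} {url:28} original={decide(ORIGINAL_CONFIG, groups, url):5} "
              f"fixed={decide(FIXED_CONFIG, groups, url)}")
```

With the original rules, a user in both NEWS and SHOPPING who opens a news site fails the first line (rule1 matches, so !rule1 does not) but hits the second line, because SHOPPING matches and the news URL is not in the shopping list: the result is deny. With the allow-based rules each line only ever grants access for its own category and the trailing `deny all` closes everything else, so adding groups can only widen what a user may reach. Note that `squid -k parse` checks syntax only; a simulation like this, or a small set of test requests against the proxy, is what actually exercises the policy.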
Licensed under: CC-BY-SA with attribution