Solved

How to use group membership to control internet users with SQUID LDAP authentication.

Posted on 2010-08-18
2
556 Views
Last Modified: 2013-12-16
Hey Team,
We have a working SQUID server.   It does authentication against Active Directory via LDAP.  Currently there is a group that is allowed to surf the internet unrestricted:  Group0 if you will..  Anyone not in the group is white listed to only a few business sites.  This all works fine.  My question is this:  Now I need to make several new active directory groups and based on their membership white list them to the required business web sites only.  So for example:  Group1 needs to only be able to go to www.google.com.  Group2 members should be able to only go to www.yahoo.com.  The Group0 we discussed earlier can go anywhere on the internet.  How do I do this?"
Thanks!!!!
0
Comment
Question by:tedayoungii
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 

Author Comment

by:tedayoungii
ID: 33463910
I went ahead and posted the pertenent current ldap settings that work.  Below:


auth_param basic program /usr/lib/squid/squid_ldap_auth -R -b "dc=xxxxx,dc=xxxxxxxx,dc=com" -D "CN=LDAP USERNAME,OU=IT,OU=SUI,DC=xxxxxxx,DC=xxxxxxxxxx,DC=com" -w "password" -f sAMAccountName=%s -h dc01
auth_param basic children 5
auth_param basic realm xxxxxxxx
auth_param basic credentialsttl 480 minute
auth_param basic casesensitive off

##group auth
external_acl_type internetusergroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=xxxxxxx,dc=xxxxxxx,dc=com" -D "CN=LDAP USERNAME,OU=IT,OU=SUI,DC=xxxxxx,DC=xxxxxx,DC=com" -w "password" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=Firebox Users,OU=Security Groups,OU=SUI,DC=xxxxxx,DC=xxxxxx,DC=com))" -h DC01



acl internetusergroup proxy_auth REQUIRED
acl internetgroup external internetusergroup internetusers
acl Allowed_Sites url_regex "/etc/squid/allowed-sites.acl"
http_access allow internetgroup
http_access allow internetusergroup Allowed_Sites
#http_access deny internetusergroup
#http_access deny bad
http_access deny all
0
 
LVL 3

Accepted Solution

by:
pitt7 earned 500 total points
ID: 33465889
Use the auth_param parameter as is.

Change ##group auth to (the %a at memberof=CN= is the relevant change)
external_acl_type internetusergroup %LOGIN /usr/lib/squid/squid_ldap_group -R -b "dc=xxxxxxx,dc=xxxxxxx,dc=com" -D "CN=LDAP USERNAME,OU=IT,OU=SUI,DC=xxxxxx,DC=xxxxxx,DC=com" -w "password" -f "(&(objectclass=person)(sAMAccountName=%v)(memberof=CN=%a,OU=Security Groups,OU=SUI,DC=xxxxxx,DC=xxxxxx,DC=com))" -h DC01

acl internetusergroup proxy_auth REQUIRED
acl internetgroup external internetusergroup internetusers
acl InternetGroup1 external internetusergroup Group1
acl Group1_Sites url_regex "/etc/squid/allowed-sites_Group1.acl"
acl Allowed_Sites url_regex "/etc/squid/allowed-sites.acl"

http_access allow internetgroup
http_access allow InternetGroup1 Group1_Sites
http_access allow internetusergroup Allowed_Sites
http_access deny all
0

Featured Post

Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Connect to CentOS (in a local VMWare VM) using Putty 7 224
Disabling security updates Ubuntu 3 68
Advice on ESXi 5.1 Health / Storage 1 80
RHEL 6.0 - Does it support SHA2? 7 41
How many times have you wanted to quickly do the same thing to a list but found yourself typing it again and again? I first figured out a small time saver with the up arrow to recall the last command but that can only get you so far if you have a bi…
In the first part of this tutorial we will cover the prerequisites for installing SQL Server vNext on Linux.
Learn how to navigate the file tree with the shell. Use pwd to print the current working directory: Use ls to list a directory's contents: Use cd to change to a new directory: Use wildcards instead of typing out long directory names: Use ../ to move…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
Suggested Courses

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question