
Integrating multiple active directory groups with Squid access lists


So I have multiple Active Directory groups that I'm attempting to integrate into Squid. I have categorized URL lists located in

"/etc/squid/blacklists/"

When I add a user to a specific group I want Squid to then allow that user to browse any website in that list. Each user will be a member of multiple groups depending on their role. Currently what I have will allow the user to browse the websites as long as they are a member of only one of the groups, but if I add the user to both groups then they can't see anything! In total I have around 50 categories that I would like to implement. Below is what I currently have listed in my squid.conf file.

#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
# AD communication #
auth_param basic program /usr/lib64/squid/squid_ldap_auth -R -b "DC=domain,DC=local" -D "CN=SQUID,OU=domain Service Accounts,DC=domain,DC=local" -w "*********" -f sAMAccountName=%s -h 10.0.0.***,10.0.0.***,10.0.0.***
auth_param basic children 5
auth_param basic realm Please enter your domain credentials to continue
auth_param basic credentialsttl 1 hour

# AD group membership commands
external_acl_type ldap_group %LOGIN /usr/lib64/squid/squid_ldap_group -R -b "DC=domain,DC=local" -D "CN=SQUID,OU=domain Service Accounts,DC=domain,DC=local" -w "*********" -f "(&(objectclass=person) (sAMAccountname=%v)(memberof=CN=%a,OU=PROXY,ou=ALL domain Groups,DC=domain,DC=local))" -h 10.0.0.***,10.0.0.***,10.0.0.***

acl NEWS external ldap_group NEWS
acl SHOPPING external ldap_group SHOPPING


acl rule1 url_regex -i "/etc/squid/blacklists/news/domains"
acl rule2 url_regex -i "/etc/squid/blacklists/shopping/domains"

http_access deny NEWS !rule1
http_access deny SHOPPING !rule2
http_access allow all

Solution

  • Squid stops processing rules on the first match. If you add an account to both groups, then it always matches one of the 'deny' ACLs when the user tries to access a website from one of these categories.

    Instead you can use 'allow' rules:

    http_access allow NEWS rule1
    http_access allow SHOPPING rule2
    http_access deny all

    In this case all matches are allowed and all non-matches are denied.

    In order to make it more readable you can rename the ACLs:

    http_access allow group-NEWS url_regex-news
    http_access allow group-SHOPPING url_regex-shopping
    http_access deny all
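As an added illustration (not part of the question or the answer), here is a small Python model of Squid's first-match http_access evaluation that runs the asker's deny-style rules and the answer's allow-style rules side by side; the users, group memberships and domain patterns are constructed sample data standing in for the ldap_group lookups and the url_regex files.

```python
import re

# Constructed sample data standing in for the ldap_group lookups and the
# url_regex files under /etc/squid/blacklists/ (not real AD data).
GROUPS = {"alice": {"NEWS", "SHOPPING"}, "bob": {"NEWS"}}
URL_LISTS = {
    "rule1": [r"news\.example"],   # stand-in for blacklists/news/domains
    "rule2": [r"shop\.example"],   # stand-in for blacklists/shopping/domains
}

# The asker's rules and the answer's corrected rules, as (action, acl, ...).
DENY_STYLE = [("deny", "NEWS", "!rule1"),
              ("deny", "SHOPPING", "!rule2"),
              ("allow", "all")]
ALLOW_STYLE = [("allow", "NEWS", "rule1"),
               ("allow", "SHOPPING", "rule2"),
               ("deny", "all")]

def acl_matches(acl, user, url):
    """Evaluate one ACL term; a leading '!' negates it, as in squid.conf."""
    negate = acl.startswith("!")
    name = acl.lstrip("!")
    if name == "all":
        hit = True
    elif name in URL_LISTS:                      # url_regex -i "<file>"
        hit = any(re.search(p, url, re.I) for p in URL_LISTS[name])
    else:                                        # external ldap_group <name>
        hit = name in GROUPS.get(user, set())
    return hit != negate

def http_access(rules, user, url):
    """First-match evaluation: a line fires only if all its ACLs match.
    If no line matches, Squid applies the opposite of the last line's action."""
    for action, *acls in rules:
        if all(acl_matches(a, user, url) for a in acls):
            return action
    return "deny" if rules[-1][0] == "allow" else "allow"

if __name__ == "__main__":
    for rules, label in ((DENY_STYLE, "deny-style"), (ALLOW_STYLE, "allow-style")):
        for user in GROUPS:
            for url in ("http://news.example/", "http://shop.example/"):
                print(label, user, url, "->", http_access(rules, user, url))
```

Running it shows that with the deny-style rules alice (member of both groups) is denied both categories, because whichever list the URL is in, the other group's deny line fires first; with the allow-style rules she gets both and bob only gets news.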