Re: [squid-users] Groups using authentication via wb_auth

From: Henrik Nordstrom (hno@squid-cache.org)
Date: Fri Feb 28 2003 - 12:12:46 MST


Scott Wrosch wrote:

> Running a Windows 2000 Domain with two Domain Controllers. We have
> approximately 100-120 users at this site, which is the primary concern.
> Of these 100-120 users, we have a variety of network and Internet needs.
> First we have our Customer Service people. Then we have everyone else.

Fine.

> Now, we have some CS people who need no Internet access whatsoever.

Fine.

> Then, we have some who need access to perhaps 1 or 2 specific sites.

Fine.

> Then, to top that off, we have others who may need access to 1 or 2
> specific sites as well.

Fine.

> Still more, we have some people who may need access to the 2 or 4
> sites mentioned above.

Fine.

> And finally, we may have people who need Internet access as well.
> We also have everyone else, most of whom will usually need Internet access.

Fine, I suppose.. hard to see any difference between the two group
rights..

> With that being said, I'm looking at needing to create groups of users,
> some users being in multiple groups.

Which is how I would recommend solving this.

> Now, I have set up squid-2.5.STABLE1-20030225 on a RedHat 7.3 system. I
> had used msnt_auth for authentication, before it was determined we
> needed groups. So after a posting or two here, I tried LDAP. Doesn't
> appear to be set up here. Not a big deal, as it looked to be quite
> confusing anyways. So now I'm using winbind via the Samba suite
> (2.2.7a) for authentication. Works beautifully. I was under the
> impression that we were going to create the groups on the Domain
> Controller, and then control access that way. Nope. Not happening.
> They want to keep all the groups on the server.

Ok. So you want to keep all groups on the Squid server. No problem.

> So, with that being said, I'm stuck. I had planned on creating groups
> in the domain, and going about it using wb_group for everything. Too
> many "dependencies"... (/me beats head on desk.)

Well.. delegate the job of updating the groups on the Squid server
using vi to the helpdesk and you quickly get them into a better mindset..

> I'm looking for suggestions. Pointers to FAQs. Anything that will get
> me on the right track so I can stop beating my head on my desk. I've
> been poking around, going through archives and stuff, and I've seen much
> that looks like it will work. The problem is, in the mental state that
> I'm in at the moment, I haven't been able to put the pieces together.
> I'm sure it can be done... I just can't get everything connected in my
> mind in order to do it.

The groups will need to be defined somewhere, there is no question
about that.

You can if you like define the groups on the Squid server simply by
listing the users in plain text files and refer to these files via
proxy_auth acls..

acl group1 proxy_auth "/path/to/file/defining/group1"
...

but I would strongly recommend persuading the NT Domain manager that
having the groups in the domain is the correct approach, both for
technical and administrative reasons. Updating the groups on the Squid
server directly is both error prone and cumbersome if you have many
groups to maintain.

In both cases the http_access rules should be the same.

# Access permissions for group1
acl group1 ... (proxy_auth or wbgroup depending on your setup)
acl destinations_group1 dstdomain site1 site2 ...
http_access allow group1 destinations_group1

# Access permissions for group2
acl group2 ... (proxy_auth or wbgroup depending on your setup)
acl destinations_group2 dstdomain site3 site4 ...
http_access allow group2 destinations_group2

[repeated for each user group]

# Deny any other access
http_access deny all

Regards
Henrik
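A fuller squid.conf sketch of the layout described in the reply above, added here as an illustration and not taken from the reply or from the Squid project. It shows the plain-file group variant beside the domain-group (wb_group) variant, and puts an explicit authentication rule ahead of the per-group rules; helper paths, group names and destination domains are assumptions.

```conf
# Added illustration, not from the original reply. Helper paths, group
# names and domains are assumed; adjust to the local install.
auth_param basic program /usr/lib/squid/wb_auth
auth_param basic children 5
auth_param basic realm Squid proxy
auth_param basic credentialsttl 2 hours

# Variant A: groups kept on the Squid server, one username per line per file
acl cs_site12   proxy_auth "/etc/squid/groups/cs_site12"
acl cs_site34   proxy_auth "/etc/squid/groups/cs_site34"
acl cs_allsites proxy_auth "/etc/squid/groups/cs_allsites"
acl internet    proxy_auth "/etc/squid/groups/internet"

# Variant B: groups kept in the NT domain and checked through the wb_group
# external acl helper. Use one variant or the other, not both.
#external_acl_type nt_group %LOGIN /usr/lib/squid/wb_group
#acl cs_site12   external nt_group cs_site12
#acl cs_site34   external nt_group cs_site34
#acl cs_allsites external nt_group cs_allsites
#acl internet    external nt_group internet

# Destination lists (constructed example domains; leading dot matches subdomains)
acl dst_site12 dstdomain .site1.example .site2.example
acl dst_site34 dstdomain .site3.example .site4.example
acl authenticated proxy_auth REQUIRED

# Challenge for credentials first. Without this, a user who is in no group
# hits the final "deny all" and gets a plain 403 instead of a login prompt.
http_access deny !authenticated

# http_access is first-match, so the group rules go before the final deny.
# The "no Internet at all" CS users need no rule: the deny covers them.
http_access allow cs_site12   dst_site12
http_access allow cs_site34   dst_site34
http_access allow cs_allsites dst_site12
http_access allow cs_allsites dst_site34
http_access allow internet
http_access deny all
```

The group files in variant A are read at startup and on `squid -k reconfigure`, so a helpdesk edit takes effect only after a reconfigure.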



This archive was generated by hypermail 2b29 : Sat Mar 01 2003 - 12:03:35 MST