Aha. I needed to use this:
external_acl_type NT_global_group %LOGIN /usr/local/libexec/squid/wbinfo_group.pl
Well, that's one step further, but now it allows everyone to access the proxy even if they aren't in the allowed groups.
external_acl_type NT_global_group %LOGIN /usr/local/libexec/squid/wbinfo_group.pl
# Use the group
acl AllowedNTUsers external NT_global_group "/usr/local/etc/squid/acls/allowedntgroups"
acl LoggedInUsers proxy_auth REQUIRED
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow AllowedNTUsers
http_access allow LoggedInUsers
http_access deny !AllowedNTUsers
http_access deny !LoggedInUsers
Slowly getting somewhere.
Does this allow all from the AllowedNTUsers file and also all logged-in users?
How do I make it so that they have to be
A: Logged into the ADS
and
B: In particular groups
instead of A: OR B:
-----Original Message-----
From: squid-users-return-49446-Jason.Oakley=aapt.com.au@squid-cache.org [mailto:squid-users-return-49446-Jason.Oakley=aapt.com.au@squid-cache.org] On Behalf Of Jason Oakley
Sent: Thursday, 28 October 2004 10:31 AM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Authing to ADS NT Groups in a file
Okay. I forgot this:
# Define the group
external_acl_type NT_global_group %LOGIN /usr/local/squid/libexec/wb_group
Now I can start squid.
I am in group "ITDepartment"
which I put in the "allowedntgroups" file
but it still denies me access.
#Recommended minimum configuration:
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443 563
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 563 # https, snews
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
# Define the group
external_acl_type NT_global_group %LOGIN /usr/local/squid/libexec/wb_group
# Use the group
acl AllowedNTUsers external NT_global_group "/usr/local/etc/squid/acls/allowedntgroups"
acl AuthorizedUsers proxy_auth REQUIRED
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
http_access allow AllowedNTUsers
http_access allow AuthorizedUsers
http_access deny !AllowedNTUsers
http_access deny !AuthorizedUsers
# And finally deny all other access to this proxy
http_access deny all
cat allowedntgroups
ITDepartment
-----Original Message-----
From: squid-users-return-49444-Jason.Oakley=aapt.com.au@squid-cache.org [mailto:squid-users-return-49444-Jason.Oakley=aapt.com.au@squid-cache.org] On Behalf Of Jason Oakley
Sent: Thursday, 28 October 2004 9:06 AM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Authing to ADS NT Groups in a file
According to the docs:
acl ProxyUsers external NT_global_group "/usr/local/squid/etc/DomainUsers"
and the DomainUsers files will contain only the following line:
"Domain Users"
I tried this:
acl AllowedNTUsers external NT_global_group "/usr/local/etc/squid/acls/allowedntgroups"
acl AuthorizedUsers proxy_auth REQUIRED
in allowedntgroups:
"IT Dept"
but I get this:
FATAL: Bungled squid.conf line 1840: acl AllowedNTUsers external NT_global_group "/usr/local/etc/squid/acls/allowedntgroups"
Squid Cache (Version 2.5.STABLE7): Terminated abnormally.
-----Original Message-----
From: squid-users-return-49441-Jason.Oakley=aapt.com.au@squid-cache.org [mailto:squid-users-return-49441-Jason.Oakley=aapt.com.au@squid-cache.org] On Behalf Of Jason Oakley
Sent: Thursday, 28 October 2004 8:47 AM
To: squid-users@squid-cache.org
Subject: [squid-users] Authing to ADS NT Groups in a file
I have Squid authing to ADS via Samba and I need to add certain groups to have access.
It's something like this:
acl unrestrictedusers external nt_group "/usr/local/etc/squid/acls/allowedntgroups"
but that doesn't work.
Of course, being NT groups, they have spaces in their names, e.g. "IT Dept", so a file (allowedntgroups) to list the groups would be preferable.
What am I doing wrong?
TIA
--------------
Jason Oakley
Robina Helpdesk
AAPT Limited
Ph: 07 5562 4359
Jason.Oakley@aapt.com.au
------------------------------------------------------------------------------
This communication, including any attachments, is confidential. If
you are not the intended recipient, you should not read it - please
contact me immediately, destroy it, and do not copy or use any part of
this communication or disclose anything about it.
------------------------------------------------------------------------------
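The "A AND B" rule set the thread is asking for, written out as an added example; it is not part of the original message or of Squid's shipped squid.conf. It assumes the helper and ACL-file paths used earlier in the thread, a Squid 2.5 install, and that the "Recommended minimum configuration" ACLs (manager, localhost, Safe_ports, SSL_ports, CONNECT, all) are still defined above it. The key point is how Squid evaluates http_access: lines are tried top to bottom, the first line that matches decides, and several ACLs on one line are ANDed while separate allow lines act as OR.

```conf
# --- Rules as posted: these behave as A OR B ---
# Anyone who authenticates matches the second allow line, so the group check
# on the first line never decides anything, and the two "deny !" lines are
# never reached for an authenticated user.
#
#   http_access allow AllowedNTUsers
#   http_access allow LoggedInUsers
#   http_access deny !AllowedNTUsers
#   http_access deny !LoggedInUsers

# --- Corrected rules: A AND B ---

# Group-membership helper shipped with Squid 2.5 (path as used in the thread).
# %LOGIN hands the authenticated user name to the helper together with the
# group names from the ACL file; the helper answers OK or ERR per lookup.
external_acl_type NT_global_group %LOGIN /usr/local/libexec/squid/wbinfo_group.pl

# A: the client must have authenticated to the proxy.
acl AuthorizedUsers proxy_auth REQUIRED

# B: the user must belong to one of the groups listed, one per line, in this
# file (e.g. ITDepartment). Quote names that contain spaces, as the Squid
# docs quoted in the thread do for "Domain Users".
acl AllowedNTUsers external NT_global_group "/usr/local/etc/squid/acls/allowedntgroups"

# Hygiene rules from the recommended minimum configuration; keep them first.
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Both ACLs on the SAME line: the request must satisfy AuthorizedUsers AND
# AllowedNTUsers for this allow to match. proxy_auth goes first so that an
# unauthenticated client receives the 407 challenge before the group helper
# is consulted with an empty user name.
http_access allow AuthorizedUsers AllowedNTUsers

# Everything else is denied, including users who authenticated successfully
# but are not in any listed group (they get an access-denied page, not
# another login prompt, which is the intended result here).
http_access deny all
```

Two checks worth doing before trusting this. First, exercise the helper by hand the way Squid does, feeding it a line of "user group" on stdin and expecting `OK` back, for example `printf 'DOMAIN\\jason ITDepartment\n' | /usr/local/libexec/squid/wbinfo_group.pl` (DOMAIN\jason is a placeholder; the user name must be in exactly the form %LOGIN delivers, which depends on the authentication scheme and on winbind's domain separator, so an `ERR` here often means a name-format mismatch rather than a missing group). Second, remember that external ACL answers are cached by Squid for the external_acl_type ttl (an hour by default), so removing someone from the AD group does not lock them out until that cache entry expires or Squid is reconfigured.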
Received on Wed Oct 27 2004 - 20:02:30 MDT
This archive was generated by hypermail pre-2.1.9 : Mon Nov 01 2004 - 12:00:02 MST