Kelly,
The intent of the Squid mechanism, is, I think, a bit obscure--hopefully
the authors will step forward and show how you set up the two distinct
external auth mechanisms it appears you need in order for Squid to a)
authenticate to LDAP b) do the group check.
However, our solution (which resembles that used in a commercial K12
proxy solution which I shall not name), is as follows:
1. We use one external authenticator, the squid_ldap_auth program
2. All traffic is sent to a customized Squidguard redirect_program--our
version combines a bunch of extant modifications, including LDAP
group-based ACLs, and a modified logging feature used to drive reporting
3. Any sort of authorization rule, including one forbidding specific
users/groups to visit FTP urls, would happen here. For example, your
source group might be "kids," and the destination group anything
matching an "^ftp://" regex.
We have some tweaks to Webmin, a real-time log parser, and reporting
tool we're releasing, that organize all this.
Matt
Kelly_Connor@gilbert.k12.az.us wrote:
>
>Hi all,
>
>I hope this has not been addressed anywhere in the mailing lists. I did a
>search and couldn't find anything, and I've already RTFM'd.
>
>I don't understand how to set up the squid_ldap_group external acl type.
>
>We are running Novell eDirectory and using various LDAP groups to
>(hopefully) control internet access for our various high school campuses.
>We want to have different control lists based upon the user. Students are
>denied ftp downloads and are sent to a redirector/content filter, while we
>IT people don't go to the redirector and get ftp downloads.
>
>The man page for external_acl_type doesn't seem clear to me.
>
>This is what I've got so far:
>
>external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b <basedn>
>-D <squidaccount> -w <passwd> -f
>"(&(cn=%v)(groupMembership=cn=<group1dn>))" -h ldap.host
>external_acl_type ldap_group %LOGIN /usr/sbin/squid_ldap_group -b <basedn>
>-D <squidaccount> -w <passwd> -f
>"(&(cn=%v)(groupMembership=cn=<group2dn>))" -h ldap.host
>
>acl Restricted port 20 21 1025-65535
>
>acl external ldap_group deny Restricted
>acl external ldap_group allow Restricted
>
>I'm certain I am doing something wrong with my "acl external" lines. How
>do I differentiate the two different groups? How exactly is the
>external_acl_type line used? Is ldap_group a reserved phrase that has to
>follow external_acl_type? How do I return to squid the group membership
>token for the user?
>
>Thanks for any illumination...
>
>
>Kelly Connor
>Network Technician
>Gilbert Unified School District
>kelly_connor@gilbert.k12.az.us
>
>
>
Received on Wed Dec 01 2004 - 10:35:58 MST
This archive was generated by hypermail pre-2.1.9 : Sat Jan 01 2005 - 12:00:01 MST