Re: [squid-users] Using multiple groups, multiple access list on W2K?

Wed, 05 Jan 2005 03:17:33 -0800 

Hi,

At 22.55 04/01/2005, James Bruce wrote:



Hello List,
I'm a newb to squid and this list, I need a little help. I have
squid/2.5.STABLE7-NT installed on a W2K server with the latest patches.

The goal is to have multiple groups with different levels of internet access
for each group. Also let everyone have full internet access during lunch
12-1pm. Last but not least use active directory authentication.

I am able to add windows authentication for my proxy. I created a local
group called ProxyUsers on the w2k server, that group consist of the domain
group called RestrictedUsers. More groups will be created later
(AccountingRestricted, SalesRestricted, Unrestristed, etc...) For now I'm
using one group (for testing). If employees are not in that domain group
(RestrictedUsers) they do not have internet access and if they are, a login
box appears. So I know this works with the active directory authentication.

This is were I'm stuck. We will need to have multiple groups that need more
access then others. Which will require multiple access list I know. I guess
my question is how do you associate certain access-lists for certain groups
with authentication. I included my squid.conf to give you a basic idea of
what I have. I know it's not the cleanest but it's working so far :) If
anyone has a link or advice, please let me know. Sorry if this is such a
newb question.

You must use External ACL with the win32_check_group.exe helper.
See the win32_check_group.txt file that you can find in the binary distribution for more details.

According to the example in the documentation, you can define many ACLs as you need:

acl AccountingRestricted external NT_global_group AccountingRestricted
acl SalesRestricted external NT_global_group SalesRestricted
acl Unrestricted external NT_global_group Unrestricted

The group that can be specified in win32_ntlm_auth.exe command line is a quick shortcut for simple installations, without using External ACLs, is not suitable for complex configurations.

Regards

Guido



-
========================================================
Guido Serassio
Acme Consulting S.r.l. - Microsoft Certified Partner
Via Gorizia, 69             10136 - Torino - ITALY
Tel. : +39.011.3249426      Fax. : +39.011.3293665
Email: [EMAIL PROTECTED]
WWW: http://www.acmeconsulting.it/

Reply via email to