On 15/06/2016 10:50, nilesh.gav...@tcs.com wrote:
> Hi Team,
> I have the setup as below:
> * Squid Kerberos authentication with Windows AD 2012r2 - works fine.
> * Now I need to restrict access based on AD Group membership.
> The configuration below was done, but no luck. When I try to access with a user who
> is not part of the group mentioned, he is still able to browse the Internet.

The following works fine for me and in my opinion works better than
LDAP. The authentication is integrated, so it doesn't keep asking for
a password (when the current user is a domain account). But you have to
add the Squid server to the domain using 'smb.conf', 'krb5.conf' and
then 'net ads join'. The service 'winbind' must be running too.

I'm using Squid 3.5.19.

auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain=MYDOMAIN
# Squid build-time (./configure) option, not a squid.conf directive:
# --enable-external-acl-helpers="ext_wbinfo_group_acl"
auth_param ntlm children 10 startup=0 idle=2
external_acl_type NTGroup children-startup=10 children-idle=2 children-max=50 %LOGIN /usr/lib64/squid/ext_wbinfo_group_acl
acl authenticated proxy_auth REQUIRED
acl ad_group external NTGroup MYDOMAIN\AD_Group
acl denied_websites dstdom_regex -i "/etc/squid/denied-websites.txt"
http_access deny ad_group denied_websites

So all the members of MYDOMAIN\AD_Group won't have access to whatever
the file contains.
Bruno
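
An added example, not part of Bruno's post or of Squid itself: a small Python model of how Squid evaluates http_access lines, applied to the rule above to show which requests it actually denies. The user names, the sample pattern and the GROUP_ONLY rule set are constructed assumptions, and the model only covers users who have already authenticated.

```python
import re

# Constructed sample data (assumptions, not from the post): who winbind would
# report as a member of MYDOMAIN\AD_Group, and one pattern standing in for
# the contents of /etc/squid/denied-websites.txt.
GROUP_MEMBERS = {"alice"}
DENIED_PATTERNS = [r"\.blocked\.example$"]

def acl_matches(acl, user, host):
    """Evaluate one named ACL; a leading '!' negates it, as in squid.conf."""
    if acl.startswith("!"):
        return not acl_matches(acl[1:], user, host)
    if acl == "all":
        return True
    if acl == "ad_group":
        return user in GROUP_MEMBERS
    if acl == "denied_websites":
        return any(re.search(p, host, re.I) for p in DENIED_PATTERNS)
    raise ValueError(f"unknown acl {acl!r}")

def http_access(rules, user, host):
    """Return 'allow' or 'deny' for a request from an authenticated user.

    ACLs on one line are ANDed, the first matching line decides, and if no
    line matches the result is the opposite of the last line's action.
    """
    if not rules:
        return "deny"  # no http_access lines at all: Squid denies
    for action, acls in rules:
        if all(acl_matches(a, user, host) for a in acls):
            return action
    return "allow" if rules[-1][0] == "deny" else "deny"

# The single rule from the post: http_access deny ad_group denied_websites
POSTED = [("deny", ["ad_group", "denied_websites"])]

# Assumed variant for "only group members may browse":
#   http_access allow ad_group
#   http_access deny all
GROUP_ONLY = [("allow", ["ad_group"]), ("deny", ["all"])]

if __name__ == "__main__":
    for name, rules in (("posted", POSTED), ("group-only", GROUP_ONLY)):
        for user in ("alice", "bob"):
            for host in ("www.blocked.example", "www.example.org"):
                print(name, user, host, http_access(rules, user, host))
```

With the posted rule alone, a user outside the group falls through to the implicit default and is allowed everywhere; an explicit final deny line is what turns group membership into a requirement.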