-----Original Message-----
From: Jasper Van Der Westhuizen [mailto:javanderwesthui...@shoprite.co.za]
Sent: Wednesday, April 04, 2012 11:13 AM
To: squid-users@squid-cache.org
Subject: RE: [squid-users] Allowing linked sites - NTLM and un-authenticated users

> This allows my un-authenticated users access to the whitelisted domains and
> blocks any links in the sites that are not whitelisted (like facebook and
> youtube). It also allows my authenticated users access to all sites,
> including whitelisted sites, as well as allowing linked sites like facebook
> etc.
>
> Do you perhaps see any issue with this setup?
>
> The only problem I foresee is that srcdomain is the client's IP rDNS record.
> You have to encode into that what group they are in, so it's restricted to
> clients you have control over rDNS for. In which case you may as well make
> them static and use src IP checks.
>
> Amos
>
> Hi Amos
>
> I want to change my setup to do authentication for everyone, and based on
> whether the user is in a specific group or not, allow them access to certain
> ACLs.
>
> I have a group in AD that should have full access. All users should
> authenticate. If the user is not in my Internet group then he gets to access
> a list of sites. If the user is in the Internet group he gets a different
> ACL to access everything.
>
> Is this possible with NTLM? I don't think it is. How would I approach this?

What I did now was use wbinfo_group.pl to help with group ACLs.

--cut--
external_acl_type testForNTGroup1 children=5 %LOGIN /usr/sbin/wbinfo_group.pl
external_acl_type testForNTGroup2 children=5 %LOGIN /usr/sbin/wbinfo_group.pl
acl InternetUsers external testForNTGroup1 "/etc/squid/group_auth_all_access"
acl NonInternetUsers external testForNTGroup2 "/etc/squid/group_auth_limited_access"
---
### Allow Whitelisted domains to all users
http_access allow InternetUsers
http_access allow NonInternetUsers whitelist
http_access deny NonInternetUsers !whitelist all
--cut--

I place my groups that are allowed to have full access in group_auth_all_access. The file group_auth_limited_access contains the group that covers my entire AD domain.

I think this will work fine. I've tested it successfully.
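
Added example, not part of the original post: a simplified Python model of how Squid evaluates the three posted http_access lines (first matching line wins, every ACL on a line must match). The users, group names and whitelist domain are constructed, and the whitelist ACL is assumed to be dstdomain-style because its definition is not in the snippet.

```python
# Added example: simplified model of Squid's http_access evaluation.
# Group names, users and whitelist domains are constructed sample data.

# The three posted lines, in order. "!" negates an ACL; every ACL on a
# line must match (AND) and the first matching line decides.
RULES = [
    ("allow", ["InternetUsers"]),
    ("allow", ["NonInternetUsers", "whitelist"]),
    ("deny", ["NonInternetUsers", "!whitelist", "all"]),
]

# Constructed stand-ins for the two group files and for the AD lookups
# that wbinfo_group.pl performs.
GROUP_FILES = {
    "InternetUsers": {"Internet"},         # group_auth_all_access
    "NonInternetUsers": {"Domain Users"},  # group_auth_limited_access
}
MEMBERSHIP = {
    "alice": {"Domain Users", "Internet"},
    "bob": {"Domain Users"},
    "kiosk": set(),  # authenticated, but resolves to neither group
}
# Assumption: "whitelist" is a dstdomain-style ACL defined outside the snippet.
WHITELIST = {"example.org"}


def acl_matches(name, user, host):
    """Evaluate one ACL for an already-authenticated user and a request host."""
    if name == "all":
        return True
    if name == "whitelist":
        return any(host == d or host.endswith("." + d) for d in WHITELIST)
    return bool(MEMBERSHIP.get(user, set()) & GROUP_FILES[name])


def decide(user, host, rules=RULES):
    """Return 'allow' or 'deny' for one request."""
    for action, acls in rules:
        if all(acl_matches(a.lstrip("!"), user, host) != a.startswith("!")
               for a in acls):
            return action
    # No line matched: Squid falls back to the opposite of the last line.
    return "allow" if rules[-1][0] == "deny" else "deny"


if __name__ == "__main__":
    for user in MEMBERSHIP:
        for host in ("www.example.org", "www.facebook.com"):
            print(f"{user:6} {host:18} {decide(user, host)}")
```

In this model a user who resolves to neither group matches none of the three lines and is allowed by the fallback, so the result depends on whatever follows in the full squid.conf; a closing "http_access deny all" removes that dependency. Moving the InternetUsers line below the other two would deny full-access users on non-whitelisted sites, because they also belong to the domain-wide group.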