Re: AW: [squid-users] authentication at windows 2000 domain - users AND groups

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 8 May 2002 18:00:45 +0200

For NT domains the "net" command line tool can be used to extract group
members IIRC. Samba also has tools allowing you to query the NT
domain from UNIX.

For MSAD, any LDAP search tool can be used to extract the needed information.

For postprocessing into a suitable format, awk is a safe bet.

Regards
Henrik

Brunner Richard wrote:
> Dear Henrik!
>
> Thank you for your hint.
> Do you know a batch tool that extracts the users/groups from the win2000
> domain ? Perhaps you can provide me an url ?
>
> Thank you
> Richard Brunner
>
> -----Original Message-----
> From: Squid Support (Henrik Nordstrom) [mailto:hno@marasystems.com]
> Sent: Wednesday, 08 May 2002 12:44
> To: Brunner Richard; squid-users@squid-cache.org
> Subject: Re: [squid-users] authentication at windows 2000 domain - users
> AND groups
>
> You can use a batch tool that regularly extracts the user group from your
> 2000 domain and puts it into a file for use by Squid.
>
> In future you should also be able to write a Win 2000 group helper to the
> external_acl framework (see http://devel.squid-cache.org/extenal_acl/).
>
> (Note: external_acl will be in Squid-2.6, or as a patch to Squid-2.5)
>
> Regards
> Henrik
>
> Brunner Richard wrote:
> > Dear Mailinglist!
> >
> > I've to set up a squid-proxy-server (squid-2.4STABLE6) with
> > authentication at a windows 2000 domain.
> >
> > I have three Groups on the Windows 2000 Domain which should be
> > authenticated. This should not be a problem with "smb_auth". I create the
> > file "proxyauth" with the content "allow" on the windows 2000 netlogon
> > share and give only these three groups access rights.
> >
> > But my problem is that I want to specify that group1 is only allowed to
> > visit http://page1.com, http://page2.com and http://page3.com, but group2
> > should be able to surf everywhere in the web with some restrictions
> > (sex-sites and so on) and group3 should have access to the internet
> > without any restrictions.
> >
> > In the "squid.conf" I can make a "user access list", eg.: "acl group1
> > proxy_auth winuser1 winuser2 winuser3" but in each of these groups are a
> > few hundred users and therefore it is not very comfortable to define the
> > groups this way. Every time a user gets added/deleted from the windows
> > 2000-domain I would have to delete/add this user in the squid.conf as
> > well. Is there a possibility to say for example: "acl group1 proxy_auth
> > wingroup1" ?
> >
> > Thank you very much for your help
> >
> > Richard Brunner
> >
> > ____________________________________________
> >
> > Richard Brunner
> > Dyna Data Informatik GmbH
> > A 6850 Dornbirn/Austria, J.G. Ulmerstrasse 21
> >
> > tel ++43 - (0)5572 - 90 80 90
> > fax ++43 - (0)5572 - 90 80 905
> >
> > richard.brunner@dynadata.at
> > ____________________________________________
Received on Wed May 08 2002 - 10:00:51 MDT
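
The batch approach discussed in this thread (an LDAP search, then awk post-processing into a file for Squid), as an added example that is not from any of the posters. The server name, DNs and file path are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Host, base DN, group DN and file path below are constructed.
# LDIF input would come from a search such as:
#   ldapsearch -LLL -x -H ldap://dc.example.com -b "dc=example,dc=com" \
#     "(&(objectClass=user)(memberOf=cn=wingroup1,cn=Users,dc=example,dc=com))" sAMAccountName
# and squid.conf would reference the result: acl group1 proxy_auth "/etc/squid/group1.users"

# Read LDIF on stdin; print one login name per line, sorted and unique.
# Names outside a conservative character set are skipped so a directory entry
# cannot smuggle whitespace or quotes into the ACL file.
ldif_to_userlist() {
    awk '
        /^sAMAccountName: / {
            name = substr($0, 17); sub(/[ \t\r]+$/, "", name)
            if (name ~ /^[A-Za-z0-9._$-]+$/) print name
            else print "skipped: " $0 > "/dev/stderr"
        }
        # "sAMAccountName:: " marks a base64 value; report it rather than guess.
        /^sAMAccountName:: / { print "skipped base64: " $0 > "/dev/stderr" }
    ' | LC_ALL=C sort -u
}

# Replace the ACL file by rename, and only when the new list is non-empty, so a
# failed query (domain controller down) keeps the previous list instead of
# emptying the group.
update_acl_file() {   # usage: update_acl_file FILE < ldif
    target=$1
    tmp=$(mktemp "${target}.XXXXXX") || return 1
    ldif_to_userlist > "$tmp"
    if [ ! -s "$tmp" ]; then rm -f "$tmp"; return 1; fi
    chmod 644 "$tmp" && mv "$tmp" "$target"
}

# Constructed sample input, not real directory data.
sample_ldif() {
    cat <<'EOF'
dn: CN=Win User1,CN=Users,DC=example,DC=com
sAMAccountName: winuser1

dn: CN=Win User2,CN=Users,DC=example,DC=com
sAMAccountName: winuser2

dn: CN=Odd Entry,CN=Users,DC=example,DC=com
sAMAccountName: bad name" x
EOF
}

sample_ldif | ldif_to_userlist   # prints winuser1 and winuser2
```

Squid reads the file when it loads its configuration, so a user removed from the domain group keeps proxy access until the list is regenerated and Squid is reconfigured.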