Re: AW: AW: [squid-users] authentication at windows 2000 domain - users AND groups

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 9 May 2002 12:20:29 +0200

acl group1 proxy_auth "/path/to/file/with/users/in/group1"
acl group2 proxy_auth "/path/to/file/with/users/in/group2"

http_access allow group1 what_they_are_allowed_to_access
http_access allow group2 ....
http_access deny all

On Thursday 09 May 2002 11:46, Brunner Richard wrote:
> Dear Henrik!
>
> It should not be a problem to extract the user/group information
> from the win2k-domain either with the "net" tool or with the
> "winbindd-daemon" (from samba) or an ldap-tool.
>
> Let's say I've all this information on my local disk.
>
> But I still don't know how I can manage in my squid.conf that
> group1 is allowed to view "http://site1.com" and "http://site2.com"
> but group2 is allowed to view all web-pages. This should be done
> without having to define all users in my squid.conf. Do you have a
> solution for this problem?
>
> thank you for your help
>
> richard brunner
>
>
> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@marasystems.com]
> Sent: Wednesday, 08 May 2002 18:01
> To: Brunner Richard
> Cc: squid-users@squid-cache.org
> Subject: Re: AW: [squid-users] authentication at windows 2000
> domain - users AND groups
>
>
> For NT domains the "net" command line tool can be used to extract
> group members IIRC. Samba also has tools allowing you to
> query the NT domain from UNIX.
>
> For MSAD, any LDAP search tool can be used to extract the needed
> information.
>
> For postprocessing into suitable format, awk is a safe bet.
>
> Regards
> Henrik
>
> Brunner Richard wrote:
> > Dear Henrik!
> >
> > Thank you for your hint.
> > Do you know a batch tool that extracts the users/groups from the
> > win2000 domain? Perhaps you can provide me a URL?
> >
> > Thank you
> > Richard Brunner
> >
> > -----Original Message-----
> > From: Squid Support (Henrik Nordstrom)
> > [mailto:hno@marasystems.com]
> > Sent: Wednesday, 08 May 2002 12:44
> > To: Brunner Richard; squid-users@squid-cache.org
> > Subject: Re: [squid-users] authentication at windows 2000 domain
> > - users AND groups
> >
> > You can use a batch tool that regularly extracts the user group
> > from your 2000 domain and puts it into a file for use by Squid.
> >
> > In future you should also be able to write a Win 2000 group
> > helper to the external_acl framework (see
> > http://devel.squid-cache.org/extenal_acl/).
> >
> > (Note: external_acl will be in Squid-2.6, or as a patch to
> > Squid-2.5)
> >
> > Regards
> > Henrik
> >
> > Brunner Richard wrote:
> > > Dear Mailinglist!
> > >
> > > I've to set up a squid-proxy-server (squid-2.4STABLE6) with
> > > authentication at a windows 2000 domain.
> > >
> > > I have three Groups on the Windows 2000 Domain which should be
> > > authenticated. This should not be a problem with "smb_auth". I
> > > create the file "proxyauth" with the content "allow" on the
> > > windows 2000 netlogon share and give only these three groups
> > > access rights.
> > >
> > > But my problem is that I want to specify that group1 is only
> > > allowed to visit http://page1.com, http://page2.com and
> > > http://page3.com, but group2 should be able to surf everywhere
> > > in the web with some restrictions (sex-sites and so on) and
> > > group3 should have access to the internet without any
> > > restrictions.
> > >
> > > In the "squid.conf" I can make a "user access list", eg.: "acl
> > > group1 proxy_auth winuser1 winuser2 winuser3" but in each of
> > > these groups are a few hundred users and therefore it is not
> > > very comfortable to define the groups this way. Every time a
> > > user gets added/deleted from the windows 2000-domain I would
> > > have to delete/add this user in the squid.conf as well. Is
> > > there a possibility to say for example: "acl group1 proxy_auth
> > > wingroup1"?
> > >
> > > Thank you very much for your help
> > >
> > > Richard Brunner
> > >
> > > ____________________________________________
> > >
> > > Richard Brunner
> > > Dyna Data Informatik GmbH
> > > A 6850 Dornbirn/Austria, J.G. Ulmerstrasse 21
> > >
> > > tel ++43 - (0)5572 - 90 80 90
> > > fax ++43 - (0)5572 - 90 80 905
> > >
> > > richard.brunner@dynadata.at
> > > ____________________________________________
Received on Fri May 10 2002 - 14:56:38 MDT
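
The batch step discussed in this thread (extract group members, postprocess with awk, write one file per group for the `acl ... proxy_auth "/path/..."` lines), as an added example that is not from the thread or the Squid project. It assumes group(5)-format input such as `getent group` prints on a host running winbindd, that Squid sees account names without the `DOMAIN\` prefix, and the function name and sample data are constructed for illustration.

```shell
#!/bin/sh
# write_group_file GROUP OUTFILE
# Reads group(5)-format lines on stdin (assumed layout:
#   DOMAIN\group:x:gid:DOMAIN\user1,DOMAIN\user2)
# and writes the members of GROUP to OUTFILE, one account name per line.
write_group_file() {
    group=$1
    out=$2
    tmp="$out.tmp.$$"
    awk -F: -v want="$group" '
        {
            name = $1
            sub(/^.*\\/, "", name)              # strip the "DOMAIN\" prefix
            if (tolower(name) != tolower(want)) next
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) {
                u = m[i]
                sub(/^.*\\/, "", u)
                # Only plain account names go into the ACL file; anything with
                # whitespace or quotes is reported instead of written.
                if (u ~ /^[A-Za-z0-9._$-]+$/) print u
                else print "skipped member: " u > "/dev/stderr"
            }
        }' | sort -u > "$tmp"
    # If the extraction failed or returned nothing, keep the previous list
    # rather than replacing it with an empty one.
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "no members found for $group; keeping existing $out" >&2
        return 1
    fi
    # Rename within the same directory so a reader never sees a partial file.
    mv "$tmp" "$out"
}

# Constructed sample input, not real domain data.
SAMPLE='EXAMPLE\group1:x:10001:EXAMPLE\alice,EXAMPLE\bob
EXAMPLE\group2:x:10002:EXAMPLE\carol,EXAMPLE\alice
EXAMPLE\group3:x:10003:'

demo_dir=$(mktemp -d)
printf '%s\n' "$SAMPLE" | write_group_file group1 "$demo_dir/group1" \
    && cat "$demo_dir/group1"
rm -rf "$demo_dir"
```

Squid reads these files when it loads its configuration, so a scheduled run of this step needs to be followed by a Squid reconfigure for membership changes to take effect.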