SquidGuard and Active Directory: how to deal with multiple groups?
Solved... partially. I had totally overlooked the fact that you can add another condition to the LDAP query... so it's quite easy to check for membership of more than one group.
Some caveats:
- It's still necessary to define a SquidGuard ACL for every possible combination of groups.
- You need to add at least two other directives to the SquidGuard configuration: ldapbinddn (which defines the username to use to connect to AD, and you have to use the DN of the user object here, not the plain username!) and ldapbindpass, which defines the user's password.
- SquidGuard needs to be compiled with LDAP support, which is not compiled in by default.
…but at least the actual groups in AD can be kept to a minimum.
Massimo
"Against stupidity, the Gods themselves fight in vain." https://www.linkedin.com/in/massimo-pascucci
Updated on September 17, 2022
Massimo over 1 year
I'm setting up SquidGuard (1.4) to validate users against an Active Directory domain and apply ACLs based on group membership; this is an example of my squidGuard.conf:
```
src AD_Group_A {
    ldapusersearch ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_A%2cdc=domain%2cdc=com))
}
src AD_Group_B {
    ldapusersearch ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_B%2cdc=domain%2cdc=com))
}
dest dest_a {
    domainlist dest_a/domains
    urllist dest_a/urls
    log dest_a.log
}
dest dest_b {
    domainlist dest_b/domains
    urllist dest_b/urls
    log dest_b.log
}
acl {
    AD_Group_A {
        pass dest_a !dest_b all
        redirect http://some.url
    }
    AD_Group_B {
        pass !dest_a dest_b all
        redirect http://some.url
    }
    default {
        pass !dest_a !dest_b all
        redirect http://some.url
    }
}
```
All works fine if a user is a member of Group_A OR Group_B. But if a user is a member of BOTH groups, only the first source rule is evaluated, thus applying only the first ACL.
I understand this is due to how source rule matching works in SquidGuard (if one rule matches, evaluation stops there and then the related ACL is applied); so I tried this, too:
```
src AD_Group_A_B {
    ldapusersearch ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_A%2cdc=domain%2cdc=com))
    ldapusersearch ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_B%2cdc=domain%2cdc=com))
}
acl {
    AD_Group_A_B {
        pass dest_a dest_b all
        redirect http://some.url
    }
    [...]
}
```
But this doesn't work either: if a user is a member of either one of those groups, the whole source rule is matched anyway, so he can reach both destinations (which is of course not what I want).
The only solution I found so far is creating a THIRD group in AD and assigning a source rule and an ACL to it; but this setup grows exponentially with more than two or three destination sets.
Is there any way to handle this better?