SquidGuard and Active Directory: how to deal with multiple groups?

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Posted by Massimo on Server Fault See other posts from Server Fault or by Massimo
Published on 2010-05-19T13:15:43Z Indexed on 2010/05/19 13:20 UTC
Read the original article Hit count: 544

Filed under:
|
|
|

I'm setting up SquidGuard (1.4) to validate users against an Active Directory domain and apply ACLs based on group membership; this is an example of my squidGuard.conf:

src AD_Group_A {
        ldapusersearch  ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_A%2cdc=domain%2cdc=com))
}

src AD_Group_B {
        ldapusersearch  ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_B%2cdc=domain%2cdc=com))
}

dest dest_a {
    domainlist  dest_a/domains
    urllist     dest_b/urls
    log     dest_a.log
}

dest dest_b {
    domainlist  dest_b/domains
    urllist     dest_b/urls
    log     dest_b.log
}

acl {
    AD_Group_A {
        pass    dest_a !dest_b all
        redirect http://some.url
    }

    AD_Group_B {
        pass    !dest_a dest_b all
        redirect http://some.url
    }

    default {
        pass    !dest_a !dest_b all
        redirect http://some.url
    }
}

All works fine if an user is member of Group_A OR Group_B. But if an user is member of BOTH groups, only the first source rule is evaluated, thus applying only the first ACL.

I understand this is due to how source rule matching works in SquidGuard (if one rule matches, evaluation stops there and then the related ACL is applied); so I tried this, too:

src AD_Group_A_B {
        ldapusersearch  ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_A%2cdc=domain%2cdc=com))
        ldapusersearch  ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_B%2cdc=domain%2cdc=com))
}

acl {
    AD_Group_A_B {
        pass    dest_a dest_b all
        redirect http://some.url
    }

    [...]
}

But this doesn't work, too: if an user is member of either one of those groups, the whole source rule is matched anyway, so he can reach both destinations (which is of course not what I want).

The only solution I found so far is creating a THIRD group in AD, and assign a source rule and an ACL to it; but this setup grows exponentially with more than two or three destination sets.

Is there any way to handle this better?

© Server Fault or respective owner

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Related posts about squidguard

Related posts about ldap

Categories cloud

.NET ASP.NET iphone linux python Windows mysql android sql windows-7 html c ruby-on-rails css objective-c ubuntu networking sql-server wpf asp.net-mvc ruby database Xml apache AJAX osx security regex django Performance 12.04 windows-xp mac web-development iphone-sdk vb.net Silverlight apache2 flash server perl best-practices email installation eclipse visual-studio algorithm windows-server-2008 winforms wcf firefox bash dns /Oracle