SquidGuard and Active Directory: how to deal with multiple groups?

Posted by Massimo on Server Fault
Published on 2010-05-19T13:15:43Z

I'm setting up SquidGuard (1.4) to validate users against an Active Directory domain and apply ACLs based on group membership; this is an example of my squidGuard.conf:

src AD_Group_A {
        ldapusersearch  ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_A%2cdc=domain%2cdc=com))
}

src AD_Group_B {
        ldapusersearch  ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_B%2cdc=domain%2cdc=com))
}

dest dest_a {
    domainlist  dest_a/domains
    urllist     dest_a/urls
    log     dest_a.log
}

dest dest_b {
    domainlist  dest_b/domains
    urllist     dest_b/urls
    log     dest_b.log
}

acl {
    AD_Group_A {
        pass    dest_a !dest_b all
        redirect http://some.url
    }

    AD_Group_B {
        pass    !dest_a dest_b all
        redirect http://some.url
    }

    default {
        pass    !dest_a !dest_b all
        redirect http://some.url
    }
}

All works fine if a user is a member of Group_A OR Group_B. But if a user is a member of BOTH groups, only the first source rule is evaluated, thus applying only the first ACL.

I understand this is due to how source rule matching works in SquidGuard (if one rule matches, evaluation stops there and then the related ACL is applied); so I tried this, too:

src AD_Group_A_B {
        ldapusersearch  ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_A%2cdc=domain%2cdc=com))
        ldapusersearch  ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_B%2cdc=domain%2cdc=com))
}

acl {
    AD_Group_A_B {
        pass    dest_a dest_b all
        redirect http://some.url
    }

    [...]
}

But this doesn't work either: if a user is a member of either one of those groups, the whole source rule is matched anyway, so he can reach both destinations (which is of course not what I want).

The only solution I found so far is creating a THIRD group in AD and assigning a source rule and an ACL to it; but this setup grows exponentially with more than two or three destination sets.

Is there any way to handle this better?

© Server Fault or respective owner
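One way to express the two-membership case without creating a third AD group, as an added example that is not part of Massimo's post: an LDAP search filter can AND several memberOf clauses, so a src block whose filter requires both Group_A and Group_B matches only users that are in both. Because squidGuard stops at the first matching source (the behaviour the question describes), that block has to come before the single-group blocks; the example assumes sources are tried in the order they appear in squidGuard.conf, and reuses the DC name, base DN, group DNs and dest names from the question (dest_a and dest_b are defined as above and are not repeated here). It does not remove the combinatorial growth the poster notes: every combination of groups that needs its own policy still needs its own src block and acl entry, but the AD side no longer has to change for each one.

```text
# Added example, not from the original post.
# squidGuard stops at the FIRST matching src, so the block whose filter
# requires both memberships must be declared before the single-group ones.

src AD_Group_A_and_B {
        # One AND filter with two memberOf clauses: true only for users
        # that are in Group_A AND Group_B. Commas inside the DN are
        # written as %2c, as in the question's own filters.
        ldapusersearch  ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_A%2cdc=domain%2cdc=com)(memberOf=cn=Group_B%2cdc=domain%2cdc=com))
}

src AD_Group_A {
        # Also matches dual members, but they were already caught above
        ldapusersearch  ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_A%2cdc=domain%2cdc=com))
}

src AD_Group_B {
        ldapusersearch  ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_B%2cdc=domain%2cdc=com))
}

# dest_a and dest_b as defined in the question

acl {
    # Listed first to mirror the src order: users in both groups may
    # reach both destination sets.
    AD_Group_A_and_B {
        pass    dest_a dest_b all
        redirect http://some.url
    }

    AD_Group_A {
        pass    dest_a !dest_b all
        redirect http://some.url
    }

    AD_Group_B {
        pass    !dest_a dest_b all
        redirect http://some.url
    }

    default {
        pass    !dest_a !dest_b all
        redirect http://some.url
    }
}
```

To see which source a given user actually lands in, squidGuard can be run by hand in debug mode and fed a request line in Squid's redirector format on standard input, for example `echo 'http://www.example.com/ 10.0.0.5/- jdoe GET' | squidGuard -c /etc/squid/squidGuard.conf -d` (the config path, client address, URL and user name here are assumed values); the debug output on stderr shows the matched source, and stdout carries the redirect URL, or an empty line when the request is passed through. Checking a dual member this way before and after reordering the src blocks makes the first-match behaviour visible directly.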
