I'm setting up SquidGuard (1.4) to validate users against an Active Directory domain and apply ACLs based on group membership; this is an example of my squidGuard.conf:
src AD_Group_A {
    ldapusersearch ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_A%2cdc=domain%2cdc=com))
}
src AD_Group_B {
    ldapusersearch ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_B%2cdc=domain%2cdc=com))
}
dest dest_a {
    domainlist dest_a/domains
    urllist dest_a/urls
    log dest_a.log
}
dest dest_b {
    domainlist dest_b/domains
    urllist dest_b/urls
    log dest_b.log
}
acl {
    AD_Group_A {
        pass dest_a !dest_b all
        redirect http://some.url
    }
    AD_Group_B {
        pass !dest_a dest_b all
        redirect http://some.url
    }
    default {
        pass !dest_a !dest_b all
        redirect http://some.url
    }
}
All works fine if a user is a member of Group_A OR Group_B. But if a user is a member of BOTH groups, only the first source rule is evaluated, so only the first ACL is applied.
I understand this is due to how source rule matching works in SquidGuard (if one rule matches, evaluation stops there and the related ACL is applied); so I tried this, too:
src AD_Group_A_B {
    ldapusersearch ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_A%2cdc=domain%2cdc=com))
    ldapusersearch ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_B%2cdc=domain%2cdc=com))
}
acl {
    AD_Group_A_B {
        pass dest_a dest_b all
        redirect http://some.url
    }
    [...]
}
But this doesn't work either: if a user is a member of either one of those groups, the whole source rule is matched anyway, so he can reach both destinations (which is of course not what I want).
The only solution I found so far is creating a THIRD group in AD and assigning a source rule and an ACL to it; but this setup grows exponentially with more than two or three destination sets.
Is there any way to handle this better?
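The following is an added example, not code from the original post or from squidGuard: a small Python simulation of the source-matching behaviour the question describes, so the three configurations above can be compared offline. It expands the ldapusersearch URLs from the post (RFC 4516 form, commas encoded as %2c, %s replaced by the user name), evaluates the filter against a constructed in-memory directory, tries the source blocks in order and uses the first one that matches, treating a block with several ldapusersearch lines as matched if any of them returns the user. The host name, the directory entries, the group DNs (including a constructed Group_AB standing in for the "third group"), the RFC 4515 escaping of the substituted user name, and the rule that an exhausted pass list blocks the request are all assumptions of the simulation, not something this post establishes about squidGuard 1.4 itself.

```python
# Added example (not from the original post or squidGuard): simulate squidGuard's
# first-match source selection for the configurations discussed in the question.
import re
from urllib.parse import unquote

# Constructed toy directory: DN -> attributes (attribute names lower-cased).
DIRECTORY = {
    "cn=alice,cn=users,dc=domain,dc=com": {
        "samaccountname": ["alice"],
        "memberof": ["cn=Group_A,dc=domain,dc=com"],
    },
    "cn=bob,cn=users,dc=domain,dc=com": {
        "samaccountname": ["bob"],
        "memberof": ["cn=Group_B,dc=domain,dc=com"],
    },
    "cn=carol,cn=users,dc=domain,dc=com": {   # member of BOTH groups
        "samaccountname": ["carol"],
        "memberof": ["cn=Group_A,dc=domain,dc=com",
                     "cn=Group_B,dc=domain,dc=com",
                     "cn=Group_AB,dc=domain,dc=com"],  # constructed "third group"
    },
}

BASE = "ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?"

def member_search(group_cn):
    """Build a ldapusersearch URL shaped like the ones in the question (commas as %2c)."""
    return BASE + "(&(sAMAccountName=%s)(memberOf=cn=" + group_cn + "%2cdc=domain%2cdc=com))"

def ldap_escape(value):
    """RFC 4515 escaping for a value substituted into a filter (assumption: done before %s)."""
    for ch, rep in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"), (")", "\\29"), ("\0", "\\00")):
        value = value.replace(ch, rep)
    return value

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(s, i=0):
    """Parse a filter limited to &, | and attr=value (enough for the config above).
    Returns (node, index just after the node)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while s[i] == "(":
            node, i = parse_filter(s, i)
            children.append(node)
        if s[i] != ")":
            raise ValueError("unterminated '%s' list at offset %d" % (op, i))
        return (op, children), i + 1
    end = s.index(")", i)          # escaped values never contain a raw ')'
    attr, _, value = s[i:end].partition("=")
    return ("=", attr.lower(), _unescape(value)), end + 1

def matches(node, attrs):
    if node[0] == "&":
        return all(matches(c, attrs) for c in node[1])
    if node[0] == "|":
        return any(matches(c, attrs) for c in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in attrs.get(attr, []))

def ldap_search(url, username):
    """Expand one ldapusersearch URL for a user and return the DNs it matches."""
    _, _, query = url.split("://", 1)[1].partition("/")   # host dropped: offline simulation
    base, _attrs, scope, filt = query.split("?", 3)
    if scope != "sub":
        raise NotImplementedError("only scope=sub is simulated")
    filt = unquote(filt).replace("%s", ldap_escape(username))  # %2c -> ',' then the user
    node, _ = parse_filter(filt)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and matches(node, attrs)]

def first_matching_source(sources, username):
    """First source block whose searches return the user wins; several
    ldapusersearch lines in one block behave as OR, as the question observed."""
    for name, searches in sources:
        if any(ldap_search(url, username) for url in searches):
            return name
    return "default"

def passes(pass_rule, category):
    """Evaluate a 'pass' list left to right; the first term naming the category
    (or 'all') decides. Assumption: an exhausted list blocks the request."""
    for term in pass_rule.split():
        if term == "all":
            return True
        if term.lstrip("!") == category:
            return not term.startswith("!")
    return False

def decide(sources, acl, username, category):
    """Return (source block used, allowed?) for one user and destination category."""
    src = first_matching_source(sources, username)
    return src, passes(acl[src], category)

# The question's first configuration.
SOURCES_ORIGINAL = [("AD_Group_A", [member_search("Group_A")]),
                    ("AD_Group_B", [member_search("Group_B")])]
ACL_ORIGINAL = {"AD_Group_A": "dest_a !dest_b all",
                "AD_Group_B": "!dest_a dest_b all",
                "default": "!dest_a !dest_b all"}
# The "third AD group" workaround: the combined block must come FIRST, otherwise
# first-match hands members of both groups to AD_Group_A exactly as before.
SOURCES_THIRD_GROUP = [("AD_Group_AB", [member_search("Group_AB")])] + SOURCES_ORIGINAL
ACL_THIRD_GROUP = dict(ACL_ORIGINAL, AD_Group_AB="dest_a dest_b all")
# The question's second attempt: two ldapusersearch lines in one block act as OR.
SOURCES_OR = [("AD_Group_A_B", [member_search("Group_A"), member_search("Group_B")])]
ACL_OR = {"AD_Group_A_B": "dest_a dest_b all", "default": "!dest_a !dest_b all"}

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        for cat in ("dest_a", "dest_b"):
            print(user, cat, decide(SOURCES_ORIGINAL, ACL_ORIGINAL, user, cat),
                  decide(SOURCES_THIRD_GROUP, ACL_THIRD_GROUP, user, cat))
```

Running it shows carol (in both groups) landing in AD_Group_A and being blocked from dest_b under the original configuration, reaching both under the third-group configuration only because AD_Group_AB is listed before the single-group blocks, and alice (Group_A only) reaching dest_b under the two-line AD_Group_A_B block, which is the over-broad result the question describes. The ldap_escape step is there because the %s is spliced straight into an LDAP filter; whether squidGuard escapes it itself is not something this post shows, so it is worth checking before trusting user-supplied names in that position.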