I'm configuring a Linux proxy with Squid and SquidGuard to filter Internet traffic.
I know how to authenticate users against Active Directory in Squid, and then how to filter access for users using SquidGuard.
The question: how to use Active Directory groups in SquidGuard instead of plain user names?
My goal is to be able to configure rules like "members of this group can go anywhere" or "members of this group can only visit certain sites".
I know SquidGuard can't manage group membership directly, but it can do LDAP searches on its own; however, the syntax to look up whether a user is a member of a given group seems to be quite cryptic, and I couldn't find any good documentation around.
Best Answer
Solved.
Assuming the following:
The query for checking if the user is member of that group would be:
So you would have to add the following to squidGuard.conf to identify the members of that group ("%s" is squidGuard.conf's placeholder for "the client's user name"):
Caveat: it will not work if written as above, giving you a laconic "syntax error" message; this is because (part of) the statement is treated like a URL, so you have to escape special characters such as commas and whitespaces; the correct form would thus be this one:
Also, in order to avoid problems with Active Directory referrals (sometimes a DC will just redirect you to another one, even if you are on the same domain it manages), it might be useful to query a global catalog:
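The steps described in the answer (a membership filter with the "%s" placeholder, URL-escaping of commas and spaces so squidGuard does not report "syntax error", and switching to the global catalog port to avoid referrals) can be assembled mechanically. The following is an added example, not code from the original answer or from the squidGuard project; the domain `example.local`, the host `dc01.example.local`, the group `CN=Proxy Full,OU=Groups,DC=example,DC=local` and the bind account are assumptions chosen for illustration. It renders a complete `src` block for `squidGuard.conf` and, beside it, the equivalent `ldapsearch` command line with the raw (unescaped) filter for testing the membership query by hand.

```python
"""
Map an Active Directory group to a squidGuard ``src`` via ldapusersearch.

Added example, not code from the original question or answer. The domain,
host names, group and bind account used by the caller are assumptions.
"""
from urllib.parse import quote

# squidGuard parses the ldapusersearch value as an LDAP URL, so commas and
# spaces in DNs must be percent-encoded or the config parser reports
# "syntax error".  '%' is left raw so the "%s" user-name placeholder survives
# the encoding (assumption: no literal '%' appears in your DNs).
_URL_SAFE = "%()=&|!*"

AD_PORT = 389    # plain domain controller
GC_PORT = 3268   # global catalog; sidesteps cross-DC referrals


def url_escape(fragment: str) -> str:
    """Percent-encode a DN or filter fragment for use inside an LDAP URL."""
    return quote(fragment, safe=_URL_SAFE)


def membership_filter(group_dn: str) -> str:
    """LDAP filter matching user %s only if memberOf names the given group."""
    return "(&(sAMAccountName=%s)(memberOf=" + group_dn + "))"


def ldapusersearch_url(host: str, base_dn: str, group_dn: str,
                       global_catalog: bool = False) -> str:
    """Escaped ldap://host:port/base?attr?scope?filter URL for squidGuard."""
    port = GC_PORT if global_catalog else AD_PORT
    return "ldap://%s:%d/%s?sAMAccountName?sub?%s" % (
        host, port, url_escape(base_dn), url_escape(membership_filter(group_dn)))


def squidguard_src(name: str, host: str, base_dn: str, group_dn: str,
                   bind_dn: str, bind_pass: str,
                   global_catalog: bool = False) -> str:
    """Render a complete squidGuard.conf src block for one AD group."""
    search = ldapusersearch_url(host, base_dn, group_dn, global_catalog)
    return (
        f"src {name} {{\n"
        f"    ldapbinddn   {bind_dn}\n"
        f"    ldapbindpass {bind_pass}\n"
        f"    ldapusersearch {search}\n"
        f"}}\n"
    )


def ldapsearch_argv(host: str, base_dn: str, bind_dn: str, bind_pass: str,
                    group_dn: str, user: str,
                    global_catalog: bool = False) -> list:
    """ldapsearch command to test the same filter by hand.  The filter is
    passed raw here: it goes to the LDAP library, not through a URL parser,
    so no percent-escaping is wanted."""
    port = GC_PORT if global_catalog else AD_PORT
    return ["ldapsearch", "-x", "-LLL",
            "-H", f"ldap://{host}:{port}",
            "-D", bind_dn, "-w", bind_pass,
            "-b", base_dn,
            membership_filter(group_dn).replace("%s", user),
            "sAMAccountName"]


if __name__ == "__main__":
    # Constructed sample values (assumptions, not taken from the answer).
    host = "dc01.example.local"
    base = "DC=example,DC=local"
    group = "CN=Proxy Full,OU=Groups,DC=example,DC=local"
    bind = "CN=squid,OU=Service Accounts,DC=example,DC=local"
    print(squidguard_src("proxy_full", host, base, group, bind, "secret"))
    print(squidguard_src("proxy_full_gc", host, base, group, bind, "secret",
                         global_catalog=True))
    print(" ".join(ldapsearch_argv(host, base, bind, "secret", group, "jdoe")))
```

Drop the rendered `src` block into `squidGuard.conf` and reference its name from the `acl` section; run the printed `ldapsearch` line first, because if it returns no entry for a known member the problem is the filter or the bind account, not squidGuard's escaping.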