Ldap – SquidGuard and Active Directory: how to deal with multiple groups


I'm setting up SquidGuard (1.4) to validate users against an Active Directory domain and apply ACLs based on group membership; this is an example of my squidGuard.conf:

src AD_Group_A {
        ldapusersearch  ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_A%2cdc=domain%2cdc=com))
}

src AD_Group_B {
        ldapusersearch  ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_B%2cdc=domain%2cdc=com))
}

dest dest_a {
    domainlist  dest_a/domains
    urllist     dest_a/urls
    log     dest_a.log
}

dest dest_b {
    domainlist  dest_b/domains
    urllist     dest_b/urls
    log     dest_b.log
}

acl {
    AD_Group_A {
        pass    dest_a !dest_b all
        redirect http://some.url
    }

    AD_Group_B {
        pass    !dest_a dest_b all
        redirect http://some.url
    }

    default {
        pass    !dest_a !dest_b all
        redirect http://some.url
    }
}

All works fine if a user is a member of Group_A OR Group_B. But if a user is a member of BOTH groups, only the first source rule is evaluated, thus applying only the first ACL.

I understand this is due to how source rule matching works in SquidGuard (if one rule matches, evaluation stops there and then the related ACL is applied); so I tried this, too:

src AD_Group_A_B {
        ldapusersearch  ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_A%2cdc=domain%2cdc=com))
        ldapusersearch  ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_B%2cdc=domain%2cdc=com))
}

acl {
    AD_Group_A_B {
        pass    dest_a dest_b all
        redirect http://some.url
    }
}


But this doesn't work either: if a user is a member of either of those groups, the whole source rule is matched anyway, so he can reach both destinations (which is of course not what I want).

The only solution I found so far is creating a THIRD group in AD and assigning a source rule and an ACL to it; but this setup grows exponentially with more than two or three destination sets.

Is there any way to handle this better?

Best Answer

Solved... partially. I had totally overlooked the fact that you can add another condition to the LDAP query... so it's quite easy to check for membership of more than one group.

Some caveats:

  • It's still necessary to define a SquidGuard ACL for every possible combination of groups
  • You need to add at least two other directives to the SquidGuard configuration: ldapbinddn (which defines the username to use to connect to AD, and you have to use the DN of the user object here, not the plain username!) and ldapbindpass, which defines the user's password.
  • SquidGuard needs to be compiled with LDAP support, which is not compiled in by default.

…but at least the actual groups in AD can be kept to a minimum.
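The configuration the answer describes, written out as an added example (not the original poster's or the answerer's config): each combination of the two groups from the question gets its own LDAP filter, with the "both groups" filter built by putting two memberOf conditions inside one AND and the "only one group" filters excluding the other group with a NOT clause, plus the ldapbinddn/ldapbindpass directives the answer says are required. The bind DN, the bind password placeholder, the source and destination names and the list file paths are assumed values.

```conf
# Added example, not the config from the question or the answer.
# Assumed: a dedicated read-only service account "squidguard" in cn=Users,
# the same DC, base DN and group DNs as in the question, and the list
# directories dest_a/ and dest_b/ under the squidGuard database directory.

# Bind with the full DN of the service account, not its sAMAccountName.
# The password sits in this file in clear text, so keep the file readable
# only by the user squidGuard runs as, and give the account no rights
# beyond reading group membership.
ldapbinddn   cn=squidguard,cn=Users,dc=domain,dc=com
ldapbindpass REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD

# Member of BOTH groups: two memberOf conditions inside the same (&...).
src AD_Group_A_and_B {
        ldapusersearch  ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_A%2cdc=domain%2cdc=com)(memberOf=cn=Group_B%2cdc=domain%2cdc=com))
}

# Member of Group_A ONLY: require Group_A and exclude Group_B with (!...).
src AD_Group_A_only {
        ldapusersearch  ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_A%2cdc=domain%2cdc=com)(!(memberOf=cn=Group_B%2cdc=domain%2cdc=com)))
}

# Member of Group_B ONLY: the mirror image of the rule above.
src AD_Group_B_only {
        ldapusersearch  ldap://my.dc.name/dc=domain,dc=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=Group_B%2cdc=domain%2cdc=com)(!(memberOf=cn=Group_A%2cdc=domain%2cdc=com)))
}

dest dest_a {
    domainlist  dest_a/domains
    urllist     dest_a/urls
    log     dest_a.log
}

dest dest_b {
    domainlist  dest_b/domains
    urllist     dest_b/urls
    log     dest_b.log
}

acl {
    # Most specific source first: squidGuard stops at the first matching
    # source, so the two-group rule must precede the single-group rules.
    AD_Group_A_and_B {
        pass    dest_a dest_b all
        redirect http://some.url
    }

    AD_Group_A_only {
        pass    dest_a !dest_b all
        redirect http://some.url
    }

    AD_Group_B_only {
        pass    !dest_a dest_b all
        redirect http://some.url
    }

    default {
        pass    !dest_a !dest_b all
        redirect http://some.url
    }
}
```

Because the three filters are mutually exclusive, the result no longer depends on the order of the sources in the acl block; the first-match behaviour described in the question would also give the right answer if the "only" filters dropped their NOT clauses and the two-group source simply came first, but the explicit negation makes each rule's intent readable on its own and survives someone reordering the acl block later. Two caveats worth knowing when auditing such a setup: memberOf in Active Directory lists direct membership only, so a user who is in Group_A through a nested group will not match these filters (the LDAP_MATCHING_RULE_IN_CHAIN matching rule, OID 1.2.840.113556.1.4.1941, is the usual way to get transitive membership in an AD filter), and a plain ldap:// URL sends the bind credentials in clear text between the proxy and the domain controller, so the service account should be read-only and its password treated as disposable.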