I'm using Squid as a non-transparent proxy to authenticate (and database) user access to web sites in production and it works very well.
I'm running it on Win32, so the integration with Active Directory has been pretty painless. As such, I can't speak to the relative merits of WinBind versus LDAP.
The "bypass" functionality that you're looking for re: anonymous users having access to some sites is documented in the Squid wiki. I haven't tried the configuration example there on a real Squid instance. After reading the first sample configuration I'd say that it should work "as advertised". It looks like the trick (since Squid parses ACLs top-to-bottom, bailing out after the first ACL it finds that satisfies the request) is to put the anonymous access ACLs before any ACLs that depend on authentication.
Solved.
Assuming the following:
- Domain name: "domain.com"
- Group name: "Internet Users"
- User name: "UserName"
- Path to group: "domain.com\OU1\OU2\Internet Users"
The query for checking if the user is member of that group would be:
(&(memberOf=CN=Internet Users,OU=OU2,OU=OU1,DC=domain,DC=com)(SAMAccountName=UserName))
So you would have to add the following to squidGuard.conf to identify the members of that group ("%s" is squidGuard.conf's placeholder for "the client's user name"):
src Internet_Users {
    ldapusersearch ldap://dc.domain.com/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet Users,OU=OU2,OU=OU1,DC=domain,DC=com))
}
Caveat: it will not work if written as above, giving you a laconic "syntax error" message; this is because (part of) the statement is treated like a URL, so you have to escape special characters such as commas and spaces; the correct form would thus be this one:
src Internet_Users {
    ldapusersearch ldap://dc.domain.com/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet%20Users%2cOU=OU2%2cOU=OU1%2cDC=domain%2cDC=com))
}
Also, in order to avoid problems with Active Directory referrals (sometimes a DC will just redirect you to another one, even if you are on the same domain it manages), it might be useful to query a global catalog:
src Internet_Users {
    ldapusersearch ldap://gc.domain.com:3268/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=Internet%20Users%2cOU=OU2%2cOU=OU1%2cDC=domain%2cDC=com))
}
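The answer above does three transformations by hand: the AD path "domain.com\OU1\OU2\Internet Users" becomes a group DN, the DN goes into an LDAP filter, and the filter is percent-encoded so squidGuard does not choke on commas and spaces. The script below is an added example (not code from the answer or from squidGuard) that performs the same steps and reproduces the answer's escaped `ldapusersearch` lines exactly. It also handles the case the answer does not need but a hardened deployment might: a group name containing DN or filter metacharacters such as `,`, `(` or `)`, which must be escaped per RFC 4514 (DN) and RFC 4515 (filter) before the URL step, or the membership check silently matches nothing. The host names `dc.domain.com` / `gc.domain.com`, port 3268 and the group path are the answer's own assumptions; the second group name, "Sales (EMEA), Ltd", is constructed for the demo.

```python
"""Build a squidGuard ``ldapusersearch`` URL for an Active Directory group.

Added example, not code from the original thread or from squidGuard.
Pipeline: canonical AD path -> group DN (RFC 4514) -> LDAP filter
(RFC 4515) -> percent-encoded URL as squidGuard's parser expects.
"""
from typing import Optional

# RFC 4514 section 2.4: characters that need a backslash inside an RDN value.
_DN_SPECIAL = ',+"\\<>;'

# RFC 4515: characters that must be hex-escaped inside a filter assertion value.
_FILTER_SPECIAL = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_rdn_value(value: str) -> str:
    """Backslash-escape one attribute value for use in a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        leading = i == 0 and ch in ' #'
        trailing = i == last and ch == ' '
        out.append('\\' + ch if ch in _DN_SPECIAL or leading or trailing else ch)
    return ''.join(out)


def escape_filter_value(value: str) -> str:
    """Hex-escape a value placed inside an LDAP search filter (RFC 4515)."""
    return ''.join(_FILTER_SPECIAL.get(ch, ch) for ch in value)


def domain_to_base_dn(domain: str) -> str:
    """'domain.com' -> 'DC=domain,DC=com'."""
    return ','.join('DC=' + escape_rdn_value(label) for label in domain.split('.'))


def canonical_path_to_dn(path: str) -> str:
    """Turn an AD canonical path (backslash separated, as written in the answer)
    into a DN, most specific RDN first: the leaf becomes CN, containers become
    OUs in reverse order, the domain becomes DC components."""
    domain, *containers = path.split('\\')
    if not containers:
        raise ValueError('path must contain at least the object name')
    *ous, leaf = containers
    rdns = ['CN=' + escape_rdn_value(leaf)]
    rdns += ['OU=' + escape_rdn_value(ou) for ou in reversed(ous)]
    return ','.join(rdns) + ',' + domain_to_base_dn(domain)


def build_filter(group_dn: str, user_placeholder: str = '%s') -> str:
    """AND of the client's user name and membership in the group.
    '%s' is kept verbatim: squidGuard substitutes the user name at lookup time."""
    return '(&(sAMAccountName={})(memberOf={}))'.format(
        user_placeholder, escape_filter_value(group_dn))


def url_escape_filter(filter_text: str) -> str:
    """Percent-encode the characters the answer says squidGuard trips over
    (spaces and commas), with lowercase hex to match its example.
    '%' itself is left alone so the '%s' placeholder survives."""
    return ''.join('%{:02x}'.format(ord(ch)) if ch in ' ,' else ch
                   for ch in filter_text)


def ldap_search_url(host: str, base_dn: str, group_dn: str,
                    port: Optional[int] = None) -> str:
    """Assemble ldap://host[:port]/base?attr?scope?filter. Only the filter part
    is percent-encoded, as in the answer; the base DN keeps its commas."""
    authority = host if port is None else '{}:{}'.format(host, port)
    return 'ldap://{}/{}?sAMAccountName?sub?{}'.format(
        authority, base_dn, url_escape_filter(build_filter(group_dn)))


def squidguard_src_block(name: str, url: str) -> str:
    """Render a squidGuard.conf 'src' block around the search URL."""
    return 'src {} {{\n    ldapusersearch {}\n}}\n'.format(name, url)


if __name__ == '__main__':
    # The answer's assumed group, reproduced step by step.
    group_dn = canonical_path_to_dn('domain.com\\OU1\\OU2\\Internet Users')
    base = domain_to_base_dn('domain.com')
    print(squidguard_src_block('Internet_Users', ldap_search_url('dc.domain.com', base, group_dn)))
    # Global-catalog variant to sidestep referrals, as the answer suggests.
    print(squidguard_src_block('Internet_Users',
                               ldap_search_url('gc.domain.com', base, group_dn, port=3268)))
    # Constructed group name with metacharacters: shows the two escaping layers
    # (DN backslash, then filter hex) that the hand-written form would miss.
    odd_dn = canonical_path_to_dn('domain.com\\OU1\\Sales (EMEA), Ltd')
    print(odd_dn)
    print(ldap_search_url('dc.domain.com', base, odd_dn))
```

Run it once and paste the printed `src` block into squidGuard.conf; if you later rename or move the group, regenerate rather than editing the percent-encoded string by hand, since a single unescaped comma in the DN produces the same "syntax error" the answer describes.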
Best Answer
This depends on what you're authenticating against. For example, I once got squid to authenticate against a Mac OS X Open Directory server (effectively LDAP).
A few tips to get you started:
Hope that helps!