Squidguard Group ACL LDAP Client Source cache refresh

  • I'm running pfSense 2.1 release using squidgaurd for squid3 and obviously, squid3.

    I have setup squid to use LDAP as an AD account authentication only - proof of account only.

    Squidguard further identifies the user with an ldapsearch in Group ACLs. Each ACL is tied to a separate AD Security Group for each of the Group ACLs in Squidguard. The authentication is all working fine.

    After a user authenticates to Squid3, the url is sent to Squidguard for processing as normal. Squidguard tests the url against the GROUP ACLs until it finds a matching group by LDAP AD Group membership. If the user is a member of that group the rules of the group are applied, the url is allowed or denied, and the process finishes. Excellent Smithers.

    Where the first match of a group by LDAP AD membership occurs and the requested URL is not allowed, the process does not continue to check further Group ACLs to find other groups the user may be a member of, and thus the user is blocked from content that the user would have been allowed. Being a member of another group that is allowed to access the content wont work if the user is a member of a group that is lower in the list of Group ACLs that has less rights.

    This is not a case of the order of rules in Group ACLs, but a problem of ACLs failing out before completing a full run of the Group ACLs.

    I'm interested to know if it is at all possible to achieve what I am trying to do using Squidguard, or even rewriting some code somewhere.

    Another question…Is it possible to cause a timeout on the cache of Client Group that forces LDAP Groups to be rechecked on next url request?

  • I apologize if this is my first post, but I am also having problems with SquidGuard + AD with users having multiple groups.


    **SquidGuard Common ACL: Deny all

    SquidGuard Group ACLs:
        - Only Facebook is allowed, the rest blocked.
        - Only company email is allowed, the rest blocked.

    AD Groups:

    AD Users:
        memberOf: FB_InternetAccess
        memberOf: FB_InternetAccess and Email_InternetAccess**

    If JohnDoe opens facebook.com and auth is success, the site loads fine. If SamSmith opens facebook.com, it will load fine, but opening his company email will not be allowed.

    Checking the SG blocked logs seems to point that SG will do a first-match-forget-all basis. It would not check if the user still has other groups that will match other Groups ACLs. If this is not possible, please let me know. Any help would be greatly appreciated. TIA!

Log in to reply