Добрый день! Настроил Squid для авторизации в AD. Конфиг ниже.
---------------------------------------
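# --- Authentication against Active Directory through Samba winbind (ntlm_auth) ---
# NTLM gives domain-joined Windows clients single sign-on. Five helper
# processes is modest for a /24 of users; raise it if cache.log starts
# reporting helper queue overloads.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param ntlm keep_alive off
# Basic fallback for clients that cannot do NTLM. SECURITY: Basic sends the
# user's domain password base64-encoded (i.e. effectively in cleartext) on
# every request, so it is only acceptable on a trusted LAN and the proxy
# port must stay unreachable from anything outside from_our_networks.
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Squid proxy-caching web server
auth_param basic credentialsttl 2 hours
auth_param basic casesensitive off
# Matches any request that carries valid domain credentials.
acl authenticated proxy_auth REQUIRED
icp_port 0
acl all src 0.0.0.0/0.0.0.0
acl localhost src 127.0.0.1/32
acl from_our_networks src 192.168.0.0/24
# Never cache dynamic (cgi-bin / query-string) responses.
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
cache_mem 500 MB
maximum_object_size 64 MB
visible_hostname proxy
# AD group lookup via winbind. %LOGIN is the username the auth helper
# returned; results are cached per user for 60 s.
external_acl_type nt_group ttl=60 %LOGIN /usr/lib64/squid/wbinfo_group.pl
# Members of the AD group "internet".
acl inet_full1 external nt_group internet
# ACLs on one http_access line are evaluated left to right and stop at the
# first one that does not match, so test the source network FIRST: a client
# outside the LAN is refused outright instead of being sent a 407 challenge
# (no auth-helper work spent on it, no credentials solicited from an
# untrusted network).
http_access allow from_our_networks authenticated inet_full1
# Explicit default deny. Squid's implicit default is the opposite of the
# last http_access line (which is already "deny" here), but stating it keeps
# a later added "allow" line from silently opening the proxy.
http_access deny all
cache_mgr admins@domain.local
error_directory /usr/share/squid/errors/Russian-1251
# Tuning
dns_timeout 2 minutes
positive_dns_ttl 8 hours
negative_dns_ttl 1 minute
negative_ttl 5 minutes
request_timeout 2 minutes
client_lifetime 8 hours
authenticate_ttl 6 hour
half_closed_clients off
client_db off
balance_on_multiple_ip off
relaxed_header_parser on
collapsed_forwarding on
# NOTE(review): minimum_object_size (20 Gb) is larger than
# maximum_object_size (64 MB), so no object is ever cached. "20 KB" was
# probably intended; left unchanged because the intended value is not known.
minimum_object_size 20 Gb
access_log /var/log/squid/access.log squid
append_domain .domain.local
# Redirector (Squid 2.x directive; in Squid 3 it is url_rewrite_program).
# squidGuard's option for the configuration file is lowercase -c; uppercase
# -C means "convert the named list file into a .db and exit", so with -C
# squidGuard never ran as a redirector and nothing was filtered.
# Squid hands the redirector "URL client_ip/fqdn username method"; the
# username is exactly what the auth helper returned (possibly DOMAIN\user
# or DOMAIN+user depending on winbind's separator settings) and is what
# squidGuard substitutes for %s in its ldapusersearch — check the user
# field in access.log when an LDAP-based src block does not match.
redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf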
---------------------------------------
Каким образом можно корректно передать дальнейшую обработку AD-группы internet в squidGuard, чтобы уже там задать список заблокированных ресурсов?
squidGuard собран с поддержкой LDAP. Проверка конфига (запуск с ключом -d) проходит.
В конфиг squidGuard (ниже) добавил src для AD-группы internet, но сайты из списка ads всё равно доступны.
---------------------------------------
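# Blacklist and log locations. squidGuard runs as Squid's effective user,
# which must be able to read dbhome and WRITE logdir; if either fails it
# enters "emergency mode" and passes every request unfiltered. Look for
# "going into emergency mode" in logdir/squidGuard.log before anything else.
dbhome /var/lib/squidguard
logdir /var/log/squidguard
# Service account used for the group-membership lookups below.
# SECURITY: the bind password is stored here in cleartext — keep this file
# readable only by root and the squid user (0640 root:squid) and give the
# account nothing beyond read access to the directory.
ldapbinddn cn=ldap,ou=Service,dc=domain,dc=local
ldapbindpass password
# Cache positive lookups for 5 minutes so every request does not hit the DC.
ldapcachetime 300
ldapprotover 3
time workhours {
weekly mtwhf 08:00 - 16:30
date *-*-01 08:00 - 16:30
}
rew dmz {
}
# NOTE(review): admin, foo-clients and bar-clients are left over from the
# sample squidGuard.conf (1.2.3.4, 172.16.x.x). "admin" grants "pass any"
# to those addresses and to users named root/foo/bar; drop the blocks that
# do not describe this network rather than leave unexplained exemptions.
src admin {
ip 1.2.3.4 1.2.3.5
user root foo bar
within workhours
}
src foo-clients {
ip 172.16.2.32-172.16.2.100 172.16.2.100 172.16.2.200
}
src bar-clients {
ip 172.16.4.0/26
}
# AD group "internet". Active Directory does not expose posixGroup/memberUid
# (that is the OpenLDAP sample); user objects carry sAMAccountName and a
# memberOf attribute, so search for the user object itself constrained to
# the group DN. The block matches when the search returns at least one
# entry. memberOf only reflects direct membership, not nested groups.
# %s is the username Squid passes with the request (what the auth helper
# returned). With NTLM via winbind that may be "DOMAIN\user" or
# "DOMAIN+user", which will not equal the sAMAccountName and the filter
# will not match — verify the user field in Squid's access.log; winbind's
# "use default domain = yes" makes it the bare account name.
src internet {
ldapusersearch ldap://192.168.0.1/dc=domain,dc=local?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=cn=internet,ou=Service,dc=domain,dc=local))
}
#
# DESTINATION CLASSES:
#
dest good {
}
dest local {
}
# The redirect targets below are the sample's admin.foo.bar.de and pass the
# client address and URL as query parameters; point them at an internal
# block page so that information is not sent to a third-party host.
dest ads {
domainlist ads/domains
urllist ads/urls
expressionlist ads/expressions
redirect http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clien...
}
dest adult {
domainlist adult/domains
urllist adult/urls
redirect http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clien...
}
# Source blocks are tried in the order listed and the first match wins, so
# an "internet" member coming from a bar-clients address gets the
# bar-clients policy, not this one.
acl {
admin {
pass any
}
foo-clients within workhours {
pass good !in-addr !adult any
} else {
pass any
}
bar-clients {
pass local none
}
# Members of the AD group: everything except the ads lists.
internet {
pass !ads any
}
# Anyone else: "local" is empty, so this blocks everything (fail-closed),
# which matches the Squid side only admitting the "internet" group.
default {
pass local none
rewrite dmz
redirect http://admin.foo.bar.de/cgi/blocked?clientaddr=%a+clien...
}
}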
---------------------------------------
Заранее спасибо.