Internet usage based on AD group membership
I was looking for a way to block internet usage for students in a class. As all students are members of Active Directory groups that correspond to the classes they belong to, I decided to deny internet usage to users who are members of a certain group, e.g. internetDenied.
Prerequisites
AD proxy-authentication: see this post
Setting an external ACL program
This is done by adding a directive to /etc/squid/squid.conf. Look for the tag external_acl_type and add this line:
external_acl_type nt_group ttl=10 children=5 %LOGIN /usr/lib/squid/wbinfo_group.pl
- nt_group: the name we give this external ACL type so we can refer to it in our ACLs
- ttl: how long, in seconds, the helper's results are cached. Set this to a low number if there is a good chance the group membership will change often or if a quick response to changes is needed
- children: the number of wbinfo_group.pl helper processes Squid spawns; set this according to your system resources and the number of requests
- %LOGIN: a format token that passes the authenticated username to the helper
- /usr/lib/…: the path of the ACL helper program to use
Deny internet usage
First, add an ACL to /etc/squid/squid.conf:
acl noInternet external nt_group internetDenied
- noInternet: the name I gave this ACL
- nt_group: the name of the external ACL type defined above
- internetDenied: the name of the AD group
Now I have to add an access restriction. In my previous post I added a rule to allow all authenticated users:
acl AuthorizedUsers proxy_auth REQUIRED
http_access allow all AuthorizedUsers
Basically, what I want is to allow everyone internet usage EXCEPT users who are members of the group internetDenied. So I added the following line:
http_access deny noInternet
But be careful here: the deny rule has to be inserted above the allow rule, because Squid stops at the first http_access line that matches.
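To see why the order matters, here is a small model of how Squid evaluates http_access lines, added as an illustration; it is not part of Squid or of the original post. Each line's ACLs are ANDed, the first matching line decides, and when nothing matches the result is the opposite of the last line. The user/group table is constructed sample data, and the in-memory group lookup stands in for the OK/ERR answers wbinfo_group.pl would give for the nt_group helper.

```python
"""Model of Squid http_access evaluation for the ACLs used in this post.
Illustrative code only (not Squid's own logic): AD_GROUPS is constructed
sample data and acl_matches() stands in for the winbind helper."""

# Constructed sample AD group membership (winbind would answer this in reality).
AD_GROUPS = {
    "alice": {"students", "class3a"},
    "bob": {"students", "class3b", "internetDenied"},
}

# ACL definitions from the post: name -> (type, argument)
ACLS = {
    "AuthorizedUsers": ("proxy_auth", "REQUIRED"),
    "noInternet": ("external", "internetDenied"),  # acl noInternet external nt_group internetDenied
    "all": ("all", None),
}


def acl_matches(name, ctx):
    """True if the named ACL matches the request context {"user": <name>}."""
    kind, arg = ACLS[name]
    if kind == "all":
        return True
    if kind == "proxy_auth":
        # REQUIRED matches any successfully authenticated user
        return ctx["user"] is not None
    if kind == "external":
        # stand-in for the nt_group helper: OK iff the user is in the AD group
        user = ctx["user"]
        return user is not None and arg in AD_GROUPS.get(user, set())
    raise ValueError(f"unknown acl type {kind}")


def http_access(rules, ctx):
    """Evaluate http_access lines Squid-style: every ACL on a line must match
    ('!' negates one ACL); the first matching line decides; if no line matches,
    the result is the opposite of the last line's action."""
    for action, acl_names in rules:
        if all(acl_matches(n.lstrip("!"), ctx) != n.startswith("!") for n in acl_names):
            return action
    last_action = rules[-1][0]
    return "deny" if last_action == "allow" else "allow"


def parse_http_access(conf_text):
    """Extract (action, [acl names]) from http_access lines in a squid.conf fragment."""
    rules = []
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3 and parts[0] == "http_access":
            rules.append((parts[1], parts[2:]))
    return rules


# Wrong order: the allow line matches every authenticated user first,
# so the deny line below it is never reached.
WRONG_ORDER = """
http_access allow all AuthorizedUsers
http_access deny noInternet
"""

# Order recommended in the post: deny the group, then allow authenticated users.
RIGHT_ORDER = """
http_access deny noInternet
http_access allow all AuthorizedUsers
"""


def decision(conf_text, user):
    """Return "allow" or "deny" for an authenticated user under the given config."""
    return http_access(parse_http_access(conf_text), {"user": user})


if __name__ == "__main__":
    for label, conf in (("wrong", WRONG_ORDER), ("right", RIGHT_ORDER)):
        for user in ("alice", "bob"):
            print(f"{label} order, user={user}: {decision(conf, user)}")
```

With the allow line first, bob (a member of internetDenied) is still allowed; with the deny line first he is denied while alice is unaffected. The model only covers already-authenticated users; it does not simulate the 407 challenge Squid sends when proxy_auth has no credentials yet.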
References
http://www.papercut.com/kb/Main/ConfiguringSquidProxyToAuthenticateWithActiveDirectory
http://www.flatmtn.com/article/setting-squid-ntlm-auth
June 7, 2010 at 10:42 am