SQUID + Active Directory

Gabriel Gonzalez — Mon, 21 Sep 2009 10:59:54 +0000

A few post ago I wrote about integrating SQUID and Active Directory in order to allow/deny users to access specific webpages depeding on the groups a user belongs.

The windows package of Squid comes with several external programs which can be used as external ACLs which allow you to query the local Active Directory in order to obtain access or not. The one dealing with users and groups is called mswin_check_ad_group.exe which, as all the external ACLs, reads the standard input looking for a user and a group and return whether the user belongs to the given group.

This is fine and pretty straight forward it has a PROBLEM, it only works with Groups with scope set to “Domain Local”; which turn into a drawback when your users belong to Groups with Global Scope. I haven’t found any documentation explaining how to achive this so I have created a simple external ACL to peform this task in python.

You only need to download pywin32 and the active directory plugin for python. After installing just use the following code, which will return OK IFF the user belongs to the given group (non matter which scope):

import os, subprocess, sys, re
import active_directory
while (1) :
squid = sys.stdin.readline()
if len(squid) == 0:
break
m = re.search(‘(?<=%5C)\w+’, squid);
username = m.group(0)
m = re.search(‘(?<= )[\w\.]+’, squid);
checkgroup = m.group(0)
ret = "ERR";
user = active_directory.find_user(username);
for group in user.memberOf:
if (cmp(group.cn, checkgroup) == 0):
ret = "OK"
break
print ret + "\r\n";
sys.stdout.flush()

I am new to the Python world so, for sure, this little thing can be improved, feel free to comment anything.

Mostly Software Engineering » SQUID

SQUID + Active Directory