SQUID + Active Directory

A few posts ago I wrote about integrating Squid and Active Directory in order to allow or deny users access to specific web pages depending on the groups a user belongs to.

The Windows package of Squid ships with several helper programs that can be used as external ACLs: Squid passes them a request on standard input and they query the local Active Directory to decide whether access should be granted. The one dealing with users and groups is mswin_check_ad_group.exe which, like every external ACL helper, reads a user and a group name from standard input and returns whether the user belongs to that group.

This is fine and pretty straightforward, but it has a PROBLEM: it only works with groups whose scope is set to “Domain Local”, which becomes a drawback when your users belong to groups with Global scope. I haven’t found any documentation explaining how to achieve this, so I have created a simple external ACL in Python to perform this task.

You only need to download pywin32 and the active_directory module for Python. After installing them, use the following code, which returns OK if and only if the user belongs to the given group (no matter which scope):

import sys, re

import active_directory

while True:
    squid = sys.stdin.readline()
    if len(squid) == 0:  # EOF: Squid has closed the helper
        break

    ret = "ERR"
    # Squid URL-encodes the login, so "DOMAIN\user" arrives as "DOMAIN%5Cuser";
    # the group name is the next field after the space.
    m_user = re.search(r'(?<=%5C)\w+', squid)
    m_group = re.search(r'(?<= )[\w\.]+', squid)
    if m_user and m_group:
        username = m_user.group(0)
        checkgroup = m_group.group(0)
        user = active_directory.find_user(username)
        if user is not None:  # unknown user stays ERR instead of crashing the helper
            for group in user.memberOf:
                if group.cn == checkgroup:
                    ret = "OK"
                    break

    # Exactly one reply line per request: an extra blank line would be read by Squid
    # as a second (invalid) answer, so do not append "\r\n" to a print statement.
    sys.stdout.write(ret + "\n")
    sys.stdout.flush()

I am new to the Python world, so this little thing can surely be improved; feel free to comment on anything.
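The same helper protocol, as an added example that is not the post's own code: it URL-decodes the Squid request line, matches the group CN case-insensitively, follows nested group membership (which goes beyond the direct memberOf check above), and answers ERR on malformed or unknown input instead of crashing. The directory lookups use a constructed in-memory table standing in for the active_directory module, so it runs offline; the names in it are assumptions.

```python
"""Squid external ACL helper: one '%LOGIN group' request per stdin line, one OK/ERR reply per line."""
import sys
from urllib.parse import unquote

# Constructed sample directory (hypothetical, stands in for active_directory):
# user -> direct group CNs, and group -> parent group CNs (nested membership).
SAMPLE_USERS = {"jdoe": ["Sales-Global"], "asmith": ["Helpdesk"]}
SAMPLE_GROUPS = {"Sales-Global": ["Internet.Users"], "Helpdesk": [], "Internet.Users": []}


def parse_request(line):
    """Parse a Squid external_acl_type line of the form '%LOGIN group'.
    Squid URL-encodes each field, so 'DOMAIN\\user' arrives as 'DOMAIN%5Cuser'.
    Returns (username, group) or None when the line is malformed."""
    fields = line.strip().split()
    if len(fields) < 2:
        return None
    login = unquote(fields[0])
    # Strip a 'DOMAIN\' prefix or an '@realm' suffix, whichever form the auth helper passed.
    username = login.split("\\")[-1].split("@")[0]
    return username, unquote(fields[1])


def is_member(username, wanted, users=SAMPLE_USERS, groups=SAMPLE_GROUPS):
    """True if the user is a direct or nested member of 'wanted' (AD CNs compare case-insensitively)."""
    wanted = wanted.lower()
    seen, todo = set(), list(users.get(username, []))
    while todo:  # breadth over the membership graph; 'seen' guards against group cycles
        cn = todo.pop()
        if cn.lower() in seen:
            continue
        seen.add(cn.lower())
        if cn.lower() == wanted:
            return True
        todo.extend(groups.get(cn, []))
    return False


def answer(line, users=SAMPLE_USERS, groups=SAMPLE_GROUPS):
    """The single reply line Squid expects: 'OK' or 'ERR'. Malformed requests and unknown users get ERR."""
    parsed = parse_request(line)
    if parsed is None:
        return "ERR"
    username, group = parsed
    return "OK" if is_member(username, group, users, groups) else "ERR"


if __name__ == "__main__":
    for request in sys.stdin:  # helper loop: reply to each request and flush so Squid is not left waiting
        sys.stdout.write(answer(request) + "\n")
        sys.stdout.flush()
```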