Squid and Active Directory authentication

I want to integrate a Squid proxy with an Active Directory domain, so that the following is achieved:

  • I can grant/deny access to web sites based on user accounts and/or groups.
  • Domain users don't need to explicitly authenticate when accessing the proxy, i.e. they automatically use their Windows logon credentials.
  • Unauthenticated users can still be granted access (to specific destinations).

The last two points are my main concern; I know Squid can authenticate users against AD, but I don't know if it can manage authenticated and anonymous users at the same time, and if it can use transparent authentication, i.e. without requiring the user to explicitly log in to the proxy server.

Also, I know there are two ways to integrate Squid with AD: WinBind and LDAP. Which one is better for this scenario?

I don't need Squid to be a transparent proxy; there's already a GPO in place which configures IE proxy settings for all domain users.

Bonus question: can all of this work when SquidGuard is involved, too?


I'm using Squid as a non-transparent proxy to authenticate (and database) user access to web sites in production and it works very well.

I'm running it on Win32, so the integration with Active Directory has been pretty painless. As such, I can't speak to the relative merits of WinBind versus LDAP.

The "bypass" functionality that you're looking for re: anonymous users having access to some sites is documented in the Squid wiki. I haven't tried the configuration example there on a real Squid instance. After reading the first sample configuration I'd say that it should work "as advertised". It looks like the trick (since Squid parses ACLs top-to-bottom, bailing out after the first ACL it finds that satisfies the request) is to put the anonymous access ACLs before any ACLs that depend on authentication.
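
The rule ordering described in the answer above, as an added squid.conf sketch that is not part of the original post or taken from the Squid wiki. It assumes a Linux Squid joined to the domain through Samba/winbind; the helper paths, the destination domains and the group name `InternetUsers` are assumptions to adapt.

```conf
# Added example; helper paths, domains and the group name are assumptions.

# Single sign-on: NTLM through Samba's ntlm_auth helper, which talks to
# winbind. Domain-joined browsers can answer the proxy's 407 challenge
# with the user's Windows logon credentials instead of prompting.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 10

# AD group lookup through winbind (path varies by distribution and version).
external_acl_type ad_group ttl=300 %LOGIN /usr/lib/squid/ext_wbinfo_group_acl

# Destinations open to everyone, authenticated or not (constructed sample).
acl open_sites dstdomain .update.example.com .intranet.example.com

# ACLs that need a user name. Evaluating either one makes Squid ask the
# client for credentials if the request carries none.
acl ad_users proxy_auth REQUIRED
acl web_group external ad_group InternetUsers

# http_access rules are checked top to bottom and the first match decides.

# 1. Anonymous destinations first: the request is allowed before any
#    authentication-dependent ACL is evaluated, so no 407 is sent.
http_access allow open_sites

# 2. Everything else requires a valid domain user ...
http_access deny !ad_users

# 3. ... who is a member of the permitted AD group.
http_access allow web_group

# 4. Default deny.
http_access deny all
```

If rule 1 were placed below rule 2, unauthenticated clients would be challenged even for the open destinations. `squid -k parse` checks the file for syntax errors before it is loaded.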