[menpavel]

Для тех, кому интересно:

%s is the name this authenticator gets from Squid

И еще:

external_acl_type ldapgroup %LOGIN /usr/lib/squid/squid_ldap_group -b o=Company
-f (&(objectclass=person)(cn=%v)(groupMembership=cn=%a,ou=Proxygroups,o=Company))
-D cn=Tim,ou=IT-Services,o=Company -w timspassword -h ldapserver

The filter expression looks a little complicated. It just means that we are looking for any user (person) with the name we are looking for (%v) who is a member of the group we are looking for (groupMembership). You can now just create any number of groups in the tree like

cn=googleallowed,ou=Proxygroups,o=Company

Then this pile of ACLs should block off everyone from google.com who is not a member of that group:

acl ldapgroup-googleallowed external ldapgroup googleallowed
acl google dstdomain google.com
http_access deny google !ldapgroup-googleallowed

You may be curious how such a group authorizator works. Simple. It just reads line after line from STDIN (like the console) where each line looks like

username groupname

and returns either OK or ERR depending on whether the user is a member of that group or not.

Пока больше ничего не нашел более менее стоящего. Хочется все таки разобраться более подробно.