RE: [squid-users] authenticate_program

From: Simon Bryan <sbryan@dont-contact.us>
Date: Mon, 28 May 2001 08:40:46 +1000

You may be able to use something like I used to do with various groups of
users here at school. I set up the usernames in text files (and used Orso's
chetcpasswd to manage the passwords and users for the original files, one
for each form and then used a cron job to regularly concatenate them into
the ones used here, eg Yrs 11 and 12 are concatenated to 'seniors'). Not
quite what you were working on, but it worked for us.

Some of the lines that still existed in my squid.conf are reproduced below:

acl webmail dstdomain "/etc/squid/acls/webmail"
acl chatrooms dstdomain "/etc/squid/acls/chatrooms"
acl chatroomsregex url_regex -i "/etc/squid/acls/chatroomsregex"
acl WebmailIP dst "/etc/squid/acls/webmailIP"
acl webmailregex url_regex -i "/etc/squid/acls/webmailregex"

acl seniors proxy_auth "/etc/squid/etc/webmailusers"
acl staff proxy_auth "/etc/squid/etc/staff"
acl masters proxy_auth "/etc/squid/etc/masters"

http_access allow staff
http_access deny unsuitable !StaffMachines
http_access deny unsuitableregex !StaffMachines
http_access allow webmail Webmailclient
http_access deny webmail Library
http_access deny WebmailIP Library
http_access deny webmailregex Library
http_access allow webmail StaffMachines
http_access allow webmail seniors
http_access allow webmailIP Webmailclient
http_access allow webmailIP StaffMachines
http_access allow webmailIP seniors
http_access allow webmailregex Webmailclient
http_access allow webmailregex StaffMachines
http_access allow webmailregex seniors
http_access deny webmail
http_access deny WebmailIP

At 08:06 28/05/2001, you wrote:

>Henrik Nordstrom wrote
> > Matt Johnson wrote:
> > >
> > > My directory contains specific IPs, and specific URLs that a user has
> > > access to, and I am wanting to authenticate a user based on that
> > > information. So, getting the IP, and URL passed to my authentication
> > > program is a must. I just have to figure out how to make Squid do
> > > this. :-)
> >
> > For this purpose you should use the redirector interface, not the
> > "username+password" verification interface.
>
>I have a redirector setup, and am also using an authentication program to
>validate users, and they work fine independently... but I don't see how I
>can authenticate a user, with a "username+password", and then use the
>redirector to control which pages that user can go to. From what I can
>tell the redirector doesn't send the username, that was sent to the
>authenticate_program. Did I miss something here in how the redirectors work?
>
>We've developed a database of employees, and thousands of sites that we
>let them go to. We have groups in our database where we let certain
>departments go to certain sites. So, the tie between url, and username is
>required.
>
>Example:
>UserAA belongs to Department1, Department2, Department3
>UserBB belongs to Department2
>UserCC belongs to Department3
>UserDD belongs to Department2, Department1
>
>Department1 can access sites A, B, C, D, E, F, G
>Department2 can access sites A, F, H, I, J, K, L
>Department3 can access sites H, K, M, N, O, P
>
>We don't want UserCC to have access to UserAA's account, so we use a
>"username+password" to keep things relatively secure. Everything is
>restricted. Plus we have remote employees and all kinds of other crazy
>variables. An ident solution just wouldn't work, be practical, or secure.
>
>So, with you knowing a little more of my situation, do you still think a
>redirector is going to work?
>
>Matt

Simon Bryan
____________________________________
IT Manager
OLMC Parramatta
http://www.olmc.nsw.edu.au
____________________________________
Received on Sun May 27 2001 - 16:41:04 MDT
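
The cron-driven merge described in the message above, as an added example that is not part of the original post or of Squid: it rebuilds one group list for a `proxy_auth` ACL from per-form lists and swaps it in atomically. The function name, the one-username-per-line format with `#` comments, and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example: rebuild one proxy_auth group list from per-form username lists.
# Assumed file format: one username per line; '#' starts a comment.

# build_group_file DEST SRC...
# Installs the sorted, de-duplicated union of the SRC files as DEST.
# DEST is left untouched if a SRC is unreadable or the merged list is empty,
# so a failed run never locks a whole group out or truncates the live file.
build_group_file() {
    dest=$1
    [ "$#" -ge 2 ] || { echo "usage: build_group_file DEST SRC..." >&2; return 2; }
    shift
    for src in "$@"; do
        [ -r "$src" ] || { echo "unreadable source: $src" >&2; return 1; }
    done

    # Temp file beside DEST so the final mv is an atomic same-filesystem rename.
    tmp=$(mktemp "$(dirname "$dest")/.grouplist.XXXXXX") || return 1

    # Drop CRs, comments, surrounding blanks and empty lines, then de-duplicate.
    # awk ends a record at each end of file, so a missing final newline is safe.
    awk '{ sub(/\r$/, ""); sub(/#.*/, "")
           gsub(/^[ \t]+|[ \t]+$/, "")
           if ($0 != "") print }' "$@" | LC_ALL=C sort -u > "$tmp"

    if [ ! -s "$tmp" ]; then
        echo "merged list is empty, keeping existing $dest" >&2
        rm -f "$tmp"
        return 1
    fi

    # The list holds usernames only (no passwords), so it may be world-readable;
    # mktemp created it 0600, which the Squid user might not be able to read.
    chmod 644 "$tmp" && mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
}

# Cron usage (hypothetical paths), rereading the ACL files afterwards:
#   build_group_file /etc/squid/etc/seniors /etc/squid/forms/yr11 /etc/squid/forms/yr12 \
#       && squid -k reconfigure
```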
