Hi,
I'm trying to set up a Squid proxy where users can be authenticated via NTLM, SMB or LDAP (this is an
implementation detail and the final choice is not relevant here) and where authorization (depending on the protocols
used [HTTP, FTP, CONNECT]) is done at a group level.
I've tried group_ldap_auth (which adds group functionality to the core Squid) but it seems to be buggy when it's used
with different ACLs and groups. For example, the following config is too unstable to be used in a production
environment:
=====[squid.conf]=============================
acl ldap_users_HTTP ldap_auth static 'Utilisateurs_HTTP'
acl ldap_users_FTP ldap_auth static 'Utilisateurs_FTP'
acl ldap_users_HTTPS ldap_auth static 'Utilisateurs_HTTPS'
acl ldap_proto_HTTP proto HTTP
acl ldap_proto_FTP proto FTP
acl ldap_port_HTTPS port 443
acl CONNECT method CONNECT
http_access allow ldap_proto_HTTP ldap_users_HTTP
http_access allow ldap_proto_FTP ldap_users_FTP
http_access allow ldap_port_HTTPS ldap_users_HTTPS CONNECT
=====[/squid.conf]============================
So, I've looked around and I see two possible solutions to my problem:
- the first one is a bit dirty:
  1) do a normal authentication at the Squid level (with the patch described
     at http://www.squidguard.org/faq/)
  2) then use SquidGuard to do the authorization based on groups
  3) the groups should be defined locally
- the second one is much cleaner but the code isn't in STABLE:
  1) get a Squid with group support (Patches? HEAD release? DEVEL release?)
  2) use the external_acl project to implement group authorization
  3) the groups can be defined anywhere (Win2K domains, db file, ...)
There are perhaps some other possibilities, but I'm not aware of them.
All in all, it seems strange to me that this functionality (group authorization) hasn't been added to the core Squid,
because it seems to be asked for by many people.
Now, my questions:
- can Squid developers give me an idea of the date of availability of group authorization in the STABLE release?
- are there other Squid users who have met the same problem as me, and who have solved it successfully? If
yes, how did you do it?
Nicob
Received on Tue May 28 2002 - 03:29:52 MDT
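
The second option in the message above, sketched as an added example (not part of the original post and not Squid project code): a helper for Squid's external_acl_type interface that answers OK or ERR per request depending on group membership. The helper path, the `group_check` name, the sample users and the in-memory group table are assumptions, and it assumes the helper protocol in which Squid URL-escapes each field.

```python
#!/usr/bin/env python3
"""Group-membership helper for Squid's external_acl_type (added example).

Hypothetical squid.conf wiring (name and path are assumptions):
  external_acl_type group_check %LOGIN /usr/local/bin/group_helper.py
  acl ldap_users_HTTP external group_check Utilisateurs_HTTP
  http_access allow ldap_proto_HTTP ldap_users_HTTP
"""
import sys
from urllib.parse import unquote

# Constructed sample data. A real helper would look these up in LDAP,
# a Windows domain or a db file instead of a hard-coded table.
GROUPS = {
    "Utilisateurs_HTTP": {"alice", "bob"},
    "Utilisateurs_FTP": {"alice"},
    "Utilisateurs_HTTPS": {"bob"},
    "Domain Users": {"carol"},
}


def decide(line, groups=GROUPS):
    """Return 'OK' if the user belongs to any requested group, else 'ERR'.

    Input is one request line: "<login> <group> [<group> ...]".
    Fields are split on whitespace first, then URL-decoded, so an escaped
    space inside a group name cannot shift the field boundaries.
    """
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2:
        return "ERR"              # malformed request: fail closed
    user, wanted = fields[0], fields[1:]
    if not user or user == "-":
        return "ERR"              # no authenticated login was supplied
    for group in wanted:
        if user in groups.get(group, ()):
            return "OK"
    return "ERR"                  # unknown group or non-member: deny


def main():
    # Squid keeps the helper running and expects one reply line per request,
    # so flush after every answer.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Every path that is not a positive match returns ERR, so a malformed request or an unknown group name denies access instead of falling through to an allow.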