[squid-users] Multiple external authenticators

From: James Tolchard <squidlist@dont-contact.us>
Date: Thu, 30 May 2002 13:54:50 +1200

Hi there

I have configured squid before, but have come across a situation that
requires a configuration that I haven't needed to do before, and I can't
find any information in either the list archives or google.

What I need to do is authenticate users via an external authenticator
process (this bit I have done before). However, I need the request to
match a different ACL, based upon a factor that is determined by the
external process.

I have configured the external authenticator in the usual way, and it
returns OK for any user on the system. However, what I really need it to
do is match one ACL if the authenticated user's primary group (in the
system user database) is A, and match a different ACL if the authenticated
user's primary group is B. The authenticator I am using does have the
ability to determine this information.

My idea is that I could define multiple external authenticator programs
(called, say auth_groupa and auth_groupb). The first authenticator would
return OK only if the user was in the group A, and the second
authenticator would return OK only if the user was in group B.

This way, if I configured the ACLs right, the first external process
(auth_groupa) would return ERR unless the user existed and their primary
group was group A, and the second external process (auth_groupb) would
return ERR unless the user existed and their primary group was group B.

So, if a requesting user's primary group was group B, the first
authenticator would be called once (and return ERR), then the second
authenticator would be called once, and would return OK, thus causing
squid to match the ACL for the second authenticator (maybe??).

This would allow me to match all requests from group A users to one ACL,
and all requests from group B users to a different ACL.

HOWEVER - all of the above doesn't work, because you can only configure
one external authenticator (as far as I can see).

So, does anyone know how I could achieve this (ie, match a request to a
particular ACL based upon which username was successfully passed by the
external process)?

With over 700 users on the system, and users changing on a daily basis
(being added and deleted), it is impractical to maintain a separate file
of which usernames should match which ACL (and it would be a shame to do
so, since this information is so clearly defined by which primary group
the user is in).

PS: I'm open to any suggestions at all, and I have written my own working
external authenticator for this purpose (I needed to authenticate to a
remote NetInfo Domain).

Thanks in advance for any help.

Regards
James Tolchard
Received on Wed May 29 2002 - 19:56:35 MDT
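
Added example, not part of the original post and not the poster's authenticator: one way to key an ACL on a user's primary group is a single group-lookup helper behind Squid's external_acl_type directive, in Squid versions that provide it, instead of several authenticators. The helper path, the ACL names, the constructed SAMPLE_DB and the local pwd/grp lookup are assumptions; a NetInfo lookup would replace system_primary_group.

```python
#!/usr/bin/env python3
"""Primary-group helper for Squid's external_acl_type (added example).

Assumed squid.conf wiring (helper path and ACL names are hypothetical):
  external_acl_type primary_group %LOGIN /usr/local/bin/primary_group.py
  acl group_a external primary_group A
  acl group_b external primary_group B
Squid writes one line per lookup, "<login> <group> [<group> ...]", and
reads back "OK" or "ERR" on a line of its own.
"""
import grp
import pwd
import sys
from urllib.parse import unquote

# Constructed user -> primary group table, for trying answer() offline.
SAMPLE_DB = {"alice": "A", "bob": "B"}


def system_primary_group(user):
    """Primary group name from the local user database, or None if unknown."""
    try:
        return grp.getgrgid(pwd.getpwnam(user).pw_gid).gr_name
    except KeyError:
        return None


def answer(line, lookup=system_primary_group):
    """Return "OK" if the user's primary group is one of the listed groups."""
    # Assumption: Squid URL-escapes each field, so decode before comparing.
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2:
        return "ERR"  # malformed request: fail closed
    user, wanted = fields[0], fields[1:]
    group = lookup(user)
    return "OK" if group is not None and group in wanted else "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid waits on every reply, so never buffer


if __name__ == "__main__":
    main()
```

The existing authenticator still verifies the password; this helper only answers which group ACL a login that has already been authenticated falls under.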
