Razvan Grigore wrote:
>> What you are looking for is winbind helper. It runs as an external ACL.
>> Any other approach will also need to run an external ACL, so the answer to
>> your seconds question is yes and the example is winbind.
>>
>>
>
> The winbind helper is declared like this:
>
> external_acl_type ad_group children=3 ttl=120 %LOGIN
> /usr/lib/squid/wbinfo_group.pl
>
> I pass to it only the username. What I want is allow ANY username
> (even if it's not member of Internet AD group) who is logged on a
> computer member of this Internet group. I guess i have to pass the
> %SRC variable to a external helper and user nmblookup to get the
> computer name and then i'm stuck.
>
> Any ideas?
> Razvan
You appear not to understand the real concepts behind authentication and
authorization....
You can authenticate a username/password pair, regardless of location.
(standard login)
THEN you can use the username/password to retrieve and verify a
particular group for the username/password (winbind group external ACL).
THEN you can also verify a location with one of the username/password or
username/password/group tuplets.
You cannot use AD _user_ groups to assign a group membership to a
_location_ while ignoring username.
For the setup you are now describing the secure way to do it is to
ignore username completely and use the location (source IP) in an ACL.
As has been mentioned several times already.
You can _additional_ to that, to force users to login correctly (anyone
with valid username/password pair) before the external ACL gets run. But
even then the external ACL MUST ignore the login details it gets.
Amos
-- Please be using Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10 Current Beta Squid 3.1.0.2 or 3.0.STABLE11-RC1Received on Fri Dec 05 2008 - 01:00:30 MST
This archive was generated by hypermail 2.2.0 : Fri Dec 05 2008 - 12:00:02 MST