This has been discussed before.
To make it perfect two different approaches are needed:
a) Authenticators need to be able to report group membership when the
user is authenticated
b) There needs to be an acl type for external group membership lookups,
much like the proxy_auth verification.
A simple mid-ground approach is perhaps to change proxy_auth to include
the ACL name as part of the authentication process and caching. Hmm..
thinking about it I probably prefer this. Not very much needs to be
changed to support it and it allows full flexibility in the access
control. Only problem is that it does not scale that well with the
number of groups.
/Henrik
Robert Collins wrote:
>
> For authentication, what if we have the authenticator return the groups
> after the current response? So old authenticators are returning no group
> memberships, and newer ones can return groups optionally?
>
> With ntlm_auth we return the username from the authenticator anyway... I
> don't know how much overhead it would introduce.
>
> Then in squid.conf we either match against both the username and group names,
> or perhaps introduce a new directive proxy_auth_group?
>
> Rob
Received on Fri Sep 01 2000 - 16:20:27 MDT
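
The mid-ground approach from the reply above, modelled as an added example (not part of the original message and not Squid code): verdicts are cached per ACL name and user rather than per user, so the first pass costs one helper round trip per ACL. The `helper` function, the `DIRECTORY` data and the assumption that the ACL name doubles as the group name are all hypothetical, and the model omits cache expiry.

```python
import hashlib

# Constructed sample directory (hypothetical): user -> (password, groups).
DIRECTORY = {
    "alice": ("wonderland", {"staff", "admins"}),
    "bob": ("builder", {"staff"}),
}


def helper(username, password, acl_name):
    """Stand-in for an external authenticator that is also told the ACL name.

    Assumption: the ACL name doubles as the group name to check.
    """
    entry = DIRECTORY.get(username)
    if entry is None or entry[0] != password:
        return "ERR"
    return "OK" if acl_name in entry[1] else "ERR"


class AclKeyedAuthCache:
    """Caches helper verdicts per (ACL name, user, credential), not per user."""

    def __init__(self, helper_fn):
        self.helper_fn = helper_fn
        self.verdicts = {}
        self.helper_calls = 0

    def check(self, acl_name, username, password):
        # Key on a digest so the cache does not hold the clear-text password.
        digest = hashlib.sha256(password.encode()).hexdigest()
        key = (acl_name, username, digest)
        if key not in self.verdicts:
            self.helper_calls += 1
            self.verdicts[key] = self.helper_fn(username, password, acl_name) == "OK"
        return self.verdicts[key]


def helper_calls_for(acl_names, username, password):
    """Helper round trips needed to evaluate one user against each ACL twice."""
    cache = AclKeyedAuthCache(helper)
    for _ in range(2):
        for acl in acl_names:
            cache.check(acl, username, password)
    return cache.helper_calls
```

The second pass over the same ACLs is served from the cache, so the helper cost grows with the number of distinct ACL names a user is checked against, which is the scaling limit the reply mentions.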