Re: Authorization by acl

From: Glen Newton <gnewton@dont-contact.us>
Date: Thu, 15 Jul 1999 15:11:57 -0400 (EDT)

I would prefer that the 'authentication' method be extended to allow
for access control. I may not entirely understand this, but I would
like to have something like the following sent to the external
authenticator:

<src> <dst> <user> <password>

Then the external authenticator can manage the access control as well,
better than squid (i.e. for large numbers). We are looking at having the
userid, password and the access control information in an LDAP. This is
why I have been working on the LDAP side of things.

We are also looking at using the redirector for this, and instead of
just having one URL per line, having the above. The redirector would
check whether the user had access to a particular resource.

I'm not sure if either of these methods (doing a lookup on an LDAP)
would slow down things too much. The authenticator could always cache
some of this information...

-glen

-- 
/glen newton
/glen.newton@nrc.ca
/internet project leader
/advanced services
/canadian institute for scientific
/and technical information
/national research council
/ottawa canada
/613 990-9163
-- 
> From: Chris Hughes <hughesc@barclayscapital.com>
> Reply-To: chris.hughes@barclayscapital.com
> To: Wade Komisar <Komisar@virginia.edu>
> cc: squid-users@ircache.net
> Subject: Re: Authorization by acl
> In-Reply-To: <378DEB1C.7910CF00@Virginia.EDU>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> Content-Length: 1288
> 
> On Thu, 15 Jul 1999, Wade Komisar wrote:
> 
> > Thank you for the patch, and once again raising the question of
> > authorization in squid.  
> > 
> > I have a similar need for greater granularity in authorization. 
> > However, I'm using the NCSA authentication method and not LDAP. 
> > Granted, that I will need to customize the NCSA routine to recognize my
> > authorization criteria, is your patch generalized enough for me to use,
> > or is it LDAP specific?
> 
>  I really just knocked up the patch because I wanted to prove to someone
> that it was possible to do this with squid, and I'd like to suggest at
> least an evaluation of a squid deployment versus our current Netscape
> Proxy infrastructure (which I truly detest).
> 
>  It's _totally_ untested, and I wouldn't recommend using it.  I just
> really wanted to provoke some discussion again ;)  Basically, it just
> passes the acl name to the external authenticator as:
> <acl> <user> <password>
> instead of the normal
> <user> <password>
> so that the external authenticator can use that to determine if the user
> is authorized to get the resource.  But it kinda subverts squid's
> authentication method to do authorisation, and there's a couple of kludges
> in there to retrieve the acl name.  
> 
>  On the other hand... it's not LDAP specific.
> 
> Chris
> -- 
> Chris Hughes
> 
> 
> 
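As an added illustration of the two proposals in this thread (Glen's `<src> <dst> <user> <password>` request line, and the caching he mentions), here is a small external authenticator written for this page; it is example code, not from the squid project or from either poster. It assumes `src` is the client IP, `dst` is the destination host name of the request, and that the helper answers `OK` or `ERR` per line, which is the classic Squid basic-auth helper convention. The in-memory `DIRECTORY` is a constructed stand-in for the LDAP directory described in the message; a real helper would bind to LDAP at that point.

```python
"""Hypothetical Squid external authenticator for the proposed
"<src> <dst> <user> <password>" line.  Example code for this thread,
not part of squid; the directory below is a constructed stand-in for LDAP."""
import hashlib
import hmac
import sys
import time
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network


def _pw_hash(salt: str, password: str) -> str:
    # Toy salted hash so the example never stores clear-text passwords.
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed stand-in for the LDAP entries: credentials plus the ACL data
# (allowed client networks and allowed destination host patterns).
DIRECTORY = {
    "glen": {
        "salt": "s1", "hash": _pw_hash("s1", "correct horse"),
        "src": ["10.0.0.0/8"],
        "dst": ["*.nrc.ca", "www.squid-cache.org"],
    },
    "wade": {
        "salt": "s2", "hash": _pw_hash("s2", "battery staple"),
        "src": ["192.168.1.0/24"],
        "dst": ["*.virginia.edu"],
    },
}

CACHE_TTL = 60.0          # seconds a positive decision is remembered
_cache: dict = {}         # (src, dst, user, pw_hash) -> expiry time
STATS = {"hits": 0, "misses": 0}


def lookup(src: str, dst: str, user: str, password: str, now=None) -> str:
    """Return "OK" if the credentials are valid AND the user may reach dst
    from src, else "ERR".  `now` is injectable so the cache can be tested."""
    now = time.monotonic() if now is None else now
    entry = DIRECTORY.get(user)
    # Hash even for unknown users so a missing account costs the same as a
    # wrong password (no user-enumeration timing hint).
    candidate = _pw_hash(entry["salt"] if entry else "x", password)
    key = (src, dst, user, candidate)
    if key in _cache and _cache[key] > now:
        STATS["hits"] += 1
        return "OK"
    STATS["misses"] += 1
    if entry is None or not hmac.compare_digest(candidate, entry["hash"]):
        return "ERR"
    try:
        src_ok = any(ip_address(src) in ip_network(n) for n in entry["src"])
    except ValueError:        # src is not a parseable address
        return "ERR"
    dst_ok = any(fnmatchcase(dst.lower(), p.lower()) for p in entry["dst"])
    if not (src_ok and dst_ok):
        return "ERR"
    # Cache only positive results: a remembered ERR would outlive a password
    # change or lock a user out, and failed guesses should not be kept.
    _cache[key] = now + CACHE_TTL
    return "OK"


def handle_line(line: str) -> str:
    # maxsplit=3 keeps spaces inside the password; anything else is malformed.
    parts = line.rstrip("\n").split(" ", 3)
    if len(parts) != 4 or not all(parts):
        return "ERR"
    return lookup(*parts)


def serve(inp=sys.stdin, out=sys.stdout) -> None:
    # Squid sends one request per line and waits for the answer; never buffer.
    for line in inp:
        out.write(handle_line(line) + "\n")
        out.flush()


if __name__ == "__main__":
    serve()
```

Two caveats a practitioner would weigh before deploying something like this: caching positive decisions means a revoked user keeps access for up to `CACHE_TTL` seconds, so the TTL is a security parameter, not just a performance one; and the password still travels on the helper line exactly as it does with the plain `<user> <password>` form, so the helper process and its logs must be protected accordingly.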
Received on Thu Jul 15 1999 - 12:57:35 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:47:26 MST