problem: proxy authentication

We have a problem with the actual (squid2.2) version of proxy
authentication, being not flexible enough for our needs (maybe we are wrong
about that).

We have an intranet with 40.000 users, an internet-connection through a
firewall, which about 1000 Users may use. We also have some
extranet-connections through a firewall, one may be used by any valid user,
some only by some thousands of users.

So we decided to use a ldap directory. Group Membership tells us, which
connections to the outside may be used by whom.

Something like "acl internet proxy_auth user1 user2 user3 ..." would be not
good for 1000 users.
"acl internet proxy_auth all_internet_users.txt" with
"all_internet_users.txt" being a file with the valid users might work (we
didn't test that) but is not too good either.

So we thougt about putting the test for the group-membership in the external
authentication program.
But then we would need different authentication programs for different
outside-connections (extranets).
This means something like
"acl internet proxy_auth auth_program1"
"acl extranet1 proxy_auth auth_program2"
"acl extranet2 proxy_auth auth_program3"

This might, by the way, solve a problem which the "netscape proxy server"
has. It can do ldap-checks like "all members of this group may access the
internet" but caches only the user-id and password.
So it must do a lookup with every page, image ..., to see if the user is
member of the group.

These are our thoughts. Maybe we are completely wrong, and there is already
a simple way to solve our problem with squid. Please tell us.
We know, there is a workaround using "smb_auth". But we don't really want a
M$-Domain Environment with a lot of trust relationships (40.000 users).

Thank you for any help

Juergen Sandner
Received on Tue Jul 27 1999 - 03:49:59 MDT