Re: [squid-users] authenticate_program

From: Robert Collins <robert.collins@dont-contact.us>
Date: Mon, 28 May 2001 08:09:35 +1000

----- Original Message -----
From: "Matt Johnson" <mjohnson@iblp.org>
To: "'Henrik Nordstrom'" <hno@hem.passagen.se>
Cc: <squid-users@squid-cache.org>
Sent: Monday, May 28, 2001 8:06 AM
Subject: RE: [squid-users] authenticate_program

> Henrik Nordstrom wrote
> > Matt Johnson wrote:
> > >
> > > My directory contains specific IPs, and specific URLs that a user has
> > > access to, and I am wanting to authenticate a user based on that
> > > information. So, getting the IP, and URL passed to my authentication
> > > program is a must. I just have to figure out how to make Squid do
> > > this. :-)
> >
> > For this purpose you should use the redirector interface, not the
> > "username+password" verification interface.
>
> I have a redirector setup, and am also using an authentication program to
> validate users, and they work fine independently... but I don't see how I
> can authenticate a user, with a "username+password", and then use the
> redirector to control which pages that user can go to. From what I can tell
> the redirector doesn't send the username, that was sent to the
> authenticate_program. Did I miss something here in how the redirectors work?

Yes. Squid performs the authentication, then gives the username to the
redirector. You need to configure squid to perform authentication first.
Also IIRC a somewhat older version of squid had a bug in this area.

> We've developed a database of employees, and thousands of sites that we let
> them go to. We have groups in our database where we let certain departments
> go to certain sites. So, the tie between url, and username is required.
>
> Example:
> UserAA belongs to Department1, Department2, Department3
> UserBB belongs to Department2
> UserCC belongs to Department3
> UserDD belongs to Department2, Department1
>
> Department1 can access sites A, B, C, D, E, F, G
> Department2 can access sites A, F, H, I, J, K, L
> Department3 can access sites H, K, M, N, O, P
>
> We don't want UserCC to have access to UserAA's account, so we use a
> "username+password" to keep things relatively secure. Everything is
> restricted. Plus we have remote employees and all kinds of other crazy
> variables. An ident solution just wouldn't work, be practical, or secure.

I don't recall anyone suggesting ident as a solution :]. You can do
everything you've described in-squid, without even needing a redirector.
Henrik has a patch to allow dynamic acl updates which might be useful.

> So, with you knowing a little more of my situation, do you still think a
> redirector is going to work?

Yes. I know of at least one site running with similar requirements, with
1000's of employees.

Rob

> Matt
>
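The mechanism Rob describes above (Squid authenticates first, then hands the username to the redirector) can be illustrated with a small redirector helper. This is an added example, not code from the thread or from the Squid project: it assumes the classic Squid 2 redirector input line `URL ip-address/fqdn ident method`, where the `ident` field carries the authenticated username once Squid has been configured to require proxy authentication (and is `-` when no user is known). The department and site data mirror Matt's example, with constructed hostnames such as `a.example`; `DENIED_URL` is a placeholder for whatever local "access denied" page you serve. The helper fails closed: a request with no username, or a malformed line, is redirected rather than passed through.

```python
#!/usr/bin/env python3
"""Group-based URL redirector for Squid (added example, not Squid code).

Reads one request per line on stdin in the Squid 2 redirector format
    URL ip-address/fqdn ident method
and writes one line per request: an empty line to leave the URL unchanged,
or a replacement URL to send the client to the denied page instead.
"""
import sys
from urllib.parse import urlsplit

# Constructed sample data mirroring the thread's example (not real sites).
USER_DEPARTMENTS = {
    "useraa": {"Department1", "Department2", "Department3"},
    "userbb": {"Department2"},
    "usercc": {"Department3"},
    "userdd": {"Department2", "Department1"},
}
DEPARTMENT_SITES = {
    "Department1": {"a.example", "b.example", "c.example", "d.example",
                    "e.example", "f.example", "g.example"},
    "Department2": {"a.example", "f.example", "h.example", "i.example",
                    "j.example", "k.example", "l.example"},
    "Department3": {"h.example", "k.example", "m.example", "n.example",
                    "o.example", "p.example"},
}
# Placeholder: replace with the local "access denied" page.
DENIED_URL = "http://proxy.example/denied.html"


def parse_request(line):
    """Split a redirector input line into its fields; None if malformed."""
    parts = line.strip().split()
    if len(parts) < 4:
        return None
    url, addr, ident, method = parts[:4]
    ip, _, fqdn = addr.partition("/")
    return {"url": url, "ip": ip, "fqdn": fqdn, "user": ident, "method": method}


def allowed_sites(user):
    """Union of the sites every department the user belongs to may reach."""
    sites = set()
    for dept in USER_DEPARTMENTS.get(user.lower(), ()):
        sites |= DEPARTMENT_SITES.get(dept, set())
    return sites


def host_permitted(host, sites):
    """Exact match or a subdomain of a permitted site (www.a.example -> a.example)."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in sites)


def decide(line):
    """Return "" to allow the request unchanged, or DENIED_URL to block it."""
    req = parse_request(line)
    # Fail closed: no authenticated user (ident "-") or a line we cannot parse.
    if req is None or req["user"] == "-":
        return DENIED_URL
    host = urlsplit(req["url"]).hostname or ""
    if host_permitted(host, allowed_sites(req["user"])):
        return ""
    return DENIED_URL


def main():
    # Squid keeps the helper running and feeds one request per line.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()  # Squid waits for each answer; never buffer


if __name__ == "__main__":
    main()
```

The redirector only sees a username because Squid's `proxy_auth` ACL has already forced the client to authenticate; if that ACL is missing, every request arrives with `-` in the ident field and this helper denies all of them, which is the safer outcome than silently granting access.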
Received on Sun May 27 2001 - 16:10:10 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:00:19 MST