Re: [squid-users] ldap auth & Novell problem

From: Gerben Welter <gerben@dont-contact.us>
Date: Sat, 14 Sep 2002 00:54:31 +0200

At 19:45 9/13/2002 +0200, Henrik Nordström wrote:

>Hmm.. Windows 2000 Terminal Server is definitely multi-user, and I would
>guess one can use Terminal Server in an NDS environment..

Could be. I have no experience with Terminal Services. We only use MS if we
really need to, e.g. for an application that really requires IIS or MS SQL.
Anything else we run under Novell or Linux. All our users have Windows 98
workstations (lower hardware requirements). Only we admins use Windows 2000
for the stability when using NWadmin (Novell admin tool) and other tools.

> > But to wrap this subject up, I think that ident would work well enough in
> > most environments. The only gripe I had with ident is the number of ident
> > requests that Squid performs for the requests. In our environment with
> > about 100-200 concurrent users that's just too much traffic. But I say
> > had, because we recently upgraded our 256kbit/2 Mbit WAN lines to
> > 100 Mbit :-D
>
>There will be one Ident lookup per TCP connection to the proxy. This is
>needed to be able to support multi-user client stations such as UNIX or
>Windows Terminal Server.

I still have a problem understanding 'per TCP connection'. So when IE
requests a URL and keeps requesting URLs within a certain time, the TCP
connection keeps open? And if yes, the ident request will occur only once,
as long as there's a steady flow of requests? Is this like persistent
connections?

> > Maybe I could throw in a feature request? :-) Could there be also an
> > ident_ttl option so this would occur only once in 5 minutes or so? That
> > would significantly reduce the amount of traffic (and maybe load on the
> > server side)
>
>Sure. But it would not really be IDENT then...

Ok, but we might come up with a mechanism that's similar to what Matt
posted about clntrust. How about the following scenario:

- client requests URL.
- squid requests ident from client.
- client returns username in Novell style, like .user.container.tree.
- squid uses LDAP to look up the ident and collects the list of IP
address(es) that user is logged in on.
(can be multiple addresses if the client is allowed to log in more than once)
- if one of those addresses matches the IP where the request for the URL
originated from, the user is authenticated.
- IP address is authenticated until the TTL expires.

Is this scenario feasible? It may not be airtight in terms of security,
but tight enough for most environments. And more importantly, it can be done
transparently because no user interaction is required.

The best part of this is the fact that all the software to do this is
already available. It only needs to be 'glued' together.

What do you think from a technical point of view?

Gerben.
Received on Fri Sep 13 2002 - 16:54:20 MDT
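The scenario Gerben sketches above (ident reply carrying a Novell-style name, an LDAP cross-check of the addresses that user is logged in from, and an IP-level TTL so ident is asked only once per period) as an added, runnable example. This is not code from the original post, from Squid or from Novell. The RFC 1413 reply format is real; everything else is an assumption made for illustration: the user names and addresses are constructed, the directory is a dictionary standing in for an LDAP search, and the `networkAddress` attribute encoding ("<type>#<raw octets>", type 9 = TCP with a 4-byte IPv4 address and 2-byte port) is what I assume eDirectory returns and must be checked against a real directory before use.

```python
"""Glue for the ident + LDAP login-address check described in the post.

Added example, not Squid or Novell code.  The ident daemon and the
directory are replaced by constructed data so the script runs offline.
"""
import ipaddress
import struct
import time


# --- 1. ident reply (RFC 1413 wire format) -----------------------------------
def parse_ident_reply(line):
    """Return the user-id from an RFC 1413 reply, or None for ERROR/malformed.

    Replies look like "<ports> : USERID : <opsys> : <user-id>" or
    "<ports> : ERROR : <error-type>".  The user-id is everything after the
    third colon, so a Novell name such as .user.container.tree survives.
    """
    fields = [f.strip() for f in line.rstrip("\r\n").split(":", 3)]
    if len(fields) != 4 or fields[1].upper() != "USERID" or not fields[3]:
        return None
    return fields[3]


# --- 2. directory lookup (stand-in for the LDAP query) -----------------------
# ASSUMPTION: the user's current logins are exposed as a multi-valued
# 'networkAddress' attribute encoded "<type>#<raw octets>", where type 9 = TCP
# and 8 = UDP carry 4 bytes of IPv4 address followed by a 2-byte port.  Other
# types (e.g. IPX) are skipped.  Verify against your own directory.
TCP_ADDRESS, UDP_ADDRESS = 9, 8


def decode_network_address(value):
    """Return the IPv4 address in one networkAddress value, or None."""
    if isinstance(value, str):
        value = value.encode("latin-1")
    addr_type, sep, raw = value.partition(b"#")
    if not sep or not addr_type.isdigit():
        return None
    if int(addr_type) not in (TCP_ADDRESS, UDP_ADDRESS) or len(raw) < 6:
        return None  # not an IP transport, or truncated
    ip_bytes, _port = struct.unpack("!4sH", raw[:6])
    return str(ipaddress.IPv4Address(ip_bytes))


# Constructed directory: Novell-style names -> networkAddress values.
CONSTRUCTED_DIRECTORY = {
    ".gerben.admins.acme": [
        b"9#" + bytes([10, 1, 2, 30]) + b"\x02\x0c",  # logged in twice
        b"9#" + bytes([10, 1, 9, 77]) + b"\x02\x0c",
    ],
    ".jan.sales.acme": [b"9#" + bytes([10, 1, 2, 31]) + b"\x02\x0c"],
    ".piet.sales.acme": [b"0#" + b"\x00" * 10],  # IPX-only login, no IP
}


def lookup_login_addresses(user, directory=CONSTRUCTED_DIRECTORY):
    """Stand-in for an LDAP search returning the user's login IP addresses."""
    return {
        ip
        for value in directory.get(user, [])
        for ip in [decode_network_address(value)]
        if ip
    }


# --- 3. authorizer with per-IP TTL -------------------------------------------
class IdentLdapAuthorizer:
    """Trusts a client IP for `ttl_seconds` once ident + LDAP agree on it.

    Trust is per IP address, as in the post: anything sharing that address
    (NAT, a multi-user box) inherits it, and a client may answer ident with
    any name it likes; the directory cross-check is what stops a bare lie.
    """

    def __init__(self, ttl_seconds=300, directory=CONSTRUCTED_DIRECTORY,
                 clock=time.monotonic):
        self.ttl = ttl_seconds
        self.directory = directory
        self.clock = clock
        self._cache = {}  # client_ip -> (user, expires_at)

    def cached_user(self, client_ip):
        entry = self._cache.get(client_ip)
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() >= expires_at:
            del self._cache[client_ip]
            return None
        return user

    def authorize(self, client_ip, ident_query):
        """Return the authenticated user for client_ip, or None.

        ident_query is a zero-argument callable that performs the ident
        round trip; it is only invoked when the IP is not cached, which is
        the 'once per TTL' behaviour the post asks for.
        """
        user = self.cached_user(client_ip)
        if user:
            return user
        user = parse_ident_reply(ident_query())
        if user is None:
            return None
        if client_ip not in lookup_login_addresses(user, self.directory):
            return None  # claimed user is not logged in from this address
        self._cache[client_ip] = (user, self.clock() + self.ttl)
        return user


if __name__ == "__main__":
    auth = IdentLdapAuthorizer()
    reply = "6191, 3128 : USERID : OTHER : .gerben.admins.acme"  # constructed
    print(auth.authorize("10.1.2.30", lambda: reply))
    print(auth.authorize("10.1.2.31", lambda: reply))  # wrong address: None
```

In a deployment `lookup_login_addresses` would become an LDAP search for the user's entry reading `networkAddress`, and `ident_query` the port 113 exchange Squid already performs; negative results are deliberately not cached so a user who logs in a moment later is not locked out for a whole TTL.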

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:19 MST