Re: [squid-users] Squid 2.5 stable 1 and basic auth/ldap

From: Alex Sharaz <A.Sharaz@dont-contact.us>
Date: Thu, 13 Feb 2003 08:20:33 +0000

Quoting Henrik Nordstrom <hno@squid-cache.org>:

> Alex Sharaz wrote:
> >
> > Quoting Henrik Nordstrom <hno@squid-cache.org>:
> >
> > > Nobody has written one for the FAQ yet, but there is some documentation
> > > in the documentation to each helper (authentication and/or group
> > > helper).
> > >
> > > If you plan on using groups I strongly advise to look into the group
> > > helper of 2.5.STABLE1-2003XXXX snapshots, or 2.5.STABLE2 when released
> > > (which is not far away now).
>
> > if you're running on linux why not just use pam authentication and set up a
> > squid specific pam.d file that uses ldap that's what I'm running here and it was
> > very easy to set up. didn't have to modify any squid related files at all
>
>
> Using PAM is suitable if you want to have the proxy users fully
> integrated as UNIX accounts on the proxy server. Most people running
> proxy services and having external authentication databases such as NT
> or LDAP do not actually want this, instead running the proxy as an
> appliance where the accounts are only valid for the proxy service, not
> the OS.
>
but you don't have to have proxy users integrated into the unix accounts. My
squid caches are basically black boxes with 2 userids on it. My own and a
colleague in the computer centre. The "squid" file in /etc/pam.d just says
"authenticate to openldap" there is no reference to local user as found in
/etc/passwd or nis or whatever else you would normally use so if a user with a
userid of FredBloggs tries to use the cache as long as his userid is in our ldap
database it all works

Would there be any performance hits using pam instead of a squid ldap module? I
must admit that I've only got about 20 people authenticating to our caches and
as there are 4 of them connected to a load balancing switch there's not much
going on at the moment :-))
alex
> But yes, if your OS is already set up to use the correct user accounts
> database then PAM will do the job fine.
>
> Regards
> Henrik
>
Received on Thu Feb 13 2003 - 01:21:08 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:13:22 MST