[squid-users] Multiple Auth Realms / E-mail auth

From: Diego Rivera <lrivera@dont-contact.us>
Date: 01 Jul 2003 11:42:23 -0600

Hello all

I've been combing through the mailing lists trying to find a conclusive
answer to my question, but with little luck as yet.

I did find references to functionality similar to what I need, but it's
supposedly in 2.5 - which I don't have and can't implement because of
its beta-status (I'm using 2.4-STABLE7).

Here's my issue: I need to have 1 squid proxy for a group of companies
that share the same building. Each company has their own auth server,
and e-mail domain. Some share LDAP servers, but users are on different
branches of the tree.

My ideal solution would be to have the proxy authenticate using the
user's full e-mail and their password. The authenticator program (or
internal module, or whatever) would then discern which server to auth
against from the e-mail address domain, and proceed accordingly.

For example: joe@company-1.com is different from joe@company-2.com and
should be authenticated against the servers for company-1, company-2,
etc.

Once that's done, squidGuard can be used to do redirection, and use the
full e-mails as usernames where appropriate. This also eliminates audit
confusion (i.e., joe accessed a porn site, but which joe?!?!?).

I'm currently working on an authenticator perl script that does the
split, and uses specific configurations to determine which server a
"realm" will auth against and how (LDAP, SMB, etc).

Currently I'm only working on the LDAP module which is the most pressing
(using Net::LDAP). I realize that there's already an LDAP authenticator
module available, but it doesn't have the functionality I need.

What I'd like to know is if all this work is really necessary (not done
before), and if anyone who has encountered an issue like this before has
been able to solve it 100% without having to do custom code.

I'm early on in writing the script(s), and it doesn't seem too tough
(except when you throw in LDAPS/LDAP-TLS into the mix, in which case it
just gets a little more complex to do the config), but I'd like to avoid
adding code if it's possible to reduce the complexity of the setup (and
learn from others' experiences as well).

If possible (not a priority), would I be able to tell different domains
apart for ACL purposes (i.e., company-1 can go to website X, but not
company-2)? How would this be accomplished? Could it be accomplished
with the above setup (don't think so...)?

Best

-- 
===========================================================
* Diego Rivera                                            *
*                                                         *
* "The Disease: Windows, the cure: Linux"                 *
*                                                         *
* E-mail: lrivera<AT>racsa<DOT>co<DOT>cr                  *
* Replace: <AT>='@', <DOT>='.'                            *
*                                                         *
* GPG: BE59 5469 C696 C80D FF5C  5926 0B36 F8FF DA98 62AD *
* GPG Public Key available at: http://pgp.mit.edu         *
===========================================================

Received on Tue Jul 01 2003 - 11:42:30 MDT
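The split-and-dispatch the post describes, as an added example that is not the author's Perl script or anything from the Squid project: a Squid basic-auth helper in Python that takes the full e-mail as the login, splits it at the last '@', selects the realm by domain and hands the local part and password to that realm's backend. The domains, server names and the stand-in bind function are constructed placeholders (a real backend would bind to the company's LDAP server); the plain "user password" line format is assumed to be what Squid 2.4 sends.

```python
import sys

# Constructed realm table (placeholder names): e-mail domain -> that company's directory.
REALMS = {
    "company-1.com": {"backend": "ldap", "server": "ldap1.example", "base": "ou=c1,dc=example"},
    "company-2.com": {"backend": "ldap", "server": "ldap2.example", "base": "ou=c2,dc=example"},
}

# Constructed stand-in for each directory (server -> {uid: password}) so this runs offline.
FAKE_DIRECTORIES = {
    "ldap1.example": {"joe": "s3cret-1"},
    "ldap2.example": {"joe": "s3cret-2"},
}

def fake_ldap_bind(local, password, realm):
    """Stand-in for an LDAP simple bind of uid=<local> on realm['server']."""
    return FAKE_DIRECTORIES.get(realm["server"], {}).get(local) == password

BACKENDS = {"ldap": fake_ldap_bind}   # an "smb" entry etc. would go here for other realm types

def split_login(login):
    """Return (local_part, domain) for an e-mail login, or None if malformed."""
    local, sep, domain = login.rpartition("@")
    if not sep or not local or not domain:
        return None
    return local, domain.lower()   # domain is case-insensitive, local part is not

def authenticate(login, password, realms=REALMS, backends=BACKENDS):
    """Pick the realm from the domain and check the credentials against it."""
    parsed = split_login(login)
    if parsed is None:
        return False
    local, domain = parsed
    realm = realms.get(domain)
    if realm is None:
        return False                # unknown domain: no server is ever contacted
    return bool(backends[realm["backend"]](local, password, realm))

def handle_line(line):
    """One helper request, 'user password' (plain Squid 2.4 format) -> 'OK' or 'ERR'."""
    user, sep, password = line.rstrip("\r\n").partition(" ")
    if not sep or not password:
        return "ERR"
    return "OK" if authenticate(user, password) else "ERR"

if __name__ == "__main__":
    # Squid keeps the helper running, one request per line, and waits for each reply.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()
```

Because the username Squid records is the full e-mail, the same joe at two companies shows up as two distinct users in the logs and in squidGuard, and the domain suffix is what per-company rules can match on.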
