On Tue, 2003-07-01 at 11:42, Diego Rivera wrote:
> Hello all
>
> I've been combing through the mailing lists trying to find a conclusive
> answer to my question, but with little luck as yet.
>
> I did find references to functionality similar to what I need, but it's
> supposedly in 2.5 - which I don't have and can't implement because of
> its beta-status (I'm using 2.4-STABLE7).
Quick correction: 2.5 is NOT beta, but I still can't use it (yet),
although I need to solve this issue ASAP! Sorry for the mixup.
>
>
> Here's my issue: I need to have 1 squid proxy for a group of companies
> that share the same building. Each company has their own auth server,
> and e-mail domain. Some share LDAP servers, but users are on different
> branches of the tree.
>
> My ideal solution would be to have the proxy authenticate using the
> user's full e-mail and their password. The authenticator program (or
> internal module, or whatever) would then discern which server to auth
> against from the e-mail addx domain, and proceed accordingly.
>
> For example: joe@company-1.com is different from joe@company-2.com and
> should be authenticated against the servers for company-1, company-2,
> etc.
>
> Once that's done, squidGuard can be used to do redirection, and use the
> full e-mails as usernames where appropriate. This also eliminates audit
> confusion (i.e., joe accessed a porn site, but which joe?!?!?).
>
> I'm currently working on an authenticator perl script that does the
> split, and uses specific configurations to determine against which
> server a "realm" will auth against and how (LDAP, SMB, etc).
>
> Currently I'm only working on the LDAP module which is the most pressing
> (using Net::LDAP). I realize that there's already an LDAP authenticator
> module available, but it doesn't have the functionality I need.
>
> What I'd like to know is if all this work is really necessary (not done
> before), and if anyone who has encountered an issue like this before has
> been able to solve it 100% without having to do custom code.
>
> I'm early on in writing the script(s), and it doesn't seem too tough
> (except when you throw in LDAPS/LDAP-TLS into the mix, in which case it
> just gets a little more complex to do the config), but I'd like to avoid
> adding code if it's possible to reduce the complexity of the setup (and
> learn from others' experiences as well).
>
> If possible (not a priority), would I be able to tell different domains
> apart for ACL purposes (i.e., company-1 can go to website X, but not
> company-2)? How would this be accomplished? Could it be accomplished
> with the above setup (don't think so...)?
>
> Best
-- =========================================================== * Diego Rivera * * * * "The Disease: Windows, the cure: Linux" * * * * E-mail: lrivera<AT>racsa<DOT>co<DOT>cr * * Replace: <AT>='@', <DOT>='.' * * * * GPG: BE59 5469 C696 C80D FF5C 5926 0B36 F8FF DA98 62AD * * GPG Public Key avaliable at: http://pgp.mit.edu * ===========================================================
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:47 MST