Re: [squid-users] Multiple Auth Realms / E-mail auth

From: Diego Rivera <lrivera@dont-contact.us>
Date: 04 Jul 2003 02:24:45 -0600

On Fri, 2003-07-04 at 00:21, Henrik Nordstrom wrote:

> I would recommend the second to be the only "driver" available.
>

I understand why, and agree. This will probably be what ends up
happening.

> A simple program where all configuration is in the code is no more
> than 3 lines per domain. (1 line of initialization, 1 line of
> condition to match the domain, 1 line to send the request to the
> correct backend helper). A configuration based program should be no
> more than about one screenful of code.

This one is a bit more than the screenful, but it's simple enough and
short enough. You are right though - the "driver" based approach is
mostly to allow for covering auth mechanisms that aren't inherently
supported by Squid (however strange or rare they may be).

> Err.. the usernames in such setup include the domain so Squid can
> easily group the users in different groups. But you probably want a
> glue similar to the above around the group helpers as well if you
> want to use group lookup helpers (2.5 feature).

I assume you refer to external_acl_type. I read the docs in the config
file, but I'm not clear on one thing:

Given the line:

external_acl_type domain_1_users .....

The "OK" or "ERR" responses only indicate whether the user (source,
destination, etc) would be a member of that ACL or not, correct?

Thus, I could then do:

http_access {allow|deny} domain_1_users

This means I'd have to define an external ACL helper for each domain I
wish to separate, correct? This shouldn't be too much trouble and I'll
get on it.

Is there a way to define "dynamic" ACLs, where I wouldn't need multiple
different ACL helpers, but just one, and from its output Squid can know
which (all?) of the dynamic ACLs the user belongs to?

Thus, I'd only need one ACL-selector helper program definition, and
could limit myself to something akin to:

http_dynamic_access {allow|deny} dynamic-acl-1 ...
http_dynamic_access {allow|deny} dynamic-acl-2 ...
...

Is this possible or even desirable?

BTW: here's an updated version of the squid-auth script, a little
cleaned up, slightly better internal docs, etc. I'm interested in any
additional comments you may have on it.

Best

-- 
===========================================================
* Diego Rivera                                            *
*                                                         *
* "The Disease: Windows, the cure: Linux"                 *
*                                                         *
* E-mail: lrivera<AT>racsa<DOT>co<DOT>cr                  *
* Replace: <AT>='@', <DOT>='.'                            *
*                                                         *
* GPG: BE59 5469 C696 C80D FF5C  5926 0B36 F8FF DA98 62AD *
* GPG Public Key available at: http://pgp.mit.edu         *
===========================================================

Received on Fri Jul 04 2003 - 02:24:52 MDT
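
Added example, not part of the original message or of Squid: a sketch of a single external ACL helper serving several per-domain ACLs, relying on Squid appending the arguments written on each `acl ... external` line to the request it sends the helper. The helper path, ACL names and domains are hypothetical, and request tokens are assumed to contain no whitespace or escaping.

```python
#!/usr/bin/env python3
"""External ACL helper sketch: one helper serving several per-domain ACLs.

Assumed squid.conf (names, path and domains are hypothetical):
    external_acl_type domain_check %LOGIN /usr/local/bin/domain_acl.py
    acl domain_1_users external domain_check domain1.example
    acl domain_2_users external domain_check domain2.example
    http_access allow domain_1_users

Squid sends one request per line: the %LOGIN value followed by the
arguments written on the acl line. The helper answers OK or ERR.
Assumption: tokens contain no whitespace or escaping.
"""
import sys


def login_domain(login):
    """Return the lowercased domain of 'user@domain', or None if malformed."""
    user, sep, domain = login.rpartition("@")
    if not sep or not user or not domain:
        return None
    return domain.lower()


def decide(line):
    """Map one request line to 'OK' (member) or 'ERR' (not a member)."""
    fields = line.split()
    if len(fields) < 2:          # no login or no domain argument: fail closed
        return "ERR"
    login, wanted = fields[0], {d.lower() for d in fields[1:]}
    domain = login_domain(login)
    return "OK" if domain is not None and domain in wanted else "ERR"


def main():
    # Squid keeps the helper running and expects one unbuffered reply per line.
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Malformed or domain-less logins get ERR, so a parsing problem never grants membership in any domain ACL.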
