RE: [squid-users] acl ident_regex

From: Chris Wilcox <not_rich_yet@dont-contact.us>
Date: Fri, 25 Jul 2003 20:11:00 +0100

Thanks for all the replies folks,

I'm sure that when I used identd on my clients at work ages ago, squid
logged hostname and username in its logs, and I'm also 99.9% sure this was
a standard ident server and not a modified one. However, I am aware of an
ident server for Windows which does currently return hostname within the
response, and the person responsible may be open to modifying his code to
meet our needs (likely for a fee but it would be worth it).

For our project to work, we need a way of transparently being able to
control access by client hostname as well as username. The hostname will be
used to determine whether Internet access is allowed, and the username will
be used to specify which filter is to be used for that user unless the user
themselves are denied access. Our project needs to be reliant only on
itself, i.e. it cannot rely on the network configuration it is being used on,
and it cannot require any major changes to the network for it to work. We
are happy that ident on the clients is an option, and the majority of our
target audience will already have security in place that wouldn't allow
users access to any ident server running on their machines. A vast majority
of our target networks will be using dynamic DHCP, so it is likely that
client computers will not have the same IP address on each connection to the
cache so it isn't an option to control access by IP. Also, using MAC
address is way too much of a hassle for the proposed end-users of our system
to contemplate. Installing ident servers on client machines is at this
moment as much work as we want the end-users to need to undertake.

If anyone is curious, the project proposal is sited at
http://www.nryonline.co.uk/project

If anyone has any further suggestions how we could undertake the ability to
control access by hostname then we are very open to suggestions!

Regards and thanks again,

nry

>
> > Sorry, but no there is no such field type in the ident protocol.
>
>My bad; I read it wrong. The two response types are "USERID" and
>"ERROR". As you have mentioned, "OTHER" is an operating system
>type within the USERID response. What I was trying to point out
>was that there should be no reason why he couldn't return the
>hostname. If it happens that his hostnames do not conform to the
>rules of the operating system, he can use the OTHER operating system
>type and remain in compliance.
>
>One other point that I was hinting about... Even his non-technical
>users can easily make the ident reply be anything *they* want it to
>be, too.
>
>Thanks,
>Rick
>
>
> > -----Original Message-----
> > From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> > Sent: Friday, July 25, 2003 12:52 PM
> > To: Rick Matthews
> > Cc: Chris Wilcox; squid-users@squid-cache.org
> > Subject: RE: [squid-users] acl ident_regex
> >
> >
> > Fri 2003-07-25 at 18.42, Rick Matthews wrote:
> >
> > > <http://identd.dyndns.org/identd/rfc1413.txt>, in addition to the
> > > response type USERID, there is an additional type "OTHER":
> >
> > Sorry, but no there is no such field type in the ident protocol.
> >
> > OTHER is an operating system type and indicates that the username which
> > follows is not structured according to any standard operating system
> > rules, and probably not meant to be human readable.
> >
> > There can only be one username in the same ident reply.
> >
> > In all operating system types you are allowed to return pretty much
> > anything as username, but if the operating system type is anything else
> > than OTHER then the returned username SHOULD follow the rules of that
> > operating system.
> >
> > It is perfectly fine if you set your ident server to return the hostname
> > as userid, if this is what you wish to make your users identify
> > themselves as to the network (using ident).
> >
> > Squid will use whatever is sent as user ident in the reply, ignoring the
> > opsys field.
> >
> > Regards
> > Henrik
> >
> > --
> > Donations welcome if you consider my Free Squid support helpful.
> > https://www.paypal.com/xclick/business=hno%40squid-cache.org
> >
> > Please consult the Squid FAQ and other available documentation before
> > asking Squid questions, and use the squid-users mailing-list when no
> > answer can be found. Private support questions are only answered
> > for a fee or as part of a commercial Squid support contract.
> >
> > If you need commercial Squid support or cost effective Squid and
> > firewall appliances please refer to MARA Systems AB, Sweden
> > http://www.marasystems.com/, info@marasystems.com
> >

Received on Fri Jul 25 2003 - 13:11:14 MDT
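
Added example, not part of the thread and not Squid's code: a parser for RFC 1413 reply lines that extracts the userid regardless of the opsys field, as Henrik describes, followed by a regex check in the style of an `ident_regex` ACL. The port pair, the `lab-pc-NN` hostname convention, the function names and the sample replies are all constructed for illustration.

```python
import re

# RFC 1413 reply: "<port-on-identd-host> , <port-on-querier> : <type> : <rest>"
_REPLY = re.compile(r"\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*([A-Za-z]+)\s*:(.*)")

class IdentError(Exception):
    """Malformed reply, ERROR response, or reply for another connection."""

def parse_ident_reply(line, port_pair):
    """Return (opsys, userid) from a USERID reply for the queried port pair."""
    m = _REPLY.fullmatch(line.rstrip("\r\n"))
    if not m:
        raise IdentError("malformed reply")
    if (int(m.group(1)), int(m.group(2))) != port_pair:
        raise IdentError("port pair does not match the query")
    rtype, rest = m.group(3).upper(), m.group(4)
    if rtype == "ERROR":
        raise IdentError("ident error: " + rest.strip())
    if rtype != "USERID":
        raise IdentError("unknown response type: " + rtype)
    # rest is "<opsys>[,<charset>] : <user-id>"; the user-id may contain ':'.
    opsys, sep, userid = rest.partition(":")
    userid = userid.strip()  # trimmed for matching: a simplification made here
    if not sep or not userid:
        raise IdentError("missing user-id")
    return opsys.split(",")[0].strip().upper(), userid

def ident_allowed(line, port_pair, pattern):
    """Match the pattern against the userid only; the opsys field is ignored."""
    try:
        _opsys, userid = parse_ident_reply(line, port_pair)
    except IdentError:
        return False
    # The userid is whatever the client's ident server sent; it is unauthenticated.
    return re.search(pattern, userid) is not None

PAIR = (40213, 3128)              # constructed: client source port, proxy port
HOST_PATTERN = r"^lab-pc-\d+$"    # constructed hostname convention
SAMPLES = [                       # constructed replies, not captured traffic
    "40213 , 3128 : USERID : OTHER : lab-pc-07\r\n",   # hostname as userid
    "40213 , 3128 : USERID : UNIX : lab-pc-07\r\n",    # same userid, other opsys
    "40213 , 3128 : USERID : UNIX : cwilcox\r\n",      # ordinary username
    "40213 , 3128 : ERROR : NO-USER\r\n",              # error response
    "40999 , 3128 : USERID : OTHER : lab-pc-07\r\n",   # wrong connection
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(ident_allowed(s, PAIR, HOST_PATTERN), repr(s))
```

The first two samples give the same result because only the userid is matched, so a hostname carried in the reply is exactly as trustworthy as the ident server that sent it.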