RE: [squid-users] Identd authentication

From: Chris Wilcox <not_rich_yet@dont-contact.us>
Date: Thu, 05 Feb 2004 15:28:57 +0000

>From: "David Rippel" <RippelD@hillsboroughcounty.org>
>To: <squid-users@squid-cache.org>
>Subject: [squid-users] Identd authentication
>Date: Thu, 05 Feb 2004 09:53:19 -0500
>
>My current setup:
>
>Squid (ACLs) -> DansGuardian (filtering) -> Squid (Caching)
>
>What happens is that Squid sends an ident query to the client, if the
>username in the response (using an external acl) appears in a file that
>contains a list of allowed users (polled from an ldap server every hour),
>it allows the client access. From there, DG will send another ident query
>for logging purposes.
>
>If the ident query fails, the next acl uses basic auth and authenticates
>the user with ldap.
>
>The problem is that it generates two ident queries per request and I'm
>afraid on a network with over 3000 users this might be too much. It would
>be nice if Squid would treat ident as a true authentication mechanism and
>"remember" who the user is for a certain amount of time, like with basic
>auth.

I thought Squid did cache ident lookups?

Do I presume that you aren't able to run identd on all clients? DG can
already handle ident lookups as you know, and the latest 2.7.x code handles
multiple filter levels. With multiple filter levels in place, if an ident
lookup cannot be found then DG will run that request through 'filter1' which
is the default filter level. You could in theory set filter1 to be very
restrictive and filter2 to meet the company requirements. If an ident
response is available then DG will filter as per company req: if it isn't
(eg the user has disabled it) then they'd be restrictively filtered.

The main problem with DG is that it currently does not cache ident lookups.
This means that for a single webpage of 10 images and some text etc, DG will
do an ident lookup for EVERY request on that page. In itself this almost makes
it worth considering using ldap authentication exclusively, though I have no
idea about how much bandwidth/network overhead is required for each ident
lookup/response pair: my guess is that it's actually pretty small. Maybe
someone on here can quantify this guess?

Regards,

nry
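Editor's note, not part of the thread: the "remember who the user is" behaviour the original poster asks for is what Squid's `external_acl_type` cache already gives when the ACL is keyed on `%IDENT` with a `ttl=`; Squid then consults the helper once per ident user name per ttl period rather than once per request. The helper below is an added example of such an external ACL helper (not code from Squid, DansGuardian or anyone in the thread). The squid.conf wiring in its docstring uses real Squid 2.5 directives, but the file paths, helper name and the `ident_lookup_access` / `ident_timeout` values are assumptions. It also relies on Squid substituting a lone `-` for an ident lookup that failed or timed out, so that case falls through to the `proxy_auth` ACL. One caveat a practitioner should keep in mind: an ident reply is whatever the client host chooses to say (RFC 1413 itself warns it is not an authentication mechanism), so this only identifies users on hosts you control; adding `%SRC` to the format keys the cache per client address as well as per name, at the cost of more helper calls.

```python
#!/usr/bin/env python3
"""Squid external ACL helper keyed on the ident (RFC 1413) user name.

Added example, not code from the squid-users thread.  Assumed squid.conf
wiring (the directives exist in Squid 2.5; paths and values are hypothetical):

    ident_lookup_access allow all
    ident_timeout 5 seconds
    external_acl_type ident_users ttl=3600 negative_ttl=60 %IDENT \
        /usr/local/bin/ident_acl.py /etc/squid/allowed_users
    acl ident_ok external ident_users
    auth_param basic program /usr/lib/squid/squid_ldap_auth ...
    acl ldap_auth proxy_auth REQUIRED
    http_access allow ident_ok
    http_access allow ldap_auth
    http_access deny all

Squid caches each helper answer for ttl seconds keyed on the format fields
(here only %IDENT), so the helper runs once per user name per hour, not once
per request.  Ident replies are asserted by the client host and are not an
authentication mechanism (RFC 1413 section 6); hence the proxy_auth fallback.
"""
import sys
import time

# Re-read the allow-list this often; the original poster refreshes it from
# LDAP hourly, so a longer interval would only serve stale data.
RELOAD_SECONDS = 3600


def parse_allow_list(text):
    """One user name per line; blank lines and '#' comments are ignored.
    Names are compared exactly as Squid passes them (case-sensitive)."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            users.add(line)
    return users


def decide(request_line, allowed):
    """Map one request line from Squid to the one-line reply 'OK' or 'ERR'.

    With a %IDENT-only format the request line is just the ident user name.
    Assumption (matches Squid's behaviour as we understand it): a failed or
    timed-out ident lookup arrives as a lone '-', which must never be allowed,
    so that Squid moves on to the proxy_auth ACL in http_access.
    """
    fields = request_line.rstrip("\r\n").split(" ")
    user = fields[0] if fields else ""
    if user in ("", "-"):
        return "ERR"
    return "OK" if user in allowed else "ERR"


def main(allow_list_path):
    """Helper protocol: read one request per line on stdin, answer one line."""
    allowed = set()
    loaded = None
    for line in sys.stdin:
        now = time.monotonic()
        if loaded is None or now - loaded > RELOAD_SECONDS:
            with open(allow_list_path) as fh:
                allowed = parse_allow_list(fh.read())
            loaded = now
        sys.stdout.write(decide(line, allowed) + "\n")
        sys.stdout.flush()  # Squid blocks until the reply arrives; never buffer


if __name__ == "__main__":
    main(sys.argv[1])
```

Run it as the helper named in `external_acl_type`; Squid starts several copies (the `children=` option) and feeds each a user name per line. Because the only state is the allow-list, the helper is safe to run as many instances, and a reload of the list needs no Squid restart.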

Received on Thu Feb 05 2004 - 08:47:06 MST

This archive was generated by hypermail pre-2.1.9 : Mon Mar 01 2004 - 12:00:02 MST