RE: [squid-users] Identd authentication

From: David Rippel <RippelD@dont-contact.us>
Date: Thu, 05 Feb 2004 11:00:11 -0500

I have identd running on all clients. Squid doesn't appear to be caching ident lookups... maybe I'm missing something in my config for this?

If Squid could pass the ident username somehow to DG with cache_peer then DG wouldn't need to do any ident requests (this works if you're using basic auth). I'm more worried about Squid's ident requests failing and users having to type in their username/password in order to authenticate.

Ident could be taken out of the picture entirely if I had a client of some type on the Windows workstations that would handle the basic auth requests from Squid automagically. Novell makes an SSO client for this sort of thing but it's too expen$ive.

- David

>>> "Chris Wilcox" <not_rich_yet@hotmail.com> 2/5/2004 10:28:57 AM >>>

I thought Squid did cache ident lookups?

Do I presume that you aren't able to run identd on all clients? DG can
already handle ident lookups as you know, and the latest 2.7.x code handles
multiple filter levels. With multiple filter levels in place, if an ident
lookup cannot be found then DG will run that request through 'filter1' which
is the default filter level. You could in theory set filter1 to be very
restrictive and filter2 to meet the company requirements. If an ident
response is available then DG will filter as per company req: if it isn't
(eg the user has disabled it) then they'd be restrictively filtered.

The main problem with DG is that it currently does not cache ident lookups.
This means that for a single webpage of 10 images and some text etc, DG will
do an ident lookup for EVERY request on that page. In itself this is almost
worth considering using LDAP authentication exclusively, though I have no
idea about how much bandwidth/network overhead is required for each ident
lookup/response pair: my guess is that it's actually pretty small. Maybe
someone on here can quantify this guess?

Regards,

nry
Received on Thu Feb 05 2004 - 09:00:32 MST
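
The lookup-per-request cost discussed in this thread, as an added example that is not from the original messages or from Squid or DG code: a minimal RFC 1413 reply parser and a hypothetical per-client cache that counts how many ident queries a page load triggers. `IdentCache`, `load_page`, the 60-second TTL and the sample addresses and replies are assumptions; keying by client IP assumes one user per workstation.

```python
import time

def parse_ident_reply(line):
    """Return the user id from an RFC 1413 reply, or None on ERROR or malformed input."""
    parts = line.strip().split(":", 3)      # ports : type : opsys : user-id
    if len(parts) < 3:
        return None
    ports = parts[0].split(",")
    if len(ports) != 2 or not all(p.strip().isdigit() for p in ports):
        return None
    if parts[1].strip().upper() != "USERID" or len(parts) != 4:
        return None
    return parts[3].strip() or None         # simplification: surrounding spaces dropped

class IdentCache:
    """Hypothetical per-client cache; assumes one user per workstation IP."""
    def __init__(self, lookup, ttl=60.0, clock=time.monotonic):
        self.lookup = lookup                # callable(client_ip) -> raw reply line
        self.ttl = ttl
        self.clock = clock
        self.entries = {}                   # client_ip -> (user, expiry)
        self.lookups = 0                    # ident queries actually sent

    def user_for(self, client_ip):
        now = self.clock()
        hit = self.entries.get(client_ip)
        if hit and hit[1] > now:
            return hit[0]
        self.lookups += 1
        user = parse_ident_reply(self.lookup(client_ip))
        if user is not None:                # failures are not cached, so they retry
            self.entries[client_ip] = (user, now + self.ttl)
        return user

# Constructed replies, keyed by constructed client addresses.
SAMPLE_REPLIES = {
    "192.0.2.10": "1042, 3128 : USERID : OTHER : alice\r\n",
    "192.0.2.11": "1043, 3128 : ERROR : NO-USER\r\n",
}

def load_page(cache, client_ip, requests=11):
    """One page load: 10 images plus the page itself, as in the message above."""
    return [cache.user_for(client_ip) for _ in range(requests)]

if __name__ == "__main__":
    cache = IdentCache(SAMPLE_REPLIES.__getitem__)
    print(load_page(cache, "192.0.2.10")[0], cache.lookups)
```

A client whose identd answers with ERROR is never cached here, so each of its requests still costs a lookup.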
