Re: [squid-users] LDAP in access.log

From: <rchandler_at_ntelos.net>
Date: Mon, 23 Nov 2009 19:30:00 -0500

Thanks!

The LDAP server is also a Radius server that does Auth for all services. The time zones are different and our IPs are pooled so we get a lot of false positives when we correlate the log files. The LDAP database stores the username/IP so realtime lookups are the most accurate. We are working on updating the log files on the Radius server to get more pertinent information.
I just wanted to try this.

Thanks for your help!

Riley
-----Original Message-----

From: Jose Ildefonso Camargo Tolosa <ildefonso.camargo_at_gmail.com>
Subj: Re: [squid-users] LDAP in access.log
Date: Mon Nov 23, 2009 15:23
Size: 2K
To: Henrik Nordstrom <henrik_at_henriknordstrom.net>
cc: "Riley E. Chandler" <rchandler_at_ntelos.net>; squid-users_at_squid-cache.org

Sorry, missed the "key point":

>> I don't authenticate, and I can't enable it.

Now, the question is: where does he store the "LDAP authentication"
+ IP.... I don't get what Riley is trying to do.

Where do the users "log into"? Anywhere they log into, that system
should be able to log the IP and the username, and then, another
(external) script could parse both logs files (which are on the same
computer, and thus can be time-correlated) and get squid's entries
coming from the same IP at the same time as the user was logged in
from that IP.... but then, there are some ISPs (mostly, cell phone
access), that masquerade their users to a narrow set of *real* IPs,
and thus: you can have more than one user at the same time from the
same IP (at least, that's possible).

I hope this helps,

Ildefonso Camargo

On Tue, Nov 24, 2009 at 3:43 PM, Henrik Nordstrom
<henrik_at_henriknordstrom.net> wrote:
> There are only scripts for performing LDAP based authentication based on
> login+password, there are no scripts to query some LDAP on what user is
> logged in at IP X.
>
>
>
> tis 2009-11-24 klockan 15:23 +1930 skrev Jose Ildefonso Camargo Tolosa:
>> Hi!
>>
>> But... such scripts are already part of squid, I don't have the names
>> at hand, but really: squid works really well with LDAP, you can even
>> create ACLs "by-ldap-groups".
>>
>> And, squid will produce something like this in the logs:
>>
>> 1258978126.154   5238 192.168.12.34 TCP_REFRESH_MISS/200 776 GET http://mail.google.com/ username DIRECT/74.125.45.17 text/html
>>
>> As you can see, it has: client's IP, URL, username and server IP.
>>
>> I hope this helps,
>>
>> Ildefonso Camargo
>>
>> On Tue, Nov 24, 2009 at 5:06 AM, Henrik Nordstrom
>> <henrik_at_henriknordstrom.net> wrote:
>> > sön 2009-11-22 klockan 21:32 -0500 skrev Riley E. Chandler:
>> >> I need to do a LDAP search for username based on source IP, I would
>> >> prefer to have Squid put it in the access.log.  My other option is to
>> >> generate my own log file based off the access.log and to include the
>> >> LDAP info separately.  My users are only online for minutes or seconds
>> >> at a time, so it's hard to correlate IP to username from the two
>> >> different logs.
>> >
>> > You will need to write a small script performing the lookup, and then
>> > integrate this into Squid via external_acl_type.
>> >
>> >
>> > external_acl_type ldap_ip_user_lookup %SRC /path/to/your/script
>> > acl lookup_ip_user external ldap_ip_user_lookup
>> > http_access deny lookup_ip_user !all
>> >
>> >
>> > The strange http_access rule is just to trigger the acl. It does not in
>> > itself have any outcome on the request and is only used for the side effect
>> > of setting the username.
>> >
>> > Regards
>> > Henrik
>> >
>> >
>
>

--- message truncated ---
Received on Tue Nov 24 2009 - 00:31:06 MST
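As an added example, not code from this thread or from Squid's own helper set, here is a minimal external_acl_type helper in Python for the configuration Henrik sketches (`external_acl_type ldap_ip_user_lookup %SRC /path/to/your/script`). The IP-to-user table is a constructed stand-in for the site-specific LDAP/Radius session lookup, which is assumed to return every user currently recorded on an address; the helper only sets `user=` when that answer is unambiguous, so the pooled/NAT case raised in the thread is logged as unknown rather than misattributed.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: map a client IP (%SRC) to a username.

Squid starts it via:  external_acl_type ldap_ip_user_lookup %SRC /path/to/this
Protocol: one request per stdin line ("<ip>"), one reply per stdout line,
either "OK user=<name>" or "ERR". The user= value is what Squid writes
into the username column of access.log.
"""
import sys
from typing import Dict, Iterable, List

# Constructed stand-in for the directory's ip->user session records.
# A real helper would query LDAP here (assumed site-specific schema).
SESSION_TABLE: Dict[str, List[str]] = {
    "192.168.12.34": ["alice"],
    "10.0.0.7": ["bob", "carol"],   # two sessions behind one pooled/NAT IP
    "172.16.5.9": ["eve smith"],    # value that cannot be emitted safely
}


def lookup_users(ip: str, table: Dict[str, List[str]]) -> List[str]:
    """Return every username the directory currently records on `ip`."""
    return table.get(ip, [])


def format_reply(ip: str, table: Dict[str, List[str]]) -> str:
    """Build the helper's one-line reply for a single %SRC value."""
    users = lookup_users(ip, table)
    # Zero or several users on the IP: reply ERR so access.log does not
    # carry a guessed (possibly wrong) username for that request.
    if len(users) != 1:
        return "ERR"
    user = users[0]
    # Replies are whitespace-delimited; whitespace or control characters in
    # the name would corrupt the reply line, so refuse rather than emit it.
    if not user or any(c.isspace() or ord(c) < 32 for c in user):
        return "ERR"
    return f"OK user={user}"


def handle_lines(lines: Iterable[str], table: Dict[str, List[str]]) -> List[str]:
    """Answer a batch of request lines; the first token of each is the IP."""
    replies = []
    for line in lines:
        tokens = line.strip().split()
        replies.append(format_reply(tokens[0] if tokens else "", table))
    return replies


if __name__ == "__main__":
    for request in sys.stdin:             # one request per line from Squid
        print(handle_lines([request], SESSION_TABLE)[0], flush=True)
```

Squid waits on each reply, so the unbuffered `flush=True` is required; with the `http_access deny lookup_ip_user !all` trick from the thread the ACL never denies anything and the username simply appears in access.log.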
