Re: [squid-users] LDAP in access.log

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 24 Nov 2009 14:13:30 +1300

On Mon, 23 Nov 2009 19:30:00 -0500, <rchandler_at_ntelos.net> wrote:
> Thanks!
>
> The LDAP server is also a Radius server that does Auth for all services.

> The time zones are different and our IPs are pooled so we get a lot of
> false positives when we correlate the log files. The LDAP database stores
> the username/ip so realtime lookups are the most accurate. We are working
> on updating the log files on the radius server to get more pertinent
> information.
> I just wanted to try this.

Have you considered using the squid_radius_auth helper bundled with Squid,
to get Squid logging the auth details+IP and having the same auth backend
as for all other services?

Amos

>
> Thanks for your help!
>
> Riley
> -----Original Message-----
>
> From: Jose Ildefonso Camargo Tolosa <ildefonso.camargo_at_gmail.com>
> Subj: Re: [squid-users] LDAP in access.log
> Date: Mon Nov 23, 2009 15:23
> Size: 2K
> To: Henrik Nordstrom <henrik_at_henriknordstrom.net>
> cc: "Riley E. Chandler" <rchandler_at_ntelos.net>;
> squid-users_at_squid-cache.org
>
> Sorry, missed the "key point":
>
>>> I don't authenticate, and I can't enable it.
>
> Now, the question is: where does he store the "ldap authentication"
> + IP.... I don't get what Riley is trying to do.
>
> Where do the users "log into"? Anywhere they log into, that system
> should be able to log the IP and the username, and then, another
> (external) script could parse both logs files (which are on the same
> computer, and thus can be time-correlated) and get squid's entries
> coming from the same IP at the same time as the user was logged in
> from that IP.... but then, there are some ISPs (mostly, cell phone
> access), that masquerade their users to a narrow set of *real* IPs,
> and thus: you can have more than one user at the same time from the
> same IP (at least, that's possible).
>
> I hope this helps,
>
> Ildefonso Camargo
>
> On Tue, Nov 24, 2009 at 3:43 PM, Henrik Nordstrom
> <henrik_at_henriknordstrom.net> wrote:
>> There are only scripts for performing LDAP based authentication based on
>> login+password, there are no scripts to query some LDAP on what user is
>> logged in at ip X.
>>
>>
>>
>> tis 2009-11-24 klockan 15:23 +1930 skrev Jose Ildefonso Camargo Tolosa:
>>> Hi!
>>>
>>> But... such scripts are already part of squid, I don't have the names
>>> at hand, but really: squid works really well with LDAP, you can even
>>> create ACLs "by-ldap-groups".
>>>
>>> And, squid will produce something like this in the logs:
>>>
>>> 1258978126.154 5238 192.168.12.34 TCP_REFRESH_MISS/200 776 GET http://mail.google.com/ username DIRECT/74.125.45.17 text/html
>>>
>>> As you can see, it has: client's IP, URL, username and server IP.
>>>
>>> I hope this helps,
>>>
>>> Ildefonso Camargo
>>>
>>> On Tue, Nov 24, 2009 at 5:06 AM, Henrik Nordstrom
>>> <henrik_at_henriknordstrom.net> wrote:
>>> > sön 2009-11-22 klockan 21:32 -0500 skrev Riley E. Chandler:
>>> >> I need to do an LDAP search for username based on source IP, I would
>>> >> prefer to have Squid put it in the access.log. My other option is to
>>> >> generate my own log file based off the access.log and to include the
>>> >> LDAP info separately. My users are only online for minutes or seconds
>>> >> at a time, so it's hard to correlate IP to username from the two
>>> >> different logs.
>>> >
>>> > You will need to write a small script performing the lookup, and then
>>> > integrate this into Squid via external_acl_type.
>>> >
>>> >
>>> > external_acl_type ldap_ip_user_lookup %SRC /path/to/your/script
>>> > acl lookup_ip_user external ldap_ip_user_lookup
>>> > http_access deny lookup_ip_user !all
>>> >
>>> >
>>> > The strange http_access rule is just to trigger the acl. It does not in
>>> > itself have any outcome on the request and is only used for the side
>>> > effect of setting the username.
>>> >
>>> > Regards
>>> > Henrik
>>> >
>>> >
>>
>>
>
> --- message truncated ---
Received on Tue Nov 24 2009 - 01:13:41 MST
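A minimal helper for the external_acl_type setup Henrik describes in the quoted part above, added here as an example and not code from anyone in this thread: it reads the %SRC IP Squid hands it per line and answers "OK user=..." so the name lands in the access.log username column, or "ERR" when the IP is unknown or, the case Ildefonso raises, shared by several users at once. The LDAP query is replaced by a constructed in-memory table, and the lookup_users() name and the sample addresses are assumptions.

```python
#!/usr/bin/env python3
# Squid external_acl_type helper: map the client IP (%SRC) to a user name.
# Added example, not code from the thread; the LDAP query is replaced by a
# constructed in-memory table so it runs offline (swap out lookup_users()).
import re
import sys
from typing import Dict, List

# Constructed sample data standing in for the LDAP "username/ip" records.
# 10.0.0.7 carries two concurrent users, the pooled/shared-IP case raised
# in the thread, so the helper must refuse to guess there.
SESSION_TABLE: Dict[str, List[str]] = {
    "192.168.12.34": ["riley"],
    "10.0.0.5": ["alice"],
    "10.0.0.7": ["bob", "carol"],
}

# The reply is whitespace-separated key=value pairs; only pass through user
# names that cannot smuggle extra fields or spaces into access.log.
SAFE_USER = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")

def lookup_users(ip: str) -> List[str]:
    """Every user currently recorded on this IP (hypothetical backend)."""
    return SESSION_TABLE.get(ip, [])

def handle_request(line: str) -> str:
    """Reply for one request line carrying a single %SRC field.

    'OK user=<name>' makes Squid log <name> for the request; 'ERR' leaves
    the username column as '-'. The acl exists only for its side effect,
    so answering ERR when the IP is ambiguous avoids mis-attribution.
    """
    fields = line.split()
    if len(fields) != 1:
        return "ERR"
    users = lookup_users(fields[0])
    if len(users) != 1 or not SAFE_USER.match(users[0]):
        return "ERR"
    return f"OK user={users[0]}"

def main() -> None:
    # One request per line, exactly one reply line each, flushed at once.
    for line in sys.stdin:
        sys.stdout.write(handle_request(line) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

Point the /path/to/your/script in Henrik's external_acl_type line at this file; the user= tag in the OK reply is what fills the username field.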
