Re: [squid-users] Storing more squid config into LDAP

From: Chris Robertson <crobertson_at_gci.net>
Date: Wed, 09 Dec 2009 13:23:30 -0900

Felipe Augusto van de Wiel wrote:
> Hi,
>
> I'm already using LDAP authentication and the
> company I work for tries to put a lot of authentication
> and authorization (meta-)information inside LDAP.
>
> This week, we were wondering if it is possible
> to use LDAP as a backend for acl lists. The idea would
> be to get a list of domains for a user or a list of
> source domains for an acl and so on, instead of putting
> the list in squid.conf or in an external file, LDAP
> would be the "repository".
>
> Looking at the standard config it doesn't seem
> to be possible, the only external "repository" would be
> a file, but do you believe it is possible to try to
> achieve it using external_acl?
>

Certainly.

> Writing a custom script that would get info
> from LDAP and check different items and conditions?
>

Yes, this is possible.

> In principle, the discussion led us to having
> an LDAP object for squid with generic lists, like
> sites allowed for all the company, sites for a Walled
> Garden, sites restricted for different groups, but we
> also spoke about having lists per-user, as every person
> would have an object inside LDAP, we could have a field
> that would add or remove sites from the previous lists
> on a per-user basis.
>
> What do you think?
>

Give your external ACL some leeway with caching results (also known as
the TTL). Make it too small and you are going to be hitting your LDAP
server for every object. Further realize that every request for an
object that results in different parameters being passed to the external
ACL is going to require a response from the external ACL. If you want
to verify that a specific user is allowed to access a specific URL, you
need to send a username/URL pair. Every object that comprises a web
page is going to result in a query to the external ACL. Obviously using
destination domain is going to reduce the number of checks that need to
be made.

> Has anybody heard about anything along those lines?
>
> Thanks in advance for any info/suggestions. :)
>
> Kind regards,
> - --
> Felipe Augusto van de Wiel <felipe.wiel_at_hpp.org.br>
> Information Technology (IT) - Complexo Pequeno Príncipe
> http://www.pequenoprincipe.org.br/ T: +55 41 3310 1085

Chris
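As an added illustration of the approach discussed in this thread (not code from either poster, nor from the Squid project), below is a minimal external_acl helper in the shape Squid expects: it reads one "%LOGIN %DST" line per request on stdin, answers "OK" or "ERR" on stdout, and keeps its own TTL cache in front of the directory lookup so that the burst of objects making up one page does not become a burst of LDAP queries. The company, group and per-user add/remove lists are constructed in-memory dictionaries standing in for LDAP attributes (the attribute layout is hypothetical; a real helper would fetch them with an LDAP client library). The squid.conf lines in the leading comment use the real `external_acl_type` options `ttl=`, `negative_ttl=` and `children=`, and the `%LOGIN` and `%DST` format tokens, so Squid's own result cache sits in front of this helper's cache.

```python
#!/usr/bin/env python3
"""Squid external_acl helper sketch: decide whether a login may reach a destination
domain from company-wide, per-group and per-user lists, with a TTL cache in the helper.

Hypothetical squid.conf wiring (helper path and acl name are placeholders):
    external_acl_type ldap_sites ttl=300 negative_ttl=60 children=5 %LOGIN %DST /usr/local/bin/ldap_acl.py
    acl ldap_allowed external ldap_sites
    http_access allow ldap_allowed
"""
import shlex
import sys
import time

# Constructed stand-in for the LDAP data; a real helper would query the directory here.
COMPANY_ALLOWED = {"example.com", "intranet.example.net"}
GROUP_ALLOWED = {
    "developers": {"github.com"},
    "marketing": {"twitter.com"},
}
USERS = {
    # login: (groups, per-user additions, per-user removals)
    "alice": ({"developers"}, {"docs.python.org"}, set()),
    "bob": ({"marketing"}, set(), {"twitter.com"}),
}


def domain_matches(dst, allowed):
    """True if dst equals, or is a subdomain of, any entry in allowed."""
    dst = dst.lower().rstrip(".")
    for dom in allowed:
        dom = dom.lower()
        if dst == dom or dst.endswith("." + dom):
            return True
    return False


def parse_request(line):
    """Parse one helper input line produced by a '%LOGIN %DST' format.
    Squid double-quotes values that contain spaces or quotes; shlex undoes that."""
    fields = shlex.split(line.strip())
    if len(fields) != 2:
        raise ValueError("expected 2 fields, got %r" % (fields,))
    return fields[0], fields[1]


class Helper:
    def __init__(self, ttl=300, clock=time.monotonic):
        self.ttl = ttl          # seconds a decision stays valid inside the helper
        self.clock = clock      # injectable for testing
        self.cache = {}         # (login, dst) -> (decision, expires_at)
        self.lookups = 0        # how many times the "directory" was consulted

    def directory_decision(self, login, dst):
        """Where a real helper would talk to LDAP; here it reads the constructed dicts.
        Per-user removals beat per-user additions, which beat group and company lists."""
        self.lookups += 1
        groups, added, removed = USERS.get(login, (set(), set(), set()))
        if domain_matches(dst, removed):
            return False
        if domain_matches(dst, added):
            return True
        for group in groups:
            if domain_matches(dst, GROUP_ALLOWED.get(group, set())):
                return True
        return domain_matches(dst, COMPANY_ALLOWED)

    def decide(self, login, dst):
        """Return the cached decision while it is fresh, otherwise refresh it."""
        key = (login, dst.lower())
        now = self.clock()
        hit = self.cache.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]
        decision = self.directory_decision(login, dst)
        self.cache[key] = (decision, now + self.ttl)
        return decision

    def handle_line(self, line):
        """Map one input line to the reply Squid expects; malformed input is denied."""
        try:
            login, dst = parse_request(line)
        except ValueError:
            return "ERR"
        return "OK" if self.decide(login, dst) else "ERR"


def main():
    helper = Helper()
    for line in sys.stdin:
        sys.stdout.write(helper.handle_line(line) + "\n")
        sys.stdout.flush()  # Squid blocks on the reply; never leave it sitting in a buffer


if __name__ == "__main__":
    main()
```

The two caches serve different purposes: Squid's `ttl=` cache is keyed on the whole format string, so every distinct login/domain pair still reaches the helper once per TTL, while the helper-side cache lets one child absorb repeats across its own lifetime; sizing both too small reproduces exactly the per-object LDAP load the reply above warns about.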
Received on Wed Dec 09 2009 - 22:23:38 MST