Re: [squid-users] reloading settings on a regular basis

From: E.S. Rosenberg <esr+squid_at_g.jct.ac.il>
Date: Sat, 29 Sep 2012 21:38:45 +0200

2012/9/29 Eliezer Croitoru <eliezer_at_ngtech.co.il>:
> On 9/27/2012 5:25 PM, E.S. Rosenberg wrote:
>>>
>>> >what kind of ACLs are you talking about exactly?
>>
>> Lists of users, users that browse through ISP A, and users that browse
>> through ISP B, users that are blocked etc.
>>
> I would say the better approach to evade problems with users getting access
> to ISP is "ISP B" first and if match acl use "ISP B" for the external acl.
I have A, B and C with a potential for quite a few more (not
necessarily ISPs but also browsing restrictions or lack thereof).
I guess I over-simplified things a bit, but we have lots of user based
stuff going on, in addition we also want to start capping bandwidth
usage on a per user basis so that resources are shared more fairly
etc.
Regards,
Eli
>
>>> >think in mind that you can write your own settings file\db and to work
>>> > with.
>>> >
>>> >if it's LDAP\mysql\RADIUS It can be done easily.
>>
>> The info on which ISP a user is supposed to use at the moment is
>> "partially" in LDAP (ie. determined by location in tree or membership
>> of a unix group, I'd like to change it to being an attribute for each
>> user).
>
> Since it's a kind of a simple check it shouldn't be such a big problem to
> use external_acl.
> if it's only 2 ISP connections it's either the "default" or "special" and
> you should be able to use only one external_acl for that.
> the good thing about helper is that it has ttl which make the user "rule"
> for authenticated users(not by IP).
> If you would use a helper with concurrency support(async) you can get pretty
> good results.
> if you do ask me there is not much between unix\ldap group to user
> specific ISP object.
> With group you get the benefit of easy management of the group.
>
>
>>
>> We also have a RADIUS server which basically acts as a frontend to
>> LDAP for some RADIUS based products, it seems that leveraging RADIUS
>> would provide other advantages if I also leverage the reporting
>> feature to count users' traffic....
>> Thanks,
>> Eli
>>
> Using radius can give you a lot in the sense of authentication etc.
>
> and as I wrote before: one of the worst things to do in sense of
> configurations of a proxy is to "reconfigure" every five or so minutes.
> It should be safe generally if needed for specific operations but it should
> be static configured and use any resource exists to allow dynamic
> configuration instead of reconfiguration.
>
> Regards,
>
> Eliezer
>
> --
> Eliezer Croitoru
> https://www1.ngtech.co.il
> IT consulting for Nonprofit organizations
> eliezer <at> ngtech.co.il
Received on Sat Sep 29 2012 - 19:38:52 MDT
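
The external_acl approach recommended in this thread, as an added example that is not part of either poster's message or of Squid itself: a helper that answers "is this user in this group?" from a table it reloads whenever the file changes, so membership updates need no reconfigure. Assumptions: the `user group` flat-file format and the names `GroupMap` and `answer` are made up here (a real deployment would query LDAP or RADIUS as discussed), and the helper is declared with `external_acl_type` using the `%LOGIN` format plus `ttl=` and a non-zero `concurrency=`, so each request line starts with a channel ID.

```python
#!/usr/bin/env python3
"""Squid external ACL helper, concurrent protocol: is <user> in <group>?"""
import os
import sys
from urllib.parse import unquote


class GroupMap:
    """user -> group table (assumed 'user group' per line), reloaded on change."""

    def __init__(self, path):
        self.path, self.mtime, self.table = path, None, {}

    def lookup(self, user):
        try:
            mtime = os.stat(self.path).st_mtime_ns
            if mtime != self.mtime:  # file edited: reload, no "squid -k reconfigure"
                with open(self.path) as fh:
                    rows = [ln.split() for ln in fh if not ln.startswith("#")]
                self.table = {r[0]: r[1] for r in rows if len(r) == 2}
                self.mtime = mtime
        except OSError:
            pass  # file briefly missing mid-update: keep serving the last good table
        return self.table.get(user)


def answer(line, groups):
    """Map one request '<channel> <user> <group>' to '<channel> OK' or '<channel> ERR'."""
    fields = line.split()
    if len(fields) != 3 or not fields[0].isdigit():
        # Malformed input fails closed; echo the channel only if it is numeric.
        channel = fields[0] if fields and fields[0].isdigit() else "0"
        return f"{channel} ERR"
    channel, user, wanted = fields[0], unquote(fields[1]), fields[2]  # %LOGIN is URL-escaped
    verdict = "OK" if groups.lookup(user) == wanted else "ERR"
    return f"{channel} {verdict}"


def main():
    groups = GroupMap(sys.argv[1])  # path to the group file
    for line in sys.stdin:
        sys.stdout.write(answer(line, groups) + "\n")
        sys.stdout.flush()  # the request waits on this reply; never buffer it


if __name__ == "__main__":
    main()
```

Squid caches each verdict for the configured `ttl=`, so a membership change takes effect once the cached entry expires rather than immediately.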
