package: lwat
severity: wishlist
version: 0.17-4

---------- Forwarded Message ----------
Subject: How to grant squid/web proxy access? (Was: Merge LWAT and DHCP machine objects in LDAP?)
Date: Wednesday 06 August 2008 11:12
From: Petter Reinholdtsen <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

[Finn-Arne Johansen]
> In a short distance I can see 2 or 3 more:
[...]
> Squid access information (Or maybe that should be provided based on
> netgroup)

My proposal was to use subnet information in LDAP to grant squid
access. Do you believe it is a better idea to grant it per host
instead?

Granting it to all hosts or users in a netgroup will be easier, as we
do not need to add subnet information in LDAP.

If we grant access per subnet, clients on those subnets will work out
of the box without any updates to LDAP. If we grant it using
netgroups, the host needs to be added to LDAP before it can get on the
net. This will make it required to add new hosts to netgroups before
we can PXE install them, if the use of a proxy is required.

Anyone got a view on this?

Happy hacking,
-- 
Petter Reinholdtsen

-------------------------------------------------------

---------- Forwarded Message ----------
Subject: Re: How to grant squid/web proxy access? (Was: Merge LWAT and DHCP machine objects in LDAP?)
Date: Wednesday 06 August 2008 21:55
From: Finn-Arne Johansen <[EMAIL PROTECTED]>
To: Petter Reinholdtsen <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]

Petter Reinholdtsen wrote:
> [Finn-Arne Johansen]
>
>> Reading from the list, I guess most people would like to allow all
>> hosts, unless the specific host(s) is denied access. So I guess the
>> easiest approach will be to allow all, unless the host(s) is listed
>> in a specific netgroup (like DeniedInet or something)
>
> Sounds like a good idea. Do you mean all hosts, or all hosts on the
> local subnets?

I mean all hosts that can reach the squid proxy. The server would in
all normal situations be behind a firewall, and therefore all hosts
that can reach the proxy would be on the local subnet.

Maybe there should be an example in the helper script to add a subnet.
As this would only be an example, commented out by default, it would
not be a problem to hardcode the IP-address.

-- 
Finn-Arne Johansen
[EMAIL PROTECTED] http://bzz.no/
EE2A71C6403A3D191FCDC043006F1215062E6642 062E6642

-------------------------------------------------------