package: debian-edu-config
severity: wishlist
version: 1.423

---------- Forwarded Message ----------

Subject: Getting rid of hardcoded IP numbers in the squid.conf file?
Date: Tuesday 05 August 2008 17:48
From: Petter Reinholdtsen <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

At the moment, very few services in Skolelinux use hardcoded IP addresses. Each and every one of these makes it harder to change to a different IP subnet for the Skolelinux network. The services I am aware of are

 - DNS (/etc/bind/debian-edu/*)
 - DHCP (LDAP)
 - Squid (/etc/squid/squid.conf)
 - CUPS (/etc/cups/cups.conf)
 - tcp-wrapper (/etc/hosts.{allow,deny})

I doubt we will be able to drop IP addresses from DHCP and DNS, but we should try to get rid of them for the others. This email is about Squid.

At the moment, we specify the range of IP addresses allowed to talk to the Squid server in squid.conf. Recently I have become aware of the support in squid for 'external' ACL providers. We could easily write such an external ACL provider that looks up the subnet in LDAP and grants access based on the content in LDAP instead of hardcoding it in the configuration file. For this to work, we need to add subnet information in LDAP.

I found <URL:http://devel.squid-cache.org/external_acl/> documenting the original project to add support for external ACL providers. It got a reference to a script to authenticate users and IP addresses. We could probably use it as a starting point.

Anyone know of any well defined specification for storing subnet information in LDAP? I know AD got a subnet schema, ref <URL:http://www.grotan.com/ldap/microsoft.schema>. Perhaps we could use some ideas from there?

LDAP objects like this would work:

  dn: cn=10.0.2.0/23,cn=subnets,dc=skole,dc=skolelinux,dc=no
  objectClass: top
  objectClass: subnet
  cn: 10.0.2.0/23

We could configure the external ACL provider to accept all subnets registered in LDAP. This would make it trivial to add access for more subnets.

Happy hacking,
-- 
Petter Reinholdtsen
-------------------------------------------------------
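The helper sketched in the mail, written out as an added example (not code from the bug report or from debian-edu-config): a Squid external ACL helper that answers OK or ERR per client IP depending on whether that IP falls inside a subnet entry like the one proposed above. It assumes Squid hands it one %SRC address per stdin line (external_acl_type syntax assumed), and it replaces the LDAP search with a constructed in-memory LDIF snippet so it runs offline; a real helper would fetch the same entries from cn=subnets with an LDAP search.

```python
import ipaddress
import sys

# Constructed LDIF standing in for the result of an LDAP search under
# cn=subnets,dc=skole,dc=skolelinux,dc=no (sample data, not real entries).
SAMPLE_LDIF = """\
dn: cn=10.0.2.0/23,cn=subnets,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: subnet
cn: 10.0.2.0/23

dn: cn=192.168.0.0/24,cn=subnets,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: subnet
cn: 192.168.0.0/24
"""

def parse_subnets(ldif):
    """Collect the cn values of 'subnet' entries as ip_network objects.
    A malformed cn is skipped so one bad entry cannot take the helper down."""
    nets = []
    for entry in ldif.strip().split("\n\n"):
        attrs = {}
        for line in entry.splitlines():
            key, _, value = line.partition(":")
            attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if "subnet" not in [c.lower() for c in attrs.get("objectclass", [])]:
            continue
        for cn in attrs.get("cn", []):
            try:
                nets.append(ipaddress.ip_network(cn, strict=True))
            except ValueError:
                continue
    return nets

def decide(line, nets):
    """Map one request line from Squid (the client IP) to OK or ERR."""
    try:
        addr = ipaddress.ip_address(line.strip())
    except ValueError:
        return "ERR"  # garbage input is denied, never granted
    return "OK" if any(addr in n for n in nets) else "ERR"

def main():
    nets = parse_subnets(SAMPLE_LDIF)
    for line in sys.stdin:
        sys.stdout.write(decide(line, nets) + "\n")
        sys.stdout.flush()  # Squid blocks waiting for each answer

if __name__ == "__main__":
    main()
```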