I have been setting up an "Authentication Gateway" using
ipchains and ncsa-auth in collusion with a local company. It is
not complete yet, but the project is well under way. It runs
standalone on a dual-homed Linux box. The user logs in to the
box, and in doing so, his profile script amends the ipchains
table to allow him/her access to anything on the "other" side.
On logout, the reverse happens.
Regards, Trevor.
29/05/01 17:40:01, Colin McKinnon <[EMAIL PROTECTED]> wrote:
>Hi all,
>
>Anybody out there doing much in the way of authentication for web
>access? I don't just mean the htaccess stuff - I want to be able to
>authenticate users putting requests through our internet web proxy
>(squid) and using PHP based applications locally.
>
>I do have programs written in C for squid redirection and PHP which use
>a common database which expires 'sessions' after a period of
>inactivity. Because I am using it for authentication on the proxy I
>can't rely on information stored at the client end. The downside is
>that it requires the user to log on again (although the PHP login page
>they get redirected to calls an external C program which is linked to
>the PAM libs so that they can be authenticated using an existing Samba
>/ NT / Unix account).
>
>I'd prefer if it were completely transparent though - i.e. not require
>the user to log on but still to be authenticated for access. Given that
>they should already have logged on to their workstation (most commonly
>Windows 9X, although a couple of 3.11 and Linux boxes) the obvious
>solution is to authenticate on the basis of that session.
>
>AFAICS there are 2 ways to do this - NTLM and ident.
>
>NTLM is very Microsoft specific - but I can authenticate a MSWindows
>against a unix account using Samba and it's supported under squid. But
>what about Netscape? Non MS-Windows clients?
>
>If I use ident, I get the username associated with the current session
>on the workstation, but how do I know that they were authenticated by a
>server which I control? (I got a MSWindows identd from the SquidGuard
>site).
>
>Anybody any ideas? Other solutions?
>
>Colin
>
>--------------------------------------------------------------------
>http://www.lug.org.uk http://www.linuxportal.co.uk
>http://www.linuxjob.co.uk http://www.linuxshop.co.uk
>--------------------------------------------------------------------
>
Trevor Oxborrow
(Information Officer, Lomond and Argyll Primary Care NHS Trust)
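
The login/logout mechanism described in the reply above, sketched as an added example; it is not part of the original email and is not the project's own script. The function names, the use of the built-in `forward` chain, the `DRY_RUN` switch and taking the client address from `$SSH_CLIENT` are all assumptions made for illustration.

```sh
#!/bin/sh
# Added example: per-user gateway rules driven from a login profile.
# Assumptions (not from the post): rules live in the "forward" chain, the
# caller supplies the client's IPv4 address, and ipchains is reached through
# some privileged wrapper (it needs root; that wrapper is not shown).

# Accept only a dotted-quad IPv4 address, each octet 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    rest=$1. count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}; rest=${rest#*.}
        count=$((count + 1))
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    [ "$count" -eq 4 ]
}

# Build the ipchains command: action is -I (login) or -D (logout).
gateway_rule() {
    action=$1 addr=$2
    valid_ipv4 "$addr" || { echo "refusing address: $addr" >&2; return 1; }
    echo "ipchains $action forward -s $addr -j ACCEPT"
}

# Print the command when DRY_RUN=1 (the default here), otherwise run it.
# $cmd is left unquoted on purpose: the address was validated above.
gateway_apply() {
    cmd=$(gateway_rule "$1" "$2") || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else $cmd; fi
}

gateway_login()  { gateway_apply -I "$1"; }
gateway_logout() { gateway_apply -D "$1"; }

# Constructed usage inside a profile script (assumes an SSH login):
#   client=${SSH_CLIENT%% *}
#   gateway_login "$client" && trap 'gateway_logout "$client"' EXIT HUP
```

The rule is keyed on source address only, so every user or process sharing that address is admitted for as long as the rule is present.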