[squid-users] Storing more squid config into LDAP

2009-12-09 Thread Felipe Augusto van de Wiel

Hi,

I'm already using LDAP authentication and the
company I work for tries to put a lot of authentication
and authorization (meta-)information inside LDAP.

This week, we were wondering if it is possible
to use LDAP as a backend for acl lists.  The idea would
be to get a list of domains for a user or a list of
source domains for an acl and so on, instead of putting
the list on squid.conf or in an external file, LDAP
would be the "repository".

Looking at the standard config it doesn't seem
to be possible, the only external "repository" would be
a file, but do you believe it is possible to try to
achieve it using external_acl?

Writing a custom script that would get info
from LDAP and check different items and conditions?

In principle, the discussion led us to having
an LDAP object for squid with generic lists, like
sites allowed for all the company, sites for a Walled
Garden, sites restricted for different groups, but we
also spoke about having lists per-user, as every person
would have an object inside LDAP, we could have a field
that would add or remove sites from the previous lists
on a per-user basis.

What do you think?

Has anybody heard about anything along those lines?

Thanks in advance for any info/suggestions. :)

Kind regards,
-- 
Felipe Augusto van de Wiel
Tecnologia da Informação (TI) - Complexo Pequeno Príncipe
http://www.pequenoprincipe.org.br/
T: +55 41 3310 1085


Re: [squid-users] Storing more squid config into LDAP

2009-12-09 Thread Amos Jeffries
On Wed, 09 Dec 2009 12:34:42 -0200, Felipe Augusto van de Wiel wrote:
> 
> Hi,
> 
>   I'm already using LDAP authentication and the
> company I work for tries to put a lot of authentication
> and authorization (meta-)information inside LDAP.
> 
>   This week, we were wondering if it is possible
> to use LDAP as a backend for acl lists.  The idea would
> be to get a list of domains for a user or a list of
> source domains for an acl and so on, instead of putting
> the list on squid.conf or in an external file, LDAP
> would be the "repository".
> 
>   Looking at the standard config it doesn't seem
> to be possible, the only external "repository" would be
> a file, but do you believe it is possible to try to
> achieve it using external_acl?
> 
>   Writing a custom script that would get info
> from LDAP and check different items and conditions?
> 

Yes. Exactly the intention of the external_acl_type. It's frequently done
with other database backends.

The cons are that it's a "slow" type ACL as well as being relatively slow
time-wise. So not all tests can use it.
> 
>   Has anybody heard about anything along those lines?
> 

AFAIK there is nothing preventing it.
Have not heard about it being done for LDAP yet but that is not unusual
since any such implementation would be an extremely site-specific custom
setup.

Amos


Re: [squid-users] Storing more squid config into LDAP

2009-12-09 Thread Chris Robertson

Felipe Augusto van de Wiel wrote:
> Hi,
>
> I'm already using LDAP authentication and the
> company I work for tries to put a lot of authentication
> and authorization (meta-)information inside LDAP.
>
> This week, we were wondering if it is possible
> to use LDAP as a backend for acl lists.  The idea would
> be to get a list of domains for a user or a list of
> source domains for an acl and so on, instead of putting
> the list on squid.conf or in an external file, LDAP
> would be the "repository".
>
> Looking at the standard config it doesn't seem
> to be possible, the only external "repository" would be
> a file, but do you believe it is possible to try to
> achieve it using external_acl?

Certainly.

> Writing a custom script that would get info
> from LDAP and check different items and conditions?

Yes, this is possible.

> In principle, the discussion led us to having
> an LDAP object for squid with generic lists, like
> sites allowed for all the company, sites for a Walled
> Garden, sites restricted for different groups, but we
> also spoke about having lists per-user, as every person
> would have an object inside LDAP, we could have a field
> that would add or remove sites from the previous lists
> on a per-user basis.
>
> What do you think?

Give your external ACL some leeway with caching results (also known as 
the TTL).  Make it too small and you are going to be hitting your LDAP 
server for every object.  Further realize that every request for an 
object that results in different parameters being passed to the external 
ACL is going to require a response from the external ACL.  If you want 
to verify that a specific user is allowed to access a specific URL, you 
need to send a username/URL pair.  Every object that comprises a web 
page is going to result in a query to the external ACL.  Obviously using 
destination domain is going to reduce the number of checks that need to 
be made.

> Has anybody heard about anything along those lines?
>
> Thanks in advance for any info/suggestions. :)
>
> Kind regards,
> -- 
> Felipe Augusto van de Wiel
> Tecnologia da Informação (TI) - Complexo Pequeno Príncipe
> http://www.pequenoprincipe.org.br/
> T: +55 41 3310 1085

Chris
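The external_acl_type helper that Amos and Chris describe, as an added example that is not from the thread or from the Squid project: it reads the "%LOGIN %DST" lines Squid sends, merges the company-wide, group and per-user domain lists, and answers OK or ERR per line. The DIRECTORY dictionary, the ldapdom ACL name, the helper path and the list layout are constructed stand-ins for a real LDAP search; the squid.conf lines in the header comment show the ttl= caching Chris recommends.

```python
# Squid external ACL helper (added example). Assumed squid.conf wiring, with
# ttl= caching each answer so every object on a page does not hit LDAP:
#   external_acl_type ldapdom ttl=300 negative_ttl=60 %LOGIN %DST /usr/local/bin/ldap_domain_acl.py
#   acl ldapdom external ldapdom
#   http_access allow ldapdom
# Squid sends one "user dstdomain" line per lookup and expects "OK" or "ERR".
import sys
# Constructed stand-in for the LDAP objects in the thread; a real helper would
# swap lookup_policy() for an LDAP search (e.g. via ldap3) returning the same lists.
DIRECTORY = {
    "company_allowed": ["intranet.example", "example.com"],
    "groups": {"marketing": ["social.example"]},
    "users": {
        "alice": {"groups": ["marketing"], "add": ["news.example"], "remove": ["social.example"]},
        "bob": {"groups": [], "add": [], "remove": []},
    },
}

def domain_matches(host, domain):
    """Squid dstdomain semantics: exact host or any subdomain of domain."""
    host, domain = host.lower().rstrip("."), domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)

def lookup_policy(user):
    entry = DIRECTORY["users"].get(user)   # merge company, group, per-user lists
    if entry is None:
        return None                        # unknown user: caller fails closed
    allowed = list(DIRECTORY["company_allowed"])
    for group in entry["groups"]:
        allowed += DIRECTORY["groups"].get(group, [])
    return allowed + entry["add"], entry["remove"]

def decide(line):
    parts = line.split()                   # expected: "<user> <dstdomain>"
    if len(parts) != 2:
        return "ERR"                       # malformed query: fail closed
    user, host = parts
    allowed, removed = lookup_policy(user) or ([], [])
    if any(domain_matches(host, d) for d in removed):
        return "ERR"                       # per-user removal overrides every list
    return "OK" if any(domain_matches(host, d) for d in allowed) else "ERR"

def main():
    for line in sys.stdin:                 # Squid writes one query per line
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()                 # Squid blocks until the answer arrives

if __name__ == "__main__":
    main()
```

Because the query key is the whole "user dstdomain" pair, Squid caches one answer per pair for ttl= seconds, which is why passing the destination domain rather than the full URL keeps the number of LDAP round trips down.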