It would be very nice to do this. As most of our users are on DHCP, the IP-based rules of squidGuard aren't that useful. We run Novell, but use PAM's LDAP module to authenticate Squid - we mainly did this to give us log entries with user names, but also, as part of the user authentication, we can check whether they are a member of the Novell squid group or not and allow/deny overall access on that basis. Not very granular, but better than nothing.

Seems to me that as the user (and Squid) has already gone through authentication, it would be redundant to have squidGuard do it again. Rather, Squid could pass additional info along with the username to squidGuard (as an X.500 DN?, i.e. cn=PCrooker,ou=DEPT,ou=DIVISION,o=ORGANISATION; hopefully we could put in arbitrary attributes here) that could then be parsed by SG.

This would require a small change to Squid, so that the external authenticator could accept more than just OK and ERR, and put what the authenticator returns into some variable.

just my 2 cents.

Phil


Jay Turner wrote:


Hi All,

I have built a version of Squid-2.5.STABLE1 that uses NTLM and wb_group for user authentication.

The next logical step is having squidGuard be aware of these NT groups and using those as src declarations.

Has anybody else thought of this/know a way to do this?

Using NTLM I can list users in a userlist with their domain and username info:

domain1/user1
domain1/user2
domain2/user4
etc..

what would be nice is to be able to filter against entire domains.

src domain1 {
    userlist domain1Users
}

where domain1Users contains:
domain1

Changing squidGuard is probably the only way to do this. Possibly two ways this could be done:

1) Having userlists recognize regular expressions so domains could be listed as:
^domain1/.*  - OK but probably not ideal
2) Creating a new src type called domain/domainlist which would contain a list of 
valid domains.

This could be done by using a regular expression to match against the start of the IDENT username, but be done behind the scenes perhaps? (please suggest a better way if you have one)

Alternatively you could move this functionality into Squid to allow only selected 
requests to be passed to the redirector via Squid ACL's (currently not possible AFAIK)
This would not provide the granular level of control that would be available in 
SquidGuard, but it would be an easy solution to provide blocking against only some 
users.

What are people's thoughts on such functionality?

Thanks
Jay
--

Phil Crooker            ORIX Australia                  61 8 8159 8806
UNIX SysAdmin           [EMAIL PROTECTED]               61 8 8159 8855 (fax)
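As an added example (not squidGuard or Squid code, and not written by either poster), here is how the domain-level src matching proposed above could be decided once squidGuard has the authenticated ident in hand. It covers both of Jay's options: explicit domain/user entries, whole-domain entries (the proposed domainlist type), and ^-anchored regular expressions in a userlist. The sample lists are constructed for this example; the DOMAIN\user form and case-insensitive comparison of NT domains are assumptions, and the naive_prefix_match function exists only to show the pitfall of matching a domain by string prefix (domain1 would also match domain10).

```python
import re

# Constructed sample lists, not real config: Jay's userlist plus a comment line.
DOMAIN1_USERS = """\
# userlist domain1Users (explicit domain/user identities)
domain1/user1
domain1/user2
domain2/user4
"""

# Jay's option 2: a new domainlist type holding whole domains.
DOMAIN1_DOMAINS = """\
domain1
"""

# Jay's option 1: userlist entries starting with ^ are regular expressions.
DOMAIN1_REGEX = """\
^domain1/.*
"""


def parse_list(text):
    """Return the non-empty, non-comment lines of a list file, stripped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def split_ident(ident):
    """Split an authenticated ident into (domain, user), both lower-cased.

    Accepts 'domain/user' as in Jay's list and 'DOMAIN\\user' (assumption:
    some NTLM helpers hand over the backslash form). A bare user has domain ''.
    """
    for sep in ("/", "\\"):
        if sep in ident:
            dom, user = ident.split(sep, 1)
            return dom.lower(), user.lower()
    return "", ident.lower()


def ident_in_userlist(ident, entries):
    """Exact match against explicit domain/user entries, case-insensitive and
    separator-normalised, so DOMAIN1\\User2 equals domain1/user2."""
    return split_ident(ident) in {split_ident(e) for e in entries}


def ident_in_domainlist(ident, domains):
    """Option 2: match when the domain part equals a listed domain exactly."""
    dom, _ = split_ident(ident)
    return dom != "" and dom in {d.lower() for d in domains}


def ident_matches_regex(ident, patterns):
    """Option 1: match when any ^-anchored pattern matches the ident."""
    return any(re.match(p, ident, re.IGNORECASE) for p in patterns)


def naive_prefix_match(ident, domains):
    """What a bare startswith() check would do: shown only as the pitfall."""
    return any(ident.lower().startswith(d.lower()) for d in domains)


def src_matches(ident, src):
    """Evaluate one src block given as a dict of list texts, e.g.
    {'userlist': DOMAIN1_USERS, 'domainlist': DOMAIN1_DOMAINS}.
    Any one matching list is enough (assumption for this example)."""
    if "userlist" in src:
        entries = parse_list(src["userlist"])
        plain = [e for e in entries if not e.startswith("^")]
        regexes = [e for e in entries if e.startswith("^")]
        if ident_in_userlist(ident, plain) or ident_matches_regex(ident, regexes):
            return True
    if "domainlist" in src and ident_in_domainlist(ident, parse_list(src["domainlist"])):
        return True
    return False


if __name__ == "__main__":
    src = {"userlist": DOMAIN1_USERS, "domainlist": DOMAIN1_DOMAINS}
    for ident in ("domain1/user1", "DOMAIN1\\user9", "domain10/user7", "domain2/user4"):
        print(ident, "->", "allow" if src_matches(ident, src) else "deny")
```

The domainlist check splits the ident at the separator and compares the domain part whole, which is why domain10/user7 is denied while naive_prefix_match would let it through; the regex path is separator-sensitive, so an entry written as ^domain1/.* will not match a DOMAIN1\user ident, which is the main thing to watch if the helper's output format ever changes.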