Re-reading my post, I totally screwed it up and continually made references to domains when I was actually meaning to say groups. You have gotten my point though.
Like Phil, I have used wb_groups for exactly the same purposes, to get a username in the log file and also allowing the use of a group to either completely allow or disallow internet access. Is there no way squid could be modified to pass group information through to the redirector? Possibly modifying the IDENT field to show domain\group\user? Or is this likely to break too many other components that rely on the existing formatting? It would be much easier I assume to have squid do that rather than modify SquidGuard to actually perform the group authentication via an external ACL like wb_groups. Jay -----Original Message----- From: Henrik Nordstrom [mailto:[EMAIL PROTECTED] Sent: Thursday, 6 March 2003 6:31 AM To: Phil Crooker; [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: SquidGuard & NT Groups On Wednesday 05 March 2003 23.19, Phil Crooker wrote: > Seems to me that as the user (and squid) has already gone thru > authentication it would be redundant to have squidGuard do it > again. Rather squid could pass additional info along with the > username to squidGuard (as an x.500 DN?, ie > cn=PCrooker,ou=DEPT,ou=DIVISION,o=ORGANISATION, hopefully we could > put in arbitrary attributes here) that could then be parsed by SG. The only information Squid has available to pass to SquidGuard is the username. Note: Squid-2.5 has extensive support for groups and other types of acls. Modifying SquidGuard to use the same type of group membership lookups as Squid should not be hard as Squid is relying on external helpers for the purpose. Regards Henrik
