Hi Rick,

Comments in line.

Identified by **

-----Original Message-----
From: Rick Matthews [mailto:[EMAIL PROTECTED]
Sent: Thursday, 6 March 2003 9:26 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: SquidGuard & NT Groups


I apologize up front for my ignorance of "NTLM" and "wb_group"! 

**NTLM basically uses the MS NTLM authentication scheme (challenge/response mechanism) 
to authenticate a user against an NT/W2K PDC. We primarily use this as an alternative 
to using IDENT to get the username into the logfile.

**wb_group is an external acl helper for squid that works in conjunction with NTLM to 
determine which NT Global Group the user belongs to and uses this as the basis for 
squid ACL rules etc.

> Using NTLM I can list users in a userlist with their domain and 
> username info:
> 
> domain1/user1
> domain1/user2
> domain2/user4
> etc..
> 
> what would be nice is to be able to filter against entire domains.
> 
> src domain1 {
>      userlist domain1Users
> }
> 
> where domain1Users contains:
> domain1

Would you mind using some "semi-real" data and explain that again? I'm
lost.

** I'm not surprised.... I continually used the word "domain" instead of "group". I am 
actually talking about the users' NT Global Group, not their NT domain.

** Real world would be to create 2 NT Global Groups - one called "NoPorn" another 
called "SomePorn" on the NT server and assign users to both of these groups.

** Then in squidGuard have two src declarations that identify these two groups (rather 
than listing each user in each group explicitly) and create different blocking ACLs 
for each.
squidGuard would then determine which NT group the current user request belonged to 
and filter appropriately.

** This would allow users to be added to and removed from these groups on the NT server 
with no changes required on the Linux server side; the increased/decreased 
access would be automatic as they are a part of the new group. This makes for easier 
management by Windows administrators.

** The problem is that currently the group information is not passed from Squid to 
squidGuard. (In my original post, when I was talking about domains instead of groups, I 
then got more screwed up by thinking that I actually was talking about domains, hence 
my references to "domain\username".... I'm never writing a technical email at 5:30pm 
again!)

> 2) Creating a new src type called domain/domainlist which would 
> contain a list of valid domains.

Listed in the squidGuard documentation under source group declarations
are:

IP addresses and/or ranges (multiple)
IP address/range list (single)
Domains (multiple)
Users (multiple)
User list (single)

This is not what you are looking for?

** As I said, I mean groups, not domains. However, "domains" in the squidGuard context 
refer to DNS-type domains; in any case I was (incorrectly) referring to NT "global 
domains".

> Alternatively you could move this functionality into Squid to allow 
> only selected requests to be passed to the redirector via Squid 
> ACL's (currently not possible AFAIK)

Tag Name:       redirector_access 
Usage:  redirector_access allow|deny 

Description
If defined, this access list specifies which requests are sent to 
the redirector processes

Default:        All requests are sent 

Example:        redirector_access allow aclname

Will that do it?

** I don't know how I missed that in squid.conf!! Yes, that does address that 
suggestion. But once again it would not provide the granular squidGuard filtering that 
I am suggesting. It would allow me to say "users in NT group 'Admins' don't get 
filtered" and "users in NT group 'staff' do get filtered by being sent to the redirector". 
But it is definitely a start.

** Hope that clears it up a bit for you.
As you are not aware of NTLM etc., this is probably functionality you don't require, 
but maybe you can see some merit in it.

**Jay

Rick


> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jay Turner
> Sent: Wednesday, March 05, 2003 2:58 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: SquidGuard & NT Groups
> 
> 
> Hi All,
> 
> I have built a version of Squid-2.5.STABLE1 that uses NTLM and wb_group for user 
> authentication.
> 
> The next logical step is having squidGuard be aware of these NT groups and using 
> those as src declarations.
> 
> Has anybody else thought of this/know a way to do this?
> 
> Using NTLM I can list users in a userlist with their domain and username info:
> 
> domain1/user1
> domain1/user2
> domain2/user4
> etc..
> 
> what would be nice is to be able to filter against entire domains.
> 
> src domain1 {
>      userlist domain1Users
> }
> 
> where domain1Users contains:
> domain1
> 
> Changing squidGuard is probably the only way to do this. Possibly two ways this 
> could be done:
> 
> 1) Having userlists recognize regular expressions so domains could be listed as:
> ^domain1/.*  - OK but probably not ideal
> 2) Creating a new src type called domain/domainlist which would contain a list of 
> valid domains.
> 
> This could be done by using a regular expression to match against the start of the 
> IDENT username but be done behind the scenes perhaps?? (please suggest a better way 
> if you have one)
> 
> Alternatively you could move this functionality into Squid to allow only selected 
> requests to be passed to the redirector via Squid ACL's (currently not possible AFAIK)
> This would not provide the granular level of control that would be available in 
> SquidGuard, but it would be an easy solution to provide blocking against only some users.
> 
> What are peoples thoughts on such functionality?
> 
> Thanks
> Jay
> 
> 
> 
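What the interim setup discussed above looks like in configuration: Squid authenticates the user with NTLM, asks the wb_group helper which NT global group the user is in, and uses redirector_access to keep the "Admins" group away from the redirector, while squidGuard (which never sees the group) still needs a per-user src list for the "NoPorn" and "SomePorn" groups. This is an added illustration, not configuration posted by Jay or Rick and not from the Squid or squidGuard projects. Assumptions: Squid 2.5 with Samba 3's ntlm_auth and the wbinfo_group.pl helper installed under /usr/lib/squid; squidGuard installed under /usr/local/squidGuard; NT global groups named Admins, NoPorn and SomePorn; blacklist directories porn/ and adult/ under dbhome; the hostname proxy.example.com for the block page. Adjust paths and names to the site.

```conf
# ---------------- squid.conf (Squid 2.5) ----------------
# NTLM challenge/response against the NT/W2K domain controller via winbind
# (assumed helper path: Samba 3 ntlm_auth). The basic scheme is a fallback
# for browsers that cannot do NTLM.
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 5
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 5
auth_param basic realm Proxy

# wb_group external ACL helper: asks whether the logged-in user (%LOGIN)
# is a member of the NT global group named on the acl line (assumed path).
external_acl_type nt_group ttl=600 %LOGIN /usr/lib/squid/wbinfo_group.pl

acl authenticated proxy_auth REQUIRED
acl nt_admins   external nt_group Admins
acl nt_noporn   external nt_group NoPorn
acl nt_someporn external nt_group SomePorn

# The group ACLs are referenced from http_access first: that is where Squid
# runs the helper lookup for the request and caches the answer, so that
# redirector_access below can reuse it.
http_access allow nt_admins
http_access allow nt_noporn
http_access allow nt_someporn
http_access allow authenticated
http_access deny all

redirect_program /usr/local/bin/squidGuard -c /usr/local/squidGuard/squidGuard.conf
redirect_children 5

# Members of Admins never reach squidGuard; everyone else is filtered.
# (The group list itself is maintained on the NT side, so moving a user in
# or out of Admins needs no change here.)
redirector_access deny nt_admins
redirector_access allow all

# ---------------- squidGuard.conf ----------------
dbhome /usr/local/squidGuard/db
logdir /usr/local/squidGuard/log

# Squid does not hand group membership to the redirector, so each src
# group is still a per-user list (assumed file names, one user per line,
# relative to dbhome). Entries must be spelt exactly as Squid passes the
# login name in the redirector's ident field; check squidGuard's log for
# the form in use before filling the lists.
src noporn {
    userlist noporn.users
}
src someporn {
    userlist someporn.users
}

# Blacklist categories (assumed layout under dbhome)
dest porn {
    domainlist porn/domains
    urllist    porn/urls
}
dest adult {
    domainlist adult/domains
}

# First matching src wins, so a user present in both lists gets the
# noporn policy.
acl {
    noporn {
        pass !porn !adult all
        redirect http://proxy.example.com/blocked.html?clientuser=%i&clientgroup=%s&url=%u
    }
    someporn {
        pass !porn all
        redirect http://proxy.example.com/blocked.html?clientuser=%i&clientgroup=%s&url=%u
    }
    default {
        pass all
    }
}
```

After loading this, the thing to verify is the redirector input: with `debug_options ALL,1 61,5` in squid.conf (or simply from squidGuard's own log) confirm that the ident field carries the NTLM login name and in which form (domain\user, domain/user or bare user), since the userlist files only match on an exact string. The bypass for Admins can be checked from access.log: a request from an Admins member must not show a squidGuard redirect, while the same URL from a NoPorn member must.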



