Yes, I would say that something along those lines would be what is required. 

Rather than replacing the username (because potentially leaving the username allows 
further restricting, i.e. all "SomePorn" members can go here except "SomePorn/jbloggs", 
who can go everywhere).

That's why I thought a starting point might be to modify Squid to put the Group in the 
IDENT field along with domain\username, i.e. domain\NTGroup\username or similar.

-----Original Message-----
From: Rick Matthews [mailto:[EMAIL PROTECTED]
Sent: Thursday, 6 March 2003 11:26 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: RE: SquidGuard & NT Groups


Thanks for the explanation; I understand it now.

Are you tracking anything in squidGuard at the username level?  It 
doesn't sound like you are.  If you don't need the username in
squidGuard, why not pass the group to squidGuard in the username
field?  It sounds like that would solve your squidGuard problem,
leaving the issue of how to get squid to log the username and send
the redirector the group name.  Maybe a second external process
plus a squid patch?

It's just a thought...

Rick



> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jay Turner
> Sent: Wednesday, March 05, 2003 7:57 PM
> To: Rick Matthews
> Cc: [EMAIL PROTECTED]
> Subject: RE: SquidGuard & NT Groups
> 
> 
> Hi Rick,
> 
> Comments in line.
> 
> Identified by **
> 
> -----Original Message-----
> From: Rick Matthews [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 6 March 2003 9:26 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: SquidGuard & NT Groups
> 
> 
> I apologize up front for my ignorance of "NTLM" and "wb_group"! 
> 
> **NTLM basically uses the MS NTLM authentication scheme (challenge/response 
> mechanism) to authenticate a user against a 
> NT/W2K PDC. We primarily use this as an alternative to using IDENT to get the 
> username into the logfile.
> 
> **wb_groups is an external acl helper for squid that works in conjunction with NTLM 
> to determine which NT Global Group 
> the user belongs to and use this as the basis for squid ACL rules etc.
> 
> > Using NTLM I can list users in a userlist with their domain and 
> > username info:
> > 
> > domain1/user1
> > domain1/user2
> > domain2/user4
> > etc..
> > 
> > what would be nice is to be able to filter against entire domains.
> > 
> > src domain1 {
> >      userlist domain1Users
> > }
> > 
> > where domain1Users contains:
> > domain1
> 
> Would you mind using some "semi-real" data and explain that again? I'm
> lost.
> 
> ** I'm not surprised.... I continually used the word "domain" instead of "group". I 
> am actually talking about the users' 
> NT Global Group, not their NT domain.
> 
> ** Real world would be to create 2 NT Global Groups - one called "NoPorn" another 
> called "SomePorn" on the NT server and 
> assign users to both of these groups.
> 
> ** Then in squidGuard have two src declarations that identify these two groups 
> (rather than listing each user in each 
> group explicitly) and create different blocking ACLs for each.
> SquidGuard would then determine which NT group the current user request belonged to 
> and filter appropriately.
> 
> ** This would allow users to be added and removed from these groups on the NT server 
> and no changes would be required on 
> the Linux server side; the increased/decreased access would be automatic as they are 
> a part of the new group. This makes 
> for easier management by Windows administrators.
> 
> ** The problem is currently the group information is not passed from Squid to 
> Squidguard (in my original post when I was 
> talking about domains instead of groups I then got more screwed up by thinking that 
> I actually was talking about domains 
> hence my references to "domain\username".... I'm never writing a technical email at 
> 5:30pm again!)
> 
> > 2) Creating a new src type called domain/domainlist which would 
> > contain a list of valid domains.
> 
> Listed in the squidGuard documentation under source group declarations
> are:
> 
> IP addresses and/or ranges (multiple)
> IP address/range list (single)
> Domains (multiple)
> Users (multiple)
> User list (single)
> 
> This is not what you are looking for?
> 
> ** As I said, I mean groups, not domains. However, domains in the squidGuard context 
> refer to DNS-type domains; in any 
> case I was (incorrectly) referring to NT "global domains".
> 
> > Alternatively you could move this functionality into Squid to allow 
> > only selected requests to be passed to the redirector via Squid 
> > ACL's (currently not possible AFAIK)
> 
> Tag Name:     redirector_access 
> Usage:        redirector_access allow|deny 
> 
> Description
> If defined, this access list specifies which requests are sent to 
> the redirector processes
> 
> Default:      All requests are sent 
> 
> Example:      redirector_access allow aclname
> 
> Will that do it?
> 
> ** I don't know how I missed that in squid.conf!! Yes, that does address that 
> suggestion. But once again it would not 
> provide the granular squidGuard filtering that I am suggesting. But it would allow me 
> to say "users in NT group 'Admins' 
> don't get filtered" and "users in NT group 'staff' do get filtered by being sent to the 
> redirector".
> But it is definitely a start.
> 
> ** Hope that clears it up a bit for you.
> As you are not aware of NTLM etc., this is probably functionality you don't require, 
> but maybe you can see some merit in it.
> 
> **Jay
> 
> Rick
> 
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Jay Turner
> > Sent: Wednesday, March 05, 2003 2:58 AM
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: SquidGuard & NT Groups
> > 
> > 
> > Hi All,
> > 
> > I have built a version of Squid-2.5.STABLE1 that uses NTLM and wb_group for user 
> > authentication.
> > 
> > The next logical step is having squidGuard be aware of these NT groups and using 
> > those as src declarations.
> > 
> > Has anybody else thought of this/know a way to do this?
> > 
> > Using NTLM I can list users in a userlist with their domain and username info:
> > 
> > domain1/user1
> > domain1/user2
> > domain2/user4
> > etc..
> > 
> > what would be nice is to be able to filter against entire domains.
> > 
> > src domain1 {
> >      userlist domain1Users
> > }
> > 
> > where domain1Users contains:
> > domain1
> > 
> > Changing squidGuard is probably the only way to do this. Possibly two ways this 
> > could be done:
> > 
> > 1) Having userlists recognize regular expressions so domains could be listed as:
> > ^domain1/.*  - OK but probably not ideal
> > 2) Creating a new src type called domain/domainlist which would contain a list of 
> > valid domains.
> > 
> > This could be done by using a regular expression to match against the start of the 
> > IDENT username but be done behind the 
> > scenes perhaps?? (please suggest a better way if you have one)
> > 
> > Alternatively you could move this functionality into Squid to allow only selected 
> > requests to be passed to the redirector 
> > via Squid ACL's (currently not possible AFAIK)
> > This would not provide the granular level of control that would be available in 
> > SquidGuard, but it would be an easy 
> > solution to provide blocking against only some users.
> > 
> > What are peoples thoughts on such functionality?
> > 
> > Thanks
> > Jay
> > 
> > 
> > 
> 
> 
> 
> 
> 

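As an added example (not code from this thread, from squidGuard or from Squid), here is a small Python redirector that does what Rick and Jay are describing: it takes the NT group from the ident field, matches src declarations by group, and still keeps the username alongside the group so that a single member can be excepted ("SomePorn/jbloggs" in Jay's terms). The redirector input line format, the DOMAIN\GROUP\user packing of the ident field, the block-page URL, the group and host names, and the policy table are all assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""
Prototype Squid redirector that filters by NT group taken from the ident field.

Added example for this thread; it is not squidGuard's or Squid's code.
Assumptions (not stated in the thread):
  * Squid hands a redirector one request per line as
    "URL client_ip/fqdn ident method" (Squid 2.x format; ident is "-"
    when no user is known) and expects an empty line back to leave the
    URL alone, or a replacement URL to rewrite it.
  * A patched Squid puts the group in ident as DOMAIN\\GROUP\\user
    (Jay's variant) or sends the bare group name instead of the user
    (Rick's variant).  Plain DOMAIN\\user is handled too (no group known).
  * NT names are case-insensitive, so all comparisons fold case.
"""
import sys
from urllib.parse import urlsplit

BLOCK_PAGE = "http://proxy.example.internal/blocked.html"  # hypothetical URL

# Constructed destination lists (the squidGuard "dest" equivalents).
DEST = {
    "porn": {"porn.example", "adult.example"},
    "warez": {"warez.example"},
}

# Constructed "src" declarations, first match wins.  Keeping the username
# next to the group is what makes the per-user override possible.
SRC = [
    {"name": "admins",   "users": {"corp\\jbloggs"}, "pass": ["all"]},
    {"name": "noporn",   "groups": {"NoPorn"},       "pass": ["!porn", "!warez", "all"]},
    {"name": "someporn", "groups": {"SomePorn"},     "pass": ["!warez", "all"]},
]
DEFAULT_PASS = ["none"]  # unknown or unauthenticated users are blocked (fail closed)


def parse_ident(ident):
    """Split the ident field into (domain, group, user); missing parts are None."""
    if ident in ("", "-"):
        return None, None, None
    parts = ident.split("\\")
    if len(parts) == 3:                 # DOMAIN\GROUP\user (composite ident)
        return parts[0], parts[1], parts[2]
    if len(parts) == 2:                 # DOMAIN\user (plain NTLM ident)
        return parts[0], None, parts[1]
    return None, parts[0], None         # bare group name (Rick's variant)


def dest_category(url):
    """Map a URL's hostname to a DEST category by suffix match, or None."""
    host = (urlsplit(url).hostname or "").lower()
    for category, suffixes in DEST.items():
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return category
    return None


def select_src(domain, group, user):
    """Return the first SRC entry matching the user exactly or the group."""
    full_user = (f"{domain}\\{user}" if domain and user else user or "").lower()
    for src in SRC:
        if user and full_user in {u.lower() for u in src.get("users", ())}:
            return src
        if group and group.lower() in {g.lower() for g in src.get("groups", ())}:
            return src
    return None


def allowed(pass_list, category):
    """Evaluate a squidGuard-style pass list ("!porn", "all", "none") in order."""
    for rule in pass_list:
        if rule == "all":
            return True
        if rule == "none":
            return False
        if rule.startswith("!"):
            if category == rule[1:]:
                return False
        elif rule == category:
            return True
    return False


def redirect(line):
    """Decide one request line: "" means pass through, otherwise the block page."""
    fields = line.split()
    if len(fields) < 4:
        return BLOCK_PAGE                # malformed input: fail closed
    url, _client, ident, _method = fields[:4]
    domain, group, user = parse_ident(ident)
    src = select_src(domain, group, user)
    pass_list = src["pass"] if src else DEFAULT_PASS
    return "" if allowed(pass_list, dest_category(url)) else BLOCK_PAGE


def main():
    # Squid keeps the helper running and writes one request per line.
    for line in sys.stdin:
        sys.stdout.write(redirect(line.rstrip("\n")) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Pointed at by redirect_program in squid.conf, the helper fails closed: no ident, an unknown group, or a malformed line all land on the block page rather than passing the request through. Two caveats a real patch would have to address: a group name containing spaces (common for NT groups) would break the whitespace split of the input line unless Squid escapes the ident field, and a bare one-part ident is ambiguous between "group" and "user without domain", so the Squid side must commit to one convention.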