> ** This would allow users to be added and removed from these groups
> on the NT server and no changes would be required on the Linux
> server side, the increased/decreased access would be automatic as
> they are a part of the new group. This makes for easier management
> by windows administrators.
I can definitely understand the benefits of accomplishing that! Would
you say that this is the primary goal behind the project? I like
your proposal of increasing the amount/types of information passed
between Squid and squidGuard, as it opens the door for added
functionality between the two. Having said that, I also suspect
that you would prefer to get this done sooner, rather than later.
Is it possible to accomplish your goal via script(s)?
In your original message on this topic you said:
> > Using NTLM I can list users in a userlist with their domain and
> > username info:
> >
> > domain1/user1
> > domain1/user2
> > domain2/user4
> > etc..
> >
> > what would be nice is to be able to filter against entire domains.
> >
> > src domain1 {
> > userlist domain1Users
> > }
> >
> > where domain1Users contains:
> > domain1
Based on your subsequent comments, I think I can safely replace
"domain" with "group":
> > Using NTLM I can list users in a userlist with their group and
> > username info:
> >
> > group1/user1
> > group1/user2
> > group2/user4
> > etc..
I don't know if "Using NTLM I can list..." means that you can
provide the information to NTLM in that format, or that you can
ask NTLM to list the information in that format. Either way, it
sounds like you could (through scripting) create and regularly update
a text file that contains that information.
Make that file available to your *nix box (through a shared directory,
or some other way), and run a script that reads:
group1/user1
group1/user2
group2/user4
group3/user5
and creates:
group1users
user1
user2
group2users
user4
group3users
user5
Then use the squidGuard.conf logic that you suggested:
> > what would be nice is to be able to filter against entire groups.
> >
> > src group1 {
> > userlist group1Users
> > }
True, this would not make the windows user maintenance *immediately*
effective in squidGuard, but it would be automatic, and the delay
could be minimized through procedures, scheduled cron jobs, or maybe
even trigger the process from the NT maintenance. Minimize the
delay, then properly set the user's expectations, and I think it
could work.
Rick
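The splitting script Rick sketches above, written out as an added example (not code from the thread or from squidGuard): it reads the "group/user" export, validates each line, and writes one "<group>users" file per group, which a cron job can run on a schedule. The input file name, output directory and the "<group>users" naming are assumptions.

```shell
#!/bin/sh
# Added example: turn an NT "group/user" export into squidGuard userlists.
# Assumed input: one "group/user" pair per line. Output: one file per
# group named "<group>users" (e.g. group1users), one username per line.

split_groups() {
    input="$1"
    outdir="$2"
    mkdir -p "$outdir"
    # Remove stale lists first, so a user dropped from a group on the NT
    # side also disappears on the Linux side at the next run.
    rm -f "$outdir"/*users
    # Accept only well-formed "group/user" lines. Restricting the group
    # name to a safe character set means a malformed or crafted line
    # (e.g. one containing "../") can never create a file outside outdir.
    # sort -u makes the output deterministic and drops duplicate entries.
    grep -E '^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$' "$input" | sort -u |
    while IFS=/ read -r group user; do
        printf '%s\n' "$user" >> "$outdir/${group}users"
    done
}

# Constructed sample export, matching the lines in the message above,
# plus one malformed line and one duplicate to show they are handled.
workdir=$(mktemp -d)
cat > "$workdir/ntusers.txt" <<'EOF'
group1/user1
group1/user2
group2/user4
group3/user5
../etc/passwd/user9
not a valid line
group1/user1
EOF

split_groups "$workdir/ntusers.txt" "$workdir/lists"
```

With the sample input this produces group1users (user1, user2), group2users (user4) and group3users (user5); the malformed lines are ignored and the duplicate is collapsed.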
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Jay Turner
> Sent: Wednesday, March 05, 2003 7:57 PM
> To: Rick Matthews
> Cc: [EMAIL PROTECTED]
> Subject: RE: SquidGuard & NT Groups
>
>
> Hi Rick,
>
> Comments in line.
>
> Identified by **
>
> -----Original Message-----
> From: Rick Matthews [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 6 March 2003 9:26 AM
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: RE: SquidGuard & NT Groups
>
>
> I apologize up front for my ignorance of "NTLM" and "wb_group"!
>
> **NTLM basically uses the MS NTLM authentication scheme (challenge/response
> mechanism) to authenticate a user against a
> NT/W2K PDC. We primarily use this as an alternative to using IDENT to get the
> username into the logfile.
>
> **wb_groups is an external acl helper for squid that works in conjunction with NTLM
> to determine which NT Global Group
> the user belongs to and use this as the basis for squid ACL rules etc.
>
> > Using NTLM I can list users in a userlist with their domain and
> > username info:
> >
> > domain1/user1
> > domain1/user2
> > domain2/user4
> > etc..
> >
> > what would be nice is to be able to filter against entire domains.
> >
> > src domain1 {
> > userlist domain1Users
> > }
> >
> > where domain1Users contains:
> > domain1
>
> Would you mind using some "semi-real" data and explain that again? I'm
> lost.
>
> ** I'm not surprised.... I continually used the word "domain" instead of "groups" I
> am actually talking about the users
> NT Global Group not their NT domain.
>
> ** Real world would be to create 2 NT Global Groups - one called "NoPorn" another
> called "SomePorn" on the NT server and
> assign users to both of these groups.
>
> ** Then in squidguard have two Src declarations that identify these two groups
> (rather than listing each user in each
> group explicitly) and creating different blocking ACL's for each.
> SquidGuard would then determine which NT group the current user request belonged to
> and filter appropriately.
>
> ** This would allow users to be added and removed from these groups on the NT server
> and no changes would be required on
> the Linux server side, the increased/decreased access would be automatic as they are
> a part of the new group. This makes
> for easier management by windows administrators.
>
> ** The problem is currently the group information is not passed from Squid to
> Squidguard (in my original post when I was
> talking about domains instead of groups I then got more screwed up by thinking that
> I actually was talking about domains
> hence my references to "domain\username".... I'm never writing a technical email at
> 5:30pm again!)
>
> > 2) Creating a new src type called domain/domainlist which would
> > contain a list of valid domains.
>
> Listed in the squidGuard documentation under source group declarations
> are:
>
> IP addresses and/or ranges (multiple)
> IP address/range list (single)
> Domains (multiple)
> Users (multiple)
> User list (single)
>
> This is not what you are looking for?
>
> ** As I said, I mean groups not domains. However domains in the squidGuard context
> refers to DNS type domains, in any
> case I was (incorrectly) referring to NT "global domains"
>
> > Alternatively you could move this functionality into Squid to allow
> > only selected requests to be passed to the redirector via Squid
> > ACL's (currently not possible AFAIK)
>
> Tag Name: redirector_access
> Usage: redirector_access allow|deny
>
> Description
> If defined, this access list specifies which requests are sent to
> the redirector processes
>
> Default: All requests are sent
>
> Example: redirector_access allow aclname
>
> Will that do it?
>
> ** I don't know how I missed that in squid.conf!! Yes that does address that
> suggestion. But once again it would not
> provide the granular squidGuard filtering that I am suggesting. But it would allow me
> to say "users in NT group 'Admins'
> don't get filtered" "users in NT group 'staff' do get filtered by being sent to the
> redirector"
> But it is definitely a start.
>
> ** Hope that clears it up a bit for you.
> As you are not aware of NTLM etc.. this is probably functionality you don't require
> but maybe you can see some merit in.
>
> **Jay
>
> Rick
>
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] Behalf Of Jay Turner
> > Sent: Wednesday, March 05, 2003 2:58 AM
> > To: [EMAIL PROTECTED]
> > Cc: [EMAIL PROTECTED]
> > Subject: SquidGuard & NT Groups
> >
> >
> > Hi All,
> >
> > I have built a version of Squid-2.5.STABLE1 that uses NTLM and wb_group for user
> > authentication.
> >
> > The next logical step is having squidGuard be aware of these NT groups and using
> > those as src declarations.
> >
> > Has anybody else thought of this/know a way to do this?
> >
> > Using NTLM I can list users in a userlist with their domain and username info:
> >
> > domain1/user1
> > domain1/user2
> > domain2/user4
> > etc..
> >
> > what would be nice is to be able to filter against entire domains.
> >
> > src domain1 {
> > userlist domain1Users
> > }
> >
> > where domain1Users contains:
> > domain1
> >
> > Changing squidGuard is probably the only way to do this. Possibly two ways this
> > could be done:
> >
> > 1) Having userlists recognize regular expressions so domains could be listed as:
> > ^domain1/.* - OK but probably not ideal
> > 2) Creating a new src type called domain/domainlist which would contain a list of
> > valid domains.
> >
> > This could be done by using a regular expression to match against the start of the
> > IDENT username but be done behind the
> > scenes perhaps?? (please suggest a better way if you have one)
> >
> > Alternatively you could move this functionality into Squid to allow only selected
> > requests to be passed to the redirector
> > via Squid ACL's (currently not possible AFAIK)
> > This would not provide the granular level of control that would be available in
> > SquidGuard, but it would be an easy
> > solution to provide blocking against only some users.
> >
> > What are peoples thoughts on such functionality?
> >
> > Thanks
> > Jay