Hello:

Ankit Jain wrote,
> I have squid runnin on a debian box and samba runnin on another server
> (Mandrake 8.1). I have created all the users on the samba(>600 users)
> machine. I need 2 allow access to the net via the debian box(squid) to
> the same users, wat would be the best way 2 avoid creatin users on the
> debian box?

I would do it like this:

1) Set up OpenLDAP for storing posixAccounts and sambaAccounts
2) Hook up all UNIX servers for LDAP lookups using pam_ldap
3) Hook up Squid for LDAP lookups using the Squid ldap_auth module.

        Squid -> ldap_auth -> LDAP

Alternatively, you could use Squid's pam_auth module. ldap_auth
supports filters, so you can "weed" out users whom you don't want proxy
access, very handy.

        Squid -> pam_auth -> pam_ldap -> LDAP

4) Write a bunch of Perl/PHP scripts to maintain users and keep
passwords in sync.

OR

If you feel that LDAP is overkill for your setup, do this:

1) Maintain Unix/Samba users on your file server
2) Set up pam/samba to make sure passwords are kept in sync
3) On the Squid server, use Squid's smb_auth as the external helper:

        Squid -> smb_auth -> Samba Server

> I have heard of smb_auth, tho' havent used that as yet.

> Would it be reliable and fast? 

Yes.

> Hmm.. or say if i want 2 maintain an independent user list on the
> debian box which shud b exactly the same as the one on mandrake
> (includin passwds?), can i somehow sync these? 

Bad idea. Things can get out of sync. The Samba approach is a better
idea. If you want to add more UNIX servers later, you can easily hook
them up to your central auth servers using Samba's Winbind daemon. You
will not have to maintain another set of unix accounts on them.

> This would be good cos then i dont need to have the samba machine
> running (as a necessity) for accessing the net!

Not a good idea at all. You do not want to keep user accounts on your
firewall machine (I assume that your proxy is also your firewall).
 
> The user a/cs wont really change once ALL are created(lots more have 2
> b created).

But won't the passwords change?

Oh, don't even think of NIS. IMHO, it is not very scalable and is also
insecure.

-- Shanu

BTW: Has anyone tried digest-MD5 hashes for proxy auth? I am not
comfortable with clear-text passwords going across the wire every time
someone does a proxy auth. :)

-- 
Ben (Obi-Wan) Kenobi:
        The Force can have a strong influence on a weak mind.

_______________________________________________
linux-india-help mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/linux-india-help
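
The postscript's concern about clear-text proxy passwords, as an added example that is not part of the original mail: it contrasts what a captured Basic `Proxy-Authorization` header reveals with the Digest (RFC 2617, qop=auth) response that replaces it. The function names are hypothetical, the user, realm, password and nonce are the RFC 2617 section 3.5 sample values, and the second nonce is constructed.

```python
import base64
import hashlib
import hmac

def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def basic_header(user: str, password: str) -> str:
    # Basic: base64 of "user:password", repeated on every proxied request.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Proxy-Authorization: Basic {token}"

def recover_from_basic(header: str) -> tuple:
    # Base64 is an encoding, not encryption: one capture yields the password.
    token = header.split("Basic ", 1)[1]
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    # RFC 2617 with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def proxy_verify(stored_ha1, method, uri, nonce, nc, cnonce, response):
    # The proxy recomputes the response from its stored HA1 and its own nonce.
    expected = digest_response(stored_ha1, method, uri, nonce, nc, cnonce)
    return hmac.compare_digest(expected, response)

# Sample values from RFC 2617 section 3.5.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
URI, NC, CNONCE = "/dir/index.html", "00000001", "0a4f113b"
# HA1 is all the server side has to store; the password itself is never sent.
HA1 = md5_hex(f"{USER}:{REALM}:{PASSWORD}")

if __name__ == "__main__":
    header = basic_header(USER, PASSWORD)
    print("captured Basic header gives:", recover_from_basic(header))
    resp = digest_response(HA1, "GET", URI, NONCE, NC, CNONCE)
    print("Digest response on the wire:", resp)
    print("valid for the issued nonce:",
          proxy_verify(HA1, "GET", URI, NONCE, NC, CNONCE, resp))
    # Constructed second nonce: a replayed response no longer verifies.
    print("valid after the nonce changes:",
          proxy_verify(HA1, "GET", URI, "constructed-fresh-nonce", NC, CNONCE, resp))
```

Digest needs the proxy side to hold HA1 (or the clear-text password), so it cannot simply be layered on helpers that only test a submitted password against Samba, PAM or an LDAP bind.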