On Monday, 29.10.2007, at 13:22 -0500, Scott Balneaves wrote:
> On Mon, Oct 29, 2007 at 10:11:31AM -0700, Mel Wade wrote:
> > In LTSP, each client is seen by my content
> > filter and firewall as all coming from the same address - the LAN address of
> > the LTSP server. Rules and authentication all happen based on the IP
> > address. So what happens with my LTSP lab is that the first user would go
> > to the internet and the filter would request a login. Once that user was
> > authenticated, the content filter would not require additional logins and
> > would log traffic from all users to the first user, making traffic logging
> > useless. Citrix's feature allows each client to have a virtual IP on the
> > LAN, enabling authentication to work.
> >
> > Is a feature like this available or in the works for LTSP?
>
> No, it's not possible, as all the traffic is, indeed, coming from one box:
> the ltsp server itself.

I wonder how the Citrix thing does it - probably something maximum
proprietary ;-) Or is it just some bug they call a "feature"? </rant>

> The usual way around this is simply to have per session authentication with
> the filter.

Either that (which requires each firefox instance to send a username and
password for web requests) or use "ident".

Ident is considered "insecure" and "fakeable" for a reason - if you have an
unadministered single user machine, you can run an ident server and let it
submit whatever information you want. If you configure your squid (or
whatever proxy version you use) to use ident only for the LTSP server and
rely on other methods for all those windows boxes around, that should be OK
though.

What ident does: It listens on one IP port (don't remember whether UDP or
TCP, but that is not the matter). A client connecting to the port can ask
the ident daemon which user the connection from source port A to server B
port C belongs to. As this information is unique for each connection, the
ident process can interact with the IP subsystem of the LTSP server and
retrieve that information.

Assuming your users can be told apart by usernames this could work.

Saying that I have set up something similar - ident is used for logging
purposes only though, authentication was not required because everyone in
that setup was allowed to access the web. They should just be "trackable",
and for this, it worked well.

> Scott

And I do not believe _you_ mistrust the power of open source software ;-)

Best regards
Anselm

_____________________________________________________________________
Ltsp-discuss mailing list.
To un-subscribe, or change prefs, goto: https://lists.sourceforge.net/lists/listinfo/ltsp-discuss For additional LTSP help, try #ltsp channel on irc.freenode.net
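
An added example, not part of the original thread: the ident (RFC 1413, TCP port 113) exchange described above, seen from the proxy's side, with the "use ident only for the LTSP server" rule applied before the answer is logged. The address 192.0.2.10, the port numbers and all function names are constructed for illustration.

```python
import re

IDENT_PORT = 113  # RFC 1413 runs over TCP port 113

# Assumption: only the LTSP terminal server is trusted to answer ident honestly.
TRUSTED_IDENT_HOSTS = {"192.0.2.10"}  # constructed address (TEST-NET-1)

_REPLY = re.compile(
    rb"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*:\s*(USERID|ERROR)\s*:\s*(.*)$")
_SAFE_USER = re.compile(r"[A-Za-z0-9._-]{1,32}")


def build_query(port_on_ident_host, port_on_proxy):
    """Query line: port on the queried host first, then the port on our side."""
    return b"%d , %d\r\n" % (port_on_ident_host, port_on_proxy)


def parse_reply(line, port_on_ident_host, port_on_proxy):
    """Return the username from a USERID reply, or None if it cannot be used."""
    m = _REPLY.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    # The reply must echo the port pair we asked about.
    if (int(m.group(1)), int(m.group(2))) != (port_on_ident_host, port_on_proxy):
        return None
    if m.group(3) != b"USERID":
        return None  # e.g. "ERROR : NO-USER" or "ERROR : HIDDEN-USER"
    _opsys, sep, user = m.group(4).partition(b":")
    if not sep:
        return None
    # This example strips surrounding whitespace from the user-id field.
    user = user.strip().decode("ascii", "replace")
    # Accept only plain account names so a reply cannot corrupt a log line.
    return user if _SAFE_USER.fullmatch(user) else None


def log_identity(peer_ip, reply, port_on_ident_host, port_on_proxy):
    """Identity to log for a connection; '-' when ident cannot be relied on."""
    if peer_ip not in TRUSTED_IDENT_HOSTS:
        return "-"  # self-administered machine: its ident answer is fakeable
    return parse_reply(reply, port_on_ident_host, port_on_proxy) or "-"
```
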
