On Tue, 20 Apr 2004, Alexander Samad wrote:

> On Tue, Apr 20, 2004 at 12:04:02PM +1000, Broun, Bevan wrote:
> > Well, squid is running on linux!
> > 
> > Currently we run squid-2.4 latest stable, but upgrading to 2.5 latest
> > stable is an option and from my reading so far this is probably needed.
> > 
> > The current squid was compiled with --enable-auth-modules="SMB" and we have
> > a file on NT domain controller to limit Internet to those in a particular
> > NT group (who have read access to the file).
> > 
> > Now a request has come in to have another nt group access to a particular
> > dstdomain - only no internet. Can anyone fast track me to the solution?
> > I don't want to go down the path of placing the usernames into squid.conf
> 
> I think in the winbind package (debian, part of samba I think), there is
> the script/interface to test whether a NT userid is part of a NT group.
> Just do it once for the group and then manage it from within NT

Good answer.. just to the wrong question.

Haven't looked into this particular case for a while but I think the key 
here is to 
a) pass the ACL group required to the squid authentication program
OR
b) somehow get the group back from the squid authentication program and 
apply that to the ACLs.
Problem is I don't think squid has a concept of a group. Hopefully I'm 
wrong.

I think most of the time we divided the web space up as follows:-
internal-only + business sites
internal-only + business sites + cached data
full web access

Basically for the first 2 cases no authentication required, authentication 
only popped up when trying for something not on the business list.
In actual fact we added one more dimension... time. I.e. some people allowed 
full web access but only after business hours.

One ugly way of solving it is to use 2 proxies A and B.
Proxy A allows internal-only without a password and anything not internal 
gets handed off to the cache_peer B. If you like some internal sites could 
require a password on proxy A.
Proxy B then allows business sites without a password but requires a 
password for anything else.
Anyway.. you can see how adding more proxies can give you the opportunity 
for different authentication strategies at the expense of maintaining it - 
hence it's ugly but you may be desperate.

 -- 
---<GRiP>---
Electronic Hobbyist, Former Arcadia BBS nut, Occasional nudist, 
Linux Guru, SLUG Secretary, AUUG and Linux Australia member, Sydney 
Flashmobber, BMX rider, Walker, Raver & rave music lover, Big kid that 
refuses to grow up. I'd make a good family pet, take me home today!
        Do people actually read these things?


-- 
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
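As an added illustration (editor's sketch, not configuration posted by anyone in the thread), here is roughly how the two-proxy split described in the reply above could be written in Squid 2.5 squid.conf syntax: proxy A serves internal sites without a password and hands everything else to proxy B as a parent, and proxy B lets the business list through freely but demands SMB authentication for the rest, with a time ACL thrown in for the after-hours case. The hostnames, ports, addresses, NT domain name, helper paths and the business-sites list file are all assumed; adjust them to the site.

```squid
# ================= Proxy A (client-facing, port 3128) =================
# Assumed: internal web space lives under .corp.example; proxy B is
# proxy-b.corp.example listening on 3129.
acl all      src 0.0.0.0/0.0.0.0
acl internal dstdomain .corp.example

# Internal sites need no password; everything else is handed to B, which
# decides for itself who may go outside.
http_access allow internal
http_access allow all

# Fetch internal sites directly; force every other request through B.
cache_peer proxy-b.corp.example parent 3129 0 no-query default login=PASS
always_direct allow internal
never_direct  allow all
# login=PASS relays the browser's Proxy-Authorization header to B, so B can
# challenge the user even though A itself asks for no credentials.

# ================= Proxy B (parent, port 3129) =======================
# Assumed: SMB auth helper at /usr/lib/squid/smb_auth, NT domain NTDOMAIN,
# proxy A at 10.0.0.2, business list in /etc/squid/business-sites.txt
# (one dstdomain per line, e.g. ".supplier.example").
auth_param basic program /usr/lib/squid/smb_auth -W NTDOMAIN
auth_param basic children 5
auth_param basic realm Internet access
auth_param basic credentialsttl 2 hours

acl all         src 0.0.0.0/0.0.0.0
acl proxy_a     src 10.0.0.2
acl business    dstdomain "/etc/squid/business-sites.txt"
acl authed      proxy_auth REQUIRED
acl after_hours time MTWHF 18:00-23:59

http_access deny  !proxy_a            # only A may talk to B
http_access allow business            # business sites: no password
http_access allow authed after_hours  # full web after hours, with a password
http_access deny  all
```

Note that the order of http_access lines is what does the work: the first matching allow or deny wins, so the unauthenticated business rule has to sit above the proxy_auth rule, otherwise Squid will challenge for a password before it ever looks at the business list. With smb_auth as configured in the original question, "a password" still means membership of the NT group that can read the proxyauth file on the domain controller, so B's authenticated tier is the same population the single-proxy setup already admitted.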
