On Tue, 2003-07-01 at 11:42, Diego Rivera wrote:
> Hello all
>
> I've been combing through the mailing lists trying to find a conclusive
> answer to my question, but with little luck as yet.
>
> I did find references to functionality similar to what I need, but it's
> supposedly in 2.5 - which I don't have and can't implement because of
> its beta-status (I'm using 2.4-STABLE7).

Quick correction: 2.5 is NOT beta, but I still can't use it (yet), although I need to solve this issue ASAP! Sorry for the mixup.

>
>
> Here's my issue: I need to have 1 squid proxy for a group of companies
> that share the same building. Each company has their own auth server,
> and e-mail domain. Some share LDAP servers, but users are on different
> branches of the tree.
>
> My ideal solution would be to have the proxy authenticate using the
> user's full e-mail and their password. The authenticator program (or
> internal module, or whatever) would then discern which server to auth
> against from the e-mail addx domain, and proceed accordingly.
>
> For example: [EMAIL PROTECTED] is different from [EMAIL PROTECTED] and
> should be authenticated against the servers for company-1, company-2,
> etc.
>
> Once that's done, squidGuard can be used to do redirection, and use the
> full e-mails as usernames where appropriate. This also eliminates audit
> confusion (i.e., joe accessed a porn site, but which joe?!?!?).
>
> I'm currently working on an authenticator perl script that does the
> split, and uses specific configurations to determine against which
> server a "realm" will auth against and how (LDAP, SMB, etc).
>
> Currently I'm only working on the LDAP module which is the most pressing
> (using Net::LDAP). I realize that there's already an LDAP authenticator
> module available, but it doesn't have the functionality I need.
>
> What I'd like to know is if all this work is really necessary (not done
> before), and if anyone who has encountered an issue like this before has
> been able to solve it 100% without having to do custom code.
>
> I'm early on in writing the script(s), and it doesn't seem too tough
> (except when you throw in LDAPS/LDAP-TLS into the mix, in which case it
> just gets a little more complex to do the config), but I'd like to avoid
> adding code if it's possible to reduce the complexity of the setup (and
> learn from others' experiences as well).
>
> If possible (not a priority), would I be able to tell different domains
> apart for ACL purposes (i.e., company-1 can go to website X, but not
> company-2)? How would this be accomplished? Could it be accomplished
> with the above setup (don't think so...)?
>
> Best

--
===========================================================
* Diego Rivera                                            *
*                                                         *
* "The Disease: Windows, the cure: Linux"                 *
*                                                         *
* E-mail: lrivera<AT>racsa<DOT>co<DOT>cr                  *
* Replace: <AT>='@', <DOT>='.'                            *
*                                                         *
* GPG: BE59 5469 C696 C80D FF5C 5926 0B36 F8FF DA98 62AD  *
* GPG Public Key available at: http://pgp.mit.edu         *
===========================================================
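The realm split described in the message, sketched as a Squid basic-auth helper loop (one `login password` line in, `OK` or `ERR` out). This is an added example, not the poster's Perl script: it is written in Python, the domains, search bases, `uid` attribute and in-memory directory are constructed, and `demo_bind` is a hypothetical stand-in for the real per-company LDAP bind.

```python
import hmac
import sys
from urllib.parse import unquote

# Constructed realm table: e-mail domain -> LDAP search base for that company.
REALMS = {
    "company-1.example": "ou=people,dc=company-1,dc=example",
    "company-2.example": "ou=people,dc=company-2,dc=example",
}
# Constructed directory standing in for the real per-realm LDAP bind.
DEMO_DIR = {
    (REALMS["company-1.example"], "(uid=joe)"): "pw-one",
    (REALMS["company-2.example"], "(uid=joe)"): "pw-two",
}

def ldap_filter(local):
    """Build (uid=...) with RFC 4515 escaping; the uid attribute is an assumption."""
    esc = "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in local)
    return "(uid=%s)" % esc

def demo_bind(base, user_filter, password):
    """Stand-in for search + simple bind against the realm's server."""
    stored = DEMO_DIR.get((base, user_filter))
    return stored is not None and hmac.compare_digest(
        stored.encode(), password.encode())

def authenticate(line, bind=demo_bind):
    """Answer one request line 'login password' with 'OK' or 'ERR'."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    # Assumption: Squid URL-encodes both fields (true of later releases).
    login, password = unquote(parts[0]), unquote(parts[1])
    # An LDAP simple bind with an empty password is an unauthenticated bind
    # that many servers accept, so reject it before any backend is contacted.
    if not password:
        return "ERR"
    local, sep, domain = login.rpartition("@")
    base = REALMS.get(domain.lower())
    if not sep or not local or "@" in local or base is None:
        return "ERR"
    return "OK" if bind(base, ldap_filter(local), password) else "ERR"

if __name__ == "__main__":
    for request in sys.stdin:
        sys.stdout.write(authenticate(request) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply, so never buffer
```

Because the full e-mail address is the login Squid sees, the two `joe` accounts stay distinct in the access log and in anything downstream that keys on the username.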
