Thank you again Henrik, but I have some concerns about this approach (network traffic and performance).

Our scenario has 3 groups and the script makes at least 3 calls to winbind. So, for every HTTP GET made by a user, 9 winbind calls will be made to check whether the user has access to perform that GET. For a page like aol.com, with dozens of images, the general overhead caused by this approach is a great concern to us. Well, I will configure it and test for some time to see if it is true.

In the meantime, I was wondering about building an ad-hoc solution using either Berkeley DB or Embedded MySQL Server (libmysqld), where one can model ACLs in a relational model and check all ACLs against all groups the current user is in. (Advantages: only one call to winbind, retrieving all groups and caching them for the entire session; and the performance of the data access layer, BDB or libmysqld.)

Of course, it will be released to the community. I would be glad to hear some words about that approach ...

Thanks again,
Valdir Leite
Sao Paulo
Brasil

----- Original Message -----
From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
To: "Valdir Henrique Dias Leite" <[EMAIL PROTECTED]>
Cc: "Henrik Nordstrom" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Saturday, April 24, 2004 6:00 PM
Subject: Re: [squid-users] ACL based on User Groups

> On Sat, 24 Apr 2004, Valdir Henrique Dias Leite wrote:
>
> > I saw wb_group.pl script, which checks, via winbind calls, if a user is or
> > is not inside a given group.
> >
> > What I need is to have 3 ACLs, for example, and divide all my users among
> > these groups, like:
>
> This is exactly the purpose of the above script. It is used for building
> any number of ACLs referring to NT Domain groups (via Samba).
>
> > groups, apply one of the three ACLs above. Here is my problem. After
> > authenticating, how to perform the authorization based on which group the
> > user is in.
>
> By defining one acl per group, and use these accordingly in http_access.
>
> > I was thinking of passing to squidGuard the name of the group (meaning as a
> > "login" or "username") and create the acls with this information (group
> > name) as user names.
>
> This sounds very hard to accomplish.
>
> Much easier to simply use group connected ACLs within Squid.
>
>
> There are details on how to use group helpers in the squid_ldap_group
> helper manual. The same principles apply to all group helpers.
>
> Regards
> Henrik
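
The caching idea raised in the message above (one directory lookup per user, reused for every group check), sketched as an added example that is not code from either poster or from Squid. It assumes request lines of the form `<user> <group> [<group> ...]` answered with `OK` or `ERR`; `GroupCache`, `answer`, `sample_lookup` and the sample directory are hypothetical names and constructed data.

```python
import time

# Constructed sample directory standing in for the winbind lookup (hypothetical data).
SAMPLE_DIRECTORY = {
    "alice": {"staff", "managers"},
    "bob": {"students"},
}


class GroupCache:
    """Caches each user's full group set so one backend call serves many ACL checks."""

    def __init__(self, lookup, ttl=300.0, clock=time.monotonic):
        self.lookup = lookup      # callable: user -> iterable of group names
        self.ttl = ttl            # seconds a cached membership stays valid
        self.clock = clock        # injectable so expiry can be tested
        self.backend_calls = 0
        self._entries = {}        # user -> (expiry time, frozenset of groups)

    def groups(self, user):
        now = self.clock()
        entry = self._entries.get(user)
        if entry is None or entry[0] <= now:
            # Missing or expired: ask the backend once for *all* groups.
            self.backend_calls += 1
            entry = (now + self.ttl, frozenset(self.lookup(user)))
            self._entries[user] = entry
        return entry[1]


def answer(cache, line):
    """Answer one request line '<user> <group> [<group> ...]' with 'OK' or 'ERR'."""
    fields = line.split()
    if len(fields) < 2:
        return "ERR"              # malformed request: deny
    user, wanted = fields[0], set(fields[1:])
    return "OK" if cache.groups(user) & wanted else "ERR"


def sample_lookup(user):
    """Stand-in for the single winbind query; unknown users belong to no group."""
    return SAMPLE_DIRECTORY.get(user, set())


if __name__ == "__main__":
    cache = GroupCache(sample_lookup, ttl=300.0)
    for group in ("staff", "students", "managers") * 3:   # nine checks for one page
        print("alice", group, answer(cache, "alice " + group))
    print("backend calls:", cache.backend_calls)
```

The TTL is the security-relevant knob: a user removed from a group keeps matching that group's ACL until the cached entry expires, so it should be no longer than the revocation delay the site can accept.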
