I'm interested in seeing this solution as I have some clients who have been asking for a user based solution, and up to now I've not been able to produce one for them.
At 19:51 24/4/2004 -0300, Valdir Henrique Dias Leite wrote:
>Thank you again Henrik, but I have some concerns about this approach
>(network traffic and performance)
>
>Our scenario has 3 groups and the script makes at least 3 calls to winbind.
>So, for every HTTP GET made by a user, 9 winbind calls will be made to check
>whether or not the user has access to perform that GET.
>
>For a page like aol.com, with dozens of images, the general overhead caused
>by this approach is a great concern to us.
>
>Well, I will configure it and test for some time to see if it is true.
>
>In time, I was wondering about building an ad-hoc solution using either Berkeley-DB
>or Embedded MySQL Server (libmysqld) where one can model ACLs like a
>relational model and check all ACLs against all groups the current user is
>in. (Advantages: only one call to winbind, retrieving all groups and
>caching them for the entire session; and the performance of the data access
>layer - BDB or libmysqld.) Of course, it will be released to the
>community.
>
>I would be glad to hear some words about that approach ...
>
>Thanks again,
>
>Valdir Leite
>Sao Paulo
>Brasil
>
>----- Original Message -----
>From: "Henrik Nordstrom" <[EMAIL PROTECTED]>
>To: "Valdir Henrique Dias Leite" <[EMAIL PROTECTED]>
>Cc: "Henrik Nordstrom" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
>Sent: Saturday, April 24, 2004 6:00 PM
>Subject: Re: [squid-users] ACL based on User Groups
>
>
>> On Sat, 24 Apr 2004, Valdir Henrique Dias Leite wrote:
>>
>> > I saw wb_group.pl script, which checks, via winbind calls, if a user is or
>> > not inside a given group.
>> >
>> > What I need is to have, 3 ACLs, for example, and divide all my users among
>> > these groups, like:
>>
>> This is exactly the purpose of the above script. It is used for building
>> any number of ACLs referring to NT Domain groups (via Samba).
>>
>> > groups, apply one of the three ACL above. Here is my problem. After
>> > authenticating, how to perform the authorization based on which group the
>> > user is in.
>>
>> By defining one acl per group, and use these accordingly in http_access.
>>
>> > I was thinking in pass to squidGuard the name of the group (meaning as a
>> > "login" or "username") and create the acls with this information (group
>> > name) as user names.
>>
>> This sounds very hard to accomplish.
>>
>> Much easier to simply use group connected ACLs within Squid.
>>
>>
>> There are details on how to use group helpers in the squid_ldap_group
>> helper manual. The same principles apply to all group helpers.
>>
>> Regards
>> Henrik
>>
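
Added example, not part of the thread and not Squid or Samba code: a sketch of the approach Valdir describes (one group lookup per user, with the result cached), written as a helper that reads `user group [group ...]` request lines and answers `OK` or `ERR`. The names `GroupCache`, `answer`, `sample_lookup` and the sample directory are hypothetical, and the request-line layout is an assumption; a real winbind query would replace `sample_lookup`.

```python
import sys
import time
from urllib.parse import unquote

class GroupCache:
    """Per-user group cache: one backend lookup per user per TTL window."""

    def __init__(self, lookup, ttl=300, clock=time.monotonic):
        self.lookup = lookup      # callable(user) -> group names (assumed backend)
        self.ttl = ttl
        self.clock = clock
        self._entries = {}        # user -> (expiry, frozenset of lower-cased groups)

    def groups(self, user):
        now = self.clock()
        hit = self._entries.get(user)
        if hit and hit[0] > now:
            return hit[1]
        groups = frozenset(g.lower() for g in self.lookup(user))
        self._entries[user] = (now + self.ttl, groups)
        return groups

def answer(line, cache):
    """Handle one request line: '<user> <group> [<group> ...]' -> 'OK' or 'ERR'."""
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2:
        return "ERR"              # malformed request: fail closed
    user, wanted = fields[0].lower(), {g.lower() for g in fields[1:]}
    try:
        member_of = cache.groups(user)
    except Exception:
        return "ERR"              # backend failure: deny rather than allow
    return "OK" if wanted & member_of else "ERR"

# Constructed sample directory standing in for the real winbind lookup.
SAMPLE_DIRECTORY = {"alice": ["Staff", "Managers"], "bob": ["Students"]}

def sample_lookup(user):
    return SAMPLE_DIRECTORY.get(user, [])

def main():
    cache = GroupCache(sample_lookup)
    for line in sys.stdin:
        sys.stdout.write(answer(line, cache) + "\n")
        sys.stdout.flush()        # the caller waits for each reply line

if __name__ == "__main__":
    main()
```

The cache trades freshness for fewer lookups: a user removed from a group keeps access until the cached entry expires, so the TTL bounds how long a revocation can lag.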
