Thanks, you've been a great help. I've turned on IDENTD
in squid; I now receive usernames and can restrict
based upon them. I'm using the identd package from
sourceforge.net. As for the logging, I've enabled it
and it is working out quite nicely. Thanks again.
Ryan Kather
--- Rick Matthews <[EMAIL PROTECTED]> wrote:
> > I've asked this a number of times and never
> > really got an adequate response.
>
> I'll see if I can be of assistance.
>
> > I have a novell netware infrastructure ...
>
> I know next to nothing about Novell; that's why I
> have not responded before.
>
> > ... it deals with
> > file serving, printing, and user authentication. Our
> > machines have dynamic ip addressing and there are a
> > lot of them. It is because of this that I need a way
> > to control access based upon user ids.
>
> I understand.
>
> In order to do that you will need to set up Squid to
> do IDENT (RFC931) lookups.
> <http://squid.visolve.com/squid24s1/contents.htm>
>
> Then you'll need to run an ident server on each
> workstation. (I don't know if Novell
> already has that capability.) The squid site has a
> page that lists "related
> software", including ident servers:
> <http://www.squid-cache.org/related-software.html>,
> and here are the direct links:
>
> For Windows NT
> <http://freeware.teledanmark.no/identd/>
>
> For Windows 95/98/Me
> <http://identd.sourceforge.net/>
>
> Once you have ident up and running you can define
> squidGuard source groups using
> usernames:
> -------------
> src admin {
> user root administrator foo bar # login names
> }
> -------------
> or
> -------------
> src ab_users {
> userlist [filename]
> }
> -------------
> where:
> filename is either a path relative to dbhome or an
> absolute path (i.e. /full/path) to a database file.
> The userlist file format is simply RFC-931 usernames,
> optionally followed by a `:' and a comment (i.e.
> /etc/passwd or a .htpasswd file may be used), separated
> by a newline as in the user declaration but without the
> user keyword. Thus a userlist could look something like:
> -------------
> root
> administrator
> foo
> bar
> -------------
> [From <http://www.squidguard.org/config/>]
>
> You had also mentioned earlier about wanting to know
> who tried to go where. My
> suggestion there would be to give every destination
> group its own log file:
> -------------
> dest porn {
> domainlist porn/domains
> urllist porn/urls
> logfile porn.log
> }
> -------------
> (You will need to manually create each of these log
> files and correctly set file ownership and permissions.)
> Then bounce squid.
>
> These destination group log files contain a record
> for every redirect within that destination group. For
> example, here is my interpretation of several of the
> fields in the log:
>
> 2002-05-06 23:13:40 - Date & time
> [24056] - Process ID
> Request
> (ab_users/porn/-) - source group / destination
> group / ?
> http://nasty-nasty.com - requested url
> 192.168.44.3/- - ip of requestor / ?
> rick - ident username
> GET - method
>
> I hope this helps.
>
> Rick Matthews
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Ryan Kather
> > Sent: Wednesday, May 08, 2002 8:03 AM
> > To: [EMAIL PROTECTED]
> > Subject: Authentication question
> >
> > I've asked this a number of times and never
> > really got an adequate response. Perhaps this will
> > clear up what exactly I'm trying to do.
> >
> > I have a novell netware infrastructure, it deals with
> > file serving, printing, and user authentication. Our
> > machines have dynamic ip addressing and there are a
> > lot of them. It is because of this that I need a way
> > to control access based upon user ids. I don't
> > necessarily need to authenticate users, but I do need
> > to be able to ban certain users (whose parents don't
> > want them using the internet) from using the internet.
> >
> > I've looked into LDAP authentication to Novell
> > (netware 5.1 sp4) and PAM_NDS module authentication.
> > The problems I have with these solutions are 1.) I
> > don't want to have a prompt pop up to authenticate all
> > users. 2.) Security concerns about possible clear text
> > packets containing user ids and passwords.
> >
> > A solution I would prefer is a simple userid check.
> > Squidguard checks the client workstation to determine
> > the userid. Squid then checks novell to see if that
> > id exists; if it does, squid checks a banned userid
> > list, and if the id is not banned squid passes out to
> > net. I don't know if this is possible, but any help
> > at all would be greatly appreciated.
> >
> > Another solution maybe would be for me to integrate
> > bordermanager's proxy server and set squid up as its
> > parent. Then use bordermanager to handle user
> > authentication, however I don't know if I can
> > configure bordermanager to always only allow what
> > squid will pass in. In layman's terms I don't know if
> > that will enforce blacklist policies.
> >
> > Thanks for any input,
> > Ryan Kather
> >
>
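As an added example (not from this thread and not squidGuard's own code), here is a small Python tool for the two formats Rick describes above: the userlist file and the per-destination-group log records. The sample userlist and log lines are constructed, and the exact spacing of a log record is an assumption built from the field list in the mail rather than taken from squidGuard.

```python
import re
from collections import Counter

# Constructed userlist in the format the mail describes: one RFC-931 username
# per line, optionally followed by ':' and a comment (passwd-style lines work).
USERLIST = """\
root
administrator:domain admin account
rick:x:1001:1001:Rick Matthews:/home/rick:/bin/sh
bar
"""

# Constructed destination-group log lines, fields in the order the mail lists
# (date, time, [pid], Request(src/dest/-), url, ip/-, ident user, method);
# the exact spacing is an assumption, not taken from squidGuard's documentation.
SAMPLE_LOG = [
    "2002-05-06 23:13:40 [24056] Request(ab_users/porn/-) http://nasty-nasty.com 192.168.44.3/- rick GET",
    "2002-05-06 23:14:02 [24056] Request(ab_users/porn/-) http://nasty-nasty.com/x 192.168.44.3/- rick GET",
    "2002-05-06 23:15:11 [24056] Request(ab_users/porn/-) http://other.example/ 192.168.44.9/- - GET",
]

LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) \[(?P<pid>\d+)\] "
    r"Request\((?P<src>[^/]+)/(?P<dest>[^/]+)/[^)]*\) "
    r"(?P<url>\S+) (?P<ip>[^/\s]+)/\S* (?P<user>\S+) (?P<method>\S+)$"
)

def parse_userlist(text):
    """Usernames from a userlist; anything after the first ':' is a comment."""
    users = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):  # skipping '#' lines is an assumption
            users.add(line.split(":", 1)[0])
    return users

def parse_log_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def redirects_by_user(lines, known_users):
    """Per-user redirect counts plus users absent from the userlist ('-' marks
    a failed ident lookup, which a username-based rule cannot act on)."""
    counts, unknown = Counter(), set()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        counts[rec["user"]] += 1
        if rec["user"] not in known_users:
            unknown.add(rec["user"])
    return counts, unknown
```

Records whose user is `-` are the ones to chase: the redirect happened, but no username was available, so a userlist-based src group could never have matched that client.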