Rick

Don't want to hijack the thread but what do you suggest if using squid as a 
transparent proxy?

I get the feeling that this is part of Ryan's problem too. Ident lookup does 
not work in this configuration and from Ryan's description of his setup it 
may be that this is part of the problem.

Paul

> > I've asked this a number of times and never
> > really got an adequate response.
> 
> I'll see if I can be of assistance.
> 
> > I have a novell netware infrastructure ...
> 
> I know next to nothing about Novell; that's why I have not responded 
> before.
> 
> > ... it deals with
> > file serving, printing, and user authentication.  Our
> > machines have dynamic ip addressing and there are a
> > lot of them.  It is because of this that I need a way
> > to control access based upon user ids.
> 
> I understand.
> 
> In order to do that you will need to set up Squid to do IDENT (RFC931) 
> lookups.
> <http://squid.visolve.com/squid24s1/contents.htm>
> 
> Then you'll need to run an ident server on each workstation. (I don't 
> know if Novell
> already has that capability.) The squid site has a page that lists 
> "related
> software", including ident servers:
> <http://www.squid-cache.org/related-software.html>, and here are the 
> direct links:
> 
> For Windows NT
> <http://freeware.teledanmark.no/identd/>
> 
> For Windows 95/98/Me
> <http://identd.sourceforge.net/>
> 
> Once you have ident up and running you can define squidGuard source 
> groups using
> usernames:
> -------------
> src admin {
>       user    root administrator foo bar      # login names
> }
> -------------
> or
> -------------
> src ab_users {
>       userlist [filename]
> }
> -------------
> where:
> filename is either a path relative to dbhome or an absolute path (i.e. 
> /full/path) to
> a database file. The userlist file format is simply RFC-931 usernames, 
> optionally
> followed by a `:' and a comment (i.e. /etc/passwd or a .htpasswd file 
> may be used)
> separated by a newline as in the user declaration but without the user 
> keyword. Thus
> a userlist could look something like:
> -------------
> root
> administrator
> foo
> bar
> -------------
> [From <http://www.squidguard.org/config/>]
> 
> You had also mentioned earlier about wanting to know who tried to go 
> where. My
> suggestion there would be to give every destination group its own log 
> file:
> -------------
> dest porn {
>       domainlist      porn/domains
>       urllist porn/urls
>       logfile porn.log
>      }
> -------------
> (You will need to manually create each of these log files and correctly 
> set file
> ownership and permissions.) Then bounce squid.
> 
> These destination group log files contain a record for every redirect 
> within that
> destination group. For example, here is <my interpretation> of several 
> of the fields
> in the log:
> 
> 2002-05-06 23:13:40   -       Date & time
> [24056]                       -       Process ID
> Request
> (ab_users/porn/-)             -       source group / destination group / ?
> http://nasty-nasty.com        -       requested url
> 192.168.44.3/-                -       ip of requestor / ?
> rick                          -       ident username
> GET                           -       method
> 
> I hope this helps.
> 
> Rick Matthews
> 
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of Ryan Kather
> > Sent: Wednesday, May 08, 2002 8:03 AM
> > To: [EMAIL PROTECTED]
> > Subject: Authentication question
> >
> >
> >      I've asked this a number of times and never
> > really got an adequate response.  Perhaps this will
> > clear up what exactly I'm trying to do.
> >
> > I have a novell netware infrastructure, it deals with
> > file serving, printing, and user authentication.  Our
> > machines have dynamic ip addressing and there are a
> > lot of them.  It is because of this that I need a way
> > to control access based upon user ids.  I don't
> > necessarily need to authenticate users, but I do need
> > to be able to ban certain users (whose parents don't
> > want them using the internet) from using the internet.
> >
> >
> > I've looked into LDAP authentication to Novell
> > (netware 5.1 sp4) and PAM_NDS module authentication.
> > The problems I have with these solutions are 1.) I
> > don't want to have a prompt pop up to authenticate all
> > users. 2.) Security concerns about possible clear text
> > packets containing user ids and passwords.
> >
> > A solution I would prefer is a simple userid check.
> > Squidguard checks the client workstation to determine
> > the userid.  Squid then checks novell to see if that
> > id exists if it does squid checks a banned userid
> > list, and if the id is not banned squid passes out to
> > net.  I don't know if this is possible, but any help
> > at all would be greatly appreciated.
> >
> > Another solution may be for me to integrate
> > bordermanager's proxy server and set squid up as its
> > parent.  Then use bordermanager to handle user
> > authentication, however I don't know if I can
> > configure bordermanager to always only allow what
> > squid will pass in.  In layman's terms I don't know if
> > that will enforce blacklist policies.
> >
> >             Thanks for any input,
> >               Ryan Kather
> >
> >
> 
> 


Paul McCormack
MIS Limited
[EMAIL PROTECTED]
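As an added example, not from anyone in this thread, here is a small Python parser for the per-destination-group log records Rick describes above, following his field interpretation (date, time, [pid], Request, (src/dest/-), url, ip/-, ident user, method). It counts redirects per ident username and lists client IPs whose requests carried no ident result, which is exactly the blind spot a username-based policy has when ident lookups fail (e.g. behind a transparent proxy). The sample lines are constructed for this example; the layout of a real squidGuard log file may differ slightly.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines in the field layout described above; the "-" in the
# username column stands for a client that returned no ident answer.
SAMPLE_LOG = """\
2002-05-06 23:13:40 [24056] Request (ab_users/porn/-) http://nasty-nasty.com 192.168.44.3/- rick GET
2002-05-06 23:14:02 [24056] Request (ab_users/porn/-) http://nasty-nasty.com/pics 192.168.44.3/- rick GET
2002-05-06 23:15:11 [24056] Request (ab_users/porn/-) http://example-bad.test 192.168.44.9/- - GET
2002-05-06 23:16:30 [24057] Request (admin/porn/-) http://nasty-nasty.com 192.168.44.2/- administrator POST
"""

# One regex per record; "Request" may or may not be followed by a space.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"\[(?P<pid>\d+)\] Request\s*\((?P<src>[^/]+)/(?P<dest>[^/]+)/(?P<rest>[^)]*)\) "
    r"(?P<url>\S+) (?P<ip>[^/\s]+)/(?P<ipextra>\S*) (?P<user>\S+) (?P<method>\S+)"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log record, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse a whole log file, silently skipping lines that do not match."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def redirects_by_user(records: List[Dict[str, str]]) -> Counter:
    """Count redirects per ident username ('-' groups the unidentified ones)."""
    return Counter(r["user"] for r in records)


def unidentified_clients(records: List[Dict[str, str]]) -> List[str]:
    """IPs that were redirected without an ident username: these requests can
    only be matched by IP-based source groups, never by user or userlist."""
    return sorted({r["ip"] for r in records if r["user"] == "-"})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(redirects_by_user(recs))
    print("no ident result from:", unidentified_clients(recs))
```

Ident usernames are reported by the client workstation itself, so a report like this attributes activity to a login name but does not authenticate it.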
