Re: [squid-users] Logging user names

From: Mark Worsdall <squid@dont-contact.us>
Date: Sat, 30 Jun 2001 13:56:25 +0100

Hi,

I have done what you want, basically my system follows the following
rules:-

Everyone (Students/Staff) has to validate themselves before they get
Internet access, this happens in the form of them being presented with
a logon prompt if they access the Internet.

Once staff are validated they can access the Internet at any time.

Once students are validated they can access the Internet within curriculum
time.

Unless ANY user is trying to access a banned site.

This is done on a proper UNIX system (FreeBSD) with a script that runs
from cron every 15 minutes though it can be done more or less. I am sure
the script will work on Linux (I know it does) (Just a FreeBSD / Linux
prod going on there) :-)

The perl script simply extracts staff and students from the main
password file and writes it to a staff & student file, each contains
username and password.

I feel a howto coming on!
http://www.hinwick.demon.co.uk/computerDept/HowTo-AuthenticateUsers-squid.html

I hope it helps!

In message <200106300759.RAA25628@adm7.vic.schools.net.au>, Peter Wood
<woodp@phsc.vic.edu.au> writes
>Hi all,
>
>Henrik Nordstrom <hno@hem.passagen.se> on Fri, 29 Jun 2001 12:07:36
>+0200 wrote:
>
>> Peter Wood wrote:
>> > Alas no. The users all had the same login details for both local NT login
>> > and SINA but divergence in the passwords has occurred since then.
>
>> Am I correct in that you want the proxy to log the login information
>> even if the proxy as such does not care about managing logins?
>
>Correct. I'm interested in keeping track of students' movements in case
>they get into areas they shouldn't and maybe be better able to restrict their
>access using quotas or such. They don't (yet) have accounts on the
>Linux box although as we get more adventurous we might set up Apache and
>give the kids the ability to publish their own stuff direct to the web server.
>I'm probably looking for trouble there :-)
>
>> This can theoretically be done by using log_mime_hdrs, and then
>> postprocess the logs to extract the relevant HTTP header information,
>> but be warned that this will log a lot of information, including
>> passwords both for the parent proxy and many web sites... If this is too
>> much then hacking the code to log the parent proxy user name is also
>> possible.
>
>I tried this (It does produce a lot of extra data!!) but although I can see
>users logging into, say, Hotmail (I'm seeing "EmailAddress=username") I can't
>see any logins to our parent cache... What would they look like?
>Would they be in a plain text format or encrypted in some way?
>
>> Another approach would be to make your proxy validate the login before
>> forwarding the request. Writing an auth helper that validates the login
>> to another proxy shouldn't be too hard. This way your proxy will know
>> the username. In effect the users will be logging in to your proxy which
>> uses the parent proxy to validate the password.
>
>This sounds great but we're all school teachers in here and C isn't on the
>curriculum :-)
>
>> A third approach would be to use some other method of identifying the
>> users. For example ident.
>
>I'm not familiar with ident but I'll look it up.
>
>Thanks to all the replies we've been getting to this thread. We're
>slowly getting an understanding of how this all fits together.
>
>regards,
>
>Peter.
>
>Peter Wood
>Learning Technologies Coordinator
>Princes Hill Secondary College
>North Carlton
>Victoria
>Australia
>
>

-- 
Work:- postmasterAThinwick.demon.co.uk  WEB:- http://www.hinwick.demon.co.uk
Work:- mworsdallATshaftesburysoc.org.uk REPLACE AT with @
Home:- hinwickATworsdall.demon.co.uk    WEB:- http://www.wizdom.org.uk
Shadow:- webmasterATshadow.org.uk       WEB:- http://www.shadow.org.uk
Received on Sat Jun 30 2001 - 06:57:06 MDT
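
Added example, not part of the original message or of Squid: a sketch of the log post-processing discussed in the quoted text, assuming the parent uses HTTP Basic proxy authentication, where the Proxy-Authorization value is base64 of "user:password" (encoded, not encrypted). The log line layout, the escaping it undoes and all function names are assumptions; the sample line is constructed. It keeps only the user name and drops the password and every other header.

```python
import base64
import re
from urllib.parse import unquote

# Constructed sample (not from the thread): a native-format access.log line
# with log_mime_hdrs on. Assumed layout: two trailing bracketed fields,
# [request headers] [reply headers], with CR/LF written as \r \n.
_CRED = base64.b64encode(b"student1:not-a-real-password").decode()
SAMPLE = (
    "993905785.123    245 192.168.1.20 TCP_MISS/200 1532 GET "
    "http://www.example.com/ - FIRST_UP_PARENT/parent.example.net text/html "
    "[Host: www.example.com\\r\\nProxy-Authorization: Basic " + _CRED + "\\r\\n] "
    "[HTTP/1.0 200 OK\\r\\nContent-Type: text/html\\r\\n]"
)

HEADER_FIELDS = re.compile(r" \[(.*?)\] \[(.*?)\]$")

def request_headers(line):
    """Return the logged request headers as a dict with lower-case names."""
    m = HEADER_FIELDS.search(line.rstrip("\n"))
    if not m:
        return {}
    # Undo the log escaping: backslash codes first, then %XX escapes.
    raw = unquote(m.group(1).replace("\\r", "\r").replace("\\n", "\n"))
    headers = {}
    for header in raw.splitlines():
        name, sep, value = header.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def proxy_user(line):
    """User name from 'Proxy-Authorization: Basic', or None. Password is dropped."""
    scheme, _, token = request_headers(line).get("proxy-authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("latin-1")
    except ValueError:  # not valid base64
        return None
    user, sep, _password = decoded.partition(":")
    return user if sep else None

def reduced_record(line):
    """(timestamp, client, URL, user): what is worth keeping, with no headers."""
    fields = line.split(None, 7)
    return fields[0], fields[2], fields[6], proxy_user(line)

if __name__ == "__main__":
    print(reduced_record(SAMPLE))
```

Writing only the reduced record to disk and discarding the raw header fields keeps site and proxy passwords out of the stored logs.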