RE: [squid-users] acl ident_regex

From: Rick Matthews <k5wls@dont-contact.us>
Date: Fri, 25 Jul 2003 11:42:39 -0500

> Does ident_regex allow pattern matching on the entire string
> returned from an ident lookup?

According to the Squid Configuration Manual:
<http://squid.visolve.com/squid24s1/contents.htm>
---------------------------------------------
Acl Type: ident_regex

Description
Regular expression pattern matching on the user's name. String match
on ident output. Use REQUIRED to accept any non-null ident.

Usage: acl aclname ident_regex pattern

Example
You can use ident to allow specific users access to your cache. This
requires that an ident server process run on the user's machine(s). In
your squid.conf configuration file you would write something like this:

ident_lookup on
acl friends ident_regex joe
This looks for the pattern "joe" in username
---------------------------------------------

According to the specifications for the ident protocol
<http://identd.dyndns.org/identd/rfc1413.txt>, in addition to the
response type USERID, there is an additional type "OTHER":
---------------------------------------------
"OTHER" indicates the identifier is an unformatted
character string consisting of printable characters
in the specified character set. "OTHER" should be
specified if the user identifier does not meet the
constraints of the previous paragraph. Sending an
encrypted audit token, or returning other non-userid
information about a user (such as the real name and
phone number of a user from a UNIX passwd file) are
both examples of when "OTHER" should be used.
---------------------------------------------

Using the ident server available here http://identd.dyndns.org/identd/
I was able to manipulate the ident response to be pretty much anything
I wanted it to be:

identReadReply: FD 17: Read '1377 , 3128 : USERID : WIN32 : Cindy'
identReadReply: FD 17: Read '1394 , 3128 : USERID : WIN32 : Bryan'
identReadReply: FD 19: Read '1106, 3128 : USERID : OTHER : Rick'
identReadReply: FD 25: Read '1092, 3128 : USERID : OTHER : Now is the \
time for all good men to come to the aid of their country.'

(Samples obtained from Squid's cache.log after adding
"debug_options ALL,1 30,9" to squid.conf and issuing a
"squid -k reconfigure".)

So yes, you or your users can make the ident return whatever you want
it to be, and you can use ident_regex to search for a pattern in
that ident response.

Rick

> -----Original Message-----
> From: Chris Wilcox [mailto:not_rich_yet@hotmail.com]
> Sent: Friday, July 25, 2003 10:32 AM
> To: squid-users@squid-cache.org
> Subject: [squid-users] acl ident_regex
>
>
> Hello again all,
>
> Been having yet another read through the ACL types I can use within squid.
> Does ident_regex allow pattern matching on the entire string returned from
> an ident lookup? eg if I have an altered version of an identd server running
> on a client PC, and this returns (amongst other things) username and client
> PC hostname, would it be possible for ident_regex to look for a certain
> hostname within the returned ident string?
>
> If not, is it possible to pass the hostname info (or if need be, all the
> info) from the ident query to an external ACL type and use this to
> allow/disallow access to the cache?
>
> If I can suss out access control via hostname then I will be a very happy
> bunny (or other small fluffy animal)!
>
> Regards,
>
> nry
>
Received on Fri Jul 25 2003 - 10:42:56 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:18:17 MST
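
Added example (not part of the original message, and not Squid's own code): a small parser for RFC 1413 replies like the cache.log samples above, showing how an unanchored pattern matches anywhere in a client-supplied identifier while an anchored one does not. It assumes the pattern is searched against the user-id field with surrounding whitespace stripped, and it uses Python's re module as a stand-in for Squid's regex matching; the replies marked "constructed" are made up for the illustration.

```python
import re

def parse_ident_reply(line):
    """Split an RFC 1413 reply into (ports, resp_type, opsys, user_id)."""
    # The user-id may itself contain ':' so split at most three times.
    parts = line.rstrip("\r\n").split(":", 3)
    if len(parts) < 3:
        raise ValueError("not an ident reply: %r" % line)
    ports = tuple(int(p) for p in parts[0].split(","))
    resp_type = parts[1].strip()
    if resp_type != "USERID" or len(parts) != 4:
        return ports, resp_type, None, None      # ERROR reply: no user-id
    # Assumption: whitespace around the identifier is stripped before matching.
    return ports, resp_type, parts[2].strip(), parts[3].strip()

def acl_matches(pattern, line):
    """True if the pattern is found anywhere in the reply's user-id field."""
    user_id = parse_ident_reply(line)[3]
    return user_id is not None and re.search(pattern, user_id) is not None

REPLIES = [
    "1377 , 3128 : USERID : WIN32 : Cindy",                    # from cache.log above
    "1106, 3128 : USERID : OTHER : Rick",                      # from cache.log above
    "1200 , 3128 : USERID : OTHER : free text mentioning joe", # constructed
    "1201 , 3128 : USERID : UNIX : joe",                       # constructed
    "1202 , 3128 : ERROR : NO-USER",                           # constructed
]

def matching(pattern):
    """User-ids from REPLIES that the given pattern would accept."""
    return [parse_ident_reply(r)[3] for r in REPLIES if acl_matches(pattern, r)]

if __name__ == "__main__":
    # "joe" is a substring search, so any identifier containing it passes.
    print("joe    ->", matching("joe"))
    # Anchoring limits the match to the exact name, but the value is still
    # whatever the client's ident server chose to send.
    print("^joe$  ->", matching("^joe$"))
```

Anchoring narrows what the pattern accepts, but the identifier remains a value reported by the client machine, so it identifies a cooperating client rather than authenticating one.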