2012/5/6 Amos Jeffries <squid3_at_treenet.co.nz>:
> On 6/05/2012 10:55 a.m., Amos Jeffries wrote:
>>
>> On 6/05/2012 8:09 a.m., E.S. Rosenberg wrote:
>>>
>>> 2012/5/3 Eliezer Croitoru<eliezer_at_ngtech.co.il>:
>>>>
>>>> On 02/05/2012 14:53, E.S. Rosenberg wrote:
>>>>>
>>>>> 2012/5/2 E.S. Rosenberg<esr_at_g.jct.ac.il>:
>>>>>>
>>>>>> Hi,
>>>>>> I just thought I'd share the script I have for the squid side, maybe
>>>>>> someone finds it useful.
>>>>>> I wrote in PHP because I wanted to use prepared statements and am most
>>>>>> familiar with PDO.
>>>>>>
>>>>>> Now my logs have usernames but squid does not allow me to make
>>>>>> proxy_auth acls since I have no auth mechanism configured (this
>>>>>> particular squid instance is a museum piece - 2.6, soon to be
>>>>>> replaced), if this issue also exists in squid 3.1 then how would I
>>>>>> control users based on a username returned through an external ACL?
>>>>>>
>>>>>> Thanks,
>>>>>> Eli
>>>>>
>>>>> I stuck the script on my server, that makes an easier read then from
>>>>> inside a mail:
>>>>> http://kotk.nl/verifyIP.phps
>>>>>
>>>>> Hope that helps,
>>>>> Eli
>>>>>
>>>> i saw your external_acl app and it seems very nice.
>>>> i wrote another one on ruby that seems almost like that(a mimic for
>>>> practice).
>>>> and i was wondering about how do you plan to implement the proxy_auth
>>>> acls?
>>>> using AD? some other DB?
>>>
>>> I am not usre I follow, do you mean how I intend to manage my lists of
>>> usernames?
>>> In that case I am pushing for the use of LDAP properties, then a
>>> script will run every X time, determine whether or not the LDAP
>>> database was changed since the last update (based on change
>>> timestamps) and generate lists of usernames.
>>> Currently we don't have a good way of managing this, I have some
>>> sctipts that work based on the location of a user in our organization
>>> but that is not always correct.
>>>>
>>>> you mentioned something about the network infrastructure\CISCO if i
>>>> remember
>>>> right.
>>>
>>> Yes, the link of IP->username is generated based on the radius logs of
>>> the server that provides authentication for the wireless.
>>>
>>> However as said squid tells me that since I have no auth-mechanism
>>> fully setup I can't use proxy_auth lists so I wonder how can I use the
>>> username I provided in the external acl in the rest of squid?
>>
>>
>> It is just a label to Squid. Authentication happened outside with no
>> internal state other than teh external_acl_type format key to link it to
>> anything. It can be used in logging with %eo log tag, or passed to other
>> proxies as HTTP auth login with cache_peer login= option.
>
>
> Oops sorry %ue tag, not %eo.
>
> Amos
Ah, so if I understand this correctly I can't do anything with the
usernames on the proxy that runs the external acl but by handing of
the usernames to a parent I can start implementing policies based on
the usernames?
Thanks,
Eli
Received on Sun May 06 2012 - 08:37:36 MDT
This archive was generated by hypermail 2.2.0 : Mon May 07 2012 - 12:00:03 MDT