Re: groups idea

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 02 Sep 2000 00:20:21 +0200

To explain what I meant by including the ACL name:

The ACL name is passed down to the authentication helper, and used as
part of the index key to the authentication cache.

The drawback is that if there are multiple ACLs defined then multiple
calls to the authentication helper will be made.

The benefit compared to the other approaches is that different
authentication backends might be selected for different "groups".

I need to ponder over this some more to make up my mind. Will get back
to the subject tomorrow.

/Henrik

Henrik Nordstrom wrote:
>
> This has been discussed before.
>
> To make it perfect two different approaches are needed:
>
> a) Authenticators need to be able to report group membership when the
> user is authenticated
>
> b) There needs to be an acl type for external group membership lookups,
> much like the proxy_auth verification.
>
> A simple mid-ground approach is perhaps to change proxy_auth to include
> the ACL name as part of the authentication process and caching. Hmm..
> thinking about it I probably prefer this. Not very much needs to be
> changed to support it and it allows full flexibility in the access
> control. Only problem is that it does not scale that well with the
> number of groups.
>
> /Henrik
>
> Robert Collins wrote:
> >
> > For authentication, what if we have the authenticator return the groups
> > after the current response? So old authenticators are returning no group
> > memberships, and newer ones can return groups optionally?
> >
> > With ntlm_auth we return the username from the authenticator anyway... I
> > don't know how much overhead it would introduce.
> >
> > Then in squid.conf we either match against both the username and group names,
> > or perhaps introduce a new directive proxy_auth_group?
> >
> > Rob
Received on Fri Sep 01 2000 - 16:20:33 MDT
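
Added example, not part of the original messages and not Squid's code: a small Python model of the approach discussed in this thread, where the ACL name is passed to the helper and is part of the authentication cache key. The helper interface, the class and function names, and the sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import time

# Constructed sample accounts: two independent backends, one per "group" ACL.
STAFF_DB = {"alice": "s3cret", "bob": "hunter2"}
ADMIN_DB = {"alice": "s3cret"}

def backend(db):
    """Build a hypothetical helper that receives the ACL name with the credentials."""
    def helper(acl_name, user, password):
        stored = db.get(user)
        return stored is not None and hmac.compare_digest(stored.encode(), password.encode())
    return helper

class AclAuthCache:
    def __init__(self, helpers, ttl=3600, clock=time.monotonic):
        self.helpers = helpers   # ACL name -> helper callable
        self.ttl = ttl
        self.clock = clock
        self.entries = {}        # (acl, user, digest) -> (verdict, expiry)
        self.helper_calls = 0

    def check(self, acl_name, user, password):
        # The ACL name is part of the key, so a verdict cached for one ACL
        # is never reused for another. The digest keeps cleartext out of the index.
        digest = hashlib.sha256(password.encode()).hexdigest()
        key = (acl_name, user, digest)
        now = self.clock()
        entry = self.entries.get(key)
        if entry is not None and entry[1] > now:
            return entry[0]
        self.helper_calls += 1
        verdict = self.helpers[acl_name](acl_name, user, password)
        self.entries[key] = (verdict, now + self.ttl)
        return verdict

def demo():
    cache = AclAuthCache({"staff": backend(STAFF_DB), "admins": backend(ADMIN_DB)})
    acls = ("staff", "admins", "staff", "admins")
    verdicts = [cache.check(acl, "bob", "hunter2") for acl in acls]
    return verdicts, cache.helper_calls

if __name__ == "__main__":
    print(demo())
```

The same user checked against two ACLs costs two helper calls before the cache takes over, which is the scaling drawback raised in the thread, and the "staff" verdict never satisfies the "admins" ACL.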
