Re: Modified squid to allow user groups based acl's

From: <Ted_Rule@dont-contact.us>
Date: Mon, 24 May 1999 16:33:43 +0100

Interesting. Actually what I'd really like is a hybrid authentication,
authorisation scheme.

This would somehow involve Squid obtaining a clients username via a variety of
means, and then
using that same name as an index into a variety of different databases to obtain
authorisation to perform
various different actions.

As a first instance, I'm after Squid retrieving the username from either say
ident lookup - or preferably NT domain
login name, and then using some open protocol - probably LDAP - to hook into an
external database for
authorisation rights for that username. The LDAP hook provides for a future
proofing compatibility with NT5, and would
already hook into various Unix and Notes boxes.

I've had a very cursory scan of the existing extra authentication tools which
have been provided such as ncsa_auth
and so on, but in the longer term I feel I'm after a finer grained approach
where a single authentication takes place at
connection to the cache, but multiple authorisation sequences may take place
later on to grant the user rights
to use different services - without any extra password dialogs taking place.

The multi-level authorisation probably also requires extra syntactic glue in the
configuration file as well.

This is probably wildly over the top functionality for a web-cache, but one can
always dream.

Ted Rule,
Flextech Television
Received on Mon May 24 1999 - 09:32:43 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:46:24 MST