My current setup:
Squid (ACLs) -> DansGuardian (filtering) -> Squid (Caching)
What happens is that Squid sends an ident query to the client; if the username in the response (checked using an external acl) appears in a file that contains a list of allowed users (polled from an LDAP server every hour), it allows the client access. From there, DG will send another ident query for logging purposes.
If the ident query fails, the next acl uses basic auth and authenticates the user with ldap.
The problem is that it generates two ident queries per request and I'm afraid on a network with over 3000 users this might be too much. It would be nice if Squid would treat ident as a true authentication mechanism and "remember" who the user is for a certain amount of time, like with basic auth.
It also would be an improvement if Squid would pass the ident username between cache peers as it does with basic auth. DG could then get the username from this and wouldn't need to send an ident query. I know I've posted on this subject before, but I'm really hoping this will inspire someone as others are probably dealing with my same quandary.
An alternate idea would be to ditch ident and use a client on the Windows workstations that would automatically respond to the basic auth requests. The goal is to make this setup similar to our BorderManager proxy which uses a Novell application called Client Trust so proxy authentication is seamless to the end-user.
I have no idea if said application exists which would handle basic auth for more than just IE (for instance, what if they're using Netscape, an FTP client, Java, etc.).
Sorry for such a long email... any input will be greatly appreciated!
Best regards,
David Rippel
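The first stage of the setup described in the message above (an external acl that answers from a file of allowed usernames and lets a failed ident lookup fall through to the basic-auth rule) can be sketched as a Squid external ACL helper. This is an added example written for this page, not code from the original post or from the Squid project; the squid.conf lines in the docstring, the `/etc/squid/allowed-users` path and the helper filename are assumptions, and the `%IDENT` format token, `ttl=`/`negative_ttl=` caching options and the one-line "OK"/"ERR" reply protocol are Squid's own external_acl_type interface.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: allow a request when the ident username is on an allow-list.

Assumed wiring in squid.conf (hypothetical, not taken from the original post):
    external_acl_type ident_allow ttl=3600 negative_ttl=60 %IDENT /usr/local/bin/ident_allow.py
    acl allowed_ident external ident_allow
    http_access allow allowed_ident
    # ... followed by the proxy_auth (basic auth against LDAP) rule as a fallback

Squid starts the helper once, writes one lookup key per line to its stdin and
expects one "OK" or "ERR" line back per key, in order. The ttl= option makes
Squid cache each helper verdict per key, so the helper (not the ident lookup)
is consulted at most once per username per hour.
"""
import os
import sys

ALLOWED_USERS_FILE = "/etc/squid/allowed-users"  # assumed path; one username per line


def parse_allowed_users(lines):
    """Build a set of lowercased usernames, ignoring blank lines and '#' comments."""
    users = set()
    for line in lines:
        name = line.strip()
        if name and not name.startswith("#"):
            users.add(name.lower())
    return users


class AllowList:
    """Allow-list that re-reads its file when the mtime changes, so the hourly
    LDAP export is picked up without restarting Squid or the helper."""

    def __init__(self, path):
        self.path = path
        self.mtime = None
        self.users = set()

    def current(self):
        try:
            mtime = os.stat(self.path).st_mtime
        except OSError:
            # Missing or unreadable list: fail closed (deny everyone) rather
            # than keep serving a stale set.
            self.users = set()
            self.mtime = None
            return self.users
        if mtime != self.mtime:
            with open(self.path, encoding="utf-8") as fh:
                self.users = parse_allowed_users(fh)
            self.mtime = mtime
        return self.users


def decide(request_line, allowed):
    """Map one Squid lookup line to an 'OK' or 'ERR' reply.

    The key is the %IDENT value; Squid substitutes '-' when the ident lookup
    failed or timed out. That must produce ERR so that http_access falls
    through to the proxy_auth rule that follows instead of granting access.
    """
    fields = request_line.strip().split()
    if not fields:
        return "ERR"
    username = fields[0]
    if username == "-" or username.lower() not in allowed:
        return "ERR"
    return "OK"


def main():
    allow = AllowList(sys.argv[1] if len(sys.argv) > 1 else ALLOWED_USERS_FILE)
    for line in sys.stdin:
        sys.stdout.write(decide(line, allow.current()) + "\n")
        sys.stdout.flush()  # Squid blocks on the reply; unflushed output stalls the request


if __name__ == "__main__":
    main()
```

The helper never does the LDAP query itself; it only consults the hourly export, so a slow directory cannot stall request processing, and the ident answer remains what it is in the original design: a client-asserted name checked against a list, with the LDAP-backed basic auth rule as the fallback when no usable ident reply arrives.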
Received on Thu Feb 05 2004 - 08:17:23 MST