This is a discussion on Re: [squid-users] Multiple Auth Realms / E-mail auth within the Squid Users forums, part of the Web Server and Related Forums category.
On Tue, 2003-07-01 at 11:42, Diego Rivera wrote:
> Hello all
>
> I've been combing through the mailing lists trying to find a conclusive
> answer to my question, but with little luck as yet.
>
> I did find references to functionality similar to what I need, but it's
> supposedly in 2.5 - which I don't have and can't implement because of
> its beta-status (I'm using 2.4-STABLE7).

Quick correction: 2.5 is NOT beta, but I still can't use it (yet), although I need to solve this issue ASAP! Sorry for the mixup.

>
>
> Here's my issue: I need to have 1 squid proxy for a group of companies
> that share the same building. Each company has their own auth server,
> and e-mail domain. Some share LDAP servers, but users are on different
> branches of the tree.
>
> My ideal solution would be to have the proxy authenticate using the
> user's full e-mail and their password. The authenticator program (or
> internal module, or whatever) would then discern which server to auth
> against from the e-mail addx domain, and proceed accordingly.
>
> For example: joe@company-1.com is different from joe@company-2.com and
> should be authenticated against the servers for company-1, company-2,
> etc.
>
> Once that's done, squidGuard can be used to do redirection, and use the
> full e-mails as usernames where appropriate. This also eliminates audit
> confusion (i.e., joe accessed a porn site, but which joe?!?!?).
>
> I'm currently working on an authenticator perl script that does the
> split, and uses specific configurations to determine against which
> server a "realm" will auth against and how (LDAP, SMB, etc).
>
> Currently I'm only working on the LDAP module which is the most pressing
> (using Net::LDAP). I realize that there's already an LDAP authenticator
> module available, but it doesn't have the functionality I need.
>
> What I'd like to know is if all this work is really necessary (not done
> before), and if anyone who has encountered an issue like this before has
> been able to solve it 100% without having to do custom code.
>
> I'm early on in writing the script(s), and it doesn't seem too tough
> (except when you throw in LDAPS/LDAP-TLS into the mix, in which case it
> just gets a little more complex to do the config), but I'd like to avoid
> adding code if it's possible to reduce the complexity of the setup (and
> learn from others' experiences as well).
>
> If possible (not a priority), would I be able to tell different domains
> apart for ACL purposes (i.e., company-1 can go to website X, but not
> company-2)? How would this be accomplished? Could it be accomplished
> with the above setup (don't think so...)?
>
> Best

--
Diego Rivera
"The Disease: Windows, the cure: Linux"
E-mail: lrivera<AT>racsa<DOT>co<DOT>cr
Replace: <AT>='@', <DOT>='.'
GPG: BE59 5469 C696 C80D FF5C 5926 0B36 F8FF DA98 62AD
GPG Public Key available at: http://pgp.mit.edu
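The routing the post describes (split the login on its e-mail domain, then authenticate against that company's server), written as a Squid basic-auth helper. This is an added example, not part of the original post and not the author's Perl script: it is in Python, and the realm table, DN templates and in-memory `fake_directory` backends are constructed stand-ins for real LDAP binds. It assumes Squid's helper convention of one percent-encoded `username password` line in and `OK` or `ERR` out.

```python
import sys
from urllib.parse import unquote

def escape_dn_value(value):
    """Escape a string for use as an attribute value inside a DN (RFC 4514)."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    out = out.replace("\x00", "\\00")
    if out[:1] in ("#", " "):
        out = "\\" + out
    if len(value) > 1 and value.endswith(" "):
        out = out[:-1] + "\\ "
    return out

def authenticate(login, password, realms):
    """Pick the realm from the e-mail domain; fail closed on anything unexpected."""
    local, sep, domain = login.rpartition("@")
    realm = realms.get(domain.lower().rstrip("."))
    # An empty password must never reach LDAP: many servers treat a simple
    # bind with an empty password as anonymous and report success.
    if not sep or not local or not password or realm is None:
        return False
    dn = realm["dn_template"].format(uid=escape_dn_value(local))
    return bool(realm["bind"](dn, password))

def handle_line(line, realms):
    """One helper request: 'username password' in, 'OK' or 'ERR' out."""
    fields = line.rstrip("\r\n").split(" ")
    if len(fields) != 2:
        return "ERR"
    login, password = (unquote(f) for f in fields)
    return "OK" if authenticate(login, password, realms) else "ERR"

def fake_directory(entries):
    """Constructed stand-in for an LDAP simple bind against one company's server."""
    return lambda dn, password: entries.get(dn) == password

# Constructed sample realms: the two "joe" accounts are distinct users.
REALMS = {
    "company-1.com": {
        "dn_template": "uid={uid},ou=people,dc=company-1,dc=com",
        "bind": fake_directory({"uid=joe,ou=people,dc=company-1,dc=com": "pw-one"})},
    "company-2.com": {
        "dn_template": "uid={uid},ou=staff,dc=company-2,dc=com",
        "bind": fake_directory({"uid=joe,ou=staff,dc=company-2,dc=com": "pw-two"})},
}

if __name__ == "__main__":
    for request in sys.stdin:  # Squid keeps the helper running and feeds it lines
        print(handle_line(request, REALMS), flush=True)
```

Because the helper only answers `OK` for a full `user@domain` login, the proxy's access log and squidGuard see the qualified name, which is what removes the "which joe?" ambiguity in audits.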