Re: [squid-users] ACL based on User Groups

From: Valdir Henrique Dias Leite <[email protected]>
Date: Sat, 24 Apr 2004 19:51:32 -0300

Thank you again Henrik, but i have some concerns about this approach
(network traffic and performance)

Our scenario has 3 groups and the script make at least 3 calls to winbind.
So, every HTTP GET made by user, will be made 9 winbind calls for check
either user has or not access to perform that GET.

For a page like aol.com, with dozens of images, the general overhead caused
by this approach is a great concern to us.

Well, I will configure it and test some time to see if it is true.

In time, I was wondering to build an ad-hoc solution using either Berkely-DB
or Embedded MySQL Server (libmysqld) where one can model acls like a
relacional model and check all acls against all groups the current user are
in. ( Advantages: Only one call to winbind, retrieving all groups and
caching them for the entire session; and the performance of data access
layer - BDB or libmysqld - ) Of course, it will be released to the
community.

I would be glad to hear some words about that approach ...

Thanks again,

Valdir Leite
Sao Paulo
Brasil

----- Original Message -----
From: "Henrik Nordstrom" <hno@squid-cache.org>
To: "Valdir Henrique Dias Leite" <valdirh@uol.com.br>
Cc: "Henrik Nordstrom" <hno@squid-cache.org>; <squid-users@squid-cache.org>
Sent: Saturday, April 24, 2004 6:00 PM
Subject: Re: [squid-users] ACL based on User Groups

> On Sat, 24 Apr 2004, Valdir Henrique Dias Leite wrote:
>
> > I saw wb_group.pl script, which checks, via winbind calls, if a user is
or
> > not inside a given group.
> >
> > What I need is to have, 3 ACLs, for example, and divide all my users
among
> > these groups, like:
>
> This is exacly the purpose of the above script. It is used for building
> any number of ACLs referring to NT Domain groups (via Samba).
>
> > groups, apply on of the three ACL above. Here is my problem. After
> > authenticating, how to perform the authorization based on which group
the
> > user is in.
>
> By defining one acl per group, and use these accordingly in http_access.
>
> > I was thinking in pass to squidGuard the name of the group (meaning as a
> > "login" ou "username") and create the acls with this information (group
> > name) as user names.
>
> This sounds very hard to accomplish.
>
> Much easier to simply use group connectec ACLs within Squid.
>
>
> There is defails on how to use group helpers in the squid_ldap_group
> helper manual. The same principles apply to all group helpers.
>
> Regards
> Henrik
>

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.668 / Virus Database: 430 - Release Date: 24/4/2004
Received on Sat Apr 24 2004 - 16:52:23 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Apr 30 2004 - 12:00:02 MDT