Re: [squid-users] ACL based on User Groups

From: John P Santos <[email protected]>
Date: Sat, 24 Apr 2004 18:58:53

I'm interested in seeing this solution as I have some clients who have been
asking for a user based solution, and up to now I've not been able to
produce one for them.

At 19:51 24/4/2004 -0300, Valdir Henrique Dias Leite wrote:
>Thank you again Henrik, but i have some concerns about this approach
>(network traffic and performance)
>
>Our scenario has 3 groups and the script make at least 3 calls to winbind.
>So, every HTTP GET made by user, will be made 9 winbind calls for check
>either user has or not access to perform that GET.
>
>For a page like aol.com, with dozens of images, the general overhead caused
>by this approach is a great concern to us.
>
>Well, I will configure it and test some time to see if it is true.
>
>In time, I was wondering to build an ad-hoc solution using either Berkely-DB
>or Embedded MySQL Server (libmysqld) where one can model acls like a
>relacional model and check all acls against all groups the current user are
>in. ( Advantages: Only one call to winbind, retrieving all groups and
>caching them for the entire session; and the performance of data access
>layer - BDB or libmysqld - ) Of course, it will be released to the
>community.
>
>I would be glad to hear some words about that approach ...
>
>Thanks again,
>
>Valdir Leite
>Sao Paulo
>Brasil
>
>----- Original Message -----
>From: "Henrik Nordstrom" <hno@squid-cache.org>
>To: "Valdir Henrique Dias Leite" <valdirh@uol.com.br>
>Cc: "Henrik Nordstrom" <hno@squid-cache.org>; <squid-users@squid-cache.org>
>Sent: Saturday, April 24, 2004 6:00 PM
>Subject: Re: [squid-users] ACL based on User Groups
>
>
>> On Sat, 24 Apr 2004, Valdir Henrique Dias Leite wrote:
>>
>> > I saw wb_group.pl script, which checks, via winbind calls, if a user is
>or
>> > not inside a given group.
>> >
>> > What I need is to have, 3 ACLs, for example, and divide all my users
>among
>> > these groups, like:
>>
>> This is exacly the purpose of the above script. It is used for building
>> any number of ACLs referring to NT Domain groups (via Samba).
>>
>> > groups, apply on of the three ACL above. Here is my problem. After
>> > authenticating, how to perform the authorization based on which group
>the
>> > user is in.
>>
>> By defining one acl per group, and use these accordingly in http_access.
>>
>> > I was thinking in pass to squidGuard the name of the group (meaning as a
>> > "login" ou "username") and create the acls with this information (group
>> > name) as user names.
>>
>> This sounds very hard to accomplish.
>>
>> Much easier to simply use group connectec ACLs within Squid.
>>
>>
>> There is defails on how to use group helpers in the squid_ldap_group
>> helper manual. The same principles apply to all group helpers.
>>
>> Regards
>> Henrik
>>
>
>
>---
>Outgoing mail is certified Virus Free.
>Checked by AVG anti-virus system (http://www.grisoft.com).
>Version: 6.0.668 / Virus Database: 430 - Release Date: 24/4/2004
>
Received on Sat Apr 24 2004 - 18:02:27 MDT

This archive was generated by hypermail pre-2.1.9 : Fri Apr 30 2004 - 12:00:02 MDT