Re: Storing more squid config into LDAP


Felipe Augusto van de Wiel wrote:
Hi,

	I'm already using LDAP authentication and the
company I work for tries to put a lot of authentication
and authorization (meta-)information inside LDAP.

	This week, we were wondering if it is possible
to use LDAP as a backend for acl lists.  The idea would
be to get a list of domains for a user or a list of
source domains for an acl and so on, instead of putting
the list on squid.conf or in an external file, LDAP
would be the "repository".

	Looking at the standard config, it doesn't seem
to be possible, the only external "repository" would be
a file, but do you believe it is possible to try to
achieve it using external_acl?

Certainly.

	Writing a custom script that would get info
from LDAP and check different items and conditions?

Yes, this is possible.

	In principle, the discussion led us to having
an LDAP object for squid with generic lists, like
sites allowed for all the company, sites for a Walled
Garden, sites restricted for different groups, but we
also spoke about having lists per-user, as every person
would have an object inside LDAP, we could have a field
that would add or remove sites from the previous lists
in a per-user basis.

	What do you think?

Give your external ACL some leeway with caching results (also known as the TTL). Make it too small and you are going to be hitting your LDAP server for every object. Further realize that every request for an object that results in different parameters being passed to the external ACL is going to require a response from the external ACL. If you want to verify that a specific user is allowed to access a specific URL, you need to send a username/URL pair. Every object that comprises a web page is going to result in a query to the external ACL. Obviously using destination domain is going to reduce the number of checks that need to be made.

	Has anybody heard about anything on those lines?

	Thanks in advance for any info/suggestions. :)

Kind regards,
-- Felipe Augusto van de Wiel <felipe.wiel@xxxxxxxxxx>
Tecnologia da Informação (TI) - Complexo Pequeno Príncipe
http://www.pequenoprincipe.org.br/    T: +55 41 3310 1085

Chris
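
Added example, not part of the original thread and not Squid project code: a minimal external ACL helper for the username/destination-domain check discussed above, where Squid sends one `%LOGIN %DST` pair per line and the helper answers `OK` or `ERR`. The in-memory `DIRECTORY`, its list and attribute names, the sample users, the helper path and the TTL values are constructed stand-ins for an LDAP search and a real deployment; it assumes helper concurrency is off, so no channel ID is sent.

```python
# Assumed squid.conf wiring (path and TTL values are constructed):
#   external_acl_type ldap_sites ttl=300 negative_ttl=60 %LOGIN %DST /path/to/helper.py
#   acl site_ok external ldap_sites
import sys
from urllib.parse import unquote

# Constructed stand-in for the LDAP directory; in production fetch_policy()
# would run an LDAP search instead. List and attribute names are hypothetical.
DIRECTORY = {
    "lists": {"company": {"example.org", "intranet.example"},
              "walled-garden": {"updates.example.net"}},
    "users": {"alice": {"lists": ["company"], "add": {"partner.example"}, "remove": set()},
              "bob": {"lists": ["company", "walled-garden"], "add": set(),
                      "remove": {"intranet.example"}}},
}

def fetch_policy(user, directory=DIRECTORY):
    """Return the effective allowed-domain set for user, or None if unknown."""
    entry = directory["users"].get(user)
    if entry is None:
        return None
    allowed = set()
    for name in entry["lists"]:               # generic, shared lists
        allowed |= directory["lists"].get(name, set())
    return (allowed | entry["add"]) - entry["remove"]   # per-user overrides

def domain_matches(host, domain):
    """Exact match, or subdomain match on a label boundary only."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def decide(line, directory=DIRECTORY):
    """Map one Squid request line ('%LOGIN %DST') to 'OK' or 'ERR'."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR"                          # malformed input: fail closed
    user, host = unquote(fields[0]), unquote(fields[1])
    try:
        allowed = fetch_policy(user, directory)
    except Exception:
        return "ERR"                          # directory failure: fail closed
    if not allowed:
        return "ERR"                          # unknown user or empty policy
    return "OK" if any(domain_matches(host, d) for d in allowed) else "ERR"

def main():
    for line in sys.stdin:                    # Squid sends one request per line
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()                    # Squid waits for each answer

if __name__ == "__main__":
    main()
```

Because Squid caches each distinct `%LOGIN %DST` pair for the configured TTL, keying on destination domain rather than full URL keeps the number of helper (and LDAP) lookups down, as the reply above points out.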

