On 2010-05-27, Henrik Nordström <henrik@xxxxxxxxxxxxxxxxxxx> wrote:
>>
>> Authentication? no.
>
> Yes, if the client is using a certificate for authentication purposes.
>
> If the provided client certificate has an emailAddress attribute then
> this is used as the user identity at least for log purposes.

We already have lots of OpenVPN users with client certs, and use the CN of the cert to assign which networks they have access to. All certs have the emailAddress attribute as well.

Full VPN is a bit overkill for the users that only need to access a few internal web servers, so I'm wondering if we can utilize the same public key infrastructure to give access through a Squid proxy, and use Squid ACLs to control what they get access to, based preferably on the CN, but emailAddress is probably OK too.

Do you think this sounds feasible?

Has anybody done something similar, and might care to share their config?

-jf
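A Squid configuration sketch of the set-up asked about above, added here as an example and not a config from this thread or from the Squid project: the proxy terminates TLS on an https_port, requests a client certificate issued by the OpenVPN CA, and grants access to internal web servers by the certificate's CN. Port, file paths, CN values and destination domains are assumed placeholders.

```conf
# Added example, not from the thread. Squid 3.x option names; all paths, names and
# domains below are placeholders to be replaced with the site's own values.

# TLS listener for the browsers. clientca= makes Squid request a client certificate
# signed by our OpenVPN CA; cafile= is used to verify it; NO_DEFAULT_CA stops
# OpenSSL's built-in CA bundle from being trusted, so only our own CA is accepted.
https_port 3129 cert=/etc/squid/proxy-cert.pem key=/etc/squid/proxy-key.pem clientca=/etc/squid/openvpn-ca.pem cafile=/etc/squid/openvpn-ca.pem sslflags=NO_DEFAULT_CA

# Group membership by certificate CN (the same CNs OpenVPN already keys on).
# A double-quoted argument is read as a file holding one CN per line.
acl finance_users user_cert CN "/etc/squid/finance-cn.txt"
acl ops_users user_cert CN alice bob

# The internal web servers each group may reach.
acl finance_web dstdomain erp.internal.example
acl ops_web dstdomain monitor.internal.example wiki.internal.example

# Allow only the group/destination pairs above; everything else is refused.
http_access allow finance_users finance_web
http_access allow ops_users ops_web
http_access deny all
```

The client certificate is only exchanged if the browser speaks TLS to the proxy itself (the https_port), not merely to the origin server, so clients that cannot be configured for a TLS proxy will need a local TLS wrapper in front of it.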