On Sun, 13 Nov 2011 12:35:13 +0100, Giovanni Rosini wrote:
Perhaps I wasn't clear.
I know how SQL queries work, I'm able to write down a select query,
this is not the question.
What I mean is that, looking at the actual access.log file, it seems
squid hasn't enough details to filter RADACCT table and extract the
right record.
The logged details are not the complete set of data available to Squid.
It is a small subset which has been found to be useful for logging, and
log analyser graphs for management people.
What I am talking about has been the external_acl_type helper. Which
currently has an almost completely different set of format parameters:
http://www.squid-cache.org/Doc/config/external_acl_type/
I think that the only way is having somewhere in squid files both nat
ip and local ip, as in RADACCT records.
For the duration of each session nat ip+local ip are associated
uniquely to one username.
Comparing date and time I could extract a unique record.
External ACL have:
* %SRC %SRCPORT for client IP:port (before the local squid box SNAT,
if any. After remote box SNAT).
* %MYADDR %MYPORT for squid local IP:port (before local Squid box
DNAT, if any. After remote box DNAT).
** With iptables REDIRECT %MYADDR is unreliable.
* time 'now' can be identified by the helper without being passed in
from Squid.
If you bump up to 3.2.0.8 you can also get the MAC / EUI addresses for
more reliable source tracing. But in your case with remote boxes doing
relays this will only link which of those boxes it came through (subnet
separation?).
Amos
Giovanni
p.s.: I hope I responded to the right address this time, and thanks
for previous answers
On 13/11/2011 4.33, Amos Jeffries wrote:
On 13/11/2011 2:55 p.m., Giovanni Rosini wrote:
I'm not sure I understand.
How can the external script find the right username?
In radius db I have the RADCHECK table containing all users
registered, and RADACCT table where you find a record for every
session.
Take that above sentence, replace "where you find" with "where
script finds".
Each record in RADACCT shows a lot of data (username, nat ip, local
ip, time of start and end of each session, etc.) but how can squid
match a page request with database entries to retrieve username?
By looking up the details Squid has and finding the matching record.
Please find a beginners tutorial on how database queries work. It
should cover how to find a database record by querying it with some
few of the field details. The db_auth script I mentioned earlier does
database queries. You adjust the script (either the code or the
command parameters passed to it in squid.conf) to create a query for
the RADIUS database.
Amos
PS. and please consider responding to the mailing list address. I
only do private answers for paid customers.
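
Added example, not part of the original thread and not Squid's or the db_auth script's own code: a sketch of the external_acl_type helper approach discussed above, which maps the %SRC address plus the helper's own 'now' to the single accounting session that covers it. The table layout, column names, ACL name, helper path and sample sessions are all assumptions; an in-memory SQLite database stands in for the RADIUS database.

```python
#!/usr/bin/env python3
# Assumed squid.conf wiring (ACL name and helper path are hypothetical):
#   external_acl_type radacct_user ttl=60 %SRC /usr/local/bin/radacct_helper.py
import sqlite3
import sys
import time
from urllib.parse import quote, unquote

# Table layout and column names are assumptions standing in for RADACCT.
QUERY = """SELECT DISTINCT username FROM radacct
           WHERE client_ip = ? AND start_time <= ?
             AND (stop_time IS NULL OR stop_time >= ?) LIMIT 2"""

def lookup(db, src_ip, now):
    """Return the one username whose session covers (src_ip, now), else None."""
    rows = db.execute(QUERY, (src_ip, now, now)).fetchall()
    # Zero matches or two different users on one IP: refuse to guess.
    return rows[0][0] if len(rows) == 1 else None

def answer(db, line, now):
    """Turn one request line from Squid (the %SRC value) into a helper reply."""
    fields = line.split()
    if not fields:
        return "ERR"
    user = lookup(db, unquote(fields[0]), now)
    # URL-escape so whitespace in a stored username cannot add reply fields.
    return "OK user=" + quote(user, safe="") if user else "ERR"

def demo_db():
    """Constructed sample sessions; a real helper connects to the RADIUS database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (username TEXT, client_ip TEXT,"
               " start_time INTEGER, stop_time INTEGER)")
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?, ?)", [
        ("alice", "10.0.0.5", 1000, 2000),    # closed session
        ("bob", "10.0.0.5", 2500, None),      # same IP reused later, still open
        ("carol", "10.0.0.9", 1000, None),
        ("dave", "10.0.0.9", 1500, None),     # overlaps carol: ambiguous
        ("j smith", "10.0.0.7", 1000, None),  # username containing a space
    ])
    return db

if __name__ == "__main__":
    db = demo_db()
    for line in sys.stdin:  # one lookup per line, one reply per line
        print(answer(db, line, int(time.time())), flush=True)
```

The helper answers ERR rather than picking a user when no session or more than one user matches the address at that time, so an ambiguous accounting record never attributes a request to the wrong person.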