On 29/02/2012 12:35 p.m., Amos Jeffries wrote:
On 29.02.2012 02:50, E.S. Rosenberg wrote:
2012/2/28 Amos Jeffries:
On 28/02/2012 9:07 p.m., Erwann Pencreach wrote:
Hi all,
here is what I've done in squid.conf :
external_acl_type loggeduser children=15 %DST %SRC /etc/squid3/squid.d/loggeduser_acl.sh
acl isok external loggeduser
http_access allow isok
If you add an ID you can use concurrency to reduce process overheads.
and here is the loggeduser_acl.sh script:
while read dst srchost;
while read id dst srchost;
do
date=$(date +"%d/%m/%Y %H:%M:%S")
authuser=$(command to get logged user on client host)
if [ "$(echo "$authuser" | wc -w)" -ne 1 ]
then
echo "[KO] number of connected user differs from 1 $srchost $dst" >> /var/log/squid3/extacl.log
echo "ERR"
echo "${id} ERR"
else
isok=$(the I check my access right)
if [ -n "$isok" ]
then
echo "[OK]$date $authuser($accountstatus) $srchost $dst" >> /var/log/squid3/headers.log
echo "OK user=$authuser"
echo "${id} OK user=${authuser}"
else
echo "[KO]$date $authuser($accountstatus) $srchost $dst" >> /var/log/squid3/headers.log
echo "ERR user=$authuser"
echo "${id} ERR user=${authuser}"
# NOTE: do you actually have authuser at this point?
fi
fi
done
exit 1
The question that comes to my mind here is what backend you are intending to
use this with? What authentication database/system needs you to write a
whole new helper?
Amos
I don't know about Erwann, but I am creating this to connect between
squid and cisco wlc, basically a script will update a MySQL db with
the user currently associated with an IP and then squid will get the
username based on the IP...
Since the user already authenticated against the WLC (which in turn
uses radius/ldap) I don't want to present them with another password
dialog so when the radius server logs a successful authentication for
IP X by user Y the db gets updated with those details...
Thanks for the example...
Eli
Hmm. Thanks for the push. I have a new session helper which can become
FOSS I suppose. It works with many DB types and takes arbitrary user
Identifier tokens. Similar to the session helper, but uses SQL
database types shared with external management systems.
Will get that to squid-dev shortly, and try to remember to cc you on
the details.
Amos
Preliminary version of this can be found at
http://treenet.co.nz/project/squid/patches/ext_sql_session_acl.pl
It still has issues with handling whitespace in the UUID format
token(s) from Squid. If anyone can provide a perl split operator that
pops off just the channel ID and leaves the rest as a single string in
the $uid variable that would complete it.
Amos
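An added example, not code from this thread and not Amos's ext_sql_session_acl.pl: a concurrent external ACL helper in the shape of Erwann's loggeduser_acl.sh, with the pieces the thread touches on in one runnable script. It answers on the channel ID that concurrency= adds to each request, keeps Erwann's "exactly one user bound to the source IP" rule, sends diagnostics to stderr instead of the reply stream, and shows a pop-the-ID split that leaves the rest of the line as a single string with its whitespace intact (the operation Amos asks for). The squid.conf line, helper path and the IP-to-user table are assumptions standing in for the MySQL table Eli described.

```shell
#!/bin/sh
# Added example, not Erwann's loggeduser_acl.sh or Amos's helper: a concurrent
# Squid external ACL helper for the %DST %SRC format used in the thread.
# Assumed squid.conf line (helper path is a placeholder):
#   external_acl_type loggeduser children=5 concurrency=10 %DST %SRC /path/to/helper.sh
# With concurrency=N Squid prefixes every request with a channel ID, so a
# request reads "ID DST SRC" and every reply must start with the same ID.

# Constructed stand-in for the IP -> user table Eli described: one
# "ip user" pair per line. 10.0.0.7 deliberately carries two bindings.
USERMAP='10.0.0.5 alice
10.0.0.6 bob
10.0.0.7 carol
10.0.0.7 dave'

# pop_channel_id LINE: print the channel ID on one line and the remainder on
# the next. read assigns everything after the first field to its last
# variable, so whitespace inside the remainder (a token with spaces, say)
# is preserved instead of being split into further fields.
pop_channel_id() {
    read -r id rest <<EOF
$1
EOF
    printf '%s\n%s\n' "$id" "$rest"
}

# users_for_ip IP: print every user currently bound to IP, one per line.
users_for_ip() {
    printf '%s\n' "$USERMAP" | awk -v ip="$1" '$1 == ip { print $2 }'
}

# handle_request LINE: build the reply for one request line. Exactly one
# bound user yields OK (with user= so the name reaches access.log); zero or
# several bindings yield ERR, which is Erwann's "differs from 1" rule.
handle_request() {
    read -r id dst src <<EOF
$1
EOF
    [ -n "$id" ] || return 0            # blank line: nothing to answer
    if [ -z "$dst" ] || [ -z "$src" ]; then
        echo "malformed request on channel $id: $1" >&2   # stderr, not the reply stream
        printf '%s ERR\n' "$id"
        return 0
    fi
    users=$(users_for_ip "$src")
    count=$(printf '%s' "$users" | awk 'END { print NR }')
    if [ "$count" -eq 1 ]; then
        printf '%s OK user=%s\n' "$id" "$users"
    else
        echo "[KO] $count users bound to $src ($dst)" >&2
        printf '%s ERR\n' "$id"
    fi
}

# serve: the loop Squid talks to, one request per line, one reply per line.
serve() {
    while read -r line; do
        handle_request "$line"
    done
}

# Only enter the loop when started as the helper (by Squid, or by hand with:
#   printf '0 example.com 10.0.0.5\n' | sh helper.sh --serve).
if [ "${1-}" = "--serve" ]; then
    serve
fi
```

The Perl counterpart of pop_channel_id is a two-field limit on split: split(' ', $line, 2) returns the channel ID and the untouched remainder of the line as its second element. Two operational points for a helper like this: Squid caches each answer for the external_acl_type ttl= (and negative_ttl=) period, so a binding that disappears from the table keeps granting access until the cached entry expires, and the helper trusts whatever the table says about an IP, so the process that writes the table (the RADIUS or WLC side in Eli's setup) has to remove bindings as well as add them.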