On 9/27/2012 5:25 PM, E.S. Rosenberg wrote:
>what kind of ACLs are you talking about exactly?
Lists of users, users that browse through ISP A, and users that browse
through ISP B, users that are blocked etc.
I would say the better approach to avoid problems with users getting
access to an ISP is to check "ISP B" first, and if the acl matches, use
"ISP B" for the external acl.
>keep in mind that you can write your own settings file\db to work with.
>
>if it's LDAP\mysql\RADIUS it can be done easily.
The info on which ISP a user is supposed to use at the moment is
"partially" in LDAP (i.e. determined by location in the tree or membership
of a unix group; I'd like to change it to being an attribute for each
user).
Since it's a kind of a simple check it shouldn't be such a big problem
to use external_acl.
If it's only 2 ISP connections, it's either the "default" or the "special"
one, and you should be able to use only one external_acl for that.
The good thing about a helper is that it has a TTL, which makes the
"rule" per user, for authenticated users (not by IP).
If you use a helper with concurrency support (async) you can get
pretty good results.
If you ask me, there is not much difference between a unix\ldap group
and a user-specific ISP object.
With group you get the benefit of easy management of the group.
We also have a RADIUS server which basically acts as a frontend to
LDAP for some RADIUS based products, it seems that leveraging RADIUS
would provide other advantages if I also leverage the reporting
feature to count users' traffic....
Thanks,
Eli
Using RADIUS can give you a lot in the sense of authentication etc.,
and as I wrote before: one of the worst things to do in the sense of
proxy configuration is to "reconfigure" every five or so minutes.
It should generally be safe if needed for specific operations, but the
proxy should be statically configured and use whatever resource exists
to allow dynamic configuration instead of reconfiguration.
Regards,
Eliezer
--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
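The helper-based setup discussed above (one external_acl for the "special" ISP, keyed on the login name, cached by TTL, with concurrency), as an added example that is not code from this thread or from the Squid project. It assumes the external_acl_type line shown in the docstring; the user-to-ISP map is a constructed stand-in for the per-user LDAP attribute Eli mentions, and the outgoing addresses are documentation-range placeholders.

```python
#!/usr/bin/env python3
"""Squid external_acl helper: answers OK for users who should leave via "ISP B".

Assumed squid.conf fragment (addresses are placeholders, not real ones):
  external_acl_type isp_b ttl=300 negative_ttl=60 concurrency=10 %LOGIN /usr/local/bin/isp_helper.py
  acl use_isp_b external isp_b
  tcp_outgoing_address 192.0.2.2 use_isp_b    # ISP B for matching users
  tcp_outgoing_address 192.0.2.1              # default: ISP A

Squid caches each verdict for ttl seconds per login, so moving a user between
ISPs only changes the backing data; no "squid -k reconfigure" is needed.
"""
import sys
from urllib.parse import unquote

# Constructed stand-in for the per-user ISP attribute in LDAP/RADIUS.
# A real helper would look the login up in the directory here.
USER_ISP = {"alice": "B", "bob": "A", "carol": "B"}


def parse_request(line, concurrent=True):
    """Split one request line into (channel_id, login).

    With concurrency=N Squid prefixes every line with a numeric channel id
    that must be echoed back. Format fields (%LOGIN) are URL-encoded.
    """
    fields = line.strip().split(" ")
    channel = None
    if concurrent:
        channel, fields = fields[0], fields[1:]
    login = unquote(fields[0]) if fields else ""
    return channel, login


def decide(login):
    """Verdict for one login: OK means 'route via ISP B'."""
    if login in ("", "-"):      # Squid sends "-" when there is no login
        return "ERR"            # unauthenticated traffic stays on the default ISP
    return "OK" if USER_ISP.get(login) == "B" else "ERR"


def handle_line(line, concurrent=True):
    """Build the full response line Squid expects, channel id included."""
    channel, login = parse_request(line, concurrent)
    verdict = decide(login)
    return f"{channel} {verdict}" if channel is not None else verdict


if __name__ == "__main__":
    for request in sys.stdin:
        sys.stdout.write(handle_line(request) + "\n")
        sys.stdout.flush()      # Squid waits for each answer; never buffer
```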