2012/9/29 Eliezer Croitoru <eliezer@xxxxxxxxxxxx>:
> On 9/27/2012 5:25 PM, E.S. Rosenberg wrote:
>>> > what kind of ACLs are you talking about exactly?
>>
>> Lists of users, users that browse through ISP A, and users that browse
>> through ISP B, users that are blocked etc.
>>
> I would say the better approach to evade problems with users getting access
> to ISP is "ISP B" first and if match acl use "ISP B" for the external acl.

I have A, B and C with a potential for quite a few more (not necessarily
ISPs but also browsing restrictions or lack thereof).
I guess I over-simplified things a bit, but we have lots of user based
stuff going on, in addition we also want to start capping bandwidth usage
on a per user basis so that resources are shared more fairly etc.

Regards,
Eli

>
>>> > think in mind that you can write your own settings file\db and to work
>>> > with.
>>> >
>>> > if it's LDAP\mysql\RADIUS it can be done easily.
>>
>> The info on which ISP a user is supposed to use at the moment is
>> "partially" in LDAP (ie. determined by location in tree or membership
>> of a unix group, I'd like to change it to being an attribute for each
>> user).
>
> Since it's a kind of a simple check it shouldn't be such a big problem to
> use external_acl.
> If it's only 2 ISP connections it's either the "default" or "special" and
> you should be able to use only one external_acl for that.
> The good thing about a helper is that it has a ttl which makes the user "rule"
> for authenticated users (not by IP).
> If you would use a helper with concurrency support (async) you can get pretty
> good results.
> If you do ask me there is not much between unix\ldap group to user
> specific ISP object.
> With group you get the benefit of easy management of the group.
>
>
>>
>> We also have a RADIUS server which basically acts as a frontend to
>> LDAP for some RADIUS based products, it seems that leveraging RADIUS
>> would provide other advantages if I also leverage the reporting
>> feature to count users' traffic....
>> Thanks,
>> Eli
>>
> Using radius can give you a lot in the sense of authentication etc.
>
> And as I wrote before: one of the worst things to do in the sense of
> configuration of a proxy is to "reconfigure" every five or so minutes.
> It should be safe generally if needed for specific operations but it should
> be statically configured and use any resource that exists to allow dynamic
> configuration instead of reconfiguration.
>
> Regards,
>
> Eliezer
>
> --
> Eliezer Croitoru
> https://www1.ngtech.co.il
> IT consulting for Nonprofit organizations
> eliezer <at> ngtech.co.il
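To make the external_acl approach discussed above concrete, here is an added example (not code from the thread, from Eliezer, or from the Squid project) of a per-user ISP lookup helper in Python. It assumes the Squid 3.4+ reply syntax (OK/ERR/BH followed by key=value pairs), a squid.conf that starts the helper with `concurrency=` and `%LOGIN`, and a constructed in-memory user table standing in for the settings file or LDAP attribute; the squid.conf names in the comments are hypothetical.

```python
#!/usr/bin/env python3
"""Squid external_acl helper mapping an authenticated user to an ISP tag.

Hypothetical squid.conf wiring (ttl keeps the per-user decision cached, so
squid never needs a reconfigure when the table behind the helper changes):
  external_acl_type isp_lookup ttl=300 negative_ttl=60 concurrency=10 %LOGIN /usr/local/bin/isp_acl.py
  acl known_user external isp_lookup
  acl via_isp_b tag ispB
  tcp_outgoing_address 192.0.2.2 via_isp_b
"""
import sys

# Constructed sample table; in production load it from a file, DB or an
# LDAP attribute per user. None marks a blocked user.
USER_ISP = {"alice": "ispA", "bob": "ispB", "carol": "ispC", "mallory": None}
DEFAULT_ISP = "ispA"


def lookup_isp(user):
    """ISP for a user: the default for unknown users, None if blocked."""
    return USER_ISP.get(user, DEFAULT_ISP)


def handle_line(line, concurrent=True):
    """Parse one request line from squid and build the reply line.

    With concurrency=N squid prefixes every line with a channel id that must
    be echoed back unchanged; without it the line is just the %LOGIN value.
    Usernames with special characters would arrive encoded by squid and are
    not decoded here.
    """
    fields = line.strip().split()
    if not fields:
        return "BH message=empty"
    if concurrent:
        if len(fields) < 2:
            return fields[0] + " BH message=malformed"
        channel, user = fields[0], fields[1]
    else:
        channel, user = "", fields[0]
    isp = lookup_isp(user)
    # tag= lets squid.conf select the route with an 'acl ... tag' entry.
    reply = "ERR message=blocked" if isp is None else "OK tag=%s" % isp
    return (channel + " " + reply) if channel else reply


def main():
    # Squid keeps the helper running; answer each line and flush at once.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```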