From: "David Rippel" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: [squid-users] Identd authentication
Date: Thu, 05 Feb 2004 09:53:19 -0500

My current setup:

Squid (ACLs) -> DansGuardian (filtering) -> Squid (Caching)

What happens is that Squid sends an ident query to the client; if the username in the response (using an external ACL) appears in a file that contains a list of allowed users (polled from an LDAP server every hour), it allows the client access. From there, DG will send another ident query for logging purposes.

If the ident query fails, the next ACL uses basic auth and authenticates the user with LDAP.

The problem is that it generates two ident queries per request and I'm afraid on a network with over 3000 users this might be too much. It would be nice if Squid would treat ident as a true authentication mechanism and "remember" who the user is for a certain amount of time, like with basic auth.

I thought Squid did cache ident lookups?


Do I presume that you aren't able to run identd on all clients? DG can already handle ident lookups as you know, and the latest 2.7.x code handles multiple filter levels. With multiple filter levels in place, if an ident lookup cannot be found then DG will run that request through 'filter1' which is the default filter level. You could in theory set filter1 to be very restrictive and filter2 to meet the company requirements. If an ident response is available then DG will filter as per company req: if it isn't (e.g. the user has disabled it) then they'd be restrictively filtered.

The main problem with DG is that it currently does not cache ident lookups. This means that for a single webpage of 10 images and some text etc, DG will do an ident lookup for EVERY request on that page. In itself this is almost worth considering using LDAP authentication exclusively, though I have no idea about how much bandwidth/network overhead is required for each ident lookup/response pair: my guess is that it's actually pretty small. Maybe someone on here can quantify this guess?

Regards,

nry
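
As an added illustration that is not part of the original thread or of Squid or DansGuardian code: a Python sketch of the RFC 1413 query/reply exchange discussed above, with a per-client TTL cache, showing the 11 requests of one page load collapsing to a single lookup. The function and class names, the 300-second TTL, the addresses, ports and username are all constructed for the example.

```python
import time

def build_query(port_on_client_host, port_on_proxy):
    # RFC 1413 query: "<port on identd host> , <port on querying host>" CRLF
    return f"{port_on_client_host} , {port_on_proxy}\r\n".encode("ascii")

def parse_reply(raw, port_on_client_host, port_on_proxy):
    """Return the user name, or None for ERROR, malformed or mismatched replies."""
    parts = raw.decode("ascii", "replace").rstrip("\r\n").split(":", 3)
    if len(parts) != 4 or parts[1].strip().upper() != "USERID":
        return None
    try:
        ports = tuple(int(p) for p in parts[0].split(","))
    except ValueError:
        return None
    if ports != (port_on_client_host, port_on_proxy):
        return None  # reply describes a different connection
    return parts[3].strip() or None  # simplification: surrounding spaces dropped

class IdentCache:
    """Remember ident answers per client IP for ttl seconds (hypothetical helper).
    Keying on IP assumes one user per address; on multi-user hosts or behind
    NAT a cached name can belong to someone else, so do not cache there."""
    def __init__(self, lookup, ttl=300, clock=time.monotonic):
        self.lookup, self.ttl, self.clock = lookup, ttl, clock
        self.entries = {}  # client_ip -> (user, expiry)
        self.queries = 0   # lookups actually sent

    def user_for(self, client_ip, client_port, proxy_port):
        hit = self.entries.get(client_ip)
        if hit and hit[1] > self.clock():
            return hit[0]
        self.queries += 1
        raw = self.lookup(client_ip, build_query(client_port, proxy_port))
        user = parse_reply(raw, client_port, proxy_port)
        if user is not None:  # failures are not cached; caller falls back to basic auth
            self.entries[client_ip] = (user, self.clock() + self.ttl)
        return user

def demo():
    def fake_identd(ip, query):  # constructed stand-in for the TCP/113 round trip
        return query.rstrip(b"\r\n") + b" : USERID : UNIX : alice\r\n"
    now = [0.0]
    cache = IdentCache(fake_identd, ttl=300, clock=lambda: now[0])
    # One page: the HTML plus 10 images, each on its own client port (constructed).
    users = [cache.user_for("192.0.2.10", 40000 + i, 3128) for i in range(11)]
    after_page = cache.queries
    now[0] = 301.0  # entry expired
    cache.user_for("192.0.2.10", 40100, 3128)
    return users, after_page, cache.queries
```

The query built here is 14 bytes of payload; the TCP connection setup and teardown around each lookup are not modelled.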
