Re: External group concept

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Thu, 05 Jul 2001 16:08:28 +0200

Robert Collins wrote:

> I was suggesting that squid dynamically add users to proxy
> auth acls when informed by the helper that was necessary.

Naa... but proxy_auth ACL's could be made to refer to auth groups, not
only user names. Mostly needs a syntax definition, and support in the
helper protocol.

Want to be able to make lists of groups (unions, not intersections as
done by http_access).

> We can do more than 1. We can have a separate helper and/or tie it into the
> authentication helper. I think thats what Henrik meant with his a)/b)
> options.

Yes, and both are required I think.

'a' is tied to the authentication helper.

'b' is a separate helper, not really groups but can be used to implement
groups. Not at all tied to authentication (except that authentication ID
can be one of the selection criterias)

> I agree - I'm saying that "proxy_auth" IS group acls. We don't have a
> user-name checking facility today. (We can't say
> http_access allow userrobert
> unless we define a group userrobert with the user "robert" in it.

Correct.

Hoever, proxy_auth IS the group definition, not the ACL telling which
groups to match.

Lets say your authentication system has 20 different groups, all
published by the auth helper to Squid.

You want to give 5 of these groups access to a given resource, deny 6
from some other resource, and allow 2 to proxy to anything else.

--
Henrik
Received on Thu Jul 05 2001 - 08:59:36 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:14:05 MST