Re: [squid-users] Ident large scale usage

From: G Welter <G.Welter@dont-contact.us>
Date: Tue, 07 Jan 2003 14:28:24 +0100

Hi.

I'm also very interested in this subject. For some time I've been wanting to experiment with Squid as a replacement for our current Novell Bordermanager setup which does all the authenticating. The greatest advantage Bordermanager currently has over Squid is the transparent authentication. Users are authenticated to the NDS in the background. Squid can be used in combination with an NDS, using ldap, but it requires manual input of the login credentials by the user for *each* new instance of the browser. At least for IE afaik.

In my spare time I've been testing a combination of Squid, ident and NDS/ldap. I know ident is insecure, but I use some extra authentication checks. In this scenario Squid receives an http request, then does an ident request to the workstation. The ident client returns the Novell login name. Squid searches the NDS tree for the user name using ldap and checks the ip from which the user logged in to the NDS against the ip the http request originated from. If these ips match, I assume that the user's credentials are genuine.

But all of this is a mix of Squid's ldap auth module, some php and a modified windows ident client which returns the Novell login name (http://sourceforge.net/projects/winidentd). It kind of works, but it isn't really usable yet. I also don't know how Squid will perform in such an environment and how much load it will generate on the network. Especially if you just use plain ident 'authentication', because -a lot- of ident requests will be performed.

So, if security isn't an issue I would go ahead with it. But if you want it to be secure, ident isn't an option. NTLM would be the preferred option.

Gerben.
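
The ident-plus-directory cross-check described above, written as a Squid external ACL helper. This is an added example, not Gerben's php/ldap code: the helper reads one request per line from Squid (assumed format tokens `%SRC %SRCPORT %MYPORT`, which is a hypothetical `external_acl_type` line), queries identd on the workstation per RFC 1413, looks the returned login name up in a directory, and answers `OK user=...` only when the address recorded at NDS login equals the address the http request came from. The LDAP lookup is replaced by a constructed in-memory dictionary; the `login_ip` key and the `CONSTRUCTED_DIRECTORY` contents are assumptions standing in for whatever attribute your tree stores the login address in.

```python
"""Squid external_acl helper: ident lookup + directory IP cross-check (example)."""
import socket
import sys
from ipaddress import ip_address

IDENT_PORT = 113  # RFC 1413

# Constructed stand-in for the NDS/LDAP search: login name -> address recorded
# at login time. Both the key name "login_ip" and the entries are assumptions.
CONSTRUCTED_DIRECTORY = {
    "gwelter": {"login_ip": "10.0.0.5"},
    "jturner": {"login_ip": "10.0.0.9"},
}


def parse_ident_response(raw):
    """Parse an RFC 1413 reply; return the user-id, or None for ERROR or garbage.

    A USERID reply looks like  '<sport>, <cport> : USERID : <opsys> : <user-id>';
    splitting on at most three colons keeps any colons inside the user-id.
    """
    parts = [p.strip() for p in raw.strip().split(":", 3)]
    if len(parts) == 4 and parts[1].upper() == "USERID" and parts[3]:
        return parts[3]
    return None


def ident_lookup(client_ip, client_port, proxy_port, timeout=2.0):
    """Ask identd on the workstation who owns the client_port -> proxy_port connection."""
    try:
        with socket.create_connection((client_ip, IDENT_PORT), timeout=timeout) as s:
            s.sendall(f"{client_port}, {proxy_port}\r\n".encode("ascii"))
            data = b""
            while not data.endswith(b"\n") and len(data) < 1024:
                chunk = s.recv(256)
                if not chunk:
                    break
                data += chunk
    except OSError:
        # No identd, timeout, or connection refused: treat as unknown user.
        return None
    return parse_ident_response(data.decode("ascii", "replace"))


def ip_matches_login(src_ip, ident_user, directory_lookup):
    """True only if the directory says ident_user logged in from src_ip."""
    if not ident_user:
        return False
    entry = directory_lookup(ident_user)
    if not entry or "login_ip" not in entry:
        return False
    try:
        return ip_address(entry["login_ip"]) == ip_address(src_ip)
    except ValueError:
        return False


def handle_line(line, directory_lookup, ident=ident_lookup):
    """One helper request 'src_ip src_port proxy_port' -> 'OK user=<name>' or 'ERR'."""
    fields = line.split()
    if len(fields) != 3:
        return "ERR"
    src_ip, src_port, proxy_port = fields
    user = ident(src_ip, src_port, proxy_port)
    if ip_matches_login(src_ip, user, directory_lookup):
        return f"OK user={user}"
    return "ERR"


if __name__ == "__main__":
    # Squid keeps the helper running and feeds one request per line on stdin.
    for request in sys.stdin:
        print(handle_line(request, CONSTRUCTED_DIRECTORY.get), flush=True)
```

Failing closed on every error path (no identd, malformed reply, user not in the tree, address mismatch) is what makes the cross-check worth anything: an `ERR` then sends Squid on to whatever fallback your ACLs define. The one case the check cannot distinguish is a workstation reporting a name that really did log in from that same address, which is exactly why the mail calls the scheme insecure if the workstations themselves are not trusted.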

>>> "Jay Turner" <jturner@bsis.com.au> 01/07/03 05:31AM >>>
Hi All,

Does anyone have any opinions/advice on the use of ident?

We are looking to put Squid into an environment with 1500 users and we want
to have username information stored in the log files.

Two ways to do this: 1) use an authentication scheme (NTLM, SMB etc) or 2) have
each client PC run an ident service and have Squid request this info as
required.

I have tested this out fine in a small installation but I was wondering if
there would be an impact in a 1500 user environment?

Any thoughts?

Regards
Jay
Received on Tue Jan 07 2003 - 06:28:42 MST