Ian.Large@salvesen.com wrote:
>Hello
>
>I am hoping that I can gain some knowledge here...for several weeks, on
>and off, I've been playing with squid and all sorts of authenticators but
>I am still running into the same wall that I did at the beginning. The big
>thing I am being asked for by my boss is the ability to detect an expired
>password. As far as I've found from trolling the archives, the only
>projects to handle this sort of thing are now old and unmaintained and all
>of the authenticators I got working well report only OK or ERR.
>
>Our (planned) environment is this:
>Two layers of squids; the first will serve certain websites that we have
>deemed general access - for example, our Corporate web site - without
>authentication or pass on any other requests to the second which will be
>using authentication and Websense Enterprise to filter access.
>
>I had hoped to use our fresh new Windows AD in some way to provide the
>authentication since my early NTLM and Samba authenticator experiments
>were all too flaky to put into a production system and I'd read many posts
>on this list suggesting LDAP authentication against AD. I got this working
>nicely using the squid_ldap_auth helper program and a username/group
>filter like "(&(CN=%s)(memberOf=CN=InternetUsers))". This is great but the
>demand from on high still stands. The helper returns only OK or ERR!
>
>So are there any "live" projects out there that can help? As I mentioned,
>I'd like to use the AD as a source to save having to maintain separate
>user lists - and frankly our users have enough problems remembering
>passwords as it is - but I need to trap expired passwords and at least
>redirect the user to a web page saying "Your password has expired! Go
>change it!".
>
You could accomplish this with your own custom redirector program. It
would take the user and URL, look up that user's password expiry time and
output the URL to an appropriate password expiry webpage if it is about to
lapse; otherwise it just outputs a newline (the passthru action for a
redirector). Redirectors are persistent, so you can cache the LDAP queries
to keep the load and latency down, as this will happen for every page fetch.
There's more on redirectors here:
http://www.squid-cache.org/Doc/FAQ/FAQ-15.html
John
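The redirector John describes, written out as an added example (this is not code from the original post nor from the squid project). It reads the classic Squid 2.x redirector input line `URL ip-address/fqdn ident method`, takes the authenticated username from the `ident` field, consults a small TTL cache in front of the expiry lookup, and prints either the expiry page URL or a blank line. The expiry page URL, the warning window, and the username-to-expiry table are all constructed for the example; a real helper would replace `directory_lookup` with an LDAP query against AD.

```python
import sys
import time
from urllib.parse import quote

# Everything in this file is an added example, not code from the squid project.
# The URL, thresholds and the expiry table below are constructed for illustration.

# Where to send users whose password has expired or is about to (assumed URL).
EXPIRY_PAGE = "http://intranet.example.com/password-expired.html"
# Redirect when the password expires within this many seconds (here: 3 days).
WARN_SECS = 3 * 86400
# How long a looked-up expiry time is reused before the directory is asked again.
CACHE_TTL = 300

# Constructed stand-in for the directory: username -> password expiry (Unix time).
# A real helper would derive this from AD attributes over LDAP; the fixed table
# keeps the example runnable offline.  T0 is the "current time" used in the tests.
T0 = 1103846400
EXPIRY_DB = {
    "alice": T0 + 30 * 86400,   # expires in 30 days: let through
    "bob":   T0 + 1 * 86400,    # expires tomorrow: redirect
    "carol": T0 - 3600,         # already expired: redirect
}


def directory_lookup(user):
    """Return the user's password expiry time, or None if unknown/unavailable."""
    return EXPIRY_DB.get(user)


class ExpiryCache:
    """Cache expiry lookups: the redirector is consulted on every single request."""

    def __init__(self, lookup, ttl=CACHE_TTL):
        self._lookup = lookup
        self._ttl = ttl
        self._entries = {}  # user -> (expiry_or_None, fetched_at)

    def get(self, user, now):
        hit = self._entries.get(user)
        if hit is not None and now - hit[1] < self._ttl:
            return hit[0]
        expiry = self._lookup(user)
        self._entries[user] = (expiry, now)
        return expiry


def parse_request(line):
    """Parse a Squid 2.x redirector input line: 'URL ip-address/fqdn ident method'."""
    parts = line.split()
    if len(parts) < 4:
        return None
    return {"url": parts[0], "client": parts[1], "ident": parts[2], "method": parts[3]}


def decide(line, cache, now):
    """Return the URL to rewrite to, or '' for passthru (Squid reads a blank line as 'unchanged')."""
    req = parse_request(line)
    if req is None:
        return ""
    user = req["ident"]
    # No authenticated user on this request (e.g. on the unauthenticated first
    # squid layer): there is nothing to check.
    if user == "-":
        return ""
    # Never rewrite requests for the expiry page itself, or the user can never reach it.
    if req["url"].startswith(EXPIRY_PAGE):
        return ""
    expiry = cache.get(user, now)
    # Unknown user or directory unavailable: fail open (pass the request through)
    # rather than cutting everyone off the web whenever the directory hiccups.
    if expiry is None:
        return ""
    if expiry - now <= WARN_SECS:
        return EXPIRY_PAGE + "?user=" + quote(user)
    return ""


def main():
    cache = ExpiryCache(directory_lookup)
    # One answer line per input line.  The flush after each answer is essential:
    # with buffered stdout Squid would sit waiting on the helper indefinitely.
    for line in sys.stdin:
        sys.stdout.write(decide(line, cache, time.time()) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

Two practical points the code embodies: the `ident` field is only filled in on the squid layer that actually authenticates, so this helper belongs on the second layer of the planned setup, and the expiry page must be excluded from rewriting or the user loops forever. If you would rather the browser see a real HTTP redirect (so the address bar shows the expiry page) than a silent rewrite, the FAQ page linked above describes prefixing the output URL with `302:` on Squid versions that support it.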
Received on Thu Dec 23 2004 - 17:17:01 MST
This archive was generated by hypermail pre-2.1.9 : Sat Jan 01 2005 - 12:00:03 MST