On 2010-05-27, Henrik Nordström <henrik_at_henriknordstrom.net> wrote:
>>
>> Authentication? no.
>
> Yes, if the client is using a certificate for authentication purposes.
>
> If the provided client certificate has an emailAddress attribute then
> this is used as the user identity at least for log purposes.
We already have lots of OpenVPN users, with client certs and use the cn
of the cert to assign which networks they have access to. All certs have
the emailAddress attribute as well. Full VPN is a bit overkill for the
users that only need to access a few internal webservers, so I'm
wondering if we can utilize the same public key infrastructure to give
access through a squid proxy, and use squid ACLs to control what they
get access to based on preferably cn, but emailAddress is probably OK too.
Do you think this sounds feasible? Has anybody done something similar,
and might care to share their config?
-jf
Received on Thu May 27 2010 - 12:03:37 MDT