Re: [squid-users] Multiple Auth Realms / E-mail auth

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 4 Jul 2003 08:21:48 +0200

On Thursday 03 July 2003 22.25, Diego Rivera wrote:
> Sorry for the mixup on Squid versions. I'll be sure to upgrade to
> 2.5 ASAP - although I don't see that happening that soon.
>
> I've written a perl script similar to the one referenced on Open2,
> but it's a more general case (driver-based). The idea is to allow
> e-mail based authentication as described on my original post, and
> allow each "realm" to authenticate differently.
>
> I see two additional drivers as being highly desireable:
> External-Program and External-Pipe. The first one would invoke an
> external program to execute each authentication (inefficient, but
> could be useful). The second one would start the external process
> once and pipe info to it just as squid would.

I would recommend the second to be the only "driver" available.

A simple program where all configuration is in the code is no more
than 3 lines per domain. (1 line of initialization, 1 line of
condition to match the domain, 1 line to send the request to the
correct backend helper). A configuration based program should be no
more than about one screenful of code.

> The one drawback with this scheme is that it would NOT be possible
> to have Squid be aware of the different realms - i.e., let users
> authenticated on realm example-1.com through, but NOT users from
> example-2.org. All the users would be generalized into one big
> "authenticated users" group.

Err.. the usernames in such setup include the domain so Squid can
easily group the users in different groups. But you probably want a
glue similar to the above around the group helpers as well if you
want to use group lookup helpers (2.5 feature).

Regards
Henrik
Received on Fri Jul 04 2003 - 00:22:01 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:17:49 MST