Am 31.05.2017 um 10:22 schrieb Anders Gustafsson:
> Now, got your attention?
> - Anders

You did. I'm now getting back to this, and must say as a fan of
"K.I.S.S", I'm now looking at a different approach, and am really
surprised not to find a lot on this on "the internet".

I have two reasons to not consider your solution.

1. The ident deamon on the workstation is insecure. Everybody can quite
easily write his own ident deamon claiming to be whoever. I understand
this might not matter much in many environments, but in my use case I
think it does.

2. Too much customization necessary, including compiling squid yourself.
For many that's a non-issue, but I prefer a more generally valid and
available solution.

My "ideal" would be regular authentication through ldap auth which
checks the requesting IP against the network address attribute in
eDirectory, next if the resulting user (if more than one result comes
back for the IP, fall back to ask for user/PW) is in an allowed group,
and if yes is allowed out and logged.

And all that if possible without adding *any* additional code to squid.

The two problems to solve are:

1. getting the IP of the connecting client in ldap_auth without
additional code or script.

2. The fallback to asking the user when there's more than one matching
user returned by ldap for the IP. The fallback when no user is returned
for the IP is easy.

This solution (if possible) is still not perfect due to the nature of
the Network Address attribute, but should work.

A perfect solution would need a (certificate?) secured daemon requesting
the local credentials.

Massimo Rosen
Micro Focus Knowledge Partner
No emails please!