Nathan Zamprogno <email@hidden> writes:
>We're looking at Web filtering/ monitoring solutions and a common
>problem we're encountering is when we mention the word "Mac". Most of
>the big players like Surf Control usually assume that everyone in the
>entire universe uses Windows boxes that authenticate to Active
>Directory. Yeah, right. The issue of course is finding a way to tie a
>user's internet activity to their login so that the logs aren't just
>lists of anonymous I.P numbers.
>
>
>Several other candidates (like WebMarshall) claim that they can
>authenticate against LDAP, which I presume means that it would be
>fine with Mac OS-X Server 10.3. My greatest fear is the need to
>maintain duplicate user lists. Anything that could draw from our
>userlist on 10.3 server would save us a heap of time, but I don't
>know enough about LDAP, or Apple's flavour of it to know if it would
>work with filters that advertise "LDAP compatibility"
>
>
>Has anyone implemented a web filtering/monitoring solution that
>authenticates against 10.3 Server? I am imagining that in such an
>arrangement, if all the web traffic is obliged to pass through the
>filter, then all our users (Mac or PC) would be confronted by some
>kind of login dialog when they open a web browser for the first time
>in a session. They would enter their username and password, just
>like they were connecting to an AFP server on the OS-X box, and from
>then on all their surfing would be duly logged against their name.
>
>
>At least, that's how I'm guessing it would work. If the process could
>be automated through the regular login process at all our managed
>OS-X student terminals then this would be even better.
>
Yep... we do this. Your guess about how it would operate is exactly right.
The user is prompted with a sheet (in Safari) or an app-modal dialog (in
IE) asking them to authenticate to the proxy server (just like when a
website realm is protected with HTTP basic authentication). This session
persists until the user quits their browser.
For our web caching, content control and authentication, we run the squid
proxy server (as well as dansguardian, but you didn't ask about content
filtering :-)). See http://www.squid-cache.org/
Once squid is running, you need to look into pam_auth, an external
authentication tool included with squid. Firstly, compile it and install
it into your $squid/bin directory. Then edit your $squid/etc/squid.conf
file like this:
# basic-auth helper squid spawns to verify credentials (pam_auth -> PAM -> OS X accounts)
auth_param basic program /usr/local/squid/bin/pam_auth
# number of helper processes; each one handles a single lookup at a time
auth_param basic children 30
# realm string shown in the browser's login prompt
auth_param basic realm Surf The Web
# how long a verified username/password is cached before re-checking with the helper
auth_param basic credentialsttl 2 minutes
# require a valid proxy login for every request; anything else is denied
acl authorized proxy_auth REQUIRED
http_access allow authorized
http_access deny all
Next create a file called /etc/pam.d/squid, containing the following 2
lines:
auth required pam_securityserver.so
account required pam_permit.so
Then restart squid.
Take a workstation and configure it to use your new web proxy. Fire up a
browser and try to surf. You should be prompted for a username and
password, and it should only allow you to surf if you get these right.
Now go back to the server and tail $squid/var/logs/access.log. You should
see the username being logged with each request.
The only issue I've found with this setup is that something enforces
case-sensitivity on usernames. This is a pain, because if the user enters
their username like this: "JAMES" or this: "James" it will tell them their
password is wrong. Only if they enter it like this: "james" (or however it
is entered on the server) will it be accepted. This behaviour is clearly
wrong (usernames ought to be treated as case-insensitive) but I don't know
enough about PAM to deduce exactly where the problem lies.
Squid also has an ldap_auth which may not cause the username
case-sensitivity issue, but I haven't tried using it.
Once it is all working you'll want to block outgoing TCP/80 at the edge of
your network for all IP addresses except the proxy server. This way,
unless people have their machine configured to use the proxy, they won't
be able to surf at all. While this isn't as nice as a transparent proxy
arrangement (where your router or firewall silently diverts all outgoing
web requests through squid without telling the user), you can't use
transparent proxying at the same time as proxy authentication.
Hope this helps
James
--
James Tolchard
ICT Services
Christ's College Canterbury
DDI: +64-3-364-6806
"Never attribute to malice that which can be adequately explained by
stupidity." - Hanlon's Razor
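The two pieces of glue behind the setup James describes, as an added example that is not code from the original thread or from the Squid project: a Squid "basic" external authentication helper that folds the username to lower case before checking it (so "JAMES" and "James" match an account stored as "james"), and a parser for Squid's native access.log that attributes each request to the username in field 8 rather than to the client IP. The credential store, usernames, passwords and log lines are all constructed for the demo; a real helper would check against PAM or LDAP as the post does, and newer Squid releases URL-encode the two helper fields (decode with urllib.parse.unquote if you run one of those).

```python
"""Added example: Squid authentication glue (not part of the original post).

Part 1: a case-insensitive Squid basic-auth helper (stdin/stdout protocol).
Part 2: attributing Squid native access.log lines to authenticated users.
"""
import hashlib
import hmac
import sys
from collections import defaultdict
from typing import Dict, Optional

# --- Part 1: case-insensitive basic auth helper -------------------------

def _digest(salt: str, password: str) -> str:
    return hashlib.sha256((salt + password).encode()).hexdigest()

# Constructed demo store standing in for PAM/LDAP:
# lowercase username -> (salt, sha256(salt + password))
DEMO_STORE = {
    "james": ("s1", _digest("s1", "correct-horse")),
    "nathan": ("s2", _digest("s2", "battery-staple")),
}

def check_credentials(username: str, password: str,
                      store: Dict[str, tuple] = DEMO_STORE) -> bool:
    """True if the pair is valid. The username is case-folded before lookup."""
    entry = store.get(username.strip().lower())
    if entry is None:
        return False
    salt, expected = entry
    return hmac.compare_digest(_digest(salt, password), expected)

def helper_reply(request_line: str) -> str:
    """One round of Squid's basic helper protocol.

    Squid writes "username password\\n" to the helper's stdin and expects
    "OK\\n" or "ERR\\n" back. Passwords may contain spaces, so split only
    on the first space. (Newer Squid URL-encodes both fields; assumed plain here.)
    """
    username, _, password = request_line.rstrip("\r\n").partition(" ")
    if not username or not password:
        return "ERR"
    return "OK" if check_credentials(username, password) else "ERR"

def helper_main(stdin=sys.stdin, stdout=sys.stdout) -> None:
    """Loop used when squid runs this file as the auth_param basic program."""
    for line in stdin:
        stdout.write(helper_reply(line) + "\n")
        stdout.flush()  # squid waits for each reply before sending the next line

# --- Part 2: attribute access.log lines to usernames -------------------

# Constructed sample lines in Squid's native log format:
# time elapsed client result/status bytes method URL user hierarchy/peer type
# The first line is the 407 challenge squid logs before the browser has sent
# any Proxy-Authorization header, hence user "-".
SAMPLE_LOG = """\
1086500000.123    245 10.1.2.5 TCP_DENIED/407 1776 GET http://www.example.com/ - NONE/- text/html
1086500001.456    312 10.1.2.5 TCP_MISS/200 15832 GET http://www.example.com/ james DIRECT/192.0.2.10 text/html
1086500002.789     12 10.1.2.5 TCP_HIT/200 4520 GET http://www.example.com/style.css james NONE/- text/css
1086500003.001    530 10.1.2.9 TCP_MISS/200 20480 GET http://www.squid-cache.org/ nathan DIRECT/192.0.2.20 text/html
"""

def parse_access_line(line: str) -> Optional[dict]:
    fields = line.split()
    if len(fields) < 10:
        return None  # blank or truncated line
    return {
        "client": fields[2],
        "status": fields[3],
        "bytes": int(fields[4]),
        "url": fields[6],
        "user": fields[7],  # "-" when the request carried no proxy credentials
    }

def attribute_requests(log_text: str) -> Dict[str, dict]:
    """Per-user request count, byte total and the set of client IPs seen."""
    summary = defaultdict(lambda: {"requests": 0, "bytes": 0, "clients": set()})
    for raw in log_text.splitlines():
        rec = parse_access_line(raw)
        if rec is None:
            continue
        s = summary[rec["user"]]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        s["clients"].add(rec["client"])
    return dict(summary)

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--helper":
        helper_main()
    else:
        for user, s in sorted(attribute_requests(SAMPLE_LOG).items()):
            print(f"{user:10} {s['requests']:3} req {s['bytes']:7} bytes {sorted(s['clients'])}")
```

Run with no arguments to see the per-user summary of the constructed log; run with `--helper` to use it as a stand-in for pam_auth (point `auth_param basic program` at it). Requests logged under "-" are the ones you want to watch for: they mean a client reached squid without credentials, which is exactly what blocking outbound TCP/80 at the edge for everything except the proxy is meant to force.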