Squidguard crazyness (ACL, authentification and transparent proxy)

ldperron

I'm just asking if this idea is good. I may be able to program it by myself.

I have a situation where SquidGuard ACL, transparent proxy, group membership, Active Directory is in the mix.

I wonder if it possible that when an unauthenticated user try to open a web page, he's automatically redirected to a webpage to authenticate himself.
This authentification Web form, served by a deamon that will take care of updating the SquidGuard ACLs, in order to associate this particular user with a particular IP address. This user won't have to authenticate until his session is finished.

I know some commercial web proxy that works in a similar way, and even one that allow the installation of a daemon directly on the Domain Controller so it can automatically inform the proxy of any IP address&user association.

As far as I know, we can't use Active Directory groups in SquidGuard ACLs, even if we are using non-transparent proxy with AD authentication, am I right?

In my opinion, it works well unless you have multiple users sharing the same IP address, like with terminal servers.

I'm just asking for opinions… is it doable? useful? Or am I trying to do something too complicated for something that already exists?

Any tips would be appreciated. If enough people like the idea, this could make a nice new package.

Thanks

dvserg

What about use Captive Portal ?

ldperron

You mean by modifying the captive portal, or the captive portal is already able to authenticate using AD, and it's able to send user/groups to SquidGuard?