Re: LDAP + Proxy + Browser
Not sure you can do what you like by definition.
1) You want to restrict when a particular person has access to the
2) You cannot tell who any particular user is.
Mutually exclusive. They will need to have a user account or something
that will allow you to tell who they are. You probably don't want to
just allow a popup asking for a password, because then someone just
clicks 'remember my password' one time and everyone will be using that
HTTP is stateless, so you cannot know if someone has 'finished'
browsing to expire a password. The protocol 'finishes' after every
request, so it is already done. You could time out a session, but for
those that sit and read for a while, they will have to repeatedly enter
their password (most of us have seen this when we are sending an email
via web messaging and get distracted).
Seems to me that your first task is to find a feasible way to identify
who is on the network and which system they are on at any given time.
Once you have that ability, the rest will fall into place.
If you cannot manage their systems, you should probably manage the
network. Nobody connects unless you know who they are.
Just one guy's 2 cents.
On Feb 8, 11:00 am, "dt" <dayt...@yahoo.com> wrote:
> I would like to restrict the network access for some people to certain
> hours. However, the problem is that the network is "unmanaged", in the
> sense that I cannot know who the people are, which computers they use
> and how they are setup. This makes the only possibility for the
> solution just to make a centralized user/password database which would
> allow the users to access the system only if they know the username/
> password that is allowed to use the network resources at the given
> I was thinking about using squid proxy server, which would allow me to
> control the users using e.g. LDAP as the authentication method. There
> are at least two problems with this. The first one is that I don't
> know how to configure the browsers to supply the username/password
> that I need. I cannot tell the users to make the actual users on their
> machines, that is not an option. Can e.g. Mozilla be somehow told to
> give the specified username/password to squid so it can pass it to
> LDAP for the final check?
> Another thing is that I would like to allow only one usage of the
> password. I wouldn't like to give one password and 10 people to use
> it. Is this possible in squid?
> The last thing is that I made a lot of assumptions about what I would
> like - maybe there is a much better/easier solution. If you have any
> other thoughts about this or other ways this could/should be done,
> please let me know.
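
Added example, not part of the thread or of any poster's setup: a squid.conf fragment that combines LDAP-backed proxy authentication, a per-account time window and a one-address-per-username limit, which are the three controls the question asks about. The LDAP host, base DN, usernames, hours, TTL values and helper path are assumptions.

```conf
# Constructed example: hostnames, base DN, usernames, hours and the
# helper path below are placeholders, not values from the thread.

# Basic auth checked against LDAP by Squid's bundled helper
# (named squid_ldap_auth in Squid 2.x; install path varies by distribution).
auth_param basic program /usr/lib/squid/basic_ldap_auth -b "ou=people,dc=example,dc=org" -f "uid=%s" -h ldap.example.org
auth_param basic realm Network access
auth_param basic children 5
# How long Squid trusts a successful check before asking the helper again.
auth_param basic credentialsttl 15 minutes

# Any request carrying valid proxy credentials.
acl authed proxy_auth REQUIRED

# Accounts limited to fixed hours
# (day codes: M T W H F = Mon..Fri, A = Sat, S = Sun).
acl daytime_users proxy_auth alice bob
acl daytime time MTWHF 08:00-18:00

# Matches once a username is seen from more than one client IP within
# authenticate_ip_ttl; -s keeps denying the extra addresses until it expires.
acl shared_login max_user_ip -s 1
authenticate_ip_ttl 10 minutes

# Order matters: first matching http_access line wins.
http_access deny !authed
http_access deny shared_login
http_access deny daytime_users !daytime
http_access allow authed
http_access deny all
```

max_user_ip keys on the client's source address, so several people behind one NAT address, or one machine with a saved password, still count as a single client. Basic authentication also sends the password to the proxy Base64-encoded rather than encrypted, so it is readable on an untrusted network segment.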