LDAP + Proxy + Browser - Networking



  1. LDAP + Proxy + Browser

    I would like to restrict the network access for some people to certain
    hours. However, the problem is that the network is "unmanaged", in the
    sense that I cannot know who the people are, which computers they use
    and how they are set up. This makes the only possibility for the
    solution just to make a centralized user/password database which would
    allow the users to access the system only if they know the username/
    password that is allowed to use the network resources at the given
    time.

    I was thinking about using squid proxy server, which would allow me to
    control the users using e.g. LDAP as the authentication method. There
    are at least two problems with this. The first one is that I don't
    know how to configure the browsers to supply the username/password
    that I need. I cannot tell the users to make the actual users on their
    machines, that is not an option. Can e.g. Mozilla be somehow told to
    give the specified username/password to squid so it can pass it to
    LDAP for the final check?

    Another thing is that I would like to allow only one usage of the
    password. I wouldn't like to give one password and 10 people to use
    it. Is this possible in squid?

    The last thing is that I made a lot of assumptions about what I would
    like - maybe there is a much better/easier solution. If you have any
    other thoughts about this or other ways this could/should be done,
    please let me know.


  2. Re: LDAP + Proxy + Browser

    Not sure you can do what you like by definition.

    1) You want to restrict when a particular person has access to the
    internet
    2) You cannot tell who any particular user is.

    Mutually exclusive. They will need to have a user account or something
    that will allow you to tell who they are. You probably don't want to
    just allow a popup asking for a password, because then someone just
    clicks 'remember my password' one time and everyone will be using that
    account.

    HTTP is stateless, so you cannot know if someone has 'finished'
    browsing to expire a password. The protocol 'finishes' after every
    request, so it is already done. You could time out a session, but for
    those that sit and read for a while, they will have to repeatedly enter
    their password (most of us have seen this when we are sending an email
    via web messaging and get distracted).


    Seems to me that your first task is to find a feasible way to identify
    who is on the network and which system they are on at any given time.
    Once you have that ability, the rest will fall into place.
    If you cannot manage their systems, you should probably manage the
    network. Nobody connects unless you know who they are.

    Just one guy's 2 cents.

    Brian

    On Feb 8, 11:00 am, "dt" wrote:
    > I would like to restrict the network access for some people to certain
    > hours. However, the problem is that the network is "unmanaged", in the
    > sense that I cannot know who the people are, which computers they use
    > and how they are set up. This makes the only possibility for the
    > solution just to make a centralized user/password database which would
    > allow the users to access the system only if they know the username/
    > password that is allowed to use the network resources at the given
    > time.
    >
    > I was thinking about using squid proxy server, which would allow me to
    > control the users using e.g. LDAP as the authentication method. There
    > are at least two problems with this. The first one is that I don't
    > know how to configure the browsers to supply the username/password
    > that I need. I cannot tell the users to make the actual users on their
    > machines, that is not an option. Can e.g. Mozilla be somehow told to
    > give the specified username/password to squid so it can pass it to
    > LDAP for the final check?
    >
    > Another thing is that I would like to allow only one usage of the
    > password. I wouldn't like to give one password and 10 people to use
    > it. Is this possible in squid?
    >
    > The last thing is that I made a lot of assumptions about what I would
    > like - maybe there is a much better/easier solution. If you have any
    > other thoughts about this or other ways this could/should be done,
    > please let me know.
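
An added example, not part of either post: a squid.conf fragment for the setup the question describes, with LDAP-backed Basic authentication, a time window for named users, and a limit of one client IP per username. The LDAP host, base DN, usernames, hours and helper path are assumptions; the helper is named basic_ldap_auth in current Squid releases.

```conf
# Constructed squid.conf fragment. ldap.example.org, the base DN, guest1/guest2,
# the hours and the helper path are placeholders to adapt.

# Basic authentication, verified against LDAP by Squid's bundled helper.
# The browser needs no configuration: it prompts when Squid answers 407.
auth_param basic program /usr/lib/squid/basic_ldap_auth -v 3 -b "ou=people,dc=example,dc=org" -f "uid=%s" -h ldap.example.org
auth_param basic children 5
auth_param basic realm Network access
auth_param basic credentialsttl 10 minutes

# How long Squid remembers which client IP a username was last seen from.
authenticate_ip_ttl 10 minutes

acl authenticated proxy_auth REQUIRED
acl evening_users proxy_auth guest1 guest2
acl evening_hours time MTWHF 17:00-22:00
# Matches when a username is in use from more than one IP address.
# -s (strict): further IPs are refused until authenticate_ip_ttl expires.
acl shared_login max_user_ip -s 1

# Require a login first so the username is known to the rules below.
http_access deny !authenticated
# The named users are refused outside their time window.
http_access deny evening_users !evening_hours
# Refuse a second machine using the same credentials.
http_access deny shared_login
http_access allow authenticated
http_access deny all
```

max_user_ip counts client IP addresses, not people, so machines behind one NAT address share a login unnoticed, and it does nothing about a password saved in a browser. Basic authentication also sends the password to the proxy merely base64-encoded, so anyone able to observe that network segment can read it.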



