[K12OSN] Shared Sessions? - SonicWall

Darryl Palmer dpalmerjr at gmail.com
Mon Nov 6 21:16:56 UTC 2006


On 11/6/06, Peter Hartmann <ascensiontech at gmail.com> wrote:
>
> > 1)  Run the web browsers locally on each thin client.  This will take up
> > tons of resources, at least for Firefox, but if you have the memory to
> > spare then this will fix it.
>
> Our principal wants logging of squidguard blocked attempts per user.
> I told him that I thought authenticating to squidguard with ldap was
> possible.  Do you think I would have to run firefox locally too?


Squid and squidguard can use auth/identd to identify the user.  You need to
run a service on your server to make it work.  What the service will do is
respond to queries on what username is connected with a TCP connection.

For example let's say you have two users, Bob and Sue, that are trying to go
to a web site.  Because you are using LTSP, firefox will run from the
server, let's say it is at 192.168.0.1.  Your proxy is on another firewall
machine at 192.168.0.2 and it is running on port 80.

Using only internet address or ethernet MAC address, there is no way for the
proxy to distinguish between Bob and Sue because both of their versions of
firefox have their network connections originating from the same server at
address 192.168.0.1.

What Auth/Identd does is make a service available on your server.  This
service will listen in for requests of connection information and tell the
requester what user is associated with that network connection.  When Bob
started Firefox on the server, firefox grabbed a local-port of 5010 to open
a network connection.  When Sue started Firefox on the server, she was given
another port, let's say 6198.

What your proxy server can now do is send a request in the form of

<local-port>, <foreign-port> where local port is the port on the proxy
server, and foreign-port is the port on the origin server, here the LTSP
server.

So when the proxy sends a request like:

80, 5010

It will get a response like:

80, 5010 : USERID : BOB

If on the other hand the request was

80, 6198

It would be:

80, 6198 : USERID : SUE

(Both of the local ports are 80 because this is the port you selected for
your proxy service to run on)

The way that auth/identd will know the difference between Bob and Sue is
that Bob's version of Firefox was started under the Linux userid "BOB" and
Sue's version was started under the Linux userid "SUE".

If you set up your clients to have all the same usernames, then even
auth/identd won't do much for you.

Darryl
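
An added example (not part of the original post, and not code from Squid or any identd implementation) of the lookup an identd-style service performs on the LTSP server: find the socket that matches the queried port pair and the asking host, then report its owner. It follows RFC 1413, where the first port in a query is the one on the machine running identd and a USERID reply carries an operating-system field; the `/proc/net/tcp` snapshot and uid table are constructed sample data, and a little-endian host is assumed.

```python
import socket
import struct

# Constructed sample data: a real service reads /proc/net/tcp and the passwd database.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100A8C0:1392 0200A8C0:0050 01 00000000:00000000 00:00000000 00000000  1001        0 40211
   1: 0100A8C0:1836 0200A8C0:0050 01 00000000:00000000 00:00000000 00000000  1002        0 40377
   2: 00000000:0071 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1200
"""
UID_NAMES = {1001: "BOB", 1002: "SUE", 0: "root"}
ESTABLISHED = "01"  # TCP state code used in /proc/net/tcp


def _endpoint(field):
    """Decode 'HEXADDR:HEXPORT' (little-endian host assumed) to (ip, port)."""
    addr, port = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(addr, 16))), int(port, 16)


def connection_owners(table):
    """Map (local port, peer ip, peer port) -> uid for established sockets."""
    owners = {}
    for line in table.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 8 or fields[3] != ESTABLISHED:
            continue  # skip listeners (such as identd itself on port 113)
        _, local_port = _endpoint(fields[1])
        peer_ip, peer_port = _endpoint(fields[2])
        owners[(local_port, peer_ip, peer_port)] = int(fields[7])
    return owners


def answer(query, asker_ip, table=PROC_NET_TCP, names=UID_NAMES):
    """Answer one query line; only connections to the asking host are reported."""
    try:
        ours, theirs = (int(p) for p in query.split(","))
    except ValueError:
        return f"{query.strip()} : ERROR : INVALID-PORT"
    if not (1 <= ours <= 65535 and 1 <= theirs <= 65535):
        return f"{ours}, {theirs} : ERROR : INVALID-PORT"
    uid = connection_owners(table).get((ours, asker_ip, theirs))
    if uid is None:
        return f"{ours}, {theirs} : ERROR : NO-USER"
    return f"{ours}, {theirs} : USERID : UNIX : {names.get(uid, str(uid))}"
```

Matching on the asking host's address means a machine other than the proxy cannot use the service to learn who owns a connection it is not part of.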