Re: LDAP + Proxy + Browser
- From: "dt" <daytues@xxxxxxxxx>
- Date: 9 Feb 2007 03:39:42 -0800
Chris, thanks for the reply. Let me give a few comments on your reply.
> Network access != Web access
> Which do you really mean?
Web is enough.
> Not your problem. If you pop proxy authentication into squid "it just
> works".
Maybe I haven't been clear enough on this. As far as I know, it works
if the "default" system authentication is used. I don't want that,
because I cannot enforce the users to create/change user accounts on
their machines. In this case, I would need to change the configuration
for each new user that comes and in some cases it may be even
unfeasible (e.g. when the user doesn't have the password-protected
account to use for this purpose). I need the way to allow the users to
enter this information in the browser and force the browser not to
send the default, but this info. Without this, what I am thinking is
not possible, but there may be other ways - if you know of such,
please let me know.
> That's a social engineering issue. Assuming this is a business you
> have to have an effective Security Policy that forbids people sharing
> passwords. You can then enforce that with internal disciplinary
> procedures.
That is probably not possible in the situation I have. I have a very
dynamic list of users of my network and I cannot enforce too much in
my case. The only thing I can count on is a centralized password
system. I can give them the username/password combination (that is
pretty easy) and if I only could do the other mentioned things, it
would work. If I could make the browser send exactly this combination
and tell the proxy not to let more than 1 usage of the username/password
at any given time, then it would work and the social engineering issue
would be gone (no one would give the username/password to others - they
themselves wouldn't be able to use the network in that case).
The above is my proposed way, any other ways, considering the
requirements. To make me clear again, the requirements are as follows.
I cannot influence the users (and their computers) too much, but I
have the full control of the network itself. I cannot make the users
have fixed IP or MAC addresses, I cannot rely on the user accounts on
their machines or in fact anything else on their machines. The only
thing I can do is give them something and rely on the usage count.
If it helps to imagine the situation, think about my network as the
mail (e.g. Yahoo!) provider. The objective is to let only the users
with the given username/password to pass. Yahoo! cannot influence the
user accounts on my machine, but I still can use their services. If
they would also restrict the login count to one (i.e. one user can
login only once at the given time), that would be exactly the
situation I am right now.
Chris
Thanks again, hope to hear from you again!
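The "one usage of the username/password at any given time" rule that dt describes can be enforced on the proxy side, independently of what the browser or the user's machine does, with a Squid external ACL helper. The following is an added example written for this thread, not code from the original posting or from the Squid project; it assumes Squid is configured to pass the authenticated login name and the client address to the helper (the `%LOGIN %SRC` format tokens of `external_acl_type`) and that the helper answers each line with `OK` or `ERR`. The idle timeout, the `ConcurrentUseLimiter` name and the 300-second default are the example's own choices.

```python
#!/usr/bin/env python3
"""Squid external ACL helper that limits concurrent use of one username.

Hypothetical example for the thread above. Assumed protocol: Squid sends
one line per lookup containing the configured format tokens (here the
login name and the client IP, i.e. "%LOGIN %SRC") and expects a reply
line of "OK" (allow) or "ERR" (deny).
"""
import sys
import time
from urllib.parse import unquote


class ConcurrentUseLimiter:
    """Allow at most `max_sessions` distinct client addresses per user."""

    def __init__(self, max_sessions=1, idle_timeout=300):
        self.max_sessions = max_sessions
        self.idle_timeout = idle_timeout      # seconds of silence before a binding lapses
        self.sessions = {}                    # user -> {src_ip: last_seen}

    def _live_sessions(self, user, now):
        """Drop bindings idle longer than the timeout and return the rest."""
        seen = self.sessions.get(user, {})
        live = {ip: t for ip, t in seen.items() if now - t <= self.idle_timeout}
        if live:
            self.sessions[user] = live
        else:
            self.sessions.pop(user, None)
        return live

    def decide(self, user, src_ip, now=None):
        """Return "OK" if this (user, client) pair may proceed, else "ERR"."""
        now = time.monotonic() if now is None else now
        live = self._live_sessions(user, now)
        # An address already bound to the user keeps working; a new address
        # is admitted only while the user is below the session limit.
        if src_ip in live or len(live) < self.max_sessions:
            live[src_ip] = now
            self.sessions[user] = live
            return "OK"
        return "ERR"


def handle_line(limiter, line, now=None):
    """Parse one helper request line ("<login> <src-ip>") into a verdict."""
    parts = line.split()
    if len(parts) < 2:
        return "ERR"                          # malformed request: fail closed
    # Squid may URL-encode values that contain special characters.
    return limiter.decide(unquote(parts[0]), parts[1], now)


def main():
    limiter = ConcurrentUseLimiter()
    for line in sys.stdin:                    # one request per line, until Squid closes the pipe
        sys.stdout.write(handle_line(limiter, line) + "\n")
        sys.stdout.flush()                    # Squid waits for each answer; never buffer


if __name__ == "__main__":
    main()
```

Wired in with something like `external_acl_type one_session ttl=60 negative_ttl=5 %LOGIN %SRC /usr/local/bin/one_session.py`, an `acl one_session external one_session`, and `http_access allow one_session` placed after the proxy-auth ACL, the helper sees each (user, client) pair at most once per `ttl` and denies a second address while the first is still active. Two caveats: clients behind the same NAT share one address and so count as one session, and the state is in memory, so a helper restart forgets all bindings; a small shared store would be needed if Squid is told to run several helper instances.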