Your message dated Wed, 4 Nov 2009 16:46:27 +0100 with message-id <200911041646.28026.holger@layer-acht.org> and subject line fixed has caused the Debian Bug report #499709, regarding please get rid of hardcoded IP numbers in the squid.conf file to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
499709: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=499709
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: please get rid of hardcoded IP numbers in the squid.conf file
- From: Holger Levsen <holger@layer-acht.org>
- Date: Sun, 21 Sep 2008 15:28:37 +0200
- Message-id: <200809211528.37667.holger@layer-acht.org>
package: debian-edu-config
severity: wishlist
version: 1.423

----------  Forwarded Message  ----------

Subject: Getting rid of hardcoded IP numbers in the squid.conf file?
Date: Tuesday 05 August 2008 17:48
From: Petter Reinholdtsen <pere@hungry.com>
To: debian-edu@lists.debian.org

At the moment, very few services in Skolelinux use hardcoded IP addresses. Each and every one of these makes it harder to change to use a different IP subnet for the Skolelinux network. The services I am aware of are

 - DNS (/etc/bind/debian-edu/*)
 - DHCP (LDAP)
 - Squid (/etc/squid/squid.conf)
 - CUPS (/etc/cups/cups.conf)
 - tcp-wrapper (/etc/hosts.{allow,deny})

I doubt we will be able to drop IP addresses from DHCP and DNS, but we should try to get rid of them for the others. This email is about Squid.

At the moment, we specify the range of IP addresses allowed to talk to the Squid server in squid.conf. Recently I have become aware of the support in squid for 'external' ACL providers. We could easily write such an external ACL provider that looks up the subnet in LDAP and grants access based on the content in LDAP instead of hardcoding it in the configuration file. For this to work, we need to add subnet information in LDAP.

I found <URL:http://devel.squid-cache.org/external_acl/> documenting the original project to add support for external ACL providers. It got a reference to a script to authenticate users and IP addresses. We could probably use it as a starting point.

Anyone know of any well defined specification for storing subnet information in LDAP? I know AD got a subnet schema, ref <URL: http://www.grotan.com/ldap/microsoft.schema >. Perhaps we could use some ideas from there?

LDAP objects like this would work:

  dn: dn=10.0.2.0/23,cn=subnets,dc=skole,dc=skolelinux,dc=no
  objectClass: top
  objectclass: subnet
  cn=10.0.2.0/23

We could configure the external ACL provider to accept all subnets registered in LDAP. This would make it trivial to add access for more subnets.

Happy hacking,
--
Petter Reinholdtsen
--- End Message ---
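
A sketch of the external ACL helper proposed in the message above, added here as an example and not code from the thread or from debian-edu-config. It assumes Squid passes the client address (%SRC) as the first field of each request line with helper concurrency disabled, and it reads subnets from a constructed LDIF sample instead of a live LDAP query; the function names are hypothetical.

```python
#!/usr/bin/env python3
import ipaddress
import sys

# Constructed sample standing in for an LDAP search result; entries follow
# the layout proposed in the message (the "subnet" objectClass is
# hypothetical), written here in attribute: value LDIF form.
SAMPLE_LDIF = """\
dn: cn=10.0.2.0/23,cn=subnets,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: subnet
cn: 10.0.2.0/23

dn: cn=192.168.0.0/24,cn=subnets,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: subnet
cn: 192.168.0.0/24
"""

def load_subnets(ldif_text):
    """Collect the network named by the cn attribute of every entry."""
    nets = []
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cn":
            try:
                nets.append(ipaddress.ip_network(value.strip(), strict=True))
            except ValueError:
                pass  # ignore malformed entries instead of widening access
    return nets

def decide(request_line, subnets):
    """Reply for one request line whose first field is the client IP (%SRC)."""
    fields = request_line.split()
    try:
        addr = ipaddress.ip_address(fields[0])
    except (IndexError, ValueError):
        return "ERR"  # fail closed on empty or non-address input
    return "OK" if any(addr in net for net in subnets) else "ERR"

def main():
    subnets = load_subnets(SAMPLE_LDIF)
    for line in sys.stdin:
        # Squid blocks until it reads the reply, so flush every line.
        print(decide(line, subnets), flush=True)

if __name__ == "__main__":
    main()
```

In squid.conf such a helper would be declared with `external_acl_type` and referenced from an `acl ... external` line that `http_access` then allows, replacing the hardcoded `src` ranges.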
--- Begin Message ---
- To: control@bugs.debian.org, 499709-done@bugs.debian.org
- Subject: fixed
- From: Holger Levsen <holger@layer-acht.org>
- Date: Wed, 4 Nov 2009 16:46:27 +0100
- Message-id: <200911041646.28026.holger@layer-acht.org>
fixed 499709 1.428
thanks
--- End Message ---