I am working on setting up new web proxies at my job. We were initially planning on buying Blue Coat proxies but the economic downturn came along and we're not buying them anymore...
The great feature that these proxies had was that they offered the possibility to authenticate users against several LDAP proxies. For example, a certain subnet of users authenticate against a specific LDAP server while another subnet of users authenticate against another LDAP server.
Is this possible using open source software such as Squid? I really like Pfsense because the interface is really simple and pretty, would it be possible to do such a thing with it?
Thank you in advance for your help,
Antoine
You could make Squid authenticate against a single OpenLDAP server acting as a proxy for several backend directories. From slapd-meta(5):
This will work even if the DN hierarchies overlay among both groups by writing a few massaging rules -- I'm guessing that is the case because you would be using aliasing and delegation instead.
In any case I believe it is healthy that users are allowed to authenticate against the unified directory because their identity remains the same regardless of the subnet they happen to find themselves in.
In my answer, I'm assuming that you have read about the Squid authentication protocol, are familiar with how to configure an LDAP auth helper and are planning to run Squid under some kind of Unix operating system. Furthermore, the first two answers help you choose different LDAP servers based on username, not IP subnet (you mentioned "subnet", but ITYM "subset" - right?).
If you really want to change LDAP servers based on the IP subnet things will get a little ugly, since the Squid auth protocol only transmits username/password pairs to the auth helpers:
You can build your own authentication helper for squid - http://www.visolve.com/squid/squid30/externalsupport.php#auth_param
http://www.cyberciti.biz/tips/howto-configure-squid-ldap-authentication.html
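To illustrate the "build your own auth helper" route suggested above, here is an added example (not from the thread or from Squid's own helpers) of a basic-auth helper that picks the directory from the username's domain suffix. The hostnames, the routing table and the in-memory stand-in directory are constructed; a real deployment would replace `demo_bind()` with an LDAP simple bind against the chosen URI.

```python
#!/usr/bin/env python3
"""Squid basic-auth helper: reads 'user password' lines on stdin, answers OK/ERR.
Each login is routed to a directory chosen by the username's domain suffix.
The helper never sees the client IP, so it cannot route by subnet."""
import sys
from urllib.parse import unquote

# Constructed routing table; the hostnames are placeholders, not real servers.
ROUTES = {
    "corp.example": "ldap://ldap1.corp.example",
    "lab.example": "ldap://ldap2.lab.example",
}

# Constructed stand-in for the directories (URI -> {username: password}).
FAKE_DIRECTORY = {
    "ldap://ldap1.corp.example": {"alice@corp.example": "s3cret"},
    "ldap://ldap2.lab.example": {"bob@lab.example": "hunter2"},
}

def pick_server(username):
    """Map 'user@domain' to an LDAP URI; None when the domain is not routed."""
    if "@" not in username:
        return None
    return ROUTES.get(username.rpartition("@")[2].lower())

def parse_request(line):
    """Split one request line. Squid 3 URL-encodes both fields (a space becomes %20)."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not parts[0]:
        return None
    return unquote(parts[0]), unquote(parts[1])

def demo_bind(uri, username, password):
    """Constructed bind: succeeds only if the chosen directory holds this exact pair."""
    return FAKE_DIRECTORY.get(uri, {}).get(username) == password

def reply_for(line, bind=demo_bind):
    """Compute the reply for one request line; any backend failure fails closed."""
    req = parse_request(line)
    if req is None:
        return "ERR message=malformed"
    username, password = req
    if not password:  # an empty password would become an anonymous LDAP bind
        return "ERR message=empty_password"
    uri = pick_server(username)
    if uri is None:
        return "ERR message=unknown_realm"
    try:
        return "OK" if bind(uri, username, password) else "ERR"
    except Exception:
        return "ERR message=directory_unavailable"

if __name__ == "__main__":
    for line in sys.stdin:  # Squid keeps the helper running, one line per attempt
        print(reply_for(line), flush=True)
```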