Announcing NTLM authentication support for Squid.

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Thu, 24 Aug 2000 08:49:03 +0200

In the last weeks, Robert Collins and I worked on implementing NTLM (aka
microsoft-internet-explorer-without-credentials-requester)-style
authentication for Squid.

We're proud to announce that we've reached a testable state: there's still
more than a bit of work to do to clean up and smooth around the edges, but
the functionality is there.

In order to work it needs to rely on a Domain Controller (Samba is fine) to
actually perform the authentication operation. If you're authenticating
against multiple domains, they must be trusted by the Domain Controller
you're using for the authentication operation.

It's not for the weak of heart yet. We expect to get bug reports; please
include debugging information when you have problems (when, not if). A
backtrace and cache.log snippet are the preferred form of information.

To get it, access CVS using "ntlm" as release tag. To build it, configure
using as arguments at least
 --enable-ntlm-authentication --enable-ntlm-auth-modules="NTLMSSP"
(plus any other configuration options you might wish to use - watch out for
--enable-basic-authentication, it's new, and without it you do not have
basic authentication.)

You might want to edit squid/ntlm_auth_modules/NTLMSSP/ntlm.h for some
settings that will eventually be turned into command-line arguments, then
build and install as usual.

A new configuration option was introduced,
"authenticate_program_ntlm". Just point it to the ntlm_auth executable,
with options "-d domain -s server". The latter is the DC you're going to
authenticate against, the former is the domain that server belongs to.

We'll add details about the protocol and the implementation in some README
file sometime in the future (not too far hopefully).

We encourage anybody willing to try to give it a spin, as our aim is
inclusion in the 2.4 release, but to get that we need testing.

-- 
	ing. Francesco Chemolli
Received on Thu Aug 24 2000 - 00:41:55 MDT
