Re: NTLM + auth_rewrite

----- Original Message -----
From: "Henrik Nordstrom" <hno@hem.passagen.se>
To: "Robert Collins" <robert.collins@itdomain.com.au>
Cc: <squid-dev@squid-cache.org>
Sent: Sunday, January 07, 2001 10:49 PM
Subject: Re: NTLM + auth_rewrite

> Robert Collins wrote:
>
> > * there is a lot of variation in the needed helper support for each scheme ie some schemes may not use helpers/ some like ntlm
need
> > very complex helper support/ some need very little like basic & digest.
>
> The basic message format between Squid and the helper could still be the
> same, the difference is the amount&type of information passed, and
> amount of state kept at both ends..

Sure - sounds like we agree - see my comment about a global standard for helpers. Having said that there is a basic message format
at the moment, but it's not got any structure other than
line in
line out
:]

Anyone out there have any comments on a preferred, parseable message format? SML/XML/CSV/???

> > * backend provided group information (ie in the acl have group names, and then the helper tells us that john is in group
> > internet-users.
>
> This and more in that direction I have some old notes on...
>
> http://www.squid-cache.org/mail-archive/squid-dev/199912/0031.html

yeah - I think its also in the notes at squid.soureforge.net/ntlm. I agree with a lot of it - and now it should be _relatively_ easy
to add it.

> > * upstream modular auth code - so squid can login into an
> > upstream proxy using digest (or _shudder_ ntlm). are important
> > features.
>
> And proxying of NTLM authentication. Mainly for those who run
> transparent proxies...

Hmm. Can't do according to MS's web site (unless you are willing to tie a upstream and client_side fd together). We could do it by
utilising CONNECT rather than proxying but that's about it.

Rob
Received on Sun Jan 07 2001 - 05:05:21 MST