RE: NTLM + auth_rewrite

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Mon, 8 Jan 2001 09:35:00 +0100

-- 
	ing. Francesco Chemolli
	Unicredit Servizi Informativi
> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@hem.passagen.se]
> Sent: Sunday, January 07, 2001 9:23 AM
> To: Robert Collins
> Cc: squid-dev@squid-cache.org; Chemolli Francesco (USI)
> Subject: Re: NTLM + auth_rewrite
> 
> 
> Robert Collins wrote:
> 
> > ==== Other than the doco, auth_rewrite is ready to merge ====
> 
> I have one large restructuring of the source layout that I'd like to
> discuss before the commit:
> 
> * Conceptual change to call the helpers backend helpers and not modules
> 
> * Group the schemes together
> 
>   auth_backends
>   auth_backends/basic
>   auth_backends/basic/NCSA
>   auth_backends/basic/...
>   auth_backends/ntlm
>   auth_backends/ntlm/NTLMSSP
>   auth_backends/ntlm/...
>   auth_backends/...

This would be good.

> * Make sure that each installed "backend helper" has a unique name. 
> 
> Hmm.. thinking about it it might be a good idea to simply put all of
> them directly in auth_backends, without dividing on scheme. Especially
> if considering the idea below..
> 
> 
> I also got the crazy idea of joining the auth helper protocols into one
> for all schemes using a more structured message format, and let the
> helpers register what schemes they support. Only schemes for where there
> exists a registered backend will then be announced, and if there exists
> multiple for one scheme then each is tried in order until a success. But
> this would be the next generation of auth_rewrite I think.

Nice in theory, a bit more difficult in practice:
backends need a fair bit of info about the authentication scheme's
internals.
For instance, in NTLM, decoding of the headers sent from the clients
is left to the helpers.
Extending the squid-helper protocols to cover all the bases would make them
pretty complex (which strikes when compared to the current
designed-for-simplicity schemes).
Also, it would add a negotiation phase with all the problems that come
together with it.
So, if it comes to voting for the feature, my take is
too-much-hassle-for-too-little-gain, but of course I'll follow the
majority's opinions.
-- 
	/kinkie
Received on Mon Jan 08 2001 - 01:34:43 MST