Re: Multiple authentication domains?

From: Robert Collins <robert.collins@dont-contact.us>
Date: Thu, 26 Apr 2001 23:47:55 +1000

It should be pretty straightforward.

On a per scheme basis I assume? (makes implementation much easier).

The duplicated data groups across auth domains will be
* cache entries
* helpers
* all per scheme settings

We should probably simply use a new acl type auth_domain, and then allow
tests against it in http_access, and some mechanism to place _requests_
in an auth domain. We'll also need to add an auth domain parameter to
the authentication config entries, i.e.
(2.5 devel style):
auth_param ntlm authdomainaclname1 program /foo/bar
auth_param ntlm authdomainaclname2 program /foo/bar

It needs to be requests because for digest && NTLM we don't know the
username at the beginning of the auth process (vs basic where it's always
a single transaction).

Most of the authentication data is already split out to make this
straightforward (and you could potentially implement only one scheme).

However some things aren't as abstracted as needed. Some care will be
needed...

For my sake I'd like you to do this to the generic.modules branch :]
(Several parts of the above will be easier - in particular the parser
modifications will be quite a bit easier).

What's your desired timeframe?

Rob

----- Original Message -----
From: "Henrik Nordstrom" <hno@marasystems.com>
To: <squid-dev@squid-cache.org>
Sent: Thursday, April 26, 2001 7:10 PM
Subject: Multiple authentication domains?

> How much would it take to split proxy authentication into multiple
> domains with their own respective auth_param settings?
>
> Imagine a shared proxy where different "groups" of users, selected for
> example by the http_port they connect to or their source IP,
> authenticate against different backend systems.
>
> --
> Henrik
>
>
Received on Thu Apr 26 2001 - 08:00:50 MDT
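
The design discussed in this thread, as an added example that is not part of the original messages and is not Squid code: each request is placed in an auth domain from connection properties alone (before any username is known), and each domain keeps its own helper and its own credential cache. All names (AuthDomain, classify, the ports, networks and passwords) are hypothetical, constructed values.

```python
import hashlib, hmac, ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

@dataclass
class Request:
    src_ip: str
    local_port: int

def _digest(user: str, password: str) -> str:
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()

@dataclass
class AuthDomain:
    name: str
    helper: Callable[[str, str], bool]  # stands in for this domain's helper program
    cache: Dict[str, str] = field(default_factory=dict)  # per-domain, never shared
    helper_calls: int = 0

    def check(self, user: str, password: str) -> bool:
        cached = self.cache.get(user)
        if cached and hmac.compare_digest(cached, _digest(user, password)):
            return True
        self.helper_calls += 1
        if self.helper(user, password):
            self.cache[user] = _digest(user, password)
            return True
        return False

def backend(users: Dict[str, str]) -> Callable[[str, str], bool]:
    # Constructed in-memory backend; a real helper would query its own system.
    return lambda u, p: u in users and hmac.compare_digest(users[u].encode(), p.encode())

CORP = AuthDomain("corp", backend({"alice": "corp-pw"}))
GUEST = AuthDomain("guest", backend({"alice": "guest-pw"}))
GUEST_NET = ipaddress.ip_network("192.0.2.0/24")

# First match wins, like an ACL list; selection uses only connection properties.
RULES = [
    (lambda r: r.local_port == 3128, CORP),
    (lambda r: ipaddress.ip_address(r.src_ip) in GUEST_NET, GUEST),
]

def classify(req: Request) -> Optional[AuthDomain]:
    return next((d for match, d in RULES if match(req)), None)

def authenticate(req: Request, user: str, password: str) -> bool:
    domain = classify(req)  # decided before any credentials are seen
    return domain is not None and domain.check(user, password)
```

The same username exists in both domains with different passwords; a cache shared across domains would let credentials validated by one backend be accepted for the other.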
