Re: SSO identification on Squid

From: Muthukumar <kmuthu_gct@dont-contact.us>
Date: Tue, 22 Jun 2004 10:24:35 +0530

> I am writing to you as a Nufw developer. Nufw is, shortly said, a
> users-aware firewall, released on GPL v2. Basically, it marks any (TCP and
> others) connections with a user id. This leads to (hopefully) interesting
> perspectives in terms of transparent users identification/authentication.
> Right now, an apache module exists, which lets users be identified to an
> Apache server, without any interactive login/password prompt.

The specified perspective is a good one, because only one authentication of NTLM is used for the transparent user
identification/authentication.
Transparent user identification/authentication can be used in an environment where we are using DHCP for allocating IPs, and with
multiple subnets, where we cannot use the MAC address to control the HTTP connection.

The requirement is like the one in the thread:
http://www.mail-archive.com/squid-users@squid-cache.org/msg17988.html

> More details about the nufw project can be found at www.nufw.org.
>
> Anyway, this email is not about Nufw, sorry about this too long introduction.

A good introduction needs to be there to understand and to get a lot of Squid developments.

> In a view to create a SSO authentication solution (based on nufw) for
> Squid, we need to build an authentication module for squid. It needs the
> following information from squid: (source IP, source port, destination
> IP, destination port), all these about the connection from the
> browser/client to the Squid server.

Authentication modules have to be configured depending on the users' requirements. They have to be given the specified information,
as in the NCSA auth method:
a password file which contains <username> <password>. It is started from Squid; it does not get the client information from Squid, and
it has to give the current user information to Squid.

> In the nufw point of view, user should not be prompted with
> username/password (or maybe in a second period, if user cannot be
> identified through Nufw).

Only NTLM is doing this one. Check here:
http://devel.squid-cache.org/ntlm/

On NTLM, the web access is done as:

                       internet
                         /
    client ---> squid <--> NTLM auth module
                                         \ /   <gives the domain-name, user and password>
                                        apache-server

> I have read this thread :
>
> http://www.mail-archive.com/squid-dev@squid-cache.org/msg01881.html
>
> which is about the source IP address, so I suppose this should be possible.

The requirement is that authentication be done as:
 <Fixed-IP-Address> <username> <password>

I am not sure how it can be adoptable for transparent authentication.

Regards,
Muthukumar.
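
The basic-authentication helper interface discussed in this message, as an added example that is not part of the original post and is not Squid's or Nufw's code: Squid starts the helper and writes one URL-escaped `username password` line per request to its stdin, and the helper answers `OK` or `ERR`, so the client's address and port never reach it. Assumptions: helper concurrency is off (no channel-ID prefix), and the in-memory user table with PBKDF2 hashing is constructed for the example rather than the NCSA password-file format.

```python
import hashlib
import hmac
import sys
from urllib.parse import unquote


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample store: username -> (salt, derived key).
USERS = {"alice": (b"constructed-salt", _hash("s3cret pass", b"constructed-salt"))}


def handle_line(line: str, users=USERS) -> str:
    """Answer one helper request line with 'OK' or 'ERR'."""
    parts = line.rstrip("\r\n").split(" ")
    # The helper is given exactly two fields. Nothing here identifies the
    # TCP connection (source IP/port, destination IP/port).
    if len(parts) != 2:
        return "ERR"
    user, password = unquote(parts[0]), unquote(parts[1])
    # Unknown users still cost one hash computation, so timing does not
    # reveal which usernames exist.
    salt, expected = users.get(user, (b"dummy-salt", b""))
    candidate = _hash(password, salt)
    return "OK" if hmac.compare_digest(candidate, expected) else "ERR"


def main() -> None:
    # Squid keeps the helper running and expects one reply line per request.
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```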

Received on Tue Jun 22 2004 - 17:06:39 MDT