Re: SPNEGO in Squid

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 13 Jul 2004 00:07:08 +0200 (CEST)

On Mon, 12 Jul 2004, Andrew Bartlett wrote:

> I'm about to dive head-long into writing the SPNEGO support for Squid,
> unless I can somehow bribe a real squid dev onto the task.

Great!

I am still trying to allocate time for this myself. The main hindrance is
that the NT testbed I had with an AD domain unfortunately is no more, which
somewhat complicates testing.

> SPNEGO in Squid is an interesting point - as far as I understand it,
> SPNEGO (Negotiate) HTTP support is not specified (in terms of the RFC)
> to a proxy server, only to a HTTP origin server. I see no reason for
> this silly restriction, and I'm going to play with Mozilla and IE to see
> what we can make them do. (Mozilla just gained SPNEGO via SSPI,
> including transparent NTLM).

Fully agree. I do remember asking about this when the draft was released
and from what I can remember I was given the answer that the draft only
documents what was implemented by Microsoft to date of the draft and that
"Negotiate" to proxies may well appear in later versions.

From a look at the protocol there is absolutely nothing which stops
"Negotiate" or SPNEGO from being used in proxy authentication.

> So, I am trying to follow the advice offered in the programming guide,
> which says to copy the closest auth module, and go. Does the list have
> any particular tricks or traps I should know about?

None other than that the closest is the ntlm module which is a bit of an
ugly mess due to the (slightly broken) support for challenge reuse which
will be of no use and only a hindrance to implementing "Negotiate" support.

> I realise that new code should be in Squid3 - but is Squid 2.5's NTLM
> code more mature?

Currently the Squid 2.5 NTLM code is more mature, but the problematic areas
are in relation to the challenge reuse and response caching which
isn't really of any use here, so you should not need to worry so much about
this.

It should be OK to start loosely from the ntlm module, mostly as a
template for an authentication module and some hints on how the stateful
helper system works. If you throw away most of the inner guts and
caching of the ntlm module, you should have a pretty clean plate to
work from. This can be done in either 2.5 or 3, but if done in 2.5 then
some work will need to be duplicated to port to 3, so I would recommend 3.

Regards
Henrik
Received on Mon Jul 12 2004 - 16:07:12 MDT
