Proposed extension to the NTLM helper protocol

From: Andrew Bartlett <abartlet@dont-contact.us>
Date: Sat, 06 Nov 2004 12:24:00 +1100

I wish to propose an extension to the NTLM helper/squid protocol, such
that a squid redirector, or an external ACL helper, may access the list
of groups.

A new command to ntlm_auth, UG, would request the list of user groups
from the last authentication. This uses the fact that in NTLM and
SPNEGO authentication, the authentication produces the group list, which
should be valid for a particular session.

The resulting string, actually a SID list, could be passed as a cookie
in squid, for processing elsewhere.

This avoids us touching and managing global caches for this per-session
information.

I have an example implementation in Samba4's ntlm_auth
(which, when run with --option='auth methods = winbind', drops into an
existing Samba3 winbindd setup).

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net

Received on Fri Nov 05 2004 - 18:24:19 MST
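
One way an external ACL helper could consume the SID list described in the message above, as an added example that is not part of the original post and is not Samba or squid code. The comma separator, the function names and the sample SIDs are assumptions; the message does not specify the string format.

```python
import re

# Textual SID: S-1-<authority>-<sub-authority>..., at most 15 sub-authorities.
_SID_RE = re.compile(r"S-1-([0-9]{1,15})((?:-[0-9]{1,10}){1,15})")


def parse_sid(text):
    """Return (authority, sub_authorities); raise ValueError if malformed."""
    m = _SID_RE.fullmatch(text)
    if m is None:
        raise ValueError("malformed SID: %r" % text)
    authority = int(m.group(1))
    subs = tuple(int(s) for s in m.group(2).split("-")[1:])
    # Authority is a 48-bit field, each sub-authority a 32-bit field.
    if authority >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID field out of range: %r" % text)
    return authority, subs


def parse_sid_list(text, max_sids=1024):
    """Parse a SID list string (comma-separated by assumption)."""
    items = [s for s in text.strip().split(",") if s]
    if len(items) > max_sids:
        raise ValueError("too many SIDs in list")
    return frozenset(parse_sid(s) for s in items)


def is_member(sid_list_text, allowed_group_sids):
    """True if the session's SID list holds any allowed group SID.

    The list arrives from another process, so any parse error
    denies access instead of skipping the bad entry (fail closed).
    """
    try:
        held = parse_sid_list(sid_list_text)
    except ValueError:
        return False
    return any(parse_sid(g) in held for g in allowed_group_sids)


# Constructed sample: a user SID, Domain Users (-513) and one custom group.
SAMPLE = ("S-1-5-21-1111111111-2222222222-3333333333-1001,"
          "S-1-5-21-1111111111-2222222222-3333333333-513,"
          "S-1-5-21-1111111111-2222222222-3333333333-1105")

if __name__ == "__main__":
    proxy_group = "S-1-5-21-1111111111-2222222222-3333333333-1105"
    print(is_member(SAMPLE, [proxy_group]))
```

Comparing parsed tuples rather than raw strings keeps the match exact, so a SID that is only a textual prefix of an allowed group SID does not pass.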
