Re: Proposed extension to the NTLM helper protocol

From: Andrew Bartlett <abartlet@dont-contact.us>
Date: Sat, 06 Nov 2004 19:48:39 +1100

On Sat, 2004-11-06 at 19:38, Robert Collins wrote:
> On Sat, 2004-11-06 at 19:28 +1100, Andrew Bartlett wrote:
> > On Sat, 2004-11-06 at 12:26, Robert Collins wrote:
> > > On Sat, 2004-11-06 at 12:24 +1100, Andrew Bartlett wrote:
> > > > I wish to propose an extension to the NTLM helper/squid protocol, such
> > > > that a squid redirector, or an external ACL helper, may access the list
> > > > of groups.
> > > >
> > > > A new command to ntlm_auth, UG, would request the list of user groups
> > > > from the last authentication. This uses the fact that in NTLM and
> > > > SPNEGO authentication, the authentication produces the group list, which
> > > > should be valid for a particular session.
> > >
> > > It shouldn't be a new command. The cookie should just be returned with
> > > the auth. (Anything else races hugely with overlapped requests).
> >
> > How so?
> >
> > Squid controls when it asks for a new authentication, it can just do the
> > extra round-trip after getting the AF.
> >
> > For the multiplexed helper, it is just prefixed with the multiplex
> > integer, as for all other requests.
>
> In which case, you still have that bodgy caching you were telling me
> about on IRC.

I see no cache - the state of the authentication system is not reset
yet, and squid still holds a handle to the helper. The request for the
user groups (cookie) should be made directly and immediately on receipt of
'AF' from the helper.

However, I think I see your complaint - because it's technically (and
potentially) a blocking call, Squid would need extra logic to defer
'authentication success' until this information is available.

> Surely just stuffing the answer in the result sent to squid is easier
> for you? It's easier for squid.

I didn't want to introduce an incompatible change to the protocol -
which is now in use further than squid.

An application that doesn't know of this extension won't request 'UG',
so nothing changes.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
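The exchange argued over above, modelled as an added example that is not part of the thread and not Squid's or Samba's code. It assumes the existing line-based helper protocol (request `KK <token>`, replies `AF <user>`, `NA <reason>`, `BH <reason>`, each line prefixed with the multiplex channel integer) and adds the proposed `UG` request; the `UG` reply format, the tokens and the account/group table are constructed for the example. The helper can be built with per-channel group state (so the `UG` sent straight after `AF` on the same channel is safe under overlapped requests) or with a single "last authentication" slot, which reproduces the race Robert is worried about.

```python
"""Simulated Squid <-> ntlm_auth exchange with the proposed UG request.

Constructed example. Assumed protocol shape: '<channel> KK <token>' -> '<channel> AF <user>'
or '<channel> NA <reason>'; '<channel> UG' -> '<channel> UG <group,group,...>' (reply format
assumed); '<channel> BH <reason>' for helper-side errors.
"""

# Constructed directory: token presented by the client -> (user, groups).
SAMPLE_ACCOUNTS = {
    "tok-alice": ("alice", ["Domain Users", "Proxy Admins"]),
    "tok-bob": ("bob", ["Domain Users"]),
}


class Helper:
    """Simulated ntlm_auth helper.

    per_channel=True keeps the groups from the last AF keyed by the multiplex
    channel, so overlapped requests on other channels cannot clobber them.
    per_channel=False keeps one global 'last authentication' slot, which races.
    """

    def __init__(self, per_channel=True):
        self.per_channel = per_channel
        self._groups = {}   # channel id -> groups from the last AF on that channel
        self._last = None   # single slot used when per_channel is False

    def handle(self, line):
        parts = line.split(" ", 2)
        channel, cmd = parts[0], parts[1]
        arg = parts[2] if len(parts) > 2 else ""
        if cmd == "KK":
            if arg not in SAMPLE_ACCOUNTS:
                return f"{channel} NA unknown token"
            user, groups = SAMPLE_ACCOUNTS[arg]
            if self.per_channel:
                self._groups[channel] = groups
            else:
                self._last = groups
            return f"{channel} AF {user}"
        if cmd == "UG":
            groups = self._groups.get(channel) if self.per_channel else self._last
            if groups is None:
                return f"{channel} BH no authentication on this channel"
            return f"{channel} UG {','.join(groups)}"
        return f"{channel} BH unknown command {cmd}"


def _split(reply):
    """Split '<channel> <status> <rest>' into its three fields (rest may be empty)."""
    channel, status, rest = (reply.split(" ", 2) + [""])[:3]
    return channel, status, rest


def authenticate_and_fetch_groups(helper, channel, token):
    """Squid side of Andrew's proposal: send KK, and on AF immediately send UG
    on the same channel before treating the authentication as complete.
    Returns (user, groups) on success, None on NA."""
    _, status, user = _split(helper.handle(f"{channel} KK {token}"))
    if status != "AF":
        return None
    _, status, rest = _split(helper.handle(f"{channel} UG"))
    if status != "UG":
        raise RuntimeError(f"helper error: {rest}")
    return user, rest.split(",")


def overlapped_exchange(helper):
    """Two channels authenticate back to back before channel 1 asks for UG.
    With per-channel state channel 1 gets alice's groups; with a single global
    slot it gets bob's, which is the race with overlapped requests."""
    helper.handle("1 KK tok-alice")
    helper.handle("2 KK tok-bob")
    _, _, rest = _split(helper.handle("1 UG"))
    return rest.split(",")


if __name__ == "__main__":
    print(authenticate_and_fetch_groups(Helper(), "1", "tok-alice"))
    print("per-channel:", overlapped_exchange(Helper(per_channel=True)))
    print("global slot:", overlapped_exchange(Helper(per_channel=False)))
```

The `UG` round trip only stays race-free because both the `AF` and the following `UG` carry the same channel integer and the helper keys its state on it; a helper that remembers just the last authentication gives the wrong groups as soon as two channels authenticate between one channel's `AF` and its `UG`.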

Received on Sat Nov 06 2004 - 01:48:58 MST
