Re: Proposed extension to the NTLM helper protocol

From: Andrew Bartlett <abartlet@dont-contact.us>
Date: Mon, 08 Nov 2004 22:34:09 +1100

On Sat, 2004-11-06 at 20:24, Robert Collins wrote:
> On Sat, 2004-11-06 at 19:48 +1100, Andrew Bartlett wrote:
>
> > I see no cache - the state of the authentication system is not reset
> > yet,
>
> That's not guaranteed.

As the author of ntlm_auth, I guarantee that after issuing an 'AF' (and
no other commands), the client program may issue 'UG', to return the
group list. Is that enough? :-)

> > and squid still holds a handle to the helper. The request for the
> > user groups (cookie) should be made directly and immediately on receipt of
> > 'AF' from the helper.
> >
> > However, I think I see your complaint - because it's technically (and
> > potentially) a blocking call, Squid would need extra logic to defer
> > 'authentication success' until this information is available.
>
> Right.

How hard is it to add the extra step?

> > > Surely just stuffing the answer in the result sent to squid is easier
> > > for you? It's easier for squid.
> >
> > I didn't want to introduce an incompatible change to the protocol -
> > which is now in use further than squid.
>
> I suggest adding an option to the helper to enable returning the info,
> that way it's site specific, and when squid has something implemented, it
> will always just be 'use if present'.

The other reason I avoided it was for simplicity of parsing - currently
we define the username as everything from the 'AF' to the end of line.
I suppose we should now define the 'AF' response as:

AF username=url-encoded-username authtoken=url-encoded-grouplist

How does that sound?

What I would have liked was some way that this scheme could have been
auto-negotiated. My previous proposal allowed squid to always try 'UG',
and just swallow the failure reply if the helper was 'old'.

Got any good ways we can handle this one?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet@samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
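As an added example (not code from this thread, from Squid, or from ntlm_auth), here is a parser for one helper reply line that accepts both the current form, where everything after "AF " up to end of line is the user name, and the key=value form proposed above, deciding by whether the text after "AF " starts with "username=". The field names, the decoding rule (plain RFC 1738 %XX escapes, '+' left literal), the size limits and the sample replies are all assumptions for illustration; the sample replies are constructed, not captured from a real helper.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Decode %XX escapes from in[0..inlen) into out (NUL-terminated).
 * Assumption: plain percent-encoding only; '+' is an ordinary character.
 * Returns the decoded length, or -1 on a truncated/invalid escape or overflow.
 */
static int url_decode(const char *in, size_t inlen, char *out, size_t outlen)
{
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            if (i + 2 >= inlen || !isxdigit((unsigned char)in[i + 1]) ||
                !isxdigit((unsigned char)in[i + 2]))
                return -1;
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            c = (int)strtol(hex, NULL, 16);
            i += 2;
        }
        if (o + 1 >= outlen)
            return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

enum af_format { AF_LEGACY = 0, AF_KEYVAL = 1 };

struct af_reply {
    enum af_format format;
    char username[256];   /* decoded user name */
    char authtoken[1024]; /* decoded group list; empty for a legacy helper */
};

/*
 * Parse one helper reply line.
 * Returns 1 for a usable AF reply, 0 if the line is not an AF reply at all
 * (NA, BH, TT, ...), and -1 for an AF reply the caller must treat as failure.
 */
int parse_af_reply(const char *line, struct af_reply *r)
{
    memset(r, 0, sizeof *r);
    if (strncmp(line, "AF", 2) != 0)
        return 0;
    const char *p = line + 2;
    if (*p != ' ' && *p != '\0' && *p != '\r' && *p != '\n')
        return 0;
    if (*p == ' ')
        p++;
    const char *end = p + strcspn(p, "\r\n");

    if ((size_t)(end - p) >= 9 && memcmp(p, "username=", 9) == 0) {
        /* Proposed form: space-separated key=url-encoded-value fields. */
        r->format = AF_KEYVAL;
        while (p < end) {
            const char *sp = memchr(p, ' ', (size_t)(end - p));
            size_t flen = sp ? (size_t)(sp - p) : (size_t)(end - p);
            const char *eq = memchr(p, '=', flen);
            if (!eq)
                return -1;
            size_t klen = (size_t)(eq - p);
            const char *val = eq + 1;
            size_t vlen = flen - klen - 1;
            if (klen == 8 && memcmp(p, "username", 8) == 0) {
                if (url_decode(val, vlen, r->username, sizeof r->username) < 0)
                    return -1;
            } else if (klen == 9 && memcmp(p, "authtoken", 9) == 0) {
                if (url_decode(val, vlen, r->authtoken, sizeof r->authtoken) < 0)
                    return -1;
            }
            /* Unknown keys are skipped so later additions stay compatible. */
            p += flen;
            while (p < end && *p == ' ')
                p++;
        }
    } else {
        /* Legacy form: everything after "AF " to end of line is the user name. */
        r->format = AF_LEGACY;
        size_t len = (size_t)(end - p);
        if (len >= sizeof r->username)
            return -1;
        memcpy(r->username, p, len);
        r->username[len] = '\0';
    }
    return r->username[0] ? 1 : -1;
}

int main(void)
{
    /* Constructed sample replies, not captured from a real helper. */
    const char *samples[] = {
        "AF EXAMPLE\\jdoe\n",
        "AF username=EXAMPLE%5Cjdoe authtoken=S-1-5-21-1-2-3-513%2CS-1-5-21-1-2-3-1105\n",
        "NA\n",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct af_reply r;
        int rc = parse_af_reply(samples[i], &r);
        printf("rc=%d format=%d user=\"%s\" groups=\"%s\"\n",
               rc, r.format, r.username, r.authtoken);
    }
    return 0;
}
```

Two things worth noting. Detecting the new form by a leading "username=" is only a heuristic: a legacy helper that returns a user whose name literally starts with "username=" would be misparsed, which is one argument for the per-helper option suggested above rather than sniffing. And the url-encoding is what makes the key=value form safe to parse at all: a user name containing a space or a newline can no longer split a field or terminate the line early, which is exactly the parsing simplicity the current to-end-of-line rule was protecting.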

Received on Mon Nov 08 2004 - 04:34:30 MST