Hi guys! Thanks very much for your quick replies to my initial
message. It seems like it was eons ago... Er, actually it was!!
Sorry... :(
I don't yet have any further information regarding traces, etc, but I
have been doing a lot of research on commercial products. Perhaps we
can enter squid in with commercial players like Barracuda. There are
two ways that authentication works with the Barracuda:
1) IP-based timed session. Authentication is actually done via a web
page and not using the browser's built-in authentication schemes.
This provides a lot of flexibility. Once the user enters credentials
into the browser and is accepted, a session is created for x amount of
time for that IP. Shut down the computer all you want, as long as the
session hasn't timed-out, the session still exists for that PC. A
problem exists for schools where login sessions range from 5 minutes
to hours and the PCs are shared among dozens of users throughout the
day. An agent could be running on the computer that would, when
killed, send an instruction to squid to kill the open session for that
IP.
2) Active Directory. The Barracuda provides and Active
Directory-based Domain Controller Agent which runs on every PC. When
a user logs into the computer, this information is sent via the DCA to
AD such that the Barracuda can ask the AD who is logged in on this
machine. The squid method could be an improvement over the cuda
method by making it an LDAP Agent. An Agent would run on the computer
informing LDAP of the user's login status -- user abc is currently
logged into machine xyz (or of the machine's login status -- who is
currently logged in on machine xyz?) Squid would then determine who
is logged into a machine by querying LDAP. squid would then be able
to proceed as normal with acls, et al...
What would it take for us to enhance squid to follow one of these
approaches? And, again, can I throw some money at it to make it
happen (and perhaps start soon)?
Thanks for your time and consideration!
Stefan Adams, president
Cogent Innovators, LLC
http://www.cogentinnovators.com
stefan@cogentinnovators.com
On 4/2/07, Adrian Chadd <adrian@creative.net.au> wrote:
> On Sat, Mar 31, 2007, Stefan Adams wrote:
> > Hello squid developers!
> >
> > I have been devoting a lot of time to authentication within the proxy.
> > However, every solution I provide to my customers is unacceptable.
> > They simply get prompted too often or something doesn't work at all.
>
> Erk! Hey, someone who might help fix why those Java applets break with NTLM/basic
> authentication!
>
> Quick, tie him down. :)
>
> > Using NTLM, certain sites, e.g. links to videos on cnn.com, don't work
> > at all. These videos are loaded by Real Player which apparently has
> > an issue working passing NTLM credentials. As such, when using NTLM
> > authentication, these videos are inaccessible. This is unacceptable
> > to customers.
>
> Have you any packet dumps/NTLM traces of this? It might be easily worked around
> by some patches to Squid.
>
> > Using Basic (PAM module), certain situations cause credential
> > querying. This is extremely evident while using the help function of
> > Microsoft Office products. The online help is web-based. Each link
> > loads a new browser window and Office does not remember the
> > credentials from link to link. As a result, everytime a customer
> > clicks a link, they are asked once again for credentials. This is
> > unacceptable to customers.
>
> Hm, does the online help, being web-based, does that work happy with
> NTLM? Does NTLM work well in this case?
>
> > I think entry 2.3 in the FAQ most clearly sums up the problem:
> >
> > http://netmirror.org/mirror/squid-www/Doc/FAQ/FAQ-23.html
> >
> > "Note: This has nothing to do with how often the user needs to
> > re-authenticate himself. It is the browser who maintains the session,
> > and re-authentication is a business between the user and his browser,
> > not the browser and Squid. The browser authenticates on behalf of the
> > user on every request sent to Squid. What this parameter controls is
> > only how often Squid will ask the defined helper if the password is
> > still valid."
> >
> > That said, there simply MUST be a better way. I have heard of other
> > schools that provide authentication to the proxy that apparently do
> > not complain about such "inconveniences". These users use commerical,
> > proprietary products. I have no idea how they work.
>
> Can you get access to them? Can you throw a packet trace at them?
>
> Its entirely possible to "cache" authentication based on IP address.
> That'd be perfectly fine in a lot of cases.
>
> My suggestion: get some traces from broken implementations, fire them
> off to the list, offer some money at people to try and fix it up and see
> what happens.
>
>
>
>
>
> Adrian
>
Received on Wed May 09 2007 - 12:20:59 MDT
This archive was generated by hypermail pre-2.1.9 : Fri Jun 01 2007 - 12:00:08 MDT