Oskar Pearson wrote:
> Hi all
> Some of us might be interested - The next Netscape proxy includes
> LDAP support (presumably to authenticate against OS's rather than a
> server maintained list). Support for this would be nice for squid.

Mmm... maybe, though my impression from past comments from Netscape was they
were aiming to use LDAP as a place to store configuration information for
their servers. And LDAP's a directory service, not an authentication service.

Plus ... if you're suggesting using users' normal username/password details
for proxy authentication, that's not something that is generally advisable
even in situations where it would be possible. With the password sent across
the net with every request to a proxy or password-controlled web server,
the consequences of a successful password-snooping attack would be much
greater if the same passwords were used (far less frequently, and quite
possibly only over much smaller and more secure parts of the network) for
access to other systems. [See, for example, the frequent "how can I make
Apache use /etc/passwd?" "You *really* don't want to!" postings in the
comp.infosystems.www.servers.unix newsgroup.]

The only good reason I can see for a web server or web cache having any
information about users' passwords for other systems might be to allow the
server to refuse to let them use the same password! [As ever, the situation
and risks are rather different on an intranet behind a firewall compared to
a non-firewalled network or a situation where the passwords would be
travelling over external, untrusted parts of the network.]

                                John Line

