NCSA Authentication

From: Glen Diener <glen@dont-contact.us>
Date: Wed, 9 Jun 1999 14:01:23 -0500 (CDT)

I have scoured the FAQ and the squid-users mailing list archive and found
a lot of discussion on the general topic of authenticating squid users.
However, none of the information I found has helped me with my specific
problem. I've just installed squid-2.2.STABLE3 on a Solaris 2.6 system
and it seems to work fine except for the NCSA authentication. The
pertinent parts of my squid.conf file follow:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 80 21 443 563 70 210 1025-65535
acl CONNECT method CONNECT

#Local acls
acl ourallowedhosts1 src 198.248.166.0/255.255.255.0
acl user_passwords proxy_auth REQUIRED
acl all src 0.0.0.0/0.0.0.0

#Default configuration:
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# The following line is commented out to test proxy authentication
#http_access allow ourallowedhosts1
http_access allow user_passwords
http_access deny all

authenticate_program /usr/local/squid/bin/ncsa_auth /usr/local/squid/etc/ok_users
proxy_auth_realm Squid proxy-caching web server

debug_options ALL,1 28,9

The problem is that the authentication program (ncsa_auth) will ask the
client (Netscape or Internet Explorer) for a username and password. But,
regardless of what username/password I enter, access is denied. I used
htpasswd to create a password file in /usr/local/squid/etc/ok_users.
Debug messages from the cache log are shown below. They seem to indicate
that the username and password are correctly sent from the client to the
squid server and that the problem is between ncsa_auth and squid. Does
anyone have an idea of what I may be doing wrong?

1999/06/07 22:57:54| aclDecodeProxyAuth: cleartext = 'glen:skittles'
1999/06/07 22:57:54| aclMatchProxyAuth: checking user 'glen'
1999/06/07 22:57:54| aclMatchProxyAuth: user 'glen' not yet known
1999/06/07 22:57:54| aclMatchAclList: returning 0
1999/06/07 22:57:54| aclCheck: checking password via authenticator
1999/06/07 22:57:54| aclDecodeProxyAuth: cleartext = 'glen:skittles'
1999/06/07 22:57:54| aclLookupProxyAuthStart: going to ask authenticator on glen
1999/06/07 22:57:54| aclLookupProxyAuthDone: result = ERR
1999/06/07 22:57:54| aclCheck: checking 'http_access allow user_passwords'
1999/06/07 22:57:54| aclMatchAclList: checking user_passwords
1999/06/07 22:57:54| aclMatchAcl: checking 'acl user_passwords proxy_auth REQUIRED'
1999/06/07 22:57:54| aclDecodeProxyAuth: cleartext = 'glen:skittles'
1999/06/07 22:57:54| aclMatchProxyAuth: checking user 'glen'
1999/06/07 22:57:54| aclMatchProxyAuth: authentication failed for user 'glen'
1999/06/07 22:57:54| aclMatchAclList: returning 0
1999/06/07 22:57:54| aclCheck: match found, returning 2
1999/06/07 22:57:54| aclCheckCallback: answer=2

Glen Diener (glen@tabor.edu)
Systems Administrator
Tabor College
Received on Wed Jun 09 1999 - 12:58:48 MDT
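
Added example, not part of the original post and not Squid's own code: one way to test the password file and the helper separately, outside Squid. It assumes the basic-auth helper convention of one "username password" line on stdin answered with OK or ERR (the ERR seen in the log above); the function names are hypothetical, and the hash classification goes beyond what the post shows.

```python
import getpass
import os
import subprocess
import sys

def ask_helper(helper_argv, user, password, timeout=5):
    """Feed one "user password" line to a basic-auth helper; return its first reply line."""
    proc = subprocess.run(helper_argv, input=f"{user} {password}\n",
                          capture_output=True, text=True, timeout=timeout)
    lines = proc.stdout.splitlines()
    return lines[0].strip() if lines else ""  # "" means the helper printed nothing

def hash_scheme(stored):
    """Classify an htpasswd hash field by its well-known prefix or length."""
    if stored.startswith("$apr1$"):
        return "apache-md5"
    if stored.startswith("{SHA}"):
        return "sha1"
    if len(stored) == 13:
        return "crypt-des"
    return "unknown"

def inspect_passwd_file(path, user):
    """Report whether the calling user can read the file and how `user` is stored."""
    report = {"readable": os.access(path, os.R_OK), "entry": False, "scheme": None}
    if not report["readable"]:
        return report
    with open(path) as fh:
        for line in fh:
            name, sep, stored = line.rstrip("\n").partition(":")
            if sep and name == user:
                report["entry"] = True
                report["scheme"] = hash_scheme(stored.split(":")[0])
                break
    return report

if __name__ == "__main__":
    # Paths are the ones given in the post; the password is prompted for, not logged.
    helper = "/usr/local/squid/bin/ncsa_auth"
    passwd = "/usr/local/squid/etc/ok_users"
    user = sys.argv[1]
    print(inspect_passwd_file(passwd, user))
    print(ask_helper([helper, passwd], user, getpass.getpass()))
```

Run it as the account Squid runs under (cache_effective_user), because os.access() answers for the calling user and the helper inherits that identity.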
