Re: smb_auth question again

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 27 Jun 2000 08:42:34 +0200

The problem is lack of a standardised method for exchanging the user
information.

There are at least three alternatives here

a) Have ident support installed on the client machines, and configure
Squid to query for this (the ident ACL type).
The weaknesses of this approach are:
a1: Some ident service must be installed on every client machine.
a2: ident is not a very secure protocol, and if the users can control
the ident service on their station then they can spoof themselves as any
user.

b) Investigate if you might make use of Microsoft NTLM proxy
authentication.
Weaknesses:
b1) Not yet supported by Squid. Alpha quality code is available from
squid.sourceforge.net.
b2) A very Microsoft specific protocol, only supported by Microsoft
browsers on Microsoft OSes. Not ever likely to be supported by any
client-side things outside Microsoft.

c) Extend the authentication to verify that the user is actually logged
on to the station he/she comes from.
This can be done by either
c1: Extend Squid's authentication mechanism to also pass the client IP
address, and extend the authenticator helper to verify that the user is
actually logged on to that client IP using wins/netbt calls.
c2: Do the verification in a redirector helper (with internal status
caching). The redirector mechanism already includes the client station
IP, and should also include the authenticated user name when proxy_auth
is being used.

big_fish@email.com.cn wrote:
>
> Thanks,
> I think I've not expressed my meaning clearly.
> What I want is:
> squid can identify the client's NT username. I have ACLs
> in squid.conf; it indicates if the user is able to use
> squid. If it's valid, squid won't ask him for a password.
> (Just like if you log on to an NT network, you can visit
> resources on some servers without providing a password again.)
> Actually, I'm now using NCSA; its username isn't the same
> thing as the NT username. That's to say, an NCSA user USER1
> needn't log on to NT as USER1; he can use any NT username,
> maybe USERX, and provide the browser with its NCSA username.
> In this situation, squid only gets an NCSA username instead of
> a real NT username.
Received on Tue Jun 27 2000 - 00:48:27 MDT
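
Option c2 from the reply above, sketched as a redirector helper with internal status caching. This is an added example, not code from the original message or from Squid. It assumes the redirector input line is "URL ip/fqdn user method" with the proxy_auth user name in the third field; the deny URL and the session table are constructed placeholders, and a real deployment would replace sample_lookup with a NetBIOS name-table query against the client IP.

```python
import sys
import time

DENY_URL = "http://proxy.example.invalid/denied.html"  # hypothetical deny page
CONSTRUCTED_SESSIONS = {"10.0.0.5": ["USER1"]}         # constructed sample data

def sample_lookup(ip):
    """Stand-in for the wins/netbt query: users logged on at this IP."""
    return CONSTRUCTED_SESSIONS.get(ip, [])

class LogonVerifier:
    """Caches (ip, user) verdicts so each request does not trigger a lookup."""
    def __init__(self, lookup, ttl=300, clock=time.monotonic):
        self.lookup, self.ttl, self.clock = lookup, ttl, clock
        self.cache = {}  # (ip, user) -> (verdict, expiry time)

    def is_logged_on(self, ip, user):
        key = (ip, user.lower())  # NT user names are case-insensitive
        now = self.clock()
        hit = self.cache.get(key)
        if hit and hit[1] > now:
            return hit[0]
        try:
            verdict = key[1] in {u.lower() for u in self.lookup(ip)}
        except Exception:
            verdict = False  # fail closed if the station cannot be queried
        self.cache[key] = (verdict, now + self.ttl)
        return verdict

def handle_line(line, verifier):
    """Return "" (leave the URL unchanged) or DENY_URL for one request line."""
    fields = line.split()
    if len(fields) < 3:
        return DENY_URL
    ip = fields[1].split("/", 1)[0]  # second field is ip/fqdn
    user = fields[2]
    if user == "-":                  # no authenticated user name supplied
        return DENY_URL
    return "" if verifier.is_logged_on(ip, user) else DENY_URL

if __name__ == "__main__":
    verifier = LogonVerifier(sample_lookup)
    for request in sys.stdin:
        print(handle_line(request, verifier), flush=True)  # one reply per line
```

The cache lifetime bounds how long a verdict outlives a logoff, so a short ttl trades lookup load for freshness.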

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:54:11 MST