Re: [SQU] ANNOUNCEMENT: NTLM update #2

From: Robert Collins <robert.collins@dont-contact.us>
Date: Mon, 13 Nov 2000 22:34:33 +1100

----- Original Message -----
From: "Thomas Goebel" <thomas@an-netz.de>
To: "Robert Collins" <robert.collins@itdomain.com.au>
Cc: <squid-users@ircache.net>
Sent: Monday, November 13, 2000 10:10 PM
Subject: Re: [SQU] ANNOUNCEMENT: NTLM update #2

> Hello,
>
> that is my next problem. You wrote
>
> * removed --enable-basic-authentication and --enable-ntlm-authentication
> configure options. Authentication schemes are now implicitly controlled
> via squid.conf. (By setting a helper for a given scheme).

the
--enable-ntlm-auth-modules=
still needs to be used to build particular helpers.

>
> But the ntlm_auth helper is not present in
> squid-ntlm/ntlm_auth_modules/NTLMSSP after I do a "make". I try it with
> this directive and there is also NO ntlm_auth.
>
> In the generated squid.conf.default, there are no options for
> authenticate_cache_garbage_interval

I don't know why you don't get it... but here it is.

# TAG: authenticate_cache_garbage_interval
# The time period between garbage collection across the username cache.
# This is a tradeoff between memory utilisation (long intervals - say
# 2 days) and CPU (short intervals - say 1 minute). Only change if
# you have good reason to.
#
#Default:
# authenticate_cache_garbage_interval 1 hour

> I have a complete NEW (I have deleted my old squid-ntlm tree) copy of the
> cvs-tree
>
> cu
>
> Thomas
>
>
> Robert Collins wrote:
> >
> > You don't need to use it. If you have a very large number of users (say more
> > than 10,000), or are very short on ram you may want to use it. See the
> > squid.conf.default entry for it.
> >
> > Rob
> > ----- Original Message -----
> > From: "Thomas Goebel" <thomas@an-netz.de>
> > To: "Robert Collins" <robert.collins@itdomain.com.au>
> > Cc: <squid-users@ircache.net>
> > Sent: Monday, November 13, 2000 9:55 PM
> > Subject: Re: [SQU] ANNOUNCEMENT: NTLM update #2
> >
> > > Hello,
> > >
> > > ok now it works fine.
> > >
> > > What does this mean? When should I use the directive?
> > >
> > > New config directive authenticate_cache_garbage_interval to tune
> > > user cache garbage collection.
> > >
> > > Thomas
> > >
> > > Robert Collins wrote:
> > > >
> > > > I've done a clean checkout of the ntlm branch to check, and had no problem.
> > > >
> > > > I think something is wrong with your local copy. So I am suggesting you get
> > > > a fresh local copy.
> > > >
> > > > Rob
> > > > ----- Original Message -----
> > > > From: "Thomas Goebel" <thomas@an-netz.de>
> > > > To: "Robert Collins" <robert.collins@itdomain.com.au>
> > > > Cc: <squid-users@ircache.net>
> > > > Sent: Monday, November 13, 2000 9:28 PM
> > > > Subject: Re: [SQU] ANNOUNCEMENT: NTLM update #2
> > > >
> > > > > Sorry, I don't understand what you mean?
> > > > >
> > > > > I have updated my cvs tree in the same way as I did it five times in the
> > > > > past.
> > > > >
> > > > > Thomas
> > > > >
> > > > > Robert Collins wrote:
> > > > > >
> > > > > > I think you have a broken source tree. Try checking out the ntlm branch from
> > > > > > scratch.
> > > > > >
> > > > > > Rob
> > > > > > ----- Original Message -----
> > > > > > From: "Thomas Goebel" <thomas@an-netz.de>
> > > > > > To: "Robert Collins" <robert.collins@itdomain.com.au>
> > > > > > Cc: <squid-users@ircache.net>
> > > > > > Sent: Monday, November 13, 2000 9:02 PM
> > > > > > Subject: Re: [SQU] ANNOUNCEMENT: NTLM update #2
> > > > > >
> > > > > > > Hi,
> > > > > > >
> > > > > > > the same happened when I do a
> > > > > > >
> > > > > > > make
> > > > > > >
> > > > > > > Here are the lines at the end of the make command and then they
> > > > > > > restarting
> > > > > > > creating ./ntlm_auth_modules/no_check/Makefile
> > > > > > > creating include/autoconf.h
> > > > > > > include/autoconf.h is unchanged
> > > > > > > make[5]: Entering directory `/DOWN/squid-ntlm'
> > > > > > > make[5]: *** Warning: File `lib/Makefile.in' has modification time in the future
> > > > > > > (2000-11-13 11:35:14 > 2000-11-13 10:59:30)
> > > > > > > Package configuration updated. Cleaning and reconfiguring
> > > > > > > running /bin/sh ./configure --enable-snmp --prefix=/usr --no-create --no-recursion
> > > > > > > loading cache ./config.cache
> > > > > > > checking host system type... i686-pc-linux-gnu
> > > > > > > checking for gcc... (cached) gcc
> > > > > > > checking whether the C compiler (gcc -g) works... yes
> > > > > > > checking whether the C compiler (gcc -g) is a cross-compiler... no
> > > > > > > checking whether we are using GNU C... (cached) yes
> > > > > > > checking whether gcc accepts -g... (cached) yes
> > > > > > > Store modules built: ufs
> > > > > > > Removal policies built: lru
> > > > > > > SNMP monitoring enabled
> > > > > > >
> > > > > > >
> > > > > > > My config:
> > > > > > >
> > > > > > > autoconf
> > > > > > > autoheader
> > > > > > > ./configure --enable-snmp --prefix=/usr
> > > > > > >
> > > > > > > Thomas
> > > > > > >
> > > > > > >
> > > > > > >
> > > > > > > Robert Collins wrote:
> > > > > > > >
> > > > > > > > This is to announce an update to the CVS tree for squid-ntlm.
> > > > > > > >
> > > > > > > > The new code (like the existing code) is somewhere after alpha and
> > > > > > > > before production. YMMV.
> > > > > > > >
> > > > > > > > Why upgrade?
> > > > > > > >
> > > > > > > > * Nearly complete authentication rewrite.
> > > > > > > > * Full reconfigure support (Prior to this squid does not expire users in
> > > > > > > > the user cache according to the new authenticate ttl).
> > > > > > > > * Dynamic Authentication scheme support. Squid only offers and accepts
> > > > > > > > the authentication scheme that helpers are defined in squid.conf for.
> > > > > > > > I.E. if you need Basic support, simply list an authenticate_program.
> > > > > > > > * NTLM usernames are logged as domain\user, not domain%5cuser.
> > > > > > > > * At a source level authenticate.c now handles nearly all the
> > > > > > > > authentication functionality, and acl.c the access controls. This should
> > > > > > > > allow easy integration of digest/kerberos etc as acl.c should need
> > > > > > > > minimal (if any) changes.
> > > > > > > > * generic acl match caching function for acl.c (used by this update)
> > > > > > > > * acl match caching for proxy_auth and proxy_auth_regex with
> > > > > > > > authenticated users. This means that if you have long proxy_auth or
> > > > > > > > proxy_auth_regex acls, repeated requests for a given username (even from
> > > > > > > > multiple workstations) will short-circuit the username matching. For
> > > > > > > > sites with 1000's of users, or complex regex's this should produce
> > > > > > > > substantial CPU savings.
> > > > > > > > * user cache garbage collection. (we use more memory with NTLM and also
> > > > > > > > with acl match caching.)
> > > > > > > > * New config directive authenticate_cache_garbage_interval to tune user
> > > > > > > > cache garbage collection.
> > > > > > > > * multiplexed ntlm helper requests. fake_auth has been updated, I'm not
> > > > > > > > sure whether the NTLMSSP helper will respond 'optimally' to this or not.
> > > > > > > > It should work though (I can't test it :-[)
> > > > > > > > * IP address movement restrictions affect NTLM and basic authentication
> > > > > > > > equally. (shared code now).
> > > > > > > > * NTLM authenticated user timeouts & IP timeouts as per basic
> > > > > > > > authentication (shared code now).
> > > > > > > > * (hopefully) generally cleaner interfaces internally, should be a lot
> > > > > > > > easier to add digest et al in the future.
> > > > > > > > * removed --enable-basic-authentication and --enable-ntlm-authentication
> > > > > > > > configure options. Authentication schemes are now implicitly controlled
> > > > > > > > via squid.conf. (By setting a helper for a given scheme).
> > > > > > > >
> > > > > > > > The helpers themselves have not changed substantially. In particular the
> > > > > > > > NTLMSSP helper is still using the same wire-level protocol to the Domain
> > > > > > > > Controller. If you have tuned your system to work well now, I suggest
> > > > > > > > keeping the same parameters and seeing how it runs.
> > > > > > > >
> > > > > > > > To update:
> > > > > > > > do a cvs update in your source directory
> > > > > > > > then autoconf
> > > > > > > > then autoheader
> > > > > > > > then in your build directory
> > > > > > > > make clean
> > > > > > > > make
> > > > > > > > make install
> > > > > > > >
> > > > > > > > --
> > > > > > > > To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
> > > > > > >
> > > > >
> > >
>

Received on Mon Nov 13 2000 - 04:30:31 MST
