Re: [SQU] OT: Does the wonderous NTLM auth module exist for Apache?

It's the nature of NTLM to do that to servers :]. But on the other hand if
you are able to generate the challenge you can choose whether you can
cacheable responses or not. Have a look at the NTLMSSP code in the ntlm
branch of squid if you're interested.

Rob
----- Original Message -----
From: "DaveP" <davep@hmgcc.gov.uk>
To: <squid-users@ircache.net>
Sent: Wednesday, November 22, 2000 7:03 PM
Subject: Re: [SQU] OT: Does the wonderous NTLM auth module exist for Apache?

> Jason Haar wrote:
> >
> > On Tue, Nov 21, 2000 at 11:14:28AM +0100, Chemolli Francesco (USI)
wrote:
> > > There is a mod_smb_auth for Apache, but it's broken at the
> > > protocol level, I'd be very surprised if it worked.
> >
> > All the mod_auth_smb-style modules do is provide Basic auth - not NTLM
(i.e.
> > the "automatic" authentication).
> >
> > As you say they all suffer from the fact that they are single-process so
> > that you end up re-checking the password against the domain controller
for
> > every page - i.e. NO CACHING.
>
> Later versions of pam_smb (URL is in the Samba docs) do have a cacheing
> authentication daemon, but as you say this is BASIC authentication only.
> AFAIK it is impossible (by design) to cache NTLM authentication, since
> neither the plain-text password nor the password hash go over the air.
>
> Mod-ntlm uses the 'keepalive' option of Apache to avoid authenticating
> more than once per TCP/IP connect, and with the keepalive timeout set to
> 60 seconds that does reduce the workload for active web browsers, at the
> cost of more Apache processes.
>
> Dave
>
> --
> To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
>
>

--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html