RE: [SQU] OT: Does the wondrous NTLM auth module exist for Apache?

From: Chemolli Francesco (USI) <ChemolliF@dont-contact.us>
Date: Wed, 22 Nov 2000 12:52:58 +0100

> Jason Haar wrote:
> >
> > On Tue, Nov 21, 2000 at 11:14:28AM +0100, Chemolli Francesco (USI) wrote:
> > > There is a mod_smb_auth for Apache, but it's broken at the
> > > protocol level, I'd be very surprised if it worked.
> >
> > All the mod_auth_smb-style modules do is provide Basic auth - not NTLM (i.e.
> > the "automatic" authentication).
> >
> > As you say they all suffer from the fact that they are single-process so
> > that you end up re-checking the password against the domain controller for
> > every page - i.e. NO CACHING.
>
> Later versions of pam_smb (URL is in the Samba docs) do have a caching
> authentication daemon, but as you say this is BASIC authentication only.

*bzzzzzttt* wrong answer
see http://modntlm.sourceforge.net/

Never used it, but it claims to be in beta status...

> AFAIK it is impossible (by design) to cache NTLM authentication, since
> neither the plain-text password nor the password hash go over the air.

Yes and no. We _do_ cache NTLM authentication, via an "ignorance is bliss"
system. Surprisingly enough, it works (but it needs checking).

> Mod-ntlm uses the 'keepalive' option of Apache to avoid authenticating
> more than once per TCP/IP connect, and with the keepalive timeout set to
> 60 seconds that does reduce the workload for active web browsers, at the
> cost of more Apache processes.

NTLM authentication RELIES on keepalive, so it's not an insane choice.

-- 
	/kinkie
Received on Wed Nov 22 2000 - 04:56:04 MST
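
Added example, not part of the original message and not mod_ntlm's or Squid's code: a minimal Python model of why NTLM over HTTP depends on keepalive, with handshake state bound to the TCP connection rather than to the request. The `ConnectionAuthTracker` class, the `conn_id` keys and the `make_msg` helper are hypothetical names; the sample messages are constructed header-only stubs, and the check of the Type 3 response against the domain controller is left out.

```python
import base64
import struct

NTLMSSP = b"NTLMSSP\x00"  # signature that starts every NTLM message

def ntlm_message_type(header_value):
    """Return 1, 2 or 3 for an 'NTLM <base64>' header value, else None."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.upper() != "NTLM":
        return None
    try:
        raw = base64.b64decode(blob.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) < 12 or not raw.startswith(NTLMSSP):
        return None
    (msg_type,) = struct.unpack_from("<I", raw, 8)  # 32-bit little-endian type
    return msg_type if msg_type in (1, 2, 3) else None

class ConnectionAuthTracker:
    """Hypothetical per-TCP-connection handshake state, keyed by conn_id."""
    def __init__(self):
        self.state = {}  # conn_id -> "challenged" | "authenticated"

    def on_request(self, conn_id, authorization=None):
        if self.state.get(conn_id) == "authenticated":
            return "200 (connection already authenticated)"
        kind = ntlm_message_type(authorization) if authorization else None
        if kind == 1:  # Type 1 negotiate: answer with a challenge
            self.state[conn_id] = "challenged"
            return "401 + Type 2 challenge"
        if kind == 3 and self.state.get(conn_id) == "challenged":
            # Assumption: a real server verifies the response here.
            self.state[conn_id] = "authenticated"
            return "200 (handshake complete)"
        self.state.pop(conn_id, None)
        return "401 (restart handshake)"

    def on_close(self, conn_id):
        # Closing the connection discards the authentication with it.
        self.state.pop(conn_id, None)

def make_msg(msg_type):
    """Constructed sample: header-only NTLM message of the given type."""
    raw = NTLMSSP + struct.pack("<I", msg_type) + b"\x00" * 4
    return "NTLM " + base64.b64encode(raw).decode()
```

A Type 3 message that arrives on a different connection than the one that received the challenge is rejected, and a closed connection has to repeat the whole exchange, which is the per-connection cost the thread discusses.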