>>> Henrik Nordstrom <hno@squid-cache.org> 09/13/02 08:30AM >>>
Are you sure? So there is one call to clnttrus per TCP connection to the
proxy, verifying who the user of this specific TCP connection is similar
to how IDENT operates?
If not then it is the ip who is being authorized by which user is
currently logged in, and the protocol falls down on the floor if there
is multiuser stations such as terminal server, UNIX etc...
>>>
I'm quite sure that clntrust returns the username, because how else can a Bordermanager decide to grant/deny access to a url/domain based on acls that are made of usernames/containers? I might have to sniff that traffic some day if isn't encrypted.
AFAIK there's no such thing as a multi-user station in the Novell environment. Only one Novell user can be logged in on a Windows workstation. Maybe this could be a problem on an Unix server where multiple users can be logged in, but then again, there's no Client32/clntrust for Linux and there never will be. Novell strategy is to move environment where almost anything can be done webbased.
>>>
Maybe. Depends on what clntrust.exe is actually returning and what the
server side can do to verify the validity of the result.
>>>
I assume (I haven't yet really searched for some documentation on this, if there's anything available at all) that clntrust returns the username as reported back by Novell's Client32. The ident program I mentioned the other day does this also. And I assume again that Bordermanager finds this valid enough, because all of the crypto RSA stuff that's in the Client32. The user has allready authenticated itself to the NDS when it logged in.
But to wrap this subject up, I think that ident would work well enough in most environments. The only gripe I had with ident is the amount of ident request that Squid performs for the requests. In our environment with about 100-200 concurrent users that's just too much traffic. But I say had, because we recently upgraded our 256kbit/2 Mbit WAN lines to 100 Mbit :-D
Maybe I could throw in a feature request? :-) Could there be also an ident_ttl option so this would occur only once in 5 minutes or so? That would significantely reduce the amount of traffic (and maybe load on the server side)
I would really like to replace our Bordermanagers that aren't performing up to par and sometimes give us headaches. Maybe that's because of a lack of knowledge on our side, but we haven't got the resources (time and moneywise) to make this better. Squid out of the box on commodity hardware performs allready better than Bordermager on A-brand servers.
But we knew that allready, didn't we? :-)
Gerben.
Received on Fri Sep 13 2002 - 08:53:25 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:10:19 MST