Re: [squid-users] Digest + NTLM Auth

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 20 Sep 2005 13:44:45 +0200 (CEST)

On Tue, 20 Sep 2005, Dave Raven wrote:

> Is it possible to use digest as a failover to ntlmssp?

Yes, if your browser allows it. You can even configure all three schemes
(NTLM, Digest, Basic). Browsers are supposed to select the strongest of
the offered schemes, but in reality they tend to select the first they
support of the offered schemes. The order offered by Squid is the same as
your auth_param directives in squid.conf.

> So summed up - is it possible to authenticate against an ntlm server as
> basic does, but with digest between the client and the cache?

The use of digest requires a digest compatible backend. Currently this
only includes a local digest specific password file on the cache server.

In squid-3 there is an enhanced Digest helper also supporting LDAP storage
of the digest passwords (both plain-text and hashed formats supported),
but this still requires Digest specific attributes to be available in the
LDAP server and is not using the same password mechanisms as normal LDAP
authentication.

There is hope of eventually supporting integration with "real" Digest
capable authentication backends such as ADS or Radius but unfortunately
there is very little standard on how to integrate Digest authentication
with an authentication server and in addition the Squid Digest
implementation needs some redesign to allow for such integration. But
there is good hope both issues will resolve over time making Digest
authentication as easy to use as Basic authentication in most networks.

Regards
Henrik
Received on Tue Sep 20 2005 - 05:44:47 MDT
