Re: [squid-users] Squid farm, share auth

From: Luis Daniel Lucio Quiroz <dlucio@dont-contact.us>
Date: Fri, 28 Sep 2007 08:41:20 -0500

Thanks Chris,

You solved my auth crypt problem; however, I still have a doubt about
single authentication in a Squid farm.
You said:
"As long as all the proxies use the same data source to authenticate
against, no extra work will be required.  HTTP is a stateless protocol,
so the browser passes authentication details along with every request
that should require it."

So this means that the horrible login box asking for user/password will appear just
once???
I told them about using Squid with domain passwords, so single-sign-on domain
capability would be great, but they don't want to use domain passwords, so this
is not an option.

Regards,

LD

On Thursday 27 September 2007 18:50:02, Chris Robertson wrote:
> Luis Daniel Lucio Quiroz wrote:
> > Hi All,
> >
> > We are planning to install a farm of n squids to provide our company
> > enhanced web surfing experience and to control security on who is
> > where. However, we have some requirements I'm not really sure that squid
> > is capable of, here they are:
> > - Squids need to be auth, however, auth must be against an openldap (I
> > know this is possible). The fact is that auth MUST be encrypted. I was
> > thinking about Cipher auth that is done with MD5 but we really don't know
> > what is the crypt hash of ldap.
>
> See
> http://www.squid-cache.org/mail-archive/squid-users/200212/0005.html,
> http://www.squid-cache.org/mail-archive/squid-users/200407/0697.html and
> finally
> http://wiki.squid-cache.org/KnowledgeBase/Using_the_digest_LDAP_autheticaticon_helper
>
> In the last link, where it talks about Installing and testing the
> helper, Squid 2.6 is equivalent to Squid 2 HEAD, as the digest_ldap_auth
> helper is included with Squid 2.6
>
> > - Authentication must be shared, in the way that if I've already authed in
> > squid1, then squid2 shouldn't ask me for authentication. I'm not really sure
> > if ICP or HTCP can do this. The Squid farm is balanced by an external
> > appliance so we don't know what squidN is responding to replay.
>
> As long as all the proxies use the same data source to authenticate
> against, no extra work will be required. HTTP is a stateless protocol,
> so the browser passes authentication details along with every request
> that should require it.
>
> > I hope someone could give me a clue.
> >
> > Regards,
> >
> > LD
>
> Chris
Received on Fri Sep 28 2007 - 07:29:48 MDT
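
The point made in the quoted reply (every request carries its own credentials, so farm members only need the same data source) can be seen in this added example, which is not part of the original thread and is not Squid's code. It models Digest proxy authentication as specified in RFC 2617 (legacy form without qop); the realm, account, and the `ProxyNode` and `Browser` classes are constructed for illustration, and a dictionary stands in for the LDAP directory.

```python
import hashlib
import secrets

REALM = "proxy-farm"  # constructed realm name

def md5(*parts):
    return hashlib.md5(":".join(parts).encode()).hexdigest()

# Stand-in for the shared LDAP directory: username -> HA1 = MD5(user:realm:password).
SHARED_HA1 = {"ld": md5("ld", REALM, "s3cret")}  # constructed account

class ProxyNode:
    """One farm member: issues its own nonces, shares no session with peers."""
    def __init__(self):
        self.nonces = set()

    def challenge(self, stale=False):
        nonce = secrets.token_hex(8)
        self.nonces.add(nonce)
        return 407, {"nonce": nonce, "stale": stale}

    def handle(self, method, uri, auth=None):
        if auth is None:
            return self.challenge()
        ha1 = SHARED_HA1.get(auth["username"])
        expected = md5(ha1, auth["nonce"], md5(method, uri)) if ha1 else ""
        if not ha1 or not secrets.compare_digest(expected, auth["response"]):
            return self.challenge()  # wrong credentials: client must re-prompt
        if auth["nonce"] not in self.nonces:
            return self.challenge(stale=True)  # valid digest, nonce from a peer
        return 200, {}

class Browser:
    """Prompts the user only when it has no credentials or they were rejected."""
    def __init__(self, user, password):
        self.user, self.password = user, password  # what the user would type
        self.ha1 = self.nonce = None
        self.prompts = 0

    def _auth(self, uri):
        response = md5(self.ha1, self.nonce, md5("GET", uri))
        return {"username": self.user, "nonce": self.nonce, "response": response}

    def get(self, node, uri):
        auth = self._auth(uri) if self.ha1 else None
        status, params = node.handle("GET", uri, auth)
        if status == 407:
            if auth is None or not params["stale"]:
                self.prompts += 1  # login box shown
                self.ha1 = md5(self.user, REALM, self.password)
            self.nonce = params["nonce"]
            status, _ = node.handle("GET", uri, self._auth(uri))
        return status
```

Sending one `Browser` through two `ProxyNode` instances in turn leaves `prompts` at 1: a node that does not recognise a peer's nonce answers 407 with `stale=True`, and the client retries with the cached credentials instead of showing the login box.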
