Re: [squid-users] writing my own authenticator

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Fri, 21 Mar 2008 23:28:52 +0100

On Fri, 2008-03-21 at 15:37 +0000, paul cooper wrote:
> I think im also confused about the interaction between the browser, squid
> and external authenticators in spite of reading Ch12 several times.

Authentication and external acls are very different things.

Authentication is based on information the browser passes in the HTTP
request, identifying the user. The exact details vary depending on the
scheme you use.

basic: login+password, as entered by the user in his browser.
digest: login+one time hash, based on login+password entered by the user
in his browser.
ntlm & negotiate: Microsoft authentication blobs, used for automatic
domain authentication, same mechanisms as used between a Windows station
and a file server.

Authentication details are processed by authentication helpers
(auth_param), and these basically return an "OK/ERR" to Squid.

External acls (external_acl_type) can either use login information
already provided by authentication (%LOGIN, which also implicitly requires
authentication), or use their own out-of-band methods for figuring out
the user using whatever means are available to the helper, and return this to
Squid if they want. There are no standard out-of-band methods, but some
examples can be:

- Static IP-based registry, assigning the user based on which client
station the request comes from. This is what I thought you wanted to do.
- Separate session database keeping track of users per client IP. Used
for example to integrate with various forms+cookie based authentication
services.

Both kinds of helpers run as slaves to the Squid process, using the
user identity of your Squid, not the requesting user.

> The request then goes: squid -> helper. The helper can do what it likes and
> returns a string to squid. If the string is "ERR" then squid will deny
> access. If it is "OK" then squid allows access to the cache. In addition
> the user=xxx can also be passed back from the helper to squid.
>
> Can squid then use this user as the basis for an ACL ?

Yes.

> So why did my Perl example that outputs a file to the disk not write the
> file, which it did when executed from the CL? How do I see the data that
> is going to and from the helper and verify it's executing the helper as I
> expect?

If the acl is reached successfully in your http_access processing then
the helper will be called. But remember that if you use %LOGIN then the
helper is only called AFTER the client has provided successful login
credentials to the proxy using any of the methods you define in
auth_param.

> Sorry to have so many questions. Is there anything that goes into any more
> detail than "Squid - the definitive guide?"

This mailinglist.

Regards
Henrik
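The "static IP-based registry" kind of external acl helper Henrik describes, written out as an added example (not code from this thread or from the Squid project). It assumes the classic non-concurrent helper line protocol: Squid sends one line containing the %SRC client address, the helper answers a single line "OK" or "ERR", optionally with user=NAME, and the registry contents and the squid.conf lines in the docstring are constructed for illustration.

```python
#!/usr/bin/env python3
"""Minimal Squid external_acl_type helper: static client-IP -> user registry.

Assumed squid.conf wiring (constructed example, not from the thread):
  external_acl_type ipuser ttl=60 %SRC /usr/local/bin/ipuser_helper.py
  acl known_user external ipuser
  http_access allow known_user

Squid starts this script as a long-running slave, running as the Squid
user (not the requesting user), so anything it writes to disk must be
writable by that account.
"""
import sys

# Constructed static registry: client station address -> user name.
REGISTRY = {
    "192.0.2.10": "alice",
    "192.0.2.11": "bob",
}


def lookup(line: str, registry=REGISTRY) -> str:
    """Turn one request line from Squid into the reply line for it.

    With the format above the request line is just the %SRC address.
    Any unknown or malformed line is denied rather than guessed.
    """
    fields = line.strip().split()
    if not fields:
        return "ERR"
    user = registry.get(fields[0])
    if user is None:
        return "ERR"
    # user=NAME is handed back so Squid can log it and use it in later acls,
    # exactly as the thread describes for "user=xxx".
    return f"OK user={user}"


def main() -> None:
    # One reply per request line; flush every time, otherwise the answer sits
    # in the stdio buffer and Squid keeps waiting for it.
    for line in sys.stdin:
        sys.stdout.write(lookup(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

To watch what actually passes between Squid and the helper, the same `lookup` function can be fed lines by hand on the command line before wiring it into squid.conf.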
Received on Fri Mar 21 2008 - 16:30:50 MDT