On sön, 2008-06-29 at 08:48 -0700, nairb rotsak wrote:
> I am used to running Squid/Dansguardian/Samba with ntlm auth. But I
> have always used it as a stand-alone proxy.. never at the gateway. I
> do it this way because I was always told that the usernames will not
> show up in logs (ntlm's fault.. not Squid) when Squid is in
> transparent mode.
True..
> Is this still true? How the heck does the iPrism do it? ;-)
They may have hacked Squid to allow NTLM WWW authentication (not proxy
authentication) in transparent interception mode. Highly unstandard, and
only works for the non-standard connection oriented auth schemes
(NTLM/Negotiate/Kerberos).
Another possibility is that they use an IP session cache, redirecting
the user to "the gateway webserver" for authentication if no already
established session, and link this to Squid via external_acl_type
providing the username of the session based on the client IP. Have done
this myself in another product (also squid based), and requires some
additional software to keep track of the sessions.
Regards
Henrik
This archive was generated by hypermail 2.2.0 : Mon Jun 30 2008 - 12:00:05 MDT