[squid-users] external_acl_type (%LOGIN %EXT_USER %{Proxy-Authorization}) NTLM vs Basic

From: Bartel Viljoen <bartel_at_ncc.co.za>
Date: Sat, 11 Apr 2009 09:41:01 +0200

Dear Squid users.

I've written an external ACL helper in Perl connecting to a database to
check if an authenticated user is still within his/her quota.

Currently it's 2 separate Perl scripts, one for basic authentication and
the other for NTLM.

For the basic external helper I pass the %{Proxy-Authorization} format
to the script, then base64 decode it to get the value of the ALREADY
authenticated user. This external ACL helper will only work if the user
was authenticated by a previously called auth helper. So why don't I pass
%LOGIN to the script? Because if I pass %LOGIN, Squid will automatically
think it's an external auth helper, which in this case it's not. It will
still work, but Squid will infinitely prompt the user on an ERR return
from the helper. Only when the user presses cancel will he/she get my
custom error page which says "QUOTA EXCEEDED". This is not a good idea
because the user will think it's the authentication that failed and not
the quota.

For NTLM authentication I cannot afford to pass the
%{Proxy-Authorization} to the script because it will take way too many
resources to decode it :-) I can't pass %LOGIN because of the same
behavior as the above problem with basic authentication.

I've seen that Squid 3 stable 18 does have additional formats for
external helpers.
I thought %EXT_USER would do the trick, but that will only have a value if
the external auth helper returns OK user=.

So my question is: how do I get the value of an already NTLM-authenticated
user passed to my external ACL helper, without using %LOGIN and
while still making use of the built-in NTLM auth helper? Or, if I can
disable the infinite prompt behavior when passing %LOGIN, that will also do.

A simple example.
external_acl_type InQuota %{???????} in_quota.pl

Regards
Bartel Viljoen

-----------------------------------------------------------------
Network & Computing Consultants
Tel: 0861-555444 | Fax: 0861-555445
http://www.ncc.co.za

-----------------------------------------------------------------
Received on Sat Apr 11 2009 - 07:41:49 MDT
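
The Basic-authentication approach described in the message above (pass %{Proxy-Authorization} to the helper, base64-decode it, check the quota), as an added example that is not the poster's in_quota.pl. The quota table, the script path and the --demo flag are assumptions made for illustration. The decoded header is client-supplied, so, as the message says, the verdict only means something when an authentication ACL has already accepted the request.

```perl
#!/usr/bin/perl
# Added example, not the poster's in_quota.pl. Assumed squid.conf line:
#   external_acl_type InQuota %{Proxy-Authorization} /path/to/quota_helper.pl
use strict;
use warnings;
use MIME::Base64 qw(decode_base64);

# Constructed stand-in for the database: user => [bytes used, bytes allowed].
my %QUOTA = (
    alice => [ 10_000_000,  500_000_000 ],
    bob   => [ 600_000_000, 500_000_000 ],
);

# User name from a Basic Proxy-Authorization value, or undef if there is none.
sub basic_user {
    my ($header) = @_;
    return unless defined $header;
    # Assumes Squid's default URL-escaped helper protocol (space arrives as %20).
    $header =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/ge;
    my ($scheme, $blob) = $header =~ /^\s*(\S+)\s+(\S+)\s*$/ or return;
    return unless lc($scheme) eq 'basic';    # NTLM/Negotiate: not handled here
    return unless $blob =~ m{^[A-Za-z0-9+/]+={0,2}$} && length($blob) % 4 == 0;
    my ($user) = split /:/, decode_base64($blob), 2;    # password is never stored
    return (defined $user && length $user) ? $user : undef;
}

# OK only for a known user under quota; anything unparseable fails closed.
sub verdict {
    my ($header) = @_;
    my $user = basic_user($header);
    return 'ERR' unless defined $user && exists $QUOTA{$user};
    my ($used, $allowed) = @{ $QUOTA{$user} };
    return $used < $allowed ? 'OK' : 'ERR';
}

# One request per line in, one verdict per line out (no concurrency channel IDs).
# With --demo the constructed sample lines after __DATA__ are read instead of STDIN.
$| = 1;    # unbuffered: Squid waits for each reply
my $in = (@ARGV && $ARGV[0] eq '--demo') ? \*DATA : \*STDIN;
while (my $line = <$in>) {
    chomp $line;
    print verdict($line), "\n";
}

__DATA__
Basic%20YWxpY2U6c2VjcmV0
Basic%20Ym9iOnNlY3JldA%3D%3D
NTLM%20TlRMTVNTUAAB
-
```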
