Re: [squid-users] Difference between "Authenticate_ttl" and "auth_param basic credentialsttl "?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 17 Feb 2010 11:09:43 +1300

On Tue, 16 Feb 2010 14:51:19 +0100, Tom Tux <tomtux80_at_gmail.com> wrote:
> Hi all,
>
> I'm authenticating with the ldap-helper "squid_ldap_auth" against an
> active directory. I can specify two credentials-ttls:
>
> One is possible in the "auth_param"-directive:
> auth_param basic credentialsttl 2 hour
>
> The other one looks like this:
> authenticate_ttl 1 hour
>
>
> What is the difference between these two options? Which option will be
> used, when I use the squid_ldap_auth-helper?
>
> Is the "authenticate_cache_garbage_interval" also possible, when I
> authenticate against an active-directory? Or is this directive in this
> case useless?
>
> Thanks a lot for your help.
> Tom

All the options you mention always are applied. They apply to different
parts of the auth sequencing.

 * authenticate_cache_garbage_interval - how often squid checks its cached
user details and discards old ones. This happens regardless of visitors.
Squid will also do this for each login at the time of use, so garbage
collection only prevents buildups of memory waste where a user is not active
for some time.

 * authenticate_ttl - how often a user is questioned for their
credentials. To verify that the machine still is the same user.

 * credentialsttl - how long to cache the credentials received with their
valid/invalid state.

If credentialsttl is shorter than authenticate_ttl then the stored
credentials will be re-verified more often than the client is asked to
update them. If they fail at any time, the client will be re-challenged on
next request.

If credentialsttl is longer than authenticate_ttl then the client will be
asked to update its credentials more often (re-validation will only occur
if they actually change).

The defaults are that squid checks the background auth system at most
every hour to verify its stored credentials and only troubles the client
every 2 hours.

Amos
Received on Tue Feb 16 2010 - 22:09:48 MST
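
The following is an added example, not part of the original thread and not code from the Squid project: a small audit script that reads the three timers out of a squid.conf and names which of the two cases described in the reply above applies. The function names, the sample configuration and the helper path placeholder are constructed for illustration; the fallback values are Squid's documented defaults, stated here as an assumption.

```python
import re

# Squid time units in seconds (singular; a trailing "s" is also accepted).
UNITS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400, "week": 604800}

# Squid's documented defaults (assumption), applied when a directive is absent.
DEFAULTS = {
    "credentialsttl": 2 * 3600,
    "authenticate_ttl": 3600,
    "authenticate_cache_garbage_interval": 3600,
}

DIRECTIVE = re.compile(
    r"^\s*(?:auth_param\s+basic\s+(credentialsttl)"
    r"|(authenticate_ttl|authenticate_cache_garbage_interval))"
    r"\s+(\d+)\s+([a-z]+)",
    re.IGNORECASE,
)

def auth_timers(conf_text):
    """Return the three auth timers in seconds; a later line overrides an earlier one."""
    timers = dict(DEFAULTS)
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments and unrelated directives
        unit = m.group(4).lower().rstrip("s")
        if unit not in UNITS:
            raise ValueError(f"unsupported time unit in: {line.strip()}")
        name = (m.group(1) or m.group(2)).lower()
        timers[name] = int(m.group(3)) * UNITS[unit]
    return timers

def relation(timers):
    """Name which of the two cases from the reply applies."""
    cred, ttl = timers["credentialsttl"], timers["authenticate_ttl"]
    if cred < ttl:
        return "credentialsttl shorter: stored credentials re-verified more often"
    if cred > ttl:
        return "credentialsttl longer: client asked for credentials more often"
    return "equal"

# Constructed sample using the two values from the question; helper path is a placeholder.
SAMPLE = """\
auth_param basic program /path/to/squid_ldap_auth <options>
auth_param basic credentialsttl 2 hour
# authenticate_ttl 10 minutes
authenticate_ttl 1 hour
"""

if __name__ == "__main__":
    t = auth_timers(SAMPLE)
    print(t, "->", relation(t))
```
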
