Re: [squid-users] Re: Native Kerberos (squid_kerb_auth) with LDAP-Fallback (squid_ldap_auth)

From: John Doe <guest01_at_gmail.com>
Date: Fri, 17 Sep 2010 21:59:59 +0200

On 09/17/2010 03:28 PM, Amos Jeffries wrote:
> Squid does not currently offer any way to selectively pick the auth
> methods to advertise. There are a few possible designs and someone was
> working on it a while back.
>
Offering a specific authentication method for a defined network would be
a nice feature, don't you think? ;-)

> Stripping away auth methods which have failed is not possible. Due to
> the problems of: How do you deal with a user typo'd in their password?
> or who recently changed password but the browser still sends the old one
> first?
Ok, you are of course right, it sounds complicated. But isn't there a
basic-fallback mechanism for Kerberos/NTLM? Does this only work if there
is a technical error with either Kerberos or NTLM?
Or is it a client thing which has to pick the basic mechanism?

> The workaround that comes to mind is to run a "shell" squid instance for
> each client or at least for each primary auth type which only does auth
> then funnels requests through to some parent proxy for handling.
We are currently running 4 separate squid instances (each on its own IP
address, all of them share common acl-files, each has its own
independent cache) on any of two real servers (because Squid 3.1.x is
not SMP capable), we could dedicate two of them for LDAP-only with their
own VIP address (the load balancer is taking care of that) and the two others
per server for NTLM.
I am not happy with that setup, but there are not many other
possibilities. I have no idea how the instances will share the
resources, I would prefer 4 instances which share all requests instead
of 2 for handling LDAP and 2 for handling NTLM-requests. Could lead to
performance issues.

Anyway, thanks for your response, Squid is a great piece of software!

regards
Peter
Received on Fri Sep 17 2010 - 20:00:06 MDT
