Re: [squid-users] [NTLM Authentication] use of external NT database

From: Robert Collins <robert.collins@dont-contact.us>
Date: Sat, 2 Jun 2001 09:50:33 +1000

----- Original Message -----
From: "GUIDOUX R InfoEdpEtcDep" <Richard.Guidoux@socgen.com>
To: <squid-users@squid-cache.org>
Sent: Saturday, June 02, 2001 3:01 AM
Subject: [squid-users] [NTLM Authentication] use of external NT database

> Hello dear squid admins,
>
> I have read all the FAQs, and all documentation about NTLM authentication
> project (on squid.sourceforge site)
>
> Though, I have still 1 or 2 questions : (one on NTLM and the other more
> general)
>
> 1) Possibility to use external database
>
> it seems that it is possible to have such a scheme :
>
> Client -------------------------> Proxy Squid
>              NTLM Auth
>
>
> Now, for the database, where Squid checks user/password sent by client,
> has it to be local to Squid, or may Squid check the credentials after an
> external NT base (and if so, how to tell it in NTLM module ?)

Squid requires an external database to provide NTLM challenges and
validate the response from the client. Configuring an NTLM auth helper in
Squid is all that is needed. The specific NTLM auth helper will depend
on your site.

> 2) Proxy chaining
>
> About chaining proxy, it is said in FAQ, that
> "Only one proxy cache in a chain is allowed to "use" proxy-authentication
> request header. Once the header is used, it must not be passed on other
> proxies."
>
>
> Client --------> Proxy Squid A ----------> Proxy Squid B -------> Internet
>
> So it means that Client cannot authenticate to both Proxy A and Proxy B.
>
> But, is it possible to have client authenticate to Proxy A, and proxy A
> authenticate to Proxy B ?
> If yes, how must I configure Proxy A ?
> (it should be possible after RFC 2616)

Firstly, NTLM Authentication is not RFC 2616 or RFC 2617 conformant. So,
no assumptions can be made :]

Squid supports a login parameter per cache peer to log in to upstream
parents. At this point in time that parent must be using basic
authentication, not NTLM or Digest.

Rob

>
> TIA,
>
> Richard
>
Received on Fri Jun 01 2001 - 17:50:55 MDT
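
The arrangement described in the reply above, sketched as a squid.conf fragment for Proxy A. This is an added example, not part of the original thread or the Squid project's documentation; the helper path, peer hostname, port and credentials are placeholder assumptions, and the auth_param syntax is the Squid 2.5-style form, which may differ on other versions.

```conf
# --- Proxy A (assumed values throughout) ---

# 1) Clients authenticate to Proxy A with NTLM. The external helper
#    supplies the challenge and validates the client's response.
#    The helper path is a placeholder; use the helper that fits your site.
auth_param ntlm program /usr/local/squid/libexec/NTLM_HELPER_PLACEHOLDER
auth_param ntlm children 5

acl authenticated proxy_auth REQUIRED
http_access allow authenticated
http_access deny all

# 2) Proxy A logs in to parent Proxy B with its own account. The parent
#    must be using Basic authentication, so the client's NTLM exchange
#    ends at Proxy A and is not passed on.
cache_peer proxy-b.example.com parent 3128 0 no-query default login=proxya:CHANGE_ME

# Send every request through the parent rather than going direct.
never_direct allow all

# Notes:
# - Basic credentials are only base64-encoded on the wire, so keep the
#   A -> B link on a trusted network segment.
# - The password is stored in clear text in squid.conf; restrict the
#   file's permissions and give the account no other privileges.
```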
