I have been looking through the FAQ and the mailing list to try to
understand which auth scheme might work best for us. In doing this, I
thought it might be useful for some of the more knowledgable members of the
group to compile a sort of grid for a FAQ entry (23.0? 23.1.1?) that
included something of the advantages (encrypted, supported by all browsers,
etc), disadvantages (another password file, not HTTP compliant, etc), the
configure switches needed, and any prerequisites (ident - server on each
client, etc) similar to the following:
auth scheme - advantages - disadvantages - configure switches -
prerequisites
ident
winbind
Radius
NTLM
basic
LDAP
digest
MSNT
SMB
NCSA
PAM
Others?
I could even try to compile the information comparing the different schemes
if those with greater knowledge than me could feed me the information.
Would it be a good idea?
> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> Sent: Tuesday, December 10, 2002 11:22 am
>
> The difference is in the authentication schemes configured in the
> auth_param directive of squid.conf.
>
> basic plain text username+password login box
>
> ntlm NTLM login. Automatic login for MSIE
> users logged on to domain
>
> digest Digest HTTP authentication. login+password
> login box shown, but
> the password is never sent in plain text over the network.
>
[snip]
> -----Original Message-----
> From: Henrik Nordstrom [mailto:hno@squid-cache.org]
> Sent: Tuesday, December 03, 2002 5:55 pm
> > as described in FAQ, winbind helper can be used in both
> Basic and NTLM
> > proxy-auth. it is also stated that Winbind itself doesn't
> operate well
> > with samba. on the other hand, there's another helpers
> which supposed to
> > understand NTLM. SMB, for instance.
>
> Note: winbind is currently the most stable and efficient Windows NT
> domain integration you can get for Squid, but the setup is
> probably also
> the most complex..
>
[snip]
> > 1) are Basic-SMB and NTLM-SMB the "same" helpers as there
> two winbind
> > helpers ? I looked through the code, they seem to be different.
>
> No, they are entirely different. Only common factor is that both uses
> the (way old) SMB protocol to talk to your NT domain.
>
[snip]
>
> The ntlm-SMB helper "ntlm_auth" has some serious performance and
> stability issues, partly due to Microsoft implementation of SMB in NT
> Server 4/2K/XP.. partly due to the helper doing a poor job at
> implementing NTLM. Also the ntlm-SMB helper only supports MS LANMAN
> challenge/responses which should not be used in a modern
> network due to
> their low security.
>
Received on Tue Dec 10 2002 - 13:01:16 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:12:02 MST