RE: [squid-users] [NTLM Authentication] use of external NT database

From: GUIDOUX R InfoEdpEtcDep <Richard.Guidoux@dont-contact.us>
Date: Tue, 5 Jun 2001 15:03:00 +0200

Hello !

Thanks for your reply, could you please detail just two things?

 ----------
| From: Chemolli Francesco (USI)
| To: 'GUIDOUX R InfoEdpEtcDep'; squid-users@squid-cache.org
| Subject: RE: [squid-users] [NTLM Authentication] use of external NT database
| Date: Monday, 4 June 2001 09:10
|
|
|
| > -----Original Message-----
| > From: GUIDOUX R InfoEdpEtcDep [mailto:Richard.Guidoux@socgen.com]
| > Sent: Friday, June 01, 2001 7:01 PM
| > To: squid-users@squid-cache.org
| > Subject: [squid-users] [NTLM Authentication] use of external
| > NT database
| >
| >
| > Hello dear squid admins,
| >
| > I have read all the FAQs, and all documentation about NTLM
| > authentication
| > project (on squid.sourceforge site)
| >
| > Though, I have still 1 or 2 questions : (one on NTLM and the other more
| > general)
| >
| > 1) Possibility to use external database
| >
| > it seems that it is possible to have such a scheme :
| >
| > Client -------------------------> Proxy Squid
| > NTLM Auth
| >
| >
| > Now, for the database, where Squid checks user/password sent
| > by client,
| > has it to be local to Squid, or may Squid check the
| > credentials after an
| > external NT base (and if so, how to tell it in NTLM module ?)
|
| It is possible, but such a module hasn't been written yet.
| You can use some nthash-storage such as the smbpasswd file, or
| a database of plaintext passwords.
| It will be added as soon as the framework is stable enough for
| Robert and I to consider moving beyond debugging.

>>> OK, I think I will wait until the NTLM module is developed before I use
NTLM with Squid ...
(I've got thousands of users to deal with, so too much for a plain text file
!) :-)

|
| > 2) Proxy chaining
| >
| > About chaining proxy, it is said in FAQ, that
| > "Only one proxy cache in a chain is allowed to "use"
| > proxy-authentication
| > request header. Once the header is used, it must not be
| > passed on other
| > proxies."
| >
| >
| > Client --------> Proxy Squid A ----------> Proxy Squid B ------->
| > Internet
| >
| > So it means that Client cannot authenticate to both Proxy A
| > and Proxy B.
|
| Correct.
|
| >
| > But, is it possible to have client authenticate to Proxy A,
| > and proxy A
| > authenticate to Proxy B ?
| > If yes, how must I configure Proxy A ?
| > (it should be possible after RFC 2616)
|
| Sure, and in fact it can be done. But only using ONE user.
| Username propagation has been considered but not yet implemented.
|

>>> What do U mean by ONE user ? (that Proxy A can only be seen as one user,
even if it has 2 parents ?)
Anyway, for my needs, one username per proxy is enough for authentication
between proxies.

About username propagation, which one is not implemented ?
X-Forwarded-for is implemented, isn't it ?

Thanks to Rob and Kinkie for your answers,

Ric.

| --
| /kinkie
|

Received on Tue Jun 05 2001 - 07:13:05 MDT
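
Added example, not part of the original message and not Squid code: a small Python model of the chaining rule discussed in point 2, where Proxy A consumes the client's Proxy-Authorization header, never passes it on, and authenticates to Proxy B as one fixed user. The Basic scheme, the function names and the sample accounts are assumptions constructed for illustration.

```python
import base64
import hmac

HOP_HEADER = "proxy-authorization"

# Constructed sample data: accounts known to Proxy A, and the single
# identity Proxy A presents to its parent, Proxy B.
LOCAL_USERS = {"alice": "a-secret", "bob": "b-secret"}
PEER_LOGIN = ("proxy-a", "peer-secret")


def basic(user, password):
    """Build a Basic credential value for a Proxy-Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def parse_basic(value):
    """Return (user, password) from a Basic credential, or None if malformed."""
    try:
        scheme, token = value.split(None, 1)
        if scheme.lower() != "basic":
            return None
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def proxy_a_forward(headers, local_users=LOCAL_USERS, peer_login=PEER_LOGIN):
    """Model Proxy A. Returns (status, headers_sent_to_proxy_b).

    The client's credential is checked here and then dropped, so it never
    reaches Proxy B; Proxy B only ever sees Proxy A's own login.
    """
    supplied = next((v for k, v in headers.items() if k.lower() == HOP_HEADER), None)
    creds = parse_basic(supplied) if supplied else None
    expected = local_users.get(creds[0]) if creds else None
    if expected is None or not hmac.compare_digest(expected.encode(), creds[1].encode()):
        return 407, None  # Proxy Authentication Required; nothing goes upstream
    upstream = {k: v for k, v in headers.items() if k.lower() != HOP_HEADER}
    upstream["Proxy-Authorization"] = basic(*peer_login)
    return 200, upstream
```

Whichever client authenticates to Proxy A, Proxy B receives the same credential, which is the "ONE user" limitation described in the reply: per-user accounting has to happen on Proxy A.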
