Re: [SQU] Fw: IBM Host on Demand

From: Colin Campbell <sgcccdc@dont-contact.us>
Date: Fri, 23 Feb 2001 08:44:33 +1000 (EST)

Hi,

On Thu, 22 Feb 2001, Adam Lang wrote:

> So it is username/password authentication. It verifies against the local
> security scheme? (whatever you have installed for PAM)

With squid, no. It authenticates against whatever you have configured in
squid.conf under "authenticate_program". This gives great flexibility. If
you have been following this list you'll have seen people discussing
authentication schemes using NCSA authentication, LDAP, NTLM and a host of
others. There are (at least) 3 shipped with squid itself in the
auth_modules directory (NCSA, getpwnam, SMB).

My understanding is that if you

a) configure an authentication program, AND
b) specify an acl using "proxy_auth" AND
c) specify an http_access line using that acl

squid will, for an unauthenticated user (no proxy-auth info in the http
headers of the request from the browser), send back a 407 to the browser
(except when using NTLM and IE cos the auth info is always there
apparently). The browser will pop a window, the user will fill in username
and password, the browser will "encode" (I use the term loosely here) the
username and password and resend the original request, this time with
proxy-auth info in the HTTP headers. This time, squid gets the request,
sees the proxy-auth info, strips it out and passes it to the
"authentication_program". This program will look up whatever it has been
designed to and return "OK" or "ERR". This will result in the request
being processed or an error code (407) being sent back to the user.

Colin

Received on Thu Feb 22 2001 - 15:48:07 MST
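
Added example, not part of the original message and not one of squid's shipped helpers: a minimal external authenticator for the flow described above, together with a decoder showing that the Basic "encoding" of the proxy-auth header is plain Base64 and gives no confidentiality. It assumes the helper receives one "username password" line per request on stdin and answers "OK" or "ERR"; the user table, the salt and the names `decode_proxy_auth`, `check` and `hash_password` are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import sys

def hash_password(password, salt):
    # Store a slow salted hash, never the clear-text password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed credential store: user -> (salt, PBKDF2 hash).
SALT = b"constructed-salt"
USERS = {"alice": (SALT, hash_password("s3cret", SALT))}

def decode_proxy_auth(value):
    """Decode a 'Basic <base64>' Proxy-Authorization value to (user, password)."""
    scheme, _, blob = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the first colon only: the password may itself contain colons.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None

def check(line):
    """Answer one helper request line ('username password') with OK or ERR."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2:
        return "ERR"
    user, password = parts
    # Unknown users still cost one hash, and the comparison is constant-time.
    salt, expected = USERS.get(user, (b"dummy-salt", b""))
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    return "OK" if ok else "ERR"

def main():
    for line in sys.stdin:
        sys.stdout.write(check(line) + "\n")
        sys.stdout.flush()  # the proxy waits for each reply, so never buffer

if __name__ == "__main__":
    main()
```

Because anyone who can observe the request can reverse the Base64 step, the link between browser and proxy needs to be trusted or otherwise protected when this scheme is used.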
