Michael Steder wrote:
> I try to realize a sso-solution with a Squid-Proxy.
> So far the authentication is made against an LDAP-Server but with the
> user/password window popping up.
>
> NTLM offers the opportunity to makes this pop-up an end, but I don't want
> to authenticate against a NTDC, but against an LDAP-Server.
NTLM is the login mechanism used by Windows when you log onto a Windows NT
domain. It includes a mechansm where the user automatically logs in to
additional servers within the domain without having to retype their password
and this is what fileservers, proxies, databases etc use to verify who the
user it... For this to work, the proxy must verify the request to the same
Windows NT domain as the user logged in to.
If your users are not logging in to a Windows NT domain then they will be
prompted for a login+password+domain when talking to a NTLM enabled service.
Note: NTLM does not send the users password on the wire, and can therefore
only verify the supplied credentials to a NT Domain who understands NTLM.
> Is there any chance, to enter the NTLM authenticate mechanism, when the
> username is "known" to the c-code ? After that I can imagine it's pretty
> easy to ask an LDAP- Server, wether this user is allowed to enter the
> internet.
You could use fake_auth.. this only performs the NTLM handshake without any
attempt in verifying the validity of the user credentials. Spoofing a user
identify is obviously trivial when doing this, but it will give you the login
name of any logged in user..
> But the sourcecode for ntlm_auth is a little bit too complex to start
> searching without a chance of finding :)
Not really, but I suspect that what you are looking for is not really there..
-- Basic free Squid support provided thanks to MARA Systems AB Your source of advanced reverse proxy solutions or customized Squid solutions. http://www.marasystems.com/products/Received on Thu Jul 04 2002 - 07:06:30 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:09:02 MST