RE: [squid-users] Logging username at parent cache using ntlm_auth

From: Wilshire, Andrew <Andrew.Wilshire@dont-contact.us>
Date: Tue, 7 Oct 2003 12:14:06 +1300

Hi Robert,

This solution looks good to me! So my child cache would have a line that
looks like:
cache_peer 192.168.0.23 parent 3128 3130 login=*:secretkey no-query

But can you tell me what my parent cache's squid.conf should look like?

The parent cache's squid.conf reads:

auth_param basic program /libexec/fakeauth_auth
auth_param basic children 5
acl user_passwords proxy_auth_regex -i "/etc/squid/squid.users"

And in the parent cache's cache.log I get:

aclCheck: checking 'http_access allow user_passwords '
aclMatchAclList: checking user_passwords
aclMatchAcl: checking 'acl user_passwords proxy_auth_regex -i
"/etc/squid/squid.users"'
authenticateAuthenticate: header Basic QUlSTlotTlpcV0lMU0hBOg==.
authenticateAuthenticate: This is a new checklist test on FD:23
authenticateAuthenticate: no connection authentication type
aclMatchAcl: returning 0 sending authentication challenge.
aclMatchAclList: no match, returning 0
aclCheck: requiring Proxy Auth header.
aclCheck: match found, returning 2
aclCheckCallback: answer=2
aclCheckFast: list: (nil)

The 'no connection authentication type' (above) doesn't look good - but I
can't seem to make it go away.

Any tips/hints/suggestions on the squid.conf contents?

Many thanks again!
Andrew.

On Tue, 2003-10-07 at 20:19, Wilshire, Andrew wrote:

> I've tried re-ordering my http_access statements on the parent (see snip
> of squid.conf below) to allow the child cache before the proxy_auth acl,
> however then the usernames don't show up in the log :(. I've tried running
> fakeauth_auth from the command line, but either I don't know the syntax or
> it's broken because I never seem to be able to get it to return an error
> code. I'm kinda hoping it just goes "OK" with any syntax, as that's
> exactly what I'm looking for (hence if this is the case my IE session should
> stop prompting for password!)

You can't daisy chain NTLM authentication - it's incompatible with the
session based nature of NTLM.

What you can do is use the *:secret approach in your peer definition, to
have the child proxy log into the parent with the username and a known
secret. Then you'll have the username in the parent. The downside? You'll
probably need to disable all non-child access to the parent.

Cheers,
Rob

-- 
GPG key available at: <http://members.aardvark.net.au/lifeless/keys.txt>.
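The thread asks what the parent side of the *:secret approach needs. Below is an added example, not code from either poster or from the Squid project: a hypothetical Basic-auth helper script for the parent cache that accepts any username as long as the password equals the shared secret the child sends via login=*:secretkey. The helper name, install path, the child's subnet and the squid.conf lines in the comments are all assumptions; the helper speaks the Squid 2.5-era Basic helper protocol (one "username password" line on stdin, "OK" or "ERR" on stdout) and deliberately pairs the password check with a src ACL so the parent is reachable only from the child cache, which is the "disable all non-child access" downside Rob mentions.

```shell
#!/bin/sh
# peer_secret_auth.sh - hypothetical Basic-auth helper for the PARENT cache.
# Added example, not from the mailing-list thread or the Squid sources.
#
# The child forwards each client's NTLM-derived username together with the
# fixed password from its cache_peer line (login=*:secretkey). The parent does
# not re-authenticate the user; it only checks that the password is the shared
# secret, so the real username ends up in the parent's access.log.
#
# Parent squid.conf lines this helper assumes (constructed example):
#   auth_param basic program /usr/local/squid/libexec/peer_secret_auth.sh
#   auth_param basic children 5
#   acl child_proxy src 192.168.0.0/24        # only the child cache may use the parent
#   acl peer_users proxy_auth REQUIRED
#   http_access allow child_proxy peer_users
#   http_access deny all
#
# Helper protocol (Squid 2.5 era, raw lines; newer Squid URL-encodes the fields):
#   stdin:  "username password"
#   stdout: "OK" or "ERR"

# Shared secret; constructed value that must match the child's login=*:secretkey.
SHARED_SECRET="${PEER_SECRET:-secretkey}"

# Decide one helper line. Prints "OK" or "ERR" and returns 0 or 1 accordingly.
# Usernames such as DOMAIN\user are kept verbatim; only the password is checked.
check_line() {
    line=$1
    user=${line%% *}
    pass=${line#* }
    # No space means no password was supplied at all.
    if [ "$line" = "$user" ] || [ -z "$user" ]; then
        echo ERR
        return 1
    fi
    if [ "$pass" = "$SHARED_SECRET" ]; then
        echo OK
        return 0
    fi
    echo ERR
    return 1
}

# Serve Squid: answer every request line until Squid closes stdin.
run_helper() {
    while IFS= read -r line; do
        check_line "$line"
    done
}

# Start the loop only when invoked under the helper's own name, so the
# functions can also be sourced for testing.
case "${0##*/}" in
    peer_secret_auth.sh) run_helper ;;
esac
```

Because every child user shares one password, anyone who can reach the parent and knows the secret can submit any username, which is why the src ACL on the child's address is not optional here; keep the secret out of world-readable config files on both caches.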
Received on Mon Oct 06 2003 - 17:14:24 MDT
