Robert Collins wrote:
>
> That makes more sense. Thanks
>
> My response from squid is the same - I was quoting from memory. I will get
> an IE4 client together that should match? the environment development was
> being done on and see how it plays.
>
> Could you also confirm that (AFAUK) a config entry like
>
> acl nltmauth proxy_auth ntlm REQUIRED
>
> should request ntlm authentication, not allow basic and grab the username?
Squid will offer to accept both Basic and NTLM from the client. It is up
to the client to select which of them it will use based on what it
supports.
Yes, an IE client configured to use NTLM authentication should get the
challenge-response flow going, and finally Squid should be able to get
the username from it. However, to get this far you must also write a
proxy_authenticate program which responds to the queries. In the previou
version it was enought to simply return OK on every request, but I think
Andy Doran got started on extending the proxy_authenticate exchange
protocol to support NTLM and Digest, but I am not sure how far that has
gone.
As you probably know the basic flow of what is supposed to happen in
HTTP is described on http://squid.sourceforge.net/ntlm/. Based on this
info and the code it should be possible to understand what is (not)
being done in the current source..
Hint:
To get a diff of all the changes in a given branch on SourceFourge you
can run
cvs rdiff -kk -u -r Z-<branchname>_merge_<basebranch> \
-r <branchname> squid
i.e. for the ntlm branch which is based on devel:
cvs rdiff -kk -u -r Z-ntlm_merge_devel -r devel squid
/Henrik
Received on Mon Jul 10 2000 - 18:05:55 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:12:32 MST