Well its not well documented yet... but here's a quick list of things to do &
notes about ntlm auth.
Hey kinkie have I missed anything drastic? I might turn this list into the
start of our HOW-TO ...
0. background
-within HTTP there are three common authentication types: BASIC,
DIGEST, NTLM. Of these only BASIC and DIGEST are official
http authenticaton protocols. Basic authentication is clear text. digest
uses a challenge-response format, as does NTLM.
-Challenge-response helpers in squid cannot be tested from the command-line
for two reasons. One: the helper needs the base64 data
from the client to correctly interpret and verify the authentication request.
Two: the authentication requests are stateful, so you need to
generate the correct response to the 1st result the helper gives you.
- NTLM and proxies. NTLM was not designed with stateless (ie HTTP)
environments in mind. MS have got it to work, via a massive hack on the
protocol. It DOES NOT WORK THROUGH PROXIES. Only the first hop can be NTLM
authenticatied. This includes MS's IIS based proxy products. NTLM will also
not work with transparent proxies (same reason as BASIC authentication
doesn't_)so please, don't ask.
1. key changes to squid
- the auth_modules directory is largely irrelevant for ntlm based
environments. The helpers in auth_modules are BASIC helpers only. This
includes the smb_auth,MSNT and multi-domain-NTLM.
- there is a new directory ntlm_auth_helpers that contains the NTLM helper
source programs.
- the default ./configure will not enable any authentication code in squid
(great for ISP's). New configuration directives allow
basic auth, the basic auth modules to build, ntlm-auth, and the ntlm auth
modules to build to be handled separately. Compiling in both
basic and ntlm auth will allow you to 'fall back' to basic authentication if a
browser does not support NTLM.
2. howto get NTLM authentication working
- download the source
- configure with (at a minimum) --enable-ntlm-authentication and
--enable-ntlm-auth-modules=NTLMSSP
- check the ntlmssp source code for any hardcoded parameters (it's only just
stablised, there may be some 'magic' in the source at the moment). Also the
command-line format is documented in the source.
- you can use fakeauth or no_check if you just want to validate the username,
but not check the password/login time limits.
-compile and install squid
- edit the squid.conf to specify the ntlm_authentication_helper command-line
and at least one proxy_auth acl entry.
-cross fingers (:-]) and use internet explorer FROM A DOMAIN USER ACCOUNT to
surf the web.
Rob
Thomas Goebel wrote:
> Hallo,
>
> sorry, i installed NTLM. But it does not work.
> I tried at comandline to authenticate with smp_auth.pl and this also not
> worked.
>
> Please help. Where can i get Information of NTLM.
>
> cu
>
> Thomas
>
> Robert Collins wrote:
> >
> > This is exactly what the recently developed NTLM authentication for squid
> > does.
> >
> > It uses MS challenge handshaking authentication protocol (CHAP) for the
> > browser. You need internet explorer 3 or newer to use it.
> >
> > Rob
> >
> > ----- Original Message -----
> > From: "Thomas Goebel" <thomas@an-netz.de>
> > To: <squid-users@ircache.net>; <linuxml@hekkihek.hacom.nl>
> > Sent: Tuesday, September 19, 2000 11:36 PM
> > Subject: [SQU] automatic smb_auth
> >
> > > Hallo,
> > >
> > > is it possible to perform the authentication against the
> > > proxy automatically, invisible to the Windows user.
> > > The Microsoft IIS authenticates the user, logged in at the workstation,
> > > automatically.
> > >
> > > cu
> > >
> > > Thomas
> > >
> > > --
> > > To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
> > >
> > >
-- To unsubscribe, see http://www.squid-cache.org/mailing-lists.htmlReceived on Tue Sep 19 2000 - 08:35:25 MDT
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:55:23 MST