Re: [squid-users] auth_param username rewrite

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sat, 15 Jan 2005 01:05:07 +0100 (CET)

On Wed, 12 Jan 2005, Scott wrote:

> Currently a user must log in using a username@domain to authenticate. This
> works fine but as time goes by I end up with a large amount of users wishing
> that they could drop the domain authentication from the auth request.
>
> I would like to do this but I have hit a brick wall in regards to how to
> handle multiple matching usernames (and passwords unfortunately) without a
> domain.

Indeed a problem, and no easy short term solution available today other
than to use one Squid instance per user population, each with their own
auth_param settings, and possibly forwarding all requests to a common
Squid for caching.

The long term solution is to implement something called "Authentication
Realms", allowing multiple different auth_param settings in the same Squid
allowing different settings to be used for different clients.

> A) allowing %SRC to be passed with <username> <password> to the auth helper

There was a patch for this for Squid-2.4, but not really doing what you
ask. <url:http://devel.squid-cache.org/old_projects.html#authinfo>.

What this patch does not do is differentiate between user a
from IP 1 or user a from IP 2. It only allows the helper to verify the IP
of the initial login.

> I might be looking at this wrong but all the things that I have looked at so
> far have said that squid will not pass any args to the auth helper at all.

Squid uniquely identifies users by their login, not including the IP. This
is required for the max_user_ip acl and a few other constructs. We do not
intend to change this.

Regards
Henrik
Received on Fri Jan 14 2005 - 17:05:13 MST
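
The per-population workaround described in the reply above, sketched as an added example (not code from this message or from the Squid project): a basic-auth helper, wired in through one instance's own auth_param basic program line, that completes a bare username with that instance's domain and refuses logins naming any other domain. It assumes Squid's basic helper line protocol (one URL-escaped "username password" per line, answered with OK or ERR); `DOMAIN`, `USERS`, `qualify` and `check` are hypothetical names, and the credentials are constructed sample data.

```python
#!/usr/bin/env python3
"""Basic-auth helper for one Squid instance that serves one user population."""
import hashlib
import hmac
import sys
from urllib.parse import unquote

DOMAIN = "example.org"      # assumption: the population this instance serves
SALT = b"constructed-salt"  # constructed sample value


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed sample store, keyed by the full username@domain login.
USERS = {"alice@example.org": _hash("correct horse")}


def qualify(login, domain=DOMAIN):
    """Return user@domain for a bare or matching login, None for a foreign domain."""
    user, sep, given = login.partition("@")
    if not user or (sep and given.lower() != domain):
        return None
    return f"{user}@{domain}"


def check(line, domain=DOMAIN, users=USERS):
    """Answer one helper request line: 'username password', URL-escaped."""
    parts = line.rstrip("\r\n").split(" ")
    if len(parts) != 2:
        return "ERR"
    full = qualify(unquote(parts[0]), domain)
    stored = users.get(full) if full else None
    supplied = _hash(unquote(parts[1]))  # hashed even for unknown users
    if stored is not None and hmac.compare_digest(stored, supplied):
        return "OK"
    return "ERR"


def main():
    for line in sys.stdin:  # the helper stays running, one request per line
        sys.stdout.write(check(line) + "\n")
        sys.stdout.flush()  # reply immediately, the proxy waits on each answer


if __name__ == "__main__":
    main()
```

Because each instance only ever maps a bare name into its own domain, two populations that share a username and password never collide inside a single helper.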
