Re: [squid-users] NTLM authentication testing

From: Richard Wall <richard@dont-contact.us>
Date: Mon, 18 Feb 2008 13:41:52 +0000

Hi Adrian,

My comments are below.

On 2/18/08, Adrian Chadd <adrian@creative.net.au> wrote:
> I've got one customer who is asking for some testing of Squid in a large
> NTLM environment. The problem, as those who have tried it will have
> encountered, is that although Squid can keep up with it, the Samba/Winbind stuff
> plainly just can't.

This is something that I'm currently very interested in. I had heard
that NTLM auth could significantly reduce Squid's throughput but
haven't seen any figures. I couldn't tell from your message above
whether you / your customer has already tried deploying Squid / NTLM
auth in a live environment. If so, I'm really interested to know what
request rate Squid was able to maintain.

I understand from the documentation that the three-stage NTLM
authentication negotiation has to be repeated for every new connection
and that this is the bottleneck. I'd assumed that winbindd was able
to CACHE the NTLM user credentials, so that subsequent requests would
not result in network calls to the NTLM authentication server. Is this
your understanding?

> So I'm looking for some tools to let me craft and fire off NTLM type authentication
> stuff to a proxy. I don't really care if they're free or not, unix or windows.
> If anyone knows of anything that'll let me create -lots- of NTLM authentication
> requests and fire them through a proxy then please, please let me know.

We were considering the possibility of using something like Selenium
to control the web browser and send requests that way, but some further
googling suggests that curl may be able to send NTLM Proxy auth
requests.

> Hopefully the result from all of this will be slightly better NTLM interoperability.

-RichardW.
Received on Mon Feb 18 2008 - 06:41:55 MST
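
The first two stages of the three-stage NTLM proxy negotiation discussed in this message, as an added example that is not part of the original post: it builds the client's stage 1 (NEGOTIATE) message and parses a stage 2 (CHALLENGE) reply, leaving out stage 3, the response the client computes from that challenge. The helper names, the target name EXAMPLE and the challenge bytes are constructed for illustration.

```python
import base64
import struct

SIGNATURE = b"NTLMSSP\x00"
# Negotiate flag bits as defined for NTLMSSP messages.
NEGOTIATE_UNICODE = 0x00000001
NEGOTIATE_OEM = 0x00000002
REQUEST_TARGET = 0x00000004
NEGOTIATE_NTLM = 0x00000200
CLIENT_FLAGS = NEGOTIATE_UNICODE | NEGOTIATE_OEM | REQUEST_TARGET | NEGOTIATE_NTLM


def build_type1(flags=CLIENT_FLAGS):
    """Stage 1, client -> proxy: NEGOTIATE with empty domain and workstation."""
    empty = struct.pack("<HHI", 0, 0, 32)  # length, max length, offset
    return SIGNATURE + struct.pack("<II", 1, flags) + empty + empty


def parse_type2(header_value):
    """Stage 2, proxy -> client: decode a 'Proxy-Authenticate: NTLM <b64>' value."""
    scheme, _, blob = header_value.partition(" ")
    if scheme != "NTLM" or not blob:
        raise ValueError("not an NTLM challenge")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 32 or msg[:8] != SIGNATURE:
        raise ValueError("truncated or non-NTLMSSP message")
    msg_type, name_len, _, name_off, flags = struct.unpack_from("<IHHII", msg, 8)
    if msg_type != 2:
        raise ValueError(f"expected type 2, got type {msg_type}")
    if name_off + name_len > len(msg):
        raise ValueError("target name lies outside the message")
    raw = msg[name_off:name_off + name_len]
    target = raw.decode("utf-16-le" if flags & NEGOTIATE_UNICODE else "ascii")
    return {"target": target, "flags": flags, "challenge": msg[24:32]}


def make_sample_type2(target, challenge):
    """Constructed proxy reply for this demo (not captured traffic)."""
    name = target.encode("utf-16-le")
    flags = NEGOTIATE_UNICODE | NEGOTIATE_NTLM
    head = SIGNATURE + struct.pack("<IHHII", 2, len(name), len(name), 32, flags)
    return "NTLM " + base64.b64encode(head + challenge + name).decode()


if __name__ == "__main__":
    print("Proxy-Authorization: NTLM", base64.b64encode(build_type1()).decode())
    reply = make_sample_type2("EXAMPLE", bytes(range(8)))  # constructed values
    print("Proxy-Authenticate:", reply)
    print(parse_type2(reply))
```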
