Re: External Auth

From: Henrik Nordstrom <[email protected]>
Date: Thu, 19 Nov 1998 01:08:21 +0100

George Michaelson wrote:

> Um.. Are you saying "you don't perceive it as useful" or are you
> saying "it cannot work" because they are not the same thing at *all*

Both sort of. Se below.

> It is (to me at least) tenable to suggest that if you have a tuple of
> {user,password,client-ip,URL}

User validation and access control is two separate issues, and should be
dealt with separately.

I see is as {user,password} to check the user identity, or perhaps
{user,password,client-ip} if IP is needed to determine if the
user,password is valid (if you have two users with the same name but
different IP addresses).

plus

{URL,user,IP,...} to check if this user has access to the requested
resource.

> and you have decided you can live with the delay of an IPC to an
> external auth process, the added delay to do some hash on client-ip
> and URL to derive a complete "this person, *FROM THIS LOCATION* can
> get this data" outcome.

I am not arguing with this. Only how it should be done. The
authenticator is not the right place as it is intended for password
validation and not access control. These two tasks are very much
different and should not be mixed.

By keeping the authenticator interface simple then authentication
queries may be cached, and caching of password validations is badly
needed in most configurations using a external authentication service
(LDAP, SMB, whatever).

---
Henrik Nordstrom
Spare time Squid hacker
Received on Wed Nov 18 1998 - 17:19:22 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:43:09 MST