RE: [squid-users] Challenge/Response with Cache Peers (NTLM)

From: Kinkie <[email protected]>
Date: Sun, 06 Feb 2005 16:17:37 +0100

On Mon, 2005-01-31 at 15:25, fx wrote:
> Hello,
>
> the "main cache" unit forwards requests to the two peers, which are
> set as parents with icp enabled. There is no logging or authentication until
> the "squid NTLM" unit at which stage the user is authenticated against the
> Windows 2003 machine. I have it working perfectly if I point directly to
> "squid NTLM", but if I point to "main cache" it fails. If I look in the log
> when its successful I get DOMAIN\user - when it fails all I see is user...
>
> I hope this has explained it more...
>
> The main goal is to do single signon through multiple cache's with
> login=PASS set on the peers

Let me sum if I understood correctly: users need to be able to access
any cache using NTLM; caches are in a hierarchy, child caches need to
forward user credentials to the parent cache, right?

If so, it can't be done out of the box, and it's not trivial to
implement (but possible).
What can be done out of the box is either

- not logging user credentials for forwarded requests on the parent
cache

- distinguishing cache roles, so that users MUST go through the child
proxy. If so, there is no need to forward credentials at all; all the
user logging is done at the child cache level.

        Kinkie

>
> -----Original Message-----
> From: Kinkie [mailto:kinkie-squid@kinkie.it]
> Sent: 29 January 2005 11:34 AM
> To: squid-users@squid-cache.org
> Subject: Re: [squid-users] Challenge/Response with Cache Peers (NTLM)
>
> On Thu, 2005-01-27 at 21:26 +0200, Dave Raven wrote:
> > Hi all,
> > I've been testing the behavior of Challenge/Response today with
> > cache peers. the versions etc are not relevant as I have
> Challenge/Response
> > and BASIC working fine if I point directly to the unit. Below is a
> makeshift
> > diagram of how I've set this up now:
> >
> > ---------
> > | squid |
> > | NTLM | ----> Windows 2003
> > ---------
> > |
> > / \
> > peer1 -- peer2
> > \ /
> > \ /
> > main cache
> >
> > I point to "main cache", which has two parents which are the only routes
> > (never_direct + always_direct) - login=PASS is on my peer lines. On those
> > two I have setup each of them as siblings with login=PASS, and a parent of
> > the squid NTLM authenticating unit (which works fine if I point direct),
> > also with login=PASS.
> >
> > The behavior I see is that if I'm using the auth box, I have to login
> (with
> > basic) with DOMAIN\user (and challenge response works). If I go through
> the
> > peers I have to login with only the user - if I add the domain it doesn't
> > work at _all_. When I try challenge response it naturally doesn't work as
> > the username gets passed with no domain...
>
> Could you paste the relevant lines in the three boxes' squid.conf?
>
> > Is the fix for this as simple as it seems? Or is the problem more
> > complicated. I'd really like to get this working...
>
> Do you want the two peers to be directly accessed? If the purpose is for
> them to only cache, you might want to distinguish roles: main cache does
> auth + logging + request routing, the others do caching (you might want
> use CARP to balance the parents to maximize efficiency). If so, it would
> be enough for you to use a 'src' type acl on the parents locked on the
> main cache ip and log usernames only on the main cache log.
>
> Kinkie
>
Received on Sun Feb 06 2005 - 08:17:46 MST

This archive was generated by hypermail pre-2.1.9 : Tue Mar 01 2005 - 12:00:01 MST