I wish to propose an extension to the NTLM helper/squid protocol, such that a squid redirector, or an external ACL helper, may access the list of groups.

A new command to ntlm_auth, UG, would request the list of user groups from the last authentication. This uses the fact that in NTLM and SPNEGO authentication, the authentication produces the group list, which should be valid for a particular session. The resulting string, actually a SID list, could be passed as a cookie in squid, for processing elsewhere. This avoids us touching and managing global caches for this per-session information.

I have an example implementation in Samba4's ntlm_auth (which, when run with --option='auth methods = winbind', drops into an existing Samba3 winbindd setup).

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College [EMAIL PROTECTED]
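An added example, not part of the original message and not Samba or squid code: one way an external ACL helper could process the group string described above, denying access whenever the list does not parse cleanly. The comma separator, the function names and the sample SIDs are assumptions constructed for illustration; the message does not specify the string's format.

```python
import re

# SID string form: S-1-<authority>-<sub-authority>..., 1 to 15 sub-authorities.
SID_RE = re.compile(r"S-1-\d{1,15}(?:-\d{1,10}){1,15}")

def parse_sid_list(raw, sep=","):
    """Parse a delimited SID list into a set; reject the whole list on any bad entry.

    The separator is an assumption; the proposal does not define one.
    """
    sids = set()
    for item in raw.strip().split(sep):
        item = item.strip()
        if not SID_RE.fullmatch(item):
            raise ValueError("malformed SID: %r" % item)
        # Each sub-authority is an unsigned 32-bit value.
        if any(int(part) > 0xFFFFFFFF for part in item.split("-")[3:]):
            raise ValueError("sub-authority out of range: %r" % item)
        sids.add(item)
    return sids

def acl_verdict(raw_sid_list, allowed_sids):
    """Return 'OK' if the session holds any allowed group SID, otherwise 'ERR'.

    OK/ERR are the result codes squid expects from an external ACL helper.
    Unparseable input is denied rather than partially trusted.
    """
    try:
        session_sids = parse_sid_list(raw_sid_list)
    except ValueError:
        return "ERR"
    return "OK" if session_sids & set(allowed_sids) else "ERR"

# Constructed sample values (not taken from any real domain).
DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE = ",".join([DOMAIN + "-513", DOMAIN + "-1105", "S-1-5-32-545"])
PROXY_USERS = {DOMAIN + "-1105"}

if __name__ == "__main__":
    print(acl_verdict(SAMPLE, PROXY_USERS))                   # member of the allowed group
    print(acl_verdict(SAMPLE, {DOMAIN + "-1200"}))            # not a member
    print(acl_verdict(SAMPLE + ",S-1-5-bogus", PROXY_USERS))  # malformed entry: denied
```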
