On Sat, 2004-11-06 at 19:38, Robert Collins wrote:
> On Sat, 2004-11-06 at 19:28 +1100, Andrew Bartlett wrote:
> > On Sat, 2004-11-06 at 12:26, Robert Collins wrote:
> > > On Sat, 2004-11-06 at 12:24 +1100, Andrew Bartlett wrote:
> > > > I wish to propose an extension to the NTLM helper/squid protocol, such
> > > > that a squid redirector, or an external ACL helper, may access the list
> > > > of groups.
> > > >
> > > > A new command to ntlm_auth, UG, would request the list of user groups
> > > > from the last authentication. This uses the fact that in NTLM and
> > > > SPNEGO authentication, the authentication produces the group list, that
> > > > should be valid for a particular session.
> > >
> > > It shouldn't be a new command. The cookie should just be returned with
> > > the auth. (Anything else races hugely with overlapped requests).
> >
> > How so?
> >
> > Squid controls when it asks for a new authentication, it can just do the
> > extra round-trip after getting the AF.
> >
> > For the multiplexed helper, it is just prefixed with the multiplex
> > integer, as for all other requests.
>
> In which case, you still have that bodgy caching you were telling me
> about on IRC.

I see no cache - the state of the authentication system is not reset yet, and squid still holds a handle to the helper. The request for the user groups (cookie) should be directly and immediately on receipt of 'AF' from the helper.

However, I think I see your complaint - because it's technically (and potentially) a blocking call, Squid would need extra logic to defer 'authentication success' until this information is available.

> Surely just stuffing the answer in the result sent to squid is easier
> for you? It's easier for squid.

I didn't want to introduce an incompatible change to the protocol - which is now in use further than squid. An application that doesn't know of this extension won't request 'UG', so nothing changes.

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College [EMAIL PROTECTED]
