On Sat, 2004-11-06 at 20:24, Robert Collins wrote:
> On Sat, 2004-11-06 at 19:48 +1100, Andrew Bartlett wrote:
>
> > I see no cache - the state of the authentication system is not reset
> > yet,
>
> That's not guaranteed.

As the author of ntlm_auth, I guarantee that after issuing an 'AF' (and no other commands), the client program may issue 'UG', to return the group list. Is that enough? :-)

> > and squid still holds a handle to the helper. The request for the
> > user groups (cookie) should be directly and immediately on receipt of
> > 'AF' from the helper.
> >
> > However, I think I see your complaint - because it's technically (and
> > potentially) a blocking call, Squid would need extra logic to defer
> > 'authentication success' until this information is available.
>
> Right.

How hard is it to add the extra step?

> > > Surely just stuffing the answer in the result sent to squid is easier
> > > for you? It's easier for squid.
> >
> > I didn't want to introduce an incompatible change to the protocol -
> > which is now in use further than squid.
>
> I suggest adding an option to the helper to enable returning the info,
> that way it's site specific, and when squid has something implemented, it
> will always just be 'use if present'.

The other reason I avoided it was for simplicity of parsing - currently we define the username as everything from the 'AF' to the end of line.

I suppose we should now define the 'AF' response as:

    AF username=url-encoded-username authtoken=url-encodedgrouplist

How does that sound?

What I would have liked was some way that this scheme could have been auto-negotiated. My previous proposal allowed squid to always try 'UG', and just swallow the failure reply if the helper was 'old'.

Got any good ways we can handle this one?

Andrew Bartlett

--
Andrew Bartlett [EMAIL PROTECTED]
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College [EMAIL PROTECTED]
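Added example (not part of the original message, and not Samba or Squid code): a Python parser for the two 'AF' reply forms discussed above, showing why the format has to be selected by configuration rather than guessed from the line. The function name, the `extended` flag (standing in for the suggested helper option) and the sample lines are assumptions; the value of authtoken is only URL-decoded, because the message does not define the layout of the group list inside it.

```python
from urllib.parse import unquote


def parse_af(line, extended=False):
    """Parse one 'AF' helper reply and return (username, authtoken).

    extended=False: current form, username is everything after 'AF ' to end of line.
    extended=True:  proposed form, space-separated key=value pairs, URL-encoded values.
    """
    line = line.rstrip("\r\n")
    if not line.startswith("AF "):
        raise ValueError("not an AF reply")
    rest = line[3:]
    if not extended:
        # Legacy rule: no tokenizing, so spaces and '=' in the name are preserved
        # and a name that happens to look like key=value is never reinterpreted.
        return rest, None
    fields = {}
    for token in rest.split(" "):
        key, sep, value = token.partition("=")
        if not sep or not key or key in fields:
            raise ValueError("malformed or duplicate field: %r" % token)
        # Strict decoding: reject byte sequences that are not valid UTF-8.
        fields[key] = unquote(value, errors="strict")
    if "username" not in fields:
        raise ValueError("missing username field")
    # 'use if present': authtoken is optional, unknown keys are ignored.
    return fields["username"], fields.get("authtoken")


if __name__ == "__main__":
    # Constructed sample replies, not captured from a real helper.
    samples = [
        ("AF EXAMPLE\\jane doe", False),
        ("AF username=EXAMPLE%5Cjane%20doe authtoken=Domain%20Users%2CStaff", True),
        ("AF username=jdoe", True),
    ]
    for reply, ext in samples:
        print(repr(reply), "->", parse_af(reply, extended=ext))
```

With `extended=True`, a legacy-form reply is rejected instead of being parsed loosely, so a mismatch between the helper option and the client setting fails closed.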
