Re: Proposed extension to the NTLM helper protocol

From: Robert Collins <robertc@dont-contact.us>
Date: Sat, 06 Nov 2004 19:38:41 +1100

On Sat, 2004-11-06 at 19:28 +1100, Andrew Bartlett wrote:
> On Sat, 2004-11-06 at 12:26, Robert Collins wrote:
> > On Sat, 2004-11-06 at 12:24 +1100, Andrew Bartlett wrote:
> > > I wish to propose an extension to the NTLM helper/squid protocol, such
> > > that a squid redirector, or an external ACL helper, may access the list
> > > of groups.
> > >
> > > A new command to ntlm_auth, UG, would request the list of user groups
> > > from the last authentication. This uses the fact that in NTLM and
> > > SPNEGO authentication, the authentication produces the group list, that
> > > should be valid for a particular session.
> >
> > It shouldn't be a new command. The cookie should just be returned with
> > the auth. (Anything else races hugely with overlapped requests).
>
> How so?
>
> Squid controls when it asks for a new authentication, it can just do the
> extra round-trip after getting the AF.
>
> For the multiplexed helper, it is just prefixed with the multiplex
> integer, as for all other requests.

In which case, you still have that bodgy caching you were telling me
about on IRC.

Surely just stuffing the answer in the result sent to squid is easier
for you? It's easier for squid.

Rob

Received on Sat Nov 06 2004 - 01:38:54 MST
