On Sat, 2004-11-06 at 20:24, Robert Collins wrote:
> On Sat, 2004-11-06 at 19:48 +1100, Andrew Bartlett wrote:
>
> > I see no cache - the state of the authentication system is not reset
> > yet,
>
> That's not guaranteed.
As the author of ntlm_auth, I guarantee that after issuing an 'AF' (and
no other commands), the client program may issue 'UG', to return the
group list. Is that enough? :-)
> > and squid still holds a handle to the helper. The request for the
> > user groups (cookie) should be directly and immediately on receipt of
> > 'AF' from the helper.
> >
> > However, I think I see your complaint - because it's technically (and
> > potentially) a blocking call, Squid would need extra logic to defer
> > 'authentication success' until this information is available.
>
> Right.
How hard is it to add the extra step?
> > > Surely just stuffing the answer in the result sent to squid is easier
> > > for you? It's easier for squid.
> >
> > I didn't want to introduce an incompatible change to the protocol -
> > which is now in use further than squid.
>
> I suggest adding an option to the helper to enable returning the info,
> that way it's site specific, and when squid has something implemented, it
> will always just be 'use if present'.
The other reason I avoided it was for simplicity of parsing - currently
we define the username as everything from the 'AF' to the end of line.
I suppose we should now define the 'AF' response as:
AF username=url-encoded-username authtoken=url-encoded-grouplist
How does that sound?
What I would have liked was some way that this scheme could have been
auto-negotiated. My previous proposal allowed squid to always try 'UG',
and just swallow the failure reply if the helper was 'old'.
Got any good ways we can handle this one?
Andrew Bartlett
--
Andrew Bartlett                                 abartlet@samba.org
Authentication Developer, Samba Team            http://samba.org
Student Network Administrator, Hawker College   abartlet@hawkerc.net
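The parsing question raised in the message above (legacy 'AF username' where the username is everything to end of line, versus the proposed 'AF username=... authtoken=...' form) is illustrated by the following added example; it is not code from Squid or ntlm_auth. It assumes the group list inside the decoded authtoken is comma-separated, which the message does not specify.

```python
from urllib.parse import unquote


def parse_af_response(line):
    """Parse an 'AF' reply from an ntlm_auth-style helper.

    Legacy form:   'AF <username>'  (username is the rest of the line,
                   so it may contain spaces).
    Proposed form: 'AF username=<url-encoded> authtoken=<url-encoded>'.

    Returns a dict with 'username', 'groups' (list, or None when the
    helper sent no group information) and a 'legacy' flag so the caller
    can decide whether a follow-up 'UG' request is needed.
    """
    line = line.rstrip("\r\n")
    if not line.startswith("AF "):
        raise ValueError("not an AF response: %r" % line)
    rest = line[3:]
    fields = rest.split()
    # Proposed form: every whitespace-separated token is key=value and a
    # 'username' key is present.  URL-encoding guarantees the values
    # themselves contain no whitespace, so splitting on whitespace is safe.
    if fields and all("=" in f for f in fields):
        kv = {}
        for f in fields:
            key, _, value = f.partition("=")
            kv[key] = unquote(value)
        if "username" in kv:
            token = kv.get("authtoken", "")
            # Assumption (not from the thread): groups are comma-separated
            # inside the decoded token.
            groups = [g for g in token.split(",") if g] if token else []
            return {"username": kv["username"], "groups": groups,
                    "legacy": False}
    # Legacy form: the whole remainder is the username.  Note that a legacy
    # username that itself looks like 'key=value' would be ambiguous here;
    # that is why the thread prefers an explicit helper option over
    # guessing from the line shape.
    return {"username": rest, "groups": None, "legacy": True}
```

A Squid-side caller would issue 'UG' only when the returned 'legacy' flag is set, which is the 'use if present' behaviour the thread describes.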
This archive was generated by hypermail pre-2.1.9 : Tue Nov 30 2004 - 12:00:03 MST