Hello,
the "main cache" unit forwards requests to the two peers, which are
set as parents with icp enabled. There is no logging or authentication until
the "squid NTLM" unit at which stage the user is authenticated against the
Windows 2003 machine. I have it working perfectly if I point directly to
"squid NTLM", but if I point to "main cache" it fails. If I look in the log
when its successful I get DOMAIN\user - when it fails all I see is user...
I hope this has explained it more...
The main goal is to do single signon through multiple cache's with
login=PASS set on the peers
-----Original Message-----
From: Kinkie [mailto:[EMAIL PROTECTED]
Sent: 29 January 2005 11:34 AM
To: squid-users@squid-cache.org
Subject: Re: [squid-users] Challenge/Response with Cache Peers (NTLM)
On Thu, 2005-01-27 at 21:26 +0200, Dave Raven wrote:
> Hi all,
> I've been testing the behavior of Challenge/Response today with
> cache peers. the versions etc are not relevant as I have
Challenge/Response
> and BASIC working fine if I point directly to the unit. Below is a
makeshift
> diagram of how I've set this up now:
>
> ---------
> | squid |
> | NTLM | ----> Windows 2003
> ---------
> |
> / \
> peer1 -- peer2
> \ /
> \ /
> main cache
>
> I point to "main cache", which has two parents which are the only routes
> (never_direct + always_direct) - login=PASS is on my peer lines. On those
> two I have setup each of them as siblings with login=PASS, and a parent of
> the squid NTLM authenticating unit (which works fine if I point direct),
> also with login=PASS.
>
> The behavior I see is that if I'm using the auth box, I have to login
(with
> basic) with DOMAIN\user (and challenge response works). If I go through
the
> peers I have to login with only the user - if I add the domain it doesn't
> work at _all_. When I try challenge response it naturally doesn't work as
> the username gets passed with no domain...
Could you paste the relevant lines in the three boxes' squid.conf?
> Is the fix for this as simple as it seems? Or is the problem more
> complicated. I'd really like to get this working...
Do you want the two peers to be directly accessed? If the purpose is for
them to only cache, you might want to distinguish roles: main cache does
auth + logging + request routing, the others do caching (you might want
use CARP to balance the parents to maximize efficiency). If so, it would
be enough for you to use a 'src' type acl on the parents locked on the
main cache ip and log usernames only on the main cache log.
Kinkie
