On Fri, 2008-03-21 at 15:37 +0000, paul cooper wrote:
> I think I'm also confused about the interaction between the browser, squid
> and external authenticators in spite of reading Ch12 several times.

authentication and external acls are very different things.

authentication is based on information the browser passes in the HTTP
request, identifying the user. The exact details vary depending on the
scheme you use.

basic: login+password, as entered by the user in his browser.
digest: login+one time hash, based on login+password entered by the user
in his browser.
ntlm & negotiate: Microsoft authentication blobs, used for automatic
domain authentication, same mechanisms as used between a windows station
and file server.

authentication details are processed by authentication helpers
(auth_param) and these basically return an "OK/ERR" to Squid.

external acls (external_acl_type) can either use login information
already provided by authentication (%LOGIN, also implicitly requires
authentication), or use their own out-of-band methods for figuring out
the user using whatever means are available to the helper and return this to
Squid if they want. There are no standard out-of-band methods but some
examples can be

- static IP based registry, assigning the user based on which client
station the request comes from. This is what I thought you wanted to do.
- Separate session database keeping track of users per client IP. Used
for example to integrate with various forms+cookie based authentication
services.

Both kinds of helpers run as slaves to the Squid process, using the
user identity of your Squid, not the requesting user.

> request then goes: squid -> helper. the helper can do what it likes and
> returns a string to squid. if the string is "ERR" then squid will deny
> access. If it is "OK" then squid allows access to the cache. In addition
> the user=xxx can also be passed back from the helper to squid.
> 
> Can squid then use this user as the basis for an ACL?

Yes.

> so why did my perl example that outputs a file to the disk not write the
> file, which it did when executed from the CL. How do I see the data that
> is going to and from the helper and verify it's executing the helper as I
> expect?

If the acl is reached successfully in your http_access processing then
the helper will be called. But remember that if you use %LOGIN then the
helper is only called AFTER the client has provided successful login
credentials to the proxy using any of the methods you define in
auth_param.

> Sorry to have so many questions. Is there anything that goes into any more
> detail than "Squid - the definitive guide?"

This mailing list.

Regards
Henrik

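As an added illustration (not part of Henrik's reply and not Squid's own code), here is an external_acl_type helper of the "static IP based registry" kind described above. It follows the helper protocol the thread describes: Squid writes one request line per lookup to the helper's stdin and reads back "OK" or "ERR", optionally with a user=... tag that later acls can match on. It also writes every line it receives and sends to a debug log, which is one way to see the data going to and from the helper when Squid, rather than your shell, is running it. The IP-to-user table, the log path and the squid.conf lines are assumptions constructed for this example.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper: static client-IP -> user registry.

Squid starts this program as a child process (running as Squid's own
user, in Squid's working directory), writes one request line per lookup
to its stdin and reads one reply line from its stdout.  With a format of
"%SRC" the request line is just the client IP address.  Reply
"OK user=<name>" to grant (and tag the request with that user for later
acls) or "ERR" to deny.  Assumed squid.conf lines (not from the post):

    external_acl_type ipuser ttl=300 %SRC /usr/local/bin/ip_user_helper.py
    acl ipuser_known external ipuser
    http_access allow ipuser_known

The concurrency= option is deliberately not used: with it, Squid prefixes
each line with a channel id that must be echoed back, which this helper
does not do.
"""
import os
import sys
import time

# Constructed sample registry (hypothetical addresses from 192.0.2.0/24);
# a real deployment would load this from a file owned by root.
IP_REGISTRY = {
    "192.0.2.10": "alice",
    "192.0.2.11": "bob",
}

# Absolute path on purpose: under Squid the helper does not run as you and
# not from your directory, so relative paths and ~ point somewhere else.
# The directory must be writable by the user Squid runs as.
DEBUG_LOG = os.environ.get("HELPER_DEBUG_LOG", "/var/log/squid/ip_user_helper.log")


def lookup(request_line):
    """Map one request line (format "%SRC": the client IP) to a reply line."""
    fields = request_line.strip().split()
    if not fields:
        return "ERR"          # malformed or empty line: deny
    user = IP_REGISTRY.get(fields[0])
    if user is None:
        return "ERR"          # unknown client station: deny
    return "OK user=%s" % user


def log_debug(direction, line):
    """Append one line to the debug log; never let logging break the protocol."""
    try:
        with open(DEBUG_LOG, "a") as fh:
            stamp = time.strftime("%Y-%m-%d %H:%M:%S")
            fh.write("%s pid=%d %s %s\n" % (stamp, os.getpid(), direction, line))
    except OSError:
        pass


def main():
    for line in sys.stdin:
        line = line.rstrip("\n")
        log_debug("<-", line)
        reply = lookup(line)
        log_debug("->", reply)
        sys.stdout.write(reply + "\n")
        sys.stdout.flush()    # Squid blocks until the reply line arrives


if __name__ == "__main__":
    main()
```

Run it by hand first (type an address such as 192.0.2.10, press return, and expect "OK user=alice" back) to confirm the protocol; then point external_acl_type at it and compare what appears in the debug log with what Squid shows in cache.log. If the log file never appears under Squid but does from the shell, the difference is almost always the user identity or working directory the helper runs with, which is exactly the point made in the reply above.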