fre 2007-05-11 klockan 11:30 +0100 skrev Duarte Lázaro: > But in NTLM i cannot ( i think ) restrict a user by an attribute, if > the user gets authenticated he has "net". You can. But it's two different things. Don't mix up authentication and authorization. The purpose of authentication is solely to verify the identity of the user. You then use this identity in authorization to grant or deny access. authentication is done by auth_param settings, and triggered by acls based on the user name. authorization is done by http_access, by using acls matching users and what they are allowed to do. > Basic/Digest (squid_ldap_auth/group) are more flexible, because u can > use a filter and restrict by attribute.The problem is that browsers are > always prompting for password allthought the password can be stored. You can still use squid_ldap_group with NTLM if you run a Windows Active Directory. Digest is a bit troublesome in that you can not use a user directory backend, and must have a local digest password file on the proxy. Regards Henrik
Attachment:
signature.asc
Description: Detta =?ISO-8859-1?Q?=E4r?= en digitalt signerad meddelandedel
