On Tue, 16 Feb 2010 14:51:19 +0100, Tom Tux <tomtux80@xxxxxxxxx> wrote:
> Hi all,
>
> I'm authenticating with the ldap-helper "squid_ldap_auth" against an
> active directory. I can specify two credentials-ttls:
>
> One is possible in the "auth_param"-directive:
> auth_param basic credentialsttl 2 hour
>
> The other one looks like this:
> authenticate_ttl 1 hour
>
>
> What is the difference between these two options? Which option will be
> used, when I use the squid_ldap_auth-helper?
>
> Is the "authenticate_cache_garbage_interval" also possible, when I
> authenticate against an active-directory? Or is this directive in this
> case useless?
>
> Thanks a lot for your help.
> Tom

All the options you mention are always applied. They apply to different parts of the auth sequencing.

* authenticate_cache_garbage_interval - how often squid checks its cached user details and discards old ones. This happens regardless of visitors. Squid will also do this for each login at the time of use, so garbage collection only prevents buildups of memory waste where a user is not active for some time.

* authenticate_ttl - how often a user is questioned for their credentials. To verify that the machine still is the same user.

* credentialsttl - how long to cache the credentials received with their valid/invalid state.

If credentialsttl is shorter than authenticate_ttl then the stored credentials will be re-verified more often than the client is asked to update them. If they fail at any time, the client will be re-challenged on the next request.

If credentialsttl is longer than authenticate_ttl then the client will be asked to update its credentials more often (re-validation will only occur if they actually change).

The defaults are that squid checks the background auth system at most every hour to verify its stored credentials and only troubles the client every 2 hours.

Amos