On 09/17/2010 03:28 PM, Amos Jeffries wrote:
> Squid does not currently offer any way to selectively pick the auth
> methods to advertise. There are a few possible designs and someone was
> working on it a while back.
Offering a specific authentication method for a defined network would be
a nice feature, don't you think? ;-)
> Stripping away auth methods which have failed is not possible. Due to
> the problems of: How do you deal with a user typo'd in their password?
> or who recently changed password but the browser still sends the old one
> first?
Ok, you are of course right, it sounds complicated. But isn't there a
basic-fallback mechanism for Kerberos/NTLM? Does this only work if there
is a technical error with either Kerberos or NTLM?
Or is it a client thing which has to pick the basic mechanism?
> The workaround that comes to mind is to run a "shell" squid instance for
> each client or at least for each primary auth type which only does auth
> then funnels requests through to some parent proxy for handling.
We are currently running 4 separate squid instances (each on its own IP
address, all of them share common acl-files, each has its own
independent cache) on each of two real servers (because Squid 3.1.x is
not SMP capable). We could dedicate two of them to LDAP-only with their
own VIP address (the load balancer takes care of that) and the two others
per server to NTLM.
I am not happy with that setup, but there are not many other
possibilities. I have no idea how the instances will share the
resources; I would prefer 4 instances which share all requests instead
of 2 for handling LDAP and 2 for handling NTLM requests. This could lead to
performance issues.
Anyway, thanks for your response, Squid is a great piece of software!
regards
Peter
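As an added illustration of the "shell" instance workaround discussed in this thread (example configuration, not Amos's or Peter's own): a front-end Squid that has exactly one auth scheme configured, so only that scheme is advertised, and that funnels every request to a shared parent. The IP address, hostnames, helper paths and helper arguments are assumptions.

```conf
# Added example: front-end ("shell") Squid that only authenticates clients
# and forwards everything to a parent proxy. All addresses, paths and
# helper arguments below are assumptions; adjust them to your install.

http_port 10.0.0.11:3128          # dedicated IP of this instance (assumed)

# Only one scheme is configured, so only NTLM is offered to clients
# (no Basic fallback is advertised by this instance).
auth_param ntlm program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 20
auth_param ntlm keep_alive on

# For the LDAP-only instance, replace the block above with a Basic helper:
# auth_param basic program /usr/lib/squid/squid_ldap_auth -b "dc=example,dc=net" -f "(uid=%s)" -h ldap.example.net
# auth_param basic children 10
# auth_param basic realm Proxy
# auth_param basic credentialsttl 2 hours

acl localnet src 10.0.0.0/8       # assumed client network
acl authenticated proxy_auth REQUIRED

# Require a client from the local network that has authenticated;
# deny everything else explicitly.
http_access deny !localnet
http_access deny !authenticated
http_access allow authenticated
http_access deny all

# Shared parent (assumed hostname/port) does the caching and upstream access.
cache_peer parent.proxy.example.net parent 3128 0 no-query default
never_direct allow all            # this instance never fetches directly
cache deny all                    # no local cache; the parent caches
```

Each front-end instance then decides only the auth scheme and the allowed source network; the parent can stay a single, auth-free cache that all of them share.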