[squid-dev] [RFC] Auth design changes
squid3 at treenet.co.nz
Wed Oct 22 03:07:40 UTC 2014
Negotiate auth protocol is a bit nasty since it is a wrapper protocol
around both NTLM and Kerberos.
We are facing issues where Negotiate/NTLM handling differs from plain
NTLM and the negotiate_wrapper helper can fail as a result.
Markus has requested I look into merging the wrapper helper
functionality into the Negotiate auth module itself instead of a
separate helper. It has been a long task trying to figure it out but I
think I may have a way forward finally.
What I would like to do is:
* adjust the module APIs such that the label they emit on headers is
configurable and can be changed at runtime independently of the type()
name they are configured and indexed by.
* move most of the existing Negotiate code to a module called
Kerberos, which would think its native scheme type() was "Kerberos"
[albeit unused] and emit the helper blobs as-is.
* write a new Negotiate module that has Config::decode() probe the
GSSAPI header for the protocol sub-type, then generates an Ntlm::UserRequest
or Kerberos::UserRequest object, calling the new API methods to set
their header label to "Negotiate".
- this would only happen for the sub-protocols which were configured
* the Negotiate module would completely lack its own UserRequest and
User objects, and helpers, emitting the NTLM or Kerberos module
objects instead, which use the appropriate other sub-protocol specific
* the Negotiate module configuration would disappear and be
auto-enabled whenever a) the Kerberos scheme was configured, or b) a
flag on NTLM module auth_param was enabled.
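The sub-type probe the proposal describes (Config::decode() looking into the GSSAPI blob to decide whether it is dealing with NTLM or Kerberos) can be illustrated with a small stand-alone classifier. This is an added example, not Squid code and not part of the original message; the function and enum names (classifyToken, classifyAuthorizationHeader, NegotiateSubType) are hypothetical, and the sample tokens are constructed by hand, not captured from traffic. It distinguishes the cases a Negotiate header can actually carry: a raw NTLMSSP message (no GSS wrapper at all, which is exactly where Negotiate/NTLM handling diverges from plain NTLM), a raw Kerberos InitialContextToken, and a SPNEGO negTokenInit whose first (preferred) mechType is Kerberos or NTLMSSP.

```cpp
// Added example (not Squid code): classify the sub-protocol carried inside a
// "Negotiate" Authorization header so a caller can route the token to an NTLM
// or a Kerberos handler. All names here are hypothetical.
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

enum class NegotiateSubType { Unknown, RawNtlm, RawKerberos, SpnegoNtlm, SpnegoKerberos, SpnegoOther };

// Well-known OIDs as DER contents octets (no tag/length).
static const std::vector<uint8_t> kSpnegoOid  = {0x2b,0x06,0x01,0x05,0x05,0x02};                     // 1.3.6.1.5.5.2
static const std::vector<uint8_t> kKrb5Oid    = {0x2a,0x86,0x48,0x86,0xf7,0x12,0x01,0x02,0x02};      // 1.2.840.113554.1.2.2
static const std::vector<uint8_t> kMsKrb5Oid  = {0x2a,0x86,0x48,0x82,0xf7,0x12,0x01,0x02,0x02};      // 1.2.840.48018.1.2.2
static const std::vector<uint8_t> kNtlmsspOid = {0x2b,0x06,0x01,0x04,0x01,0x82,0x37,0x02,0x02,0x0a}; // 1.3.6.1.4.1.311.2.2.10

// Minimal base64 decoder (RFC 4648 alphabet); returns false on a bad character.
static bool base64Decode(const std::string &in, std::vector<uint8_t> &out)
{
    static const std::string alphabet =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    uint32_t acc = 0;
    int bits = 0;
    out.clear();
    for (char c : in) {
        if (c == '=') break;                       // padding ends the data
        size_t v = alphabet.find(c);
        if (v == std::string::npos) return false;
        acc = (acc << 6) | static_cast<uint32_t>(v);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            out.push_back(static_cast<uint8_t>((acc >> bits) & 0xFF));
        }
    }
    return true;
}

// Skip a DER length field (short or long form); false if truncated.
static bool skipDerLength(const std::vector<uint8_t> &t, size_t &pos)
{
    if (pos >= t.size()) return false;
    uint8_t b = t[pos++];
    if (b & 0x80) {
        size_t n = b & 0x7F;
        if (n > 4 || pos + n > t.size()) return false;
        pos += n;                                  // we only need to step over it
    }
    return true;
}

// Read an OID TLV at pos into oid and advance pos; false if not a short OID.
static bool readOid(const std::vector<uint8_t> &t, size_t &pos, std::vector<uint8_t> &oid)
{
    if (pos + 2 > t.size() || t[pos] != 0x06) return false;
    size_t len = t[pos + 1];
    pos += 2;
    if (len >= 0x80 || pos + len > t.size()) return false;
    oid.assign(t.begin() + pos, t.begin() + pos + len);
    pos += len;
    return true;
}

NegotiateSubType classifyToken(const std::vector<uint8_t> &t)
{
    // Raw NTLMSSP message ("NTLMSSP\0" signature): what arrives under the
    // Negotiate scheme when a client talks NTLM without any SPNEGO wrapper.
    if (t.size() >= 8 && std::memcmp(t.data(), "NTLMSSP", 8) == 0)
        return NegotiateSubType::RawNtlm;
    // SPNEGO negTokenResp ([1]) has no GSS header; the mechanism was already
    // fixed in round one, so the caller must remember it from there.
    if (!t.empty() && t[0] == 0xa1)
        return NegotiateSubType::SpnegoOther;

    // RFC 2743 InitialContextToken: [APPLICATION 0] { thisMech OID, inner token }
    size_t pos = 0;
    std::vector<uint8_t> mech;
    if (t.empty() || t[pos++] != 0x60 || !skipDerLength(t, pos) || !readOid(t, pos, mech))
        return NegotiateSubType::Unknown;
    if (mech == kKrb5Oid || mech == kMsKrb5Oid) return NegotiateSubType::RawKerberos;
    if (mech != kSpnegoOid) return NegotiateSubType::Unknown;

    // SPNEGO negTokenInit: [0] { SEQUENCE { [0] mechTypes SEQUENCE OF OID, ... } }
    // The first mechType is the client's preferred mechanism.
    static const uint8_t kNesting[] = {0xa0, 0x30, 0xa0, 0x30};
    for (uint8_t tag : kNesting) {
        if (pos >= t.size() || t[pos++] != tag || !skipDerLength(t, pos))
            return NegotiateSubType::SpnegoOther;
    }
    std::vector<uint8_t> preferred;
    if (!readOid(t, pos, preferred)) return NegotiateSubType::SpnegoOther;
    if (preferred == kKrb5Oid || preferred == kMsKrb5Oid) return NegotiateSubType::SpnegoKerberos;
    if (preferred == kNtlmsspOid) return NegotiateSubType::SpnegoNtlm;
    return NegotiateSubType::SpnegoOther;
}

// Whole header value, e.g. "Negotiate TlRMTVNTUAAB...".
NegotiateSubType classifyAuthorizationHeader(const std::string &header)
{
    static const std::string scheme = "Negotiate ";
    if (header.compare(0, scheme.size(), scheme) != 0) return NegotiateSubType::Unknown;
    std::vector<uint8_t> token;
    if (!base64Decode(header.substr(scheme.size()), token)) return NegotiateSubType::Unknown;
    return classifyToken(token);
}

// Constructed sample tokens for demonstration (not captured from real traffic).
std::vector<uint8_t> sampleSpnegoToken(bool ntlmFirst)
{
    std::vector<uint8_t> t = {0x60,0x27, 0x06,0x06,0x2b,0x06,0x01,0x05,0x05,0x02,
                              0xa0,0x1d, 0x30,0x1b, 0xa0,0x19, 0x30,0x17};
    auto appendOid = [&t](const std::vector<uint8_t> &oid) {
        t.push_back(0x06); t.push_back(static_cast<uint8_t>(oid.size()));
        t.insert(t.end(), oid.begin(), oid.end());
    };
    if (ntlmFirst) { appendOid(kNtlmsspOid); appendOid(kKrb5Oid); }
    else           { appendOid(kKrb5Oid);    appendOid(kNtlmsspOid); }
    return t;
}

std::vector<uint8_t> sampleRawKerberosToken()
{
    std::vector<uint8_t> t = {0x60,0x0d, 0x06,0x09};
    t.insert(t.end(), kKrb5Oid.begin(), kKrb5Oid.end());
    t.push_back(0x01); t.push_back(0x00);          // TOK_ID for KRB_AP_REQ
    return t;
}
```

The caveat this makes visible: only the first SPNEGO round carries the mechanism list, so a decoder that probes per request must cache the outcome for the connection, and a raw NTLMSSP blob under "Negotiate" has to be fed to the NTLM path as-is rather than unwrapped as SPNEGO.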