[squid-users] Problem with digest authentification and credential backend
wmunny william
wmunny at mail.com
Wed Nov 26 10:45:45 UTC 2014
>
> William, to be more clear, this patch is not related at all to the authenticate_ttl directive.
> authenticate_ttl doesn't work with Digest, but with Basic and maybe others (NTLM, Kerberos?); there is no precision here: http://www.squid-cache.org/Doc/config/authenticate_ttl/
>
> The patch works like this:
>
> At the first banner Squid stores the login/password HASH: http://en.wikipedia.org/wiki/Digest_access_authentication http://wiki.squid-cache.org/KnowledgeBase/LdapBackedDigestAuthentication
>
> When the nonce is stalled (nonce_max_count reached), the helper compares the account stored in memory with a request to LDAP, and/or when the nonce is expired, the helper does the same thing.
>
> In these two cases there are two possibilities: the account is right or wrong -> bad password and/or bad login
>
> - If the return is right, Squid returns a new nonce and there is no impact for the user, I mean no banner.
> - If the return is wrong, Squid presents the authentication realm to the user and the browser prompts for a username and password.
>
> There is also another situation - if Squid is restarted - the browser returns its HASH without a banner (if the account is right, of course)
>
> So, without any change in LDAP the banner never appears, except when the browser starts.
>
> Fred
>
> PS: About Digest, you are right, it's almost good now; there is still a little problem with the nonce count, but it is not related to this
>
Hi,
Ok, thanks,
Tested with both nonce_count and nonce_max_duration, no problem. Do you know if it works with Squid 3.5?
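
The revalidation flow described in the quoted message, as an added example that is not part of the thread and not the patch's code: a simplified Python model in which a cached HA1 is re-checked against the backend once the nonce is used up or expired. The class, the dict standing in for LDAP, the realm, the limits and the return labels are all assumptions made for illustration.

```python
import hashlib
import hmac

REALM = "proxy"  # constructed realm name

def ha1(user, realm, password):
    """HA1 as defined for HTTP Digest: MD5(user:realm:password)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()

class DigestRevalidator:
    """Hypothetical model: re-check the cached HA1 when the nonce runs out."""

    def __init__(self, backend, nonce_max_count, nonce_max_duration):
        self.backend = backend          # dict user -> HA1, stands in for LDAP
        self.nonce_max_count = nonce_max_count
        self.nonce_max_duration = nonce_max_duration
        self.cache = {}                 # HA1 kept in memory after first login

    def first_login(self, user):
        stored = self.backend.get(user)
        if stored is None:
            return "challenge"
        self.cache[user] = stored
        return "ok"

    def on_request(self, user, nonce_count, nonce_age):
        fresh = (nonce_count < self.nonce_max_count
                 and nonce_age < self.nonce_max_duration)
        if fresh:
            return "ok"
        cached = self.cache.get(user)
        current = self.backend.get(user)
        if cached and current and hmac.compare_digest(cached, current):
            return "new_nonce"          # silent renewal, no prompt
        self.cache.pop(user, None)
        return "challenge"              # realm presented, browser prompts

def demo():
    ldap = {"alice": ha1("alice", REALM, "old-secret")}  # constructed data
    sq = DigestRevalidator(ldap, nonce_max_count=50, nonce_max_duration=1800)
    results = [sq.first_login("alice")]
    results.append(sq.on_request("alice", 10, 60))     # nonce still valid
    results.append(sq.on_request("alice", 50, 60))     # count limit reached
    results.append(sq.on_request("alice", 1, 1800))    # nonce expired
    ldap["alice"] = ha1("alice", REALM, "new-secret")  # password changed
    results.append(sq.on_request("alice", 50, 60))
    return results

if __name__ == "__main__":
    print(demo())
```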