[squid-users] Problem with digest authentification and credential backend
FredB
fredbmail at free.fr
Mon Nov 24 09:38:02 UTC 2014
>
>
> And it works great ! Thank you Amos for your patch.
> In previous Squid 3.3.x DIGEST was very buggy , crash, 407, banners,
> but now it seems very stable. Perhaps there are some little bugs
> like this, but now it's usable.
> Thanks for your works
>
Hi,
William to be more clear this patch is not related at all with authenticate_ttl directive.
authenticate_ttl doesn't works with Digest, but with basic and maybe another (ntlm, kerberos ?) there is no precision here http://www.squid-cache.org/Doc/config/authenticate_ttl/
The patch works like this:
At first banner Squid store the login/password HASH http://en.wikipedia.org/wiki/Digest_access_authentication http://wiki.squid-cache.org/KnowledgeBase/LdapBackedDigestAuthentication
When nonce is stalled (nonce_max_count reached) the helper compare the account stored in memory with a request to Ldap or/and when the nonce is expired, the helper makes the same thing.
In this two cases there are two possibilities, the account is right or wrong -> Bad password or/and bad login
- If the return is right Squid return a new nonce and there is no impact for the user, I mean no banner.
- If the return is wrong Squid present the authentication realm to the user and the browser prompt for a username and password.
There is also an another situation - if squid is restarted - the browser returns is HASH without banner (if the account is right of course)
So, without any change in LDAP the banner never appear, except when the browser start.
Fred
PS: About Digest you are right it's almost good now, still also a little problem with nonce count but not related with this
More information about the squid-users
mailing list