Re: External Auth

From: David Richards <dj.richards@dont-contact.us>
Date: Thu, 19 Nov 1998 10:58:48 +1000 (EST)

Henrik,

        The authenticator itself does not bother telling users; as far as
my code is concerned it only matters what the answer is to
username/password. However, the "real" authentication process does want
to tell users clever things.

        This is the situation:

SAME MACHINE             DIFFERENT MACHINES

Squid
  |
Authenticator
  |
Lauth ------------------ Authentication Server
  |
  |--------------------- Quota Server

The "lauth" process is the main process doing the authentication. It
queries the authentication server and the quota server and determines the
authentication status. This is only done in the first instance. The
"lauth" process has a local cache of authenticated users and each record
has an appropriate timeout associated.

So, in most cases the authentication system is very fast. We are also
making use of the internal squid cache. It validates the authentication
details of a user, via the process outlined above, every 60 secs.

Therefore, this process has been made as fast as possible, and in most
cases it is no slower than via the normal authentication scheme. The
"lauth" process "outsources" the messaging. It sends messages to a
message server which delivers the messages to the client's PC. Hence the
reason to pass the client IP and the URL.

The reason we have an external authentication process, "lauth", is it is a
generic authentication system. The same process is used to authenticate
both WWW and SOCKS traffic. Therefore, if a user authenticates for one
service, say SOCKS, the authentication server and quota server do not need
to be queried if the user then uses the proxy on the same machine.

This system is extended across three machines, all running proxy and
SOCKS servers. There is also another machine, running a dynamic firewall
filtering mechanism, which requires authentication, which of course uses
"lauth" as well. Also, on this machine is the messaging server.

I see your point that the authenticator should only be worried with
authenticating. I am just outlining why I need other details. This level
of implementation can not be done easily any other way, that I can see.

Seeya,

-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-
David Richards
Network Programmer
Internetworking Software Services, Computing Services
Queensland University of Technology
Level 12, 126 Margaret Street
Brisbane QLD 4001, Australia
E-mail: dj.richards@qut.edu.au
Ph: +61 7 3864 4347 Fax: +61 7 3864 5272
-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-#-

On Thu, 19 Nov 1998, Henrik Nordstrom wrote:

> David Richards wrote:
>
> > The URL is for a QUT specific. We have a messaging client here
> > at QUT that runs on PCs. We use this to tell users why they have failed
> > authentication. The message is usually something like so:
> >
> > 1) While trying to access "URL", your account went over quota.
> >
> > 2) Your username / password is incorrect.
> >
> > 3) The Authentication Server is currently unavailable.
>
>
> Why bother the authenticator with this?
>
> A better approach is to
> 1. Include it in the "access denied" message sent to the browser.
> 2. Install a error trap handler in Squid to take special actions on
> errors, like sending a network message to the user.
>
> > However, I would like to see the complete icpState being passed.
>
> I still don't think this makes sense. The authenticator program performs
> an isolated task (validating that the user's authentication is valid) and
> it should not be bothered with information not relevant to this task.
> Having more information only complicates matters, and may fool people
> into thinking that the authenticator may be used for things not really
> possible at this place in Squid (like checking access based on the URL).
>
> There is no such thing as a "icpState" in Squid 2. State information is
> kept at several layers/subsystem (client connection, request being
> processed, user authentication, access control, ....) where each is
> partially independent of the other (and some are not very independent at
> all).
>
>
> ---
> Henrik Nordstrom
> Spare time Squid hacker
>
Received on Wed Nov 18 1998 - 18:06:40 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:43:10 MST
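The thread describes an external authenticator that sits between Squid and a remote authentication/quota service, keeps a local cache of authenticated users with per-record timeouts, and is re-queried by Squid roughly every 60 seconds. The following is an added example of that caching layer, written for this page; it is not David's "lauth" code and not Squid's own helper source. It assumes the 1998-era Squid basic auth helper protocol (one request per line, "username password", answered with "OK" or "ERR" on stdout), and it stands in for the authentication and quota servers with a constructed in-memory table. Passwords are assumed to contain no whitespace, so that the extra fields David's variant appends (client IP and URL) can follow them on the same line; those fields are accepted but, as Henrik argues, play no part in the decision. The security point the example makes explicit is that a cache entry must be bound to the password it was established with: it stores a digest of the password and only returns a cached OK when the presented password matches, and it never caches a failure.

```python
import hashlib
import hmac
import sys
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the authentication and quota servers described
# in the thread; a real helper would query them over the network.
BACKEND_USERS = {"alice": "correct-horse", "bob": "s3cret"}


def backend_check(username: str, password: str) -> bool:
    """Hypothetical remote check: True only for a valid, in-quota account."""
    return BACKEND_USERS.get(username) == password


class CachingAuthenticator:
    """Answers OK/ERR for username/password pairs, caching positive results.

    Only successful authentications are cached. Each entry holds a digest
    of the password it was established with, so a later attempt with a
    different password for the same user never inherits a cached OK.
    """

    def __init__(self, backend: Callable[[str, str], bool], ttl: float = 60.0):
        self.backend = backend
        self.ttl = ttl
        self.backend_calls = 0  # counts round trips to the remote check
        self._cache: Dict[str, Tuple[bytes, float]] = {}

    @staticmethod
    def _digest(password: str) -> bytes:
        return hashlib.sha256(password.encode("utf-8")).digest()

    def check(self, username: str, password: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._cache.get(username)
        if entry is not None:
            cached_digest, expires = entry
            if now >= expires:
                # record timed out: forget it and re-validate with the backend
                del self._cache[username]
            elif hmac.compare_digest(cached_digest, self._digest(password)):
                return True
            # a mismatching password falls through to the backend; the
            # existing entry is kept so a wrong guess cannot evict a valid one
        self.backend_calls += 1
        ok = self.backend(username, password)
        if ok:
            self._cache[username] = (self._digest(password), now + self.ttl)
        return ok

    def handle_line(self, line: str, now: Optional[float] = None) -> str:
        """Process one helper request line and return the reply text.

        Assumed request format: "username password" with optional trailing
        fields (client IP, URL) that are ignored for the decision.
        """
        fields = line.rstrip("\n").split()
        if len(fields) < 2:
            return "ERR"
        username, password = fields[0], fields[1]
        return "OK" if self.check(username, password, now) else "ERR"


def main() -> None:
    # Squid-style helper loop: one request per stdin line, one reply per line.
    auth = CachingAuthenticator(backend_check)
    for line in sys.stdin:
        sys.stdout.write(auth.handle_line(line) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

With a 60 second TTL, a user who authenticated at time 0 is answered from the cache until time 60 and then costs one backend round trip to renew, which matches the thread's description of the first-instance query followed by timed local records. Keeping the entry on a password mismatch is a deliberate choice: evicting it would let anyone who can send requests for a username force repeated backend queries.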