Re: I know the Problem with ntlm

From: Robert Collins <robert.collins@dont-contact.us>
Date: Tue, 10 Oct 2000 19:28:12 +1100

----- Original Message -----
From: "Chemolli Francesco (USI)" <ChemolliF@GruppoCredit.it>
To: "'Robert Collins'" <robert.collins@itdomain.com.au>; "Thomas Goebel"
<thomas@an-netz.de>
Cc: <squid-users@ircache.net>
Sent: Tuesday, October 10, 2000 7:22 PM
Subject: RE: I know the Problem with ntlm

> > Thomas,
> > can you please cc your replies on this discussion to the list: I
> > am not the only squid-ntlm developer.
> >
> > Having looked into case-sensitivity for usernames, I don't know if
> > ldap/unix systems will allow test and Test to be different usercodes,
> > but in case they do I am not going to make the username check
> > case-insensitive for that reason. What I will do is make sure that the
> > username returned from NTLM is always uppercase.
>
> I can do that at the authenticator level, only with lower case
> (it's just a matter of personal taste, I dislike upper-case).
> If you want, I can make a command-line switch to change the behavior.
> The check against the domain is case-insensitive anyways...
> This is exactly the reason why I implemented the case-insensitive
> switch for http_auth acls. I don't know whether it's in the current
> CVS, if not I can send you a patch.

I can't recall the results of the discussion on squid-dev, but as it applies
to all auth acls I think it is a 'bad thing'. Still, if the helper can be
consistently lowercase that'd solve one of Thomas's issues.

> > The usernames are of the format domain\user because that is the couple
> > used by MS who wrote the spec. (It's not a feature it's what the decode
> > process returns).
>
> I did it for consistency with the Microsoft Proxy behaviour.
> It would be nice however if logged entries weren't URLencoded,
> at least as far as the \ character goes.
>
> > A similar issue exists with domain names where you have www.foo.net or
> > www. Just using www can result in confusion. So just using GOEBELT could
> > be a problem. I.E. what if you have two user domains, and a repeated
> > username across them?
>
> With the current domain code, it shouldn't work at all.
> The domain is _required_.
>
> > What we could do is get the helper to return just the username component
> > (turned on or off with a command switch) - kinkie what do you think? The
> > helper should do it as it is where caching and optimisations are being
> > placed at this point.
>
> Cannot do. What about the case where you have user foo\bar and gazonk\bar
> then? No, the domain part is to remain. Blame Microsoft for such a
> dumb design.

What if the user has only one domain, and likes it that way? Their choice...

Anyway, let's move these details over to squid-dev, or offline?

>
> --
> /kinkie, going back to coding NOW.
>

:-]

Received on Tue Oct 10 2000 - 02:28:25 MDT
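
Added example, not part of the original message and not Squid's or the helper's own code: a sketch of the two points argued in the thread, namely a helper returning domain\user in one consistent case, and the identities that would collide if the domain part were dropped. The function names, the lowercase default and the sample identities are assumptions made for illustration.

```python
from collections import defaultdict
from urllib.parse import unquote


def canonical_identity(raw, url_encoded=False, fold_case=True):
    """Split a DOMAIN\\user string into (domain, user).

    url_encoded=True accepts the logged form, where the backslash
    appears as %5C. The domain part is required, as in the thread.
    """
    text = unquote(raw) if url_encoded else raw
    domain, sep, user = text.partition("\\")
    if not sep or not domain or not user:
        raise ValueError(f"domain\\user required, got {raw!r}")
    if fold_case:
        # One fixed case from the helper, so a case-sensitive ACL
        # comparison still sees a single spelling per account.
        domain, user = domain.lower(), user.lower()
    return domain, user


def acl_key(raw, url_encoded=False):
    """Single string form to compare against ACL entries."""
    domain, user = canonical_identity(raw, url_encoded=url_encoded)
    return f"{domain}\\{user}"


def stripped_collisions(identities):
    """Return {user: [domains]} for usernames that exist in more than
    one domain, i.e. accounts that would become indistinguishable if
    the helper returned only the username component."""
    domains_by_user = defaultdict(set)
    for raw in identities:
        domain, user = canonical_identity(raw)
        domains_by_user[user].add(domain)
    return {u: sorted(d) for u, d in domains_by_user.items() if len(d) > 1}


# Constructed sample identities (not taken from any real log).
SAMPLE = ["FOO\\bar", "gazonk\\Bar", "foo\\BAR", "FOO\\test"]

if __name__ == "__main__":
    for raw in SAMPLE:
        print(f"{raw!r:16} -> {acl_key(raw)}")
    print("collide without domain:", stripped_collisions(SAMPLE))
```
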