[SQU] ANNOUNCEMENT: NTLM update

From: Robert Collins <robert.collins@dont-contact.us>
Date: Mon, 13 Nov 2000 09:59:12 +1100

This is to announce an update to the CVS tree for squid-ntlm.

The new code (like the existing code) is somewhere after alpha and
before production. YMMV.

Why upgrade?

* Nearly complete authentication rewrite.
* Full reconfigure support (Prior to this, squid did not expire users in
the user cache according to the new authenticate ttl).
* Dynamic Authentication scheme support. Squid only offers and accepts
the authentication scheme that helpers are defined in squid.conf for.
I.E. if you need Basic support, simply list an authenticate_program.
* NTLM usernames are logged as domain\user, not domain%5cuser.
* At a source level authenticate.c now handles nearly all the
authentication functionality, and acl.c the access controls. This should
allow easy integration of digest/kerberos etc as acl.c should need
minimal (if any) changes.
* generic acl match caching function for acl.c (used by this update)
* acl match caching for proxy_auth and proxy_auth_regex with
authenticated users. This means that if you have long proxy_auth or
proxy_auth_regex acls, repeated requests for a given username (even from
multiple workstations) will short-circuit the username matching. For
sites with 1000s of users, or complex regexes, this should produce
substantial CPU savings.
* user cache garbage collection. (we use more memory with NTLM and also
with acl match caching.)
* New config directive authenticate_cache_garbage_interval to tune user
cache garbage collection.
* multiplexed ntlm helper requests. fake_auth has been updated, I'm not
sure whether the NTLMSSP helper will respond 'optimally' to this or not.
It should work though (I can't test it :-[)
* IP address movement restrictions affect NTLM and basic authentication
equally. (shared code now).
* NTLM authenticated user timeouts & IP timeouts as per basic
authentication (shared code now).
* (hopefully) generally cleaner interfaces internally, should be a lot
easier to add digest et al in the future.
* removed --enable-basic-authentication and --enable-ntlm-authentication
configure options. Authentication schemes are now implicitly controlled
via squid.conf. (By setting a helper for a given scheme).

The helpers themselves have not changed substantially. In particular the
NTLMSSP helper is still using the same wire-level protocol to the Domain
Controller. If you have tuned your system to work well now, I suggest
keeping the same parameters and seeing how it runs.

To update:
do a cvs update in your source directory
then autoconf
then autoheader
then in your build directory
make clean
make
make install

Received on Sun Nov 12 2000 - 16:03:59 MST