RE: [SQU] SMB Authentication

From: Robert Collins <robert.collins@dont-contact.us>
Date: Mon, 22 Jan 2001 13:06:10 +1100

> -----Original Message-----
> From: Simon Bryan [mailto:sbryan@olmc.nsw.edu.au]
> Sent: Monday, 22 January 2001 12:56 PM
> To: Robert Collins
> Subject: RE: [SQU] SMB Authentication
>
>
> At 12:34 22/01/2001, you wrote:
>
> >use
> >
> >http_access allow domainusers !otheracl !otheracl
>
> not sure what you mean here

You said you had other acls that you wanted checked, and that you needed
the username logged for. Placing the proxy_auth acl at the beginning of
the access lines that allow/deny based on other criteria will ensure
that the username check is made regardless.

What I should have said was, get rid of your
http_access allow domainusers
as it won't process other acls. Instead put domainusers or another
proxy_auth acl on the beginning of every http_access line.

> >!domainusers where domainusers is proxy_auth REQUIRED will never match
> >because REQUIRED always matches, and !1=0.
>
> it works for NCSA authentication!?
>

?!? Can't explain it.
For
acl foo proxy_auth bar
http_access allow !foo
means
if acl foo is matched, go to the next http_access line. If acl foo is not
matched, allow access.

Matching acl foo means
1) if a proxy_authenticate header was given and the password was correct
compare the username to the list in foo, and if it is present, or the
list in foo was REQUIRED then we have a match. If the username was not
present in foo then we do not have a match.
2) if the password was incorrect or no header was present, send a 407
response to the browser prompting them to get user credentials from the
user.

so !foo will work UNLESS foo's user list is 'REQUIRED'. It's got nothing
to do with the backend helper.

Rob

Received on Sun Jan 21 2001 - 19:13:12 MST
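
Added example, not part of the original message and not Squid's code: a small Python model of the http_access evaluation described in the reply above. It shows why putting the proxy_auth acl at the start of each line keeps the other acls in play, and why !acl never matches when the user list is REQUIRED. The "blocked" acl, the user names, the request dictionaries and the closing "deny all" line are assumptions made for the illustration.

```python
# Simplified model of http_access evaluation as described in the message above.
# Not Squid's code; acl "blocked", the users and the requests are constructed.
REQUIRED = "REQUIRED"

class Challenge(Exception):
    """Stands in for the 407 sent when credentials are missing or wrong."""

def proxy_auth(users):
    def match(req):
        creds = req.get("creds")          # (username, password_ok) or None
        if creds is None or not creds[1]:
            raise Challenge()             # case 2 in the message: prompt with 407
        return users == REQUIRED or creds[0] in users   # case 1 in the message
    return match

ACLS = {
    "domainusers": proxy_auth(REQUIRED),
    "foo": proxy_auth({"bar"}),
    "blocked": lambda req: req["host"] == "blocked.example",  # hypothetical acl
    "all": lambda req: True,
}

def evaluate(rules, req):
    """First line whose acls all match decides; acls are tested left to right."""
    for action, names in rules:
        try:
            if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
                return action
        except Challenge:
            return "407"
    return "deny"   # assumption: every rule set here ends in "deny all" anyway

# "http_access allow domainusers" on its own line: later lines are never reached.
ALLOW_FIRST = [("allow", ["domainusers"]), ("deny", ["blocked"]), ("deny", ["all"])]
# proxy_auth acl at the start of the line that carries the other criteria.
COMBINED = [("allow", ["domainusers", "!blocked"]), ("deny", ["all"])]
# Negation: REQUIRED can never produce a non-match, a named user list can.
NOT_REQUIRED = [("allow", ["!domainusers"]), ("deny", ["all"])]
NOT_FOO = [("allow", ["!foo"]), ("deny", ["all"])]

alice = {"creds": ("alice", True), "host": "blocked.example"}
bar = {"creds": ("bar", True), "host": "ok.example"}
anon = {"creds": None, "host": "ok.example"}

if __name__ == "__main__":
    for name, rules in [("ALLOW_FIRST", ALLOW_FIRST), ("COMBINED", COMBINED),
                        ("NOT_REQUIRED", NOT_REQUIRED), ("NOT_FOO", NOT_FOO)]:
        print(name, [evaluate(rules, r) for r in (alice, bar, anon)])
```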