fre 2007-05-11 klockan 11:30 +0100 skrev Duarte Lázaro:
> But in NTLM i cannot ( i think ) restrict a user by an attribute, if
> the user gets authenticated he has "net".
You can. But it's two different things. Don't mix up authentication and
authorization.
The purpose of authentication is solely to verify the identity of the
user. You then use this identity in authorization to grant or deny
access.
authentication is done by auth_param settings, and triggered by acls
based on the user name.
authorization is done by http_access, by using acls matching users and
what they are allowed to do.
> Basic/Digest (squid_ldap_auth/group) are more flexible, because u can
> use a filter and restrict by attribute.The problem is that browsers are
> always prompting for password allthought the password can be stored.
You can still use squid_ldap_group with NTLM if you run a Windows Active
Directory.
Digest is a bit troublesome in that you can not use a user directory
backend, and must have a local digest password file on the proxy.
Regards
Henrik
This archive was generated by hypermail pre-2.1.9 : Fri Jun 01 2007 - 12:00:05 MDT