Authentication rewrite project
Webpage courtesy Robert Collins.
The auth_rewrite project aims at providing an extensible
authentication mechanism for Squid, and at generally enhancing the
existing authentication support.
Current status (08/12/2000)
- The NTLM project is based on the
project's work.
- Feature-complete.
- Awaits serious testing.
Available documentation
Should you decide to write your own helper modules, you could read the auth
scheme API documentation.
Change List (In this branch)
- Config file driven 407 responses. (Each scheme is given the opportunity to
present a challenge. The client chooses the challenge to use, and any
further challenges only use that scheme.)
- User cache garbage collection
- Updated authentication framework. Authentication scheme and access control
(including IP address movement, user expiry timeouts) are now decoupled.
- Nearly complete authentication rewrite.
- Full reconfigure support. (Prior to this, Squid did not expire users in the
user cache according to the new authenticate ttl.)
- Dynamic authentication scheme support. Squid only offers and accepts the
authentication schemes for which helpers are defined in squid.conf, i.e. if
you need Basic support, simply list an authenticate_program.
- Escaping for logged usernames changed (to allow for the \ in MS domain
usercodes - see the ntlm project).
- At the source level, authenticate.c now handles nearly all the authentication
functionality, and acl.c handles the access controls. This should allow easy
integration of digest/kerberos etc., as acl.c should need minimal (if any)
changes.
- acl match caching for proxy_auth and proxy_auth_regex with authenticated
users. This means that if you have long proxy_auth or proxy_auth_regex acls,
repeated requests for a given username (even from multiple workstations)
will short-circuit the username matching. For sites with thousands of users,
or complex regexes, this should produce substantial CPU savings.
- New config directive authenticate_cache_garbage_interval to tune user
cache garbage collection.
- (hopefully) generally cleaner interfaces internally, should be a lot
easier to add digest et al in the future.
- ntlm scheme. The ntlm scheme is currently only up-to-date in the
auth_rewrite branch. As soon as the branches get switched around, further
development of ntlm will take place in the ntlm CVS branch.
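The acl match caching item in the change list above, sketched as an added example (not code from Squid or from this page): results are cached on the user record, so requests from any workstation share them. The config generation counter is an assumption of this sketch; it discards cached results on reconfigure so a user removed from an acl stops matching. All type and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CACHED 8

/* Hypothetical types for illustration; not Squid's own structures. */
typedef struct { const char **names; size_t count; } user_acl;
typedef struct {
    char username[64];
    unsigned generation;                 /* config generation the cache was filled under */
    struct { const user_acl *acl; int matched; } cache[MAX_CACHED];
    int ncached;
} auth_user;

static unsigned config_generation = 1;  /* bumped on every reconfigure */
static unsigned long slow_scans;        /* counts full walks of a user list */

static int slow_match(const user_acl *acl, const char *user) {
    slow_scans++;
    for (size_t i = 0; i < acl->count; i++)
        if (strcmp(acl->names[i], user) == 0) return 1;
    return 0;
}

void reconfigure(void) { config_generation++; }
unsigned long scans(void) { return slow_scans; }

/* Result of matching this user against acl; walks the list only on a miss. */
int acl_match_user(auth_user *u, const user_acl *acl) {
    if (u->generation != config_generation) {   /* results from an old config: discard */
        u->ncached = 0;
        u->generation = config_generation;
    }
    for (int i = 0; i < u->ncached; i++)
        if (u->cache[i].acl == acl) return u->cache[i].matched;
    int r = slow_match(acl, u->username);
    if (u->ncached == MAX_CACHED) u->ncached = 0;  /* simple eviction: start over */
    u->cache[u->ncached].acl = acl;
    u->cache[u->ncached].matched = r;
    u->ncached++;
    return r;
}

int main(void) {
    const char *names[] = { "alice", "bob" };      /* constructed sample acl */
    user_acl staff = { names, 2 };
    auth_user bob = { .username = "bob" };
    for (int req = 0; req < 3; req++)              /* three requests, any workstation */
        printf("match=%d scans=%lu\n", acl_match_user(&bob, &staff), scans());
    return 0;
}
```

Without the generation check, a cached match would keep granting access after the user list changed, which is why the cache has to be tied to reconfigure and user expiry.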
Future things that would be nice to do (that this work makes easier/is
needed for)
- Finish the details of the authentication framework so we have an API for adding
authentication schemes. (This is in progress).
- Split out the auth scheme specific data so no Squid changes are needed to
add a new helper.
- Digest authentication scheme module
- Kerberos authentication scheme module
- Add a new deny state - authentication in progress. This is specifically
for multi-step authentication protocols a la NTLM.
$Id: index.html,v 1.5 2003/06/03 21:55:55 serassio Exp $