--------------------- PatchSet 7165 Date: 2005/11/05 23:08:29 Author: hno Branch: negotiate-2_5 Tag: (none) Log: Documentation cleanup Members: src/cf.data.pre:1.49.2.65.2.10->1.49.2.65.2.11 Index: squid/src/cf.data.pre =================================================================== RCS file: /cvsroot/squid-sf//squid/src/cf.data.pre,v retrieving revision 1.49.2.65.2.10 retrieving revision 1.49.2.65.2.11 diff -u -r1.49.2.65.2.10 -r1.49.2.65.2.11 --- squid/src/cf.data.pre 22 Oct 2005 10:23:47 -0000 1.49.2.65.2.10 +++ squid/src/cf.data.pre 5 Nov 2005 23:08:29 -0000 1.49.2.65.2.11 @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.49.2.65.2.10 2005/10/22 10:23:47 hno Exp $ +# $Id: cf.data.pre,v 1.49.2.65.2.11 2005/11/05 23:08:29 hno Exp $ # # # SQUID Web Proxy Cache http://www.squid-cache.org/ @@ -1326,11 +1326,11 @@ auth_param basic program @DEFAULT_PREFIX@/libexec/ncsa_auth @DEFAULT_PREFIX@/etc/passwd "children" numberofchildren - The number of authenticator processes to spawn. - If you start too few Squid will have to wait for them to process a - backlog of usercode/password verifications, slowing it down. When - password verifications are done via a (slow) network you are likely to - need lots of authenticator processes. + The number of authenticator processes to spawn. If you start too few + squid will have to wait for them to process a backlog of credential + verifications, slowing it down. When credential verifications are + done via a (slow) network you are likely to need lots of + authenticator processes. auth_param basic children 5 "realm" realmstring 
@@ -1382,11 +1382,11 @@ "children" numberofchildren - The number of authenticator processes to spawn (no default). If you - start too few Squid will have to wait for them to process a backlog of - H(A1) calculations, slowing it down. When the H(A1) calculations are - done via a (slow) network you are likely to need lots of authenticator - processes. + The number of authenticator processes to spawn. If you start too few + squid will have to wait for them to process a backlog of credential + verifications, slowing it down. When credential verifications are + done via a (slow) network you are likely to need lots of + authenticator processes. auth_param digest children 5 "realm" realmstring @@ -1443,11 +1443,11 @@ auth_param ntlm program /path/to/samba/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp "children" numberofchildren - The number of authenticator processes to spawn (no default). If you - start too few Squid will have to wait for them to process a backlog - of credential verifications, slowing it down. When credential - verifications are done via a (slow) network you are likely to need - lots of authenticator processes. + The number of authenticator processes to spawn. If you start too few + squid will have to wait for them to process a backlog of credential + verifications, slowing it down. When credential verifications are + done via a (slow) network you are likely to need lots of + authenticator processes. auth_param ntlm children 5 "use_ntlm_negotiate" on|off 
@@ -1464,10 +1464,7 @@ all users must be allowed to log on the proxy servers too, or they'll get "invalid workstation" errors - and access denied - when trying to use Squid's services. - Use of ntlm NEGOTIATE is incompatible with challenge reuse, so - enabling this parameter will OVERRIDE the max_challenge_reuses and - max_challenge_lifetime parameters and set them to 0. - auth_param ntlm use_ntlm_negotiate off + auth_param ntlm use_ntlm_negotiate on "keep_alive" on|off This option enables the use of keep-alive on the initial @@ -1475,22 +1472,30 @@ have problems if this is enabled, but performance will be increased if enabled. - auth_param ntlm keep_alive off + auth_param ntlm keep_alive on === Negotiate scheme options follow === "program" cmdline - Specify the command for the external SPNEGO authenticator. Such a + Specify the command for the external Negotiate authenticator. Such a program participates in the SPNEGO exchanges between Squid and the client and reads commands according to the Squid ntlmssp helper protocol. See helpers/ntlm_auth/ for details. Recommended SPNEGO - authenticator is ntlm_auth from Samba-3.X. + authenticator is ntlm_auth from Samba-4.X. By default, the Negotiate authentication scheme is not used unless a program is specified. auth_param negotiate program /path/to/samba/bin/ntlm_auth --helper-protocol=gss-spnego + "children" numberofchildren + The number of authenticator processes to spawn. If you start too few + squid will have to wait for them to process a backlog of credential + verifications, slowing it down. When credential verifications are + done via a (slow) network you are likely to need lots of + authenticator processes. + auth_param negotiate children 5 + "keep_alive" on|off If you experience problems with PUT/POST requests when using the Negotiate authentication scheme then you can try setting this to 
@@ -1501,23 +1506,25 @@ auth_param negotiate keep_alive on NOCOMMENT_START -#Recommended minimum configuration: +#Recommended minimum configuration per scheme: +#auth_param negotiate program +#auth_param negotiate children 5 +#auth_param negotiate keep_alive on +#auth_param ntlm program +#auth_param ntlm children 5 +#auth_param ntlm use_ntlm_negotiate on +#auth_param ntlm keep_alive on #auth_param digest program #auth_param digest children 5 #auth_param digest realm Squid proxy-caching web server #auth_param digest nonce_garbage_interval 5 minutes #auth_param digest nonce_max_duration 30 minutes #auth_param digest nonce_max_count 50 -#auth_param ntlm program -#auth_param ntlm children 5 -#auth_param ntlm max_challenge_reuses 0 -#auth_param ntlm max_challenge_lifetime 2 minutes -#auth_param ntlm use_ntlm_negotiate off #auth_param basic program -auth_param basic children 5 -auth_param basic realm Squid proxy-caching web server -auth_param basic credentialsttl 2 hours -auth_param basic casesensitive off +#auth_param basic children 5 +#auth_param basic realm Squid proxy-caching web server +#auth_param basic credentialsttl 2 hours +#auth_param basic casesensitive off NOCOMMENT_END DOC_END
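Review bot: In the @@ -1326 hunk (basic "children"), the rewritten paragraph lowercases the product name ("If you start too few squid will have to wait"), while the removed text and the rest of the file, for example "SPNEGO exchanges between Squid and the client", use "Squid". The same paragraph is pasted into the digest, ntlm and negotiate "children" entries, so the lowercase form now appears four times; please keep "Squid" in all of them.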
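Review bot: In the @@ -1382 hunk (digest "children"), and again in the @@ -1443 hunk for ntlm, the words "(no default)" are dropped from the description without the text saying what the default now is. If the helper count is still unset unless configured, keep "(no default)"; if a default exists on this branch, state the number in the description rather than leaving only the example line "auth_param digest children 5" to imply it.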
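Review bot: In the @@ -1464 hunk, the paragraph saying that NTLM NEGOTIATE is incompatible with challenge reuse and overrides max_challenge_reuses and max_challenge_lifetime is deleted in the same change that flips the example to "auth_param ntlm use_ntlm_negotiate on". An administrator who enables the option is no longer told what happens to challenge reuse. If those two parameters have been removed on this branch, say so in the log message; if they still exist, keep the warning. In either case the log entry "Documentation cleanup" does not cover a change to the documented setting of an authentication option.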
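Review bot: In the @@ -1475 hunk, the recommended SPNEGO authenticator changes from "ntlm_auth from Samba-3.X" to "Samba-4.X" with no explanation, which is a change of recommendation rather than a wording cleanup; please state in the text or the log why 3.X is no longer suitable for --helper-protocol=gss-spnego. The same hunk switches the example to "auth_param ntlm keep_alive on" while the description just above it still warns of problems when the option is enabled, so the text should say who is affected before the example encourages turning it on.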
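Review bot: In the @@ -1501 hunk, the four basic-scheme lines in the NOCOMMENT_START block (children, realm, credentialsttl, casesensitive) were the only uncommented directives there and are now prefixed with "#", so the block no longer sets any active auth_param values. That changes the effective configuration for anyone relying on those lines, not just the documentation. Please either leave the basic lines active or split this into its own commit with a log message that names the change. The heading "Recommended minimum configuration per scheme" also now lists "use_ntlm_negotiate on" and drops max_challenge_reuses and max_challenge_lifetime, which should be justified alongside the ntlm description change earlier in the patch.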