Re: Authentication Via Another Server

From: John Hammond <JOHN@dont-contact.us>
Date: Sun, 14 Nov 99 15:29:49 EST

On Wed, 10 Nov 1999 09:17:29 +0100 you said:
>At 19:15 11/09/1999 -0500, John Hammond wrote:
>> I'd like to know if the following could be implemented using Squid.
>>We want to have Squid running on an AIX or Linux box make a call (open
>>an HTTP connection) to another host for the purpose of passing the userid
>>and password combination for authentication via the other host. The
>>authenticating host would pass back to the Squid host whatever was
>>required (ERR or OK, I believe) via the HTTP connection opened by the
>>host running Squid. Essentially, the Squid authentication routine will
>>just call another host via HTTP which will actually do the authentication.
>>Possible with Squid?
>
>(Please treat this as coming from someone who knows way too little about Squid)
>
>If you must use another host to do the authentication, and you must use
>http for the authentication 'call', then I'm not sure.
  Yes, we must use the other host for authentication. It contains the
large number of existing accounts against which we want to authenticate.
We don't want to have to create an entire other accounts management
system for the host which will run Squid. We want to use all the
existing accounts without alteration or without having to recreate them.
  We want to use HTTP because we have a web server for the authentication
host. I don't want to have to write a sockets interface on that host to
communicate with the Squid host. We want to leverage the existing web
interface. We have written a Perl script on the host where Squid would
run. It opens an HTTP connection to the web server on the authentication
host which then runs a CGI and passes back an ERR or OK which proves the
basic concept will work. The question is can we insert it (or something
like it) into Squid as the authentication routine.
  If the url of the resource which the proxy server is protecting is
available to the authentication routine in Squid, we can concatenate
it to the password and pass the userid and "password|url" to the
authentication host which can then process the information to determine
whether the user should be granted access to the url via the proxy
server.
  At least, that is what we hope we can do. Having heard no other
responses, I'm not so sure it will be possible.
Received on Sun Nov 14 1999 - 14:03:59 MST
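
An added sketch of the kind of helper discussed in this thread (not code from the original message or from the Squid project): it reads one `user password` line per request, asks the authentication host over HTTP(S), and replies `OK` or `ERR`. The endpoint URL, the form field names, and the URL-encoding of the incoming fields are assumptions.

```python
import http.client
import sys
import urllib.parse
import urllib.request

# Assumption: hypothetical CGI endpoint on the authentication host.
AUTH_URL = "https://auth.example.internal/cgi-bin/check"


def parse_request(line):
    """Return (user, password) from one request line, or None if malformed."""
    parts = line.rstrip("\r\n").split(" ", 1)
    if len(parts) != 2 or not all(parts):
        return None
    # Assumption: Squid URL-encodes both fields before sending them.
    return tuple(urllib.parse.unquote(p) for p in parts)


def remote_check(user, password, url=AUTH_URL, timeout=5):
    """POST the credentials; accept only an HTTP 200 whose body is exactly OK."""
    # POST keeps the password out of the URL and so out of web server logs.
    body = urllib.parse.urlencode({"user": user, "password": password}).encode()
    try:
        with urllib.request.urlopen(url, data=body, timeout=timeout) as resp:
            return resp.status == 200 and resp.read(16).strip() == b"OK"
    except (OSError, ValueError, http.client.HTTPException):
        return False  # fail closed: no answer from the auth host means deny


def answer(line, check=remote_check):
    """Map one request line to the reply Squid expects."""
    creds = parse_request(line)
    return "OK" if creds and check(*creds) else "ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply, so never buffer


if __name__ == "__main__":
    main()
```

Anything other than an explicit `OK` from the authentication host, including a timeout or a malformed request line, results in `ERR`.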
