NTLM - log failed authentications


NTLM - log failed authentications

by Alejandro Bednarik

Hi all! I am using Squid stable 2.6.stable18 and I need to log
failed authentication attempts, or at least some info to look at. I
noticed that NTLM doesn't log the username if it fails; ldap_auth does
that, so I can parse the log to find something like TCP_DENIED/407, a
low ts value and a username to find a possible login attempt. Is there
any way I can do something about it when Squid uses NTLM to authenticate
the user?

Thanks in advance,
Cheers.

Re: NTLM - log failed authentications

by Amos Jeffries-2

Alejandro Bednarik wrote:
> Hi all! I am using Squid stable 2.6.stable18 and I need to log
> failed authentication attempts, or at least some info to look at. I
> noticed that NTLM doesn't log the username if it fails; ldap_auth does
> that, so I can parse the log to find something like TCP_DENIED/407, a
> low ts value and a username to find a possible login attempt. Is there
> any way I can do something about it when Squid uses NTLM to authenticate
> the user?

Squid always logs the username when it's available.

NTLM is an authentication mechanism that does not use usernames. It
passes around encoded binary hashes instead.

I think you need to change your concept a little bit. The real
identifier of whether a request is a login attempt is whether the
browser has included a Proxy-Authorization: header.

You can log that by adding %{Proxy-Authorization}>h to the log format if
you like. However be aware that one username cannot be derived out of
the hash and one username has multiple hashes over time.

Amos
--
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
   Current Beta Squid 3.1.0.14
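
The header-logging suggestion above, as an added example that is not part of the original posts or Squid's own code: it flags TCP_DENIED/407 lines whose logged Proxy-Authorization value is an NTLM Type 3 (authenticate) message and reads the domain and user name fields defined for that message in Microsoft's MS-NLMP specification. The log line layout (native Squid fields followed by the quoted header) and all sample values are assumptions constructed for the example.

```python
import base64
import struct

SIG = b"NTLMSSP\x00"

def parse_ntlm(header):
    """Return (message_type, domain, user) for an NTLM header value, else None."""
    scheme, _, blob = header.partition(" ")
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return None
    if scheme.upper() != "NTLM" or len(raw) < 12 or raw[:8] != SIG:
        return None
    mtype = struct.unpack_from("<I", raw, 8)[0]
    if mtype != 3 or len(raw) < 64:
        return (mtype, None, None)
    enc = "utf-16-le" if struct.unpack_from("<I", raw, 60)[0] & 1 else "latin-1"
    def field(pos):  # security buffer: length, max length, offset
        length, _, off = struct.unpack_from("<HHI", raw, pos)
        return raw[off:off + length].decode(enc, "replace")
    return (mtype, field(28), field(36))

def failed_ntlm_logins(lines):
    """List (client, domain, user) for every 407 sent in reply to a Type 3 message."""
    hits = []
    for line in lines:
        parts = line.rsplit('"', 2)
        fields = parts[0].split()
        if len(parts) != 3 or len(fields) < 4 or not fields[3].endswith("/407"):
            continue
        parsed = parse_ntlm(parts[1])
        if parsed and parsed[0] == 3:
            hits.append((fields[2], parsed[1], parsed[2]))
    return hits

def sample_type3(domain, user):
    """Constructed Type 3 message for the demo; response fields left empty."""
    d, u = domain.encode("utf-16-le"), user.encode("utf-16-le")
    bufs = [(0, 64), (0, 64), (len(d), 64), (len(u), 64 + len(d)), (0, 64), (0, 64)]
    head = SIG + struct.pack("<I", 3) + b"".join(struct.pack("<HHI", n, n, o) for n, o in bufs)
    return "NTLM " + base64.b64encode(head + struct.pack("<I", 1) + d + u).decode()

# Constructed log lines: native Squid fields, then the quoted header (assumed format).
LINE = '1262304000.%03d 2 192.0.2.10 TCP_DENIED/407 1800 GET http://example.com/ - NONE/- text/html "%s"'
TYPE1 = "NTLM " + base64.b64encode(SIG + struct.pack("<II", 1, 1)).decode()
SAMPLE = [LINE % (101, "-"), LINE % (140, TYPE1), LINE % (190, sample_type3("CORP", "jdoe"))]

if __name__ == "__main__":
    print(failed_ntlm_logins(SAMPLE))
```

A log that records this header also holds Basic credentials in recoverable form whenever a client sends them, so restrict read access to it.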