Re: Squid 3 HEAD - ICAP Modifications

From: Jeremy Hall <jehall@dont-contact.us>
Date: Thu, 14 Dec 2006 11:04:21 -0500

I do have need of the %d construct that I formulated. I am also
formulating something with X-Authenticated-Groups that I got some
recommendations from a vendor on how they want to see it. Should we use
\n or %n for a newline character? I'm hoping for \n since that seems
more intuitive, but the logic I wrote will need to be modified such that
multiple %d, %u, and %n constructs might exist in the same uri.

It doesn't matter to me greatly what the form looks like, I just want
to be able to understand what to put in my configuration file to get the
desired results.

I also understand that this cannot support ou's at this time. If there
is an ldap squid authenticator that I'm not aware of so we can get the
ou infos that'd be awesome.

_J

>>> Alex Rousskov <rousskov@measurement-factory.com> 12/14/06 10:48 AM
>>>
On Thu, 2006-12-14 at 08:47 +0100, Axel Westerhold wrote:

> There is one more change I am currently testing. The
> problem with this patch:
>
> It does not follow any ICAP document but only enables squid to get rid of
> the DOMAIN part from an NTLM Auth so I can use the result string as a query
> on samaccountname. Would it be possible to add this too?

I assume we are talking about modifying the authenticated client username,
passed via the icap_client_username_header to the ICAP server.

I believe the right thing to do here is similar to what Jeremy Hall did
with the icap_auth_scheme in
http://www.squid-cache.org/mail-archive/squid-dev/200611/0066.html

I would suggest to add an "icap_authenticated_user_header_value" option
that takes a string with the following supported substitutions:

    %U -- complete username, as is
    %N -- username without the domain part
    %% -- percent

I think we do not need a default value here, but would not object to
"Local://%U" if somebody insists on having a default.

The current "icap_client_username_header" option should be renamed to
"icap_authenticated_user_header_name".

The current "icap_client_username_encode" option should be renamed to
"icap_authenticated_user_header_encode". "On" should be the default, I
guess.

The three icap_authenticated_user_* options can be merged into one
multivalued option:
  icap_authenticated_user_header [<name>":"] [<encoding>"("] <value> [")"]

For example,
  icap_authenticated_user_header X-Authenticated-User: base64(Local://%U)
or
  icap_authenticated_user_header identity(%N)

Thank you,

Alex.

> On 14.12.2006 at 6:25, "Alex Rousskov" <rousskov@measurement-factory.com> wrote:
>
> > On Mon, 2006-12-04 at 12:57 +0100, Axel Westerhold wrote:
> >> Hi everyone,
> >>
> >> Second try this time hopefully complete.
> >>
> >> This is again patched against Squid 3 HEAD and includes 4 changes I would
> >> like to have when working with webwasher/squid systems.
> >>
> >>
> >> A.) ICAPServiceRep::TheSessionFailureLimit set through squid.conf
> >> B.) ICAPServiceRep delay for a down service set through squid.conf
> >> C.) Instead of hardcoding the Header used to transfer the username being
> >> able to set the used one through squid.conf
> >> D.) When using X-Authenticated-User in C I need the username to be base64
> >> encoded so I added another option to turn on encoding if needed.
> >
> > The above changes, with minor modifications are now committed to
> > squid3-icap branch. The corresponding patch is attached.
> >
> > I took the liberty to rename some of your new squid.conf options as well
> > as polish squid.conf comments and code. A negative value for the
> > icap_service_failure_limit disables the limit feature.
> >
> > Please test and let me know whether any further changes are needed.
> >
> > Thank you,
> >
> > Alex.
> >
>
Received on Thu Dec 14 2006 - 09:05:15 MST
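
Added example (not code from Squid or from anyone in this thread): a C++ sketch of how the `<encoding>(<value>)` form proposed above could be expanded and encoded before the header is sent to the ICAP server. The function name `headerValue`, the sample user `CORP\jdoe`, the `DOMAIN\` split rule for %N, and the rejection of CR/LF in `identity` output are assumptions made for this example.

```cpp
#include <iostream>
#include <string>

// Standard base64 (RFC 4648) with '=' padding.
static std::string base64(const std::string &in) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::string out;
    unsigned val = 0;
    int bits = -6;
    for (unsigned char c : in) {
        val = (val << 8) | c;
        for (bits += 8; bits >= 0; bits -= 6)
            out += tbl[(val >> bits) & 0x3F];
    }
    if (bits > -6)
        out += tbl[((val << 8) >> (bits + 8)) & 0x3F];
    while (out.size() % 4) out += '=';
    return out;
}

// Expand %U, %N and %% in tmpl, then apply "base64" or "identity".
// Returns false on an unknown substitution, unknown encoding, or unsafe output.
bool headerValue(const std::string &enc, const std::string &tmpl,
                 const std::string &user, std::string &out) {
    // Assumption: the domain part is the NTLM-style "DOMAIN\" prefix.
    const std::string::size_type slash = user.find('\\');
    const std::string bare = slash == std::string::npos ? user : user.substr(slash + 1);
    std::string v;
    for (std::string::size_type i = 0; i < tmpl.size(); ++i) {
        if (tmpl[i] != '%') { v += tmpl[i]; continue; }
        if (++i == tmpl.size()) return false;   // dangling '%'
        if (tmpl[i] == 'U') v += user;
        else if (tmpl[i] == 'N') v += bare;
        else if (tmpl[i] == '%') v += '%';
        else return false;                      // unsupported substitution
    }
    if (enc == "base64") { out = base64(v); return true; }
    // Added check (assumption): raw CR/LF in identity output would split the header.
    if (enc != "identity" || v.find_first_of("\r\n") != std::string::npos) return false;
    out = v;
    return true;
}

int main() {
    std::string h;   // constructed sample username below
    if (headerValue("base64", "Local://%N", "CORP\\jdoe", h))
        std::cout << "X-Authenticated-User: " << h << "\n";
}
```

With base64 the username bytes never appear raw in the header line, which is why the CR/LF check is only applied to the `identity` path.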
