Re: returning a group name from the external authenticator.

From: Dancer <dancer@dont-contact.us>
Date: Mon, 23 Aug 1999 16:22:46 +1000

I have a patch which does this correctly:

http://www.simegen.com/~dancer/patches/ipauth.patch

Bart Bunting wrote:
>
> hi,
>
> Could you please reply directly as well as to the list. I have tried
> to subscribe, but have received no response, bounce or otherwise, from
> the listserv software.
>
> I've been trying to get squid to accept a group name along with the
> authenticator's response.
>
> I then want to use this group name instead of the username when
> passing requests to the redirector.
>
> Forgive me if some of these questions are basic, as I'm still trying
> to get my head around how the internals of squid actually work.
>
> I first modified the _acl_proxy_auth_user structure to take a group
> name as below.
>
> struct _acl_proxy_auth_user {
>     /* first two items must be same as hash_link */
>     char *user;
>     acl_proxy_auth_user *next;
>     /* extra fields for proxy_auth */
>     char *passwd;
>     char *group;        /* to hold the group name returned from the authenticator */
>     int passwd_ok;      /* 1 = passwd checked OK */
>     long expiretime;
> };
>
> Next I commented out the two lines in the function below that truncate
> the reply to the first word. My logic for doing this was that I need
> to pass the entire string returned by the authenticator through to the
> function handling the reply. Please tell me if this is a bad way of
> going about it?
>
> static void
> authenticateHandleReply(void *data, char *reply)
> {
>     authenticateStateData *r = data;
>     int valid;
>     char *t = NULL;
>     debug(29, 5) ("authenticateHandleReply: {%s}\n", reply ? reply : "<NULL>");
>     if (reply) {
>         /* if ((t = strchr(reply, ' ')))
>          *     *t = '\0';
>          */
>         if (*reply == '\0')
>             reply = NULL;
>     }
>     valid = cbdataValid(r->data);
>     cbdataUnlock(r->data);
>     if (valid)
>         r->handler(r->data, reply);
>     authenticateStateFree(r);
> }
>
> Next I modified the aclLookupProxyAuthDone function in acl.c, which
> appears to handle the reply from the authenticator.
>
> static void
> aclLookupProxyAuthDone(void *data, char *result)
> {
>     char *group = NULL; /* added by bart; stays NULL unless the reply carries a group */
>     aclCheck_t *checklist = data;
>     checklist->state[ACL_PROXY_AUTH] = ACL_LOOKUP_DONE;
>     debug(28, 4) ("aclLookupProxyAuthDone: result = %s\n",
>         result ? result : "NULL");
>
>     if (result && (strncasecmp(result, "OK", 2) == 0)) {
>         if ((group = strchr(result, ' ')))
>             group++;    /* increment group pointer so we don't get the space. */
>         /* a bare "OK" reply leaves group NULL; strdup(NULL) would crash */
>         checklist->auth_user->group = group ? strdup(group) : NULL;
>         debug(28, 4) ("group = %s %d\n", group ? group : "NULL",
>             group ? (int) strlen(group) : 0);
>         checklist->auth_user->passwd_ok = 1;
>     } else
>         checklist->auth_user->passwd_ok = 0;
>     aclCheck(checklist);
> }
>
> All the above code appears to work correctly. Where I run into trouble
> is trying to get the group name back to pass it to the redirector. I'm
> guessing I've done something silly like not initialising one of the
> pointers correctly, but I'm totally stuck. Below is the function in
> redirect.c that I modified and where I suspect the error is:
>
> void
> redirectStart(clientHttpRequest * http, RH * handler, void *data)
> {
>     ConnStateData *conn = http->conn;
>     redirectStateData *r = NULL;
>     const char *fqdn;
>     char buf[8192];
>     assert(http);
>     assert(handler);
>     debug(29, 5) ("redirectStart: '%s'\n", http->uri);
>     if (Config.Program.redirect == NULL) {
>         handler(data, NULL);
>         return;
>     }
>     r = xcalloc(1, sizeof(redirectStateData));
>     cbdataAdd(r, cbdataXfree, 0);
>     r->orig_url = xstrdup(http->uri);
>     r->client_addr = conn->log_addr;
>     debug(29, 5) ("redirectStart: groupnamestart start'\n");
>     /* this is where squid dies. */
>     debug(29, 5) ("redirectStart: groupnamestart %s'\n", http->acl_checklist->auth_user->group);
>     if (http->request->user_ident == NULL || *http->request->user_ident == '\0') {
>         r->client_ident = dash_str;
>     } else {
>         debug(29, 5) ("redirectStart: groupname %s'\n", http->acl_checklist->auth_user->group);
>         r->client_ident = http->acl_checklist->auth_user->group;
>         debug(29, 5) ("redirectStart: 2ndgroupname %s'\n", r->client_ident);
>         /* r->client_ident = http->request->user_ident; */
>     }
>     r->method_s = RequestMethodStr[http->request->method];
>     r->handler = handler;
>     r->data = data;
>     cbdataLock(r->data);
>     if ((fqdn = fqdncache_gethostbyaddr(r->client_addr, 0)) == NULL)
>         fqdn = dash_str;
>     snprintf(buf, 8192, "%s %s/%s %s %s\n",
>         r->orig_url,
>         inet_ntoa(r->client_addr),
>         fqdn,
>         r->client_ident,
>         r->method_s);
>     helperSubmit(redirectors, buf, redirectHandleReply, r);
> }
>
> And finally :) some of my cache.log, which may help explain what is
> going wrong:
>
> 1999/08/23 15:48:22| aclMatchAcl: checking ' acl ldap_auth proxy_auth REQUIRED ...'
> 1999/08/23 15:48:22| aclDecodeProxyAuth: cleartext = 'demo:demo'
> 1999/08/23 15:48:22| aclMatchProxyAuth: checking user 'demo'
> 1999/08/23 15:48:22| aclMatchProxyAuth: user 'demo' not yet known
> 1999/08/23 15:48:22| aclMatchAclList: returning 0
> 1999/08/23 15:48:22| aclCheck: checking password via authenticator
> 1999/08/23 15:48:22| aclDecodeProxyAuth: cleartext = 'demo:demo'
> 1999/08/23 15:48:22| aclLookupProxyAuthStart: going to ask authenticator on demo
> 1999/08/23 15:48:22| authenticateStart: 'demo:demo'
> 1999/08/23 15:48:22| cbdataAdd: 0x8547360
> 1999/08/23 15:48:22| cbdataLock: 0x856b6b8
> 1999/08/23 15:48:22| cbdataLock: 0x8547360
> 1999/08/23 15:48:22| cbdataValid: 0x8547360
> 1999/08/23 15:48:22| comm_write: FD 16: sz 20: hndl (nil): data (nil).
> 1999/08/23 15:48:22| commSetSelect: FD 16 type 2
> 1999/08/23 15:48:22| commSetSelect: FD 16 type 1
> 1999/08/23 15:48:22| helperDispatch: Request sent to authenticator #1, 20 bytes
> 1999/08/23 15:48:22| comm_select: 1 FDs ready at 935387302
> 1999/08/23 15:48:22| comm_select: FD 16 ready for writing
> 1999/08/23 15:48:22| commHandleWrite: FD 16: off 0, sz 20.
> 1999/08/23 15:48:22| commHandleWrite: write() returns 20
> 1999/08/23 15:48:22| comm_select: 0 FDs ready at 935387302
> 1999/08/23 15:48:22| comm_select: 0 FDs ready at 935387302
> 1999/08/23 15:48:22| comm_select: 1 FDs ready at 935387302
> 1999/08/23 15:48:22| comm_select: FD 16 ready for reading
> 1999/08/23 15:48:22| cbdataValid: 0x822dae0
> 1999/08/23 15:48:22| helperHandleRead: 11 bytes from authenticator #1.
> 1999/08/23 15:48:22| helperHandleRead: end of reply found
> 1999/08/23 15:48:22| cbdataValid: 0x8547360
> 1999/08/23 15:48:22| authenticateHandleReply: {OK student}
> 1999/08/23 15:48:22| cbdataValid: 0x856b6b8
> 1999/08/23 15:48:22| cbdataUnlock: 0x856b6b8
> 1999/08/23 15:48:22| aclLookupProxyAuthDone: result = OK student
> 1999/08/23 15:48:22| group = student 7
> 1999/08/23 15:48:22| cbdataValid: 0x8213a60
> 1999/08/23 15:48:22| aclCheck: checking 'http_access allow ldap_auth'
> 1999/08/23 15:48:22| aclMatchAclList: checking ldap_auth
> 1999/08/23 15:48:22| aclMatchAcl: checking ' acl ldap_auth proxy_auth REQUIRED ...'
> 1999/08/23 15:48:22| aclDecodeProxyAuth: cleartext = 'demo:demo'
> 1999/08/23 15:48:22| aclMatchProxyAuth: checking user 'demo'
> 1999/08/23 15:48:22| aclMatchProxyAuth: user 'demo' validated OK
> 1999/08/23 15:48:22| aclMatchProxyAuth: user 'demo' previously validated
> 1999/08/23 15:48:22| aclMatchUser: checking 'demo'
> 1999/08/23 15:48:22| aclMatchUser: looking for 'REQUIRED'
> 1999/08/23 15:48:22| aclMatchAclList: returning 1
> 1999/08/23 15:48:22| cbdataUnlock: 0x8213a60
> 1999/08/23 15:48:22| aclCheck: match found, returning 1
> 1999/08/23 15:48:22| aclCheckCallback: answer=1
> 1999/08/23 15:48:22| cbdataValid: 0x850c0c8
> 1999/08/23 15:48:22| clientAccessCheckDone: 'http://www.altavista.com' answer=1
> 1999/08/23 15:48:22| redirectStart: 'http://www.altavista.com'
> 1999/08/23 15:48:22| cbdataAdd: 0x85489a0
> 1999/08/23 15:48:22| redirectStart: groupnamestart start'
> FATAL: Received Segment Violation...dying.
> 1999/08/23 15:48:22| storeDirWriteCleanLogs: Starting...
> 1999/08/23 15:48:22| fileOpenComplete: FD 20, data 0x8537588, errcode 0
> 1999/08/23 15:48:22| fileOpenComplete: FD 20
>
> Any hints/explanations/suggestions are most welcome.
>
> Thanks in advance
>
> Bart
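An added, stand-alone example (not Bart's code and not from Squid's sources) of the two pieces the thread is about: parsing the authenticator's "OK group" reply so that a bare "OK" leaves the group NULL instead of reaching strdup(NULL), and building the redirector request line with "-" substituted the way redirect.c's dash_str is. The struct and function names are assumptions; unlike Squid's strncasecmp(result, "OK", 2) test, this parser also rejects replies such as "OKAY".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Parsed form of one reply line from the external authenticator,
 * e.g. "OK student\n", "OK\n" or "ERR\n". Names are assumptions. */
struct auth_reply {
    int ok;        /* 1 if the reply began with the word "OK" */
    char *group;   /* heap copy of the word after "OK", or NULL if absent */
};

/* Parse a helper reply. The group is the first word after "OK"; a
 * bare "OK" yields group == NULL, which callers must tolerate. */
struct auth_reply parse_auth_reply(const char *reply)
{
    struct auth_reply out = { 0, NULL };
    const char *p;
    size_t len;

    if (reply == NULL || strncasecmp(reply, "OK", 2) != 0)
        return out;
    if (reply[2] != '\0' && reply[2] != ' ' && reply[2] != '\n')
        return out;                 /* "OKAY..." is not an OK reply */
    out.ok = 1;
    p = reply + 2;
    while (*p == ' ')
        p++;
    len = strcspn(p, " \r\n");      /* stop at the end of the first word */
    if (len > 0) {
        out.group = malloc(len + 1);
        if (out.group != NULL) {
            memcpy(out.group, p, len);
            out.group[len] = '\0';
        }
    }
    return out;
}

/* Build the line handed to the redirector ("URL ip/fqdn ident method"),
 * substituting "-" for a missing fqdn or group as redirect.c does with
 * dash_str. Returns the number of bytes snprintf() would have written. */
int build_redirect_line(char *buf, size_t sz, const char *url,
                        const char *addr, const char *fqdn,
                        const char *group, const char *method)
{
    return snprintf(buf, sz, "%s %s/%s %s %s\n", url, addr,
                    fqdn ? fqdn : "-", group ? group : "-", method);
}
```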
Received on Tue Jul 29 2003 - 13:16:00 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:12:17 MST