Re: External ACL Problem

From: Guido Serassio <serassio@dont-contact.us>
Date: Fri, 05 Jul 2002 13:40:45 +0200

Hi Henrik,

At 00.33 05/07/2002 Henrik Nordstrom wrote:
>The format used in authentication very much depends on the scheme
>used.
>
>You refer to the protocol used for Basic authentication helpers here.
>That protocol is fundamentally flawed in that it does not protect the
>data in any manner. I will not duplicate the same flaw in any new
>protocols.
>
>For the external_acl protocol I selected the simplicity of a single
>line request/response protocol, and used the standard escape syntax
>of using \ to escape sensitive characters. In future there is likely
>to be another variant of the protocol using URL escaped strings.
>
>In the long run we need to decide on a good style on how helper
>protocols should be designed, but what can be said for certain is
>that the way the Basic authentication protocol currently works is not
>the way to do things. That \ should either be \ escaped into \\, or
>URL encoded.
>
>Regards
>Henrik

Right, I remember the problems related to spaces with the LDAP authenticator.
So, External ACL can handle (for example) groups with spaces in their names,
right?

But a question/idea:

What about adding a "revision" option to the basic authenticator
configuration in squid.conf? So, if revision is 1 (for example) or not
specified, Squid runs the authenticator with the old interface; if revision
is 2, Squid runs it with the new interface, maintaining backward
compatibility.

Regards

Guido

>On Thursday 04 July 2002 22.25, Guido Serassio wrote:
> > Hi Henrik,
> >
> > Testing the winbind External ACL group helper, I have just found a
> > problem:
> >
> > All authentication helpers handle the Windows domain\username
> > syntax and the Squid interface gives them usernames in this syntax.
> > But external ACL interfaces give me a domain\\username string.
> > So, I think that it would be better if external ACL used the same
> > format as Authentication.
> >
> > About the winbind External ACL group helper: from the command line it
> > seems to work fine.
> >
> > Regards
> >
> > Guido
> >
> >
> >
> > -
> > =======================================================
> > Serassio Guido
> > Via Albenga, 11/4 10134 -
> > Torino - ITALY E-mail: guido.serassio@serassio.it
> > WWW: http://www.serassio.it

-
=======================================================
Serassio Guido
Via Albenga, 11/4 10134 - Torino - ITALY
E-mail: guido.serassio@serassio.it
WWW: http://www.serassio.it
Received on Fri Jul 05 2002 - 05:40:55 MDT
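
The escaping discussed in this thread, as an added example that is not part of the original message and not Squid's own code. It assumes only what the thread states: `\` makes the following character literal, and unescaped whitespace separates fields. Function names and sample values are constructed.

```python
# Added example: field escaping for a single-line helper request.
# Assumption: "\" makes the next character literal and unescaped
# whitespace separates fields, as described in the thread.

def escape_field(value: str) -> str:
    """Escape backslash and whitespace so the value stays one field."""
    if "\n" in value or "\r" in value:
        raise ValueError("line terminators cannot travel in a one-line protocol")
    out = []
    for ch in value:
        if ch == "\\" or ch.isspace():
            out.append("\\")
        out.append(ch)
    return "".join(out)


def build_request(fields):
    """Join escaped fields into one request line (sender side)."""
    return " ".join(escape_field(f) for f in fields)


def parse_request(line: str):
    """Split a request line into fields, undoing the escapes (helper side)."""
    fields, current, in_field = [], [], False
    chars = iter(line.rstrip("\r\n"))
    for ch in chars:
        if ch == "\\":
            nxt = next(chars, None)
            if nxt is None:
                raise ValueError("dangling backslash at end of line")
            current.append(nxt)
            in_field = True
        elif ch.isspace():
            if in_field:  # unescaped whitespace closes the current field
                fields.append("".join(current))
                current, in_field = [], False
        else:
            current.append(ch)
            in_field = True
    if in_field:
        fields.append("".join(current))
    return fields


# Constructed sample: a Windows-style user name and a group containing a space.
SAMPLE = ["DOMAIN\\guido", "Domain Users"]
WIRE = build_request(SAMPLE)   # the text  DOMAIN\\guido Domain\ Users
NAIVE = WIRE.split(" ")        # a helper that ignores escaping sees 3 fields
```

A helper that splits on spaces without unescaping receives the doubled backslash and a group name cut in two, which is the mismatch reported at the bottom of the thread.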
