Re: winbindd NTLMSSP helper

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Sun, 8 Sep 2002 11:47:36 +0200

On Sunday 08 September 2002 09.12, Andrew Bartlett wrote:

> So, where do we go from here? For anything that looks at all like
> unix, the published unix interfaces are the way to go - we
> implement nsswitch and PAM in particular. For NTLMSSP, I've
> proposed one earlier in this thread.

Is this the NTLMSSP helper ASCII interface proposal I sent to
squid-dev, or do you have another proposal? Or what are we talking
about here?

> For the other interfaces, somebody (not me!) needs to define
> an interface, and propose it to samba-technical.

In Squid we currently use the following simple protocol

Query sent by Squid:
username groupname ...\n

Response sent by the helper
OK/ERR [reason="..."]\n

OK if the user belongs to any of the groups (and matches command line
criteria if any, depending on the helper used)

If there is whitespace or \ in the username or groupname then these
must be escaped with \ or quoted with ".

There is a fair bit more to the capabilities of the interface in Squid
used for this, but the above are the aspects that apply to group
lookups.

In Squid-2.6 we are likely to also support the use of URL escaping as
an alternative quoting mechanism in these lookups. Maybe also the
concept of returning a list of groups in response to authentication.

Regards
Henrik
Received on Sun Sep 08 2002 - 03:49:17 MDT
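
Added example (not part of the original message and not Squid or Samba code): a minimal group-lookup helper for the line protocol described above, showing the tokenising of \-escaped and "-quoted names and a fail-closed ERR on malformed input. The names split_query, answer and SAMPLE are hypothetical, the membership table is constructed, and treating \ as an escape inside quotes as well as outside is an assumption.

```python
import sys

def split_query(line):
    """Split one query line into tokens, honouring \\-escapes and "-quoting."""
    tokens, cur, in_quote, started = [], [], False, False
    chars = iter(line.rstrip("\r\n"))
    for ch in chars:
        if ch == "\\":
            # Assumption: backslash escapes the next character everywhere.
            nxt = next(chars, None)
            if nxt is None:
                raise ValueError("dangling backslash")
            cur.append(nxt)
            started = True
        elif ch == '"':
            in_quote = not in_quote
            started = True
        elif ch.isspace() and not in_quote:
            if started:
                tokens.append("".join(cur))
                cur, started = [], False
        else:
            cur.append(ch)
            started = True
    if in_quote:
        raise ValueError("unterminated quote")
    if started:
        tokens.append("".join(cur))
    return tokens

def answer(line, membership):
    """Return the helper's response line; anything unparsable is ERR."""
    try:
        tokens = split_query(line)
    except ValueError as exc:
        return 'ERR reason="%s"\n' % exc
    if len(tokens) < 2:
        return 'ERR reason="expected username and at least one group"\n'
    user, groups = tokens[0], tokens[1:]
    if membership.get(user, set()) & set(groups):
        return "OK\n"
    return 'ERR reason="not a member"\n'

# Constructed sample directory: user -> set of groups.
SAMPLE = {"alice": {"staff"}, "DOM\\bob": {"Domain Users"}}

if __name__ == "__main__":
    for query in sys.stdin:
        sys.stdout.write(answer(query, SAMPLE))
        sys.stdout.flush()  # one response per query line, unbuffered
```
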
