On Mon, 8 Nov 2004, Andrew Bartlett wrote:
> As the author of ntlm_auth, I guarantee that after issuing an 'AF' (and
> no other commands), the client program may issue 'UG', to return the
> group list. Is that enough? :-)
For me it is.
For me it is equally acceptable to revise the protocol to have AF return
additional information including groups.
I would propose a extensible syntax similar to that used in external acls
AF user=username attribute=value ...
using URL-encoded strings.
and similarily in all the other replies if additional information need to
be returned.
Maybe (but only mabye) the AF should be defined as
AF username attribute=value
(still URL-encoded username)
> How hard is it to add the extra step?
Not hard, but the fact that it is needed is a good sign of a weakness in
the protocol to begin with.
> The other reason I avoided it was for simplicity of parsing - currently
> we define the username as everything from the 'AF' to the end of line.
> I suppose we should now define the 'AF' response as:
>
> AF username=url-encoded-username authtoken=url-encodedgrouplist
>
> How does that sound?
B-)
For parsing reasons the groups should be returned using a multi-valued
attribute repeated once per group.
> What I would have liked was some way that this scheme could have been
> auto-negotiated. My previous proposal allowed squid to always try 'UG',
> and just swallow the failure reply if the helper was 'old'.
I have no problem defining a new initial command for exchanging the
capabilities. Would also serve the good purpose of verifying the
connectivity to the helper, including the ability to run a
self-diagnostics.
Regards
Henrik
Received on Mon Nov 08 2004 - 07:04:03 MST
This archive was generated by hypermail pre-2.1.9 : Tue Nov 30 2004 - 12:00:03 MST