Re: 2.6stable5 icap client - reqmod problems with webwasher 5.x and 6

From: Jeremy Hall <jehall@dont-contact.us>
Date: Tue, 21 Nov 2006 14:46:13 -0500

I wrote mine the way I did because I want the domain part to be a part
of my ldap, like this:

ldap://ldap.domian.int/cn=%u,dc=%d,dc=domain,dc=int

_J
>>> "Westerhold, Axel" <Axel.Westerhold@dts.de> 11/21/06 1:19 PM >>>
Hi Jeremy,

see below what I did to 2.5 and 2.6. As it simply changes the username when
supplied to ICAP I can make sure it never has any influence on the rest of
the squid. This runs for installations up to 3000 Users (Squid/webwasher)
and as such is stable.

I will more or less keep it this way on my squid3 patch.

If this is of interest I will send the patch tomorrow.

Axel

diff -u --recursive squid-icap-2_5/src/cf.data.pre
squid-icap-2_5_dts_mod/src/cf.data.pre
--- squid-icap-2_5/src/cf.data.pre 2005-04-26 18:37:10.000000000
+0200
+++ squid-icap-2_5_dts_mod/src/cf.data.pre 2005-05-10
10:25:07.327766912 +0200
@@ -2760,6 +2760,17 @@
        icap_auth_scheme Radius://radius-server/%u
 DOC_END

+NAME: icap_auth_rmdomain
+TYPE: onoff
+IFDEF: HS_FEAT_ICAP
+COMMENT: on|off
+LOC: Config.icapcfg.auth_rmdomain
+DEFAULT: off
+DOC_START
+ Remove domain prefix if using possible before adding
+ "X-Authenticated-User" header
+DOC_END
+
 NAME: icap_service
 TYPE: icap_service_type
 IFDEF: HS_FEAT_ICAP
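
Review bot: The DOC_START text for icap_auth_rmdomain ("Remove domain prefix if using possible before adding") does not parse and never says which form is stripped. Since the icap_common.c change cuts at the first backslash, the text should say that DOMAIN\user is sent as user and that only the value placed in the "X-Authenticated-User" header changes. It is also worth documenting that with the option on, the ICAP server can no longer tell apart accounts with the same name in different domains.
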
diff -u --recursive squid-icap-2_5/src/icap_common.c
squid-icap-2_5_dts_mod/src/icap_common.c
--- squid-icap-2_5/src/icap_common.c 2005-03-20 19:11:47.000000000
+0100
+++ squid-icap-2_5_dts_mod/src/icap_common.c 2005-05-10
10:16:37.364293144 +0200
@@ -757,6 +757,29 @@
        debug(81, 5) ("icapAddAuthUserHeader: NULL username\n");
        return;
     }
+
+
+ /*
+ Changed 2005/05/10 DTS Service GmbH Axel Westerhold
+ This addition was added to allow NTLM authenticated user
+ names to loose it's DOMAIN prefix so that we can use the
+ rest to do a ldap search for samaccountname. The additional
+ config parameter icap_auth_rmdomain will enable/disable this
+ feature
+ */
+ if ( Config.icapcfg.auth_rmdomain ) {
+ debug(81,3) ("icapUser before domain removal: %s\n",user);
+ char* tmpuser;
+ tmpuser = strchr(user,'\\');
+ debug(81,3) ("icaptmpUser %s\n",tmpuser);
+ if (tmpuser != NULL) {
+ if ( strlen(tmpuser) > 0 ) {
+ user=tmpuser+1;
+ }
+ }
+ debug(81,3) ("icapUser after domain removal: %s\n",user);
+ }
+
     userlen = strlen(user);
     schemelen = strlen(Config.icapcfg.auth_scheme);
     len = userlen + schemelen + 1;
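
Review bot: In the added block, the debug(81,3) call that prints "icaptmpUser %s" runs before the 'tmpuser != NULL' test, so a username without a backslash passes NULL to %s; move that call inside the NULL check. The inner test 'strlen(tmpuser) > 0' is always true, because tmpuser points at the backslash itself, so an input of "DOMAIN\" produces an empty user; test tmpuser[1] != '\0' instead if a name with nothing after the backslash should be left unchanged. 'char* tmpuser;' is also declared after a statement, which pre-C99 compilers reject; declare it at the top of the block.
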
diff -u --recursive squid-icap-2_5/src/structs.h
squid-icap-2_5_dts_mod/src/structs.h
--- squid-icap-2_5/src/structs.h 2005-05-05 17:05:07.000000000
+0200
+++ squid-icap-2_5_dts_mod/src/structs.h 2005-05-10
10:19:47.629368456 +0200
@@ -395,6 +395,7 @@
     int check_interval;
     int send_client_ip;
     int send_auth_user;
+ int auth_rmdomain;
     char *auth_scheme;
 };

On 21.11.2006 at 18:59, "Jeremy Hall" <jehall@central.unicor.gov> wrote:

> I'm working with a patch I did for that purpose, only thing is that
> something I did caused a segv when it does a reconfig, which is why I
> haven't committed to the icap branch.
>
> _J
>
>>>> "Westerhold, Axel" <Axel.Westerhold@dts.de> 11/21/06 12:54 PM >>>
> Hi All,
>
> I will have a look at the squid3 but I will need to modify it a little bit
> so that I can split the Domain Part of the Username to make the webwasher
> happy on its AD samaccount queries. From what I can see it should be easy
> enough to get this done including a way to enable/disable this feature (like
> the one I did for 2.x).
>
> Also, I just shipped a 2.6 ICAP Patched Squid in a cluster setup to a
> customer with 1000 Users. This Pilot Installation will get me a good feeling
> how stable 2.6 works.
>
> Regards,
> Axel
>
>
> On 20.11.2006 at 22:57, "Tsantilas Christos"
> <chtsanti@users.sourceforge.net> wrote:
>
>> Hi all,
>> The reported problems exist and are not webwasher related, they exist for
>> every icap server.
>>
>> Axel's solution causes crashes to squid in some cases. I think it
>> happens when http client closes the connection before the connection to
>> the icap server closed. I am not sure it needs more debugging.
>> I am planning to give some more time...
>>
>> However, the squid3 with icap client is more stable than squid-26 with
>> icap patch. I think the squid3 has only 2-3 bugs before the release.
>> My opinion is that it does not make sense for someone to spend time in
>> squid26 icap client, it is good for testing and development but only
>> that .....
>>
>> Regards,
>> Christos
>>
>> Westerhold, Axel wrote:
>>> Well,
>>>
>>> as I have a customer waiting for a fix I will just go with my modification
>>> and will try to pin down the real fault when I have some free time
>>> available. Setting the major version the way I do should not have a real
>>> impact at least I can't see one right now on my test system.
>>>
>>> Regards,
>>> Axel
>>>
>>>
>>>
>>
Received on Tue Nov 21 2006 - 12:47:08 MST