On Tue, 2006-11-21 at 19:25 -0500, Jeremy Hall wrote:
> If I knew what the X-Authenticated-Groups header was supposed to
> look like, I would come up with something.
Does Section 3.5 "X-Authenticated-Groups" of the ICAP extensions draft
below help?
http://www.i-cap.org/spec/draft-stecher-icap-subid-00.txt
While the draft has expired long time ago and probably has many bugs, it
is pretty much a de facto reference for many implementations.
Alex.
> >>> "Westerhold, Axel" <Axel.Westerhold@dts.de> 11/21/06 3:42 PM >>>
> Nop, it won't ! Actually there are several reasons it won't
>
> 1.) Webwasher expects a group or a username to be used within a
> webwasher
> defined LDAP query. That way I do not need the auth_scheme
>
> 2.) the auth_sheme as proposed is short of fullfilling the needed
> abstaction
>
> Let's assume your AD is based on root dc=test,dc=intra. Users can be
> based
> on ou=admin_users or ou=normal_users. So the needed URI would either
> be
>
> LDAP://<server>/cn=%u,ou=%o,dc=%d,dc=intra
>
> None of the infos you can get from a SMB/NTLM/ADS auth will supply the
> needed OU (%o) info for your auth sheme. Actually this is a rather
> simple
> setup. Actually I know of more then one customer to spread it's
> userbase
> throughout several OU's.
>
> As there is a rather small base of commercially available ICAP
> implementations and none of those I know of actually use the auth-sheme
> we
> can still think about writing our own ICAP Server. In this case such a
> server would rather need an new auth sheme like
>
> AD://user:%u,domain:%d
>
> This would work in any LDAP query like
>
> Ldapsearch -X -h <server> -b %d,dc=intra samaccountname=%u
>
> Regards,
> Axel
>
>
>
>
>
> Am 21.11.2006 20:46 Uhr schrieb "Jeremy Hall" unter
> <jehall@central.unicor.gov>:
>
> > Does it work for your setup?
> >
> > _J
> >
> >>>> "Westerhold, Axel" <Axel.Westerhold@dts.de> 11/21/06 1:32 PM >>>
> > Hi Jeremy,
> >
> > That definately more then I need to do :-) ! I will just have to get
> > rid of
> > the domain but your approach might be better for the future.
> >
> > Axel
> >
> >
> >
> > Am 21.11.2006 19:26 Uhr schrieb "Jeremy Hall" unter
> > <jehall@central.unicor.gov>:
> >
> >> Hello,
> >>
> >> Here is the icap patch I am working on. It might not fully work,
> >> probably won't break much tho. It's not ready for merging, and the
> >> debug statements are wrong (shouldn't be prio 1) but I'm trying to
> > work
> >> out the kinks before readying it for merge.
> >>
> >> _J
> >>
> >>>>> "Westerhold, Axel" <Axel.Westerhold@dts.de> 11/21/06 12:54 PM
> >>>
> >> Hi All,
> >>
> >> I will have a look at the squid3 but I will need to modify it a
> > little
> >> bit
> >> so that I can split the Domain Part of the Username to make the
> >> webwasher
> >> happy on ist AD samaccount queries. From what I can see it should
> be
> >> easy
> >> enough to get this done inlcuding a way to enable/disable this
> > feature
> >> (like
> >> the one I did for 2.x).
> >>
> >> Also, I just shipped a 2.6 ICAP Patched Squid in a cluster setup
> to
> > a
> >> customer with 1000 Users. This Pilot Installation will get me a
> good
> >> feeling
> >> how stable 2.6 works.
> >>
> >> Regards,
> >> Axel
> >>
> >>
> >> Am 20.11.2006 22:57 Uhr schrieb "Tsantilas Christos" unter
> >> <chtsanti@users.sourceforge.net>:
> >>
> >>> Hi all,
> >>> The reported problems exists and are not webwasher related, exists
> >> for
> >>> every icap server.
> >>>
> >>> Axel's solutions causes crashes to squid in some cases. I think it
> >>> happens when http client closes the connection before the
> > connection
> >> to
> >>> the icap server closed. I am not sure it needs more debugging.
> >>> I am planning to give some more time...
> >>>
> >>> However, the squid3 with icap client is more stable than squid-26
> >> with
> >>> icap patch. I think the squid3 has only 2-3 bugs before the
> > release.
> >>> My opinion is that it does not make sense for someone to spend
> time
> >> in
> >>> squid26 icap client, it is good for testing and development but
> > only
> >>> that .....
> >>>
> >>> Regards,
> >>> Christos
> >>>
> >>> Westerhold, Axel wrote:
> >>>> Well,
> >>>>
> >>>> as I have a customer waiting for a fix I will just go with my
> >> modification
> >>>> and will try to pin down the real fault when I have some free
> time
> >>>> available. Setting the major version the way I do should not have
> > a
> >> real
> >>>> impact at least I can't see one right now on my test system.
> >>>>
> >>>> Regards,
> >>>> Axel
> >>>>
> >>>>
> >>>>
> >>>
Received on Wed Nov 22 2006 - 07:27:08 MST
This archive was generated by hypermail pre-2.1.9 : Wed Nov 29 2006 - 12:00:05 MST