Re: Squid 3 HEAD - ICAP Modifications

From: Alex Rousskov <rousskov@dont-contact.us>
Date: Thu, 14 Dec 2006 08:48:02 -0700

On Thu, 2006-12-14 at 08:47 +0100, Axel Westerhold wrote:

> There is one more change I am currently testing. The
> problem with this patch:
>
> It does not follow any ICAP document but only enables squid to get rid of
> the DOMAIN part from an NTLM Auth so I can use the result string as a query
> on samaccountname. Would it be possible to add this too ?

I assume we are talking about modifying the authenticated client username,
passed via the icap_client_username_header to the ICAP server.

I believe the right thing to do here is similar to what Jeremy Hall did
with the icap_auth_scheme in
http://www.squid-cache.org/mail-archive/squid-dev/200611/0066.html

I would suggest adding an "icap_authenticated_user_header_value" option
that takes a string with the following supported substitutions:

    %U -- complete username, as is
    %N -- username without the domain part
    %% -- percent

I think we do not need a default value here, but would not object to
"Local://%U" if somebody insists on having a default.

The current "icap_client_username_header" option should be renamed to
"icap_authenticated_user_header_name".

The current "icap_client_username_encode" option should be renamed to
"icap_authenticated_user_header_encode". "On" should be the default, I
guess.

The three icap_authenticated_user_* options can be merged into one
multivalued option:
  icap_authenticated_user_header [<name>":"] [<encoding>"("] <value> [")"]

For example,
  icap_authenticated_user_header X-Authenticated-User: base64(Local://%U)
or
  icap_authenticated_user_header identity(%N)

Thank you,

Alex.

> On 14.12.2006 at 6:25, "Alex Rousskov" wrote from
> <rousskov@measurement-factory.com>:
>
> > On Mon, 2006-12-04 at 12:57 +0100, Axel Westerhold wrote:
> >> Hi everyone,
> >>
> >> Second try this time hopefully complete.
> >>
> >> This is again patched against Squid 3 HEAD and includes 4 changes I would
> >> like to have when working with webwasher/squid systems.
> >>
> >>
> >> A.) ICAPServiceRep::TheSessionFailureLimit set through squid.conf
> >> B.) ICAPServiceRep delay for a down service set through squid.conf
> >> C.) Instead of hardcoding the Header used to transfer the username being
> >> able to set the used one through squid.conf
> >> D.) When using X-Authenticated-User in C I need the username to be base64
> >> encoded so I added another option to turn on encoding if needed.
> >
> > The above changes, with minor modifications, are now committed to
> > squid3-icap branch. The corresponding patch is attached.
> >
> > I took the liberty to rename some of your new squid.conf options as well
> > as polish squid.conf comments and code. A negative value for the
> > icap_service_failure_limit disables the limit feature.
> >
> > Please test and let me know whether any further changes are needed.
> >
> > Thank you,
> >
> > Alex.
> >
>
Received on Thu Dec 14 2006 - 08:49:16 MST
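
The %U / %N / %% substitutions and the base64/identity encodings proposed in the message above, as an added example that is not Squid code and not from anyone in this thread. The names expandUserValue, stripDomain and base64 are hypothetical; it assumes the NTLM domain is everything up to the last '\' or '/' in the username, and it adds one check the thread does not discuss: with identity encoding, a value containing CR or LF is refused so it cannot split the ICAP header.

```cpp
#include <cstddef>
#include <string>

// Assumption: NTLM names look like DOMAIN\user (or DOMAIN/user).
std::string stripDomain(const std::string &user) {
    const std::string::size_type pos = user.find_last_of("\\/");
    return pos == std::string::npos ? user : user.substr(pos + 1);
}

// Standard base64 with '=' padding.
std::string base64(const std::string &in) {
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    std::string out;
    for (std::size_t i = 0; i < in.size(); i += 3) {
        unsigned n = (unsigned char)in[i] << 16;
        if (i + 1 < in.size()) n |= (unsigned char)in[i + 1] << 8;
        if (i + 2 < in.size()) n |= (unsigned char)in[i + 2];
        out += tbl[(n >> 18) & 63];
        out += tbl[(n >> 12) & 63];
        out += i + 1 < in.size() ? tbl[(n >> 6) & 63] : '=';
        out += i + 2 < in.size() ? tbl[n & 63] : '=';
    }
    return out;
}

// Expands fmt for one authenticated user and writes the header value to out.
// Returns false for an unknown substitution, a trailing lone '%', or an
// identity-encoded result that contains CR/LF.
bool expandUserValue(const std::string &fmt, const std::string &user,
                     bool useBase64, std::string &out) {
    std::string raw;
    for (std::size_t i = 0; i < fmt.size(); ++i) {
        if (fmt[i] != '%') { raw += fmt[i]; continue; }
        if (++i == fmt.size()) return false;      // dangling '%'
        switch (fmt[i]) {
        case 'U': raw += user; break;             // complete username, as is
        case 'N': raw += stripDomain(user); break; // without the domain part
        case '%': raw += '%'; break;
        default: return false;                    // unsupported code
        }
    }
    if (!useBase64 && raw.find_first_of("\r\n") != std::string::npos)
        return false;                             // would inject a header line
    out = useBase64 ? base64(raw) : raw;
    return true;
}
```
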
