Re: Contribution to Squid development.

From: Pierangelo Masarati <ando@dont-contact.us>
Date: Thu, 06 Sep 2007 23:36:16 +0200

Pierangelo Masarati wrote:

> Anyway, for the braves, see
> <http://www.sys-net.it/~ando/Download/squid-ldap-20070905.patch>
>
> Everything has been moved to libmiscutil, and squid_ldap_auth has been
> reworked to exploit it. The rationale is that common data is now placed
> in a global structure, and helper functions rely on finding it there.
> This design is far from ideal, but helpers are only supposed as "one
> shot" and single-threaded, so it's not really an issue. If this does
> not sound elegant, helper functions could be passed a pointer to the
> very same structure.
>
> Among the promised new features, only SASL bind has been added and
> (partially) tested (only EXTERNAL with ldapi:// right now; more will
> follow). It either uses parameters passed by command-line or defaults
> set via ldap.conf/ldaprc.

<http://www.sys-net.it/~ando/Download/squid-ldap-20070906.patch>

I've cleaned up SASL bind, added support for password policy during
LDAPBind with user's credentials, or proxied authorization during
LDAPCompare of the password attribute, and documented everything in the
usage() message and in the man page, so now squid_ldap_auth should be in
a somewhat better shape.

I've noticed that in Squid's main code anything following "ERR" can be
exploited, but there's no provision for extra stuff after "OK", which
prevents exploitation of the warning part of password policy. This
might not be important unless Squid has any means of reporting to the
user that an account is about to expire; however, if there's consensus,
I'd like to look also at allowing (and exploiting) this (optional) part
of successful response messages.

Cheers, p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
Received on Thu Sep 06 2007 - 15:35:33 MDT
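As an added example (not part of the patch above or of Squid's own code), a fail-closed parser in C for the helper reply lines discussed in the message: an optional message is carried after both ERR and OK, as the mail proposes, and any other status token is treated as a failed authentication. The function and type names are assumptions, not Squid identifiers.

```c
#include <stdio.h>
#include <string.h>

enum helper_status { HELPER_OK = 0, HELPER_ERR = 1 };

struct helper_reply {
    enum helper_status status;
    char message[256];   /* text after the status token, "" if none */
};

/* Parse one reply line. Returns 1 if the status token was OK or ERR,
 * 0 otherwise; on 0 the status is forced to HELPER_ERR so a malformed
 * line can never be taken as a successful authentication. */
int parse_helper_reply(const char *line, struct helper_reply *out)
{
    const char *p = line;
    size_t tok_len, msg_len;

    out->status = HELPER_ERR;
    out->message[0] = '\0';

    while (*p == ' ' || *p == '\t')
        p++;
    tok_len = strcspn(p, " \t\r\n");          /* status token */
    if (tok_len == 2 && strncmp(p, "OK", 2) == 0)
        out->status = HELPER_OK;
    else if (tok_len == 3 && strncmp(p, "ERR", 3) == 0)
        out->status = HELPER_ERR;
    else
        return 0;

    p += tok_len;
    while (*p == ' ' || *p == '\t')
        p++;
    msg_len = strcspn(p, "\r\n");             /* optional message */
    if (msg_len >= sizeof(out->message))
        msg_len = sizeof(out->message) - 1;   /* truncate, don't overflow */
    memcpy(out->message, p, msg_len);
    out->message[msg_len] = '\0';
    return 1;
}

/* Convenience check: did the line parse with this status and message? */
int reply_is(const char *line, enum helper_status st, const char *msg)
{
    struct helper_reply r;
    return parse_helper_reply(line, &r) && r.status == st
        && strcmp(r.message, msg) == 0;
}
```

Constructed sample lines such as "OK password will expire in 3 days" show how a password-policy warning could ride along with a successful reply without changing the ERR handling.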