Re: fake user and group, and new icap header X-Authenticated-Groups proposition

From: Alex Rousskov <rousskov@dont-contact.us>
Date: Mon, 07 Apr 2008 23:44:04 -0600

On Mon, 2008-04-07 at 13:09 +0200, Arno _ wrote:

> In my configuration I have 2 Bluecoat proxies talking to a Webwasher via ICAP to control the URL.
> And I also have a squid 3.0 for my test and some special production purpose.
> My squid is doing a limited authentication, using basic or none for some IP range. I can't and don't want to do any other kind of authentication as I do on the production proxy.
>
> So to be able to make it work with the ICAP server (webwasher in my case) I need to send user name and user group to it so that I can control on the Webwasher the URL accessed from the test user and some production server.
>
> Since on the current squid (3 stable 4) there is nothing to let me cheat with the ICAP entry, I decided to add some features to it.
>
> I added the following ICAP options:
> icap_fake_client_username: lets me specify the client username that has to be put into the icap-client-username ICAP header, applied only if the icap_send_client_username is set; no default.
>
> icap_client_group_header: lets me create a header to be sent in the ICAP header; by default it's set to X-Client-Groups and, for now, it is only used if the next field is present
>
> icap_fake_client_group: lets me specify the client group that has to be put into the icap-client-group ICAP header; no default.
>
>
> TODO if possible: retrieve the client-group from the authentication procedure, if done in NTLM, AD, LDAP or another method that will allow this information. But I think it will need a lot of changes
>
>
> The changes are made to the following files:
> cf.data.pre
> ICAP/ICAPConfig.h
> ICAP/ICAPModXact.cc
>
>
> Sound interesting?
> Someone willing to give me instructions on how to continue the job?
> Suggestions on ways to improve it?

Please file a bug report with your patches. That way they will not be
forgotten and may be reviewed.

It would also be great if you could ask on squid-users whether anybody
ever felt the need to fake these ICAP headers. The patches are much more
likely to be accepted if it is a common need.

Thank you,

Alex.
Received on Mon Apr 07 2008 - 23:44:15 MDT
