Re: Patch to authenticate securely to upstream ISA server(or others)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 05 Sep 2009 01:33:24 +1200

Markus Moeller wrote:
> Henrik,
>
> I updated the patch. I also said that I removed the configure from
> squid_kerb_auth by replacing the whole squid_kerb_auth directory with
> the attached tar file (to the previous post) which hopefully fixes the
> Fedora build.

Markus,
   these changes won't help the Fedora build with Squid-3.1 frozen. That
will require a minimal change of probably just the configure.in.

Peer login bits are done and committed.

I'm in the process of bumping the helpers to C++ with their new names
for 3.2. Seeing as this helper change is pretty fundamental/big I'm
using it as step 1 of the upgrade/rename merge.

FYI: by the end of the weekend I hope to have your new code in the
directory negotiate_auth/kerberos/ producing the C++ binary helper
negotiate_kerberos_auth.

Amos

>
> Thank you
> Markus
>
> "Henrik Nordstrom" <henrik_at_henriknordstrom.net> wrote in message
> news:1251770416.16800.65.camel_at_henriknordstrom.net...
>> Needs quoting:
>> + KRB5INCS=`$krb5confpath --cflags krb5 2>/dev/null`
>> + KRB5LIBS=`$krb5confpath --libs krb5 2>/dev/null`
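Review bot: the `2>/dev/null` on both `$krb5confpath` calls hides a missing or failing krb5-config, so KRB5INCS and KRB5LIBS can end up empty with no configure-time message. Besides quoting `$krb5confpath`, check the exit status of each call (or test that the result is non-empty) and report a failure before the values reach the compiler and linker flags.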
>>
>> (seen twice, Solaris & generic)
>>
>>
>> Would also be nice if you could update squid_kerb_auth/configure with
>> this simplified kerberos configure dance. The squid_kerb_auth/configure
>> in Squid-3.0 adds a bit too many linker flags adding -Lno/lib -Rno/lib
>> for me and currently prevents it from being packaged for Fedora (build
>> QA check failure, incorrect run-path)
>>
>> Regards
>> Henrik
>>
>>
>> Mon 2009-08-31 at 14:03 +0100, Markus Moeller wrote:
>>> Hi Amos,
>>>
>>> Find attached a patch against the head release. Since I now need
>>> Kerberos and GSSAPI for the main source I removed the squid_kerb_auth
>>> configure and replaced the squid_kerb_auth directory with the attached.
>>>
>>> I tested on OpenSuse 11 with MIT Kerberos 1.6.3 (the default) and
>>> FreeBSD 7.0 with Heimdal 1.2.1 (added as the older FreeBSD base Heimdal
>>> package creates problems as squid's asn1.h and krb5_asn1.h have
>>> conflicts with oid definitions)
>>>
>>> Regards
>>> Markus
>>>
>>> ----- Original Message ----- From: "Amos Jeffries"
>>> <squid3_at_treenet.co.nz>
>>> To: "Markus Moeller" <huaraz_at_moeller.plus.com>
>>> Cc: <squid-dev_at_squid-cache.org>
>>> Sent: Tuesday, August 25, 2009 12:38 PM
>>> Subject: Re: Patch to authenticate securely to upstream ISA server(or
>>> others)
>>>
>>>
>>> > Markus Moeller wrote:
>>> >> In some setups the upstream proxy requires a secure authentication
>>> >> method (Negotiate, NTLM). The attached patches (2.7 and 3.0) allow
>>> >> this with Negotiate.
>>> >>
>>> >> Regards
>>> >> Markus
>>> >
>>> > Hi Markus,
>>> > Good to see this feature appearing.
>>> >
>>> > Just a few things to fix up before this can go in:
>>> >
>>> > * Makefile.am lines for linking peer_proxy_negotiate_auth.cc seem
>>> > to be indented with spaces instead of the automake required tabs.
>>> >
>>> > * Unfortunately 3.0 is closed for new features. Can we get a diff
>>> > against 3.HEAD code please?
>>> >
>>> > * there is zero documentation for the new option settings. Please
>>> > add to the cache_peer entry of src/cf.data.pre with the new details
>>> > for login=NEGOTIATE.
>>> >
>>> > * there is also no documentation for any of the code. Please
>>> > prefix each new function and global in your new code with at least
>>> > an overview description of what it does.
>>> >
>>> >
>>> > Amos
>>> > --
>>> > Please be using
>>> > Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
>>> > Current Beta Squid 3.1.0.13
>>> >
>>
>>

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
   Current Beta Squid 3.1.0.13
Received on Fri Sep 04 2009 - 13:33:37 MDT
