x-authenticated-groups header attribute for icap content filtering by group membership

From: guest01 <guest01_at_gmail.com>
Date: Fri, 16 Apr 2010 09:44:01 +0200

Hi,

I am using Squid as a caching/authentication proxy with a webwasher
appliance as ICAP server. This webwasher appliance assigns policies
based on group membership. Unfortunately, squid only sends the client
ip and username in an ICAP request to the ICAP server. I suppose this
is a feature also common to other ICAP server vendors?

I suggest enhancing the squid icap client capabilities with the
x-authenticated-groups header attribut. Based on Squid 3.1.1 we could
just extend the ModXact.cc file with something like:

void Adaptation::Icap::ModXact::makeGroupHeader(const HttpRequest
*request, MemBuf &buf)
{
    if (const AuthUserRequest *auth = request->auth_user_request) {
        if (auth->username()) {
            const char *valuegroup = base64_encode("LDAP:///TESTGROUP");
            buf.Printf("X-Authenticated-Groups: %s\r\n", valuegroup);
        }
    }
}

In that case, I add the attribute LDAP:///TESTGROUP to every ICAP
request (at least ICAP requests with valid usernames) and can assign
a policy to this group on my webwasher. This is just a proof of
concept, we have to get this groups from the directory (LDAP would be
sufficient to access LDAP servers and even MS AD). It is not a problem
to add ldapsearch code to this file, but I am not sure this is a good
idea. I suppose there are better ways to solve this problem? For LDAP
operations, squid uses external helpers, maybe that would be a good
idea to solve this kind of issue too? Any suggestions?

regards
Received on Fri Apr 16 2010 - 07:44:09 MDT

This archive was generated by hypermail 2.2.0 : Fri Apr 16 2010 - 12:00:08 MDT