Re: [squid-users] squid_ldap_auth

From: Henrik Nordstrom <henrik@dont-contact.us>
Date: Tue, 06 Mar 2007 02:08:52 +0100

Mon 2007-03-05 at 16:35 +0500, Eugene M. Zheganin wrote:

> I have read about the squid_ldap_group and decided to use it, because it
> restores the config management scheme back to its base. I successfully
> created and set up all the needed acls, removed the blocking acls and
> started using squid_ldap_group.

Good.

> However, I've encountered some regrettable weaknesses in it.
>
> 1) the best benefit of using 'ntlm_auth' and
> '--require-membership-of=[bla-bla]' was the immediate effect on the user.
> Immediately after adding the user to the 'Internet Users' group he was
> able to start using the proxy. In the case of 'squid_ldap_group' changes are
> visible immediately too, but only when using the helper from a shell.
> When using it with the proxy, squid needs to be '-k reconfigure'd after
> each LDAP group modification. Can this behavior be evaded? Is this a
> squid limitation or some error of mine in its configuration?

The same is true with squid_ldap_auth, but you need to shorten the
negative TTL. See the external_acl_type directive. The default is one
hour which is a bit much for what you are doing.

> 2) the RFC rfc2254 defines the escaping of the characters. It doesn't
> say that spaces need to be escaped, but, since squid_ldap_group doesn't
> accept either quotes or double quotes, I tried to use RFC2254 escaping
> when using squid_ldap_group from the shell.

See the external_acl_type directive for a description of the format used
between Squid and the helper.

        If protocol=3.0 (the default) then URL escaping is used to protect
        each value in both requests and responses.

        If using protocol=2.5 then all values need to be enclosed in quotes
        if they may contain whitespace, or the whitespace escaped using \.
        And quotes or \ characters within the keyword value must be \ escaped.

> It doesn't work, because squid
> replaces '\20' with '\5c20' (for some reason).

\5c20 is the text \20 escaped per RFC2254.

> However, the RFC2254
> escaping works when using from 'ldapsearch' tool.

Yes, that's because you are specifying the LDAP search filter manually.
This syntax also has to be used in the filter argument(s) to
squid_ldap_group. But you should not need to escape the space character
in LDAP search filters, it's not a reserved character.

> So at the moment I'm
> limited to the use of the AD names without spaces in them. (and the
> question is of course - will this be fixed or may be extended ?)

Usernames with spaces in them should work fine in your Squid.

To test manually from the command line you need to properly escape the
input to the helper. As you are using Squid-2.6 the input should be
URL-escaped using %20 as space.

Regards
Henrik
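The two encodings Henrik describes, as an added example (this is illustrative code written for this archive page, not Squid's or the helper's own source): the external_acl_type request line in protocol=3.0 form (each value URL-escaped, so a space becomes %20) and in protocol=2.5 form (values quoted, with " and \ escaped by \), plus the RFC 2254 filter escaping that turns a literal "\20" into "\5c20" while leaving a real space untouched. The filter template and its %v/%g placeholders are an assumption modelled on the helper's -f option; check your own helper's usage text for the exact placeholder names.

```python
import re
import urllib.parse


def encode_external_acl_line(values, protocol="3.0"):
    """Build the request line Squid writes to an external_acl_type helper.

    protocol=3.0 (Squid 2.6 default): every value is URL-escaped.
    protocol=2.5: values containing whitespace are enclosed in quotes,
    and any " or \\ inside a value is escaped with a backslash.
    """
    if protocol == "3.0":
        # safe="" so that "/" and ":" are escaped too; space -> %20
        return " ".join(urllib.parse.quote(v, safe="") for v in values)
    if protocol == "2.5":
        out = []
        for v in values:
            esc = v.replace("\\", "\\\\").replace('"', '\\"')
            if any(c.isspace() for c in v):
                esc = '"' + esc + '"'
            out.append(esc)
        return " ".join(out)
    raise ValueError("unknown external_acl_type protocol: %r" % protocol)


def decode_protocol30(line):
    """What the helper sees after undoing protocol=3.0 URL escaping."""
    return [urllib.parse.unquote(tok) for tok in line.split(" ")]


def ldap_filter_escape(value):
    """RFC 2254 escaping of a value placed inside an LDAP search filter.

    Only ( ) * \\ and NUL are reserved; a space is an ordinary character.
    A backslash typed by the user is therefore escaped to \\5c, which is
    exactly why a literal "\\20" in helper input comes out as "\\5c20".
    """
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(c, c) for c in value)


def build_group_filter(user, group, template="(&(cn=%g)(memberUid=%v))"):
    """Expand a group-lookup filter the way an LDAP group helper would.

    Assumption: %v stands for the user name and %g for the group name
    (hypothetical placeholders; consult the helper's -f documentation).
    """
    subs = {"v": ldap_filter_escape(user), "g": ldap_filter_escape(group)}
    return re.sub(r"%([vg])", lambda m: subs[m.group(1)], template)


def helper_pipeline(line):
    """Simulate the helper: decode the Squid line, then build the filter."""
    user, group = decode_protocol30(line)[:2]
    return build_group_filter(user, group)


if __name__ == "__main__":
    # Constructed sample values (not real accounts).
    user, group = "ezheganin", "Internet Users"
    # What Squid sends in each protocol version:
    print(encode_external_acl_line([user, group]))             # ezheganin Internet%20Users
    print(encode_external_acl_line([user, group], "2.5"))      # ezheganin "Internet Users"
    # Right way to test from a shell: feed the %20 form, space survives unescaped.
    print(helper_pipeline("ezheganin Internet%20Users"))
    # Wrong way: typing RFC 2254 "\20" gets its backslash escaped again.
    print(helper_pipeline("ezheganin Internet\\20Users"))
```

Feeding "ezheganin Internet%20Users" to the helper is what Squid itself does in protocol=3.0, and the resulting filter contains a plain space; feeding the shell-style "Internet\20Users" produces "Internet\5c20Users", the symptom described in the thread. A separate point from the first question: the default negative_ttl of one hour on external_acl_type is what delays group changes becoming visible, not the encoding.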

Received on Mon Mar 05 2007 - 18:09:00 MST
