Re: [squid-users] Sending on Group names after Kerb LDAP look-up

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 24 Mar 2010 18:58:21 +1300

Nick Cairncross wrote:
> Hi All,
>
> Things seem to be going well with my Squid project so far; a combined
> Mac/Windows AD environment using Kerberos authentication with fall
> back of NTLM. I (hopefully) seem to be getting the hang of it! I've
> been trying out the Kerberos LDAP look up tool and have a couple of
> questions (I think the answers will be no..):
>
> - Is it possible to wrap up the matched group name(s) in the header
> as it gets sent onwards to my peer? I used to use the authentication

I don't think so.
  There is a lot of manipulation magic you can do with the ICAP or eCAP
interfaces that is not possible directly in Squid though.

The risk is breaking back-end services that can't handle the altered
header. Since you say below about already doing so, I assume this is a
non-risk for your network.

> agent that came from our A/V provider. This tool ran as a service and
> linked into our ISA. Once a user authenticated their group membership
> was forwarded along with their username to my peer (Scansafe). The
> problem is that it only does NTLM auth. It added the group
> (WINNT://[group]) into the header and then a rule base at the peer
> site could be set up based on group. Since I am using Kerberos I
> wondered whether it's possible to send the results of the Kerb LDAP
> auth? I already see the user on the peer as the Kerberos login. It
> would be great if I could include the group or groups...

You can do transparent login pass-thru to the peer (login=PASS). You can
log Squid-3.1 into the peer with kerberos credentials.
  But I do not think the Kerberos details get decoded to a
username/password for Squid to pass back as a pair.

>
> This is what I use currently: cache_peer proxy44.scansafe.net parent
> 8080 7 no-query no-digest no-netdb-exchange login=* (From
> http://www.hutsby.net/2008/03/apple-mac-osx-squid-and-scansafe.html)
>
> - Are there plans to integrate the lookup tool in future versions of
> Squid? I've enjoyed learning about compiling but.. just wondering..
>

No. Plans are for all network-specific adaptation to be done via
external helper processes. The *CAP interfaces for add-on modules allow
all the adaptation extras to be plugged in as needed in a very powerful way.
  Check that AV tool, it likely has an ICAP interface Squid-3 can plug
into already.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
   Current Beta Squid 3.1.0.18
Received on Wed Mar 24 2010 - 05:58:32 MDT
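As an added illustration (not from the thread or the Squid project), a squid.conf fragment for Squid 3.1 that does what Amos describes: the Kerberos LDAP group lookup runs locally in an external ACL, the peer only ever sees the username via login=PASS, and the group result is used to gate peer access rather than being forwarded. Hostnames, realm, group name and helper paths are placeholders.

```conf
# Added example, not from the thread. Placeholders: proxy.peer.example.net,
# EXAMPLE.COM, ProxyAllowed, and the helper paths (adjust for your install).

# Negotiate/Kerberos authentication at the proxy itself
auth_param negotiate program /usr/lib/squid/squid_kerb_auth
auth_param negotiate children 10
auth_param negotiate keep_alive on

# Kerberos LDAP group lookup helper; -g takes group@REALM entries.
# The helper result is cached and stays local to this Squid.
external_acl_type krb_group ttl=3600 negative_ttl=600 %LOGIN \
    /usr/lib/squid/squid_kerb_ldap -g ProxyAllowed@EXAMPLE.COM

acl authenticated proxy_auth REQUIRED
acl in_proxy_group external krb_group

# Peer receives the authenticated login name only (login=PASS);
# no group information is placed in the forwarded request.
cache_peer proxy.peer.example.net parent 8080 7 no-query no-digest \
    no-netdb-exchange login=PASS
never_direct allow all

# Group membership is enforced here, per peer, instead of at the peer
cache_peer_access proxy.peer.example.net allow in_proxy_group
cache_peer_access proxy.peer.example.net deny all

http_access allow in_proxy_group
http_access deny all
```

Per-group routing to different peers can be expressed by repeating the cache_peer/cache_peer_access pairs with one external ACL per group.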