Re: [squid-users] Sending on Group names after Kerb LDAP look-up

From: Nick Cairncross <Nick.Cairncross_at_condenast.co.uk>
Date: Thu, 25 Mar 2010 16:18:25 +0000

Amos,

Thanks for your help - you are right in that the connector has the ability to receive and manipulate ICAP, and using an NTLM authenticated user allows me to do the thing I need. All was nearly lost.

However, if I change to Kerberos authentication on my Squid then the connector breaks because it receives the user name as an UPN. Is it possible to send just the first part of the authenticated user (i.e. Username?) and not include the domain?

I read something interesting here: http://markmail.org/message/u3yoiykwkaykreoz about using string substitutions (%U, %N etc) Is this achievable with Squid? This could be the final piece in my puzzle...

Thanks,

Nick

On 24/03/2010 05:58, "Amos Jeffries" <squid3_at_treenet.co.nz> wrote:

Nick Cairncross wrote:
> Hi All,
>
> Things seem to be going well with my Squid project so far; a combined
> Mac/Windows AD environment using Kerberos authentication with fall
> back of NTLM. I (hopefully) seem to be getting the hang of it! I've
> been trying out the Kerberos LDAP look up tool and have a couple of
> questions (I think the answers will be no..):
>
> - Is it possible to wrap up the matched group name(s) in the header
> as it gets sent onwards to my peer? I used to use the authentication

I don't think so.
  There is a lot of manipulation magic you can do with the ICAP or eCAP
interfaces that is not possible directly in Squid though.

The risk is breaking back-end services that can't handle the altered
header. Since you say below about already doing so, I assume this is a
non-risk for your network.

> agent that came from our A/V provider. This tool ran as a service and
> linked into our ISA. Once a user authenticated their group membership
> was forwarded along with their username to my peer (Scansafe). The
> problem is that it only does NTLM auth. It added the group
> (WINNT://[group]) into the header and then a rule base at the peer
> site could be set up based on group. Since I am using Kerberos I
> wondered whether it's possible to send the results of the Kerb LDAP
> auth? I already see the user on the peer as the Kerberos login. It
> would be great if I could include the group or groups...

You can do transparent login pass-thru to the peer (login=PASS). You can
log Squid-3.1 into the peer with kerberos credentials.
  But I do not think the Kerberos details get decoded to a
username/password for Squid to pass back as a pair.

>
> This is what I use currently: cache_peer proxy44.scansafe.net parent
> 8080 7 no-query no-digest no-netdb-exchange login=* (From
> http://www.hutsby.net/2008/03/apple-mac-osx-squid-and-scansafe.html)
>
> - Are there plans to integrate the lookup tool in future versions of
> Squid? I've enjoyed learning about compiling but.. just wondering..
>

No. Plans are for all network-specific adaptation to be done via
external helper processes. The *CAP interfaces for add-on modules allow
all the adaptation extras to be plugged in as needed in a very powerful way.
  Check that AV tool, it likely has an ICAP interface Squid-3 can plug
into already.

Amos

--
Please be using
   Current Stable Squid 2.7.STABLE8 or 3.0.STABLE25
   Current Beta Squid 3.1.0.18
** Please consider the environment before printing this e-mail **
The information contained in this e-mail is of a confidential nature and is intended only for the addressee.  If you are not the intended addressee, any disclosure, copying or distribution by you is prohibited and may be unlawful.  Disclosure to any party other than the addressee, whether inadvertent or otherwise, is not intended to waive privilege or confidentiality.  Internet communications are not secure and therefore Conde Nast does not accept legal responsibility for the contents of this message.  Any views or opinions expressed are those of the author.
Company Registration details:
The Conde Nast Publications Ltd
Vogue House
Hanover Square
London W1S 1JU
Registered in London No. 226900
Received on Thu Mar 25 2010 - 16:19:36 MDT

This archive was generated by hypermail 2.2.0 : Mon Mar 29 2010 - 12:00:06 MDT