Re: [squid-users] strip domain/realm from icap header username

From: Nick Cairncross <Nick.Cairncross_at_condenast.co.uk>
Date: Fri, 12 Nov 2010 14:09:58 +0000

On 12/11/2010 13:59, "guest01" <guest01_at_gmail.com> wrote:

>Hi,
>
>We are using squid 3.1.8 (on RHEL5.5 64Bit) as authentication/caching
>forward proxy and an ICAP server for authorization and content
>filtering.
>
>At the moment, most of the users are authenticated by NTLM (we are
>planning for Kerberos) and the username is sent to our ICAP server
>which will do an LDAP lookup. This setup works pretty well for our
>default domain. If a user from a different, trusted domain will be
>authenticated by NTLM, then the username sent to the ICAP server will
>look like:
>DOMAIN+USERNAME
>
>The ICAP server cannot handle that during the LDAP lookup, the domain
>part has to be removed. I know that I can do that with Kerberos (there
>is an -r option in the negotiate_kerberos_auth-helper, at least in
>3.2x branch), but at the moment, I don't have that option for NTLM.
>Does anyone have any ideas how to easily solve that? (I know that in
>Freeradius, Freeradius will strip off the domain itself, that's why I
>am guessing that ntlm_auth cannot do that)
>
>Our plan is to upgrade to Kerberos and get rid of that problem, but if
>there occur troubles, we have to find a way to solve that problem by
>using NTLM. The "easiest" way I figured out is to modify the
>ModXact.cc-file and modify the icap header username, e.g. if there is
>a domain part, remove it. But that would cause some maintenance
>troubles after upgrades (we must not forget changing this file)
>
>I don't think it is a common problem (ntlm with multiple domains and
>icap), if I am wrong it may be a possible feature request. E.g. adding
>a new config option for squid.conf which will remove the domain part
>if enabled and an option for specifying the separator (most likely a +)
>
>best regards
>Peter

Not sure if this helps but Smb.conf can use the tag: winbind use
default domain = false OR true

If set to 'true' then DOMAIN\ is omitted. Might cause issues for
non-domain machines and other such, but it might help..? Otherwise, if
it's your own ICAP service can it be modified to exclude?

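As an added illustration of the last suggestion in the reply (normalising the name on the ICAP side rather than patching ModXact.cc), here is a small Python helper. It is not code from squid, from the poster, or from the replier; it assumes the ICAP service sees the raw username string squid sends, and the trusted-domain table and LDAP bases in it are constructed sample values. It goes slightly beyond the thread in that it accepts the `DOMAIN+user` form described in the question, the `DOMAIN\user` form winbind emits by default, and the `user@REALM` form a Kerberos helper produces, and it refuses unknown domains instead of silently dropping them, since a bare strip would make `jdoe` from two different domains look like one LDAP entry.

```python
"""Split a proxy-authenticated username into domain and user before LDAP.

Added example, not squid's or the list posters' code. Assumes the ICAP
service receives the username exactly as squid forwards it.
"""
import re
from typing import NamedTuple, Optional, Tuple

# Constructed sample policy: domains/realms the ICAP side will look up,
# mapped to the LDAP search base to use for each (hypothetical values).
TRUSTED_DOMAINS = {
    "CORP": "ou=people,dc=corp,dc=example",
    "CORP.EXAMPLE": "ou=people,dc=corp,dc=example",   # Kerberos realm form
    "PARTNER": "ou=people,dc=partner,dc=example",
}


class Identity(NamedTuple):
    domain: Optional[str]   # None when the helper sent a bare username
    user: str


# NTLM helpers emit DOMAIN+user (the separator seen in the thread) or
# DOMAIN\user (winbind's default); Kerberos helpers emit user@REALM.
_NTLM_RE = re.compile(r"^(?P<domain>[^+\\@]+)[+\\](?P<user>[^+\\@]+)$")
_KRB_RE = re.compile(r"^(?P<user>[^+\\@]+)@(?P<domain>[^+\\@]+)$")


def split_identity(raw: str) -> Identity:
    """Return (domain, user); domain is upper-cased for table lookups.

    Raises ValueError for names that contain a separator but do not fit
    either shape, so a garbled header never reaches the LDAP query.
    """
    m = _NTLM_RE.match(raw) or _KRB_RE.match(raw)
    if m:
        return Identity(m.group("domain").upper(), m.group("user"))
    if any(c in raw for c in "+\\@"):
        raise ValueError(f"malformed username: {raw!r}")
    return Identity(None, raw)


def ldap_lookup_target(raw: str, default_domain: str = "CORP") -> Tuple[str, str]:
    """Return (user, ldap_base) for a trusted domain.

    A name without a domain part is attributed to default_domain; a name
    from a domain not in TRUSTED_DOMAINS is rejected rather than stripped,
    so two accounts with the same short name cannot collapse into one.
    """
    ident = split_identity(raw)
    domain = ident.domain or default_domain
    base = TRUSTED_DOMAINS.get(domain)
    if base is None:
        raise PermissionError(f"domain {domain!r} is not trusted for lookups")
    return ident.user, base


if __name__ == "__main__":
    for name in ("CORP+jdoe", "PARTNER\\alice", "bob@CORP.EXAMPLE", "carol"):
        print(name, "->", ldap_lookup_target(name))
```

Where the thread's separator is known to be only `+`, the NTLM pattern can be narrowed to that single character; the upper-casing of the domain matters because NTLM and Kerberos helpers do not agree on case.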
Received on Fri Nov 12 2010 - 14:10:08 MST
