Hi, We are using squid 3.1.8 (on RHEL5.5 64Bit) as authentication/caching forward proxy and an ICAP server for authorization and content filtering. At the moment, most of the users are authenticated by NTLM (we are planning for Kerberos) and the username is sent to our ICAP server which will do an LDAP lookup. This setup works pretty good for our default domain. If an user from a different, trusted domain will be authenticated by NTLM, then the username sent to the ICAP server will look like: DOMAIN+USERNAME The ICAP server cannot handle that during the LDAP lookup, the domain part has to be removed. I know that I can do that with Kerberos (there is an -r option in the negotiate_kerberos_auth-helper, at least in 3.2x branch), but at the moment, I don't have that option for NTLM. Does anyone have any ideas how to easily solve that? (I know that in Freeradius, Freeradius will strip off the domain itself, that's why I am guessing that ntlm_auth cannot do that) Our plan is to upgrade to Kerberos and get rid of that problem, but if there occur troubles, we have to find a way to solve that problem by using NTLM. The "easiest" way I figured out is to modify the ModXact.cc-file and modify the icap header username, e.g. if there is a domain part, remove it. But that would cause some maintainance troubles after upgrades (we must not forget changing this file) I don't think it is a common problem (ntlm with multiple domains and icap), if I am wrong it may be a possible feature request. E.g. adding a new config option for squid.conf which will remove the domain part if enabled and an option for specifing the separator (most likely a +) best regards Peter
