On 24/12/2013 6:59 a.m., Markus Moeller wrote: > Hi Amos, > > Which helper has to do which rfc1738_(un)escape ? The helper which is generating the response needs to encode. The helepr which is consuming the response from Squid needs to un-encode. > I am running the > negotiate wrapper with NTLM and Kerberos. When I authenticate with NTLM > I see the following in the log > > 2013/12/23 17:45:48| negotiate_wrapper: received type 3 NTLM token > 2013/12/23 17:45:48| negotiate_wrapper: Return 'AF = WIN2003R2\mm > ' > > But my external helper does not get the \. Does the wrapper need to > escape the return value ( I would have thought the wrapper just forwards > waht is gets from the real auth helper) ? Yes, I expect the same. The helper being run by the wrapper should be doing that encode/decode work. > > kerberos_ldap_group.cc(329): pid=16122 :2013/12/23 17:45:58| > kerberos_ldap_group: MM: Got User: WIN2003R2mm Squid-3.4 is hitting a bug in the word tokenizer where it decodes \-escaped characters outside of quoted strings. You could perhapse workaround this by doing the old->new helper response format conversion in the worker. Amos
