On 30/11/2014 12:52 a.m., David Touzeau wrote:
>
> On 26/11/2014 11:27, Amos Jeffries wrote:
> On 24/11/2014 12:01 a.m., David Touzeau wrote:
>>>> Hi
>>>>
>>>> We have connected 3.5.0.2-20141121-r13666 with Active
>>>> Directory. It seems where there are spaces in login account
>>>> squid use only the last argument.
>>>>
>>>> For example for an account "Jhon smith" squid use "smith" only
>>>> For example for an account "Dr Jhon smith" squid use "smith" only
>>>>
>>>> In 3.3.13 there is no such issue, a "Jhon smith" account is
>>>> logged as "Jhon smith" and sent as Jhon%20smith to helpers
> Any information about the auth Scheme being performed? the helpers
> being used? and what is being sent to/from the helpers in 3.5
> different from the 3.3 version?
>
> Amos
>
>> _______________________________________________
>> squid-users mailing list
>> squid-users@xxxxxxxxxxxxxxxxxxxxx
>> http://lists.squid-cache.org/listinfo/squid-users
> Hi
>
> I'm using this method
>
> auth_param ntlm program /usr/bin/ntlm_auth --domain=TOUZEAU.BIZ --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 25 startup=5 idle=1
> auth_param ntlm keep_alive off
> #Dynamic ACLs groups Enabled: [1]
> external_acl_type ads_group ttl=3600 children-max=5 children-startup=1 children-idle=1 %LOGIN /usr/share/artica-postfix/external_acl_squid_ldap.php
> #Other settings
> authenticate_ttl 1 hour
> authenticate_cache_garbage_interval 10 seconds
> authenticate_ip_ttl 60 seconds
> # END NTLM Parameters --------------------------------
> #Basic authentication for other browser that did not supports NTLM: (KerbAuthMethod = )
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 3 startup=1 idle=1
> auth_param basic realm Basic Identification
> auth_param basic credentialsttl 2 hours
>
>
> On 3.3.13, everything works as expected. On 3.5x LOGIN are
> truncated where there is space on account.

By "LOGIN" are you meaning the log entries for user name labels? the %LOGIN format code delivered to the external ACL helper? the user=X labels delivered by the NTLM helper to Squid? or the generic "login" concept?

The 'old' helper protocol was a whitespace-delimited set of fields with fixed meaning for each column/field. If the helper is delivering an un-encoded SP character inside an old-style response to Squid it will be parsed as two values.

The 3.4+ helpers are parsing that protocol and upgrading it to the new kv-pair protocol automatically. Garbage fields are discarded from the input.

It looks like the 2-column AF (NTLM) response is being confused for a 3-column AF (Kerberos) response, since the only difference between the two helpers' outputs is the presence of a "token" column before the username field.

You can work around it with a script to convert the protocol explicitly before delivering to Squid.

Amos
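
The workaround suggested above (a script that converts the old whitespace-delimited NTLM replies to kv-pairs before Squid parses them), as an added example that is not part of the original message or of Squid. The helper command line is copied from the squid.conf quoted in the thread; the kv-pair spelling (`AF user="..."` with backslash escaping), the `naive_columns` model and all function names are assumptions to check against the helper documentation for your Squid version.

```python
import subprocess
import sys

# Real helper command line, copied from the squid.conf quoted in the thread.
HELPER = ["/usr/bin/ntlm_auth", "--domain=TOUZEAU.BIZ",
          "--helper-protocol=squid-2.5-ntlmssp"]

def naive_columns(line):
    """Simplified model (not Squid's code) of reading an AF line as
    whitespace-delimited columns: three or more fields look like the
    Kerberos 'AF token username' form, so the name is truncated."""
    fields = line.split()
    if fields[:1] != ["AF"] or len(fields) < 2:
        return {}
    if len(fields) == 2:
        return {"user": fields[1]}
    return {"token": fields[1], "user": fields[-1]}

def quote(value):
    """Double-quote a kv-pair value, escaping backslash and double quote."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def to_kv(line):
    """Convert one old-style NTLM reply to kv-pair form (assumed spelling).
    NTLM has no token column on AF, so everything after the code is the
    user name, spaces included."""
    code, _, rest = line.rstrip("\r\n").partition(" ")
    if code == "AF" and rest:
        return "AF user=" + quote(rest)
    if code == "TT" and rest:
        return "TT token=" + rest
    if code in ("NA", "BH"):
        return code + (" message=" + quote(rest) if rest else "")
    return "BH message=" + quote("unexpected helper reply")

def main():
    helper = subprocess.Popen(HELPER, stdin=subprocess.PIPE,
                              stdout=subprocess.PIPE, text=True, bufsize=1)
    for request in sys.stdin:  # requests from Squid pass through unchanged
        helper.stdin.write(request)
        helper.stdin.flush()
        reply = helper.stdout.readline()
        if not reply:
            break
        sys.stdout.write(to_kv(reply) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main()
```

Pointing `auth_param ntlm program` at a wrapper like this keeps the account name as a single field, so the name that reaches logs and the `%LOGIN` external ACL lookup is the full one.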