
Re: squid 3.5x: Active Directory accounts with space issue

On 30/11/2014 09:08, Amos Jeffries wrote:

On 30/11/2014 12:52 a.m., David Touzeau wrote:
On 26/11/2014 11:27, Amos Jeffries wrote:
On 24/11/2014 12:01 a.m., David Touzeau wrote:
Hi

We have connected 3.5.0.2-20141121-r13666 with Active
Directory. It seems that where there are spaces in the login account,
squid uses only the last argument.

For example, for an account "Jhon smith" squid uses "smith" only.
For example, for an account "Dr Jhon smith" squid uses "smith" only.

In 3.3.13 there is no such issue: a "Jhon smith" account is
logged as "Jhon smith" and sent as Jhon%20smith to helpers.

Any information about the auth scheme being performed? The helpers
being used? And what is being sent to/from the helpers in 3.5
that differs from the 3.3 version?

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
Hi

I'm using this method

auth_param ntlm program /usr/bin/ntlm_auth --domain=TOUZEAU.BIZ --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 25 startup=5 idle=1
auth_param ntlm keep_alive off
#Dynamic ACLs groups Enabled: [1]
external_acl_type ads_group ttl=3600 children-max=5 children-startup=1 children-idle=1 %LOGIN /usr/share/artica-postfix/external_acl_squid_ldap.php
#Other settings
authenticate_ttl 1 hour
authenticate_cache_garbage_interval 10 seconds
authenticate_ip_ttl 60 seconds
# END NTLM Parameters --------------------------------
#Basic authentication for other browsers that do not support NTLM: (KerbAuthMethod =  )
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 3 startup=1 idle=1
auth_param basic realm Basic Identification
auth_param basic credentialsttl 2 hours


On 3.3.13, everything works as expected. On 3.5x, LOGIN is
truncated where there is a space in the account.

By "LOGIN" do you mean the log entries for user name labels?
  the %LOGIN format code delivered to the external ACL helper?
  the user=X labels delivered by the NTLM helper to Squid?
  or the generic "login" concept?

The 'old' helper protocol was a whitespace-delimited set of fields with
a fixed meaning for each column/field. If the helper is delivering an
un-encoded SP character inside an old-style response to Squid, it will
be parsed as two values.
  The 3.4+ helpers parse that protocol and upgrade it to the
new kv-pair protocol automatically. Garbage fields are discarded from
the input.

It looks like the 2-column AF (NTLM) response is being confused with a
3-column AF (Kerberos) response, since the only difference between the
two helpers' outputs is the presence of a "token" column before the
username field.

You can work around it with a script to convert the protocol explicitly
before delivering to Squid.

Amos
Thanks Amos.

I agree, but the helper answers just OK if the user is a member of a group; it doesn't send user=something.
After removing the helper, Squid still writes the truncated login.
So I'm talking about the generic login concept.
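The workaround Amos suggests (a script that converts the old whitespace-delimited helper protocol to the kv-pair protocol before the response reaches Squid), written out as an added example; this is not code from the thread, from Squid or from Samba's ntlm_auth. It sits between Squid and the helper and quotes the username so that a login such as "Dr Jhon smith" survives as one field. The kv-pair spellings it emits (OK/ERR/BH/TT with user=, token= and message=, double-quoted values with backslash escaping) are assumed from the Squid 3.4+ helper protocol and should be checked against the Squid wiki for your release; the helper path and arguments are taken from the config above.

```python
#!/usr/bin/env python3
"""Added example: shim between Squid 3.5 and an old-protocol NTLM/Negotiate helper (e.g. ntlm_auth)."""
import subprocess
import sys

def quote_value(value):
    """Quote a kv-pair value in double quotes, backslash-escaping '\\' and '"' (assumed convention)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def convert_response(line, scheme="ntlm"):
    """Re-emit one whitespace-delimited helper response as a kv-pair response.

    Old style: AF [token] user | NA [token] message | TT token | BH message.
    The token column exists only for scheme="negotiate" (Kerberos); every
    remaining column is the username or message, so spaces are preserved.
    """
    parts = line.rstrip("\r\n").split(" ")
    code, fields = parts[0], parts[1:]
    if code == "TT":
        return "TT token=" + (fields[0] if fields else "")
    if code == "BH":
        return "BH message=" + quote_value(" ".join(fields))
    if code in ("AF", "NA"):
        token = fields.pop(0) if scheme == "negotiate" and fields else None
        out = ["OK" if code == "AF" else "ERR"]
        if token:
            out.append("token=" + token)
        out.append(("user=" if code == "AF" else "message=") + quote_value(" ".join(fields)))
        return " ".join(out)
    return line.rstrip("\r\n")  # already kv-pair (OK/ERR) or unknown: pass through

def main(argv):
    """Usage: shim.py [ntlm|negotiate] [helper command...]: one request in, one reply out."""
    scheme = argv[1] if len(argv) > 1 else "ntlm"
    helper = argv[2:] or ["/usr/bin/ntlm_auth", "--helper-protocol=squid-2.5-ntlmssp"]
    child = subprocess.Popen(helper, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                             text=True, bufsize=1)
    for request in sys.stdin:            # Squid sends one request per line (YR/KK ...)
        child.stdin.write(request)
        child.stdin.flush()
        reply = child.stdout.readline()
        if not reply:                    # helper exited
            break
        sys.stdout.write(convert_response(reply, scheme) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    main(sys.argv)
```

Point the auth_param ntlm program line at this script (with the real helper command after the scheme argument) instead of at ntlm_auth directly; the ntlm helper protocol has no concurrency channel, so the strict one-request/one-reply loop is sufficient.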