On Wed, 2015-01-21 at 02:10 +1300, Amos Jeffries wrote: > On 21/01/2015 1:38 a.m., Simon Staeheli wrote: > >> Whatever floats your boat. The point of the Addon/Plugin/helpers > >> API is that you can use scripts if thy serve your needs better. > >> > >> All the usual Open Source benefits of "many eyeballs" and > >> somebody else doing code maintenance for you applies to using a > >> bundled helper over a custom written one. > >> > >> Beyond that the kerberos helper also provides automatic detection > >> of which LDAP server to use via mutiple auto-configuration > >> methods. > >> > >> If you can demonstrate that the ext_kerberos_ldap_group_acl does > >> provides a superset of the functionality of ext_ldap_group_acl > >> helper then I can de-duplicate the two helpers. > >> > >> Amos > > > > Thanks for the hint regarding automatic detection of LDAP servers. > > I am just trying to find what the differences between the two > > helpers are and which one does fit my needs better. Any others? > > > > Nothing I can pick out easily. > > > Do you know anything about the feature in > > ext_kerberos_ldap_group_acl mentioned by Markus Moeller in an > > earlier post? > > > > "I have a new method in my squid 3.4 patch which uses the Group > > Information MS is putting in the ticket. This would eliminate the > > ldap lookup completely." > > (http://www.squid-cache.org/mail-archive/squid-users/201309/0046.html) > > > > > I think that refers to a work in progress. Markus maintains the > un-bundled version of his helpers a little in advance of what has made > it into the Squid stable branch. Some of what is available in his > helper downloads is only in the Squid-3.HEAD alpha development code so > far. > > I am working on obsoleting the need for external group helpers. From > 3.5 auth helpers can deliver to Squid a set of group= kv-pair in their > response. Those can be used with the note ACL type to check group > names without any external_acl_type helper lookup (making group checks > possible in 'fast' access controls). will the 'fast' acl's (or the underlying code) use the kerberos keytab as an option for authentication to ldap? this will remove the credentials from a plain text file on the filesystem. > Markus joined me in this project and his latest kerberos auth helper > (in 3.HEAD and his versions - *not* the 3.5 bundled version) produces > group= kv-pair. Unfortunately they are in the obscure S-*-*-* registry > ID format MS uses. The external_acl_type helper interface cannot yet > be passed notes to decipher that to a known group name. > > Amos > > _______________________________________________ > squid-users mailing list > squid-users@xxxxxxxxxxxxxxxxxxxxx > http://lists.squid-cache.org/listinfo/squid-users _______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
