[squid-users] squid 3.5x: Active Directory accounts with space issue

David Touzeau david at articatech.com
Mon Dec 1 17:28:52 UTC 2014


On 30/11/2014 09:08, Amos Jeffries wrote:
> On 30/11/2014 12:52 a.m., David Touzeau wrote:
>> On 26/11/2014 11:27, Amos Jeffries wrote:
>> On 24/11/2014 12:01 a.m., David Touzeau wrote:
>>>>> Hi
>>>>>
>>>>> We have connected 3.5.0.2-20141121-r13666 with Active
>>>>> Directory. It seems that where there are spaces in the login account,
>>>>> Squid uses only the last argument.
>>>>>
>>>>> For example, for an account "Jhon smith" Squid uses "smith" only.
>>>>> For example, for an account "Dr Jhon smith" Squid uses "smith" only.
>>>>>
>>>>> In 3.3.13 there is no such issue: a "Jhon smith" account is
>>>>> logged as "Jhon smith" and sent as Jhon%20smith to helpers.
>> Any information about the auth Scheme being performed? the helpers
>> being used? and what is being sent to/from the helpers in 3.5
>> different from the 3.3 version?
>>
>> Amos
>>
>> Hi
>>
>> I'm using this method
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --domain=TOUZEAU.BIZ --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 25 startup=5 idle=1
>> auth_param ntlm keep_alive off
>> #Dynamic ACLs groups Enabled: [1]
>> external_acl_type ads_group ttl=3600 children-max=5 children-startup=1 children-idle=1 %LOGIN /usr/share/artica-postfix/external_acl_squid_ldap.php
>> #Other settings
>> authenticate_ttl 1 hour
>> authenticate_cache_garbage_interval 10 seconds
>> authenticate_ip_ttl 60 seconds
>> # END NTLM Parameters --------------------------------
>> #Basic authentication for other browsers that do not support NTLM: (KerbAuthMethod =  )
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 3 startup=1 idle=1
>> auth_param basic realm Basic Identification
>> auth_param basic credentialsttl 2 hours
>>
>>
>> On 3.3.13, everything works as expected. On 3.5x, LOGIN is
>> truncated where there is a space in the account.
> By "LOGIN" are you meaning the log entries for user name labels?
>   the %LOGIN format code delivered to the external ACL helper?
>   the user=X labels delivered by the NTLM helper to Squid?
>   or the generic "login" concept?
>
> The 'old' helper protocol was a whitespace-delimited set of fields with
> a fixed meaning for each column/field. If the helper is delivering an
> un-encoded SP character inside an old-style response to Squid, it will
> be parsed as two values.
>   The 3.4+ helpers are parsing that protocol and upgrading it to the
> new kv-pair protocol automatically. Garbage fields are discarded from
> the input.
>
> It looks like the 2-column AF (NTLM) response is being confused with a
> 3-column AF (Kerberos) response, since the only difference between the
> two helpers' outputs is the presence of a "token" column before the
> username field.
>
> You can work around it with a script that converts the protocol explicitly
> before delivering to Squid.
>
> Amos
Thanks Amos.

I agree, but the helper answers just OK if the user is a member of a
group; it doesn't send user=something.
After removing the helper, Squid still writes the truncated login.
So I'm talking about the generic login concept.
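The explicit protocol conversion Amos suggests, as an added example that is not part of this thread nor Squid's or Samba's own code: a small wrapper placed between Squid and ntlm_auth that rewrites an old-style two-column AF reply into the kv-pair form with a percent-encoded user= value (the encoding the thread shows 3.3 using). The wrapper path, the domain name and the exact kv-pair form Squid accepts are assumptions; it also assumes the helper runs without the concurrency= option, so replies can be forwarded in lockstep.

```python
#!/usr/bin/env python3
"""Protocol-upgrading wrapper between Squid 3.4+ and an old-style NTLM helper.

Constructed example, not Squid's or Samba's code. Assumed deployment:
  auth_param ntlm program /usr/local/bin/ntlm_wrap.py /usr/bin/ntlm_auth \
      --domain=EXAMPLE.LOCAL --helper-protocol=squid-2.5-ntlmssp
Assumes the helper runs without concurrency=, so one request line always
yields exactly one reply line and replies can be forwarded in lockstep.
"""
import subprocess
import sys
from urllib.parse import quote


def convert_response(line: str) -> str:
    """Rewrite an old 2-column 'AF <user>' reply as kv-pair 'AF user=<enc>'.

    In the whitespace-delimited protocol 'AF Jhon smith' is ambiguous:
    NTLM 2-column (user 'Jhon smith') or Kerberos 3-column (token 'Jhon',
    user 'smith'). Percent-encoding the value makes the field boundary explicit.
    """
    line = line.rstrip("\r\n")
    parts = line.split(" ", 1)
    if len(parts) == 2 and parts[0] == "AF":
        user = parts[1]
        if user.startswith("user="):      # already kv-pair form; leave alone
            return line + "\n"
        return "AF user=" + quote(user, safe="") + "\n"
    return line + "\n"                    # YR, TT, NA, BH, KK ... unchanged


def main(helper_cmd):
    helper = subprocess.Popen(helper_cmd, stdin=subprocess.PIPE,
                              stdout=subprocess.PIPE, text=True, bufsize=1)
    for request in sys.stdin:             # Squid -> helper, forwarded unchanged
        helper.stdin.write(request)
        helper.stdin.flush()
        reply = helper.stdout.readline()  # helper -> Squid, rewritten
        if not reply:                     # helper exited or closed stdout
            break
        sys.stdout.write(convert_response(reply))
        sys.stdout.flush()
    helper.stdin.close()
    return helper.wait()


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```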

