[squid-users] squid 3.5x: Active Directory accounts with space issue
Amos Jeffries
squid3 at treenet.co.nz
Sun Nov 30 08:08:10 UTC 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 30/11/2014 12:52 a.m., David Touzeau wrote:
>
> Le 26/11/2014 11:27, Amos Jeffries a écrit : On 24/11/2014 12:01
> a.m., David Touzeau wrote:
>>>> Hi
>>>>
>>>> We have connected 3.5.0.2-20141121-r13666 with Active
>>>> Directory. It seems where there are spaces in login account
>>>> squid use only the last argument.
>>>>
>>>> For example for an account "Jhon smith" squid use "smith"
>>>> only For example for an account "Dr Jhon smith" squid use
>>>> "smith" only
>>>>
>>>> In 3.3.13 there is no such issue, a "Jhon smith" account is
>>>> logged as "Jhon smith" and sended as Jhon%20smith to helpers
> Any information about the auth Scheme being performed? the helpers
> being used? and what is being sent to/from the helpers in 3.5
> different from the 3.3 version?
>
> Amos
>
>> _______________________________________________ squid-users
>> mailing list squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
> Hi
>
> I'm using this method
>
> auth_param ntlm program /usr/bin/ntlm_auth --domain=TOUZEAU.BIZ
> --helper-protocol=squid-2.5-ntlmssp auth_param ntlm children 25
> startup=5 idle=1 auth_param ntlm keep_alive off #Dynamic ACLs
> groups Enabled: [1] external_acl_type ads_group ttl=3600
> children-max=5 children-startup=1 children-idle=1 %LOGIN
> /usr/share/artica-postfix/external_acl_squid_ldap.php #Other
> settings authenticate_ttl 1 hour
> authenticate_cache_garbage_interval 10 seconds authenticate_ip_ttl
> 60 seconds # END NTLM Parameters --------------------------------
> #Basic authentication for other browser that did not supports
> NTLM: (KerbAuthMethod = ) auth_param basic program
> /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic auth_param
> basic children 3 startup=1 idle=1 auth_param basic realm Basic
> Identification auth_param basic credentialsttl 2 hours
>
>
> On 3.3.13, everything works as expected. On 3.5x LOGIN are
> truncated where there is space on account.
By "LOGIN" are you meaning the log entries for user name labels?
the %LOGIN format code delivered to the external ACL helper?
the user=X labels delivered by the NTLM helper to Squid?
or the generic "login" concept?
The 'old' helper protocol was whitespace delimited set of fields with
fixed meaning for each column/field. If the helper is delivering an
un-encoded SP character inside an old-style response to Squid it will
be parsed as two values.
The 3.4+ helpers are parsing that protocol and upgrading it to the
new kv-pair protocol automatically. Garbage fields are discarded from
the input.
It looks like the 2-column AF (NTLM) response being confused for a
3-column AF (Kerberos) response. Since the only difference between the
two helpers outputs is the presence of a "token" column before the
username field.
You can workaround it with a script to convert the protocol explicitly
before delivering to Squid.
Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
iQEcBAEBAgAGBQJUetBqAAoJELJo5wb/XPRja6YH/1PpeTPb+BcfvWTKnsxDcy1O
deM+KEBK3nPz2IjTj6In73cH/UIkoFZaKIOViSR8MyjFtg517mz54tQcWWMkLIUQ
CId00veZcSlbpI1oJlg/eds6o0UXj+TZ4KpFGzLCnxLrAzwW93bneRuj6VeGUlpY
wlWwutZKFFlY1mHfIzlOkCE0f3AJZ/bK6XKP0x6UOfCzXjX4V/MW8KyhwCJXE0rz
Vr04GoJbMxSKR5JhMVZJV2uPteW9qFvX2efEkZA4coyV/E78YEp800et07eE+hRO
3O5Wswq7Lh+aZ0cMrjbdV/l4jcC/1UQnd9lM9rkiqoA3aXn63i5aUjxpbJJ9PWk=
=uEUQ
-----END PGP SIGNATURE-----
More information about the squid-users
mailing list