[squid-users] squid 3.5x: Active Directory accounts with space issue

Amos Jeffries squid3 at treenet.co.nz
Sun Nov 30 08:08:10 UTC 2014


On 30/11/2014 12:52 a.m., David Touzeau wrote:
> On 26/11/2014 11:27, Amos Jeffries wrote:
>> On 24/11/2014 12:01 a.m., David Touzeau wrote:
>>> Hi
>>> We have connected with Active Directory. It seems that where there
>>> are spaces in the login account squid uses only the last argument.
>>> For example, for an account "Jhon smith" squid uses "smith" only.
>>> For example, for an account "Dr Jhon smith" squid uses "smith" only.
>>> In 3.3.13 there is no such issue, a "Jhon smith" account is
>>> logged as "Jhon smith" and sent as Jhon%20smith to helpers
>> Any information about the auth scheme being performed? the helpers
>> being used? and what is being sent to/from the helpers in 3.5
>> different from the 3.3 version?
>> Amos
>> _______________________________________________
>> squid-users mailing list
>> squid-users at lists.squid-cache.org
>> http://lists.squid-cache.org/listinfo/squid-users
> Hi
> I'm using this method
> auth_param ntlm program /usr/bin/ntlm_auth --domain=TOUZEAU.BIZ --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 25 startup=5 idle=1
> auth_param ntlm keep_alive off
> #Dynamic ACLs groups Enabled: [1]
> external_acl_type ads_group ttl=3600 children-max=5 children-startup=1 children-idle=1 %LOGIN /usr/share/artica-postfix/external_acl_squid_ldap.php
> #Other settings
> authenticate_ttl 1 hour
> authenticate_cache_garbage_interval 10 seconds
> authenticate_ip_ttl 60 seconds
> # END NTLM Parameters --------------------------------
> #Basic authentication for other browsers that do not support NTLM: (KerbAuthMethod =  )
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 3 startup=1 idle=1
> auth_param basic realm Basic Identification
> auth_param basic credentialsttl 2 hours
> On 3.3.13, everything works as expected. On 3.5x the LOGIN is
> truncated where there is a space in the account.

By "LOGIN" do you mean the log entries for user name labels?
 the %LOGIN format code delivered to the external ACL helper?
 the user=X labels delivered by the NTLM helper to Squid?
 or the generic "login" concept?

The 'old' helper protocol was a whitespace-delimited set of fields with
a fixed meaning for each column/field. If the helper is delivering an
un-encoded SP character inside an old-style response to Squid, it will
be parsed as two values.
 The 3.4+ helpers are parsing that protocol and upgrading it to the
new kv-pair protocol automatically. Garbage fields are discarded from
the input.

It looks like the 2-column AF (NTLM) response is being confused with a
3-column AF (Kerberos) response, since the only difference between the
two helpers' outputs is the presence of a "token" column before the
username field.

You can work around it with a script that converts the protocol explicitly
before delivering to Squid.

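The conversion script Amos suggests, as an added example that is not part of the thread and not one of Squid's own helpers. It sits between Squid and the real helper (ntlm_auth in David's config), forwards Squid's requests untouched, and rewrites only the helper's old-style replies into the 3.4+ key=value form, so a username with spaces leaves as one double-quoted value instead of being split into columns. The key names `user=` and `token=`, the double-quote/backslash quoting of values, and passing TT/NA/BH lines through unchanged are assumptions about the kv-pair protocol, not facts taken from the message; the script name helper-kv-wrap.py and the sample reply lines are constructed for the example.

```python
#!/usr/bin/env python3
"""helper-kv-wrap.py (hypothetical name): relay between Squid and an
old-protocol NTLM/Negotiate helper, re-emitting the helper's replies as
Squid 3.4+ key=value pairs.

    Squid  -->  this script  -->  real helper (e.g. ntlm_auth)
           <--               <--  (replies rewritten on the way back)
"""
import argparse
import subprocess
import sys


def quote_value(value: str) -> str:
    """Double-quote a kv-pair value, escaping backslashes and quotes.
    Assumption: Squid's kv parser accepts "..." values with \\-escapes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def convert_reply(line: str, scheme: str = "ntlm") -> str:
    """Rewrite one old-protocol reply line.

    scheme="ntlm":       'AF <username>'         -> 'AF user="<username>"'
    scheme="negotiate":  'AF <token> <username>' -> 'AF token=<token> user="<username>"'
    Anything else (TT, NA, BH, LD, or an AF with too few columns) is passed
    through unchanged (assumption: single-token lines need no rewriting).
    """
    line = line.rstrip("\r\n")
    parts = line.split(None, 1)            # split only on the first gap:
    if len(parts) != 2 or parts[0] != "AF":  # keeps spaces inside the username
        return line
    rest = parts[1].strip()
    if scheme == "ntlm":
        if not rest:
            return line
        return "AF user=" + quote_value(rest)
    if scheme == "negotiate":
        tok = rest.split(None, 1)          # token column, then the username
        if len(tok) != 2:
            return line                    # no username column: let Squid reject it
        return "AF token=%s user=%s" % (tok[0], quote_value(tok[1].strip()))
    raise ValueError("unknown scheme: " + scheme)


def run(helper_cmd, scheme):
    """Lock-step relay. NTLM/Negotiate helpers are stateful and handle one
    request at a time, so forward a request, wait for its reply, repeat."""
    child = subprocess.Popen(helper_cmd, stdin=subprocess.PIPE,
                             stdout=subprocess.PIPE, text=True, bufsize=1)
    try:
        for request in sys.stdin:          # "YR <blob>" / "KK <blob>" lines from Squid
            child.stdin.write(request)
            child.stdin.flush()
            reply = child.stdout.readline()
            if not reply:                  # helper exited; exit too so Squid restarts us
                return 1
            sys.stdout.write(convert_reply(reply, scheme) + "\n")
            sys.stdout.flush()
    finally:
        child.stdin.close()
        child.wait()
    return 0


if __name__ == "__main__":
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("--scheme", choices=("ntlm", "negotiate"), default="ntlm")
    ap.add_argument("helper", nargs=argparse.REMAINDER,
                    help="real helper command line, e.g. "
                         "/usr/bin/ntlm_auth --helper-protocol=squid-2.5-ntlmssp")
    args = ap.parse_args()
    if args.helper and args.helper[0] == "--":   # argparse keeps a leading "--"
        args.helper.pop(0)
    if not args.helper:
        ap.error("missing helper command")
    sys.exit(run(args.helper, args.scheme))
```

With the script installed as, say, /usr/local/bin/helper-kv-wrap.py, David's program line would become `auth_param ntlm program /usr/local/bin/helper-kv-wrap.py --scheme ntlm -- /usr/bin/ntlm_auth --domain=TOUZEAU.BIZ --helper-protocol=squid-2.5-ntlmssp`; the children/keep_alive settings stay as they are, because each wrapper still owns exactly one helper process. To confirm what Squid actually receives before and after, `debug_options 29,9 84,9` (authenticator and helper sections) shows the raw helper reply lines in cache.log.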

