[squid-users] ext_kerberos_ldap_group_acl and Kerberos cache

Amos Jeffries squid3 at treenet.co.nz
Wed May 18 11:29:17 UTC 2016

On 18/05/2016 5:57 p.m., Eugene M. Zheganin wrote:
> Hi.
> I've just checked that squid 3.5.19 sources, and discovered the
> following fact that is really disturbing:
> (first some explanation)
> Markus Moeller, the author of the external kerberos group helper, has
> implemented the Kerberos credentials cache in the
> ext_kerberos_ldap_group_acl  helper back in the 2014. The idea is to
> cache the credentials inside the helper instance, so when it encounters
> a request with user id and group that are already in the cache, the
> helper can skip the kerberos initialization sequence for this set of
> credentials. This cached version is times faster than original one, that
> doesn't use the cache.
> (now the disturbing fact)
> Surprisingly, the cached version didn't make it to the main tree for 2
> past years.
> Could this situation be corrected please ?

I don't know what you mean by "the main tree". But The feature you
describe does not qualify for adding to the 3.5 production release
series. The only features added to a series after is goes to "stable"
production releases are ones which resolve non-feature bugs or can be
done without affecting existing installations.

By changing the helper behaviour in all cases this clearly affects
existing installations. So only qualifies for including into the next
series, which is Squid-4.

It is a bit disappointing that 4.x is not yet in stable series itself.
But we need to get the major bugs in the new code fixed before that can


More information about the squid-users mailing list