[squid-users] benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl

Amos Jeffries squid3 at treenet.co.nz
Tue Jan 20 13:10:10 UTC 2015



On 21/01/2015 1:38 a.m., Simon Staeheli wrote:
>> Whatever floats your boat. The point of the Addon/Plugin/helpers
>> API is that you can use scripts if they serve your needs better.
>> 
>> All the usual Open Source benefits of "many eyeballs" and
>> somebody else doing code maintenance for you applies to using a
>> bundled helper over a custom written one.
>> 
>> Beyond that the kerberos helper also provides automatic detection
>> of which LDAP server to use via multiple auto-configuration
>> methods.
>> 
>> If you can demonstrate that the ext_kerberos_ldap_group_acl does
>> provide a superset of the functionality of ext_ldap_group_acl
>> helper then I can de-duplicate the two helpers.
>> 
>> Amos
> 
> Thanks for the hint regarding automatic detection of LDAP servers.
> I am just trying to find what the differences between the two
> helpers are and which one does fit my needs better. Any others?
> 

Nothing I can pick out easily.

> Do you know anything about the feature in
> ext_kerberos_ldap_group_acl mentioned by Markus Moeller in an
> earlier post?
> 
> "I have a new method in my squid 3.4 patch which uses the Group 
> Information MS is putting in the ticket. This would eliminate the
> ldap lookup completely." 
> (http://www.squid-cache.org/mail-archive/squid-users/201309/0046.html)
>
> 
I think that refers to a work in progress. Markus maintains the
un-bundled version of his helpers a little in advance of what has made
it into the Squid stable branch. Some of what is available in his
helper downloads is only in the Squid-3.HEAD alpha development code so
far.

I am working on obsoleting the need for external group helpers. From
3.5 auth helpers can deliver to Squid a set of group= kv-pair in their
response. Those can be used with the note ACL type to check group
names without any external_acl_type helper lookup (making group checks
possible in 'fast' access controls).

Markus joined me in this project and his latest kerberos auth helper
(in 3.HEAD and his versions - *not* the 3.5 bundled version) produces
group= kv-pair. Unfortunately they are in the obscure S-*-*-* registry
ID format MS uses. The external_acl_type helper interface cannot yet
be passed notes to decipher that to a known group name.

Amos
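
Added example, not part of the original message and not configuration from the Squid project: a squid.conf sketch contrasting a group check through ext_kerberos_ldap_group_acl with a group check on the group= kv-pair using the note ACL type. The helper paths, ACL names, group ProxyUsers@EXAMPLE.COM and the SID value are assumptions constructed for illustration.

```conf
# Kerberos (Negotiate) authentication. Helper path is an assumption.
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth
auth_param negotiate children 10
acl authenticated proxy_auth REQUIRED

# Variant A: group check through an external ACL helper (LDAP lookup).
# external_acl_type checks are 'slow' ACLs: Squid waits for the helper's answer.
external_acl_type krb_ldap_group ttl=300 %LOGIN /usr/lib/squid/ext_kerberos_ldap_group_acl -g ProxyUsers@EXAMPLE.COM
acl proxy_users_ldap external krb_ldap_group

# Variant B: group check on the group= kv-pair returned by the auth helper.
# Requires an auth helper build that emits group= (see the message above).
# The value is the group's SID, not its name. This SID is a constructed placeholder.
acl proxy_users_note note group S-1-5-21-1111111111-2222222222-3333333333-1105

# Authenticate first so the helper's annotations are attached to the request,
# then apply ONE of the two group checks.
http_access deny !authenticated
# Variant A:
# http_access allow proxy_users_ldap
# Variant B:
http_access allow proxy_users_note
http_access deny all
```

Because Variant B matches on the SID string, renaming the group in the directory does not change the rule, but the SID has to be looked up once when writing the ACL.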


