[squid-users] benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl
Brendan Kearney
bpk678 at gmail.com
Tue Jan 20 13:32:15 UTC 2015
On Wed, 2015-01-21 at 02:10 +1300, Amos Jeffries wrote:
> On 21/01/2015 1:38 a.m., Simon Staeheli wrote:
> >> Whatever floats your boat. The point of the Addon/Plugin/helpers
> >> API is that you can use scripts if they serve your needs better.
> >>
> >> All the usual Open Source benefits of "many eyeballs" and
> >> somebody else doing code maintenance for you applies to using a
> >> bundled helper over a custom written one.
> >>
> >> Beyond that the kerberos helper also provides automatic detection
> >> of which LDAP server to use via multiple auto-configuration
> >> methods.
> >>
> >> If you can demonstrate that the ext_kerberos_ldap_group_acl does
> >> provide a superset of the functionality of ext_ldap_group_acl
> >> helper then I can de-duplicate the two helpers.
> >>
> >> Amos
> >
> > Thanks for the hint regarding automatic detection of LDAP servers.
> > I am just trying to find what the differences between the two
> > helpers are and which one does fit my needs better. Any others?
> >
>
> Nothing I can pick out easily.
>
> > Do you know anything about the feature in
> > ext_kerberos_ldap_group_acl mentioned by Markus Moeller in an
> > earlier post?
> >
> > "I have a new method in my squid 3.4 patch which uses the Group
> > Information MS is putting in the ticket. This would eliminate the
> > ldap lookup completely."
> > (http://www.squid-cache.org/mail-archive/squid-users/201309/0046.html)
> >
> >
> I think that refers to a work in progress. Markus maintains the
> un-bundled version of his helpers a little in advance of what has made
> it into the Squid stable branch. Some of what is available in his
> helper downloads is only in the Squid-3.HEAD alpha development code so
> far.
>
> I am working on obsoleting the need for external group helpers. From
> 3.5 auth helpers can deliver to Squid a set of group= kv-pair in their
> response. Those can be used with the note ACL type to check group
> names without any external_acl_type helper lookup (making group checks
> possible in 'fast' access controls).

will the 'fast' acl's (or the underlying code) use the kerberos keytab
as an option for authentication to ldap? this will remove the
credentials from a plain text file on the filesystem.

> Markus joined me in this project and his latest kerberos auth helper
> (in 3.HEAD and his versions - *not* the 3.5 bundled version) produces
> group= kv-pair. Unfortunately they are in the obscure S-*-*-* registry
> ID format MS uses. The external_acl_type helper interface cannot yet
> be passed notes to decipher that to a known group name.
>
> Amos
>
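
Added example, not part of the original thread and not code from Squid or from Markus's helpers: a Python sketch of what "deciphering" the S-*-*-* group values involves, pulling the group= kv-pairs out of a helper reply and turning each SID into a name or into the objectSid LDAP filter needed to look it up. The reply line, the SID-to-name table and all function names are constructed for illustration, and the reply layout (result code followed by key=value pairs) is an assumption.

```python
import shlex
from urllib.parse import unquote

# Constructed sample: a helper reply in kv-pair form carrying two group SIDs.
SAMPLE_REPLY = "OK user=alice@EXAMPLE.COM group=S-1-5-32-544 group=S-1-5-21-1-2-3-1105"

# Constructed SID-to-name table; in practice it would be filled from the directory.
KNOWN_GROUPS = {"S-1-5-32-544": "BUILTIN\\Administrators"}


def groups_from_reply(line):
    """Return every group= value from an OK reply, in order; [] otherwise."""
    tokens = shlex.split(line)  # honours quoted-string values
    if not tokens or tokens[0] != "OK":
        return []
    return [unquote(t[len("group="):]) for t in tokens[1:] if t.startswith("group=")]


def sid_to_bytes(sid):
    """Pack 'S-R-A-S1-S2...' into the binary SID layout stored in objectSid."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision > 255 or authority >= 1 << 48 or len(subs) > 15:
        raise ValueError("SID field out of range: %r" % sid)
    if any(s >= 1 << 32 for s in subs):
        raise ValueError("SID sub-authority out of range: %r" % sid)
    # Layout: revision, sub-authority count, 48-bit big-endian authority,
    # then each sub-authority as a 32-bit little-endian integer.
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(s.to_bytes(4, "little") for s in subs))


def ldap_filter_for_sid(sid):
    """Build an escaped objectSid filter for looking the group up in LDAP."""
    return "(objectSid=" + "".join("\\%02x" % b for b in sid_to_bytes(sid)) + ")"


def resolve_groups(line, known=KNOWN_GROUPS):
    """Map each SID to a known name, or to the LDAP filter needed to resolve it."""
    return [(sid, known.get(sid) or ldap_filter_for_sid(sid))
            for sid in groups_from_reply(line)]
```
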