[squid-users] benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl

Brendan Kearney bpk678 at gmail.com
Tue Jan 20 13:32:15 UTC 2015


On Wed, 2015-01-21 at 02:10 +1300, Amos Jeffries wrote:
> On 21/01/2015 1:38 a.m., Simon Staeheli wrote:
> >> Whatever floats your boat. The point of the Addon/Plugin/helpers
> >> API is that you can use scripts if they serve your needs better.
> >> 
> >> All the usual Open Source benefits of "many eyeballs" and
> >> somebody else doing code maintenance for you apply to using a
> >> bundled helper over a custom written one.
> >> 
> >> Beyond that the kerberos helper also provides automatic detection
> >> of which LDAP server to use via multiple auto-configuration
> >> methods.
> >> 
> >> If you can demonstrate that the ext_kerberos_ldap_group_acl does
> >> provide a superset of the functionality of the ext_ldap_group_acl
> >> helper then I can de-duplicate the two helpers.
> >> 
> >> Amos
> > 
> > Thanks for the hint regarding automatic detection of LDAP servers.
> > I am just trying to find what the differences between the two
> > helpers are and which one does fit my needs better. Any others?
> > 
> 
> Nothing I can pick out easily.
> 
> > Do you know anything about the feature in
> > ext_kerberos_ldap_group_acl mentioned by Markus Moeller in an
> > earlier post?
> > 
> > "I have a new method in my squid 3.4 patch which uses the Group 
> > Information MS is putting in the ticket. This would eliminate the
> > ldap lookup completely." 
> > (http://www.squid-cache.org/mail-archive/squid-users/201309/0046.html)
> >
> > 
> I think that refers to a work in progress. Markus maintains the
> un-bundled version of his helpers a little in advance of what has made
> it into the Squid stable branch. Some of what is available in his
> helper downloads is only in the Squid-3.HEAD alpha development code so
> far.
> 
> I am working on obsoleting the need for external group helpers. From
> 3.5 auth helpers can deliver to Squid a set of group= kv-pair in their
> response. Those can be used with the note ACL type to check group
> names without any external_acl_type helper lookup (making group checks
> possible in 'fast' access controls).

Will the 'fast' ACLs (or the underlying code) use the kerberos keytab
as an option for authentication to LDAP? This will remove the
credentials from a plain-text file on the filesystem.

> Markus joined me in this project and his latest kerberos auth helper
> (in 3.HEAD and his versions - *not* the 3.5 bundled version) produces
> group= kv-pair. Unfortunately they are in the obscure S-*-*-* registry
> ID format MS uses. The external_acl_type helper interface cannot yet
> be passed notes to decipher that to a known group name.
> 
> Amos
> 
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
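An added squid.conf sketch (not from this thread or the Squid project) of the Squid 3.5+ mechanism Amos describes: the auth helper returns a group= kv-pair and a note ACL checks it without any external_acl_type lookup. The helper path, helper options and the S-1-5-21-... SID are assumed placeholders, not values from the thread.

```conf
# Added example, not from the thread: group check via helper annotation (Squid 3.5+)

# Kerberos (Negotiate) auth helper; path and options are assumptions for this example
auth_param negotiate program /usr/lib/squid/negotiate_kerberos_auth -s GSS_C_NO_NAME
auth_param negotiate children 10 startup=2 idle=1
acl authenticated proxy_auth REQUIRED

# 'fast' group check: match the group= kv-pair the helper put in its response.
# Placeholder SID; as noted above, the helper emits MS S-*-*-* IDs, not group names.
acl proxy_users note group S-1-5-21-PLACEHOLDER-513

# No ext_ldap_group_acl / ext_kerberos_ldap_group_acl helper and no LDAP bind
# credentials on disk are needed for this check.
http_access deny !authenticated
http_access allow proxy_users
http_access deny all
```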
