[squid-users] benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl

Amos Jeffries squid3 at treenet.co.nz
Tue Jan 20 13:48:44 UTC 2015


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 21/01/2015 2:32 a.m., Brendan Kearney wrote:
> On Wed, 2015-01-21 at 02:10 +1300, Amos Jeffries wrote:
>> On 21/01/2015 1:38 a.m., Simon Staeheli wrote:
>>>> Whatever floats your boat. The point of the
>>>> Addon/Plugin/helpers API is that you can use scripts if they
>>>> serve your needs better.
>>>> 
>>>> All the usual Open Source benefits of "many eyeballs" and 
>>>> somebody else doing code maintenance for you apply to using
>>>> a bundled helper over a custom written one.
>>>> 
>>>> Beyond that the kerberos helper also provides automatic
>>>> detection of which LDAP server to use via multiple
>>>> auto-configuration methods.
>>>> 
>>>> If you can demonstrate that the ext_kerberos_ldap_group_acl
>>>> does provide a superset of the functionality of the
>>>> ext_ldap_group_acl helper then I can de-duplicate the two
>>>> helpers.
>>>> 
>>>> Amos
>>> 
>>> Thanks for the hint regarding automatic detection of LDAP
>>> servers. I am just trying to find what the differences between
>>> the two helpers are and which one does fit my needs better. Any
>>> others?
>>> 
>> 
>> Nothing I can pick out easily.
>> 
>>> Do you know anything about the feature in 
>>> ext_kerberos_ldap_group_acl mentioned by Markus Moeller in an 
>>> earlier post?
>>> 
>>> "I have a new method in my squid 3.4 patch which uses the Group
>>>  Information MS is putting in the ticket. This would eliminate
>>> the ldap lookup completely." 
>>> (http://www.squid-cache.org/mail-archive/squid-users/201309/0046.html)
>>> 
>> 
>> I think that refers to a work in progress. Markus maintains the
>> un-bundled version of his helpers a little in advance of what has
>> made it into the Squid stable branch. Some of what is available
>> in his helper downloads is only in the Squid-3.HEAD alpha
>> development code so far.
>> 
>> I am working on obsoleting the need for external group helpers.
>> From 3.5 auth helpers can deliver to Squid a set of group=
>> kv-pair in their response. Those can be used with the note ACL
>> type to check group names without any external_acl_type helper
>> lookup (making group checks possible in 'fast' access controls).
> 
> will the 'fast' ACLs (or the underlying code) use the kerberos
> keytab as an option for authentication to LDAP?  This will remove
> the credentials from a plain text file on the filesystem.

'fast' ACLs are limited to what state Squid has in memory at the point
in time when they are checked. There is no possibility of asynchronous
lookups, I/O, or filesystem access.

The note ACL compares a text string loaded from squid.conf (the ACL
defined value to match) with a text string kv-pair returned by the
helper. In this case a "group=X" kv-pair from the auth helper. It is up
to the helper what it uses to produce that kv-pair. I believe Markus'
helper pulls the group field(s) directly from the keytab.

Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUvly7AAoJELJo5wb/XPRjQxsIAJIv8mVOlhzgIow7QxXS96q0
VZOT8BQFtKhPlB/pCIQztj1FKBIsnBB7TET41PBzjGe8wrpjJmLBuOCTIStx5j8I
dAVt9Rp0W7ILPx57vgnewAqoESRVIJtedSgAzblCX2bt3PIhJVECGH95JLIVSzDq
h1e1v0gy7evwJMkE+a9i6j3jCiFeYqnM3TTpVcxJRC0vRVIuyegBnqvLTWqX0sIT
Kmej+sDjPvQ+Jgub/V++JR4NMzXZy8H/oYgfcQaNVilxzANEsKEcmGhYg20FLEJv
5j4Q1a5k7MKeFSA3YwRFtIS/Jze7ji0K41O3kQYlZuHBe0xGnT5+rVD103fmlVs=
=m1FO
-----END PGP SIGNATURE-----
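The following is an added illustration of the mechanism Amos describes (an auth helper returning group= kv-pairs that a note ACL can match in a fast access control); it is not code from the thread, from Squid, or from Markus Moeller's helpers. It is a constructed POSIX sh basic-auth helper with a hard-coded user table for demonstration only, and the squid.conf lines in the comments assume the 3.5 syntax `acl name note key value` and that a helper may repeat the group= pair once per group. It does not decode the %XX escaping Squid applies to special characters in the username/password fields, so it assumes plain ASCII values.

```shell
#!/bin/sh
# Constructed example (not Squid's code): a Squid 3.5 basic auth helper that
# annotates its reply with group= kv-pairs. Squid stores each kv-pair as a
# transaction annotation, so squid.conf can test group membership with the
# 'note' ACL (a fast ACL) and no external_acl_type lookup is needed:
#
#   auth_param basic program /usr/local/bin/group_helper.sh --serve
#   auth_param basic children 5
#   acl authed proxy_auth REQUIRED
#   acl staff  note group staff
#   acl admins note group proxy-admins
#   http_access allow authed admins
#   http_access allow authed staff
#   http_access deny all
#
# Assumptions: 3.5 'note' ACL syntax; repeated group= pairs are accepted;
# fields arrive as plain ASCII (Squid's %XX escaping is not decoded here).

# Constructed user table, "user:password:group1,group2". Illustration only:
# a real helper would verify against Kerberos/LDAP and keep no secrets here.
USERS='alice:wonder:staff,proxy-admins
bob:builder:staff
mallory:evil:guests'

# lookup USER -> prints USER's row, exit 1 if absent.
# awk with -v avoids treating the username as a regex (unlike grep "^$1:").
lookup() {
    printf '%s\n' "$USERS" | awk -F: -v u="$1" '$1 == u { print; found = 1 }
                                                END { exit !found }'
}

# answer USER PASSWORD -> prints exactly one helper response line:
#   OK user=<user> group=<g1> group=<g2> ...   on success
#   ERR message="..."                           on failure
answer() {
    row=$(lookup "$1") || { printf 'ERR message="unknown user"\n'; return 1; }
    pw=$(printf '%s' "$row" | cut -d: -f2)
    groups=$(printf '%s' "$row" | cut -d: -f3)
    if [ "$pw" != "$2" ]; then
        printf 'ERR message="bad password"\n'
        return 1
    fi
    out="OK user=$1"
    for g in $(printf '%s' "$groups" | tr ',' ' '); do
        out="$out group=$g"          # one annotation per group
    done
    printf '%s\n' "$out"
}

# Squid starts the helper with --serve: read "user password" lines forever.
# Without --serve the file only defines the functions (sourceable for tests).
if [ "${1:-}" = "--serve" ]; then
    while read -r user pass; do
        answer "$user" "$pass"
    done
fi
```

Note what this does and does not buy: the group check itself moves into a fast ACL because Squid already holds the annotations in memory when http_access is evaluated, but whatever the helper uses to authenticate and to learn the groups (here a table, in practice LDAP or the data in a Kerberos ticket) is still the helper's own business, exactly as Amos says above.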
