[squid-users] benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl

Simon Staeheli sis at open.ch
Wed Jan 21 07:12:38 UTC 2015


> I think that refers to a work in progress. Markus maintains the
> un-bundled version of his helpers a little in advance of what has made
> it into the Squid stable branch. Some of what is available in his
> helper downloads is only in the Squid-3.HEAD alpha development code so
> far.
> 
> I am working on obsoleting the need for external group helpers. From
> 3.5 auth helpers can deliver to Squid a set of group= kv-pair in their
> response. Those can be used with the note ACL type to check group
> names without any external_acl_type helper lookup (making group checks
> possible in 'fast' access controls).
> 
> Markus joined me in this project and his latest kerberos auth helper
> (in 3.HEAD and his versions - *not* the 3.5 bundled version) produces
> group= kv-pair. Unfortunately they are in the obscure S-*-*-* registry
> ID format MS uses. The external_acl_type helper interface cannot yet
> be passed notes to decipher that to a known group name.
> 
> Amos

This sounds like an awesome feature. Have you got an idea when this 
functionality will be added to the stable branch? Something like 'this 
year', 'next year' or later?


More information about the squid-users mailing list