[squid-users] benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl
Amos Jeffries
squid3 at treenet.co.nz
Wed Jan 21 09:07:32 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 21/01/2015 8:12 p.m., Simon Staeheli wrote:
>> I think that refers to a work in progress. Markus maintains the
>> un-bundled version of his helpers a little in advance of what has
>> made it into the Squid stable branch. Some of what is available
>> in his helper downloads is only in the Squid-3.HEAD alpha
>> development code so far.
>>
>> I am working on obsoleting the need for external group helpers.
>> From 3.5 auth helpers can deliver to Squid a set of group=
>> kv-pair in their response. Those can be used with the note ACL
>> type to check group names without any external_acl_type helper
>> lookup (making group checks possible in 'fast' access controls).
>>
>> Markus joined me in this project and his latest kerberos auth
>> helper (in 3.HEAD and his versions - *not* the 3.5 bundled
>> version) produces group= kv-pair. Unfortunately they are in the
>> obscure S-*-*-* registry ID format MS uses. The external_acl_type
>> helper interface cannot yet be passed notes to decipher that to a
>> known group name.
>>
>> Amos
>
> This sounds like an awesome feature. Have you got an idea when
> this functionality will be added to the stable branch? Something
> like 'this year', 'next year' or later?
The annotatinos and notes are in 3.5 already. The bundled helpers a
year or so away.
Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
iQEcBAEBAgAGBQJUv2xUAAoJELJo5wb/XPRjjmIH/jHg9TEcfrEBagibMrX2ND1q
GX5JbUqYw9zhq9FE8HB7bafcifq/6nfhyxxgvvD8S9PIhLNX3Lf8BJUmrImnrHHi
8j09N7TSkoSYZMs5lnBzF3Jpn0xestgFpKYel2m8GGqoqNhcos53ayYljCTdtN78
6ZKRAMsdBprB2nePvvf393SZ67ng4PZLBE7184wUAiWJQxa8bGkA6ZujAL/r96n8
u5rQiDlehlvcqoZXSzzot5aCNa8RjzvMHwJk45nN3CyDRPRsQg6y07OqBQUC1Xpk
emcLE7Gr5jZSK31LcUgs6fzRAED60UaecCyvp0VENM8ehFG/pdsG1hE2MmGhpm0=
=ky5g
-----END PGP SIGNATURE-----
More information about the squid-users
mailing list