[squid-users] benefits of using ext_kerberos_ldap_group_acl instead of ext_ldap_group_acl

[Amos Jeffries]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 21/01/2015 8:12 p.m., Simon Staeheli wrote:
>> I think that refers to a work in progress. Markus maintains the 
>> un-bundled version of his helpers a little in advance of what has
>> made it into the Squid stable branch. Some of what is available
>> in his helper downloads is only in the Squid-3.HEAD alpha
>> development code so far.
>> 
>> I am working on obsoleting the need for external group helpers.
>> From 3.5 auth helpers can deliver to Squid a set of group=
>> kv-pair in their response. Those can be used with the note ACL
>> type to check group names without any external_acl_type helper
>> lookup (making group checks possible in 'fast' access controls).
>> 
>> Markus joined me in this project and his latest kerberos auth
>> helper (in 3.HEAD and his versions - *not* the 3.5 bundled
>> version) produces group= kv-pair. Unfortunately they are in the
>> obscure S-*-*-* registry ID format MS uses. The external_acl_type
>> helper interface cannot yet be passed notes to decipher that to a
>> known group name.
>> 
>> Amos
> 
> This sounds like an awesome feature. Have you got an idea when
> this functionality will be added to the stable branch? Something
> like 'this year', 'next year' or later?

The annotatinos and notes are in 3.5 already. The bundled helpers a
year or so away.

Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUv2xUAAoJELJo5wb/XPRjjmIH/jHg9TEcfrEBagibMrX2ND1q
GX5JbUqYw9zhq9FE8HB7bafcifq/6nfhyxxgvvD8S9PIhLNX3Lf8BJUmrImnrHHi
8j09N7TSkoSYZMs5lnBzF3Jpn0xestgFpKYel2m8GGqoqNhcos53ayYljCTdtN78
6ZKRAMsdBprB2nePvvf393SZ67ng4PZLBE7184wUAiWJQxa8bGkA6ZujAL/r96n8
u5rQiDlehlvcqoZXSzzot5aCNa8RjzvMHwJk45nN3CyDRPRsQg6y07OqBQUC1Xpk
emcLE7Gr5jZSK31LcUgs6fzRAED60UaecCyvp0VENM8ehFG/pdsG1hE2MmGhpm0=
=ky5g
-----END PGP SIGNATURE-----