I wrote mine the way I did because I want the domain part to be a part
of my ldap, like this:
ldap://ldap.domian.int/cn=%u,dc=%d,dc=domain,dc=int
_J
>>> "Westerhold, Axel" <Axel.Westerhold@dts.de> 11/21/06 1:19 PM >>>
Hi Jeremy,
see below what I did to 2.5 and 2.6. As it simply changes the username
when
supplied to ICAP I can make sure it never has any influence on the rest
of
the squid. This runs for installations up to 3000 Users
(Squid/webwasher)
and as such is stable.
I will more or less keep it this way on my squid3 patch.
If this is of interest I will send the patch tommorow.
Axel
diff -u --recursive squid-icap-2_5/src/cf.data.pre
squid-icap-2_5_dts_mod/src/cf.data.pre
--- squid-icap-2_5/src/cf.data.pre 2005-04-26 18:37:10.000000000
+0200
+++ squid-icap-2_5_dts_mod/src/cf.data.pre 2005-05-10
10:25:07.327766912 +0200
@@ -2760,6 +2760,17 @@
icap_auth_scheme Radius://radius-server/%u
DOC_END
+NAME: icap_auth_rmdomain
+TYPE: onoff
+IFDEF: HS_FEAT_ICAP
+COMMENT: on|off
+LOC: Config.icapcfg.auth_rmdomain
+DEFAULT: off
+DOC_START
+ Remove domain prefix if using possible before adding
+ "X-Authenticated-User" header
+DOC_END
+
NAME: icap_service
TYPE: icap_service_type
IFDEF: HS_FEAT_ICAP
diff -u --recursive squid-icap-2_5/src/icap_common.c
squid-icap-2_5_dts_mod/src/icap_common.c
--- squid-icap-2_5/src/icap_common.c 2005-03-20 19:11:47.000000000
+0100
+++ squid-icap-2_5_dts_mod/src/icap_common.c 2005-05-10
10:16:37.364293144 +0200
@@ -757,6 +757,29 @@
debug(81, 5) ("icapAddAuthUserHeader: NULL username\n");
return;
}
+
+
+ /*
+ Changed 2005/05/10 DTS Service GmbH Axel Westerhold
+ This addition was added to allow NTLM authenticated user
+ names to loose it's DOMAIN prefix so that we can use the
+ rest to do a ldap search for samaccountname. The additional
+ config parameter icap_auth_rmdomain will enable/disable this
+ feature
+ */
+ if ( Config.icapcfg.auth_rmdomain ) {
+ debug(81,3) ("icapUser before domain removal: %s\n",user);
+ char* tmpuser;
+ tmpuser = strchr(user,'\\');
+ debug(81,3) ("icaptmpUser %s\n",tmpuser);
+ if (tmpuser != NULL) {
+ if ( strlen(tmpuser) > 0 ) {
+ user=tmpuser+1;
+ }
+ }
+ debug(81,3) ("icapUser after domain removal: %s\n",user);
+ }
+
userlen = strlen(user);
schemelen = strlen(Config.icapcfg.auth_scheme);
len = userlen + schemelen + 1;
diff -u --recursive squid-icap-2_5/src/structs.h
squid-icap-2_5_dts_mod/src/structs.h
--- squid-icap-2_5/src/structs.h 2005-05-05 17:05:07.000000000
+0200
+++ squid-icap-2_5_dts_mod/src/structs.h 2005-05-10
10:19:47.629368456 +0200
@@ -395,6 +395,7 @@
int check_interval;
int send_client_ip;
int send_auth_user;
+ int auth_rmdomain;
char *auth_scheme;
};
Am 21.11.2006 18:59 Uhr schrieb "Jeremy Hall" unter
<jehall@central.unicor.gov>:
> I'm working with a patch I did for that purpose, only thing is that
> something I did caused a segv when it does a reconfig, which is why
I
> haven't committed to the icap branch.
>
> _J
>
>>>> "Westerhold, Axel" <Axel.Westerhold@dts.de> 11/21/06 12:54 PM >>>
> Hi All,
>
> I will have a look at the squid3 but I will need to modify it a
little
> bit
> so that I can split the Domain Part of the Username to make the
> webwasher
> happy on ist AD samaccount queries. From what I can see it should be
> easy
> enough to get this done inlcuding a way to enable/disable this
feature
> (like
> the one I did for 2.x).
>
> Also, I just shipped a 2.6 ICAP Patched Squid in a cluster setup to
a
> customer with 1000 Users. This Pilot Installation will get me a good
> feeling
> how stable 2.6 works.
>
> Regards,
> Axel
>
>
> Am 20.11.2006 22:57 Uhr schrieb "Tsantilas Christos" unter
> <chtsanti@users.sourceforge.net>:
>
>> Hi all,
>> The reported problems exists and are not webwasher related, exists
> for
>> every icap server.
>>
>> Axel's solutions causes crashes to squid in some cases. I think it
>> happens when http client closes the connection before the
connection
> to
>> the icap server closed. I am not sure it needs more debugging.
>> I am planning to give some more time...
>>
>> However, the squid3 with icap client is more stable than squid-26
> with
>> icap patch. I think the squid3 has only 2-3 bugs before the
release.
>> My opinion is that it does not make sense for someone to spend time
> in
>> squid26 icap client, it is good for testing and development but
only
>> that .....
>>
>> Regards,
>> Christos
>>
>> Westerhold, Axel wrote:
>>> Well,
>>>
>>> as I have a customer waiting for a fix I will just go with my
> modification
>>> and will try to pin down the real fault when I have some free time
>>> available. Setting the major version the way I do should not have
a
> real
>>> impact at least I can't see one right now on my test system.
>>>
>>> Regards,
>>> Axel
>>>
>>>
>>>
>>
Received on Tue Nov 21 2006 - 12:47:08 MST
This archive was generated by hypermail pre-2.1.9 : Wed Nov 29 2006 - 12:00:05 MST