[squid-users] strip domain/realm from icap header username

From: guest01 <guest01_at_gmail.com>
Date: Fri, 12 Nov 2010 14:59:41 +0100

Hi,

We are using squid 3.1.8 (on RHEL5.5 64Bit) as authentication/caching
forward proxy and an ICAP server for authorization and content
filtering.

At the moment, most of the users are authenticated by NTLM (we are
planning for Kerberos) and the username is sent to our ICAP server
which will do an LDAP lookup. This setup works pretty well for our
default domain. If a user from a different, trusted domain will be
authenticated by NTLM, then the username sent to the ICAP server will
look like:
DOMAIN+USERNAME

The ICAP server cannot handle that during the LDAP lookup, the domain
part has to be removed. I know that I can do that with Kerberos (there
is an -r option in the negotiate_kerberos_auth-helper, at least in
3.2x branch), but at the moment, I don't have that option for NTLM.
Does anyone have any ideas how to easily solve that? (I know that in
Freeradius, Freeradius will strip off the domain itself, that's why I
am guessing that ntlm_auth cannot do that)

Our plan is to upgrade to Kerberos and get rid of that problem, but if
there occur troubles, we have to find a way to solve that problem by
using NTLM. The "easiest" way I figured out is to modify the
ModXact.cc-file and modify the icap header username, e.g. if there is
a domain part, remove it. But that would cause some maintenance
troubles after upgrades (we must not forget to change this file)

I don't think it is a common problem (ntlm with multiple domains and
icap), if I am wrong it may be a possible feature request. E.g. adding
a new config option for squid.conf which will remove the domain part
if enabled and an option for specifying the separator (most likely a +)

best regards
Peter
Received on Fri Nov 12 2010 - 13:59:48 MST
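As an added example, not code from this post or from the Squid project: the normalization step the post asks for, done on the receiving side (the ICAP server, or any helper that sees the username Squid forwards) instead of in ModXact.cc. It splits the configurable separator the post proposes (the `+` reported for NTLM users from a trusted domain, plus the `DOMAIN\user` and `user@REALM` forms as assumed extra cases), keeps the domain for logging, and escapes the bare account name before it is placed in an LDAP filter. The attribute name `sAMAccountName` and the sample usernames are assumptions.

```python
"""Strip the domain/realm from a proxy-authenticated username before an LDAP lookup.

Added example, not from the squid-users post or from Squid itself. Assumes the
caller receives the username string Squid puts in the ICAP header and wants the
bare account name for the LDAP filter while keeping the domain for audit logs.
"""
from typing import NamedTuple, Optional, Tuple

# Separators that may sit between domain and account name. '+' is the one the
# post reports for NTLM users from a trusted domain; '\\' is the usual Windows
# DOMAIN\user form. Both are assumptions about what the deployment will see.
DEFAULT_SEPARATORS: Tuple[str, ...] = ("+", "\\")


class Principal(NamedTuple):
    user: str              # bare account name used for the LDAP lookup
    domain: Optional[str]  # domain or realm, kept for logging, None if absent


def split_principal(username: str,
                    separators: Tuple[str, ...] = DEFAULT_SEPARATORS) -> Principal:
    """Split 'DOMAIN<sep>user' or 'user@REALM' into (user, domain).

    A username without any separator is returned unchanged with domain=None,
    so users from the default domain keep working as before.
    """
    name = username.strip()
    for sep in separators:
        if sep in name:
            domain, _, user = name.partition(sep)
            if domain and user:
                return Principal(user, domain.upper())
    if "@" in name:  # Kerberos-style user@REALM
        user, _, realm = name.rpartition("@")
        if user and realm:
            return Principal(user, realm.upper())
    return Principal(name, None)


# RFC 4515 escaping for values embedded in an LDAP search filter. Whatever the
# proxy forwards is still attacker-influenced input, so it must never be
# concatenated into the filter raw.
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def ldap_filter(username: str, attr: str = "sAMAccountName") -> str:
    """Build the equality filter for the bare account name of `username`."""
    principal = split_principal(username)
    return "(%s=%s)" % (attr, ldap_escape(principal.user))


if __name__ == "__main__":
    # Constructed sample usernames, as Squid might forward them.
    for sample in ("peter", "TRUSTED+peter", "TRUSTED\\peter", "peter@EXAMPLE.COM"):
        p = split_principal(sample)
        print("%-20s user=%-8s domain=%-12s filter=%s"
              % (sample, p.user, p.domain, ldap_filter(sample)))
```

Two points for whoever wires this in: stripping the domain collapses accounts that share a name across the trusted domains into one LDAP entry, so the ICAP server should at least log `Principal.domain` next to the lookup result, and ideally scope the search base by domain when that is known; and the escaping step belongs before the filter is built regardless of where the stripping happens, since the helper change in ModXact.cc the post considers would not add it.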