Re: [squid-users] Passing ident username with cache_peer

From: Henrik Nordstrom <[email protected]>
Date: Tue, 21 Oct 2003 22:45:50 +0200 (CEST)

On Tue, 21 Oct 2003, David Rippel wrote:

> Squid(1) is passing the username for users that authenticate via basic
> auth, but not for users that get access through an ident acl. The ident
> username is showing up in squid(1)'s logs, but it's passing a null
> username in the auth header.

Probably correct. ident is not an authentication method.

adding support to the login= option to forward the ident user name in the
login=*:.. sounds like a good idea, but unfortunately it is not as easy
(the ident is a property of the client connection, not the request, and
http.c does not know the client connection)

> For ident I'm using an external acl that passes the ident info to a program that checks to see if the username is in an LDAP group. I saw something in the squid.conf comments under external_acl_type that mentions a user= keyword, so I tried having my program return "OK user=foo" but I think that was just me heading in the wrong direction... I saw a patch at http://www.squid-cache.org/mail-archive/squid-dev/200201/0001.html that would help my situation (although it would require dg to parse the additional header), but it looks like it was denied (something about it not being as secure as the basic auth method). I'm not sure where src/http.c gets it's username from for HDR_PROXY_AUTHORIZATION (see line 885 -> 891) but maybe that's a starting point?

The user= return from external_acl helpers has mostly the same problem as
ident above..

Regards
Henrik>
Received on Tue Oct 21 2003 - 14:45:54 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:20:34 MST