Re: [squid-users] external acl code examples

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 29 Feb 2012 13:34:12 +1300

On 29.02.2012 01:51, Erwann Pencreach wrote:
> Hi,
>
> I don't really understand the trick with the Id, but I'll have a look
> at it

It's concurrency support, allowing Squid to schedule more than one
lookup at a time for the helper. You then add concurrency=N with some N
value greater than 1 for the number of requests for Squid to queue.

>
> I wrote this script, because I wasn't able to get authentication
> information from distant client or distant samba pdc (All tricks I
> have found are for a configuration where Squid is on the same host as
> the pdc). Password doesn't matter, but username is mandatory. When I
> have username, I have some ldap checks to do, some whitelist and
> blacklist to check.

Something seems wrong there.

For Squid lookup helpers to validate credentials the only requirement
is that the backend accept validation requests from them. In the PDC
case there may be some security around which servers are allowed to
look up user credentials; you need to ensure the Squid box (IP? security
token?) is in that accepted set. It sounds to me like the default
security at the PDC is for the localhost connections to be accepted, but
not external servers.

Certain of the Squid lookup helpers do need certain tools from Samba to
be installed (ntlm_auth or winbind or smbclient) in order to run. But
those tools are not the PDC, only other types of lookup helper.

Amos
Received on Wed Feb 29 2012 - 00:34:16 MST
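
The channel ID handling discussed in the message above, as an added example (not code from the thread or from the Squid project). It assumes a squid.conf line such as `external_acl_type user_check concurrency=5 %LOGIN /path/to/helper.py`, where `user_check`, the path and the whitelist/blacklist contents are hypothetical, and it assumes Squid URL-escapes the field values it sends.

```python
#!/usr/bin/env python3
"""Squid external ACL helper that honours the concurrency channel ID."""
import sys
from urllib.parse import unquote

# Constructed sample lists; a real helper would do its LDAP checks here.
WHITELIST = {"alice", "bob"}
BLACKLIST = {"mallory"}


def check_user(username):
    """Return True if the user may pass. The blacklist wins over the whitelist."""
    name = username.lower()
    if name in BLACKLIST:
        return False
    return name in WHITELIST


def handle_line(line):
    """Turn one request line from Squid into one reply line.

    With concurrency=N set, Squid prefixes each request with a numeric
    channel ID and expects the same ID at the start of the reply, so it
    can match answers to the lookups it has queued.
    """
    fields = line.split()
    if not fields or not fields[0].isdigit():
        # No channel ID: concurrency is not enabled or the line is malformed.
        return "ERR"
    channel = fields[0]
    if len(fields) < 2:
        # Channel ID present but no username: deny, still echoing the ID.
        return channel + " ERR"
    # Assumption: Squid URL-escapes the value, so decode before comparing.
    username = unquote(fields[1])
    return channel + (" OK" if check_user(username) else " ERR")


def main():
    for line in sys.stdin:
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()  # Squid waits on each reply, so never buffer output.


if __name__ == "__main__":
    main()
```

Every reply, including a denial, carries the channel ID it was asked on; a reply without it cannot be matched to a queued lookup.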
