Re: [squid-users] squid 3.5x: Active Directory accounts with space issue
On 30/11/2014 09:08, Amos Jeffries wrote:
> On 30/11/2014 12:52 a.m., David Touzeau wrote:
>> On 26/11/2014 11:27, Amos Jeffries wrote:
>>> On 24/11/2014 12:01 a.m., David Touzeau wrote:
>>>> Hi
>>>> We have connected 3.5.0.2-20141121-r13666 with Active Directory.
>>>> It seems that where there are spaces in the login account, squid uses only the last argument.
>>>> For example, for an account Jhon smith squid uses smith only
>>>> For example, for an account Dr Jhon smith squid uses smith only
>>>> In 3.3.13 there is no such issue, a Jhon smith account is logged as Jhon smith and sent as Jhon%20smith to helpers
>>> Any information about the auth Scheme being performed? the helpers being used? and what is being sent to/from the helpers in 3.5 different from the 3.3 version?
>>>
>>> Amos
>> Hi
>> I'm using this method
>>
>> auth_param ntlm program /usr/bin/ntlm_auth --domain=TOUZEAU.BIZ --helper-protocol=squid-2.5-ntlmssp
>> auth_param ntlm children 25 startup=5 idle=1
>> auth_param ntlm keep_alive off
>> #Dynamic ACLs groups Enabled: [1]
>> external_acl_type ads_group ttl=3600 children-max=5 children-startup=1 children-idle=1 %LOGIN /usr/share/artica-postfix/external_acl_squid_ldap.php
>> #Other settings
>> authenticate_ttl 1 hour
>> authenticate_cache_garbage_interval 10 seconds
>> authenticate_ip_ttl 60 seconds
>> # END NTLM Parameters
>> #Basic authentication for other browser that did not supports NTLM: (KerbAuthMethod = )
>> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
>> auth_param basic children 3 startup=1 idle=1
>> auth_param basic realm Basic Identification
>> auth_param basic credentialsttl 2 hours
>>
>> On 3.3.13, everything works as expected.
>> On 3.5x LOGIN are truncated where there is space on account.
> By LOGIN are you meaning
>  the log entries for user name labels?
>  the %LOGIN format code delivered to the external ACL helper?
>  the user=X labels delivered by the NTLM helper to Squid?
>  or the generic login concept?
>
> The 'old' helper protocol was a whitespace-delimited set of fields with fixed meaning for each column/field. If the helper is delivering an un-encoded SP character inside an old-style response to Squid it will be parsed as two values.
>
> The 3.4+ helpers are parsing that protocol and upgrading it to the new kv-pair protocol automatically. Garbage fields are discarded from the input.
>
> It looks like the 2-column AF (NTLM) response being confused for a 3-column AF (Kerberos) response. Since the only difference between the two helpers' outputs is the presence of a token column before the username field.
>
> You can work around it with a script to convert the protocol explicitly before delivering to Squid.
>
> Amos

Thanks Amos.
I agree, but the helper just answers OK if the user is a member of a group; it doesn't send user=something.
After removing the helper, Squid still writes the truncated login.
So I'm talking about the generic login concept.

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
Re: [squid-users] squid 3.5x: Active Directory accounts with space issue
On 26/11/2014 11:27, Amos Jeffries wrote:
> On 24/11/2014 12:01 a.m., David Touzeau wrote:
>> Hi
>> We have connected 3.5.0.2-20141121-r13666 with Active Directory.
>> It seems that where there are spaces in the login account, squid uses only the last argument.
>> For example, for an account Jhon smith squid uses smith only
>> For example, for an account Dr Jhon smith squid uses smith only
>> In 3.3.13 there is no such issue, a Jhon smith account is logged as Jhon smith and sent as Jhon%20smith to helpers
> Any information about the auth Scheme being performed? the helpers being used? and what is being sent to/from the helpers in 3.5 different from the 3.3 version?
>
> Amos

Hi
I'm using this method

auth_param ntlm program /usr/bin/ntlm_auth --domain=TOUZEAU.BIZ --helper-protocol=squid-2.5-ntlmssp
auth_param ntlm children 25 startup=5 idle=1
auth_param ntlm keep_alive off
#Dynamic ACLs groups Enabled: [1]
external_acl_type ads_group ttl=3600 children-max=5 children-startup=1 children-idle=1 %LOGIN /usr/share/artica-postfix/external_acl_squid_ldap.php
#Other settings
authenticate_ttl 1 hour
authenticate_cache_garbage_interval 10 seconds
authenticate_ip_ttl 60 seconds
# END NTLM Parameters
#Basic authentication for other browser that did not supports NTLM: (KerbAuthMethod = )
auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
auth_param basic children 3 startup=1 idle=1
auth_param basic realm Basic Identification
auth_param basic credentialsttl 2 hours

On 3.3.13, everything works as expected.
On 3.5x LOGIN are truncated where there is space on account.
I have tested by removing external_acl_type ads_group; no change, the issue is still displayed.
Re: [squid-users] squid 3.5x: Active Directory accounts with space issue
On 30/11/2014 12:52 a.m., David Touzeau wrote:
> On 26/11/2014 11:27, Amos Jeffries wrote:
>> On 24/11/2014 12:01 a.m., David Touzeau wrote:
>>> Hi
>>> We have connected 3.5.0.2-20141121-r13666 with Active Directory.
>>> It seems that where there are spaces in the login account, squid uses only the last argument.
>>> For example, for an account Jhon smith squid uses smith only
>>> For example, for an account Dr Jhon smith squid uses smith only
>>> In 3.3.13 there is no such issue, a Jhon smith account is logged as Jhon smith and sent as Jhon%20smith to helpers
>> Any information about the auth Scheme being performed? the helpers being used? and what is being sent to/from the helpers in 3.5 different from the 3.3 version?
>>
>> Amos
> Hi
> I'm using this method
>
> auth_param ntlm program /usr/bin/ntlm_auth --domain=TOUZEAU.BIZ --helper-protocol=squid-2.5-ntlmssp
> auth_param ntlm children 25 startup=5 idle=1
> auth_param ntlm keep_alive off
> #Dynamic ACLs groups Enabled: [1]
> external_acl_type ads_group ttl=3600 children-max=5 children-startup=1 children-idle=1 %LOGIN /usr/share/artica-postfix/external_acl_squid_ldap.php
> #Other settings
> authenticate_ttl 1 hour
> authenticate_cache_garbage_interval 10 seconds
> authenticate_ip_ttl 60 seconds
> # END NTLM Parameters
> #Basic authentication for other browser that did not supports NTLM: (KerbAuthMethod = )
> auth_param basic program /usr/bin/ntlm_auth --helper-protocol=squid-2.5-basic
> auth_param basic children 3 startup=1 idle=1
> auth_param basic realm Basic Identification
> auth_param basic credentialsttl 2 hours
>
> On 3.3.13, everything works as expected.
> On 3.5x LOGIN are truncated where there is space on account.

By LOGIN are you meaning
 the log entries for user name labels?
 the %LOGIN format code delivered to the external ACL helper?
 the user=X labels delivered by the NTLM helper to Squid?
 or the generic login concept?

The 'old' helper protocol was a whitespace-delimited set of fields with fixed meaning for each column/field. If the helper is delivering an un-encoded SP character inside an old-style response to Squid it will be parsed as two values.

The 3.4+ helpers are parsing that protocol and upgrading it to the new kv-pair protocol automatically. Garbage fields are discarded from the input.

It looks like the 2-column AF (NTLM) response being confused for a 3-column AF (Kerberos) response. Since the only difference between the two helpers' outputs is the presence of a token column before the username field.

You can work around it with a script to convert the protocol explicitly before delivering to Squid.

Amos
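The workaround suggested in the message above, sketched as an added example (not code from the thread or from the Squid project): a wrapper that converts old-style NTLM helper replies to kv-pair form itself, so the username is never split on whitespace. Assumptions: the kv-pair reply shapes (`OK user=`, `TT token=`, `ERR message=`, `BH message=`) and URL-encoding of values; `guess_by_columns` is a simplified model of the column-count confusion described, not Squid's parser; all function names are hypothetical.

```python
import subprocess
import sys
from urllib.parse import quote

# Constructed sample replies in the old whitespace-delimited format.
SAMPLES = ["AF Jhon smith", "AF jsmith", "NA logon failure", "TT TlRMTVNTUAAC"]

def guess_by_columns(line):
    """Simplified model (assumption, not Squid's parser) of column counting."""
    fields = line.split()
    if fields[:1] == ["AF"] and len(fields) == 2:
        return {"user": fields[1]}                      # AF <user>
    if fields[:1] == ["AF"] and len(fields) == 3:
        return {"token": fields[1], "user": fields[2]}  # AF <token> <user>
    return {}

def convert_ntlm_reply(line):
    """Old-style NTLM helper reply -> kv-pair reply, username kept whole."""
    code, _, rest = line.rstrip("\r\n").partition(" ")
    if code == "AF":    # NTLM has no token column: the remainder is the user
        return "OK user=" + quote(rest, safe="")
    if code == "TT":    # challenge blob is base64, passed through unchanged
        return "TT token=" + rest
    if code in ("NA", "BH"):
        result = "ERR" if code == "NA" else "BH"
        return result + " message=" + quote(rest, safe="")
    return "BH message=" + quote("unexpected helper reply", safe="")

def relay(helper_argv):
    """Sit between Squid and the real helper, one reply per request line."""
    child = subprocess.Popen(helper_argv, stdin=subprocess.PIPE,
                             stdout=subprocess.PIPE, text=True, bufsize=1)
    for request in sys.stdin:
        child.stdin.write(request)
        child.stdin.flush()
        sys.stdout.write(convert_ntlm_reply(child.stdout.readline()) + "\n")
        sys.stdout.flush()

if __name__ == "__main__":
    if len(sys.argv) > 1:
        relay(sys.argv[1:])      # helper command and its arguments
    else:
        for sample in SAMPLES:   # no helper given: show the conversions
            print(sample, "->", convert_ntlm_reply(sample))
```

Run with the real helper command as arguments, the script relays each request line to it and rewrites the reply; run with no arguments it prints the conversions for the constructed samples.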
Re: [squid-users] squid 3.5x: Active Directory accounts with space issue
On 24/11/2014 12:01 a.m., David Touzeau wrote:
> Hi
> We have connected 3.5.0.2-20141121-r13666 with Active Directory.
> It seems that where there are spaces in the login account, squid uses only the last argument.
> For example, for an account Jhon smith squid uses smith only
> For example, for an account Dr Jhon smith squid uses smith only
> In 3.3.13 there is no such issue, a Jhon smith account is logged as Jhon smith and sent as Jhon%20smith to helpers

Any information about the auth Scheme being performed? the helpers being used? and what is being sent to/from the helpers in 3.5 different from the 3.3 version?

Amos
[squid-users] squid 3.5x: Active Directory accounts with space issue
Hi
We have connected 3.5.0.2-20141121-r13666 with Active Directory.
It seems that where there are spaces in the login account, squid uses only the last argument.
For example, for an account Jhon smith squid uses smith only
For example, for an account Dr Jhon smith squid uses smith only
In 3.3.13 there is no such issue, a Jhon smith account is logged as Jhon smith and sent as Jhon%20smith to helpers

Best regards