On Mon, 8 Nov 2004, Andrew Bartlett wrote:
> As the author of ntlm_auth, I guarantee that after issuing an 'AF' (and no other commands), the client program may issue 'UG', to return the group list. Is that enough? :-)
For me it is.
For me it is equally acceptable to revise the protocol to have AF return additional information including groups.
I would propose an extensible syntax similar to that used in external acls
    AF user=username attribute=value ...
using URL-encoded strings.
and similarly in all the other replies if additional information needs to be returned.
Maybe (but only maybe) the AF should be defined as
    AF username attribute=value
(still URL-encoded username)
>> How hard is it to add the extra step?
> Not hard, but the fact that it is needed is a good sign of a weakness in the protocol to begin with.
> The other reason I avoided it was for simplicity of parsing - currently we define the username as everything from the 'AF' to the end of line. I suppose we should now define the 'AF' response as:
>     AF username=url-encoded-username authtoken=url-encodedgrouplist
> How does that sound?
B-)
For parsing reasons the groups should be returned using a multi-valued attribute repeated once per group.
> What I would have liked was some way that this scheme could have been auto-negotiated. My previous proposal allowed squid to always try 'UG', and just swallow the failure reply if the helper was 'old'.
I have no problem defining a new initial command for exchanging the capabilities. Would also serve the good purpose of verifying the connectivity to the helper, including the ability to run a self-diagnostics.
Regards
Henrik
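As an added example (not Squid's or ntlm_auth's own code), here is both sides of the attribute=value reply syntax proposed in this thread: the helper emits URL-encoded attribute=value tokens with the group attribute repeated once per group, and the Squid side parses any reply code back into per-attribute lists. The attribute names user and group are assumed for illustration.

```python
from urllib.parse import quote, unquote

# Constructed sketch of the proposed helper reply syntax:
#   CODE attr=value attr=value ...
# Every value is URL-encoded so spaces, '=' and backslashes survive a
# whitespace-delimited, line-based protocol; a multi-valued attribute
# such as the group list is written once per value.


def format_reply(code, attrs):
    """Build one helper reply line (e.g. code='AF').

    attrs maps attribute name -> list of values.
    """
    parts = [code]
    for name, values in attrs.items():
        for value in values:
            # safe='' so '/', '=' and '&' inside a value are encoded too
            parts.append(f"{name}={quote(value, safe='')}")
    return " ".join(parts) + "\n"


def parse_reply(line):
    """Parse a reply line into (code, {attribute: [values...]}).

    Every attribute maps to a list, so a repeated attribute (group=)
    collects naturally. Raises ValueError on a token without '='.
    """
    fields = line.rstrip("\r\n").split(" ")
    code, tokens = fields[0], fields[1:]
    attrs = {}
    for token in tokens:
        if token == "":
            continue  # tolerate doubled spaces between tokens
        name, sep, value = token.partition("=")
        if not sep or not name:
            raise ValueError(f"malformed token in {code} reply: {token!r}")
        attrs.setdefault(name, []).append(unquote(value))
    return code, attrs


def groups_for(line):
    """The group list carried by an AF reply (empty list if none)."""
    code, attrs = parse_reply(line)
    if code != "AF":
        raise ValueError(f"expected AF reply, got {code}")
    return attrs.get("group", [])


if __name__ == "__main__":
    # Constructed sample: a name and a group containing characters that
    # would break unencoded whitespace-delimited parsing.
    line = format_reply("AF", {"user": ["DOM\\fred smith"],
                               "group": ["Domain Users", "r=d"]})
    print(line, end="")
    print(parse_reply(line))
```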
