On Thu, 2006-12-14 at 11:04 -0500, Jeremy Hall wrote: > I do have need of the %d construct that I formulated.
I only looked at squid.conf portion of your patch and did not notice the %d substitution. My apologies. All useful substitutions should be supported, of course! > I am also > formulating something with X-Authenticated-Groups that I got some > recommendations from a vendor on how they want to see it. Should we use > \n or %n for a newline character? I'm hoping for \n since that seems > more intuitive, Why do we need a newline character support? Is this for the HTTP/ICAP linear white space (multiline header), for the end of the header value, or for something inside the user name value? > but the logic I wrote will need to be modified such that > multiple %d, %u, and %n constructs might exist in the same uri. Squid customized log format uses substitutions, right? Can we have a single class that handles both cases? A simple single virtual method can provide specific substitution values, or we may have a virtual method for every substitution letter supported by some child (so that we can have a [character->method] table. The substitution code is relatively complex, low-level, error-prone, and performance-sensitive so it would be nice to have a single implementation that we can clean and optimize as time allows. This approach may also help to have a configuration validator that checks at Squid startup time that all used substitutions are actually supported. Thank you, Alex. > >>> Alex Rousskov <[EMAIL PROTECTED]> 12/14/06 10:48 AM > >>> > On Thu, 2006-12-14 at 08:47 +0100, Axel Westerhold wrote: > > > There is one more change I am currently testing. The > > problem with this patch: > > > > It does not follow any ICAP document but only enables squid to get > rid of > > the DOMAIN part frpm an NTLM Auth so I can use the result string as a > query > > on samaccountname. Would it be possible to add this too ? > > I assume we talking about modifying the authenticated client username, > passed via the icap_client_username_header to the ICAP server. > > I believe the right thing to do here is similar to what Jeremy Hall > did > with the icap_auth_scheme in > http://www.squid-cache.org/mail-archive/squid-dev/200611/0066.html > > I would suggest to add an "icap_authenticated_user_header_value" > option > that takes a string with the following supported substitutions: > > %U -- complete username, as is > %N -- username without the domain part > %% -- percent > > I think we do not need a default value here, but would not object to > "Local://%U" if somebody insists on having a default. > > The current "icap_client_username_header" option should be renamed to > "icap_authenticated_user_header_name". > > The current "icap_client_username_encode" option should be renamed to > "icap_authenticated_user_header_encode". "On" should be the default, I > guess. > > The three icap_authenticated_user_* options can be merged into one > multivalued option: > icap_authenticated_user_header [<name>":"] [<encoding>"("] <value> > [")"] > > For example, > icap_authenticated_user_header X-Authenticated-User: > base64(Local://%U) > or > icap_authenticated_user_header identity(%N) > > Thank you, > > Alex. > > > Am 14.12.2006 6:25 Uhr schrieb "Alex Rousskov" unter > > <[EMAIL PROTECTED]>: > > > > > On Mon, 2006-12-04 at 12:57 +0100, Axel Westerhold wrote: > > >> Hi everyone, > > >> > > >> Second try this time hopefully complete. > > >> > > >> This is again patched against Squid 3 HEAD and includes 4 changes > I would > > >> like to have when working with webwasher/squid systems. > > >> > > >> > > >> A.) ICAPServiceRep::TheSessionFailureLimit set through squid.conf > > >> B.) ICAPServiceRep delay for a down service set through > squid.conf > > >> C.) Instead of hardcoding the Header used to transfer the username > being > > >> able to set the used one through squid.conf > > >> D.) When using X-Authenticated-User in C I need the username to be > base64 > > >> encoded so I added another option to turn on encoding if needed. > > > > > > The above changes, with minor modifications are now committed to > > > squid3-icap branch. The corresponding patch is attached. > > > > > > I took the liberty to rename some of your new squid.conf options as > well > > > as polish squid.conf comments and code. A negative value for the > > > icap_service_failure_limit disables the limit feature. > > > > > > Please test and let me know whether any further changes are > needed. > > > > > > Thank you, > > > > > > Alex. > > > > >
