On Tue, 21 Oct 2003, David Rippel wrote:
> Squid(1) is passing the username for users that authenticate via basic
> auth, but not for users that get access through an ident acl. The ident
> username is showing up in squid(1)'s logs, but it's passing a null
> username in the auth header.

Probably correct. ident is not an authentication method.

Adding support to the login= option to forward the ident user name in the login=*:.. sounds like a good idea, but unfortunately it is not as easy (the ident is a property of the client connection, not the request, and http.c does not know the client connection).

> For ident I'm using an external acl that passes the ident info to a program that
> checks to see if the username is in an LDAP group. I saw something in the squid.conf
> comments under external_acl_type that mentions a user= keyword, so I tried having my
> program return "OK user=foo" but I think that was just me heading in the wrong
> direction... I saw a patch at
> http://www.squid-cache.org/mail-archive/squid-dev/200201/0001.html that would help
> my situation (although it would require dg to parse the additional header), but it
> looks like it was denied (something about it not being as secure as the basic auth
> method). I'm not sure where src/http.c gets its username from for
> HDR_PROXY_AUTHORIZATION (see line 885 -> 891) but maybe that's a starting point?

The user= return from external_acl helpers has mostly the same problem as ident above.

Regards
Henrik
