Re: [squid2.5-icap] patch: X-Server-IP support

2005-12-22 Thread Olivier "oliv3" Girondel
Duane Wessels wrote:
> The patch is nice and simple, so I don't have any problems with it.

Cool :)

> There is this, however:
> 
> + if (Config.icapcfg.send_server_ip || service->flags.need_x_server_ip)
> 
> The Squid admin might believe that setting 'icap_send_server_ip off'
> means Squid would never send the IP address to ICAP. But Squid
> will in fact send the IP if the ICAP server asks for it.

Sure, this is a negotiation question (OPTIONS). I took the default
behavior that was implemented in Squid, to be consistent.

> Its probably not a big deal because most people don't care about
> the "privacy" of an origin server IP address.  But some might.
> 
> I suggest adding a comment to squid.conf to explain that the server
> IP address would be sent regardless of the icap_send_server_ip
> setting if the ICAP server OPTIONS response says "X-Include:
> X-Server-IP"
> 
> Otherwise, maybe the logic should be && instead of || ?

I agree with your last proposal: in squid.conf, it could be defined
as: "Allow Squid to send the origin IP if asked by the ICAP server"
(on/off)

Since this is an X-ICAP-* header (optional), Squid must have the last
word on the subject.

/olivier


Re: [squid2.5-icap] patch: X-Server-IP support

2005-12-22 Thread Duane Wessels
On Wed, 14 Dec 2005, olivier wrote:

Hi all,

I recently made a small patch to add the X-Server-IP feature in
Squid 2.5. Basically: send the origin server IP in the ICAP headers
if it's available from the IP cache.

I've been using it in (pre)production for some weeks now without any
problems.

Can someone take a look at http://labs.biniou.info/squid-icap-2_5.diff ?


The patch is nice and simple, so I don't have any problems with it.

There is this, however:

+ if (Config.icapcfg.send_server_ip || service->flags.need_x_server_ip)

The Squid admin might believe that setting 'icap_send_server_ip off'
means Squid would never send the IP address to ICAP. But Squid
will in fact send the IP if the ICAP server asks for it.

It's probably not a big deal because most people don't care about
the "privacy" of an origin server IP address. But some might.

I suggest adding a comment to squid.conf to explain that the server
IP address would be sent regardless of the icap_send_server_ip
setting if the ICAP server OPTIONS response says "X-Include:
X-Server-IP"

Otherwise, maybe the logic should be && instead of || ?

Duane W.


squid_ldap_group : domain stripping for use against AD : configurable separator

2005-12-22 Thread François Verbeek

Hello,

Please find enclosed a small patch for squid_ldap_group.c.
This allows the user to add a parameter to the -S flag, allowing the
user to choose the separator when stripping the domain name from user
names instead of only allowing / or \\



for 2.5-Stable12:
--- squid-2.5.STABLE12/helpers/external_acl/ldap_group/ 
squid_ldap_group.c	2005-09-11 02:53:23.0 +0200

+++ squid_ldap_group.c.mod-2.5-rc   2005-12-22 12:56:29.0 +0100
@@ -218,6 +218,7 @@
 char buf[8192];
 char *user, *group, *extension_dn = NULL;
 char *ldapServer = NULL;
+char nt_domain_separator=0;
 LDAP *ld = NULL;
 int tryagain = 0, rc;
 int port = LDAP_PORT;
@@ -236,8 +237,16 @@
case 'Z':
case 'd':
case 'g':
+   break;
case 'S':
-   break;
+ if (argv[2][0] == '-' )
+ break;
+  if (strlen(argv[2]) > 1) {
+	  fprintf(stderr,"ERROR: -S takes only single character argument,  
you provided %s \n", argv[2]);

+ exit(1);
+ }
+ nt_domain_separator = argv[2][0];
+ break;
default:
if (strlen(argv[1]) > 2) {
value = argv[1] + 2;
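Review bot: the new `case 'S'` branch dereferences `argv[2]` without checking that it exists, so plain `-S` given as the last option (the pre-patch form, which took no argument) reads past the end of argv. It also never advances argv/argc after accepting the separator, so the character just consumed as the separator is still seen on the next loop iteration and ends up as a positional parameter. Guard with `if (argc > 2 && argv[2][0] != '-')`, and after `nt_domain_separator = argv[2][0];` step past it with `argv++; argc--;` the way the `default:` branch does for its values. Minor: the error message has a stray space before `\n` in `"you provided %s \n"`.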
@@ -375,6 +384,9 @@
use_extension_dn = 1;
break;
case 'S':
+   if (value[0]) {
+   nt_domain_separator = value[0];
+   };
strip_nt_domain = 1;
break;
default:
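Review bot: `value` is still the empty string when this runs, because the first pass (`case 'S': ... break;` in the previous hunk) never reaches the `default:` branch that fills `value` from `argv[1] + 2` or `argv[2]`; `if (value[0])` is therefore never true and the attached form `-S@` silently sets no separator. Either route 'S' through `default:` in the first pass and do all separator handling here, or drop this block. The `;` after the closing `}` is an empty statement and should go.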
@@ -430,7 +442,7 @@
	fprintf(stderr, "\t-Z\t\t\tTLS encrypt the LDAP connection, requires 
\n\t\t\t\tLDAP version 3\n");

#endif
	fprintf(stderr, "\t-g\t\t\tfirst query parameter is base DN extension 
\n\t\t\t\tfor this query\n");

-   fprintf(stderr, "\t-S\t\t\tStrip NT domain from usernames\n");
+	fprintf(stderr, "\t-S char\t\t\tStrip NT domain from usernames  
using 'char' as domain separator. 'char' defaults to both / and \\ \n");

fprintf(stderr, "\n");
	fprintf(stderr, "\tIf you need to bind as a user to perform searches  
then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile  
options\n\n");

exit(1);
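Review bot: the usage line should show the argument as optional, `-S [char]`, since plain `-S` keeps working with the / and \\ defaults; `-S char` reads as if the character were required. Also, the long fprintf lines are wrapped by the mail client here (the unchanged -Z and -g lines in the same hunk show the same wrapping), so the patch as pasted will not apply cleanly; attach it or send it unwrapped.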
@@ -440,11 +452,16 @@
int found = 0;
user = strwordtok(buf, &tptr);
if (user && strip_nt_domain) {
-   char *u = strchr(user, '\\');
-   if (!u)
-   u = strchr(user, '/');
-   if (u && u[1])
-   user = u + 1;
+char *u = NULL;
+if (nt_domain_separator) {
+u = strchr(user, nt_domain_separator);
+} else {
+ u = strchr(user, '\\');
+ if (!u)
+ u = strchr(user, '/');
+ }
+ if (u && u[1])
+user = u + 1;
}
if (use_extension_dn)
extension_dn = strwordtok(NULL, &tptr);
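Review bot: `user = u + 1` keeps whatever follows the separator, which is right for the DOMAIN\user and DOMAIN/user forms but inverts for the other Active Directory login form, user@realm: with `-S @` the helper would hand the realm, not the user, to the LDAP group lookup, so every such user fails the check. Since the option is aimed at AD, either document that the separator must precede the user part, or treat '@' as a suffix separator and keep `user` up to `u`. The added lines also mix tabs and spaces and do not match the indentation of the surrounding code.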



for 3.0-pre3-20051221

--- squid-3.0-PRE3-20051221/helpers/external_acl/ldap_group/ 
squid_ldap_group.c	2005-09-11 03:02:33.0 +0200

+++ squid_ldap_group.c.mod-3.0  2005-12-22 13:22:52.0 +0100
@@ -208,6 +208,7 @@
 char buf[8192];
 char *user, *group, *extension_dn = NULL;
 char *ldapServer = NULL;
+char nt_domain_separator=0;
 LDAP *ld = NULL;
 int tryagain = 0, rc;
 int port = LDAP_PORT;
@@ -227,8 +228,16 @@
case 'Z':
case 'd':
case 'g':
+   break;
case 'S':
-   break;
+ if (argv[2][0] == '-' )
+ break;
+  if (strlen(argv[2]) > 1) {
+	  fprintf(stderr,"ERROR: -S takes only single character argument,  
you provided %s \n", argv[2]);

+ exit(1);
+ }
+ nt_domain_separator = argv[2][0];
+ break;
default:
if (strlen(argv[1]) > 2) {
value = argv[1] + 2;
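Review bot: same problem as in the 2.5 version of this hunk: `argv[2][0]` is read without an `argc > 2` check, so `-S` as the last option dereferences past the end of argv, and the accepted separator is not skipped with `argv++; argc--;`, so it is later taken as a positional argument. Add the bounds check and advance argv after `nt_domain_separator = argv[2][0];`.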
@@ -366,6 +375,9 @@
use_extension_dn = 1;
break;
case 'S':
+   if (value[0]) {
+   nt_domain_separator = value[0];
+   };
strip_nt_domain = 1;
break;
default:
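Review bot: as in the 2.5 patch, `value` is never filled for 'S' because the first pass breaks out before the `default:` branch, so `if (value[0])` is dead code and `-S@` sets no separator; the `;` after `}` is an empty statement. Handle the separator in one place only.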
@@ -421,7 +433,7 @@
	fprintf(stderr, "\t-Z\t\t\tTLS encrypt the LDAP connection, requires 
\n\t\t\t\tLDAP version 3\n");

#endif
	fprintf(stderr, "\t-g\t\t\tfirst query parameter is base DN extension 
\n\t\t\t\tfor this query\n");

-   fprintf(stderr, "\t-S\t\t\tStrip NT domain from usernames\n");
+	fprintf(stderr, "\t-S char\t\t\tStrip NT domain from usernames  
using 'char' as domain separator. 'char' defaults to both / and \\ \n");

fprintf(stderr, "\n");
	fprintf(stderr, "\tIf you need to bind as a user to perform searches  
then use the\n\t-D binddn -w bindpasswd or -D binddn -W secretfile  
options\n\n");

exit(1);
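Review bot: show the argument as optional in the usage text, `-S [char]`, since `-S` alone still selects the / and \\ defaults; the wrapped fprintf lines here are a mail artifact (the unchanged -Z and -g lines wrap the same way), so the patch needs to be applied from an unwrapped copy.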
@@ -462,11 +474,16 @@
}
rfc1738_unescape(user);
if (strip_nt_domain) {
-   char *u = strchr(user, '\\');
+   char *u = NULL;
+   if (nt_domain_separator) {
+  u = strchr(user, nt_domain_separator);
+   } else {
+  u = strchr(user, '\\');
if (!u)
-   u = strchr(user, '/');
+
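Review bot: this hunk is cut off in the archived message (it ends at a bare `+` line), so the 3.0 strip logic cannot be reviewed to the end. What is visible mirrors the 2.5 version, where the text after the separator is kept, so the same caveat applies: with `-S @` a user@realm login would yield the realm rather than the user. One difference worth a comment in the patch: here the strip runs after `rfc1738_unescape(user)`, so a separator that reaches the helper URL-encoded is decoded before the `strchr`, whereas in the visible 2.5 context the strip follows `strwordtok` directly.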
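The -S separator handling discussed in this patch, as an added example that is not the patch's own code nor part of the Squid project: a stand-alone `strip_nt_domain` that keeps the text after a `\` or `/` separator (DOMAIN\user) and the text before an `@` (user@realm), and handles a missing separator, an empty user part and a too-small output buffer. The function name, the `out`/`outlen` parameters and the sample logins are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the squid_ldap_group.c patch above.
 * Strips a Windows domain from a login name as the -S option intends, but
 * with the separator's position made explicit: '\\' and '/' sit between
 * DOMAIN and user (DOMAIN\user), so the text after them is kept; '@' sits
 * between user and realm (user@realm), so the text before it is kept.
 * sep == 0 keeps the helper's historical default (either '\\' or '/').
 * A name without the separator, or with an empty user part, is returned
 * unchanged, matching the `if (u && u[1])` guard in the original helper.
 * The result is copied into out (outlen bytes); out is returned. */
const char *strip_nt_domain(const char *user, char sep, char *out, size_t outlen)
{
    const char *u = NULL;      /* position of the separator, if any */
    const char *start = user;  /* first byte of the bare user name */
    size_t n = strlen(user);   /* its length */

    if (sep == 0) {
        u = strchr(user, '\\');
        if (!u)
            u = strchr(user, '/');
    } else {
        u = strchr(user, sep);
    }

    if (u && sep == '@' && u != user) {
        n = (size_t)(u - user);          /* alice@realm -> alice */
    } else if (u && sep != '@' && u[1] != '\0') {
        start = u + 1;                   /* DOMAIN\alice -> alice */
        n = strlen(start);
    }

    if (outlen == 0)
        return NULL;
    if (n >= outlen)
        n = outlen - 1;                  /* truncate rather than overflow */
    memcpy(out, start, n);
    out[n] = '\0';
    return out;
}

int main(void)
{
    char buf[64];                        /* constructed sample logins below */
    printf("%s\n", strip_nt_domain("EXAMPLE\\alice", 0, buf, sizeof buf));
    printf("%s\n", strip_nt_domain("alice@example.test", '@', buf, sizeof buf));
    printf("%s\n", strip_nt_domain("EXAMPLE\\", 0, buf, sizeof buf));
    return 0;
}
```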