Man Linux: Main Page and Category List

NAME

       squid_ldap_group - Squid LDAP external acl group helper

SYNOPSIS

       squid_ldap_group  -b  "base  DN"  -f  "LDAP  search  filter"  [options]
       [ldap_server_name[:port]|URI]...

DESCRIPTION

       This helper allows Squid to connect to a LDAP  directory  to  authorize
       users via LDAP groups.  LDAP options are specified as parameters on the
       command line, while the username(s) and group(s) to be checked  against
       the  LDAP  directory  are specified on subsequent lines of input to the
       helper, one username/group pair per line separated by a space.

       As expected by the external_acl construct of Squid, after specifying  a
       username  and  group  followed  by a new line, this helper will produce
       either OK or ERR on the following line to show if the user is a  member
       of the specified group.

       The  program  operates  by  searching with a search filter based on the
       users user name and requested group, and if a  match  is  found  it  is
       determined that the user belongs to the group.

       -b basedn (REQUIRED)
              Specifies the base DN under which the groups are located.

       -B basedn
              Specifies  the  base  DN  under  which the users are located (if
              different)

       -g     Specifies that the first query argument sent to  the  helper  by
              Squid is a extension to the basedn and will be temporarily added
              in front of the global basedn for this query.

       -f filter
              LDAP search filter used to search the  LDAP  directory  for  any
              matching  group memberships.   In the filter %u will be replaced
              by the user name (or DN if the -F or -u options are used) and %g
              by the requested group name.

       -F filter
              LDAP  search  filter  used  to search the LDAP directory for any
              matching users.   In the filter %s will be replaced by the  user
              name.  If  %  is to be included literally in the filter then use
              %%.

       -u attr
              LDAP attribute used to construct the user DN from the user  name
              and base dn without needing to search for the user.

       -s base|one|sub
              search scope. Defaults to ’sub’.

              base  object  only,  one  level below the base object or subtree
              below the base object

       -D binddn -w password
              The DN and  password  to  bind  as  while  performing  searches.
              Required if the directory does not allow anonymous searches.

              As  the password needs to be printed in plain text in your Squid
              configuration and will be sent on the command line to the helper
              it  is  strongly  recommended  to  use  a  account  with minimal
              associated privileges.  This to limit the damage in case someone
              could  get  hold  of  a copy of your Squid configuration file or
              extracts the password used from a process listing.

       -D binddn -W secretfile
              The DN and the name of a file containing the password to bind as
              while performing searches.

              Less  insecure  version  of  the  former parameter pair with two
              advantages: The password does not occur in the process  listing,
              and  the  password  is not being compromised if someone gets the
              squid configuration file without getting the secretfile.

       -P     Use a persistent LDAP connection. Normally the  LDAP  connection
              is  only  open  while  verifying  a  users  group  membership to
              preserve resources at the LDAP server. This  option  causes  the
              LDAP  connection  to  be kept open, allowing it to be reused for
              further user validations. Recommended for larger  installations.

       -R     do not follow referrals

       -a never|always|search|find
              when to dereference aliases. Defaults to ’never’

              never dereference aliases (default), always dereference aliases,
              only while searching or only to find the base object

       -H ldapuri
              Specity the LDAP server to connect to by a  LDAP  URI  (requires
              OpenLDAP libraries)

       -h ldapserver
              Specify the LDAP server to connect to

       -p ldapport
              Specify an alternate TCP port where the ldap server is listening
              if other than the default LDAP port 389.

       -v 2|3 LDAP protocol version. Defaults to 2 if not specified.

       -Z     Use TLS encryption

       -Ecertpath
              Enable LDAP over SSL (requires Netscape LDAP API libraries)

       -cconnect_timeout
              Specify timeout used when connecting to LDAP  servers  (requires
              Netscape LDAP API libraries)

       -tsearch_timeout
              Specify time limit on LDAP search operations

       -S     Strip  NT  domain  name  component  from  user  names  (/  or  \
              separated)

       -K     Strip Kerberos Realm component from user names (@ separated)

       -d     Debug mode where each step taken will get  reported  in  detail.
              Useful  for  understanding what goes wrong if the results is not
              what is expected.

SQUID CONFIGURATION

       This helper is intended to be used as a external_acl_type  helper  from
       squid.conf.

       external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ...
       acl group1 external ldap_group Group1
       acl group2 external ldap_group Group2

NOTES

       When  constructing  search  filters it is recommended to first test the
       filter using ldapsearch before you  attempt  to  use  squid_ldap_group.
       This to verify that the filter matches what you expect.

AUTHOR

       This manual page was written by Henrik Nordstrom <hno@marasystems.com>

       squid_ldap_group  is written by Flavio Pescuma <flavio@marasystems.com>
       and Henrik Nordstrom <hno@squid-cache.org>,  based  on  prior  work  in
       squid_ldap_auth by Glen Newton <glen.newton@nrc.ca>

KNOWN LIMITATIONS

       Max 16 occurrences of %s in the -u argument is supported.

QUESTIONS

       Any  questions  on usage can be sent to Squid Users <squid-users@squid-
       cache.org>, or to your favorite LDAP list/friend  if  the  question  is
       more related to LDAP than Squid.

REPORTING BUGS

       Report  bugs or bug-fixes to Squid Bugs <squid-bugs@squid-cache.org> or
       ideas  for  new  improvements  to  Squid  Developers  <squid-dev@squid-
       cache.org>

SEE ALSO

       squid_ldap_auth(8), ldapsearch(1),
       Your favorite LDAP documentation
       RFC2254 - The String Representation of LDAP Search Filters,