squid_ldap_group(8)         System Manager's Manual        squid_ldap_group(8)

NAME
       squid_ldap_group - Squid LDAP external acl group helper

SYNOPSIS
       squid_ldap_group -b "base DN" -f "LDAP search filter" [options]
       [ldap_server_name[:port]|URI]...

DESCRIPTION
       This helper allows Squid to connect to an LDAP directory to authorize
       users via LDAP groups. LDAP options are specified as parameters on the
       command line, while the username(s) and group(s) to be checked against
       the LDAP directory are specified on subsequent lines of input to the
       helper, one username/group pair per line separated by a space.

       As expected by the external_acl construct of Squid, after specifying a
       username and group followed by a new line, this helper will produce
       either OK or ERR on the following line to show if the user is a member
       of the specified group.

       The program operates by searching with a search filter based on the
       user's user name and requested group; if a match is found, the user is
       determined to belong to the group.

       -b basedn (REQUIRED)
              Specifies the base DN under which the groups are located.

       -B basedn
              Specifies the base DN under which the users are located (if
              different).

       -g     Specifies that the first query argument sent to the helper by
              Squid is an extension to the basedn and will be temporarily
              added in front of the global basedn for this query.

       -f filter
              LDAP search filter used to search the LDAP directory for any
              matching group memberships. In the filter %u will be replaced
              by the user name (or DN if the -F or -u options are used) and %g
              by the requested group name.

       -F filter
              LDAP search filter used to search the LDAP directory for any
              matching users. In the filter %s will be replaced by the user
              name. If % is to be included literally in the filter then use
              %%.

       -u attr
              LDAP attribute used to construct the user DN from the user name
              and base dn without needing to search for the user.

       -s base|one|sub
              Search scope. Defaults to 'sub'.

              base: the base object only; one: one level below the base
              object; sub: the subtree below the base object.

       -D binddn -w password
              The DN and password to bind as while performing searches.
              Required if the directory does not allow anonymous searches.

              As the password needs to be printed in plain text in your Squid
              configuration and will be sent on the command line to the
              helper, it is strongly recommended to use an account with
              minimal associated privileges. This limits the damage in case
              someone gets hold of a copy of your Squid configuration file or
              extracts the password from a process listing.

       -D binddn -W secretfile
              The DN and the name of a file containing the password to bind as
              while performing searches.

              Less insecure version of the former parameter pair, with two
              advantages: the password does not occur in the process listing,
              and the password is not compromised if someone gets the squid
              configuration file without getting the secretfile.

       -P     Use a persistent LDAP connection. Normally the LDAP connection
              is only open while verifying a user's group membership, to
              preserve resources at the LDAP server. This option causes the
              LDAP connection to be kept open, allowing it to be reused for
              further user validations. Recommended for larger installations.

       -R     Do not follow referrals.

       -a never|always|search|find
              When to dereference aliases. Defaults to 'never'.

              never: never dereference aliases (default); always: always
              dereference aliases; search: only while searching; find: only
              to find the base object.

       -H ldapuri
              Specify the LDAP server to connect to by an LDAP URI (requires
              OpenLDAP libraries).

       -h ldapserver
              Specify the LDAP server to connect to.

       -p ldapport
              Specify an alternate TCP port where the ldap server is listening
              if other than the default LDAP port 389.

       -v 2|3 LDAP protocol version. Defaults to 3 if not specified.

       -Z     Use TLS encryption.

       -E certpath
              Enable LDAP over SSL (requires Netscape LDAP API libraries).

       -c connect_timeout
              Specify timeout used when connecting to LDAP servers (requires
              Netscape LDAP API libraries).

       -t search_timeout
              Specify time limit on LDAP search operations.

       -S     Strip NT domain name component from user names (/ or \
              separated).

       -K     Strip Kerberos Realm component from user names (@ separated).

       -d     Debug mode where each step taken will get reported in detail.
              Useful for understanding what goes wrong if the result is not
              what is expected.

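       As an added example (not the helper's own source), the following
       Python models how one "user group" request line becomes the -f filter:
       the -S and -K stripping, the %u/%g/%% substitution, and DN construction
       under -u/-B. Escaping the substituted values (RFC 4515 for filter
       values, RFC 4514 for the RDN) is assumed here as a defensive measure;
       this page does not describe the helper's own escaping behaviour.

```python
# Added example, not squid_ldap_group's source: models how one "user group"
# request line is turned into the -f search filter per the man page's rules.
# Escaping substituted values (RFC 4515) and RDN values (RFC 4514) is a
# defensive assumption; the man page does not describe the helper's escaping.

def normalize_user(user: str, strip_nt: bool = False, strip_krb: bool = False) -> str:
    """Apply -S (drop NT domain, \\ or / separated) and -K (drop @REALM)."""
    if strip_nt:
        user = user.replace("/", "\\").rsplit("\\", 1)[-1]
    if strip_krb:
        user = user.split("@", 1)[0]
    return user

def filter_escape(value: str) -> str:
    """RFC 4515: hex-escape filter metacharacters so a user name such as
    '*)(cn=*' cannot rewrite the filter that Squid's -f template defines."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def dn_escape(value: str) -> str:
    """RFC 4514 (minimal): backslash-escape RDN value specials."""
    return "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)

def expand_filter(template: str, subs: dict) -> str:
    """Replace %u/%g with escaped values; %% stands for a literal %."""
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            nxt = template[i + 1]
            if nxt == "%":
                out.append("%")
                i += 2
                continue
            if nxt in subs:
                out.append(filter_escape(subs[nxt]))
                i += 2
                continue
        out.append(template[i])
        i += 1
    return "".join(out)

def group_filter(line, filt, strip_nt=False, strip_krb=False,
                 user_attr=None, user_base=None):
    """Build the -f filter for one 'user group' line sent by Squid. With
    -u attr (and -B base), %u is the constructed user DN, not the bare name.
    A directory match on this filter is what the helper answers OK to."""
    user, group = line.split(None, 1)
    user = normalize_user(user, strip_nt, strip_krb)
    if user_attr:
        user = "%s=%s,%s" % (user_attr, dn_escape(user), user_base)
    return expand_filter(filt, {"u": user, "g": group})
```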

SQUID CONFIGURATION
       This helper is intended to be used as an external_acl_type helper from
       squid.conf.

       external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ...
       acl group1 external ldap_group Group1
       acl group2 external ldap_group Group2

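       Added example (not from this manual page): a complete external_acl_type
       line that uses the -W secretfile form so the bind password is kept out
       of squid.conf and the process listing, binds with a read-only service
       account, and uses -u/-B so %u is the user DN. The helper path, base
       DNs, filter, bind DN, secret file path and server name are assumed
       values.

```conf
external_acl_type ldap_group %LOGIN /usr/lib/squid/squid_ldap_group -P -Z -R -b "ou=groups,dc=example,dc=com" -B "ou=people,dc=example,dc=com" -u uid -f "(&(objectClass=groupOfNames)(cn=%g)(member=%u))" -D "cn=squid-reader,ou=services,dc=example,dc=com" -W /etc/squid/ldap_bind_password ldap.example.com
acl group1 external ldap_group Group1
http_access allow group1
```

       The secret file should be readable only by the user Squid runs the
       helper as; with -Z the bind and searches go over TLS rather than in
       clear text.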

NOTES
       When constructing search filters it is recommended to first test the
       filter using ldapsearch before you attempt to use squid_ldap_group.
       This verifies that the filter matches what you expect.

AUTHOR
       This manual page was written by Henrik Nordstrom <hno@marasystems.com>

       squid_ldap_group is written by Flavio Pescuma <flavio@marasystems.com>
       and Henrik Nordstrom <hno@squid-cache.org>, based on prior work in
       squid_ldap_auth by Glen Newton <glen.newton@nrc.ca>

KNOWN LIMITATIONS
       At most 16 occurrences of %s in the -u argument are supported.

QUESTIONS
       Any questions on usage can be sent to Squid Users
       <squid-users@squid-cache.org>, or to your favorite LDAP list/friend if
       the question is more related to LDAP than Squid.

REPORTING BUGS
       Report bugs or bug-fixes to Squid Bugs <squid-bugs@squid-cache.org> or
       ideas for new improvements to Squid Developers
       <squid-dev@squid-cache.org>

SEE ALSO
       squid_ldap_auth(8), ldapsearch(1),
       Your favorite LDAP documentation,
       RFC2254 - The String Representation of LDAP Search Filters



Version 2.17                    30 January 2005            squid_ldap_group(8)