squid_ldap_group(8)         System Manager's Manual        squid_ldap_group(8)


NAME

       squid_ldap_group - Squid LDAP external acl group helper


SYNOPSIS

       squid_ldap_group -b "base DN" -f "LDAP search filter" [options]
       [ldap_server_name[:port]|URI]...


DESCRIPTION

       This helper allows Squid to connect to an LDAP directory to authorize
       users via LDAP groups.  LDAP options are specified as parameters on the
       command line, while the username(s) and group(s) to be checked against
       the LDAP directory are specified on subsequent lines of input to the
       helper, one username/group pair per line separated by a space.

       As expected by the external_acl construct of Squid, after specifying a
       username and group followed by a new line, this helper will produce
       either OK or ERR on the following line to show if the user is a member
       of the specified group.

       The program operates by searching with a search filter based on the
       user's user name and requested group, and if a match is found it is
       determined that the user belongs to the group.

       -b basedn (REQUIRED)
              Specifies the base DN under which the groups are located.

       -B basedn
              Specifies the base DN under which the users are located (if
              different).

       -g     Specifies that the first query argument sent to the helper by
              Squid is an extension to the basedn and will be temporarily
              added in front of the global basedn for this query.

       -f filter
              LDAP search filter used to search the LDAP directory for any
              matching group memberships.  In the filter %u will be replaced
              by the user name (or DN if the -F or -u options are used) and %g
              by the requested group name.

       -F filter
              LDAP search filter used to search the LDAP directory for any
              matching users.  In the filter %s will be replaced by the user
              name.  If % is to be included literally in the filter then use
              %%.

       -u attr
              LDAP attribute used to construct the user DN from the user name
              and base DN without needing to search for the user.

       -s base|one|sub
              Search scope.  Defaults to 'sub'.

              base: the base object only; one: one level below the base
              object; sub: the subtree below the base object.

       -D binddn -w password
              The DN and password to bind as while performing searches.
              Required if the directory does not allow anonymous searches.

              As the password needs to be written in plain text in your Squid
              configuration and will be sent on the command line to the
              helper, it is strongly recommended to use an account with
              minimal associated privileges.  This is to limit the damage in
              case someone gets hold of a copy of your Squid configuration
              file or extracts the password from a process listing.

       -D binddn -W secretfile
              The DN and the name of a file containing the password to bind as
              while performing searches.

              A less insecure version of the former parameter pair, with two
              advantages: the password does not occur in the process listing,
              and the password is not compromised if someone gets the squid
              configuration file without getting the secretfile.

       -P     Use a persistent LDAP connection.  Normally the LDAP connection
              is only open while verifying a user's group membership, to
              preserve resources at the LDAP server.  This option causes the
              LDAP connection to be kept open, allowing it to be reused for
              further user validations.  Recommended for larger installations.

       -R     Do not follow referrals.

       -a never|always|search|find
              When to dereference aliases.  Defaults to 'never'.

              never: never dereference aliases (default); always: always
              dereference aliases; search: only while searching; find: only
              to find the base object.

       -H ldapuri
              Specify the LDAP server to connect to by an LDAP URI (requires
              OpenLDAP libraries).

       -h ldapserver
              Specify the LDAP server to connect to.

       -p ldapport
              Specify an alternate TCP port where the LDAP server is listening
              if other than the default LDAP port 389.

       -v 2|3 LDAP protocol version.  Defaults to 2 if not specified.

       -Z     Use TLS encryption.

       -E certpath
              Enable LDAP over SSL (requires Netscape LDAP API libraries).

       -c connect_timeout
              Specify the timeout used when connecting to LDAP servers
              (requires Netscape LDAP API libraries).

       -t search_timeout
              Specify the time limit on LDAP search operations.

       -S     Strip the NT domain name component from user names (/ or \
              separated).

       -d     Debug mode where each step taken will get reported in detail.
              Useful for understanding what goes wrong if the result is not
              what is expected.

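       The line protocol and the filter substitution described above, as an
       added example that is not the helper's own code: a Python model of
       squid_ldap_group that reads "user group" pairs, builds the user DN the
       way -u does, expands %u and %g (and %%) in the -f filter with the
       RFC 2254 escaping of substituted values, optionally strips an NT domain
       as -S does, and answers OK or ERR against an in-memory stand-in for the
       directory.  SAMPLE_DIRECTORY, the tiny filter evaluator and every name
       below are assumptions made for this example; the escape=False switch
       exists only to show what the escaping prevents.

```python
"""Added example, not the squid_ldap_group source: a model of the helper's line
protocol ("user group" in, OK or ERR out, per line) and of its -f/-u/-S handling,
run against an in-memory stand-in for the directory.  All names here are assumed."""
import re
import sys

# RFC 2254 section 4: characters that must be escaped inside a filter value so a
# user name such as "*" or "x)(cn=*" cannot change the shape of the filter.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}

def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def expand_filter(template, subs, escape=True):
    """Replace %u/%g/%s placeholders with (escaped) values; '%%' yields a literal '%'.
    escape=False exists only to show what the RFC 2254 escaping prevents."""
    out, i = [], 0
    while i < len(template):
        nxt = template[i + 1] if template[i] == "%" and i + 1 < len(template) else None
        if nxt == "%":
            out.append("%")
        elif nxt in subs:
            out.append(escape_filter_value(subs[nxt]) if escape else subs[nxt])
        else:
            out.append(template[i])
            i += 1
            continue
        i += 2
    return "".join(out)

def strip_nt_domain(user):
    """Option -S: drop a leading NT domain ("DOMAIN\\user" or "DOMAIN/user")."""
    for sep in ("\\", "/"):
        _, found, tail = user.partition(sep)
        if found and tail:
            return tail
    return user

# A tiny evaluator for (&...), (|...) and (attr=value) filters stands in for the
# LDAP server; an unescaped '*' in a value is a wildcard, as on a real server.
def _parse(f, i):
    i += 1                                # skip the opening '('
    if f[i] in "&|":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    j = f.index(")", i)                   # ')' inside a value is escaped, so this ends the component
    attr, _, val = f[i:j].partition("=")
    pat = ".*".join(re.escape(unescape_filter_value(p)) for p in val.split("*"))
    return ("=", attr.lower(), re.compile(f"^{pat}$")), j + 1

def _match(node, entry):
    if node[0] == "=":
        return any(node[2].match(v) for v in entry.get(node[1], ()))
    hits = [_match(k, entry) for k in node[1]]
    return all(hits) if node[0] == "&" else any(hits)

class GroupHelper:
    # Mirrors -B/-u/-f/-S: user DN from the -u attribute and user base, -f expanded with %u/%g.
    def __init__(self, directory, group_filter, user_attr, user_base, strip_domain=False, escape=True):
        self.directory, self.group_filter = directory, group_filter
        self.user_attr, self.user_base = user_attr, user_base
        self.strip_domain, self.escape = strip_domain, escape

    def check(self, user, group):
        if self.strip_domain:
            user = strip_nt_domain(user)
        user_dn = f"{self.user_attr}={user},{self.user_base}"
        filt = expand_filter(self.group_filter, {"u": user_dn, "g": group}, self.escape)
        node, _ = _parse(filt, 0)
        return "OK" if any(_match(node, e) for e in self.directory) else "ERR"

    def serve(self, lines, out=sys.stdout):
        """The external_acl protocol: read 'user group' lines, answer OK or ERR per line."""
        answers = []
        for line in lines:
            parts = line.split()
            # anything that is not exactly one user/group pair is refused, never granted
            answers.append(self.check(*parts) if len(parts) == 2 else "ERR")
            print(answers[-1], file=out, flush=True)
        return answers

PEOPLE = "ou=people,dc=example,dc=com"
SAMPLE_DIRECTORY = [  # constructed sample data: one dict of attribute -> values per entry
    {"cn": {"Group1"}, "member": {f"uid=alice,{PEOPLE}"}},
    {"cn": {"Group2"}, "member": {f"uid=alice,{PEOPLE}", f"uid=bob,{PEOPLE}"}},
]

def make_helper(strip_domain=False, escape=True):
    # Like: squid_ldap_group -B "ou=people,dc=example,dc=com" -u uid -f "(&(cn=%g)(member=%u))" [-S]
    return GroupHelper(SAMPLE_DIRECTORY, "(&(cn=%g)(member=%u))", "uid", PEOPLE, strip_domain, escape)

if __name__ == "__main__":  # e.g. printf 'alice Group1\nbob Group1\n' | python3 ldap_group_model.py
    make_helper(strip_domain=True).serve(sys.stdin)
```

       Piping "alice Group1" and "bob Group1" into it answers OK and ERR, the
       same exchange Squid has with the real helper.  Why substituted values
       must be escaped is visible with make_helper(escape=False): a user name
       of "*" then turns the membership test into a wildcard and Group1
       answers OK for a user who is not in it, which is exactly what the
       RFC 2254 escaping of %u and %g values rules out.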

SQUID CONFIGURATION

       This helper is intended to be used as an external_acl_type helper from
       squid.conf.

       external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ...
       acl group1 external ldap_group Group1
       acl group2 external ldap_group Group2

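       The -D/-w and -D/-W option pairs from DESCRIPTION and the
       external_acl_type line above, as an added example that is not part of
       the man page or of Squid: two Python functions that produce the weak
       and the hardened helper line (the hardened one uses -W secretfile
       together with -v 3, -Z and -P), plus a writer and a checker for the
       secret file, since -W only helps while that file is readable by nobody
       but the account the helper runs as.  The install path, base DN, bind
       DN, server name and file names are constructed sample values, and the
       function names are this example's own.

```python
"""Added example, not part of the man page or of Squid: the -D/-w form beside the
-D/-W form on an external_acl_type line, plus a writer and a checker for the
secret file, since -W only helps while that file is readable by nobody but the
account the helper runs as.  HELPER, BASE, BIND_DN and the paths are constructed
sample values; the function names are this example's own."""
import os
import stat
import tempfile

HELPER = "/usr/lib/squid/squid_ldap_group"               # assumed install path
BASE = "ou=groups,dc=example,dc=com"                      # constructed group base DN
BIND_DN = "cn=squid-ro,ou=services,dc=example,dc=com"    # read-only, least-privilege account
FILTER = "(&(cn=%g)(member=%u))"

def weak_helper_line(password):
    """-w: the secret sits in squid.conf and in the helper's argv (visible in a process listing)."""
    return (f'external_acl_type ldap_group %LOGIN {HELPER} -b "{BASE}" -D "{BIND_DN}" '
            f'-w "{password}" -f "{FILTER}" -v 3 -Z -P ldap.example.com')

def hardened_helper_line(secretfile):
    """-W: squid.conf and the process listing carry only the file name."""
    return (f'external_acl_type ldap_group %LOGIN {HELPER} -b "{BASE}" -D "{BIND_DN}" '
            f'-W {secretfile} -f "{FILTER}" -v 3 -Z -P ldap.example.com')

def write_secretfile(path, password):
    """Create the file with mode 0600 from the first instant; -W reads the password from it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(password + "\n")
    os.chmod(path, 0o600)        # the O_CREAT mode is masked by umask, so enforce it explicitly

def secretfile_problems(path, helper_uid):
    """Reasons the secret file is unsafe for -W; an empty list means it is acceptable."""
    problems = []
    if stat.S_ISLNK(os.lstat(path).st_mode):
        problems.append("is a symlink")
    st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("group or world accessible")
    if st.st_uid != helper_uid:
        problems.append("not owned by the helper's user")
    return problems

def demo():
    """Write a secret file, check it, loosen it the careless way, check again."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ldap-bind-secret")
        write_secretfile(path, "constructed-example-password")
        before = secretfile_problems(path, os.getuid())
        os.chmod(path, 0o644)
        after = secretfile_problems(path, os.getuid())
    return before, after
```

       Run secretfile_problems against the real file with the uid Squid
       starts its helpers as (the cache_effective_user in squid.conf); the
       bind account itself should be one that can only read the group and
       user entries the filter needs, as the -w description above advises.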

NOTES

       When constructing search filters it is recommended to first test the
       filter using ldapsearch before you attempt to use squid_ldap_group.
       This is to verify that the filter matches what you expect.


AUTHOR

       This manual page was written by Henrik Nordstrom <hno@marasystems.com>

       squid_ldap_group is written by Flavio Pescuma <flavio@marasystems.com>
       and Henrik Nordstrom <hno@squid-cache.org>, based on prior work in
       squid_ldap_auth by Glen Newton <glen.newton@nrc.ca>


KNOWN LIMITATIONS

       A maximum of 16 occurrences of %s in the -u argument is supported.


QUESTIONS

       Any questions on usage can be sent to Squid Users
       <squid-users@squid-cache.org>, or to your favorite LDAP list/friend if
       the question is more related to LDAP than Squid.


REPORTING BUGS

       Report bugs or bug-fixes to Squid Bugs <squid-bugs@squid-cache.org> or
       ideas for new improvements to Squid Developers
       <squid-dev@squid-cache.org>.


SEE ALSO

       squid_ldap_auth(8), ldapsearch(1),
       Your favorite LDAP documentation,
       RFC2254 - The String Representation of LDAP Search Filters



Version 2.17                    30 January 2005            squid_ldap_group(8)