.if !'po4a'hide' .TH ext_lm_group_acl 8
.
.SH NAME
ext_lm_group_acl \- Squid external ACL helper to check Windows users group membership.
.PP
Version 1.22
.
.SH SYNOPSIS
.if !'po4a'hide' .B ext_lm_group_acl
.if !'po4a'hide' .B "[\-D "
domain
.if !'po4a'hide' .B "] [\-cdhGP]"
.
.SH DESCRIPTION
.B ext_lm_group_acl
is an installed binary in Squid for Windows builds.
.PP
This helper must be used with an authentication scheme (typically
Basic or NTLM) based on Windows NT/2000 domain users (LM mode).
.PP
It reads from the standard input the domain username and a list of groups
and tries to match each against the group membership of the specified
username.
.
.SH OPTIONS
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-c
Use case insensitive compare.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-d
Write debug info to stderr.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-D domain
Specify the default user's domain.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-G
Start helper in Domain Global Group mode.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-h
Display the binary help and command line syntax info using stderr.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-P
Use ONLY PDCs for group validation.
.
.SH CONFIGURATION
.if !'po4a'hide' .RS
.if !'po4a'hide' .B external_acl_type NT_global_group %LOGIN c:/squid/libexec/ext_lm_group_acl.exe -G
.if !'po4a'hide' .br
.if !'po4a'hide' .B external_acl_type NT_local_group %LOGIN c:/squid/libexec/ext_lm_group_acl.exe
.if !'po4a'hide' .br
.if !'po4a'hide' .br
.if !'po4a'hide' .B acl GProxyUsers external NT_global_group GProxyUsers
.if !'po4a'hide' .br
.if !'po4a'hide' .B acl LProxyUsers external NT_local_group LProxyUsers
.if !'po4a'hide' .br
.if !'po4a'hide' .B acl password proxy_auth REQUIRED
.if !'po4a'hide' .br
.if !'po4a'hide' .br
.if !'po4a'hide' .B http_access allow password GProxyUsers
.if !'po4a'hide' .br
.if !'po4a'hide' .B http_access allow password LProxyUsers
.if !'po4a'hide' .br
.if !'po4a'hide' .B http_access deny all
.if !'po4a'hide' .RE
.
.PP
In the previous example, all validated NT users who are members of the
GProxyUsers global domain group or of the LProxyUsers machine-local group
are allowed to use the cache.
.
.PP
Groups with spaces in their name, for example
.B "Domain Users"
, must be quoted and the acl data (
.B "Domain Users"
) must be placed into a separate file included by specifying
.B "/path/to/file"
.
The previous example then becomes:
.if !'po4a'hide' .RS
.if !'po4a'hide' acl ProxyUsers external NT_global_group "c:/squid/etc/DomainUsers.txt"
.if !'po4a'hide' .RE
.
The
.B DomainUsers.txt
file will contain only the following line:
.if !'po4a'hide' .RS
.B "Domain Users"
.if !'po4a'hide' .RE
.
.PP
.B NOTE:
The standard group name comparison is case sensitive, so the group name
must be specified with the same case as in the NT/2000 Domain.
It is possible to enable case insensitive group name comparison (
.B \-c
), but on some non-English locales the results can be unexpected.
.
.PP
.B NOTE:
Native WIN32 NTLM and Basic Helpers must be used without the
.B \-A
and
.B \-D
switches.
.PP
Refer to Squid documentation for more details on squid.conf.
.
.SH TESTING
.PP
I strongly recommend that
.B ext_lm_group_acl
is tested prior to being used in a production environment. It may behave differently on different platforms.
.
.PP
To test it, run it from the command line. Enter username and group
pairs separated by a space (username must be entered with URL-encoded
.I domain%5Cusername
syntax). Press
.B ENTER
to get an
.B OK
or
.B ERR
message.
.PP
Make sure pressing
.B CTRL+D
behaves the same as a carriage return.
.PP
Make sure pressing
.B CTRL+C
aborts the program.
.
.PP
Test that entering no details does not result in an
.B OK
or
.B ERR
message.
.PP
Test that entering an invalid username and group results in an
.B ERR
message.
.PP
Test that entering a valid username and group results in an
.B OK
message.
.
.SH AUTHOR
This program was written by
.if !'po4a'hide' .I Guido Serassio <guido.serassio@acmeconsulting.it>
with contributions by
.if !'po4a'hide' .I Henrik Nordstrom <hno@squid-cache.org>
.PP
Based in part on prior work in
.B check_group
by
.if !'po4a'hide' .I Rodrigo Albani de Campos
.PP
This manual was written by
.if !'po4a'hide' .I Guido Serassio <guido.serassio@acmeconsulting.it>
.if !'po4a'hide' .I Amos Jeffries <amosjeffries@squid-cache.org>
.
.SH COPYRIGHT
.PP
 * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
.PP
This program and documentation is copyright to the authors named above.
.PP
Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).
.
.SH QUESTIONS
Questions on the usage of this program can be sent to the
.I Squid Users mailing list
.if !'po4a'hide' <squid-users@lists.squid-cache.org>
.
.SH REPORTING BUGS
Bug reports need to be made in English.
See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
.PP
Report bugs or bug fixes using http://bugs.squid-cache.org/
.PP
Report serious security bugs to
.I Squid Bugs <squid-bugs@lists.squid-cache.org>
.PP
Report ideas for new improvements to the
.I Squid Developers mailing list
.if !'po4a'hide' <squid-dev@lists.squid-cache.org>
.
.SH SEE ALSO
.if !'po4a'hide' .BR squid "(8), "
.if !'po4a'hide' .BR GPL "(7), "
.br
The Squid FAQ wiki
.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq
.br
The Squid Configuration Manual
.if !'po4a'hide' http://www.squid-cache.org/Doc/config/
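.
.PP
The stdin/stdout line protocol described under TESTING, together with the quoting and case-sensitivity notes under CONFIGURATION, modelled as an added example that is not part of the original manual or of Squid. The MEMBERSHIP table is constructed sample data standing in for the Windows group lookup, check_line and ignore_case are hypothetical names, and Python's lower() only approximates what the case insensitive option does.

```python
import sys
from urllib.parse import unquote

# Constructed sample data standing in for the Windows group lookup the
# real helper performs. Keys are DOMAIN\user, values are group names.
MEMBERSHIP = {
    "CORP\\alice": {"GProxyUsers", "Domain Users"},
    "CORP\\bob": {"LProxyUsers"},
    "CORP\\carol": {"Straße-Proxy"},
}


def check_line(line, membership=MEMBERSHIP, ignore_case=False):
    """Return "OK", "ERR", or None (no reply) for one helper input line."""
    fields = line.split()
    if not fields:
        return None  # TESTING: empty input yields neither OK nor ERR
    # Tokens arrive URL-encoded: %5C is the backslash in domain\username,
    # %20 a space inside a group name such as "Domain Users".
    user, *groups = [unquote(f) for f in fields]
    # ignore_case models -c; the default compare is case sensitive.
    fold = str.lower if ignore_case else str
    member_of = {fold(g) for g in membership.get(user, ())}
    # Any one matching group yields OK; unknown users have no groups.
    return "OK" if any(fold(g) in member_of for g in groups) else "ERR"


def main():
    # Same loop shape as the manual test: one request per line, one reply.
    for line in sys.stdin:
        reply = check_line(line)
        if reply is not None:
            print(reply, flush=True)


if __name__ == "__main__":
    main()
```

With ignore_case=True the request CORP%5Ccarol STRASSE-PROXY still returns ERR, because lower() does not map ß to SS; this is one instance of the surprise the case-sensitivity NOTE warns about.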