.if !'po4a'hide' .TH ext_kerberos_ldap_group_acl 8
.
.SH NAME
ext_kerberos_ldap_group_acl \- Squid LDAP external acl group helper for Kerberos or NTLM credentials.
.PP
Version 1.3.0sq
.
.SH SYNOPSIS
.if !'po4a'hide' .B ext_kerberos_ldap_group_acl
.if !'po4a'hide' .B [\-h] [\-d] [\-i] [\-s] [\-a] [\-D Realm ] [\-N Netbios\-Realm\-List] [\-P service principal name] [\-m Max\-Depth] [\-u Ldap\-User] [\-p Ldap\-Password] [\-b Ldap\-Bind\-Path] [\-l Ldap\-URL] [\-S ldap server list] \-g Group\-Realm\-List \-t Hex\-Group\-Realm\-List \-T Hex\-Group\-Hex\-Realm\-List
.
.SH DESCRIPTION
.B ext_kerberos_ldap_group_acl
is an installed binary and allows Squid to connect to an LDAP directory to
authorize users via LDAP groups. Options are specified as parameters on the
command line, while the username (e.g.
.B user
,
.B user@REALM
,
.B NDOMAIN\\user
) to be checked against the LDAP directory is specified on subsequent lines of
input to the helper, one username per line.
.PP
.B ext_kerberos_ldap_group_acl
will determine the ldap server name from DNS SRV and/or A records or a
local hosts file (e.g. for the Kerberos Realm
.B SUSE.HOME
it will look for an SRV record
.B _ldap._tcp.SUSE.HOME
and an A record
.B SUSE.HOME
or a
.B SUSE.HOME
hosts entry). If no domain information is available from the
username the LDAP server will be determined through the command line options.
.PP
.B ext_kerberos_ldap_group_acl
requires as a minimum the
.B \-g
,
.B \-t
or
.B \-T
option which provides the LDAP group name the user has to belong to. For Active Directory
a recursive group lookup is implemented up to the maximum depth specified by the
.B \-m
option. For other LDAP servers an RFC2307bis schema of groups is assumed.
.PP
Different group names can be specified for different domains using a
group@domain syntax.
As expected by the
.B external_acl_type
construct of Squid, after
specifying a username and group followed by a new line, this
helper will produce either
.B OK
or
.B ERR
on the following line
to show if the user is a member of the specified group.
.
.SH OPTIONS
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-h
Display the binary help and command line syntax info using stderr.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-d
Write debug messages to stderr.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-i
Write informational messages to stderr.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-s
Use SSL for the LDAP connection.
.IP
The CA certificate file can be set via the environment variable TLS_CACERTFILE (default /etc/ssl/certs/cert.pem) (OpenLDAP).
.IP
The SSL certificate database can be set via the environment variable SSL_CERTDBPATH (default /etc/certs) (Sun and Mozilla LDAP SDK).
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-a
Allow SSL without certificate verification.
.IP
Without certificate verification the helper cannot tell the genuine LDAP server from an impersonator,
so the bind credentials and the group decisions are only as trustworthy as the network path;
prefer a correct CA configuration via TLS_CACERTFILE or SSL_CERTDBPATH.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-D Realm
Default Kerberos domain to use for usernames which do not contain domain
information (e.g. for users using basic authentication).
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-N Netbios\-Realm\-List
A list of Netbios name mappings to Kerberos domain names of the form
Netbios\-Name@Kerberos\-Realm[:Netbios\-Name@Kerberos\-Realm] (e.g. for users
using NTLM authentication).
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-P service principal name
The principal name in the keytab to use. Avoids automated selection of the name.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-m Max\-Depth
Maximal depth of the recursive group search.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-u Ldap\-User
Username for the LDAP server.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-p Ldap\-Password
Password for the LDAP server.
.IP
As the password needs to be printed in plain text in your Squid configuration
it is strongly recommended to use an account with minimal associated privileges.
.IP
This is to limit the damage in case someone could get hold of a copy of your Squid
configuration file or extract the password used from a process listing.
.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-b Ldap\-Bind\-Path
LDAP server bind path.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-l Ldap\-URL
LDAP server URL in the form ldap[s]://server:port
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-S ldap server list
A list of ldap servers of the form
lserver|lserver@|lserver@Realm[:lserver@|lserver@Realm]
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-g Group\-Realm\-List
A list of group names per Kerberos domain of the form
Group|Group@|Group@Realm[:Group@|Group@Realm]
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-t Hex\-Group\-Realm\-List
A list of group names per Kerberos domain of the
form Group|Group@|Group@Realm[:Group@|Group@Realm] where the group is in
UTF\-8 hex format
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-T Hex\-Group\-Hex\-Realm\-List
A list of group names per Kerberos domain of the form
Group|Group@|Group@Realm[:Group@|Group@Realm] where the group and the domain
are in UTF\-8 hex format
.
.SH CONFIGURATION
.PP
This helper is intended to be used as an
.B external_acl_type
helper in
.B squid.conf.
.if !'po4a'hide' .P
.if !'po4a'hide' .ft CR
.if !'po4a'hide' .nf
.if !'po4a'hide' external_acl_type kerberos_ldap_group1 ttl=3600 negative_ttl=3600 %LOGIN /path/to/ext_kerberos_ldap_group_acl \-g GROUP1
.if !'po4a'hide' .br
.if !'po4a'hide' external_acl_type kerberos_ldap_group2 ttl=3600 negative_ttl=3600 %LOGIN /path/to/ext_kerberos_ldap_group_acl \-g GROUP2
.if !'po4a'hide' .br
.if !'po4a'hide' acl group1 external kerberos_ldap_group1
.if !'po4a'hide' .br
.if !'po4a'hide' acl group2 external kerberos_ldap_group2
.if !'po4a'hide' .fi
.if !'po4a'hide' .ft
.PP
.B NOTE:
The following squid startup file modification may be required:
.
Add the following lines to the squid startup script to point squid to a keytab file which
contains the HTTP/fqdn service principal for the default Kerberos domain. The fqdn must be
the proxy name set in IE or Firefox. You cannot use an IP address.
.if !'po4a'hide' .P
.if !'po4a'hide' .ft CR
.if !'po4a'hide' .nf
.if !'po4a'hide' KRB5_KTNAME=/etc/squid/HTTP.keytab
.if !'po4a'hide' export KRB5_KTNAME
.if !'po4a'hide' .fi
.if !'po4a'hide' .ft
.
If you use a different Kerberos domain than the one the machine itself is in, you can point squid to
a separate Kerberos config file by setting the following environment variable in the startup
script.
.if !'po4a'hide' .P
.if !'po4a'hide' .ft CR
.if !'po4a'hide' .nf
.if !'po4a'hide' KRB5_CONFIG=/etc/krb5\-squid.conf
.if !'po4a'hide' export KRB5_CONFIG
.if !'po4a'hide' .fi
.if !'po4a'hide' .ft
.
.B ext_kerberos_ldap_group_acl
will determine automagically the right ldap server.
The following method is used:
.nf
1) For user@REALM
   a) Query DNS for SRV record _ldap._tcp.REALM
   b) Query DNS for A record REALM
   c) Use LDAP_URL if given

2) For user
   a) Use domain \-D REALM and follow step 1)
   b) Use LDAP_URL if given
.fi
.PP
The groups to check against are determined as follows:
.nf
1) For user@REALM
   a) Use values given by the \-g option which contain a @REALM, e.g. \-g GROUP1@REALM:GROUP2@REALM
   b) Use values given by the \-g option which contain a @ only, e.g. \-g GROUP1@:GROUP2@
   c) Use values given by the \-g option which do not contain a realm, e.g. \-g GROUP1:GROUP2

2) For user
   a) Use values given by the \-g option which do not contain a realm, e.g. \-g GROUP1:GROUP2

3) For NDOMAIN\\user
   a) Use the realm given by \-N NDOMAIN@REALM and then use values given by the \-g option which contain a @REALM, e.g. \-g GROUP1@REALM:GROUP2@REALM
.fi
.PP
To support non\-ASCII characters use \-t GROUP or \-t GROUP@REALM instead of \-g, where GROUP is the hex UTF\-8 representation, e.g.
.nf
 \-t 6d61726b7573 instead of \-g markus
.fi
.PP
The REALM must still be based on the ASCII character set. If REALM also contains non\-ASCII characters use \-T GROUP@REALM, where GROUP and REALM are the hex UTF\-8 representation, e.g.
.nf
 \-T 6d61726b7573@57494e3230303352322e484f4d45 instead of \-g markus@WIN2003R2.HOME
.fi
.PP
For a translation of hex UTF\-8 see for example http://www.utf8\-chartable.de/unicode\-utf8\-table.pl
.PP
The ldap server list can be:
.nf
server \- In this case server can be used for all Kerberos domains
server@ \- In this case server can be used for all Kerberos domains
server@domain \- In this case server can be used for Kerberos domain domain
server1a@domain1:server1b@domain1:server2@domain2:server3@:server4 \- A list is built with a colon as separator
.fi
.
.SH AUTHOR
This program was written by
.if !'po4a'hide' .I Markus Moeller <markus_moeller@compuserve.com>
.PP
This manual was written by
.if !'po4a'hide' .I Markus Moeller <markus_moeller@compuserve.com>
.
.SH COPYRIGHT
.PP
 * Copyright (C) 1996\-2015 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
.PP
This program and documentation is copyright to the authors named above.
.PP
Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).
.
.SH QUESTIONS
Questions on the usage of this program can be sent to the
.I Squid Users mailing list
.if !'po4a'hide' <squid\-users@lists.squid\-cache.org>
.
.SH REPORTING BUGS
Bug reports need to be made in English.
See http://wiki.squid\-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
.PP
Report bugs or bug fixes using http://bugs.squid\-cache.org/
.PP
Report serious security bugs to
.I Squid Bugs <squid\-bugs@lists.squid\-cache.org>
.PP
Report ideas for new improvements to the
.I Squid Developers mailing list
.if !'po4a'hide' <squid\-dev@lists.squid\-cache.org>
.
.SH SEE ALSO
.if !'po4a'hide' .BR squid "(8) "
.if !'po4a'hide' .BR negotiate_kerberos_auth "(8) "
.br
.BR RFC1035 " \- Domain names \- implementation and specification,"
.br
.BR RFC2782 " \- A DNS RR for specifying the location of services (DNS SRV),"
.br
.BR RFC2254 " \- The String Representation of LDAP Search Filters,"
.br
.BR RFC2307bis " \- An Approach for Using LDAP as a Network Information Service
http://www.padl.com/~lukeh/rfc2307bis.txt,"
.br
The Squid FAQ wiki
.if !'po4a'hide' http://wiki.squid\-cache.org/SquidFaq
.br
The Squid Configuration Manual
.if !'po4a'hide' http://www.squid\-cache.org/Doc/config/