ext_kerberos_ldap_group_acl
NAME
ext_kerberos_ldap_group_acl - Squid LDAP external acl group helper for Kerberos or NTLM credentials.
Version 1.3.0sq
SYNOPSIS
ext_kerberos_ldap_group_acl [-h] [-d] [-i] [-s] [-a] [-D Realm ] [-N Netbios-Realm-List] [-P service principal name] [-m Max-Depth] [-u Ldap-User] [-p Ldap-Password] [-b Ldap-Bind-Path] [-l Ldap-URL] [-S ldap server list] -g Group-Realm-List -t Hex-Group-Realm-List -T Hex-Group-Hex-Realm-List
DESCRIPTION
ext_kerberos_ldap_group_acl is an installed binary and allows Squid to connect to an LDAP directory to authorize users via LDAP groups. Options are specified as parameters on the command line, while the usernames (e.g. user, user@REALM, NDOMAIN\user) to be checked against the LDAP directory are specified on subsequent lines of input to the helper, one username per line.
ext_kerberos_ldap_group_acl will determine the ldap server name from DNS SRV and/or A records or a local hosts file (e.g. for the Kerberos Realm SUSE.HOME it will look for an SRV record _ldap._tcp.SUSE.HOME and an A record SUSE.HOME or a SUSE.HOME hosts entry). If no domain information is available from the username the LDAP server will be determined through the command line options.
ext_kerberos_ldap_group_acl requires as a minimum the -g, -t or -T option, which provides the LDAP group name the user has to belong to. For Active Directory a recursive group lookup is implemented up to a maximum depth specified by -m depth. For other LDAP servers an RFC2307bis schema of groups is assumed.
Different group names can be specified for different domains using a group@domain syntax. As expected by the external_acl_type construct of Squid, after specifying a username and group followed by a new line, this helper will produce either OK or ERR on the following line to show if the user is a member of the specified group.
OPTIONS
-h
Display the binary help and command line syntax info using stderr.
-d
Write debug messages to stderr.
-i
Write informational messages to stderr.
-s
Use SSL for the LDAP connection.
The CA certificate file can be set via the environment variable TLS_CACERTFILE (default /etc/ssl/certs/cert.pem) (OpenLDAP).
The SSL certificate database can be set via the environment variable SSL_CERTDBPATH (default /etc/certs) (Sun and Mozilla LDAP SDK).
-a
Allow SSL without certificate verification.
-D Realm
Default Kerberos domain to use for usernames which do not contain domain information (e.g. for users using basic authentication).
-N Netbios-Realm-List
A list of Netbios name mappings to Kerberos domain names of the form Netbios-Name@Kerberos-Realm[:Netbios-Name@Kerberos-Realm] (e.g. for users using NTLM authentication).
-P service principal name
The principal name in the keytab to use. Avoids automated selection of name.
-m Max-Depth
Maximal depth of recursive group search.
-u Ldap-User
Username for LDAP server.
-p Ldap-Password
Password for LDAP server.
As the password needs to be printed in plain text in your Squid configuration, it is strongly recommended to use an account with minimal associated privileges.
This is to limit the damage in case someone gets hold of a copy of your Squid configuration file or extracts the password from a process listing.
-b Ldap-Bind-Path
LDAP server bind path.
-l Ldap-URL
LDAP server URL in the form ldap[s]://server:port
-S ldap server list
A list of LDAP servers of the form lserver|lserver@|lserver@Realm[:lserver@|lserver@Realm]
-g Group-Realm-List
A list of group name per Kerberos domain of the form Group|Group@|Group@Realm[:Group@|Group@Realm]
-t Hex-Group-Realm-List
A list of group name per Kerberos domain of the form Group|Group@|Group@Realm[:Group@|Group@Realm] where group is in UTF-8 hex format
-T Hex-Group-Hex-Realm-List
A list of group name per Kerberos domain of the form Group|Group@|Group@Realm[:Group@|Group@Realm] where group and domain are in UTF-8 hex format
CONFIGURATION
This helper is intended to be used as an external_acl_type helper in squid.conf.
external_acl_type kerberos_ldap_group1 ttl=3600 negative_ttl=3600 %LOGIN /path/to/ext_kerberos_ldap_group_acl -g GROUP1
external_acl_type kerberos_ldap_group2 ttl=3600 negative_ttl=3600 %LOGIN /path/to/ext_kerberos_ldap_group_acl -g GROUP2
acl group1 external kerberos_ldap_group1
acl group2 external kerberos_ldap_group2
NOTE: The following squid startup file modification may be required: add the following lines to the squid startup script to point squid to a keytab file which contains the HTTP/fqdn service principal for the default Kerberos domain. The fqdn must be the proxy name set in IE or Firefox. You cannot use an IP address.
KRB5_KTNAME=/etc/squid/HTTP.keytab
export KRB5_KTNAME
If you use a different Kerberos domain than the machine itself is in, you can point squid to the separate Kerberos config file by setting the following environment variable in the startup script.
KRB5_CONFIG=/etc/krb5-squid.conf
export KRB5_CONFIG
ext_kerberos_ldap_group_acl will determine automagically the right ldap server. The following method is used:
1) For user@REALM
a) Query DNS for SRV record _ldap._tcp.REALM
b) Query DNS for A record REALM
c) Use LDAP_URL if given
2) For user
a) Use domain -D REALM and follow step 1)
b) Use LDAP_URL if given
The groups to check against are determined as follows:
1) For user@REALM
a) Use values given by -g option which contain a @REALM e.g. -g GROUP1@REALM:GROUP2@REALM
b) Use values given by -g option which contain a @ only e.g. -g GROUP1@:GROUP2@
c) Use values given by -g option which do not contain a realm e.g. -g GROUP1:GROUP2
2) For user
a) Use values given by -g option which do not contain a realm e.g. -g GROUP1:GROUP2
3) For NDOMAIN\user
a) Use realm given by -N NDOMAIN@REALM and then use values given by -g option which contain a @REALM e.g. -g GROUP1@REALM:GROUP2@REALM
To support non-ASCII characters use -t GROUP or -t GROUP@REALM instead of -g, where GROUP is the hex UTF-8 representation, e.g.
-t 6d61726b7573 instead of -g markus
The REALM must still be based on the ASCII character set. If REALM also contains non-ASCII characters use -T GROUP@REALM where GROUP and REALM are the hex UTF-8 representation, e.g.
-T 6d61726b7573@57494e3230303352322e484f4d45 instead of -g markus@WIN2003R2.HOME
For a translation to hex UTF-8 see for example http://www.utf8-chartable.de/unicode-utf8-table.pl
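The group selection rules above (three username forms, -N mapping, and the hex-encoded -t/-T lists) are easy to get wrong when writing a squid.conf; the following added example, which is not part of the Squid helper source, models them in Python so a configuration can be checked offline. Function names are assumptions, and the a)/b)/c) ordering is modelled as fallback order (first non-empty category wins), which is also an assumption.

```python
import binascii
from typing import Dict, List, Optional, Tuple

Entry = Tuple[str, str, bool]  # (group, realm or "", had an '@')


def parse_netbios_list(spec: str) -> Dict[str, str]:
    """-N NB1@REALM1:NB2@REALM2 -> {'NB1': 'REALM1', 'NB2': 'REALM2'}."""
    return {nb.upper(): realm
            for nb, realm in (item.split("@", 1) for item in spec.split(":"))}


def parse_group_list(spec: str, hex_group: bool = False,
                     hex_realm: bool = False) -> List[Entry]:
    """-g, -t (hex_group) or -T (hex_group and hex_realm) list -> entries.
    Hex entries are the UTF-8 hex form described in the man page."""
    entries = []
    for item in spec.split(":"):
        group, at, realm = item.partition("@")
        if hex_group:
            group = binascii.unhexlify(group).decode("utf-8")
        if hex_realm and realm:
            realm = binascii.unhexlify(realm).decode("utf-8")
        entries.append((group, realm, at == "@"))
    return entries


def groups_for(name: str, entries: List[Entry],
               netbios_map: Optional[Dict[str, str]] = None,
               default_realm: Optional[str] = None
               ) -> Optional[Tuple[Optional[str], List[str]]]:
    """Return (realm, groups to check) for one username line, or None when
    an NDOMAIN\\user form has no -N mapping (assumption: nothing to check)."""
    bare = [g for g, r, at in entries if not at]
    if "\\" in name:                     # 3) NDOMAIN\user: realm from -N, then @REALM groups
        ndomain = name.split("\\", 1)[0]
        realm = (netbios_map or {}).get(ndomain.upper())
        if realm is None:
            return None
        return realm, [g for g, r, at in entries if r == realm]
    if "@" in name:                      # 1) user@REALM: @REALM, then '@' only, then no realm
        realm = name.rsplit("@", 1)[1]
        for candidates in ([g for g, r, at in entries if r == realm],
                           [g for g, r, at in entries if at and r == ""],
                           bare):
            if candidates:
                return realm, candidates
        return realm, []
    return default_realm, bare           # 2) user: only entries without a realm
```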
The ldap server list can be:
server - In this case server can be used for all Kerberos domains
server@ - In this case server can be used for all Kerberos domains
server@domain - In this case server can be used for Kerberos domain domain
server1a@domain1:server1b@domain1:server2@domain2:server3@:server4 - A list is built with a colon as separator
AUTHOR
This program was written by Markus Moeller <[email protected]>
This manual was written by Markus Moeller <[email protected]>
COPYRIGHT
Copyright (C) 1996-2015 The Squid Software Foundation and contributors
Squid software is distributed under GPLv2+ license and includes contributions from numerous individuals and organizations.
Please see the COPYING and CONTRIBUTORS files for details.
This program and documentation is copyright to the authors named above.
Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).
QUESTIONS
Questions on the usage of this program can be sent to the Squid Users mailing list <[email protected]>
REPORTING BUGS
Bug reports need to be made in English. See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
Report bugs or bug fixes using http://bugs.squid-cache.org/
Report serious security bugs to Squid Bugs <[email protected]>
Report ideas for new improvements to the Squid Developers mailing list <[email protected]>
SEE ALSO
squid(8)
negotiate_kerberos_auth(8)
RFC1035 - Domain names - implementation and specification,
RFC2782 - A DNS RR for specifying the location of services (DNS SRV),
RFC2254 - The String Representation of LDAP Search Filters,
RFC2307bis - An Approach for Using LDAP as a Network Information Service http://www.padl.com/~lukeh/rfc2307bis.txt,
The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
The Squid Configuration Manual http://www.squid-cache.org/Doc/config/