[thirdparty/squid.git] / src / acl / external / LDAP_group / ext_ldap_group_acl.8

.if !'po4a'hide' .TH ext_ldap_group_acl 8 "30 January 2005"
.
.SH NAME
ext_ldap_group_acl \- Squid LDAP external acl group helper
.PP
Version 2.18
.
.SH SYNOPSIS
.if !'po4a'hide' .B ext_ldap_group_acl
.if !'po4a'hide' .B \-b
base\-DN
.if !'po4a'hide' .B \-f
filter
.if !'po4a'hide' .B "["
options
.if !'po4a'hide' .B "] ["
server
.if !'po4a'hide' .B "[ ':' "
port
.if !'po4a'hide' .B "] |"
URI
.if !'po4a'hide' .B "] ..."
.
.SH DESCRIPTION
.B ext_ldap_group_acl
allows Squid to connect to a LDAP directory to authorize users via LDAP groups.
LDAP options are specified as parameters on the command line,
while the username(s) and group(s) to be checked against the
LDAP directory are specified on subsequent lines of input to the
helper, one username/group pair per line separated by a space.
.PP
As expected by the
.B external_acl_type
construct of Squid, after
specifying a username and group followed by a new line, this
helper will produce either
.B OK
or
.B ERR
on the following line
to show if the user is a member of the specified group.
.PP
The program operates by searching with a search filter based
on the users user name and requested group, and if a match
is found it is determined that the user belongs to the group.
.
.SH OPTIONS
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .BI "\-a " never|always|search|find
When to dereference aliases. Defaults to 'never'
.IP
.BI never
dereference aliases (default),
.BI always
dereference aliases, only during a
.BR search
or only to
.B find
the base object
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI "\-b " "basedn "
.B REQUIRED.
Specifies the base DN under which the groups are located.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI "\-B " "basedn "
Specifies the base DN under which the users are located (if different)
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI \-c " connect_timeout"
Specify timeout used when connecting to LDAP servers (requires
Netscape LDAP API libraries)
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI \-d
Debug mode where each step taken will get reported in detail.
Useful for understanding what goes wrong if the result is
not what was expected.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI "\-D " "binddn " "\-w " password
The DN and password to bind as while performing searches. Required
if the LDAP directory does not allow anonymous searches.
.IP
As the password needs to be printed in plain text in your Squid configuration
and will be sent on the command line to the helper it is strongly recommended
to use a account with minimal associated privileges.  This to limit the damage
in case someone could get hold of a copy of your Squid configuration file or
extracts the password used from a process listing.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI "\-D " "binddn " "\-W " "secretfile "
The DN and the name of a file containing the password
to bind as while performing searches. 
.IP
Less insecure version of the former parameter pair with two advantages:
The password does not occur in the process listing, 
and the password is not being compromised if someone gets the squid 
configuration file without getting the secretfile.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI "\-E " certpath
Enable LDAP over SSL (requires Netscape LDAP API libraries)
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI "\-f " filter
LDAP search filter used to search the LDAP directory for any
matching group memberships.
.BR
In the filter
.B %u
will be replaced by the user name (or DN if
the
.B \-F
or
.B \-u
options are used) and
.B %g
by the requested group name.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI "\-F " filter
LDAP search filter used to search the LDAP directory for any
matching users.
.BR
In the filter
.B %s
will be replaced by the user name. If
.B %
is to be included literally in the filter then use
.B %%
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .B "\-g"
Specifies that the first query argument sent to the helper by Squid is
a extension to the basedn and will be temporarily added in front of the
global basedn for this query.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI \-h " ldapserver"
Specify the LDAP server to connect to
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI \-H " ldapuri"
Specify the LDAP server to connect to by a LDAP URI (requires OpenLDAP libraries)
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI \-K
Strip Kerberos Realm component from user names (@ separated)
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI \-p " ldapport"
Specify an alternate TCP port where the LDAP server is listening if
other than the default LDAP port 389.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI \-P
Use a persistent LDAP connection. Normally the LDAP connection
is only open while verifying a users group membership to preserve
resources at the LDAP server. This option causes the LDAP connection to
be kept open, allowing it to be reused for further user
validations. Recommended for larger installations.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI \-R
Do not follow referrals
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI "-s " base|one|sub
search scope. Defaults to
.B sub
.IP
.B base
object only,
.IP 
.B one
level below the base object or
.IP
.BR sub tree
below the base object
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI \-S
Strip NT domain name component from user names (/ or \\ separated)
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI \-t " search_timeout"
Specify time limit on LDAP search operations
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI "\-u " attr
LDAP attribute used to construct the user DN from the user name and
base dn without needing to search for the user.
A maximum of 16 occurrences of
.B %s
are supported.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI \-v " 2|3"
LDAP protocol version. Defaults to 
.B 3 
if not specified.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI \-Z
Use TLS encryption
.
.SH CONFIGURATION
This helper is intended to be used as an
.B external_acl_type
helper in
.B squid.conf .
.
.if !'po4a'hide' .RS
.if !'po4a'hide' .B external_acl_type ldap_group %LOGIN /path/to/ext_ldap_group_acl ...
.if !'po4a'hide' .br
.if !'po4a'hide' .B acl group1 external ldap_group Group1
.if !'po4a'hide' .br
.if !'po4a'hide' .B acl group2 external ldap_group Group2
.if !'po4a'hide' .RE
.
.PP
.B NOTE:
When constructing search filters it is recommended to first test the filter using
.B ldapsearch
to verify that the filter matches what you expect before you attempt to use
.B ext_ldap_group_acl
.
.SH AUTHOR
This program was written by 
.if !'po4a'hide' .I Flavio Pescuma <flavio@marasystems.com>
.if !'po4a'hide' .I Henrik Nordstrom <hno@squid-cache.org>
.PP
Based on prior work in
.B squid_ldap_auth
by
.if !'po4a'hide' .I Glen Newton <glen.newton@nrc.ca>
.PP
This manual was written by
.if !'po4a'hide' .I Henrik Nordstrom <hno@marasystems.com>
.
.SH COPYRIGHT
.PP
 * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
.PP
This program and documentation is copyright to the authors named above.
.PP
Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).
.
.SH QUESTIONS
Questions on the usage of this program can be sent to the
.I Squid Users mailing list
.if !'po4a'hide' <squid-users@lists.squid-cache.org>
.PP
Or contact your favorite LDAP list/friend if the question is more related to
LDAP than Squid.
.
.SH REPORTING BUGS
Bug reports need to be made in English.
See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
.PP
Report bugs or bug fixes using http://bugs.squid-cache.org/
.PP
Report serious security bugs to
.I Squid Bugs <squid-bugs@lists.squid-cache.org>
.PP
Report ideas for new improvements to the
.I Squid Developers mailing list
.if !'po4a'hide' <squid-dev@lists.squid-cache.org>
.
.SH SEE ALSO
.if !'po4a'hide' .BR squid "(8), "
.if !'po4a'hide' .BR basic_ldap_auth "(8), "
.if !'po4a'hide' .BR ldapsearch "(1), "
.if !'po4a'hide' .BR GPL "(7), "
.br
Your favorite LDAP documentation
.br
.BR RFC2254 " - The String Representation of LDAP Search Filters,"
.br
The Squid FAQ wiki
.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq
.br
The Squid Configuration Manual
.if !'po4a'hide' http://www.squid-cache.org/Doc/config/
Commit	Line	Data
c152a447	1	.if !'po4a'hide' .TH ext_ldap_group_acl 8 "30 January 2005"
28e81872	2	.
28e81872	3	.SH NAME
d632afde	4	ext_ldap_group_acl \- Squid LDAP external acl group helper
83915266	5	.PP
5a14d64b	6	Version 2.18
28e81872	7	.
28e81872	8	.SH SYNOPSIS
c152a447	9	.if !'po4a'hide' .B ext_ldap_group_acl
30133696 AJ	10	.if !'po4a'hide' .B \-b
	11	base\-DN
	12	.if !'po4a'hide' .B \-f
	13	filter
	14	.if !'po4a'hide' .B "["
83915266 AJ	15	options
83915266 AJ	16	.if !'po4a'hide' .B "] ["
30133696 AJ	17	server
30133696 AJ	18	.if !'po4a'hide' .B "[ ':' "
83915266	19	port
30133696	20	.if !'po4a'hide' .B "] \|"
83915266	21	URI
30133696	22	.if !'po4a'hide' .B "] ..."
28e81872	23	.
28e81872	24	.SH DESCRIPTION
c152a447	25	.B ext_ldap_group_acl
83915266	26	allows Squid to connect to a LDAP directory to authorize users via LDAP groups.
b10eaeab	27	LDAP options are specified as parameters on the command line,
	28	while the username(s) and group(s) to be checked against the
	29	LDAP directory are specified on subsequent lines of input to the
	30	helper, one username/group pair per line separated by a space.
83915266	31	.PP
8c2b74bc AJ	32	As expected by the
	33	.B external_acl_type
	34	construct of Squid, after
b10eaeab	35	specifying a username and group followed by a new line, this
8c2b74bc AJ	36	helper will produce either
	37	.B OK
	38	or
	39	.B ERR
	40	on the following line
b10eaeab	41	to show if the user is a member of the specified group.
83915266	42	.PP
28e81872	43	The program operates by searching with a search filter based
5eecb267	44	on the users user name and requested group, and if a match
28e81872	45	is found it is determined that the user belongs to the group.
28e81872	46	.
83915266 AJ	47	.SH OPTIONS
	48	.if !'po4a'hide' .TP 12
	49	.if !'po4a'hide' .BI "\-a " never\|always\|search\|find
	50	When to dereference aliases. Defaults to 'never'
	51	.IP
	52	.BI never
	53	dereference aliases (default),
	54	.BI always
2b61af8e LU	55	dereference aliases, only during a
2b61af8e LU	56	.BR search
83915266 AJ	57	or only to
	58	.B find
	59	the base object
	60	.
	61	.if !'po4a'hide' .TP
	62	.if !'po4a'hide' .BI "\-b " "basedn "
	63	.B REQUIRED.
28e81872	64	Specifies the base DN under which the groups are located.
28e81872	65	.
83915266 AJ	66	.if !'po4a'hide' .TP
83915266 AJ	67	.if !'po4a'hide' .BI "\-B " "basedn "
6708c52c	68	Specifies the base DN under which the users are located (if different)
6708c52c	69	.
83915266 AJ	70	.if !'po4a'hide' .TP
	71	.if !'po4a'hide' .BI \-c " connect_timeout"
	72	Specify timeout used when connecting to LDAP servers (requires
	73	Netscape LDAP API libraries)
28e81872	74	.
83915266 AJ	75	.if !'po4a'hide' .TP
	76	.if !'po4a'hide' .BI \-d
	77	Debug mode where each step taken will get reported in detail.
c152a447 AJ	78	Useful for understanding what goes wrong if the result is
c152a447 AJ	79	not what was expected.
28e81872	80	.
83915266 AJ	81	.if !'po4a'hide' .TP
83915266 AJ	82	.if !'po4a'hide' .BI "\-D " "binddn " "\-w " password
28e81872	83	The DN and password to bind as while performing searches. Required
c152a447	84	if the LDAP directory does not allow anonymous searches.
28e81872	85	.IP
	86	As the password needs to be printed in plain text in your Squid configuration
	87	and will be sent on the command line to the helper it is strongly recommended
	88	to use a account with minimal associated privileges. This to limit the damage
	89	in case someone could get hold of a copy of your Squid configuration file or
	90	extracts the password used from a process listing.
	91	.
83915266 AJ	92	.if !'po4a'hide' .TP
83915266 AJ	93	.if !'po4a'hide' .BI "\-D " "binddn " "\-W " "secretfile "
954a8513	94	The DN and the name of a file containing the password
	95	to bind as while performing searches.
	96	.IP
	97	Less insecure version of the former parameter pair with two advantages:
	98	The password does not occur in the process listing,
	99	and the password is not being compromised if someone gets the squid
	100	configuration file without getting the secretfile.
	101	.
83915266	102	.if !'po4a'hide' .TP
30133696	103	.if !'po4a'hide' .BI "\-E " certpath
83915266	104	Enable LDAP over SSL (requires Netscape LDAP API libraries)
28e81872	105	.
06fcded4	106	.if !'po4a'hide' .TP
83915266 AJ	107	.if !'po4a'hide' .BI "\-f " filter
	108	LDAP search filter used to search the LDAP directory for any
	109	matching group memberships.
	110	.BR
	111	In the filter
	112	.B %u
	113	will be replaced by the user name (or DN if
	114	the
	115	.B \-F
	116	or
	117	.B \-u
	118	options are used) and
	119	.B %g
	120	by the requested group name.
28e81872	121	.
83915266 AJ	122	.if !'po4a'hide' .TP
	123	.if !'po4a'hide' .BI "\-F " filter
	124	LDAP search filter used to search the LDAP directory for any
	125	matching users.
	126	.BR
	127	In the filter
	128	.B %s
	129	will be replaced by the user name. If
	130	.B %
	131	is to be included literally in the filter then use
	132	.B %%
	133	.
	134	.if !'po4a'hide' .TP
	135	.if !'po4a'hide' .B "\-g"
	136	Specifies that the first query argument sent to the helper by Squid is
	137	a extension to the basedn and will be temporarily added in front of the
	138	global basedn for this query.
28e81872	139	.
83915266 AJ	140	.if !'po4a'hide' .TP
	141	.if !'po4a'hide' .BI \-h " ldapserver"
	142	Specify the LDAP server to connect to
	143	.
	144	.if !'po4a'hide' .TP
	145	.if !'po4a'hide' .BI \-H " ldapuri"
2b61af8e	146	Specify the LDAP server to connect to by a LDAP URI (requires OpenLDAP libraries)
5eecb267	147	.
83915266 AJ	148	.if !'po4a'hide' .TP
	149	.if !'po4a'hide' .BI \-K
	150	Strip Kerberos Realm component from user names (@ separated)
	151	.
	152	.if !'po4a'hide' .TP
	153	.if !'po4a'hide' .BI \-p " ldapport"
c152a447	154	Specify an alternate TCP port where the LDAP server is listening if
28e81872	155	other than the default LDAP port 389.
28e81872	156	.
83915266 AJ	157	.if !'po4a'hide' .TP
	158	.if !'po4a'hide' .BI \-P
	159	Use a persistent LDAP connection. Normally the LDAP connection
	160	is only open while verifying a users group membership to preserve
	161	resources at the LDAP server. This option causes the LDAP connection to
	162	be kept open, allowing it to be reused for further user
	163	validations. Recommended for larger installations.
b10eaeab	164	.
83915266 AJ	165	.if !'po4a'hide' .TP
	166	.if !'po4a'hide' .BI \-R
	167	Do not follow referrals
653b264e	168	.
83915266 AJ	169	.if !'po4a'hide' .TP
	170	.if !'po4a'hide' .BI "-s " base\|one\|sub
	171	search scope. Defaults to
	172	.B sub
	173	.IP
	174	.B base
	175	object only,
	176	.IP
	177	.B one
	178	level below the base object or
	179	.IP
	180	.BR sub tree
	181	below the base object
653b264e	182	.
83915266 AJ	183	.if !'po4a'hide' .TP
	184	.if !'po4a'hide' .BI \-S
	185	Strip NT domain name component from user names (/ or \\ separated)
	186	.
	187	.if !'po4a'hide' .TP
	188	.if !'po4a'hide' .BI \-t " search_timeout"
653b264e	189	Specify time limit on LDAP search operations
653b264e	190	.
83915266 AJ	191	.if !'po4a'hide' .TP
	192	.if !'po4a'hide' .BI "\-u " attr
	193	LDAP attribute used to construct the user DN from the user name and
	194	base dn without needing to search for the user.
	195	A maximum of 16 occurrences of
	196	.B %s
	197	are supported.
6708c52c	198	.
83915266 AJ	199	.if !'po4a'hide' .TP
83915266 AJ	200	.if !'po4a'hide' .BI \-v " 2\|3"
06fcded4	201	LDAP protocol version. Defaults to
a2c8080d AJ	202	.B 3
a2c8080d AJ	203	if not specified.
0b9ea7bb	204	.
83915266 AJ	205	.if !'po4a'hide' .TP
	206	.if !'po4a'hide' .BI \-Z
	207	Use TLS encryption
6708c52c	208	.
83915266	209	.SH CONFIGURATION
8c2b74bc AJ	210	This helper is intended to be used as an
	211	.B external_acl_type
	212	helper in
06fcded4 AJ	213	.B squid.conf .
	214	.
	215	.if !'po4a'hide' .RS
	216	.if !'po4a'hide' .B external_acl_type ldap_group %LOGIN /path/to/ext_ldap_group_acl ...
8c2b74bc	217	.if !'po4a'hide' .br
06fcded4	218	.if !'po4a'hide' .B acl group1 external ldap_group Group1
8c2b74bc	219	.if !'po4a'hide' .br
06fcded4 AJ	220	.if !'po4a'hide' .B acl group2 external ldap_group Group2
	221	.if !'po4a'hide' .RE
	222	.
83915266 AJ	223	.PP
83915266 AJ	224	.B NOTE:
06fcded4	225	When constructing search filters it is recommended to first test the filter using
92a0c1e0 AJ	226	.B ldapsearch
92a0c1e0 AJ	227	to verify that the filter matches what you expect before you attempt to use
c152a447	228	.B ext_ldap_group_acl
28e81872	229	.
28e81872	230	.SH AUTHOR
8c2b74bc AJ	231	This program was written by
	232	.if !'po4a'hide' .I Flavio Pescuma <flavio@marasystems.com>
	233	.if !'po4a'hide' .I Henrik Nordstrom <hno@squid-cache.org>
83915266	234	.PP
8c2b74bc AJ	235	Based on prior work in
	236	.B squid_ldap_auth
	237	by
	238	.if !'po4a'hide' .I Glen Newton <glen.newton@nrc.ca>
83915266	239	.PP
8c2b74bc AJ	240	This manual was written by
8c2b74bc AJ	241	.if !'po4a'hide' .I Henrik Nordstrom <hno@marasystems.com>
28e81872	242	.
83915266	243	.SH COPYRIGHT
ca02e0ec	244	.PP
5b74111a	245	* Copyright (C) 1996-2018 The Squid Software Foundation and contributors
ca02e0ec AJ	246	*
	247	* Squid software is distributed under GPLv2+ license and includes
	248	* contributions from numerous individuals and organizations.
	249	* Please see the COPYING and CONTRIBUTORS files for details.
	250	.PP
83915266 AJ	251	This program and documentation is copyright to the authors named above.
83915266 AJ	252	.PP
c871f41e	253	Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).
28e81872	254	.
28e81872	255	.SH QUESTIONS
83915266 AJ	256	Questions on the usage of this program can be sent to the
83915266 AJ	257	.I Squid Users mailing list
8311b837	258	.if !'po4a'hide' <squid-users@lists.squid-cache.org>
83915266 AJ	259	.PP
83915266 AJ	260	Or contact your favorite LDAP list/friend if the question is more related to
28e81872	261	LDAP than Squid.
	262	.
	263	.SH REPORTING BUGS
c871f41e AJ	264	Bug reports need to be made in English.
	265	See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
	266	.PP
8c2b74bc	267	Report bugs or bug fixes using http://bugs.squid-cache.org/
83915266	268	.PP
8c2b74bc	269	Report serious security bugs to
8311b837	270	.I Squid Bugs <squid-bugs@lists.squid-cache.org>
83915266	271	.PP
8c2b74bc AJ	272	Report ideas for new improvements to the
8c2b74bc AJ	273	.I Squid Developers mailing list
8311b837	274	.if !'po4a'hide' <squid-dev@lists.squid-cache.org>
28e81872	275	.
83915266 AJ	276	.SH SEE ALSO
83915266 AJ	277	.if !'po4a'hide' .BR squid "(8), "
6d5cbee6	278	.if !'po4a'hide' .BR basic_ldap_auth "(8), "
83915266	279	.if !'po4a'hide' .BR ldapsearch "(1), "
6d5cbee6	280	.if !'po4a'hide' .BR GPL "(7), "
28e81872	281	.br
	282	Your favorite LDAP documentation
	283	.br
	284	.BR RFC2254 " - The String Representation of LDAP Search Filters,"
6d5cbee6 AJ	285	.br
	286	The Squid FAQ wiki
	287	.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq
	288	.br
	289	The Squid Configuration Manual
	290	.if !'po4a'hide' http://www.squid-cache.org/Doc/config/