.if !'po4a'hide' .TH ext_ad_group_acl.exe 8
.if !'po4a'hide' .B ext_ad_group_acl.exe
Squid external ACL helper to check Windows users group membership.
.if !'po4a'hide' .B ext_ad_group_acl.exe
.if !'po4a'hide' .B "[\-D "
.if !'po4a'hide' .B "] [\-cdGh]"
.B ext_ad_group_acl.exe
is an installed binary in Squid for Windows builds.
This helper must be used with an authentication scheme (typically
Basic, NTLM or Negotiate) based on Windows Active Directory domain users.
It reads from the standard input the domain username and a list of groups
and tries to match each against the group membership of the specified
Two running modes are available:
.if !'po4a'hide' .TP 12
membership is checked against the machine's local groups; cannot be used when
running on a Domain Controller.
.if !'po4a'hide' .TP 12
.B "\- Active Directory Global mode:"
membership is checked against the whole Active Directory Forest of the
machine where Squid is running.
The minimal Windows version needed to run
.B ext_ad_group_acl.exe
is a Windows 2000 SP4 member of an Active Directory Domain.
When running in Active Directory Global mode, all types of Active Directory
security groups are supported:
and Active Directory group nesting is fully supported.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B "\-c"
Use case insensitive compare (local mode only).
.if !'po4a'hide' .B "\-d"
Write debug info to stderr.
.if !'po4a'hide' .B "\-D" domain
Specify the default user's
.if !'po4a'hide' .B "\-G"
Start helper in Active Directory Global mode.
.if !'po4a'hide' .B "\-h"
Display the binary help and command line syntax info using stderr.
When running in Active Directory Global mode, the AD Group can be specified using the
.if !'po4a'hide' .TP 5
.B "1." Plain NT4 Group Name
.B "2." Full NT4 Group Name
.B "3." Active Directory Canonical name
.if !'po4a'hide' .TP 5
.if !'po4a'hide' .B "1." Proxy-Users
.if !'po4a'hide' .B "2." MYDOMAIN\Proxy-Users
.if !'po4a'hide' .B "3." mydomain.local/Groups/Proxy-Users
When using Plain NT4 Group Name, the Group is searched in the user's domain.
.if !'po4a'hide' .B external_acl_type AD_global_group %LOGIN c:/squid/libexec/ext_ad_group_acl.exe -G
.if !'po4a'hide' .B external_acl_type NT_local_group %LOGIN c:/squid/libexec/ext_ad_group_acl.exe
.if !'po4a'hide' .B "acl GProxyUsers external AD_global_group MYDOMAIN\GProxyUsers"
.if !'po4a'hide' .B acl LProxyUsers external NT_local_group LProxyUsers
.if !'po4a'hide' .B acl password proxy_auth REQUIRED
.if !'po4a'hide' .B http_access allow password GProxyUsers
.if !'po4a'hide' .B http_access allow password LProxyUsers
.if !'po4a'hide' .B http_access deny all
In the previous example, all validated AD users who are members of the
.I "MYDOMAIN\GProxyUsers"
domain group or members of the
machine local group are allowed to
Groups with spaces in their name, for example
, must be quoted and the acl data (
) must be placed into a separate file included
The previous example will be:
.if !'po4a'hide' acl ProxyUsers external NT_global_group \(dqc:/squid/etc/DomainUsers\(dq
and the DomainUsers file will contain only the following line:
When running in Active Directory Global mode, for better performance,
all Domain Controllers of the Active Directory forest should be configured
When running in local mode, the standard group name comparison is case
sensitive, so the group name must be specified with the same case as in the
It is possible to enable case insensitive group name comparison (
but on some non\-English locales, the results can be unexpected.
Native WIN32 NTLM and Basic helpers must be used without the
Refer to Squid documentation for more details on
I strongly recommend that
.B ext_ad_group_acl.exe
is tested prior to being used in a
production environment. It may behave differently on different platforms.
To test it, run it from the command line. Enter username and group
pairs separated by a space (username must be entered with URL-encoded
behaves the same as a carriage return.
Test that entering no details does not result in an
behaves the same as a carriage return.
Test that entering no details does not result in an
Test that entering an invalid username and group results in an
Test that entering a valid username and group results in an
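The checks above can be scripted before the helper is wired into squid.conf. The following is an added example, not part of the Squid distribution: it assumes each request line is answered with a reply starting with OK or ERR (the standard Squid external ACL helper replies, which are not shown in this copy of the page), and the account and group names are constructed.

```python
import subprocess
from urllib.parse import quote

def request_line(username, groups):
    """Build one request: URL-encoded username, then the group names."""
    return " ".join([quote(username, safe="")] + list(groups)) + "\n"

def verdict(reply):
    """Return 'OK' or 'ERR' from a helper reply line; reject anything else."""
    token = reply.split()[0] if reply.split() else ""
    if token not in ("OK", "ERR"):  # assumed reply tokens, see lead-in
        raise ValueError("unexpected helper reply: %r" % reply)
    return token

def run_checks(ask, valid_user, valid_group):
    """Run the three manual checks; return the names of the ones that failed."""
    cases = [
        ("empty input", "\n", "ERR"),
        ("invalid pair", request_line("no-such-user", ["no-such-group"]), "ERR"),
        ("valid pair", request_line(valid_user, [valid_group]), "OK"),
    ]
    return [name for name, line, want in cases if verdict(ask(line)) != want]

def helper_session(argv):
    """Start the helper and return (ask, close) for line-at-a-time use."""
    proc = subprocess.Popen(argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
                            text=True, bufsize=1)

    def ask(line):
        proc.stdin.write(line)
        proc.stdin.flush()
        return proc.stdout.readline()

    def close():
        proc.stdin.close()
        proc.wait(timeout=10)

    return ask, close

if __name__ == "__main__":
    # Constructed account and group; replace with a known member pair.
    ask, close = helper_session(["c:/squid/libexec/ext_ad_group_acl.exe", "-G"])
    try:
        print(run_checks(ask, "MYDOMAIN\\jdoe", "GProxyUsers") or "all checks passed")
    finally:
        close()
```

An empty list means the helper denied the empty and invalid requests and accepted the valid one; a helper that exits or prints anything other than the two expected replies raises ValueError instead of being counted as a pass.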
This program was written by
.if !'po4a'hide' .I Guido Serassio <guido.serassio@acmeconsulting.it>
Based on prior work in
.B "mswin_check_lm_group (ext_lm_group_acl)"
This manual was written by
.if !'po4a'hide' .I Guido Serassio <guido.serassio@acmeconsulting.it>
.if !'po4a'hide' .I Amos Jeffries <amosjeffries@squid-cache.org>
 * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
This program and documentation is copyright to the authors named above.
Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).
Questions on the usage of this program can be sent to the
.I Squid Users mailing list
.if !'po4a'hide' <squid-users@squid-cache.org>
Bug reports need to be made in English.
See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
Report bugs or bug fixes using http://bugs.squid-cache.org/
Report serious security bugs to
.I Squid Bugs <squid-bugs@squid-cache.org>
Report ideas for new improvements to the
.I Squid Developers mailing list
.if !'po4a'hide' <squid-dev@squid-cache.org>
.if !'po4a'hide' .BR squid "(8), "
.if !'po4a'hide' .BR GPL "(7), "
.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq
The Squid Configuration Manual
.if !'po4a'hide' http://www.squid-cache.org/Doc/config/