Commit | Line | Data |
---|---|---|
c152a447 AJ |
1 | .if !'po4a'hide' .TH ext_lm_group_acl 8 |
2 | . | |
3 | .SH NAME | |
4 | .if !'po4a'hide' .B ext_lm_group_acl | |
5 | .if !'po4a'hide' \- | |
6 | Squid external ACL helper to check Windows users group membership. | |
7 | .PP | |
8 | Version 1.22 | |
9 | . | |
10 | .SH SYNOPSIS | |
11 | .if !'po4a'hide' .B ext_lm_group_acl | |
12 | .if !'po4a'hide' .B "[\-D " | |
13 | domain | |
14 | .if !'po4a'hide' .B "] [\-cdhGP]" | |
15 | . | |
16 | .SH DESCRIPTION | |
17 | .B ext_lm_group_acl | |
18 | is an installed binary in Squid for Windows builds. | |
19 | .PP | |
20 | This helper must be used with an authentication scheme (typically | |
21 | Basic or NTLM) based on Windows NT/2000 domain users (LM mode). | |
22 | .PP | |
23 | It reads from the standard input the domain username and a list of groups | |
24 | and tries to match each against the group membership of the specified | |
25 | username. | |
26 | . | |
27 | .SH OPTIONS | |
28 | .if !'po4a'hide' .TP 12 | |
29 | .if !'po4a'hide' .B \-c | |
30 | Use case insensitive compare. | |
06fcded4 AJ |
31 | . |
32 | .if !'po4a'hide' .TP | |
c152a447 AJ |
33 | .if !'po4a'hide' .B \-d |
34 | Write debug info to stderr. | |
06fcded4 AJ |
35 | . |
36 | .if !'po4a'hide' .TP | |
c152a447 AJ |
37 | .if !'po4a'hide' .B \-D domain |
38 | Specify the default user's domain. | |
06fcded4 AJ |
39 | . |
40 | .if !'po4a'hide' .TP | |
c152a447 AJ |
41 | .if !'po4a'hide' .B \-G |
42 | Start helper in Domain Global Group mode. | |
06fcded4 AJ |
43 | . |
44 | .if !'po4a'hide' .TP | |
c152a447 AJ |
45 | .if !'po4a'hide' .B \-h |
46 | Display the binary help and command line syntax info using stderr. | |
06fcded4 AJ |
47 | . |
48 | .if !'po4a'hide' .TP | |
c152a447 AJ |
49 | .if !'po4a'hide' .B \-P |
50 | Use ONLY PDCs for group validation. | |
51 | . | |
52 | .SH CONFIGURATION | |
06fcded4 AJ |
53 | .if !'po4a'hide' .RS |
54 | .if !'po4a'hide' .B external_acl_type NT_global_group %LOGIN c:/squid/libexec/ext_lm_group_acl.exe -G | |
55 | .if !'po4a'hide' .br | |
56 | .if !'po4a'hide' .B external_acl_type NT_local_group %LOGIN c:/squid/libexec/ext_lm_group_acl.exe | |
57 | .if !'po4a'hide' .br | |
58 | .if !'po4a'hide' .br | |
59 | .if !'po4a'hide' .B acl GProxyUsers external NT_global_group GProxyUsers | |
60 | .if !'po4a'hide' .br | |
61 | .if !'po4a'hide' .B acl LProxyUsers external NT_local_group LProxyUsers | |
62 | .if !'po4a'hide' .br | |
63 | .if !'po4a'hide' .B acl password proxy_auth REQUIRED | |
64 | .if !'po4a'hide' .br | |
65 | .if !'po4a'hide' .br | |
66 | .if !'po4a'hide' .B http_access allow password GProxyUsers | |
67 | .if !'po4a'hide' .br | |
68 | .if !'po4a'hide' .B http_access allow password LProxyUsers | |
69 | .if !'po4a'hide' .br | |
70 | .if !'po4a'hide' .B http_access deny all | |
71 | .if !'po4a'hide' .RE | |
c152a447 AJ |
72 | . |
73 | .PP | |
74 | In the previous example, all validated NT users who are members of the GProxyUsers Global | |
75 | domain group or of the LProxyUsers machine local group are allowed to | |
76 | use the cache. | |
77 | . | |
78 | .PP | |
79 | Groups with spaces in the name, for example | |
80 | .B "Domain Users" | |
81 | , must be quoted and the acl data ( | |
82 | .B "Domain Users" | |
83 | ) must be placed into a separate file included by specifying | |
84 | .B "/path/to/file" | |
85 | . | |
86 | The previous example will be: | |
06fcded4 | 87 | .if !'po4a'hide' .RS |
c152a447 | 88 | .if !'po4a'hide' acl ProxyUsers external NT_global_group "c:/squid/etc/DomainUsers.txt" |
06fcded4 | 89 | .if !'po4a'hide' .RE |
c152a447 | 90 | . |
06fcded4 | 91 | The |
c152a447 | 92 | .B DomainUsers.txt |
06fcded4 AJ |
93 | file will contain only the following line: |
94 | .if !'po4a'hide' .RS | |
c152a447 | 95 | .B "Domain Users" |
06fcded4 | 96 | .if !'po4a'hide' .RE |
c152a447 | 97 | . |
06fcded4 AJ |
98 | .PP |
99 | .B NOTE: | |
c152a447 AJ |
100 | The standard group name comparison is case sensitive, so the group name |
101 | must be specified with the same case as in the NT/2000 Domain. | |
102 | It's possible to enable case insensitive group name comparison ( | |
103 | .B \-c | |
104 | ), but on some non-English locales, the results can be unexpected. | |
105 | . | |
06fcded4 AJ |
106 | .PP |
107 | .B NOTE: | |
c152a447 AJ |
108 | Native WIN32 NTLM and Basic Helpers must be used without the |
109 | .B \-A | |
110 | and | |
111 | .B \-D | |
112 | switches. | |
113 | .PP | |
114 | Refer to the Squid documentation for more details on squid.conf. | |
115 | . | |
116 | .SH TESTING | |
117 | .PP | |
118 | I strongly recommend that | |
119 | .B ext_lm_group_acl | |
06fcded4 | 120 | is tested prior to being used in a production environment. It may behave differently on different platforms. |
c152a447 AJ |
121 | . |
122 | .PP | |
123 | To test it, run it from the command line. Enter username and group | |
124 | pairs separated by a space (username must be entered with URL-encoded | |
125 | .I domain%5Cusername | |
126 | syntax). Press | |
127 | .B ENTER | |
128 | to get an | |
129 | .B OK | |
130 | or | |
131 | .B ERR | |
132 | message. | |
133 | .PP | |
134 | Make sure pressing | |
135 | .B CTRL+D | |
136 | behaves the same as a carriage return. | |
137 | .PP | |
138 | Make sure pressing | |
139 | .B CTRL+C | |
140 | aborts the program. | |
141 | . | |
142 | .PP | |
143 | Test that entering no details does not result in an | |
144 | .B OK | |
145 | or | |
146 | .B ERR | |
147 | message. | |
148 | .PP | |
149 | Test that entering an invalid username and group results in an | |
150 | .B ERR | |
151 | message. | |
152 | .PP | |
153 | Test that entering a valid username and group results in an | |
154 | .B OK | |
155 | message. | |
156 | . | |
157 | .SH AUTHOR | |
158 | This program was written by | |
159 | .if !'po4a'hide' .I Guido Serassio <guido.serassio@acmeconsulting.it> | |
160 | with contributions by | |
161 | .if !'po4a'hide' .I Henrik Nordstrom <hno@squid-cache.org> | |
162 | .PP | |
163 | Based in part on prior work in | |
164 | .B check_group | |
165 | by | |
166 | .if !'po4a'hide' .I Rodrigo Albani de Campos | |
167 | .PP | |
168 | This manual was written by | |
169 | .if !'po4a'hide' .I Guido Serassio <guido.serassio@acmeconsulting.it> | |
170 | .if !'po4a'hide' .I Amos Jeffries <amosjeffries@squid-cache.org> | |
171 | . | |
172 | .SH COPYRIGHT | |
173 | This program and documentation is copyright to the authors named above. | |
174 | .PP | |
175 | Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+). | |
176 | . | |
177 | .SH QUESTIONS | |
178 | Questions on the usage of this program can be sent to the | |
179 | .I Squid Users mailing list | |
180 | .if !'po4a'hide' <squid-users@squid-cache.org> | |
181 | . | |
182 | .SH REPORTING BUGS | |
183 | Bug reports need to be made in English. | |
184 | See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report. | |
185 | .PP | |
186 | Report bugs or bug fixes using http://bugs.squid-cache.org/ | |
187 | .PP | |
188 | Report serious security bugs to | |
189 | .I Squid Bugs <squid-bugs@squid-cache.org> | |
190 | .PP | |
191 | Report ideas for new improvements to the | |
192 | .I Squid Developers mailing list | |
193 | .if !'po4a'hide' <squid-dev@squid-cache.org> | |
194 | . | |
195 | .SH SEE ALSO | |
196 | .if !'po4a'hide' .BR squid "(8), " | |
197 | .if !'po4a'hide' .BR GPL "(7), " | |
198 | .br | |
199 | The Squid FAQ wiki | |
200 | .if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq | |
201 | .br | |
202 | The Squid Configuration Manual | |
203 | .if !'po4a'hide' http://www.squid-cache.org/Doc/config/ |
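
The input format and the TESTING checklist above, as an added example that is not part of the Squid source: a Python stand-in for the helper, using a constructed membership table instead of a Windows lookup, with the checklist run against it. Assumptions: the reply is OK when any listed group matches, group tokens are URL-decoded like the username, and `MEMBERSHIP`, `helper_reply`, `CHECKS` and `run_checks` are hypothetical names.

```python
from urllib.parse import unquote

# Constructed sample data standing in for the NT/2000 domain group lookup.
MEMBERSHIP = {
    "ACME\\alice": {"GProxyUsers", "Domain Users"},
    "ACME\\bob": {"B\u0130LG\u0130"},  # group name with dotted capital I
}

def helper_reply(line, case_insensitive=False):
    """Model one request line: 'domain%5Cuser group [group ...]'."""
    tokens = line.split()
    if not tokens:
        return None          # page: empty input gives neither OK nor ERR
    if len(tokens) < 2:
        return "ERR"         # assumption: a user with no group is rejected
    user = unquote(tokens[0])                 # domain%5Cuser -> domain\user
    wanted = [unquote(t) for t in tokens[1:]]  # assumption: groups decoded too
    have = MEMBERSHIP.get(user, set())
    if case_insensitive:                      # models the -c switch
        have = {g.casefold() for g in have}
        wanted = [g.casefold() for g in wanted]
    # Assumption: one matching group is enough for OK.
    return "OK" if any(g in have for g in wanted) else "ERR"

# (input line, -c enabled, expected reply), following the TESTING section.
CHECKS = [
    ("", False, None),
    ("ACME%5Cmallory Nobody", False, "ERR"),      # invalid user and group
    ("ACME%5Calice GProxyUsers", False, "OK"),    # valid user and group
    ("ACME%5Calice gproxyusers", False, "ERR"),   # default is case sensitive
    ("ACME%5Calice gproxyusers", True, "OK"),     # -c relaxes the compare
    ("ACME%5Calice Domain%20Users", False, "OK"),  # group name with a space
    # Case folding follows Python's rules here, not Windows'; it only
    # illustrates how -c can surprise on non-English group names.
    ("ACME%5Cbob bilgi", True, "ERR"),
]

def run_checks(reply=helper_reply):
    """Return every check whose reply differs from the expected one."""
    failures = []
    for line, flag, want in CHECKS:
        got = reply(line, flag)
        if got != want:
            failures.append((line, flag, got, want))
    return failures

if __name__ == "__main__":
    failed = run_checks()
    print("all checks passed" if not failed else failed)
```

To exercise a real helper, pass `run_checks` a function that writes each line to the helper's standard input and returns the line it answers with.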