Commit | Line | Data |
---|---|---|
c152a447 AJ |
1 | .if !'po4a'hide' .TH ext_lm_group_acl 8 |
2 | . | |
3 | .SH NAME | |
d632afde | 4 | ext_lm_group_acl \- Squid external ACL helper to check Windows users group membership. |
c152a447 AJ |
5 | .PP |
6 | Version 1.22 | |
7 | . | |
8 | .SH SYNOPSIS | |
9 | .if !'po4a'hide' .B ext_lm_group_acl | |
10 | .if !'po4a'hide' .B "[\-D " | |
11 | domain | |
12 | .if !'po4a'hide' .B "] [\-cdhGP]" | |
13 | . | |
14 | .SH DESCRIPTION | |
15 | .B ext_lm_group_acl | |
16 | is an installed binary in Squid for Windows builds. | |
17 | .PP | |
18 | This helper must be used with an authentication scheme (typically | |
19 | Basic or NTLM) based on Windows NT/2000 domain users (LM mode). | |
20 | .PP | |
21 | It reads from the standard input the domain username and a list of groups | |
22 | and tries to match each against the groups membership of the specified | |
23 | username. | |
24 | . | |
25 | .SH OPTIONS | |
26 | .if !'po4a'hide' .TP 12 | |
27 | .if !'po4a'hide' .B \-c | |
28 | Use case insensitive compare. | |
06fcded4 AJ |
29 | . |
30 | .if !'po4a'hide' .TP | |
c152a447 AJ |
31 | .if !'po4a'hide' .B \-d |
32 | Write debug info to stderr. | |
06fcded4 AJ |
33 | . |
34 | .if !'po4a'hide' .TP | |
c152a447 AJ |
35 | .if !'po4a'hide' .B \-D domain |
36 | Specify the default user's domain. | |
06fcded4 AJ |
37 | . |
38 | .if !'po4a'hide' .TP | |
c152a447 AJ |
39 | .if !'po4a'hide' .B \-G |
40 | Start helper in Domain Global Group mode. | |
06fcded4 AJ |
41 | . |
42 | .if !'po4a'hide' .TP | |
c152a447 AJ |
43 | .if !'po4a'hide' .B \-h |
44 | Display the binary help and command line syntax info using stderr. | |
06fcded4 AJ |
45 | . |
46 | .if !'po4a'hide' .TP | |
c152a447 AJ |
47 | .if !'po4a'hide' .B \-P |
48 | Use ONLY PDCs for group validation. | |
49 | . | |
50 | .SH CONFIGURATION | |
06fcded4 AJ |
51 | .if !'po4a'hide' .RS |
52 | .if !'po4a'hide' .B external_acl_type NT_global_group %LOGIN c:/squid/libexec/ext_lm_group_acl.exe -G | |
53 | .if !'po4a'hide' .br | |
54 | .if !'po4a'hide' .B external_acl_type NT_local_group %LOGIN c:/squid/libexec/ext_lm_group_acl.exe | |
55 | .if !'po4a'hide' .br | |
56 | .if !'po4a'hide' .br | |
57 | .if !'po4a'hide' .B acl GProxyUsers external NT_global_group GProxyUsers | |
58 | .if !'po4a'hide' .br | |
59 | .if !'po4a'hide' .B acl LProxyUsers external NT_local_group LProxyUsers | |
60 | .if !'po4a'hide' .br | |
61 | .if !'po4a'hide' .B acl password proxy_auth REQUIRED | |
62 | .if !'po4a'hide' .br | |
63 | .if !'po4a'hide' .br | |
64 | .if !'po4a'hide' .B http_access allow password GProxyUsers | |
65 | .if !'po4a'hide' .br | |
66 | .if !'po4a'hide' .B http_access allow password LProxyUsers | |
67 | .if !'po4a'hide' .br | |
68 | .if !'po4a'hide' .B http_access deny all | |
69 | .if !'po4a'hide' .RE | |
c152a447 AJ |
70 | . |
71 | .PP | |
72 | In the previous example, all validated NT users who are members of the GProxyUsers Global | |
73 | domain group or of the LProxyUsers machine local group are allowed to | |
74 | use the cache. | |
75 | . | |
76 | .PP | |
77 | Groups with spaces in their name, for example | |
78 | .B "Domain Users" | |
79 | , must be quoted and the acl data ( | |
80 | .B "Domain Users" | |
81 | ) must be placed into a separate file included by specifying | |
82 | .B "/path/to/file" | |
83 | . | |
84 | The previous example will be: | |
06fcded4 | 85 | .if !'po4a'hide' .RS |
c152a447 | 86 | .if !'po4a'hide' acl ProxyUsers external NT_global_group "c:/squid/etc/DomainUsers.txt" |
06fcded4 | 87 | .if !'po4a'hide' .RE |
c152a447 | 88 | . |
06fcded4 | 89 | The |
c152a447 | 90 | .B DomainUsers.txt |
06fcded4 AJ |
91 | file will contain only the following line: |
92 | .if !'po4a'hide' .RS | |
c152a447 | 93 | .B "Domain Users" |
06fcded4 | 94 | .if !'po4a'hide' .RE |
c152a447 | 95 | . |
06fcded4 AJ |
96 | .PP |
97 | .B NOTE: | |
c152a447 AJ |
98 | The standard group name comparison is case sensitive, so the group name |
99 | must be specified with the same case as in the NT/2000 Domain. | |
100 | It's possible to enable case insensitive group name comparison ( | |
101 | .B \-c | |
102 | ), but on some non-English locales, the results can be unexpected. | |
103 | . | |
06fcded4 AJ |
104 | .PP |
105 | .B NOTE: | |
c152a447 AJ |
106 | Native WIN32 NTLM and Basic Helpers must be used without the |
107 | .B \-A | |
108 | and | |
109 | .B \-D | |
110 | switches. | |
111 | .PP | |
112 | Refer to Squid documentation for more details on squid.conf. | |
113 | . | |
114 | .SH TESTING | |
115 | .PP | |
116 | I strongly recommend that | |
117 | .B ext_lm_group_acl | |
06fcded4 | 118 | is tested prior to being used in a production environment. It may behave differently on different platforms. |
c152a447 AJ |
119 | . |
120 | .PP | |
121 | To test it, run it from the command line. Enter username and group | |
122 | pairs separated by a space (username must be entered with URL-encoded | |
123 | .I domain%5Cusername | |
124 | syntax). Press | |
125 | .B ENTER | |
126 | to get an | |
127 | .B OK | |
128 | or | |
129 | .B ERR | |
130 | message. | |
131 | .PP | |
132 | Make sure pressing | |
133 | .B CTRL+D | |
134 | behaves the same as a carriage return. | |
135 | .PP | |
136 | Make sure pressing | |
137 | .B CTRL+C | |
138 | aborts the program. | |
139 | . | |
140 | .PP | |
141 | Test that entering no details does not result in an | |
142 | .B OK | |
143 | or | |
144 | .B ERR | |
145 | message. | |
146 | .PP | |
147 | Test that entering an invalid username and group results in an | |
148 | .B ERR | |
149 | message. | |
150 | .PP | |
151 | Test that entering a valid username and group results in an | |
152 | .B OK | |
153 | message. | |
154 | . | |
155 | .SH AUTHOR | |
156 | This program was written by | |
157 | .if !'po4a'hide' .I Guido Serassio <guido.serassio@acmeconsulting.it> | |
158 | with contributions by | |
159 | .if !'po4a'hide' .I Henrik Nordstrom <hno@squid-cache.org> | |
160 | .PP | |
161 | Based in part on prior work in | |
162 | .B check_group | |
163 | by | |
164 | .if !'po4a'hide' .I Rodrigo Albani de Campos | |
165 | .PP | |
166 | This manual was written by | |
167 | .if !'po4a'hide' .I Guido Serassio <guido.serassio@acmeconsulting.it> | |
168 | .if !'po4a'hide' .I Amos Jeffries <amosjeffries@squid-cache.org> | |
169 | . | |
170 | .SH COPYRIGHT | |
ca02e0ec AJ |
171 | .PP |
172 | * Copyright (C) 1996-2014 The Squid Software Foundation and contributors | |
173 | * | |
174 | * Squid software is distributed under GPLv2+ license and includes | |
175 | * contributions from numerous individuals and organizations. | |
176 | * Please see the COPYING and CONTRIBUTORS files for details. | |
177 | .PP | |
c152a447 AJ |
178 | This program and documentation is copyright to the authors named above. |
179 | .PP | |
180 | Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+). | |
181 | . | |
182 | .SH QUESTIONS | |
183 | Questions on the usage of this program can be sent to the | |
184 | .I Squid Users mailing list | |
185 | .if !'po4a'hide' <squid-users@squid-cache.org> | |
186 | . | |
187 | .SH REPORTING BUGS | |
188 | Bug reports need to be made in English. | |
189 | See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report. | |
190 | .PP | |
191 | Report bugs or bug fixes using http://bugs.squid-cache.org/ | |
192 | .PP | |
193 | Report serious security bugs to | |
194 | .I Squid Bugs <squid-bugs@squid-cache.org> | |
195 | .PP | |
196 | Report ideas for new improvements to the | |
197 | .I Squid Developers mailing list | |
198 | .if !'po4a'hide' <squid-dev@squid-cache.org> | |
199 | . | |
200 | .SH SEE ALSO | |
201 | .if !'po4a'hide' .BR squid "(8), " | |
202 | .if !'po4a'hide' .BR GPL "(7), " | |
203 | .br | |
204 | The Squid FAQ wiki | |
205 | .if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq | |
206 | .br | |
207 | The Squid Configuration Manual | |
208 | .if !'po4a'hide' http://www.squid-cache.org/Doc/config/ |
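
The checks listed under TESTING can be scripted instead of typed by hand. The following is an added example, not part of the Squid sources: it builds input lines in the `domain%5Cusername group` form the manual describes and compares each reply with the expected `OK`/`ERR` verdict. The `EXAMPLE` domain, the `alice` account, the stand-in `fake_helper` and the percent-encoding of group names are assumptions made so the checks run offline.

```python
import subprocess
from urllib.parse import quote, unquote

def request_line(domain, user, groups):
    """Build one helper input line: URL-encoded domain\\user, then the groups."""
    login = quote(f"{domain}\\{user}", safe="")      # backslash becomes %5C
    # Assumption: group names are percent-encoded too, so a space inside
    # "Domain Users" is not read as a field separator.
    return " ".join([login] + [quote(g, safe="") for g in groups])

def verdict(reply):
    """Map helper output to True (OK), False (ERR) or None (neither)."""
    words = reply.split()
    return {"OK": True, "ERR": False}.get(words[0]) if words else None

def ask_helper(cmd, line):
    """Run the real helper once (cmd is its argv list) and return its stdout."""
    done = subprocess.run(cmd, input=line + "\n", capture_output=True,
                          text=True, timeout=30)
    return done.stdout

# Constructed stand-in for the helper: one account and its groups.
MEMBERS = {"EXAMPLE\\alice": {"GProxyUsers", "Domain Users"}}

def fake_helper(line):
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2:
        return ""                                    # no details: no verdict
    hit = any(g in MEMBERS.get(fields[0], set()) for g in fields[1:])
    return "OK\n" if hit else "ERR\n"                # case-sensitive match

# (description, input line, expected verdict) following the TESTING section
CASES = [
    ("no details", "", None),
    ("invalid user and group", request_line("EXAMPLE", "nobody", ["NoSuchGroup"]), False),
    ("valid user and group", request_line("EXAMPLE", "alice", ["GProxyUsers"]), True),
    ("group name with a space", request_line("EXAMPLE", "alice", ["Domain Users"]), True),
    ("wrong case without -c", request_line("EXAMPLE", "alice", ["gproxyusers"]), False),
]

def failures(ask, cases=CASES):
    """Return the descriptions of the cases whose verdict differs from the expected one."""
    return [name for name, line, want in cases if verdict(ask(line)) is not want]

if __name__ == "__main__":
    print(failures(fake_helper) or "all checks passed")
```

To exercise the installed binary, pass `lambda line: ask_helper(["c:/squid/libexec/ext_lm_group_acl.exe", "-G"], line)` to `failures` along with cases built from real accounts and groups in the domain under test.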