[thirdparty/squid.git] / helpers / external_acl / ldap_group / squid_ldap_group.8

.TH squid_ldap_group 8 "1 Mars 2003" "Squid LDAP Match"
.
.SH NAME
squid_ldap_group - Squid LDAP external acl group helper
.
.SH SYNOPSIS
squid_ldap_group -b "base DN" -f "LDAP search filter" [options] [ldap_server_name[:port]...|URI]
.
.SH DESCRIPTION
This helper allows Squid to connect to a LDAP directory to
authorize users via LDAP groups.
.P
The program operates by searching with a search filter based
on the users user name and requested group, and if a match
is found it is determined that the user belongs to the group.
.
.TP
.BI "-b " "basedn " (REQUIRED)
Specifies the base DN under which the groups are located.
.
.TP
.BI "-B " "basedn "
Specifies the base DN under which the users are located (if different)
.
.TP
.B "-g"
Specifies that the first query argument sent to the helper by Squid is
a extension to the basedn and will be temporarily added in front of the
global basedn for this query.
.
.TP
.BI "-f " filter
LDAP search filter used to search the LDAP directory for any
matching group memberships.
.BR
In the filter %u will be replaced by the user name (or DN if
the -F or -u options are used) and %g by the requested group name.
.
.TP
.BI "-F " filter
LDAP search filter used to search the LDAP directory for any
matching users.
.BR
In the filter %s will be replaced by the user name. If % is to be
included literally in the filter then use %%.
.
.TP
.BI "-u " attr
LDAP attribute used to construct the user DN from the user name and
base dn without needing to search for the user.
.
.TP
.BI "-s " base|one|sub
search scope. Defaults to 'sub'.
.IP
.B base
object only,
.B one
level below the base object or
.BR sub tree
below the base object
.
.TP
.BI "-D " "binddn " "-w " password
The DN and password to bind as while performing searches. Required
if the directory does not allow anonymous searches.
.IP
As the password needs to be printed in plain text in your Squid configuration
and will be sent on the command line to the helper it is strongly recommended
to use a account with minimal associated privileges.  This to limit the damage
in case someone could get hold of a copy of your Squid configuration file or
extracts the password used from a process listing.
.
.TP
.BI "-D " "binddn " "-W " "secretfile "
The DN and the name of a file containing the password
to bind as while performing searches. 
.IP
Less insecure version of the former parameter pair with two advantages:
The password does not occur in the process listing, 
and the password is not being compromised if someone gets the squid 
configuration file without getting the secretfile.
.
.TP
.BI -P
Use a persistent LDAP connection. Normally the LDAP connection
is only open while verifying a users group membership to preserve
resources at the LDAP server. This option causes the LDAP connection to
be kept open, allowing it to be reused for further user
validations. Recommended for larger installations.
.
.TP
.BI -R
do not follow referrals
.
.TP
.BI "-a " never|always|search|find
when to dereference aliases. Defaults to 'never'
.IP
.BI never
dereference aliases (default),
.BI always
dereference aliases, only while
.BR search ing
or only to
.B find
the base object
.
.TP
.BI -H " ldapuri"
Specity the LDAP server to connect to by a LDAP URI
.
.TP
.BI -h " ldapserver"
Specify the LDAP server to connect to
.TP
.BI -p " ldapport"
Specify an alternate TCP port where the ldap server is listening if
other than the default LDAP port 389.
.
.TP
.BI -S
Strip NT domain name component from user names (/ or \\ separated)
.
.SH SQUID CONFIGURATION
.
This helper is intended to be used as a external_acl_type helper from
squid.conf.
.P
.ft CR
.nf
external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ...
.br
acl group1 external ldap_group Group1
.br
acl group2 external ldap_group Group2
.fi
.ft
.
.SH NOTES
.
When constructing search filters it is recommended to first test the filter
using ldapsearch before you attempt to use squid_ldap_group. This to verify
that the filter matches what you expect.
.
.SH AUTHOR
This manual page was written by 
.I Henrik Nordstrom <hno@marasystems.com>
.P
squid_ldap_group is written by 
.I Flavio Pescuma <flavio@marasystems.com>
and
.IR "Henrik Nordstrom <hno@squid-cache.org>" ,
based on prior work in squid_ldap_auth by
.I Glen Newton <glen.newton@nrc.ca>
.
.SH KNOWN LIMITATIONS
Max 16 occurrences of %s in the -u argument is supported.
.
.SH QUESTIONS
Any questions on usage can be sent to 
.IR "Squid Users <squid-users@squid-cache.org>" ,
or to your favorite LDAP list/friend if the question is more related to
LDAP than Squid.
.
.SH REPORTING BUGS
Report bugs or bug-fixes to
.I Squid Bugs <squid-bugs@squid-cache.org>
or ideas for new improvements to 
.I Squid Developers <squid-dev@squid-cache.org>
.
.SH "SEE ALSO"
.BR squid_ldap_auth ( 8 ),
.BR ldapsearch ( 1 ),
.br
Your favorite LDAP documentation
.br
.BR RFC2254 " - The String Representation of LDAP Search Filters,"
Commit	Line	Data
5eecb267	1	.TH squid_ldap_group 8 "1 Mars 2003" "Squid LDAP Match"
28e81872	2	.
	3	.SH NAME
	4	squid_ldap_group - Squid LDAP external acl group helper
	5	.
	6	.SH SYNOPSIS
5eecb267	7	squid_ldap_group -b "base DN" -f "LDAP search filter" [options] [ldap_server_name[:port]...\|URI]
28e81872	8	.
	9	.SH DESCRIPTION
	10	This helper allows Squid to connect to a LDAP directory to
	11	authorize users via LDAP groups.
	12	.P
	13	The program operates by searching with a search filter based
5eecb267	14	on the users user name and requested group, and if a match
28e81872	15	is found it is determined that the user belongs to the group.
	16	.
	17	.TP
	18	.BI "-b " "basedn " (REQUIRED)
	19	Specifies the base DN under which the groups are located.
	20	.
6708c52c	21	.TP
	22	.BI "-B " "basedn "
	23	Specifies the base DN under which the users are located (if different)
	24	.
	25	.TP
28e81872	26	.B "-g"
28e81872	27	Specifies that the first query argument sent to the helper by Squid is
5eecb267	28	a extension to the basedn and will be temporarily added in front of the
6708c52c	29	global basedn for this query.
6708c52c	30	.
28e81872	31	.TP
	32	.BI "-f " filter
	33	LDAP search filter used to search the LDAP directory for any
	34	matching group memberships.
	35	.BR
5eecb267	36	In the filter %u will be replaced by the user name (or DN if
6708c52c	37	the -F or -u options are used) and %g by the requested group name.
	38	.
	39	.TP
	40	.BI "-F " filter
	41	LDAP search filter used to search the LDAP directory for any
	42	matching users.
	43	.BR
5eecb267	44	In the filter %s will be replaced by the user name. If % is to be
6708c52c	45	included literally in the filter then use %%.
	46	.
	47	.TP
	48	.BI "-u " attr
5eecb267	49	LDAP attribute used to construct the user DN from the user name and
5eecb267	50	base dn without needing to search for the user.
28e81872	51	.
	52	.TP
	53	.BI "-s " base\|one\|sub
	54	search scope. Defaults to 'sub'.
	55	.IP
	56	.B base
	57	object only,
	58	.B one
	59	level below the base object or
	60	.BR sub tree
	61	below the base object
	62	.
	63	.TP
	64	.BI "-D " "binddn " "-w " password
	65	The DN and password to bind as while performing searches. Required
	66	if the directory does not allow anonymous searches.
	67	.IP
	68	As the password needs to be printed in plain text in your Squid configuration
	69	and will be sent on the command line to the helper it is strongly recommended
	70	to use a account with minimal associated privileges. This to limit the damage
	71	in case someone could get hold of a copy of your Squid configuration file or
	72	extracts the password used from a process listing.
	73	.
	74	.TP
954a8513	75	.BI "-D " "binddn " "-W " "secretfile "
	76	The DN and the name of a file containing the password
	77	to bind as while performing searches.
	78	.IP
	79	Less insecure version of the former parameter pair with two advantages:
	80	The password does not occur in the process listing,
	81	and the password is not being compromised if someone gets the squid
	82	configuration file without getting the secretfile.
	83	.
	84	.TP
28e81872	85	.BI -P
28e81872	86	Use a persistent LDAP connection. Normally the LDAP connection
5eecb267	87	is only open while verifying a users group membership to preserve
5eecb267	88	resources at the LDAP server. This option causes the LDAP connection to
28e81872	89	be kept open, allowing it to be reused for further user
	90	validations. Recommended for larger installations.
	91	.
	92	.TP
	93	.BI -R
	94	do not follow referrals
	95	.
	96	.TP
	97	.BI "-a " never\|always\|search\|find
	98	when to dereference aliases. Defaults to 'never'
	99	.IP
	100	.BI never
	101	dereference aliases (default),
	102	.BI always
	103	dereference aliases, only while
	104	.BR search ing
	105	or only to
	106	.B find
	107	the base object
	108	.
	109	.TP
5eecb267	110	.BI -H " ldapuri"
	111	Specity the LDAP server to connect to by a LDAP URI
	112	.
	113	.TP
28e81872	114	.BI -h " ldapserver"
	115	Specify the LDAP server to connect to
	116	.TP
	117	.BI -p " ldapport"
	118	Specify an alternate TCP port where the ldap server is listening if
	119	other than the default LDAP port 389.
	120	.
6708c52c	121	.TP
6708c52c	122	.BI -S
5eecb267	123	Strip NT domain name component from user names (/ or \\ separated)
6708c52c	124	.
	125	.SH SQUID CONFIGURATION
	126	.
	127	This helper is intended to be used as a external_acl_type helper from
	128	squid.conf.
	129	.P
	130	.ft CR
	131	.nf
	132	external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ...
	133	.br
5eecb267	134	acl group1 external ldap_group Group1
6708c52c	135	.br
5eecb267	136	acl group2 external ldap_group Group2
6708c52c	137	.fi
	138	.ft
	139	.
28e81872	140	.SH NOTES
28e81872	141	.
5eecb267	142	When constructing search filters it is recommended to first test the filter
28e81872	143	using ldapsearch before you attempt to use squid_ldap_group. This to verify
	144	that the filter matches what you expect.
	145	.
	146	.SH AUTHOR
	147	This manual page was written by
	148	.I Henrik Nordstrom <hno@marasystems.com>
	149	.P
	150	squid_ldap_group is written by
	151	.I Flavio Pescuma <flavio@marasystems.com>
	152	and
	153	.IR "Henrik Nordstrom <hno@squid-cache.org>" ,
	154	based on prior work in squid_ldap_auth by
	155	.I Glen Newton <glen.newton@nrc.ca>
	156	.
	157	.SH KNOWN LIMITATIONS
5eecb267	158	Max 16 occurrences of %s in the -u argument is supported.
28e81872	159	.
	160	.SH QUESTIONS
	161	Any questions on usage can be sent to
	162	.IR "Squid Users <squid-users@squid-cache.org>" ,
	163	or to your favorite LDAP list/friend if the question is more related to
	164	LDAP than Squid.
	165	.
	166	.SH REPORTING BUGS
	167	Report bugs or bug-fixes to
	168	.I Squid Bugs <squid-bugs@squid-cache.org>
	169	or ideas for new improvements to
	170	.I Squid Developers <squid-dev@squid-cache.org>
	171	.
	172	.SH "SEE ALSO"
	173	.BR squid_ldap_auth ( 8 ),
	174	.BR ldapsearch ( 1 ),
	175	.br
	176	Your favorite LDAP documentation
	177	.br
	178	.BR RFC2254 " - The String Representation of LDAP Search Filters,"