.TH squid_ldap_group 8 "1 Mars 2003" "Squid LDAP Match"
.
.SH NAME
squid_ldap_group - Squid LDAP external acl group helper
.
.SH SYNOPSIS
squid_ldap_group -b "base DN" -f "LDAP search filter" [options] [ldap_server_name[:port]...|URI]
.
.SH DESCRIPTION
This helper allows Squid to connect to an LDAP directory to
authorize users via LDAP groups.
.P
The program operates by searching with a search filter based
on the user's user name and the requested group, and if a match
is found it is determined that the user belongs to the group.
.
.TP
.BI "-b " "basedn " (REQUIRED)
Specifies the base DN under which the groups are located.
.
.TP
.BI "-B " "basedn "
Specifies the base DN under which the users are located (if different).
.
.TP
.B "-g"
Specifies that the first query argument sent to the helper by Squid is
an extension to the basedn and will be temporarily added in front of the
global basedn for this query.
.
.TP
.BI "-f " filter
LDAP search filter used to search the LDAP directory for any
matching group memberships.
.br
In the filter %u will be replaced by the user name (or DN if
the -F or -u options are used) and %g by the requested group name.
.
.TP
.BI "-F " filter
LDAP search filter used to search the LDAP directory for any
matching users.
.br
In the filter %s will be replaced by the user name. If % is to be
included literally in the filter then use %%.
.
.TP
.BI "-u " attr
LDAP attribute used to construct the user DN from the user name and
base DN without needing to search for the user.
.
.TP
.BI "-s " base|one|sub
Search scope. Defaults to 'sub'.
.IP
.B base
object only,
.B one
level below the base object or
.BR sub tree
below the base object.
.
.TP
.BI "-D " "binddn " "-w " password
The DN and password to bind as while performing searches. Required
if the directory does not allow anonymous searches.
.IP
As the password needs to be printed in plain text in your Squid configuration
and will be sent on the command line to the helper, it is strongly recommended
to use an account with minimal associated privileges. This is to limit the damage
in case someone gets hold of a copy of your Squid configuration file or
extracts the password from a process listing.
.
.TP
.BI "-D " "binddn " "-W " "secretfile "
The DN and the name of a file containing the password
to bind as while performing searches.
.IP
A more secure version of the former parameter pair, with two advantages:
the password does not occur in the process listing,
and the password is not compromised if someone gets the Squid
configuration file without also getting the secretfile.
.
.TP
.B -P
Use a persistent LDAP connection. Normally the LDAP connection
is only open while verifying a user's group membership, to preserve
resources at the LDAP server. This option causes the LDAP connection to
be kept open, allowing it to be reused for further user
validations. Recommended for larger installations.
.
.TP
.B -R
Do not follow referrals.
.
.TP
.BI "-a " never|always|search|find
When to dereference aliases. Defaults to 'never'.
.IP
.B never
dereference aliases (default),
.B always
dereference aliases, only while
.BR search ing
or only to
.B find
the base object.
.
.TP
.BI -H " ldapuri"
Specify the LDAP server to connect to by an LDAP URI.
.
.TP
.BI -h " ldapserver"
Specify the LDAP server to connect to.
.TP
.BI -p " ldapport"
Specify an alternate TCP port where the LDAP server is listening if
other than the default LDAP port 389.
.
.TP
.B -S
Strip the NT domain name component from user names (/ or \\ separated).
.
.SH SQUID CONFIGURATION
.
This helper is intended to be used as an external_acl_type helper from
squid.conf.
.P
.ft CR
.nf
external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ...
.br
acl group1 external ldap_group Group1
.br
acl group2 external ldap_group Group2
.fi
.ft
.
.SH NOTES
.
When constructing search filters it is recommended to first test the filter
using ldapsearch before you attempt to use squid_ldap_group. This is to verify
that the filter matches what you expect.
.
.SH AUTHOR
This manual page was written by
.I Henrik Nordstrom <hno@marasystems.com>
.P
squid_ldap_group is written by
.I Flavio Pescuma <flavio@marasystems.com>
and
.IR "Henrik Nordstrom <hno@squid-cache.org>" ,
based on prior work in squid_ldap_auth by
.I Glen Newton <glen.newton@nrc.ca>
.
.SH KNOWN LIMITATIONS
A maximum of 16 occurrences of %s in the -u argument is supported.
.
.SH QUESTIONS
Any questions on usage can be sent to
.IR "Squid Users <squid-users@squid-cache.org>" ,
or to your favorite LDAP list/friend if the question is more related to
LDAP than Squid.
.
.SH REPORTING BUGS
Report bugs or bug-fixes to
.I Squid Bugs <squid-bugs@squid-cache.org>
or ideas for new improvements to
.I Squid Developers <squid-dev@squid-cache.org>
.
.SH "SEE ALSO"
.BR squid_ldap_auth ( 8 ),
.BR ldapsearch ( 1 ),
.br
Your favorite LDAP documentation
.br
.BR RFC2254 " - The String Representation of LDAP Search Filters,"
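An added example, not code from squid_ldap_group: a Python routine that expands an -f style filter the way the option and the NOTES section describe (%u, %g, %% substitution) and applies the RFC 2254 escaping to the substituted user and group names, so a name containing filter metacharacters such as * or ) is matched literally instead of changing the structure of the search. The strip_nt_domain function mimics -S; both its exact behaviour and the rejection of unknown %-sequences are assumptions of this example, not documented behaviour of the helper.

```python
import re

# RFC 2254 section 4: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user- or group-supplied value for use inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def strip_nt_domain(user: str) -> str:
    """Mimic of -S (assumed behaviour): drop a leading NT domain component
    separated by / or \\, so DOMAIN\\jdoe and DOMAIN/jdoe both become jdoe."""
    for sep in ("\\", "/"):
        if sep in user:
            return user.split(sep, 1)[1]
    return user


def build_group_filter(template: str, user: str, group: str) -> str:
    """Expand an -f style template: %u -> user, %g -> group, %% -> literal %.

    Substituted values are escaped first, so a user name such as 'j*doe'
    is matched literally and cannot widen or restructure the search.
    An unknown %-sequence raises instead of being passed through silently.
    """
    def repl(m: re.Match) -> str:
        key = m.group(1)
        if key == "u":
            return escape_filter_value(user)
        if key == "g":
            return escape_filter_value(group)
        if key == "%":
            return "%"
        raise ValueError(f"unknown substitution %{key} in filter template")

    return re.sub(r"%(.)", repl, template)


if __name__ == "__main__":
    # Constructed sample input: the kind of filter the -f option takes.
    tmpl = "(&(objectClass=posixGroup)(cn=%g)(memberUid=%u))"
    print(build_group_filter(tmpl, strip_nt_domain("EXAMPLE\\j*doe"), "Group1"))
```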