[thirdparty/squid.git] / helpers / external_acl / ldap_group / squid_ldap_group.8

.TH squid_ldap_group 8 "1 Mars 2003" "Squid LDAP Match"
.
.SH NAME
squid_ldap_group - Squid LDAP external acl group helper
.
.SH SYNOPSIS
squid_ldap_group -b "base DN" -f "LDAP search filter" [options] [ldap_server_name[:port]...|URI]
.
.SH DESCRIPTION
This helper allows Squid to connect to a LDAP directory to
authorize users via LDAP groups.
.P
The program operates by searching with a search filter based
on the users user name and requested group, and if a match
is found it is determined that the user belongs to the group.
.
.TP
.BI "-b " "basedn " (REQUIRED)
Specifies the base DN under which the groups are located.
.
.TP
.BI "-B " "basedn "
Specifies the base DN under which the users are located (if different)
.
.TP
.B "-g"
Specifies that the first query argument sent to the helper by Squid is
a extension to the basedn and will be temporarily added in front of the
global basedn for this query.
.
.TP
.BI "-f " filter
LDAP search filter used to search the LDAP directory for any
matching group memberships.
.BR
In the filter %u will be replaced by the user name (or DN if
the -F or -u options are used) and %g by the requested group name.
.
.TP
.BI "-F " filter
LDAP search filter used to search the LDAP directory for any
matching users.
.BR
In the filter %s will be replaced by the user name. If % is to be
included literally in the filter then use %%.
.
.TP
.BI "-u " attr
LDAP attribute used to construct the user DN from the user name and
base dn without needing to search for the user.
.
.TP
.BI "-s " base|one|sub
search scope. Defaults to 'sub'.
.IP
.B base
object only,
.B one
level below the base object or
.BR sub tree
below the base object
.
.TP
.BI "-D " "binddn " "-w " password
The DN and password to bind as while performing searches. Required
if the directory does not allow anonymous searches.
.IP
As the password needs to be printed in plain text in your Squid configuration
and will be sent on the command line to the helper it is strongly recommended
to use a account with minimal associated privileges.  This to limit the damage
in case someone could get hold of a copy of your Squid configuration file or
extracts the password used from a process listing.
.
.TP
.BI -P
Use a persistent LDAP connection. Normally the LDAP connection
is only open while verifying a users group membership to preserve
resources at the LDAP server. This option causes the LDAP connection to
be kept open, allowing it to be reused for further user
validations. Recommended for larger installations.
.
.TP
.BI -R
do not follow referrals
.
.TP
.BI "-a " never|always|search|find
when to dereference aliases. Defaults to 'never'
.IP
.BI never
dereference aliases (default),
.BI always
dereference aliases, only while
.BR search ing
or only to
.B find
the base object
.
.TP
.BI -H " ldapuri"
Specity the LDAP server to connect to by a LDAP URI
.
.TP
.BI -h " ldapserver"
Specify the LDAP server to connect to
.TP
.BI -p " ldapport"
Specify an alternate TCP port where the ldap server is listening if
other than the default LDAP port 389.
.
.TP
.BI -S
Strip NT domain name component from user names (/ or \\ separated)
.
.SH SQUID CONFIGURATION
.
This helper is intended to be used as a external_acl_type helper from
squid.conf.
.P
.ft CR
.nf
external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ...
.br
acl group1 external ldap_group Group1
.br
acl group2 external ldap_group Group2
.fi
.ft
.
.SH NOTES
.
When constructing search filters it is recommended to first test the filter
using ldapsearch before you attempt to use squid_ldap_group. This to verify
that the filter matches what you expect.
.
.SH AUTHOR
This manual page was written by 
.I Henrik Nordstrom <hno@marasystems.com>
.P
squid_ldap_group is written by 
.I Flavio Pescuma <flavio@marasystems.com>
and
.IR "Henrik Nordstrom <hno@squid-cache.org>" ,
based on prior work in squid_ldap_auth by
.I Glen Newton <glen.newton@nrc.ca>
.
.SH KNOWN LIMITATIONS
Max 16 occurrences of %s in the -u argument is supported.
.
.SH QUESTIONS
Any questions on usage can be sent to 
.IR "Squid Users <squid-users@squid-cache.org>" ,
or to your favorite LDAP list/friend if the question is more related to
LDAP than Squid.
.
.SH REPORTING BUGS
Report bugs or bug-fixes to
.I Squid Bugs <squid-bugs@squid-cache.org>
or ideas for new improvements to 
.I Squid Developers <squid-dev@squid-cache.org>
.
.SH "SEE ALSO"
.BR squid_ldap_auth ( 8 ),
.BR ldapsearch ( 1 ),
.br
Your favorite LDAP documentation
.br
.BR RFC2254 " - The String Representation of LDAP Search Filters,"
Commit	Line	Data
5eecb267	1	.TH squid_ldap_group 8 "1 Mars 2003" "Squid LDAP Match"
28e81872	2	.
	3	.SH NAME
	4	squid_ldap_group - Squid LDAP external acl group helper
	5	.
	6	.SH SYNOPSIS
5eecb267	7	squid_ldap_group -b "base DN" -f "LDAP search filter" [options] [ldap_server_name[:port]...\|URI]
28e81872	8	.
	9	.SH DESCRIPTION
	10	This helper allows Squid to connect to a LDAP directory to
	11	authorize users via LDAP groups.
	12	.P
	13	The program operates by searching with a search filter based
5eecb267	14	on the users user name and requested group, and if a match
28e81872	15	is found it is determined that the user belongs to the group.
	16	.
	17	.TP
	18	.BI "-b " "basedn " (REQUIRED)
	19	Specifies the base DN under which the groups are located.
	20	.
6708c52c	21	.TP
	22	.BI "-B " "basedn "
	23	Specifies the base DN under which the users are located (if different)
	24	.
	25	.TP
28e81872	26	.B "-g"
28e81872	27	Specifies that the first query argument sent to the helper by Squid is
5eecb267	28	a extension to the basedn and will be temporarily added in front of the
6708c52c	29	global basedn for this query.
6708c52c	30	.
28e81872	31	.TP
	32	.BI "-f " filter
	33	LDAP search filter used to search the LDAP directory for any
	34	matching group memberships.
	35	.BR
5eecb267	36	In the filter %u will be replaced by the user name (or DN if
6708c52c	37	the -F or -u options are used) and %g by the requested group name.
	38	.
	39	.TP
	40	.BI "-F " filter
	41	LDAP search filter used to search the LDAP directory for any
	42	matching users.
	43	.BR
5eecb267	44	In the filter %s will be replaced by the user name. If % is to be
6708c52c	45	included literally in the filter then use %%.
	46	.
	47	.TP
	48	.BI "-u " attr
5eecb267	49	LDAP attribute used to construct the user DN from the user name and
5eecb267	50	base dn without needing to search for the user.
28e81872	51	.
	52	.TP
	53	.BI "-s " base\|one\|sub
	54	search scope. Defaults to 'sub'.
	55	.IP
	56	.B base
	57	object only,
	58	.B one
	59	level below the base object or
	60	.BR sub tree
	61	below the base object
	62	.
	63	.TP
	64	.BI "-D " "binddn " "-w " password
	65	The DN and password to bind as while performing searches. Required
	66	if the directory does not allow anonymous searches.
	67	.IP
	68	As the password needs to be printed in plain text in your Squid configuration
	69	and will be sent on the command line to the helper it is strongly recommended
	70	to use a account with minimal associated privileges. This to limit the damage
	71	in case someone could get hold of a copy of your Squid configuration file or
	72	extracts the password used from a process listing.
	73	.
	74	.TP
	75	.BI -P
	76	Use a persistent LDAP connection. Normally the LDAP connection
5eecb267	77	is only open while verifying a users group membership to preserve
5eecb267	78	resources at the LDAP server. This option causes the LDAP connection to
28e81872	79	be kept open, allowing it to be reused for further user
	80	validations. Recommended for larger installations.
	81	.
	82	.TP
	83	.BI -R
	84	do not follow referrals
	85	.
	86	.TP
	87	.BI "-a " never\|always\|search\|find
	88	when to dereference aliases. Defaults to 'never'
	89	.IP
	90	.BI never
	91	dereference aliases (default),
	92	.BI always
	93	dereference aliases, only while
	94	.BR search ing
	95	or only to
	96	.B find
	97	the base object
	98	.
	99	.TP
5eecb267	100	.BI -H " ldapuri"
	101	Specity the LDAP server to connect to by a LDAP URI
	102	.
	103	.TP
28e81872	104	.BI -h " ldapserver"
	105	Specify the LDAP server to connect to
	106	.TP
	107	.BI -p " ldapport"
	108	Specify an alternate TCP port where the ldap server is listening if
	109	other than the default LDAP port 389.
	110	.
6708c52c	111	.TP
6708c52c	112	.BI -S
5eecb267	113	Strip NT domain name component from user names (/ or \\ separated)
6708c52c	114	.
	115	.SH SQUID CONFIGURATION
	116	.
	117	This helper is intended to be used as a external_acl_type helper from
	118	squid.conf.
	119	.P
	120	.ft CR
	121	.nf
	122	external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ...
	123	.br
5eecb267	124	acl group1 external ldap_group Group1
6708c52c	125	.br
5eecb267	126	acl group2 external ldap_group Group2
6708c52c	127	.fi
	128	.ft
	129	.
28e81872	130	.SH NOTES
28e81872	131	.
5eecb267	132	When constructing search filters it is recommended to first test the filter
28e81872	133	using ldapsearch before you attempt to use squid_ldap_group. This to verify
	134	that the filter matches what you expect.
	135	.
	136	.SH AUTHOR
	137	This manual page was written by
	138	.I Henrik Nordstrom <hno@marasystems.com>
	139	.P
	140	squid_ldap_group is written by
	141	.I Flavio Pescuma <flavio@marasystems.com>
	142	and
	143	.IR "Henrik Nordstrom <hno@squid-cache.org>" ,
	144	based on prior work in squid_ldap_auth by
	145	.I Glen Newton <glen.newton@nrc.ca>
	146	.
	147	.SH KNOWN LIMITATIONS
5eecb267	148	Max 16 occurrences of %s in the -u argument is supported.
28e81872	149	.
	150	.SH QUESTIONS
	151	Any questions on usage can be sent to
	152	.IR "Squid Users <squid-users@squid-cache.org>" ,
	153	or to your favorite LDAP list/friend if the question is more related to
	154	LDAP than Squid.
	155	.
	156	.SH REPORTING BUGS
	157	Report bugs or bug-fixes to
	158	.I Squid Bugs <squid-bugs@squid-cache.org>
	159	or ideas for new improvements to
	160	.I Squid Developers <squid-dev@squid-cache.org>
	161	.
	162	.SH "SEE ALSO"
	163	.BR squid_ldap_auth ( 8 ),
	164	.BR ldapsearch ( 1 ),
	165	.br
	166	Your favorite LDAP documentation
	167	.br
	168	.BR RFC2254 " - The String Representation of LDAP Search Filters,"