```troff
.TH squid_ldap_group 8 "1 Mars 2003" "Squid LDAP Match"
.
.SH NAME
squid_ldap_group - Squid LDAP external acl group helper
.
.SH SYNOPSIS
squid_ldap_group -b "base DN" -f "LDAP search filter" [options] [ldap_server_name[:port]...|URI]
.
.SH DESCRIPTION
This helper allows Squid to connect to an LDAP directory to
authorize users via LDAP groups.
.P
The program operates by searching with a search filter based
on the user's user name and the requested group; if a match
is found, the user is determined to belong to the group.
.
.TP
.BI "-b " "basedn " (REQUIRED)
Specifies the base DN under which the groups are located.
.
.TP
.BI "-B " "basedn "
Specifies the base DN under which the users are located (if different).
.
.TP
.B "-g"
Specifies that the first query argument sent to the helper by Squid is
an extension to the basedn and will be temporarily added in front of the
global basedn for this query.
.
.TP
.BI "-f " filter
LDAP search filter used to search the LDAP directory for any
matching group memberships.
.br
In the filter %u will be replaced by the user name (or DN if
the -F or -u options are used) and %g by the requested group name.
.
.TP
.BI "-F " filter
LDAP search filter used to search the LDAP directory for any
matching users.
.br
In the filter %s will be replaced by the user name. If % is to be
included literally in the filter then use %%.
.
.TP
.BI "-u " attr
LDAP attribute used to construct the user DN from the user name and
base DN without needing to search for the user.
.
.TP
.BI "-s " base|one|sub
Search scope. Defaults to 'sub'.
.IP
.B base
object only,
.B one
level below the base object or
.BR sub tree
below the base object.
.
.TP
.BI "-D " "binddn " "-w " password
The DN and password to bind as while performing searches. Required
if the directory does not allow anonymous searches.
.IP
As the password needs to be printed in plain text in your Squid configuration
and will be sent on the command line to the helper, it is strongly recommended
to use an account with minimal associated privileges. This is to limit the damage
in case someone gets hold of a copy of your Squid configuration file or
extracts the password from a process listing.
.
.TP
.B -P
Use a persistent LDAP connection. Normally the LDAP connection
is only open while verifying a user's group membership, to preserve
resources at the LDAP server. This option causes the LDAP connection to
be kept open, allowing it to be reused for further user
validations. Recommended for larger installations.
.
.TP
.B -R
Do not follow referrals.
.
.TP
.BI "-a " never|always|search|find
When to dereference aliases. Defaults to 'never'.
.IP
.B never
dereference aliases (default),
.B always
dereference aliases, only while
.BR search ing
or only to
.B find
the base object.
.
.TP
.BI -H " ldapuri"
Specify the LDAP server to connect to by an LDAP URI.
.
.TP
.BI -h " ldapserver"
Specify the LDAP server to connect to.
.
.TP
.BI -p " ldapport"
Specify an alternate TCP port where the LDAP server is listening if
other than the default LDAP port 389.
.
.TP
.B -S
Strip the NT domain name component from user names (/ or \\ separated).
.
.SH SQUID CONFIGURATION
.
This helper is intended to be used as an external_acl_type helper from
squid.conf.
.P
.ft CR
.nf
external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ...
.br
acl group1 external ldap_group Group1
.br
acl group2 external ldap_group Group2
.fi
.ft
.
.SH NOTES
.
When constructing search filters it is recommended to first test the filter
using ldapsearch before you attempt to use squid_ldap_group. This is to verify
that the filter matches what you expect.
.
.SH AUTHOR
This manual page was written by
.I Henrik Nordstrom <hno@marasystems.com>
.P
squid_ldap_group is written by
.I Flavio Pescuma <flavio@marasystems.com>
and
.IR "Henrik Nordstrom <hno@squid-cache.org>" ,
based on prior work in squid_ldap_auth by
.I Glen Newton <glen.newton@nrc.ca>
.
.SH KNOWN LIMITATIONS
At most 16 occurrences of %s in the -u argument are supported.
.
.SH QUESTIONS
Any questions on usage can be sent to
.IR "Squid Users <squid-users@squid-cache.org>" ,
or to your favorite LDAP list/friend if the question is more related to
LDAP than Squid.
.
.SH REPORTING BUGS
Report bugs or bug-fixes to
.I Squid Bugs <squid-bugs@squid-cache.org>
or ideas for new improvements to
.I Squid Developers <squid-dev@squid-cache.org>
.
.SH "SEE ALSO"
.BR squid_ldap_auth ( 8 ),
.BR ldapsearch ( 1 ),
.br
Your favorite LDAP documentation
.br
.BR RFC2254 " - The String Representation of LDAP Search Filters,"
```
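An added example in Python (not the helper's own code) of how the -f and -F filter templates, the %% escape, the -S domain stripping and the -u DN construction described in this man page expand for one Squid query line. The substituted values are escaped per the RFC2254 rules cited under SEE ALSO before they enter the filter, which is the practice the RFC prescribes; the function names and sample values are my own.

```python
# Added example, not the helper's own code: how the filter templates in
# this man page expand for one Squid query line "user group" (-f with %u
# and %g, -F with %s and %%, -S domain stripping), with every substituted
# value escaped per RFC2254 so it cannot change the filter's structure.
import re

# RFC2254 section 4: characters that must appear as \XX inside a value.
_RFC2254_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28",
                    ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP filter."""
    return "".join(_RFC2254_ESCAPES.get(c, c) for c in value)

def strip_nt_domain(user: str) -> str:
    """The -S option: drop an NT domain prefix separated by / or \\."""
    return re.split(r"[/\\]", user, maxsplit=1)[-1]

def expand_template(template: str, subs: dict) -> str:
    """Expand %x tokens from subs (escaped); %% yields a literal %."""
    def repl(m):
        tok = m.group(1)
        if tok == "%":
            return "%"
        if tok in subs:
            return escape_filter_value(subs[tok])
        return m.group(0)          # unknown token is left untouched
    return re.sub(r"%(.)", repl, template)

def group_filter(template: str, user: str, group: str) -> str:
    """The -f filter: %u is the user name (or DN), %g the group."""
    return expand_template(template, {"u": user, "g": group})

def user_filter(template: str, user: str) -> str:
    """The -F filter: %s is the user name."""
    return expand_template(template, {"s": user})

def user_dn(attr: str, user: str, user_basedn: str) -> str:
    """The -u option: build attr=user,basedn without a search.
    DN values use RFC2253 escaping, which differs from filter escaping."""
    esc = re.sub(r'([,+"\\<>;])', r"\\\1", user)
    return f"{attr}={esc},{user_basedn}"

if __name__ == "__main__":   # constructed sample query line from Squid
    user, group = strip_nt_domain("EXAMPLE\\jdoe"), "Group1"
    print(group_filter("(&(cn=%g)(memberUid=%u))", user, group))
    print(user_filter("(&(objectClass=person)(uid=%s)(x=100%%))", user))
    print(user_dn("uid", user, "ou=people,dc=example,dc=com"))
```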