projects / thirdparty / squid.git / blame
| Commit | Line | Data |
|---|---|---|
| 736a9a4d | 1 | |
| 2 | This is the readme.txt file for mswin_check_lm_group, an external | |
| 1d09e43e | 3 | helper for the External ACL Scheme for Squid. |
| 736a9a4d | 4 | |
| 5 | ||
| 1d09e43e GS |
6 | This helper must be used in with an authentication scheme (tipically |
| 7 | basic or NTLM) based on Windows NT/2000 domain users (LM mode). | |
| 736a9a4d | 8 | It reads from the standard input the domain username and a list of groups |
| 9 | and tries to match it against the groups membership of the specified | |
| 10 | username. | |
| 11 | ||
| 12 | ||
| 13 | ============== | |
| 14 | Program Syntax | |
| 15 | ============== | |
| 16 | ||
| 17 | mswin_check_lm_group [-D domain][-G][-P][-c][-d][-h] | |
| 18 | ||
| 19 | -D domain specify the default user's domain | |
| 20 | -G start helper in Domain Global Group mode | |
| 21 | -P use ONLY PDCs for group validation | |
| 22 | -c use case insensitive compare | |
| 23 | -d enable debugging | |
| 24 | -h this message | |
| 25 | ||
| 26 | ||
| 27 | ================ | |
| 28 | squid.conf usage | |
| 29 | ================ | |
| 30 | ||
| 31 | external_acl_type NT_global_group %LOGIN c:/squid/libexec/mswin_check_lm_group.exe -G | |
| 32 | external_acl_type NT_local_group %LOGIN c:/squid/libexec/mswin_check_lm_group.exe | |
| 33 | ||
| 34 | acl GProxyUsers external NT_global_group GProxyUsers | |
| 35 | acl LProxyUsers external NT_local_group LProxyUsers | |
| 36 | acl password proxy_auth REQUIRED | |
| 37 | ||
| 38 | http_access allow password GProxyUsers | |
| 39 | http_access allow password LProxyUsers | |
| 40 | http_access deny all | |
| 41 | ||
| 42 | In the previous example all validated NT users member of GProxyUsers Global | |
| 43 | domain group or member of LProxyUsers machine local group are allowed to | |
| 44 | use the cache. | |
| 45 | ||
| 46 | Groups with spaces in name, for example "Domain Users", must be quoted and | |
| 47 | the acl data ("Domain Users") must be placed into a separate file included | |
| 48 | by specifying "/path/to/file". The previous example will be: | |
| 49 | ||
| 50 | acl ProxyUsers external NT_global_group "c:/squid/etc/DomainUsers" | |
| 51 | ||
| 52 | and the DomainUsers files will contain only the following line: | |
| 53 | ||
| 54 | "Domain Users" | |
| 55 | ||
| 56 | NOTES: | |
| 1d09e43e | 57 | - The standard group name comparison is case sensitive, so group name |
| 736a9a4d | 58 | must be specified with same case as in the NT/2000 Domain. |
| 1d09e43e GS |
59 | It's possible to enable case insensitive group name comparison (-c), |
| 60 | but on some not-english locales, the results can be unexpected. | |
| 736a9a4d | 61 | - Native WIN32 NTLM and Basic Helpers must be used without the |
| 62 | -A & -D switches. | |
| 63 | ||
| 64 | Refer to Squid documentation for the more details on squid.conf. | |
| 65 | ||
| 66 | ||
| 67 | ======= | |
| 68 | Testing | |
| 69 | ======= | |
| 70 | ||
| 71 | I strongly reccomend that mswin_check_lm_group is tested prior to being used in a | |
| 72 | production environment. It may behave differently on different platforms. | |
| 73 | To test it, run it from the command line. Enter username and group | |
| 1d09e43e | 74 | pairs separated by a space (username must entered with domain%5cusername |
| 736a9a4d | 75 | syntax). Press ENTER to get an OK or ERR message. |
| 76 | Make sure pressing <CTRL><D> behaves the same as a carriage return. | |
| 77 | Make sure pressing <CTRL><C> aborts the program. | |
| 78 | ||
| 79 | Test that entering no details does not result in an OK or ERR message. | |
| 80 | Test that entering an invalid username and group results in an ERR message. | |
| 81 | Test that entering an valid username and group results in an OK message. | |
| 82 |