This is the readme.txt file for mswin_check_lm_group, an external
helper for the External ACL Scheme for Squid.

This helper must be used with an authentication scheme (typically
basic or NTLM) based on Windows NT/2000 domain users (LM mode).
It reads from the standard input the domain username and a list of groups
and tries to match them against the group membership of the specified
username.

==============
Program Syntax
==============

mswin_check_lm_group [-D domain][-G][-P][-c][-d][-h]

-D domain    specify the default user's domain
-G           start helper in Domain Global Group mode
-P           use ONLY PDCs for group validation
-c           use case insensitive compare
-d           enable debugging
-h           this message

================
squid.conf usage
================

external_acl_type NT_global_group %LOGIN c:/squid/libexec/mswin_check_lm_group.exe -G
external_acl_type NT_local_group %LOGIN c:/squid/libexec/mswin_check_lm_group.exe

acl GProxyUsers external NT_global_group GProxyUsers
acl LProxyUsers external NT_local_group LProxyUsers
acl password proxy_auth REQUIRED

http_access allow password GProxyUsers
http_access allow password LProxyUsers
http_access deny all

In the previous example, all validated NT users who are members of the
GProxyUsers Global domain group or of the LProxyUsers machine local group
are allowed to use the cache.

Groups with spaces in their name, for example "Domain Users", must be quoted
and the acl data ("Domain Users") must be placed into a separate file included
by specifying "/path/to/file". The previous example then becomes:

acl ProxyUsers external NT_global_group "c:/squid/etc/DomainUsers"

and the DomainUsers file will contain only the following line:

"Domain Users"

NOTES:
- The standard group name comparison is case sensitive, so group names
  must be specified with the same case as in the NT/2000 Domain.
  It's possible to enable case insensitive group name comparison (-c),
  but on some non-English locales the results can be unexpected.
- Native WIN32 NTLM and Basic Helpers must be used without the
  -A & -D switches.

Refer to the Squid documentation for more details on squid.conf.

=======
Testing
=======

I strongly recommend that mswin_check_lm_group is tested prior to being used in a
production environment. It may behave differently on different platforms.
To test it, run it from the command line. Enter username and group
pairs separated by a space (username must be entered with domain%5cusername
syntax). Press ENTER to get an OK or ERR message.
Make sure pressing <CTRL><D> behaves the same as a carriage return.
Make sure pressing <CTRL><C> aborts the program.

Test that entering no details does not result in an OK or ERR message.
Test that entering an invalid username and group results in an ERR message.
Test that entering a valid username and group results in an OK message.
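To know which answer to expect for each test line before typing it into the helper, the behaviour described in this readme can be modelled in a few lines. This is an added example, not code from mswin_check_lm_group: the MEMBERSHIP table, the CORP domain, the user names and the check_line function are constructed for illustration, and it assumes every field is URL-decoded the same way as the domain%5cusername field.

```python
from urllib.parse import unquote

# Constructed sample data standing in for the NT domain: user -> groups.
MEMBERSHIP = {
    r"CORP\alice": {"GProxyUsers", "Domain Users"},
    r"CORP\bob": {"Staff"},
}


def check_line(line, membership=MEMBERSHIP, default_domain=None,
               case_insensitive=False):
    """Model one helper input line; return "OK", "ERR" or None."""
    fields = line.split()
    if not fields:
        return None                    # no details: neither OK nor ERR
    user = unquote(fields[0])          # domain%5cusername -> domain\username
    wanted = [unquote(f) for f in fields[1:]]   # Domain%20Users -> Domain Users
    if "\\" not in user and default_domain:
        user = default_domain + "\\" + user     # models the -D switch
    # Simplification: the user name is looked up with an exact match.
    groups = membership.get(user)
    if groups is None:
        return "ERR"                   # unknown user is never allowed
    if case_insensitive:               # models the -c switch
        # casefold() is locale-independent; the readme warns that the
        # helper's own -c compare may not be on non-English locales.
        groups = {g.casefold() for g in groups}
        wanted = [w.casefold() for w in wanted]
    # Allowed when the user belongs to at least one listed group.
    return "OK" if any(w in groups for w in wanted) else "ERR"


if __name__ == "__main__":
    for sample in ["", "CORP%5calice GProxyUsers", "CORP%5calice gproxyusers",
                   "CORP%5cmallory GProxyUsers"]:
        print(repr(sample), "->", check_line(sample))
```

A mismatch in letter case fails closed with ERR unless case_insensitive is set, which is the default behaviour the NOTES section describes for group names.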