.if !'po4a'hide' .TH ext_ad_group_acl.exe 8
ext_ad_group_acl.exe \- Squid external ACL helper to check Windows users group membership.
.if !'po4a'hide' .B ext_ad_group_acl.exe
.if !'po4a'hide' .B "[\-D "
.if !'po4a'hide' .B "] [\-cdGh]"
.B ext_ad_group_acl.exe
is an installed binary in Squid for Windows builds.
This helper must be used with an authentication scheme (typically
Basic, NTLM or Negotiate) based on Windows Active Directory domain users.
It reads from the standard input the domain username and a list of groups
and tries to match each against the group membership of the specified
Two running modes are available:
.if !'po4a'hide' .TP 12
membership is checked against the machine's local groups; this mode cannot be used when
running on a Domain Controller.
.if !'po4a'hide' .TP 12
.B "\- Active Directory Global mode:"
membership is checked against the whole Active Directory Forest of the
machine where Squid is running.
The minimal Windows version needed to run
.B ext_ad_group_acl.exe
is a Windows 2000 SP4 member of an Active Directory Domain.
When running in Active Directory Global mode, all types of Active Directory
security groups are supported:
and Active Directory group nesting is fully supported.
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B "\-c"
Use case insensitive compare (local mode only).
.if !'po4a'hide' .B "\-d"
Write debug info to stderr.
.if !'po4a'hide' .B "\-D" domain
Specify the default user's
.if !'po4a'hide' .B "\-G"
Start helper in Active Directory Global mode.
.if !'po4a'hide' .B "\-h"
Display the binary help and command line syntax info using stderr.
When running in Active Directory Global mode, the AD Group can be specified using the
.if !'po4a'hide' .TP 5
.B "1." Plain NT4 Group Name
.B "2." Full NT4 Group Name
.B "3." Active Directory Canonical name
.if !'po4a'hide' .TP 5
.if !'po4a'hide' .B "1." Proxy-Users
.if !'po4a'hide' .B "2." MYDOMAIN\Proxy-Users
.if !'po4a'hide' .B "3." mydomain.local/Groups/Proxy-Users
When using Plain NT4 Group Name, the Group is searched in the user's domain.
.if !'po4a'hide' .B external_acl_type AD_global_group %LOGIN c:/squid/libexec/ext_ad_group_acl.exe -G
.if !'po4a'hide' .B external_acl_type NT_local_group %LOGIN c:/squid/libexec/ext_ad_group_acl.exe
.if !'po4a'hide' .B "acl GProxyUsers external AD_global_group MYDOMAIN\GProxyUsers"
.if !'po4a'hide' .B acl LProxyUsers external NT_local_group LProxyUsers
.if !'po4a'hide' .B acl password proxy_auth REQUIRED
.if !'po4a'hide' .B http_access allow password GProxyUsers
.if !'po4a'hide' .B http_access allow password LProxyUsers
.if !'po4a'hide' .B http_access deny all
In the previous example, all validated AD users who are members of the
.I "MYDOMAIN\GProxyUsers"
domain group or members of the
machine local group are allowed to
Groups with spaces in name, for example
, must be quoted and the acl data (
) must be placed into a separate file included
The previous example will be:
.if !'po4a'hide' acl ProxyUsers external NT_global_group \"c:/squid/etc/DomainUsers\"
and the DomainUsers files will contain only the following line:
When running in Active Directory Global mode, for better performance,
all Domain Controllers of the Active Directory forest should be configured
When running in local mode, the standard group name comparison is case
sensitive, so group name must be specified with same case as in the
It is possible to enable case insensitive group name comparison (
but on some non\-English locales, the results can be unexpected.
Native WIN32 NTLM and Basic helpers must be used without the
Refer to Squid documentation for more details on
I strongly recommend that
.B ext_ad_group_acl.exe
is tested prior to being used in a
production environment. It may behave differently on different platforms.
To test it, run it from the command line. Enter username and group
pairs separated by a space (username must be entered with URL-encoded
behaves the same as a carriage return.
Test that entering no details does not result in an
behaves the same as a carriage return.
Test that entering no details does not result in an
Test that entering an invalid username and group results in an
Test that entering a valid username and group results in an
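The manual test above can be scripted. The following is an added example, not part of the Squid distribution: it builds the space-separated input line with URL-encoded tokens and treats any reply other than OK as a denial. It assumes the usual Squid helper replies OK and ERR, uses Python's urllib quoting as a stand-in for Squid's URL escaping, and the account names in CASES are constructed placeholders.

```python
import subprocess
from urllib.parse import quote


def build_request(username, groups):
    """One helper input line: URL-encoded user, then URL-encoded groups."""
    if not groups:
        raise ValueError("at least one group is required")
    tokens = [quote(username, safe="")] + [quote(g, safe="") for g in groups]
    return " ".join(tokens) + "\n"


def is_allowed(reply):
    """Fail closed: only a reply whose first token is exactly OK allows."""
    parts = reply.split()
    return bool(parts) and parts[0] == "OK"


def run_checks(helper_argv, cases):
    """Feed (user, groups, expected) cases to one helper process.

    Returns the cases whose reply did not match the expectation.
    """
    proc = subprocess.Popen(helper_argv, stdin=subprocess.PIPE,
                            stdout=subprocess.PIPE, text=True)
    failures = []
    try:
        for user, groups, expected in cases:
            proc.stdin.write(build_request(user, groups))
            proc.stdin.flush()
            reply = proc.stdout.readline()  # empty string if the helper died
            if is_allowed(reply) != expected:
                failures.append((user, groups, reply.strip()))
    finally:
        proc.stdin.close()
        proc.wait()
    return failures


# Constructed sample cases; replace with accounts from your own domain.
CASES = [
    ("MYDOMAIN\\no-such-user", ["MYDOMAIN\\GProxyUsers"], False),
    ("MYDOMAIN\\jdoe", ["MYDOMAIN\\GProxyUsers"], True),
]

if __name__ == "__main__":
    argv = ["c:/squid/libexec/ext_ad_group_acl.exe", "-G"]
    for failure in run_checks(argv, CASES):
        print("unexpected reply:", failure)
```

A non-empty result from run_checks means the helper allowed a user it should have denied or the reverse; resolve that before the helper is referenced from http_access rules.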
This program was written by
.if !'po4a'hide' .I Guido Serassio <guido.serassio@acmeconsulting.it>
Based on prior work in
.B "mswin_check_lm_group (ext_lm_group_acl)"
This manual was written by
.if !'po4a'hide' .I Guido Serassio <guido.serassio@acmeconsulting.it>
.if !'po4a'hide' .I Amos Jeffries <amosjeffries@squid-cache.org>
* Copyright (C) 1996-2016 The Squid Software Foundation and contributors
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
* Please see the COPYING and CONTRIBUTORS files for details.
This program and documentation is copyright to the authors named above.
Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).
Questions on the usage of this program can be sent to the
.I Squid Users mailing list
.if !'po4a'hide' <squid-users@squid-cache.org>
Bug reports need to be made in English.
See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
Report bugs or bug fixes using http://bugs.squid-cache.org/
Report serious security bugs to
.I Squid Bugs <squid-bugs@squid-cache.org>
Report ideas for new improvements to the
.I Squid Developers mailing list
.if !'po4a'hide' <squid-dev@squid-cache.org>
.if !'po4a'hide' .BR squid "(8), "
.if !'po4a'hide' .BR GPL "(7), "
.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq
The Squid Configuration Manual
.if !'po4a'hide' http://www.squid-cache.org/Doc/config/