-.if !'po4a'hide' .TH basic_sspi_auth 8
+.if !'po4a'hide' .TH basic_sspi_auth.exe 8
.
.SH NAME
-.if !'po4a'hide' .B basic_sspi_auth
+.if !'po4a'hide' .B basic_sspi_auth.exe
.if !'po4a'hide' \-
Basic authentication protocol
.PP
Version 2.0
.
.SH SYNOPSIS
-.if !'po4a'hide' .B basic_sspi_auth
+.if !'po4a'hide' .B basic_sspi_auth.exe
.if !'po4a'hide' .B "[\-d] [\-A "
Group Name
.if !'po4a'hide' .B "] [\-D "
.if !'po4a'hide' .B "]"
.
.SH DESCRIPTION
-.B basic_sspi_auth
+.B basic_sspi_auth.exe
is a simple authentication module for the Squid proxy server running on Windows NT
to authenticate users on an NT domain in native WIN32 mode.
.
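Review bot: the SYNOPSIS block (L15-L18) is out of step with the OPTIONS section in the same page: it shows `[\-d] [\-A Group Name] [\-D ]` with no argument after `\-D`, even though `\-D` takes a group name exactly like `\-A`, and it omits `\-O`, which OPTIONS documents below. Since this hunk already touches the SYNOPSIS to rename the binary, it should also complete the option list, e.g. `.B "[\-d] [\-A "` / `Group Name` / `.B "] [\-D "` / `Group Name` / `.B "] [\-O "` / `Domain` / `.B "]"`, so that a reader of the synopsis alone sees every switch the helper accepts.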
in the domain\\username Microsoft notation.
.
.SH OPTIONS
-.if !'po4a'hide' .B basic_sspi_auth
-.if !'po4a'hide' .B \-d
-Write debug info to stderr.
+.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-A
A Windows Local Group name allowed to authenticate.
+.
+.if !'po4a'hide' .TP
+.if !'po4a'hide' .B \-d
+Write debug info to stderr.
+.
+.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-D
A Windows Local Group name not allowed to authenticate.
+.
+.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-O
The default Domain against to authenticate.
.
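Review bot: the `\-O` description at L46, "The default Domain against to authenticate.", is ungrammatical and survives the hunk unchanged; it should read "The default Domain to authenticate against." while the surrounding lines are being restructured. A second, style point for the new `.TP` entries: `\-A`, `\-D` and `\-O` all take an argument, but the tag lines show only the bare switch (`.B \-A`), so the reader has to infer the argument from the SYNOPSIS. The ldap page in this same patch uses `.BI "\-f " filter` for that case; `.BI "\-A " "Group Name"`, `.BI "\-D " "Group Name"` and `.BI "\-O " Domain` here would match it.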
.B squid.conf
to enable the authenticator:
.if !'po4a'hide' .RS
-.if !'po4a'hide' auth_param basic program c:/squid/libexec/basic_sspi_auth.exe [options]
+.if !'po4a'hide' .B auth_param basic program c:/squid/libexec/basic_sspi_auth.exe [options]
.if !'po4a'hide' .RE
.
.PP
You will need to set the following lines in
.B squid.conf
-to enable authentication for your access list -
+to enable authentication for your access list:
.if !'po4a'hide' .RS
-.if !'po4a'hide' acl aclName proxy_auth REQUIRED
-.if !'po4a'hide' http_access allow aclName
+.if !'po4a'hide' .B acl aclName proxy_auth REQUIRED
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B http_access allow aclName
.if !'po4a'hide' .RE
.
.PP
You will need to specify the absolute path to
-.B basic_sspi_auth
+.B basic_sspi_auth.exe
in the
.B "auth_param basic program"
directive.
.SH TESTING
.PP
I strongly urge that
-.B basic_sspi_auth
+.B basic_sspi_auth.exe
is tested prior to being used in a
production environment. It may behave differently on different platforms.
To test it, run it from the command line. Enter username and password
.B CTRL-C
aborts the program.
.PP
-Test that entering no details does not result in an OK or ERR message.
-.
-Test that entering an invalid username and password results in an ERR message.
-.
-Note that if NT guest user access is allowed on the PDC, an OK message
-may be returned instead of ERR.
-.
-Test that entering an valid username and password results in an OK message.
-.
+Test that entering no details does not result in an
+.B OK
+or
+.B ERR
+message.
+.PP
+Test that entering an invalid username and password results in an
+.B ERR
+message.
+.PP
+Note that if NT guest user access is allowed on the PDC, an
+.B OK
+message may be returned instead of
+.B ERR
+.PP
+Test that entering an valid username and password results in an
+.B OK
+message.
+.PP
Test that entering a guest username and password returns the correct
response for the site's access policy.
.
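Review bot: two small defects are carried into the rewritten TESTING paragraphs. L110 keeps the typo "entering an valid username" from the line it replaces; it should be "a valid username". At L105-L109 the guest-access note loses its full stop: the original read "instead of ERR." but the new `.B ERR` line is followed directly by `.PP`, and a lone `.` would not help either (it is a null request), so use `.BR ERR .` to keep the period. Since this note is the one security-relevant statement on the page, it is also worth spelling out what it means: with guest access enabled on the PDC an invalid username/password pair gets `OK`, i.e. the proxy accepts anyone, so the page should advise disabling guest access (or verifying with the invalid-credentials test above) rather than just noting that `OK` "may be returned".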
-.if !'po4a'hide' .TH ext_ad_group_acl 8
+.if !'po4a'hide' .TH ext_ad_group_acl.exe 8
.
.SH NAME
-.if !'po4a'hide' .B ext_ad_group_acl
+.if !'po4a'hide' .B ext_ad_group_acl.exe
.if !'po4a'hide' \-
Squid external ACL helper to check Windows users group membership.
.PP
Version 2.0
.
.SH SYNOPSIS
-.if !'po4a'hide' .B ext_ad_group_acl
+.if !'po4a'hide' .B ext_ad_group_acl.exe
.if !'po4a'hide' .B "[\-D "
domain
-.if !'po4a'hide' .B "[\-cdGh]"
+.if !'po4a'hide' .B "] [\-cdGh]"
.
.SH DESCRIPTION
-.B ext_ad_group_acl
+.B ext_ad_group_acl.exe
is an installed binary in Squid for Windows builds.
.PP
This helper must be used in with an authentication scheme (typically
.B "\- Local mode:"
membership is checked against machine's local groups, cannot be used when
running on a Domain Controller.
+.PP
+.if !'po4a'hide' .TP 12
.B "\- Active Directory Global mode:"
membership is checked against the whole Active Directory Forest of the
machine where Squid is running.
.PP
-The minimal Windows version needed to run ext_ad_group_acl is
-a Windows 2000 SP4 member of an Active Directory Domain.
+The minimal Windows version needed to run
+.B ext_ad_group_acl.exe
+is a Windows 2000 SP4 member of an Active Directory Domain.
.PP
When running in Active Directory Global mode, all types of Active Directory
security groups are supported:
-.if !'po4a'hide' .TP 12
-.B \- Domain Global
-.B \- Domain Local from user's domain
-.B \- Universal
+.B "Domain Global"
+,
+.B "Domain Local"
+from user's domain,
+.B "Universal"
and Active Directory group nesting is fully supported.
.
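Review bot: the inline group list at L163-L167 renders with a stray space before the comma: `.B "Domain Global"` followed by a line containing only `,` produces "Domain Global ," because each input line is a new word in fill mode. The man-macro idiom for trailing punctuation is the alternating form, `.BR "Domain Global" ,`, and the same applies if a period is ever wanted after `.B "Universal"`. Two lesser points in the same region: the `.PP` added at L145 immediately before `.TP 12` at L146 is redundant (`.TP` starts its own paragraph) and produces extra vertical space between the two mode descriptions, so drop it; and the context sentence at L141, "This helper must be used in with an authentication scheme", needs "in" removed.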
.SH OPTIONS
.if !'po4a'hide' .TP 12
-.if !'po4a'hide' .B \-c
+.if !'po4a'hide' .B "\-c"
Use case insensitive compare (local mode only).
-.if !'po4a'hide' .B \-d
+.
+.if !'po4a'hide' .TP
+.if !'po4a'hide' .B "\-d"
Write debug info to stderr.
-.if !'po4a'hide' .B \-D domain
-Specify the default user's domain.
-.if !'po4a'hide' .B \-G
+.
+.if !'po4a'hide' .TP
+.if !'po4a'hide' .B "\-D" domain
+Specify the default user's
+.B domain
+.
+.if !'po4a'hide' .TP
+.if !'po4a'hide' .B "\-G"
Start helper in Active Directory Global mode.
-.if !'po4a'hide' .B \-h
+.
+.if !'po4a'hide' .TP
+.if !'po4a'hide' .B "\-h"
Display the binary help and command line syntax info using stderr.
.
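Review bot: the `\-D` entry at L185-L188 loses its sentence-ending period. The old line was "Specify the default user's domain."; the new version puts `domain` on a `.B` line and then a line containing only `.`, which roff treats as a null request and prints nothing, so the rendered text ends "Specify the default user's domain" with no full stop. Use `.BR domain .` (bold word, roman period, no space) or keep the period on the text line. While at it, the tag `.B "\-D" domain` bolds the placeholder as if it were literal; `.BI "\-D " domain`, the form the ldap page in this patch already uses for `\-f`, marks `domain` as a user-supplied value.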
.SH CONFIGURATION
following syntax:
.
.if !'po4a'hide' .TP 5
-.PP 1. Plain NT4 Group Name
-.PP 2. Full NT4 Group Name
-.PP 3. Active Directory Canonical name
+.B "1." Plain NT4 Group Name
+.
+.if !'po4a'hide' .TP
+.B "2." Full NT4 Group Name
.
-.PP As Example:
+.if !'po4a'hide' .TP
+.B "3." Active Directory Canonical name
+.
+.PP As Exampled:
.if !'po4a'hide' .TP 5
-.if !'po4a'hide' .PP 1. Proxy-Users
-.if !'po4a'hide' .PP 2. MYDOMAIN\Proxy-Users
-.if !'po4a'hide' .PP 3. mydomain.local/Groups/Proxy-Users
+.if !'po4a'hide' .B "1." Proxy-Users
+.
+.if !'po4a'hide' .TP
+.if !'po4a'hide' .B "2." MYDOMAIN\Proxy-Users
+.
+.if !'po4a'hide' .TP
+.if !'po4a'hide' .B "3." mydomain.local/Groups/Proxy-Users
.PP
When using Plain NT4 Group Name, the Group is searched in the user's domain.
-.if !'po4a'hide' .
-.if !'po4a'hide' external_acl_type AD_global_group %LOGIN c:/squid/libexec/ext_ad_group_acl.exe -G
-.if !'po4a'hide' external_acl_type NT_local_group %LOGIN c:/squid/libexec/ext_ad_group_acl.exe
-.if !'po4a'hide' .
-.if !'po4a'hide' acl GProxyUsers external AD_global_group MYDOMAIN\GProxyUsers
-.if !'po4a'hide' acl LProxyUsers external NT_local_group LProxyUsers
-.if !'po4a'hide' acl password proxy_auth REQUIRED
-.if !'po4a'hide' .
-.if !'po4a'hide' http_access allow password GProxyUsers
-.if !'po4a'hide' http_access allow password LProxyUsers
-.if !'po4a'hide' http_access deny all
+.if !'po4a'hide' .RS
+.if !'po4a'hide' .B external_acl_type AD_global_group %LOGIN c:/squid/libexec/ext_ad_group_acl.exe -G
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B external_acl_type NT_local_group %LOGIN c:/squid/libexec/ext_ad_group_acl.exe
+.if !'po4a'hide' .br
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B "acl GProxyUsers external AD_global_group MYDOMAIN\GProxyUsers"
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B acl LProxyUsers external NT_local_group LProxyUsers
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B acl password proxy_auth REQUIRED
+.if !'po4a'hide' .br
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B http_access allow password GProxyUsers
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B http_access allow password LProxyUsers
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B http_access deny all
+.if !'po4a'hide' .RE
+.
.PP
In the previous example all validated AD users member of
-.I MYDOMAIN\GProxyUsers
+.I "MYDOMAIN\GProxyUsers"
domain group or member of
.I LProxyUsers
machine local group are allowed to
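Review bot: L214, `.PP As Exampled:`, introduces a typo and keeps a roff bug from the line it replaces: the `.PP` macro takes no arguments, so "As Exampled:" (and the old "As Example:") never appears in the output. Write `.PP` on its own line followed by `As example:` on the next, exactly as this hunk already does for the numbered items above it. Second, the backslashes in `MYDOMAIN\Proxy-Users` (L222), `MYDOMAIN\GProxyUsers` (L245) and `.I "MYDOMAIN\GProxyUsers"` (L262) are single, so roff reads `\P` and `\G` as escape sequences and drops the backslash, rendering `MYDOMAINProxy-Users` and `MYDOMAINGProxyUsers`; they need doubling (`MYDOMAIN\\GProxyUsers`), which is what the basic_sspi_auth page in this same patch does with `domain\\username` at L26. Third, the paired `.br` lines at L243-L244 and L250-L251 are meant to reproduce the blank lines of the old example, but a second consecutive `.br` outputs nothing because there is no pending partial line to break; use `.sp` for the separator instead.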
by specifying
.B "/path/to/file" .
The previous example will be:
-.if !'po4a'hide' .
-.if !'po4a'hide' acl ProxyUsers external NT_global_group "c:/squid/etc/DomainUsers"
-.if !'po4a'hide' .
+.if !'po4a'hide' .RS
+.if !'po4a'hide' acl ProxyUsers external NT_global_group \"c:/squid/etc/DomainUsers\"
+.if !'po4a'hide' .RE
and the DomainUsers files will contain only the following line:
+.if !'po4a'hide' .RS
"Domain Users"
-.PP NOTE:
+.if !'po4a'hide' .RE
+.
+.PP
+.B NOTE 1:
When running in Active Directory Global mode, for better performance,
all Domain Controllers of the Active Directory forest should be configured
as Global Catalog.
-.PP NOTE:
+.
+.PP
+.B NOTE 2:
When running in local mode, the standard group name comparison is case
sensitive, so group name must be specified with same case as in the
local SAM database.
.B \-c
),
but on some non\-english locales, the results can be unexpected.
-.PP NOTE:
-Native WIN32 NTLM and Basic Helpers must be used without the
+.
+.PP
+.B NOTE 3:
+Native WIN32 NTLM and Basic helpers must be used without the
.B \-A
and
.B \-D
switches.
+.
.PP
-Refer to Squid documentation for the more details on squid.conf.
+Refer to Squid documentation for more details on
+.B squid.conf
.
.SH TESTING
.PP
I strongly recommend that
-.B ext_lm_group_acl
+.B ext_ad_group_acl.exe
is tested prior to being used in a
production environment. It may behave differently on different platforms.
.
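Review bot: L273 breaks the example it rewrites. In roff `\"` starts a comment that runs to the end of the line, so `acl ProxyUsers external NT_global_group \"c:/squid/etc/DomainUsers\"` renders as `acl ProxyUsers external NT_global_group` and the file path, the whole point of the example, disappears. The old line's plain double quotes were correct and need no escaping on a text line (the lm page at L431 keeps them plain); revert to `"c:/squid/etc/DomainUsers"` inside the new `.RS`/`.RE`. Two more items in the same hunk: the context line L275 should say "the DomainUsers file will contain" (singular, as the lm page's equivalent at L435-L438 now does), and at L309-L311 "Refer to Squid documentation for more details on squid.conf" loses its period because the line after `.B squid.conf` is a bare `.`, which is a null request; write `.BR squid.conf .` instead.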
.if !'po4a'hide' .BI \-E certpath
Enable LDAP over SSL (requires Netscape LDAP API libraries)
.
-.TP
+.if !'po4a'hide' .TP
.if !'po4a'hide' .BI "\-f " filter
LDAP search filter used to search the LDAP directory for any
matching group memberships.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI \-v " 2|3"
-LDAP protocol version. Defaults to 3 if not specified.
+LDAP protocol version. Defaults to
+.B 3
+ if not specified.
.
.if !'po4a'hide' .TP
.if !'po4a'hide' .BI \-Z
This helper is intended to be used as an
.B external_acl_type
helper in
-.B squid.conf.
-.if !'po4a'hide' .P
-.if !'po4a'hide' .ft CR
-.if !'po4a'hide' .nf
-.if !'po4a'hide' external_acl_type ldap_group %LOGIN /path/to/ext_ldap_group_acl ...
+.B squid.conf .
+.
+.if !'po4a'hide' .RS
+.if !'po4a'hide' .B external_acl_type ldap_group %LOGIN /path/to/ext_ldap_group_acl ...
.if !'po4a'hide' .br
-.if !'po4a'hide' acl group1 external ldap_group Group1
+.if !'po4a'hide' .B acl group1 external ldap_group Group1
.if !'po4a'hide' .br
-.if !'po4a'hide' acl group2 external ldap_group Group2
-.if !'po4a'hide' .fi
-.if !'po4a'hide' .ft
+.if !'po4a'hide' .B acl group2 external ldap_group Group2
+.if !'po4a'hide' .RE
+.
.PP
.B NOTE:
-When constructing search filters it is recommended to first test the filter
-using
+When constructing search filters it is recommended to first test the filter using
.B ldapsearch
to verify that the filter matches what you expect before you attempt to use
.B ext_ldap_group_acl
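Review bot: L334 begins with a space (` if not specified.`), and in fill mode a leading space forces a line break, so the rendered text becomes "Defaults to 3" on one line and " if not specified." on the next. The intended single sentence is `.BR 3 " if not specified."` or simply `.B 3` followed by `if not specified.` without the leading space. Similarly L346, `.B squid.conf .`, prints "squid.conf ." with a space before the period; the alternating form `.BR squid.conf .` puts the period flush against the word and also removes the misplaced period from the old line, which had `squid.conf.` inside the bold span.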
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-c
Use case insensitive compare.
+.
+.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-d
Write debug info to stderr.
+.
+.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-D domain
Specify the default user's domain.
+.
+.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-G
Start helper in Domain Global Group mode.
+.
+.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-h
Display the binary help and command line syntax info using stderr.
+.
+.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-P
Use ONLY PDCs for group validation.
.
.SH CONFIGURATION
-.
-.if !'po4a'hide' external_acl_type NT_global_group %LOGIN c:/squid/libexec/ext_lm_group_acl.exe -G
-.if !'po4a'hide' external_acl_type NT_local_group %LOGIN c:/squid/libexec/ext_lm_group_acl.exe
-.if !'po4a'hide' .
-.if !'po4a'hide' acl GProxyUsers external NT_global_group GProxyUsers
-.if !'po4a'hide' acl LProxyUsers external NT_local_group LProxyUsers
-.if !'po4a'hide' acl password proxy_auth REQUIRED
-.if !'po4a'hide' .
-.if !'po4a'hide' http_access allow password GProxyUsers
-.if !'po4a'hide' http_access allow password LProxyUsers
-.if !'po4a'hide' http_access deny all
+.if !'po4a'hide' .RS
+.if !'po4a'hide' .B external_acl_type NT_global_group %LOGIN c:/squid/libexec/ext_lm_group_acl.exe -G
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B external_acl_type NT_local_group %LOGIN c:/squid/libexec/ext_lm_group_acl.exe
+.if !'po4a'hide' .br
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B acl GProxyUsers external NT_global_group GProxyUsers
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B acl LProxyUsers external NT_local_group LProxyUsers
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B acl password proxy_auth REQUIRED
+.if !'po4a'hide' .br
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B http_access allow password GProxyUsers
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B http_access allow password LProxyUsers
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B http_access deny all
+.if !'po4a'hide' .RE
.
.PP
In the previous example all validated NT users member of GProxyUsers Global
.B "/path/to/file"
.
The previous example will be:
-.
+.if !'po4a'hide' .RS
.if !'po4a'hide' acl ProxyUsers external NT_global_group "c:/squid/etc/DomainUsers.txt"
+.if !'po4a'hide' .RE
.
-and the
+The
.B DomainUsers.txt
-files will contain only the following line:
+file will contain only the following line:
+.if !'po4a'hide' .RS
.B "Domain Users"
+.if !'po4a'hide' .RE
.
-.PP NOTE:
+.PP
+.B NOTE:
The standard group name comparison is case sensitive, so group name
must be specified with same case as in the NT/2000 Domain.
It's possible to enable case insensitive group name comparison (
.B \-c
), but on some not-english locales, the results can be unexpected.
.
-.PP NOTE:
+.PP
+.B NOTE:
Native WIN32 NTLM and Basic Helpers must be used without the
.B \-A
and
.PP
I strongly recommend that
.B ext_lm_group_acl
-is tested prior to being used in a
-production environment. It may behave differently on different platforms.
+is tested prior to being used in a production environment. It may behave differently on different platforms.
.
.PP
To test it, run it from the command line. Enter username and group
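Review bot: the paired `.br` lines at L408-L409 and L415-L416 do not produce the blank lines the old free-form example had; a second consecutive `.br` is a no-op, so the three groups of directives run together in the rendered example. Use `.sp` between the groups. A question on L440: the old text showed the file line as `"Domain Users"`, quotes included, and the ext_ad_group_acl page in this patch still shows it that way at L277, but `.B "Domain Users"` strips the quotes and renders only `Domain Users`. If the quotes are part of the required file content (the group name contains a space), they need to survive, e.g. `.B \(dqDomain Users\(dq`; if they are not, the ext_ad_group_acl page should drop them too so the two pages agree.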
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-d
Write debug info to stderr.
-.if !'po4a'hide' .B \-f
-Configuration file to load.
+.
+.if !'po4a'hide' .TP
+.if !'po4a'hide' .B \-f file
+Configuration
+.B file
+ to load.
+.
+.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-h
Display the binary help and command line syntax info using stderr.
.
The
.B squid.conf
configuration for the external ACL should be:
-.if !'po4a'hide' .
-.if !'po4a'hide' external_acl_type type-name %SRC %LOGIN /path/to/ext_file_userip_acl -f /path/to/config.file
-.if !'po4a'hide' .
+.if !'po4a'hide' .RS
+.if !'po4a'hide' .B external_acl_type type-name %SRC %LOGIN /path/to/ext_file_userip_acl -f /path/to/config.file
+.if !'po4a'hide' .RE
.PP
If the helper program finds a matching username/ip in the configuration file, it returns
.B OK
.B ERR .
.PP
The configuration file format is as follows:
-.
-ip_addr[/netmask] username|@group|ALL|NONE
+.if !'po4a'hide' .RS
+.if !'po4a'hide' ip_addr[/netmask] username|@group|ALL|NONE
+.if !'po4a'hide' .RE
.PP
Where
.B ip_addr
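Review bot: L474-L477 has the same two problems seen elsewhere in this patch: `.B \-f file` bolds the placeholder as though it were literal (prefer `.BI "\-f " file`), and L477, ` to load.`, starts with a space, which forces a line break in fill mode so "Configuration file" and "to load." land on separate output lines. Since the `.B file` in the middle is only there to emphasise the placeholder, the simplest fix is `Configuration \fIfile\fP to load.` on a single text line, or `.BI "\-f " file` on the tag line and plain `Configuration file to load.` as the body.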
.PP
Configuration example using the default automatic mode
.if !'po4a'hide' .RS
-.if !'po4a'hide' external_acl_type session ttl=300 negative_ttl=0 children=1 concurrency=200 %LOGIN /usr/local/squid/libexec/ext_session_acl
-.if !'po4a'hide' acl session external session
-.if !'po4a'hide' http_access deny !session
-.if !'po4a'hide' deny_info http://your.server.example.com/bannerpage?url=%s session
+.if !'po4a'hide' .B external_acl_type session ttl=300 negative_ttl=0 children=1 concurrency=200 %LOGIN /usr/local/squid/libexec/ext_session_acl
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B acl session external session
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B http_access deny !session
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B deny_info http://your.server.example.com/bannerpage?url=%s session
.if !'po4a'hide' .RE
.PP
-Then set up http://your.server.example.com/bannerpage to display a session startup
-page and then redirect the user back to the requested URL given in the url query parameter.
+Then set up
+.B http://your.server.example.com/bannerpage
+to display a session startup page and then redirect the user back to the requested URL given in the url query parameter.
.
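Review bot: the rewritten instruction at L524-L526 tells the reader to build a banner page that redirects the user "back to the requested URL given in the url query parameter", but says nothing about checking that value. The documentation should add that the banner page must validate the `url` parameter before redirecting (for example, accept only http/https URLs), because a page that 302s to whatever it is handed is an open redirector reachable by anyone who can craft a link to it. This is a documentation gap rather than a change in the helper, so a one-sentence caution after L526 is enough.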
.SH AUTHOR
This program and documentation was written by
.I group2
or
.I group3
+.
.if !'po4a'hide' .RS
-.if !'po4a'hide' .IP external_acl_type unix_group %LOGIN /usr/local/squid/libexec/ext_unix_group_acl -p
-.if !'po4a'hide' .IP acl usergroup1 external unix_group group1
-.if !'po4a'hide' .IP acl usergroup2 external unix_group group2 group3
+.if !'po4a'hide' .B external_acl_type unix_group %LOGIN /usr/local/squid/libexec/ext_unix_group_acl -p
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B acl usergroup1 external unix_group group1
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B acl usergroup2 external unix_group group2 group3
.if !'po4a'hide' .RE
.PP
-By default up to 11 groups can be matched in one acl (including commandline specified
-groups). This limit is defined by
+By default up to 11 groups can be matched in one acl (including commandline specified groups). This limit is defined by
.B MAX_GROUPS
in the source code.
.
.SH KNOWN ISSUES
+.PP
Does not understand GID aliased groups sometimes used to work around groups size
limitations. If you are using GID aliased groups then you must specify each alias
by name.
.
.SH OPTIONS
.if !'po4a'hide' .TP 12
+.if !'po4a'hide' .B \-A
+Specify a Windows Local Group name allowed to authenticate.
+.
+.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-d
Write debug info to stderr.
+.
+.if !'po4a'hide' .TP
+.if !'po4a'hide' .B \-D
+Specify a Windows Local Group name which is to be denied authentication.
+.
+.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-h
Display the binary help and command line syntax info using stderr.
+.
+.if !'po4a'hide' .TP
.if !'po4a'hide' .B \-v
Enables verbose NTLM packet debugging.
-.if !'po4a'hide' .B \-A
-Specify a Windows Local Group name allowed to authenticate.
-.if !'po4a'hide' .B \-D
-Specify a Windows Local Group name which is to be denied authentication.
.
.SH CONFIGURATION
-.PP Allowing Users
+.PP
+.B Allowing Users
.PP
Users that are allowed to access the web proxy must have the Windows NT
User Rights "logon from the network".
grant the privilege, and adding users to it, it works only with MACHINE
Local Groups, not Domain Local Groups.
.PP
-Better group checking is available with External Acl, see mswin_check_group
+Better group checking is available with external ACL, see
+.B ext_ad_group_acl.exe
documentation.
.PP
.B squid.conf
typical minimal required changes:
.if !'po4a'hide' .RS
-.if !'po4a'hide' auth_param ntlm program c:/squid/libexec/mswin_ntlm_auth.exe
-.if !'po4a'hide' auth_param ntlm children 5
-.if !'po4a'hide'
-.if !'po4a'hide' acl password proxy_auth REQUIRED
-.if !'po4a'hide'
-.if !'po4a'hide' http_access allow password
-.if !'po4a'hide' http_access deny all
+.if !'po4a'hide' .B auth_param ntlm program c:/squid/libexec/ntlm_sspi_auth.exe
+.if !'po4a'hide' .B auth_param ntlm children 5
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B acl password proxy_auth REQUIRED
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B http_access allow password
+.if !'po4a'hide' .B http_access deny all
+.if !'po4a'hide' .RE
.
.PP Refer to Squid documentation for more details.
.
.B squid.conf
ACL works around this when placed before the authentication ACL:
.if !'po4a'hide' .RS
-.if !'po4a'hide' acl internal_icons urlpath_regex -i /squid-internal-static/icons/
-.if !'po4a'hide'
-.if !'po4a'hide' http_access allow our_networks internal_icons
+.if !'po4a'hide' .B acl internal_icons urlpath_regex \-i /squid-internal-static/icons/
+.if !'po4a'hide' .br
+.if !'po4a'hide' .B http_access allow our_networks internal_icons
+.if !'po4a'hide' .RE
.
.SH AUTHOR
This program was written by
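Review bot: the squid.conf example at L607-L613 is missing two `.br` lines. Consecutive `.B` lines are joined in fill mode, so `.B auth_param ntlm program c:/squid/libexec/ntlm_sspi_auth.exe` followed directly by `.B auth_param ntlm children 5` renders as one run-on line, and likewise `http_access allow password` and `http_access deny all` at L612-L613 come out as `http_access allow password http_access deny all`, which is not valid squid.conf. Insert `.br` after L607 and after L612, matching L609 and L611. Also, the trailing context line L616, `.PP Refer to Squid documentation for more details.`, has the same defect this hunk fixes at L584-L585: `.PP` ignores its arguments, so the sentence is never rendered; split it into `.PP` and a text line here as well.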
by specifying TCP_RESET.
Or you can specify an error URL or URL pattern. The browsers will
- get redirected (302) to the specified URL after formattgin tags have
+ get redirected (302) to the specified URL after formatting tags have
been replaced.
URL FORMAT TAGS:
iterations (0 to loop until interrupted).
.
.if !'po4a'hide' .TP
-.if !'po4a'hide' .IP "\-h host"
+.if !'po4a'hide' .B "\-h host"
Retrieve URL from cache on hostname. Default is
.B localhost
.
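Review bot: the tag change at L641, `.B "\-h host"`, matches the bold style used for the other option tags in this patch, but it presents `host` as literal text. The convention the ext_ldap_group_acl page adopts for an option with a value is `.BI "\-h " host`, which keeps the switch bold and sets the placeholder in italics; using it here keeps the pages consistent. The typo fix at L634 ("formattgin" to "formatting") is correct.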