.
.SH SYNOPSIS
.if !'po4a'hide' .B ext_kerberos_ldap_group_acl
-.if !'po4a'hide' .B [\-h] [\-d] [\-i] [\-s] [\-a] [\-D Realm ] [\-N Netbios-Realm-List] [\-m Max-Depth] [\-u Ldap-User] [\-p Ldap-Password] [\-b Ldap-Bind-Path] [\-l Ldap-URL] [\-S ldap server list] \-g Group-Realm-List \-t Hex-Group-Realm-List \-T Hex-Group-Hex-Realm-List
+.if !'po4a'hide' .B [\-h] [\-d] [\-i] [\-s] [\-a] [\-D Realm ] [\-N Netbios\-Realm\-List] [\-m Max\-Depth] [\-u Ldap\-User] [\-p Ldap\-Password] [\-b Ldap\-Bind\-Path] [\-l Ldap\-URL] [\-S ldap server list] \-g Group\-Realm\-List \-t Hex\-Group\-Realm\-List \-T Hex\-Group\-Hex\-Realm\-List
.
.SH DESCRIPTION
.B ext_kerberos_ldap_group_acl
Default Kerberos domain to use for usernames which do not contain domain
information (e.g. for users using basic authentication).
.if !'po4a'hide' .TP 12
-.if !'po4a'hide' .B \-N Netbios-Realm-List
+.if !'po4a'hide' .B \-N Netbios\-Realm\-List
A list of Netbios name mappings to Kerberos domain names of the form
-Netbios-Name@Kerberos-Realm[:Netbios-Name@Kerberos-Realm] (e.g. for users
+Netbios\-Name@Kerberos\-Realm[:Netbios\-Name@Kerberos\-Realm] (e.g. for users
using NTLM authentication).
.if !'po4a'hide' .TP 12
-.if !'po4a'hide' .B \-m Max-Depth
+.if !'po4a'hide' .B \-m Max\-Depth
Maximal depth of recursive group search.
.if !'po4a'hide' .TP 12
-.if !'po4a'hide' .B \-u Ldap-User
+.if !'po4a'hide' .B \-u Ldap\-User
Username for LDAP server.
.if !'po4a'hide' .TP 12
-.if !'po4a'hide' .B \-u Ldap-Password
+.if !'po4a'hide' .B \-p Ldap\-Password
Password for LDAP server.
.IP
As the password needs to be printed in plain text in your Squid configuration
configuration file or extracts the password used from a process listing.
.
.if !'po4a'hide' .TP 12
-.if !'po4a'hide' .B \-b Ldap-Bind-Path
+.if !'po4a'hide' .B \-b Ldap\-Bind\-Path
LDAP server bind path.
.if !'po4a'hide' .TP 12
-.if !'po4a'hide' .B \-u Ldap-URL
+.if !'po4a'hide' .B \-l Ldap\-URL
LDAP server URL in form ldap[s]://server:port
.if !'po4a'hide' .TP 12
.if !'po4a'hide' .B \-S ldap server list
list of ldap servers of the form
lserver|lserver@|lserver@Realm[:lserver@|lserver@Realm]
.if !'po4a'hide' .TP 12
-.if !'po4a'hide' .B \-g Group-Realm-List
+.if !'po4a'hide' .B \-g Group\-Realm\-List
A list of group name per Kerberos domain of the form
Group|Group@|Group@Realm[:Group@|Group@Realm]
.if !'po4a'hide' .TP 12
-.if !'po4a'hide' .B \-t Hex-Group-Realm-List
+.if !'po4a'hide' .B \-t Hex\-Group\-Realm\-List
A list of group name per Kerberos domain of the
form Group|Group@|Group@Realm[:Group@|Group@Realm] where group is in
-UTF-8 hex format
+UTF\-8 hex format
.if !'po4a'hide' .TP 12
-.if !'po4a'hide' .B \-T Hex-Group-Hex-Realm-List
+.if !'po4a'hide' .B \-T Hex\-Group\-Hex\-Realm\-List
A list of group name per Kerberos domain of the form
Group|Group@|Group@Realm[:Group@|Group@Realm] where group and domain
-is in UTF-8 hex format
+is in UTF\-8 hex format
.
.SH CONFIGURATION
.PP
.if !'po4a'hide' .P
.if !'po4a'hide' .ft CR
.if !'po4a'hide' .nf
-.if !'po4a'hide' external_acl_type kerberos_ldap_group1 ttl=3600 negative_ttl=3600 %LOGIN /path/to/ext_kerberos_ldap_group_acl -g GROUP1
+.if !'po4a'hide' external_acl_type kerberos_ldap_group1 ttl=3600 negative_ttl=3600 %LOGIN /path/to/ext_kerberos_ldap_group_acl \-g GROUP1
.if !'po4a'hide' .br
-.if !'po4a'hide' external_acl_type kerberos_ldap_group2 ttl=3600 negative_ttl=3600 %LOGIN /path/to/ext_kerberos_ldap_group_acl -g GROUP2
+.if !'po4a'hide' external_acl_type kerberos_ldap_group2 ttl=3600 negative_ttl=3600 %LOGIN /path/to/ext_kerberos_ldap_group_acl \-g GROUP2
.if !'po4a'hide' .br
.if !'po4a'hide' acl group1 external kerberos_ldap_group1
.if !'po4a'hide' .br
.if !'po4a'hide' .P
.if !'po4a'hide' .ft CR
.if !'po4a'hide' .nf
-.if !'po4a'hide' KRB5_CONFIG=/etc/krb5-squid.conf
+.if !'po4a'hide' KRB5_CONFIG=/etc/krb5\-squid.conf
.if !'po4a'hide' export KRB5_CONFIG
.if !'po4a'hide' .fi
.if !'po4a'hide' .ft
c) Use LDAP_URL if given
2) For user
- a) Use domain -D REALM and follow step 1)
+ a) Use domain \-D REALM and follow step 1)
b) Use LDAP_URL if given
The Groups to check against are determined as follows:
1) For user@REALM
- a) Use values given by -g option which contain a @REALM e.g. -g GROUP1@REALM:GROUP2@REALM
- b) Use values given by -g option which contain a @ only e.g. -g GROUP1@:GROUP2@
- c) Use values given by -g option which do not contain a realm e.g. -g GROUP1:GROUP2
+ a) Use values given by \-g option which contain a @REALM e.g. \-g GROUP1@REALM:GROUP2@REALM
+ b) Use values given by \-g option which contain a @ only e.g. \-g GROUP1@:GROUP2@
+ c) Use values given by \-g option which do not contain a realm e.g. \-g GROUP1:GROUP2
2) For user
- a) Use values given by -g option which do not contain a realm e.g. -g GROUP1:GROUP2
+ a) Use values given by \-g option which do not contain a realm e.g. \-g GROUP1:GROUP2
3) For NDOMAIN\\user
- a) Use realm given by -N NDOMAIN@REALM and then use values given by -g option which contain a @REALM e.g. -g GROUP1@REALM:GROUP2@REALM
+ a) Use realm given by \-N NDOMAIN@REALM and then use values given by \-g option which contain a @REALM e.g. \-g GROUP1@REALM:GROUP2@REALM
-To support Non-ASCII character use -t GROUP or -t GROUP@REALM instead of -g where GROUP is the hex UTF-8 representation e.g.
+To support Non\-ASCII character use \-t GROUP or \-t GROUP@REALM instead of \-g where GROUP is the hex UTF\-8 representation e.g.
- -t 6d61726b7573 instead of -g markus
+ \-t 6d61726b7573 instead of \-g markus
-The REALM must still be based on the ASCII character set. If REALM contains also non ASCII characters use -T GROUP@REALM where GROUP and REALM are hex UTF-8 representation e.g.
+The REALM must still be based on the ASCII character set. If REALM contains also non ASCII characters use \-T GROUP@REALM where GROUP and REALM are hex UTF\-8 representation e.g.
- -T 6d61726b7573@57494e3230303352322e484f4d45 instead of -g markus@WIN2003R2.HOME
+ \-T 6d61726b7573@57494e3230303352322e484f4d45 instead of \-g markus@WIN2003R2.HOME
-For a translation of hex UTF-8 see for example http://www.utf8-chartable.de/unicode-utf8-table.pl
+For a translation of hex UTF\-8 see for example http://www.utf8\-chartable.de/unicode\-utf8\-table.pl
The ldap server list can be:
-server - In this case server can be used for all Kerberos domains
-server@ - In this case server can be used for all Kerberos domains
-server@domain - In this case server can be used for Kerberos domain domain
-server1a@domain1:server1b@domain1:server2@domain2:server3@:server4 - A list is build with a colon as seperator
+server \- In this case server can be used for all Kerberos domains
+server@ \- In this case server can be used for all Kerberos domains
+server@domain \- In this case server can be used for Kerberos domain domain
+server1a@domain1:server1b@domain1:server2@domain2:server3@:server4 \- A list is build with a colon as seperator
.
.SH AUTHOR
.
.SH COPYRIGHT
.PP
- * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
+ * Copyright (C) 1996\-2015 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
.SH QUESTIONS
Questions on the usage of this program can be sent to the
.I Squid Users mailing list
-.if !'po4a'hide' <squid-users@squid-cache.org>
+.if !'po4a'hide' <squid\-users@squid\-cache.org>
.
.SH REPORTING BUGS
Bug reports need to be made in English.
-See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
+See http://wiki.squid\-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
.PP
-Report bugs or bug fixes using http://bugs.squid-cache.org/
+Report bugs or bug fixes using http://bugs.squid\-cache.org/
.PP
Report serious security bugs to
-.I Squid Bugs <squid-bugs@squid-cache.org>
+.I Squid Bugs <squid\-bugs@squid\-cache.org>
.PP
Report ideas for new improvements to the
.I Squid Developers mailing list
-.if !'po4a'hide' <squid-dev@squid-cache.org>
+.if !'po4a'hide' <squid\-dev@squid\-cache.org>
.
.SH SEE ALSO
.if !'po4a'hide' .BR squid "(8) "
.if !'po4a'hide' .BR negotiate_kerberos_auth "(8) "
.br
-.BR RFC1035 " - Domain names - implementation and specification,"
+.BR RFC1035 " \- Domain names \- implementation and specification,"
.br
-.BR RFC2782 " - A DNS RR for specifying the location of services (DNS SRV),"
+.BR RFC2782 " \- A DNS RR for specifying the location of services (DNS SRV),"
.br
-.BR RFC2254 " - The String Representation of LDAP Search Filters,"
+.BR RFC2254 " \- The String Representation of LDAP Search Filters,"
.br
-.BR RFC2307bis " - An Approach for Using LDAP as a Network Information Service
+.BR RFC2307bis " \- An Approach for Using LDAP as a Network Information Service
http://www.padl.com/~lukeh/rfc2307bis.txt,"
.br
The Squid FAQ wiki
-.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq
+.if !'po4a'hide' http://wiki.squid\-cache.org/SquidFaq
.br
The Squid Configuration Manual
-.if !'po4a'hide' http://www.squid-cache.org/Doc/config/
+.if !'po4a'hide' http://www.squid\-cache.org/Doc/config/
}
krb5_free_context(kparam.context);
}
+
+static void
+k5_error2(const char* msg, char* msg2, krb5_error_code code)
+{
+ const char *errmsg;
+ errmsg = krb5_get_error_message(kparam.context, code);
+ error((char *) "%s| %s: ERROR: %s%s : %s\n", LogTime(), PROGRAM, msg, msg2, errmsg);
+#if HAVE_KRB5_FREE_ERROR_MESSAGE
+ krb5_free_error_message(kparam.context, errmsg);
+#elif HAVE_KRB5_FREE_ERROR_STRING
+ krb5_free_error_string(kparam.context, (char *)errmsg);
+#else
+ xfree(errmsg);
+#endif
+}
+
+static void
+k5_error(const char* msg, krb5_error_code code)
+{
+ k5_error2(msg, (char *)"", code);
+}
+
/*
* create Kerberos memory cache
*/
}
code = krb5_cc_resolve(kparam.context, mem_cache, &kparam.cc[ccindex]);
if (code) {
- error((char *) "%s| %s: ERROR: Error while resolving memory ccache : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while resolving memory ccache",code);
retval = 1;
goto cleanup;
}
if (principal)
krb5_free_principal(kparam.context, principal);
principal = NULL;
- debug((char *) "%s| %s: DEBUG: No default principal found in ccache : %s\n", LogTime(), PROGRAM, error_message(code));
-
+ k5_error("No default principal found in ccache",code);
} else {
/*
* Look for krbtgt and check if it is expired (or soon to be expired)
*/
code = krb5_cc_start_seq_get(kparam.context, kparam.cc[ccindex], &ccursor);
if (code) {
- error((char *) "%s| %s: ERROR: Error while starting ccache scan : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while starting ccache scan",code);
code = krb5_cc_close (kparam.context, kparam.cc[ccindex]);
if (code) {
- error((char *) "%s| %s: ERROR: while closing ccache : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while closing ccache",code);
}
if (kparam.cc[ccindex]) {
code = krb5_cc_destroy(kparam.context, kparam.cc[ccindex]);
if (code) {
- error((char *) "%s| %s: ERROR: while destroying ccache : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while destroying ccache",code);
}
}
} else {
while ((krb5_cc_next_cred(kparam.context, kparam.cc[ccindex], &ccursor, creds)) == 0) {
code2 = krb5_unparse_name(kparam.context, creds->server, &principal_name);
if (code2) {
- error((char *) "%s| %s: ERROR: Error while unparsing principal : %s\n", LogTime(), PROGRAM, error_message(code2));
+ k5_error("Error while unparsing principal",code2);
code = krb5_cc_destroy(kparam.context, kparam.cc[ccindex]);
if (code) {
- error((char *) "%s| %s: ERROR: while destroying ccache : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while destroying ccache",code);
}
if (creds)
krb5_free_creds(kparam.context, creds);
debug((char *) "%s| %s: DEBUG: Reset credential cache to %s\n", LogTime(), PROGRAM, mem_cache);
code = krb5_cc_resolve(kparam.context, mem_cache, &kparam.cc[ccindex]);
if (code) {
- error((char *) "%s| %s: ERROR: Error while resolving memory ccache : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while resolving memory ccache",code);
retval = 1;
goto cleanup;
}
principal = NULL;
code = krb5_cc_destroy(kparam.context, kparam.cc[ccindex]);
if (code) {
- error((char *) "%s| %s: ERROR: while destroying ccache : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while destroying ccache",code);
}
if (creds)
krb5_free_creds(kparam.context, creds);
debug((char *) "%s| %s: DEBUG: Reset credential cache to %s\n", LogTime(), PROGRAM, mem_cache);
code = krb5_cc_resolve(kparam.context, mem_cache, &kparam.cc[ccindex]);
if (code) {
- error((char *) "%s| %s: ERROR: Error while resolving memory ccache : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while resolving ccache",code);
retval = 1;
goto cleanup;
}
creds = NULL;
code2 = krb5_cc_end_seq_get(kparam.context, kparam.cc[ccindex], &ccursor);
if (code2) {
- error((char *) "%s| %s: ERROR: Error while ending ccache scan : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while ending ccache scan",code2);
retval = 1;
goto cleanup;
}
code = krb5_kt_resolve(kparam.context, keytab_name, &keytab);
if (code) {
- error((char *) "%s| %s: ERROR: Error while resolving keytab %s : %s\n", LogTime(), PROGRAM, keytab_name, error_message(code));
+ k5_error2("Error while resolving keytab ",keytab_name,code);
retval = 1;
goto cleanup;
}
code = krb5_kt_start_seq_get(kparam.context, keytab, &cursor);
if (code) {
- error((char *) "%s| %s: ERROR: Error while starting keytab scan : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while starting keytab scan",code);
retval = 1;
goto cleanup;
}
{
code = krb5_unparse_name(kparam.context, entry.principal, &principal_name);
if (code) {
- error((char *) "%s| %s: ERROR: Error while unparsing principal name : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while unparsing principal name",code);
} else {
debug((char *) "%s| %s: DEBUG: Found principal name: %s\n", LogTime(), PROGRAM, principal_name);
found = 1;
code = krb5_free_keytab_entry_contents(kparam.context, &entry);
#endif
if (code) {
- error((char *) "%s| %s: ERROR: Error while freeing keytab entry : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while freeing keytab entry",code);
retval = 1;
break;
}
*/
code = krb5_parse_name(kparam.context, principal_name, &principal);
if (code) {
- error((char *) "%s| %s: ERROR: Error while parsing name %s : %s\n", LogTime(), PROGRAM, principal_name, error_message(code));
+ k5_error2("Error while parsing name ", principal_name,code);
safe_free(principal_name);
if (principal)
krb5_free_principal(kparam.context, principal);
#endif
if (code) {
- error((char *) "%s| %s: ERROR: Error while initialising credentials from keytab : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while initialising credentials from keytab" ,code);
safe_free(principal_name);
if (principal)
krb5_free_principal(kparam.context, principal);
}
code = krb5_cc_initialize(kparam.context, kparam.cc[ccindex], principal);
if (code) {
- error((char *) "%s| %s: ERROR: Error while initializing memory caches : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while initialising memory caches" ,code);
safe_free(principal_name);
if (principal)
krb5_free_principal(kparam.context, principal);
}
code = krb5_cc_store_cred(kparam.context, kparam.cc[ccindex], creds);
if (code) {
- error((char *) "%s| %s: ERROR: Error while storing credentials : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while storing credentials" ,code);
if (principal)
krb5_free_principal(kparam.context, principal);
safe_free(principal_name);
}
if (code && code != KRB5_KT_END) {
- error((char *) "%s| %s: ERROR: Error while scanning keytab : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while scanning keytab" ,code);
retval = 1;
goto cleanup;
}
code = krb5_kt_end_seq_get(kparam.context, keytab, &cursor);
if (code) {
- error((char *) "%s| %s: ERROR: Error while ending keytab scan : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while ending keytab scan" ,code);
retval = 1;
goto cleanup;
}
*/
code = krb5_unparse_name(kparam.context, principal_list[i], &principal_name);
if (code) {
- debug((char *) "%s| %s: DEBUG: Error while unparsing principal name : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while unparsing principal name" ,code);
goto loop_end;
}
debug((char *) "%s| %s: DEBUG: Keytab entry has principal: %s\n", LogTime(), PROGRAM, principal_name);
code = krb5_get_in_tkt_with_keytab(kparam.context, 0, NULL, NULL, NULL, keytab, NULL, creds, 0);
#endif
if (code) {
- debug((char *) "%s| %s: DEBUG: Error while initialising credentials from keytab : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while initialising credentials from keytab" ,code);
goto loop_end;
}
code = krb5_cc_initialize(kparam.context, kparam.cc[ccindex], principal_list[i]);
if (code) {
- error((char *) "%s| %s: ERROR: Error while initializing memory caches : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while initialising memory caches" ,code);
goto loop_end;
}
code = krb5_cc_store_cred(kparam.context, kparam.cc[ccindex], creds);
if (code) {
- debug((char *) "%s| %s: DEBUG: Error while storing credentials : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while storing credentials" ,code);
goto loop_end;
}
if (creds->server)
code = krb5_parse_name(kparam.context, service, &creds->server);
xfree(service);
if (code) {
- error((char *) "%s| %s: ERROR: Error while initialising TGT credentials : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while initialising TGT credentials" ,code);
goto loop_end;
}
code = krb5_get_credentials(kparam.context, 0, kparam.cc[ccindex], creds, &tgt_creds);
if (code) {
- debug((char *) "%s| %s: DEBUG: Error while getting tgt : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while getting tgt" ,code);
goto loop_end;
} else {
debug((char *) "%s| %s: DEBUG: Found trusted principal name: %s\n", LogTime(), PROGRAM, principal_name);
*/
code = krb5_unparse_name(kparam.context, principal, &principal_name);
if (code) {
- debug((char *) "%s| %s: DEBUG: Error while unparsing principal name : %s\n", LogTime(), PROGRAM, error_message(code));
+ k5_error("Error while unparsing principal name" ,code);
retval = 1;
goto cleanup;
}
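Review bot: The new helper `k5_error2` declares its second message as `char *msg2`, which is why `k5_error` has to pass `(char *)""` and callers must hand over writable strings even though the value is only forwarded to `error()`; declare it `static void k5_error2(const char *msg, const char *msg2, krb5_error_code code)` and call `k5_error2(msg, "", code);` from `k5_error`. In the same helper `errmsg` is passed straight to a `%s` conversion with no null check; if `krb5_get_error_message` can return NULL on allocation failure for the Kerberos library this is built against (worth verifying for the non-MIT branches of the `#if`), `errmsg ? errmsg : "(unknown)"` would avoid handing a null pointer to the format. Several replaced `debug()` calls are now logged at ERROR level through `k5_error` — the "No default principal found in ccache" message and the per-principal failures that `goto loop_end` — so outcomes the old code treated as expected will now show up as errors in the log; if that is intended it deserves a comment on the helper, otherwise a `k5_debug` counterpart using `debug()` would keep the levels as they were. The `krb5_cc_resolve` failure near the end of the ccache scan also drops the word "memory" ("Error while resolving ccache") while the two identical calls above keep "Error while resolving memory ccache". The enclosing functions of every hunk after the `k5_error` definition start outside the diff.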