--- /dev/null
+Version 2.12
+
+2003-03-01 Juerg Michel
+
+ Added support for ldap URI via the -H option
+
+Version 2.11
+
+2003-01-31 Henrik Nordstrom <hno@marasystems.com>
+
+ Packaged as a distribution, with Makefile, README
+ and INSTALL
+
+ Corrected the squid.conf examples in the manpage and
+ some spelling in the same
+
+ Separated the changelog/history to a separate
+ ChangeLog file (this file)
+
+2003-01-27 Henrik Nordstrom <hno@marasystems.com>
+
+ Cleaned up error messages shown when a nonexisting
+ user tries to log in
+
+Version 2.10
+
+2003-01-07 Jon Kinred
+
+ Fixed user search mode (-F/-u) when -g is not used
+
+Version 2.9
+
+2003-01-03 Henrik Nordstrom <hno@marasystems.com>
+
+ Fixed missing string termination on ldap_escape_vale,
+ and corrected build problem with LDAPv2 libraries
+
+Version 2.8
+
+2002-11-27 Henrik Nordstrom <hno@marasystems.com>
+
+ Replacement for ldap_build_filter. Also changed
+ the % codes to %u (user) and %g (group) which
+ is a bit more intuitive.
+
+2002-11-21 Gerard Eviston
+
+ Fix ldap_search_s error management. This fixes
+ a core dump if there is a LDAP search filter
+ syntax error (possibly caused by malformed input).
+
+Version 2.7
+
+2002-10-22: Henrik Nordstrom <hno@marasystems.com>
+
+ strwordtok bugfix
+
+Version 2.6
+
+2002-09-21: Gerard Eviston
+
+ -S option to strip NT domain names from
+ login names
+
+Version 2.5
+
+2002-09-09: Henrik Nordstrom <hno@marasystems.com>
+
+ Added support for user DN lookups
+ (-u -B -F options)
+
+Version 2.4
+
+2002-09-06: Henrik Nordstrom <hno@marasystems.com>
+
+ Many bugfixes in connection management
+
+ -g option added, and added support
+ for multiple groups. Prior versions
+ only supported one group and an optional
+ group base RDN
+
+Version 2.3
+
+2002-09-04: Henrik Nordstrom <hno@marasystems.com>
+
+ Minor cleanups
+
+Version 2.2
+
+2002-09-04: Henrik Nordstrom <hno@marasystems.com>
+
+ Merged changes from squid_ldap_auth.c
+ - TLS support (Michael Cunningham)
+ - -p option to specify port
+
+ Documented the % codes to use in -f
+
+Version 2.1
+
+2002-08-21: Henrik Nordstrom <hno@marasystems.com>
+
+ Support groups or usernames having spaces
+
+Version 2.0
+
+2002-01-22: Henrik Nordstrom <hno@marasystems.com>
+
+ Added optional third query argument for search RDN
+
+2002-01-22: Henrik Nordstrom <hno@marasystems.com>
+
+ Removed unused options, and fully changed name
+ to squid_ldap_match.
+
+Version 1.0
+
+2001-07-17: Flavio Pescuma <flavio@marasystems.com>
+
+ Using the main function from squid_ldap_auth
+ wrote squid_ldap_match. This program replaces
+ the %a and %v (ldapfilter.conf) from the filter
+ template supplied with -f with the two arguments
+ sent by squid. Returns OK if the ldap_search
+ using the composed filter succeeds.
+
+Changes from squid_ldap_auth.c:
+
+2001-12-12: Michael Cunningham <m.cunningham@xpedite.com>
+
+ - Added TLS support and partial ldap version 3 support.
+
+2001-09-05: Henrik Nordstrom <hno@squid-cache.org>
+
+ - Added ability to specify another default LDAP port to
+ connect to. Persistent connections moved to -P
+
+2001-05-02: Henrik Nordstrom <hno@squid-cache.org>
+
+ - Support newer OpenLDAP 2.x libraries using the
+ revised Internet Draft API which unfortunately
+ is not backwards compatible with RFC1823..
+
+2001-04-15: Henrik Nordstrom <hno@squid-cache.org>
+
+ - Added command line option for basedn
+
+ - Added the ability to search for the user DN
+
+2001-04-16: Henrik Nordstrom <hno@squid-cache.org>
+
+ - Added -D binddn -w bindpasswd.
+
+2001-04-17: Henrik Nordstrom <hno@squid-cache.org>
+
+ - Added -R to disable referrals
+
+ - Added -a to control alias dereferencing
+
+2001-04-17: Henrik Nordstrom <hno@squid-cache.org>
+
+ - Added -u, DN username attribute name
+
+2001-04-18: Henrik Nordstrom <hno@squid-cache.org>
+
+ - Allow full filter specifications in -f
+
+-- END --
-.TH squid_ldap_group 8 "7 September 2002" "Squid LDAP Match"
+.TH squid_ldap_group 8 "1 Mars 2003" "Squid LDAP Match"
.
.SH NAME
squid_ldap_group - Squid LDAP external acl group helper
.
.SH SYNOPSIS
-squid_ldap_group -b "base DN" -f "LDAP search filter" [options] [ldap_server_name[:port]...]
+squid_ldap_group -b "base DN" -f "LDAP search filter" [options] [ldap_server_name[:port]...|URI]
.
.SH DESCRIPTION
This helper allows Squid to connect to a LDAP directory to
authorize users via LDAP groups.
.P
The program operates by searching with a search filter based
-on the users login name and requested group, and if a match
+on the users user name and requested group, and if a match
is found it is determined that the user belongs to the group.
.
.TP
.TP
.B "-g"
Specifies that the first query argument sent to the helper by Squid is
-a extension to the basedn and will be temporarily added infront of the
+a extension to the basedn and will be temporarily added in front of the
global basedn for this query.
.
.TP
LDAP search filter used to search the LDAP directory for any
matching group memberships.
.BR
-In the filter %u will be replaced by the user login name (or DN if
+In the filter %u will be replaced by the user name (or DN if
the -F or -u options are used) and %g by the requested group name.
.
.TP
LDAP search filter used to search the LDAP directory for any
matching users.
.BR
-In the filter %s will be replaced by the user login name. If % is to be
+In the filter %s will be replaced by the user name. If % is to be
included literally in the filter then use %%.
.
.TP
.BI "-u " attr
-LDAP attribute used to construct the user DN from the login name and
-base dn.
+LDAP attribute used to construct the user DN from the user name and
+base dn without needing to search for the user.
.
.TP
.BI "-s " base|one|sub
.TP
.BI -P
Use a persistent LDAP connection. Normally the LDAP connection
-is only open while validating a username to preserve resources
-at the LDAP server. This option causes the LDAP connection to
+is only open while verifying a users group membership to preserve
+resources at the LDAP server. This option causes the LDAP connection to
be kept open, allowing it to be reused for further user
validations. Recommended for larger installations.
.
the base object
.
.TP
+.BI -H " ldapuri"
+Specity the LDAP server to connect to by a LDAP URI
+.
+.TP
.BI -h " ldapserver"
Specify the LDAP server to connect to
.TP
.
.TP
.BI -S
-Strip NT domain name component from usernames (/ or \\ separated)
+Strip NT domain name component from user names (/ or \\ separated)
.
.SH SQUID CONFIGURATION
.
.nf
external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ...
.br
-acl group1 ldap_group Group1
+acl group1 external ldap_group Group1
.br
-acl group2 ldap_gorup Group2
+acl group2 external ldap_group Group2
.fi
.ft
.
.SH NOTES
.
-When constructing search filters it is strongly recommended to test the filter
+When constructing search filters it is recommended to first test the filter
using ldapsearch before you attempt to use squid_ldap_group. This to verify
that the filter matches what you expect.
.
.I Glen Newton <glen.newton@nrc.ca>
.
.SH KNOWN LIMITATIONS
-Max 16 occurances of %s in the -u argument is supported.
+Max 16 occurrences of %s in the -u argument is supported.
.
.SH QUESTIONS
Any questions on usage can be sent to
* Henrik Nordstrom <hno@marasystems.com>
* MARA Systems AB, Sweden <http://www.marasystems.com>
*
- * With contributions from others mentioned in the change histor section
- * below.
+ * With contributions from others mentioned in the ChangeLog file
*
* In part based on squid_ldap_auth by Glen Newton and Henrik Nordstrom.
*
* and/or modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2,
* or (at your option) any later version.
- *
- * History:
- *
- * Version 2.9
- * 2003-01-03 Henrik Nordstrom <hno@marasystems.com>
- * Fixed missing string termination on ldap_escape_vale,
- * and corrected build problem with LDAPv2 libraries
- * Version 2.8
- * 2002-11-27 Henrik Nordstrom <hno@marasystems.com>
- * Replacement for ldap_build_filter. Also changed
- * the % codes to %u (user) and %g (group) which
- * is a bit more intuitive.
- * 2002-11-21 Gerard Eviston
- * Fix ldap_search_s error management. This fixes
- * a core dump if there is a LDAP search filter
- * syntax error (possibly caused by malformed input).
- * Version 2.7
- * 2002-10-22: Henrik Nordstrom <hno@marasystems.com>
- * strwordtok bugfix
- * Version 2.6
- * 2002-09-21: Gerard Eviston
- * -S option to strip NT domain names from
- * login names
- * Version 2.5
- * 2002-09-09: Henrik Nordstrom <hno@marasystems.com>
- * Added support for user DN lookups
- * (-u -B -F options)
- * Version 2.4
- * 2002-09-06: Henrik Nordstrom <hno@marasystems.com>
- * Many bugfixes in connection management
- * -g option added, and added support
- * for multiple groups. Prior versions
- * only supported one group and an optional
- * group base RDN
- * Version 2.3
- * 2002-09-04: Henrik Nordstrom <hno@marasystems.com>
- * Minor cleanups
- * Version 2.2
- * 2002-09-04: Henrik Nordstrom <hno@marasystems.com>
- * Merged changes from squid_ldap_auth.c
- * - TLS support (Michael Cunningham)
- * - -p option to specify port
- * Documented the % codes to use in -f
- * Version 2.1
- * 2002-08-21: Henrik Nordstrom <hno@marasystems.com>
- * Support groups or usernames having spaces
- * Version 2.0
- * 2002-01-22: Henrik Nordstrom <hno@marasystems.com>
- * Added optional third query argument for search RDN
- * 2002-01-22: Henrik Nordstrom <hno@marasystems.com>
- * Removed unused options, and fully changed name
- * to squid_ldap_group.
- * Version 1.0
- * 2001-07-17: Flavio Pescuma <flavio@marasystems.com>
- * Using the main function from squid_ldap_auth
- * wrote squid_ldap_group. This program replaces
- * the %a and %v (ldapfilter.conf) from the filter
- * template supplied with -f with the two arguments
- * sent by squid. Returns OK if the ldap_search
- * using the composed filter succeeds.
- *
- * Changes from squid_ldap_auth.c:
- *
- * 2001-12-12: Michael Cunningham <m.cunningham@xpedite.com>
- * - Added TLS support and partial ldap version 3 support.
- * 2001-09-05: Henrik Nordstrom <hno@squid-cache.org>
- * - Added ability to specify another default LDAP port to
- * connect to. Persistent connections moved to -P
- * 2001-05-02: Henrik Nordstrom <hno@squid-cache.org>
- * - Support newer OpenLDAP 2.x libraries using the
- * revised Internet Draft API which unfortunately
- * is not backwards compatible with RFC1823..
- * 2001-04-15: Henrik Nordstrom <hno@squid-cache.org>
- * - Added command line option for basedn
- * - Added the ability to search for the user DN
- * 2001-04-16: Henrik Nordstrom <hno@squid-cache.org>
- * - Added -D binddn -w bindpasswd.
- * 2001-04-17: Henrik Nordstrom <hno@squid-cache.org>
- * - Added -R to disable referrals
- * - Added -a to control alias dereferencing
- * 2001-04-17: Henrik Nordstrom <hno@squid-cache.org>
- * - Added -u, DN username attribute name
- * 2001-04-18: Henrik Nordstrom <hno@squid-cache.org>
- * - Allow full filter specifications in -f
*/
#include <stdio.h>
}
#endif
+#ifdef LDAP_API_FEATURE_X_OPENLDAP
+ #if LDAP_VENDOR_VERSION > 194
+ #define HAS_URI_SUPPORT 1
+ #endif
+#endif
+
static char *
strwordtok(char *buf, char **t)
{
argv++;
argc--;
switch (option) {
+ case 'H':
+#if !HAS_URI_SUPPORT
+ fprintf(stderr, "ERROR: Your LDAP library does not have URI support\n");
+ exit(1);
+#endif
+ /* Fall thru to -h */
case 'h':
if (ldapServer) {
int len = strlen(ldapServer) + 1 + strlen(value) + 1;
ldapServer = strdup(value);
}
break;
-
case 'b':
basedn = value;
break;
fprintf(stderr, "\t-s base|one|sub\t\tsearch scope\n");
fprintf(stderr, "\t-D binddn\t\tDN to bind as to perform searches\n");
fprintf(stderr, "\t-w bindpasswd\t\tpassword for binddn\n");
+#if HAS_URI_SUPPORT
+ fprintf(stderr, "\t-H URI\t\t\tLDAPURI (defaults to ldap://localhost)\n");
+#endif
fprintf(stderr, "\t-h server\t\tLDAP server (defaults to localhost)\n");
fprintf(stderr, "\t-p port\t\t\tLDAP server port (defaults to %d)\n", LDAP_PORT);
fprintf(stderr, "\t-P\t\t\tpersistent LDAP connection\n");
fprintf(stderr, "\t-R\t\t\tdo not follow referrals\n");
fprintf(stderr, "\t-a never|always|search|find\n\t\t\t\twhen to dereference aliases\n");
- fprintf(stderr, "\t-v 1|2\t\t\tLDAP version\n");
+#ifdef LDAP_VERSION3
+ fprintf(stderr, "\t-v 2|3\t\t\tLDAP version\n");
fprintf(stderr, "\t-Z\t\t\tTLS encrypt the LDAP connection, requires\n\t\t\t\tLDAP version 3\n");
+#endif
fprintf(stderr, "\t-g\t\t\tfirst query parameter is base DN extension\n\t\t\t\tfor this query\n");
fprintf(stderr, "\t-S\t\t\tStrip NT domain from usernames\n");
fprintf(stderr, "\n");
recover:
if (ld == NULL) {
+#if HAS_URI_SUPPORT
+ if (strstr(ldapServer, "://") != NULL) {
+ rc = ldap_initialize( &ld, ldapServer );
+ if( rc != LDAP_SUCCESS ) {
+ fprintf(stderr, "\nUnable to connect to LDAPURI:%s\n", ldapServer);
+ break;
+ }
+ } else
+#endif
if ((ld = ldap_init(ldapServer, port)) == NULL) {
- fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n",
- ldapServer, port);
+ fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n",ldapServer, port);
break;
}
+
#ifdef LDAP_VERSION3
if (version == -1) {
version = LDAP_VERSION2;
}
if (debug)
- fprintf(stderr, "filter %s\n", filter);
+ fprintf(stderr, "group filter '%s', searchbase '%s'\n", filter, searchbase);
rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 1, &res);
if (rc != LDAP_SUCCESS) {
char *userdn;
if (extension_dn && *extension_dn)
snprintf(searchbase, sizeof(searchbase), "%s,%s", extension_dn, userbasedn ? userbasedn : basedn);
+ else
+ snprintf(searchbase, sizeof(searchbase), "%s", userbasedn ? userbasedn : basedn);
ldap_escape_value(escaped_login, sizeof(escaped_login), login);
snprintf(filter, sizeof(filter), usersearchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login);
if (debug)
- fprintf(stderr, "user filter %s\n", filter);
+ fprintf(stderr, "user filter '%s', searchbase '%s'\n", filter, searchbase);
rc = ldap_search_s(ld, searchbase, searchscope, filter, NULL, 1, &res);
if (rc != LDAP_SUCCESS) {
if (noreferrals && rc == LDAP_PARTIAL_RESULTS) {
}
entry = ldap_first_entry(ld, res);
if (!entry) {
- fprintf(stderr, PROGRAM_NAME " WARNING, User '%s' not found\n", filter);
+ fprintf(stderr, PROGRAM_NAME " WARNING, User '%s' not found in '%s'\n", login, searchbase);
ldap_msgfree(res);
return 1;
}
projects / thirdparty / squid.git / commitdiff
