Provided by: squid3_3.1.19-1ubuntu2_amd64 bug


       squid_ldap_group - Squid LDAP external acl group helper


       squid_ldap_group     -b     "base     DN"    -f    "LDAP    search    filter"    [options]


       This helper allows Squid to connect to a  LDAP  directory  to  authorize  users  via  LDAP
       groups.   LDAP  options  are  specified  as  parameters  on  the  command  line, while the
       username(s) and group(s) to be  checked  against  the  LDAP  directory  are  specified  on
       subsequent  lines  of input to the helper, one username/group pair per line separated by a

       As expected by the external_acl construct of Squid, after specifying a username and  group
       followed by a new line, this helper will produce either OK or ERR on the following line to
       show if the user is a member of the specified group.

       The program operates by searching with a search filter based on the users  user  name  and
       requested  group,  and  if  a match is found it is determined that the user belongs to the

       -b basedn (REQUIRED)
              Specifies the base DN under which the groups are located.

       -B basedn
              Specifies the base DN under which the users are located (if different)

       -g     Specifies that the first query argument sent to the helper by Squid is a  extension
              to  the basedn and will be temporarily added in front of the global basedn for this

       -f filter
              LDAP search filter used to  search  the  LDAP  directory  for  any  matching  group
              memberships.    In the filter %u will be replaced by the user name (or DN if the -F
              or -u options are used) and %g by the requested group name.

       -F filter
              LDAP search filter used to search the LDAP directory for any matching users.     In
              the  filter  %s will be replaced by the user name. If % is to be included literally
              in the filter then use %%.

       -u attr
              LDAP attribute used to construct the user DN from the user name and base dn without
              needing to search for the user.

       -s base|one|sub
              search scope. Defaults to 'sub'.

              base object only, one level below the base object or subtree below the base object

       -D binddn -w password
              The DN and password to bind as while performing searches. Required if the directory
              does not allow anonymous searches.

              As the password needs to be printed in plain text in your Squid  configuration  and
              will  be sent on the command line to the helper it is strongly recommended to use a
              account with minimal associated privileges.  This  to  limit  the  damage  in  case
              someone  could  get hold of a copy of your Squid configuration file or extracts the
              password used from a process listing.

       -D binddn -W secretfile
              The DN and the name of a file containing the password to bind as  while  performing

              Less  insecure  version  of  the  former  parameter  pair  with two advantages: The
              password does not occur in the process listing,  and  the  password  is  not  being
              compromised  if  someone  gets  the  squid  configuration  file without getting the

       -P     Use a persistent LDAP connection. Normally the LDAP connection is only  open  while
              verifying  a  users group membership to preserve resources at the LDAP server. This
              option causes the LDAP connection to be kept open, allowing it  to  be  reused  for
              further user validations. Recommended for larger installations.

       -R     do not follow referrals

       -a never|always|search|find
              when to dereference aliases. Defaults to 'never'

              never  dereference  aliases  (default),  always  dereference  aliases,  only  while
              searching or only to find the base object

       -H ldapuri
              Specity the LDAP server to connect to by a LDAP URI (requires OpenLDAP libraries)

       -h ldapserver
              Specify the LDAP server to connect to

       -p ldapport
              Specify an alternate TCP port where the ldap server is listening if other than  the
              default LDAP port 389.

       -v 2|3 LDAP protocol version. Defaults to 3 if not specified.

       -Z     Use TLS encryption

              Enable LDAP over SSL (requires Netscape LDAP API libraries)

              Specify  timeout  used  when connecting to LDAP servers (requires Netscape LDAP API

              Specify time limit on LDAP search operations

       -S     Strip NT domain name component from user names (/ or \ separated)

       -K     Strip Kerberos Realm component from user names (@ separated)

       -d     Debug mode where  each  step  taken  will  get  reported  in  detail.   Useful  for
              understanding what goes wrong if the results is not what is expected.


       This helper is intended to be used as a external_acl_type helper from squid.conf.

       external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ...
       acl group1 external ldap_group Group1
       acl group2 external ldap_group Group2


       When  constructing  search  filters  it  is  recommended  to  first  test the filter using
       ldapsearch before you attempt to use squid_ldap_group. This  to  verify  that  the  filter
       matches what you expect.


       This manual page was written by Henrik Nordstrom <>

       squid_ldap_group   is  written  by  Flavio  Pescuma  <>  and  Henrik
       Nordstrom <>, based on prior work in  squid_ldap_auth  by  Glen  Newton


       Max 16 occurrences of %s in the -u argument is supported.


       Any  questions  on  usage  can be sent to Squid Users <>, or to
       your favorite LDAP list/friend if the question is more related to LDAP than Squid.


       Report bugs or bug-fixes to Squid  Bugs  <>  or  ideas  for  new
       improvements to Squid Developers <>


       squid_ldap_auth(8), ldapsearch(1),
       Your favorite LDAP documentation
       RFC2254 - The String Representation of LDAP Search Filters,