Provided by: squid_3.5.12-1ubuntu7_i386


       ext_ldap_group_acl - Squid LDAP external acl group helper

       Version 2.18


       ext_ldap_group_acl -b base-DN -f filter [ options ] [ server [ ':' port ] | URI ] ...


       ext_ldap_group_acl allows Squid to connect to an LDAP directory to
       authorize users via LDAP groups. LDAP options are specified as
       parameters on the command line, while the username(s) and group(s) to
       be checked against the LDAP directory are specified on subsequent lines
       of input to the helper, one username/group pair per line separated by a

       As   expected  by  the  external_acl_type  construct  of  Squid,  after
       specifying a username and group followed by a  new  line,  this  helper
       will produce either OK or ERR on the following line to show if the user
       is a member of the specified group.

       The program operates by searching with a search filter based on the
       user's user name and the requested group; if a match is found, the user
       is considered to belong to the group.
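The line protocol just described, as an added stand-in helper written for this page (it is not Squid's code): it answers the same one-request-per-line, OK-or-ERR-per-line exchange from a constructed in-memory membership table instead of an LDAP directory, which makes it useful for checking that an external_acl_type line and its acl rules are wired correctly before a real directory is involved. The membership table, the names in it, and the `--serve` switch are constructed for this example.

```shell
#!/bin/sh
# Added example, not ext_ldap_group_acl itself: a stand-in that speaks the
# external_acl_type line protocol (read "user group..." per line, answer
# OK or ERR per line). The membership table is constructed test data.

MEMBERS='alice proxy-users
bob proxy-users
bob proxy-admins'

# is_member USER GROUP -> exit status 0 when the pair is in MEMBERS.
# grep -F takes the pair literally, so a name containing regex
# metacharacters cannot widen the match; -x requires a whole-line match.
is_member() {
    printf '%s\n' "$MEMBERS" | grep -qxF "$1 $2"
}

# helper_loop: the request/response loop Squid drives over stdin/stdout.
# Every input line gets exactly one answer line, including malformed ones
# (a line with no group is answered ERR rather than skipped), so answers
# never fall out of step with requests. Several groups on one line are
# accepted and any match yields OK (constructed behaviour for this stub).
helper_loop() {
    while read -r user groups; do
        if [ -z "$groups" ]; then
            echo ERR
            continue
        fi
        answer=ERR
        for g in $groups; do
            if is_member "$user" "$g"; then
                answer=OK
                break
            fi
        done
        echo "$answer"
    done
}

# Run the loop when invoked as "stub.sh --serve", e.g. from a test
# external_acl_type line; sourcing the file only defines the functions.
if [ "${1-}" = "--serve" ]; then
    helper_loop
fi
```

Pointing an external_acl_type line at this stub while developing the acl rules keeps directory problems and Squid configuration problems apart; once the acl wiring behaves, swap in the real helper.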


       -a never|always|search|find
                   When to dereference aliases. Defaults to 'never'

                   never    never dereference aliases (default),
                   always   always dereference aliases,
                   search   only while searching or
                   find     only to find the base

       -b basedn   REQUIRED.  Specifies the base DN under which the groups are

       -B basedn   Specifies the base DN under which the users are located (if

       -c connect_timeout
                   Specify  timeout  used  when  connecting  to  LDAP  servers
                   (requires Netscape LDAP API libraries)

       -d          Debug  mode  where  each  step  taken  will get reported in
                   detail.  Useful for understanding what goes  wrong  if  the
                   result is not what was expected.

       -D binddn -w password
                   The  DN  and password to bind as while performing searches.
                   Required if the LDAP directory  does  not  allow  anonymous

                   As the password needs to be printed in plain text in your
                   Squid configuration and will be sent on the command line to
                   the helper, it is strongly recommended to use an account
                   with minimal associated privileges. This limits the damage
                   in case someone gets hold of a copy of your Squid
                   configuration file or extracts the password used from a
                   process listing.

       -D binddn -W secretfile
                   The  DN  and  the name of a file containing the password to
                   bind as while performing searches.

                   Less insecure version of the former parameter pair, with
                   two advantages: the password does not occur in the process
                   listing, and the password is not compromised if someone
                   gets the squid configuration file without getting the
                   secretfile.

       -E certpath Enable LDAP over SSL (requires Netscape LDAP API libraries)

       -f filter   LDAP search filter used to search the  LDAP  directory  for
                   any  matching group memberships.   In the filter %u will be
                   replaced by the user name (or DN if the -F  or  -u  options
                   are used) and %g by the requested group name.

       -F filter   LDAP  search  filter  used to search the LDAP directory for
                   any matching users.   In the filter %s will be replaced  by
                   the  user  name.  If  %  is to be included literally in the
                   filter then use %%

       -g          Specifies that the first query argument sent to the  helper
                   by  Squid  is  a  extension  to  the  basedn  and  will  be
                   temporarily added in front of the global  basedn  for  this

       -h ldapserver
                   Specify the LDAP server to connect to

       -H ldapuri  Specify the LDAP server to connect to by an LDAP URI
                   (requires OpenLDAP libraries)

       -K          Strip  Kerberos  Realm  component  from   user   names   (@

       -p ldapport Specify  an  alternate  TCP  port  where the LDAP server is
                   listening if other than the default LDAP port 389.

       -P          Use a persistent LDAP connection. Normally the LDAP
                   connection is only open while verifying a user's group
                   membership, to preserve resources at the LDAP server. This
                   option causes the LDAP connection to be kept open, allowing
                   it to be reused for further user validations. Recommended
                   for larger installations.

       -R          Do not follow referrals

       -s base|one|sub
                   search scope. Defaults to sub

                   base   base object only,
                   one    one level below the base object or
                   sub    subtree below the base object

       -S          Strip  NT  domain  name  component  from user names (/ or \

       -t search_timeout
                   Specify time limit on LDAP search operations

       -u attr     LDAP attribute used to construct the user DN from the  user
                   name and base dn without needing to search for the user.  A
                   maximum of 16 occurrences of %s are supported.

       -v 2|3      LDAP protocol version. Defaults to 3 if not specified.

       -Z          Use TLS encryption
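An added illustration (not the helper's own code) of how a -f template becomes a search filter: %u and %g are substituted, %% yields a literal %, and the substituted values are escaped the way RFC2254 (cited under SEE ALSO) requires, so a user or group name containing `*`, `(`, `)` or `\` stays a literal value instead of changing the filter's structure. Whether this helper applies that escaping is not stated on this page; the -d debug output is the place to see the filter actually sent. The template and the names below are constructed.

```shell
#!/bin/sh
# Added example: build an LDAP search filter from an ext_ldap_group_acl-style
# -f template. Not the helper's own code; it illustrates the documented
# substitution rules (%u, %g, %%) plus RFC2254 value escaping.

# ldap_escape VALUE -> VALUE with RFC2254 section 4 escaping applied:
#   \ -> \5c   * -> \2a   ( -> \28   ) -> \29
# Backslash is handled first so the escapes themselves are not re-escaped.
ldap_escape() {
    printf '%s\n' "$1" | sed \
        -e 's/\\/\\5c/g' \
        -e 's/\*/\\2a/g' \
        -e 's/(/\\28/g' \
        -e 's/)/\\29/g'
}

# build_filter TEMPLATE USER GROUP -> filter string.
# Walks the template one token at a time; %u and %g receive the escaped
# user and group, %% becomes a literal %, everything else is copied as-is.
build_filter() {
    rest=$1
    u=$(ldap_escape "$2")
    g=$(ldap_escape "$3")
    out=''
    while [ -n "$rest" ]; do
        case $rest in
            %u*) out="$out$u"; rest=${rest#??} ;;
            %g*) out="$out$g"; rest=${rest#??} ;;
            %%*) out="$out%";  rest=${rest#??} ;;
            *)   out="$out${rest%"${rest#?}"}"; rest=${rest#?} ;;
        esac
    done
    printf '%s\n' "$out"
}

# Constructed demonstration template (no -F/-u in use, so %u is the bare
# user name and the member DN is assembled inside the template).
TEMPLATE='(&(objectClass=groupOfNames)(cn=%g)(member=uid=%u,ou=people,dc=example,dc=org))'

build_filter "$TEMPLATE" alice proxy-users
# A name carrying filter metacharacters remains a literal value:
build_filter "$TEMPLATE" 'a*b' 'ops(1)'
```

The second call shows why the escaping matters: without it, `a*b` would turn the member test into a wildcard match, and the `)` in the group name would close the filter early. Running the same template through ldapsearch, as the NOTE under CONFIGURATION advises, confirms that the directory interprets the escaped value as intended.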


       This helper is intended to be used as an  external_acl_type  helper  in
       squid.conf .
              external_acl_type  ldap_group %LOGIN /path/to/ext_ldap_group_acl
              acl group1 external ldap_group Group1
              acl group2 external ldap_group Group2

       NOTE: When constructing search filters it is recommended to first  test
       the  filter using ldapsearch to verify that the filter matches what you
       expect before you attempt to use ext_ldap_group_acl
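An added deployment example (not part of the Squid documentation) that puts the -W advice from the OPTIONS section into practice: the bind password is written to a file created with restrictive permissions, and the external_acl_type line references that file instead of carrying the password with -w. It also prints the ldapsearch invocation that exercises the same filter, per the NOTE above. The DNs, host name, acl name and password are constructed placeholders; /path/to/ext_ldap_group_acl is the page's own placeholder.

```shell
#!/bin/sh
# Added example: deploy ext_ldap_group_acl with the bind password in a
# secret file (-W) rather than on the command line (-w). All DNs, host
# names and the password are constructed placeholders.

# write_secret_file PATH PASSWORD
# Created under umask 077 in a subshell, so the file is never readable by
# others even for an instant and the caller's umask is left untouched.
# No trailing newline: both -W and ldapsearch -y read the file verbatim.
# The helper must run as the user that owns this file.
write_secret_file() {
    ( umask 077 && printf '%s' "$2" > "$1" )
}

# file_mode PATH -> the ls-style permission string, e.g. -rw-------
file_mode() {
    ls -ld "$1" | cut -c1-10
}

# squid_conf_fragment SECRET_FILE -> the external_acl_type and acl lines.
# -Z enables TLS, -P keeps one connection open, -R refuses referrals, and
# -F resolves the user to a DN first so that %u in -f is that DN.
squid_conf_fragment() {
    cat <<EOF
external_acl_type ldap_group %LOGIN /path/to/ext_ldap_group_acl \\
    -P -Z -R -v 3 \\
    -h ldap.example.org \\
    -b "ou=groups,dc=example,dc=org" \\
    -B "ou=people,dc=example,dc=org" \\
    -D "cn=squid-reader,ou=service,dc=example,dc=org" -W $1 \\
    -F "(uid=%s)" \\
    -f "(&(objectClass=groupOfNames)(cn=%g)(member=%u))"
acl proxy_users external ldap_group proxy-users
http_access allow proxy_users
EOF
}

# ldapsearch_check SECRET_FILE GROUP USER_DN -> the ldapsearch command that
# runs the same group filter with the same bind identity (printed, not run).
ldapsearch_check() {
    printf 'ldapsearch -x -ZZ -H ldap://ldap.example.org -y %s -D "cn=squid-reader,ou=service,dc=example,dc=org" -b "ou=groups,dc=example,dc=org" "(&(objectClass=groupOfNames)(cn=%s)(member=%s))" dn\n' \
        "$1" "$2" "$3"
}

SECRET="${TMPDIR:-/tmp}/ldap_bind.secret.$$"
write_secret_file "$SECRET" 'constructed-placeholder-password'
squid_conf_fragment "$SECRET"
ldapsearch_check "$SECRET" proxy-users 'uid=alice,ou=people,dc=example,dc=org'
```

The bind account named in -D only needs read access to the group and user subtrees, in line with the "minimal associated privileges" advice under -D/-w; if the ldapsearch line returns the group entry for a known member and nothing for a non-member, the filter is ready for the helper.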


       This program was written  by  Flavio  Pescuma  <>
       Henrik Nordstrom <>

       Based    on    prior   work   in   squid_ldap_auth   by   Glen   Newton

       This manual was written by Henrik Nordstrom <>


        *  Copyright  (C)  1996-2015  The  Squid   Software   Foundation   and
        * Squid software is distributed under GPLv2+ license and includes
        * contributions from numerous individuals and organizations.
        * Please see the COPYING and CONTRIBUTORS files for details.

       This program and documentation is copyright to the authors named above.

       Distributed under the GNU General Public License (GNU GPL) version 2 or
       later (GPLv2+).


       Questions on the usage of this program can be sent to the  Squid  Users
       mailing list <>

       Or  contact  your  favorite  LDAP  list/friend  if the question is more
       related to LDAP than Squid.


       Bug reports  need  to  be  made  in  English.   See  http://wiki.squid- for details of what you need to include
       with your bug report.

       Report bugs or bug fixes using

       Report serious security bugs to Squid Bugs <>

       Report ideas for new improvements to the Squid Developers mailing  list


       squid(8), basic_ldap_auth(8), ldapsearch(1), GPL(7),
       Your favorite LDAP documentation
       RFC2254 - The String Representation of LDAP Search Filters,
       The Squid FAQ wiki
       The Squid Configuration Manual

                                30 January 2005          ext_ldap_group_acl(8)