Provided by: squid3_3.3.8-1ubuntu6.11_amd64 bug

NAME

       ext_ldap_group_acl - Squid LDAP external acl group helper

       Version 2.17

SYNOPSIS

       ext_ldap_group_acl -b base DN  LDAP search filter  options ] [ LDAP server name [: port ]|
       URI ]...

DESCRIPTION

       ext_ldap_group_acl allows Squid to connect to a LDAP directory to authorize users via LDAP
       groups.   LDAP  options  are  specified  as  parameters  on  the  command  line, while the
       username(s) and group(s) to be  checked  against  the  LDAP  directory  are  specified  on
       subsequent  lines  of input to the helper, one username/group pair per line separated by a
       space.

       As expected by the external_acl_type construct of Squid, after specifying a  username  and
       group  followed  by a new line, this helper will produce either OK or ERR on the following
       line to show if the user is a member of the specified group.

       The program operates by searching with a search filter based on the users  user  name  and
       requested  group,  and  if  a match is found it is determined that the user belongs to the
       group.

OPTIONS

       -a never|always|search|find
                   When to dereference aliases. Defaults to 'never'

                   never dereference aliases (default), always dereference  aliases,  only  while
                   searching or only to find the base object

       -b basedn   REQUIRED.  Specifies the base DN under which the groups are located.

       -B basedn   Specifies the base DN under which the users are located (if different)

       -c connect_timeout
                   Specify  timeout  used when connecting to LDAP servers (requires Netscape LDAP
                   API libraries)

       -d          Debug mode where each step taken will get  reported  in  detail.   Useful  for
                   understanding what goes wrong if the result is not what was expected.

       -D binddn -w password
                   The DN and password to bind as while performing searches. Required if the LDAP
                   directory does not allow anonymous searches.

                   As the password needs to be printed in plain text in your Squid  configuration
                   and  will be sent on the command line to the helper it is strongly recommended
                   to use a account with minimal associated privileges.  This to limit the damage
                   in  case  someone could get hold of a copy of your Squid configuration file or
                   extracts the password used from a process listing.

       -D binddn -W secretfile
                   The DN and the name of a  file  containing  the  password  to  bind  as  while
                   performing searches.

                   Less  insecure  version  of the former parameter pair with two advantages: The
                   password does not occur in the process listing, and the password is not  being
                   compromised  if  someone gets the squid configuration file without getting the
                   secretfile.

       -Ecertpath  Enable LDAP over SSL (requires Netscape LDAP API libraries)

       -f filter   LDAP search filter used to search the LDAP directory for  any  matching  group
                   memberships.     In  the filter %u will be replaced by the user name (or DN if
                   the -F or -u options are used) and %g by the requested group name.

       -F filter   LDAP search filter used to search the LDAP directory for any matching users.
                   In  the  filter  %s  will be replaced by the user name. If % is to be included
                   literally in the filter then use %%

       -g          Specifies that the first query argument sent to  the  helper  by  Squid  is  a
                   extension  to  the basedn and will be temporarily added in front of the global
                   basedn for this query.

       -h ldapserver
                   Specify the LDAP server to connect to

       -H ldapuri  Specity the LDAP server to  connect  to  by  a  LDAP  URI  (requires  OpenLDAP
                   libraries)

       -K          Strip Kerberos Realm component from user names (@ separated)

       -p ldapport Specify an alternate TCP port where the LDAP server is listening if other than
                   the default LDAP port 389.

       -P          Use a persistent LDAP connection. Normally the LDAP connection  is  only  open
                   while  verifying  a  users  group membership to preserve resources at the LDAP
                   server. This option causes the LDAP connection to be kept open, allowing it to
                   be reused for further user validations. Recommended for larger installations.

       -R          Do not follow referrals

       -s base|one|sub
                   search scope. Defaults to sub

                   base object only,

                   one level below the base object or

                   subtree below the base object

       -S          Strip NT domain name component from user names (/ or \ separated)

       -t search_timeout
                   Specify time limit on LDAP search operations

       -u attr     LDAP  attribute  used  to construct the user DN from the user name and base dn
                   without needing to search for the user.  A maximum of 16 occurrences of %s are
                   supported.

       -v 2|3      LDAP protocol version. Defaults to 3 if not specified.

       -Z          Use TLS encryption

CONFIGURATION

       This helper is intended to be used as an external_acl_type helper in squid.conf .
              external_acl_type ldap_group %LOGIN /path/to/ext_ldap_group_acl ...
              acl group1 external ldap_group Group1
              acl group2 external ldap_group Group2

       NOTE:  When  constructing  search filters it is recommended to first test the filter using
       ldapsearch to verify that the filter matches what you expect before  you  attempt  to  use
       ext_ldap_group_acl

AUTHOR

       This  program  was  written  by  Flavio  Pescuma <flavio@marasystems.com> Henrik Nordstrom
       <hno@squid-cache.org>

       Based on prior work in squid_ldap_auth by Glen Newton <glen.newton@nrc.ca>

       This manual was written by Henrik Nordstrom <hno@marasystems.com>

COPYRIGHT

       This program and documentation is copyright to the authors named above.

       Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).

QUESTIONS

       Questions on the usage of this program can be sent to the Squid Users mailing list <squid-
       users@squid-cache.org>

       Or  contact  your  favorite  LDAP list/friend if the question is more related to LDAP than
       Squid.

REPORTING BUGS

       Bug    reports    need    to    be    made    in    English.     See    http://wiki.squid-
       cache.org/SquidFaq/BugReporting  for  details  of  what  you need to include with your bug
       report.

       Report bugs or bug fixes using http://bugs.squid-cache.org/

       Report serious security bugs to Squid Bugs <squid-bugs@squid-cache.org>

       Report ideas for new improvements to the Squid Developers mailing  list  <squid-dev@squid-
       cache.org>

SEE ALSO

       squid(8), basic_ldap_auth(8), ldapsearch(1), GPL(7),
       Your favorite LDAP documentation
       RFC2254 - The String Representation of LDAP Search Filters,
       The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
       The Squid Configuration Manual http://www.squid-cache.org/Doc/config/

                                         30 January 2005                    ext_ldap_group_acl(8)