Have you looed at tha man pages ?
NAME
ext_kerberos_ldap_group_acl - Squid LDAP external acl group helper
for
Kerberos or NTLM credentials.
Version 1.3.0sq
SYNOPSIS
ext_kerberos_ldap_group_acl [-h] [-d] [-i] [-s] [-a] [-D Realm ]
[-N
Netbios-Realm-List] [-m Max-Depth] [-u Ldap-User] [-p
Ldap-Password]
[-b Ldap-Bind-Path] [-l Ldap-URL] [-S ldap server list] -g
Group-Realm-
List -t Hex-Group-Realm-List -T Hex-Group-Hex-Realm-List
DESCRIPTION
ext_kerberos_ldap_group_acl is an installed binary and allows Squid
to
connect to a LDAP directory to authorize users via LDAP groups.
Options
are specified as parameters on the command line, while the
username
(e.g. user , user@REALM , NDOMAINser ) to be checked against the
LDAP
directory are specified on subsequent lines of input to the helper,
one
username per line.
ext_kerberos_ldap_group_acl will determine the ldap server name
from
DNS SRV and/or A records or a local hosts file (e.g. for the
Kerberos
Realm SUSE.HOME it will look for an SRV record _ldap._tcp.SUSE.HOME
and
an A record SUSE.HOME or a SUSE.HOME hosts entry). If no domain
infor-
mation is available from the username the LDAP server will be
deter-
mined through the command line options.
ext_kerberos_ldap_group_acl requires as a minimum the -g , -t
or -T
option which provides the LDAP group name the user has to belong
too.
For Active Directory a recursive group lookup is implemented until
a
max depth specified by -m depth. For other LDAP servers a
RFC2307bis
schema of groups is assumed.
Different group names can be specified for different domains using
a
group@domain syntax. As expected by the external_acl_type construct
of
Squid, after specifying a username and group followed by a new
line,
this helper will produce either OK or ERR on the following line to
show
if the user is a member of the specified group.
OPTIONS
-h Display the binary help and command line syntax info
using
stderr.
-d Write debug messages to stderr.
-i Write informational messages to stderr.
-s Use SSL for the LDAP connection.
The CA certificate file can be set via the
environment
variable TLS_CACERTFILE (default
/etc/ssl/certs/cert.pem)
(OpenLDAP).
The SSL certificate database can be set via the
environment
variable SSL_CERTDBPATH (default /etc/certs) (Sun
and
Mozilla LDAP SDK).
-a Allow SSL without certificate verification.
-D Realm Default Kerberos domain to use for usernames which do
not
contain domain information (e.g. for users using
basic
authentication).
-N Netbios-Realm-List
A list of Netbios name mappings to Kerberos domain names
of
the form
Netbios-Name@Kerberos-Realm[:Netbios-Name@Ker-
beros-Realm] (e.g. for users using NTLM authentication).
-m Max-Depth
Maximal depth of recursive group search.
-u Ldap-User
Username for LDAP server.
-u Ldap-Password
Password for LDAP server.
As the password needs to be printed in plain text in
your
Squid configuration it is strongly recommended to use
an
account with minimal associated privileges. This to
limit
the damage in case someone could get hold of a copy of
your
Squid configuration file or extracts the password used
from
a process listing.
-b Ldap-Bind-Path
LDAP server bind path.
-u Ldap-URL LDAP server URL in form ldap[s]://server:port
-S ldap server list
list of ldap servers of the
form
lserver|lserver@|lserver@Realm[:lserver@|lserver@Realm]
-g Group-Realm-List
A list of group name per Kerberos domain of the
form
Group|Group@|Group@Realm[:Group@|Group@Realm]
-t Hex-Group-Realm-List
A list of group name per Kerberos domain of the
form
Group|Group@|Group@Realm[:Group@|Group@Realm] where
group
is in UTF-8 hex format
-T Hex-Group-Hex-Realm-List
A list of group name per Kerberos domain of the
form
Group|Group@|Group@Realm[:Group@|Group@Realm] where
group
and domain is in UTF-8 hex format
CONFIGURATION
This helper is intended to be used as an external_acl_type helper
in
squid.conf.
external_acl_type kerberos_ldap_group1 ttl=3600 negative_ttl=3600
%LOGIN /path/to/ext_kerberos_ldap_group_acl -g GROUP1
external_acl_type kerberos_ldap_group2 ttl=3600 negative_ttl=3600
%LOGIN /path/to/ext_kerberos_ldap_group_acl -g GROUP2
acl group1 external kerberos_ldap_group1
acl group2 external kerberos_ldap_group2
NOTE: The following squid startup file modification may be
required:
Add the following lines to the squid startup script to point squid to
a
keytab file which contains the HTTP/fqdn service principal for
the
default Kerberos domain. The fqdn must be the proxy name set in IE
or
firefox. You can not use an IP address.
KRB5_KTNAME=/etc/squid/HTTP.keytab
export KRB5_KTNAME
If you use a different Kerberos domain than the machine itself is
in
you can point squid to the seperate Kerberos config file by setting
the
following environmnet variable in the startup script.
KRB5_CONFIG=/etc/krb5-squid.conf
export KRB5_CONFIG
ext_kerberos_ldap_group_acl will determine automagically the right
ldap
server. The following method is used:
1) For user@REALM
a) Query DNS for SRV record _ldap._tcp.REALM
b) Query DNS for A record REALM
c) Use LDAP_URL if given
2) For user
a) Use domain -D REALM and follow step 1)
b) Use LDAP_URL if given
The Groups to check against are determined as follows:
1) For user@REALM
a) Use values given by -g option which contain a @REALM
e.g. -g
GROUP1@REALM:GROUP2@REALM
b) Use values given by -g option which contain a @ only
e.g. -g
GROUP1@:GROUP2@
c) Use values given by -g option which do not contain a realm
e.g.
-g GROUP1:GROUP2
2) For user
a) Use values given by -g option which do not contain a realm
e.g.
-g GROUP1:GROUP2
3) For NDOMAIN\user
a) Use realm given by -N NDOMAIN@REALM and then use values given
by
-g option which contain a @REALM e.g. -g GROUP1@REALM:GROUP2@REALM
To support Non-ASCII character use -t GROUP or -t GROUP@REALM
instead
of -g where GROUP is the hex UTF-8 representation e.g.
-t 6d61726b7573 instead of -g markus
The REALM must still be based on the ASCII character set. If REALM
con-
tains also non ASCII characters use -T GROUP@REALM where GROUP
and
REALM are hex UTF-8 representation e.g.
-T 6d61726b7573@57494e3230303352322e484f4d45 instead
of -g
mar...@win2003r2.home
For a translation of hex UTF-8 see for
example
http://www.utf8-chartable.de/unicode-utf8-table.pl
The ldap server list can be: server - In this case server can be
used
for all Kerberos domains server@ - In this case server can be used
for
all Kerberos domains server@domain - In this case server can be
used
for Kerberos domain
domain
server1a@domain1:server1b@domain1:server2@domain2:server3@:server4 -
A
list is build with a colon as seperator
AUTHOR
This program was written by Markus Moeller
<markus_moeller@com-
puserve.com>
This manual was written by Markus Moeller
<markus_moeller@com-
puserve.com>
COPYRIGHT
This program and documentation is copyright to the authors named
above.
Distributed under the GNU General Public License (GNU GPL) version 2
or
later (GPLv2+).
QUESTIONS
Questions on the usage of this program can be sent to the Squid
Users
mailing list <squid-users@squid-cache.org>
REPORTING BUGS
Bug reports need to be made in English. See
http://wiki.squid-
cache.org/SquidFaq/BugReporting for details of what you need to
include
with your bug report.
Report bugs or bug fixes using http://bugs.squid-cache.org/
Report serious security bugs to Squid Bugs
<squid-b...@squid-cache.org>
Report ideas for new improvements to the Squid Developers mailing
list
<squid-...@squid-cache.org>
SEE ALSO
squid(8) negotiate_kerberos_auth(8)
RFC1035 - Domain names - implementation and specification,
RFC2782 - A DNS RR for specifying the location of services (DNS SRV),
RFC2254 - The String Representation of LDAP Search Filters,
RFC2307bis - An Approach for Using LDAP as a Network Information
Ser-
vice http://www.padl.com/~lukeh/rfc2307bis.txt,";
The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
The Squid Configuration Manual http://www.squid-cache.org/Doc/config/
ext_kerberos_ldap_group_acl(8)
"Kris Glynn" <kris.gl...@virginaustralia.com> wrote in message
news:C0BFCFE42E56BB43ACEC98F3F0088FA1285756C0@empexcemxprd01.virginblue.internal...
Hi,
I can not for the life of me work out how to use ext_kerberos_ldap_group_acl
with squid 3.2.6
I have authentication with negotiate_kerberos_auth working fine but I also
want authorisation helper for group membership.
Relevant squid.conf config below..
# Kerberos Auth
auth_param negotiate program /usr/lib64/squid/negotiate_kerberos_auth
auth_param negotiate children 40
auth_param negotiate keep_alive on
# Group ACL Helper
external_acl_type ldap_group ttl=60 negative_ttl=60 %LOGIN
/usr/lib64/squid/ext_kerberos_ldap_group_acl -d -g ALL@ -D my.internal
What is the ALL@ for ? Does someone have a working config against Windows
2008 AD/LDAP ?
To be honest, at the moment I am using this external helper
ext_wbinfo_group_acl which is working fine..
external_acl_type ldap_group ttl=300 children-max=50 children-startup=40
%LOGIN /usr/lib64/squid/ext_wbinfo_group_acl -K
.. but is ext_kerberos_ldap_group_acl better or should I leave authorisation
up to ext_wbinfo_group_acl since I have it working?
Is either better than the other?
Thanks
Kris
The content of this e-mail, including any attachments, is a confidential
communication between Virgin Australia Airlines Pty Ltd (Virgin Australia)
or its related entities (or the sender if this email is a private
communication) and the intended addressee and is for the sole use of that
intended addressee. If you are not the intended addressee, any use,
interference with, disclosure or copying of this material is unauthorized
and prohibited. If you have received this e-mail in error please contact the
sender immediately and then delete the message and any attachment(s). There
is no warranty that this email is error, virus or defect free. This email is
also subject to copyright. No part of it should be reproduced, adapted or
communicated without the written consent of the copyright owner. If this is
a private communication it does not represent the views of Virgin Australia
or its related entities. Please be aware that the contents of any emails
sent to or from Virgin Australia or its related entities may be periodically
monitored and reviewed. Virgin Australia and its related entities respect
your privacy. Our privacy policy can be accessed from our website:
www.virginaustralia.com
