Hello list,

This is to announce the availability of some patches to squidguard 1.2.0
that enable LDAP support for Source block user lists.

Using this patch, it is possible to have a near-dynamic user configuration
without having to restart squidguard.

The ldap patch adds 3 new configuration keywords to the squidguard.conf file:

ldapusersearch          This keyword goes in the Source {} config block, and
                        specifies an LDAP URL to use to search for an unknown
                        user name.
 
                        You can specify multiple LDAP URLs per Source block.
 
                        Use '%s' to reference the username in your LDAP URL.
 
                        If the search returns a record, the user is considered
                        "found", otherwise the next URL in the same Source
                        block is tried.
 
                        Squidguard caches the "found" state of each search,
                        even when a user name is not found.  The cache
                        is valid for ldapcachetime seconds.
 
ldapcachetime           This global keyword specifies the number of seconds
                        to cache LDAP search results before contacting
                        the LDAP server again.  This keyword is global and
                        must go outside any Source/Destination/Rule blocks.
 
                        Setting this value to a reasonably low value can
                        allow simulation of near-realtime user groupings
                        in LDAP without restarting squidguard.
 
                        Recommended value: 300

execuserlist            This keyword goes in the Source {} block, and
                        specifies a command to run that will write a list
                        of usernames on stdout.


Please note that this patch is in beta.  I've tested it myself and found it to
work, but no guarantees are made that it will work as advertised.  Feedback
is welcome.

The patch is rather large, so instead of clogging the mailing list, you can
download it from here:

        http://www.netdirect.ca/~cdfrey/software/

There are 4 patches available at the above link:

        01-squidGuard-1.2.0-dbcfg.patch.bz2
        02-squidGuard-1.2.0-buffer.patch.bz2
        03-squidGuard-1.2.0-ldap.patch.bz2
        04-squidGuard-1.2.0-cleanup.patch.bz2

Only the first 3 are needed for the LDAP feature.  I'm publishing the last
patch as well in case anyone is interested in making squidguard restart itself
without re-execing.  In that case you will need to free a lot of allocated
memory, and patch 04 is a step in that direction.

Enjoy,

Chris Frey
Net Direct, Inc.
-------------------  Example squidguard.conf snippet  ------------------------
 
dbhome /var/lib/squidguard
logdir /var/log/squidguard
 
# ldap cache time in seconds
ldapcachetime   300
 
src INTERNAL_LAN {
        ip              192.168.0.0/24 127.0.0.1
        within          workhours
        user            dave,chris,john, marconi
        ldapusersearch  ldap://ldap.example.com/cn=squidguardusers,ou=groups,dc=example,dc=com?memberUid?sub?(&(objectclass=posixGroup)(memberUid=%s))
        execuserlist    sed "s/:.*$//" /etc/passwd
        log             internal_lan
}
 
------------------------------  End snippet  ---------------------------------
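An added example, not code from Chris Frey's patch, that models the behaviour the keywords above describe: URLs tried in order, '%s' substituted with the user name, and both "found" and "not found" results cached for ldapcachetime seconds. It runs in Python against a constructed in-memory stand-in for the LDAP server; the LdapUserSource class, fake_search, FAKE_DIRECTORY and the RFC 4515 escaping of the substituted name are this example's own choices, not documented behaviour of the patch.

```python
import re
import time
from typing import Callable, Dict, List, Tuple

def escape_filter_value(value: str) -> str:
    # RFC 4515 escaping for a value placed inside an LDAP filter. squidGuard
    # substitutes '%s' as-is; escaping it first is this example's own choice.
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)

class LdapUserSource:
    # One src block: ordered ldapusersearch URLs plus the ldapcachetime cache.
    def __init__(self, urls: List[str], search: Callable[[str], int],
                 cachetime: int = 300, clock: Callable[[], float] = time.monotonic):
        self.urls, self.search = urls, search      # search(url) -> entries returned
        self.cachetime, self.clock = cachetime, clock
        self.cache: Dict[str, Tuple[bool, float]] = {}   # user -> (found, expires)
        self.lookups = 0                           # LDAP queries actually issued

    def is_member(self, user: str) -> bool:
        now = self.clock()
        hit = self.cache.get(user)
        if hit and hit[1] > now:                   # misses are cached too
            return hit[0]
        found = False
        for template in self.urls:                # next URL only if nothing returned
            self.lookups += 1
            if self.search(template.replace("%s", escape_filter_value(user))) > 0:
                found = True
                break
        self.cache[user] = (found, now + self.cachetime)
        return found

# Constructed stand-in for the LDAP server: group DN -> memberUid values.
FAKE_DIRECTORY = {
    "cn=squidguardusers,ou=groups,dc=example,dc=com": {"dave", "chris"},
    "cn=admins,ou=groups,dc=example,dc=com": {"john"},
}
URLS = [  # same shape as the ldapusersearch line in the snippet above
    "ldap://ldap.example.com/cn=squidguardusers,ou=groups,dc=example,dc=com"
    "?memberUid?sub?(&(objectclass=posixGroup)(memberUid=%s))",
    "ldap://ldap.example.com/cn=admins,ou=groups,dc=example,dc=com"
    "?memberUid?sub?(&(objectclass=posixGroup)(memberUid=%s))",
]

def fake_search(url: str) -> int:
    # Parse ldap://host/dn?attrs?scope?filter and count matching group entries.
    dn, _attrs, _scope, flt = url.split("/", 3)[3].split("?", 3)
    uid = re.search(r"memberUid=([^)]*)", flt).group(1)
    return 1 if uid in FAKE_DIRECTORY.get(dn, set()) else 0
```

Because misses expire on the same ldapcachetime as hits, a user added to the group in LDAP can take up to that many seconds to be recognised, which is the trade-off behind the recommended 300.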
