NAME¶

ext_kerberos_ldap_group_acl - Squid LDAP external acl group helper for Kerberos or NTLM credentials.

Version 1.3.0sq

SYNOPSIS¶

ext_kerberos_ldap_group_acl [-h] [-d] [-i] [-s] [-a] [-D Realm ] [-N Netbios-Realm-List] [-P service principal name] [-m Max-Depth] [-u Ldap-User] [-p Ldap-Password] [-b Ldap-Bind-Path] [-l Ldap-URL] [-S ldap server list] -g Group-Realm-List -t Hex-Group-Realm-List -T Hex-Group-Hex-Realm-List

DESCRIPTION¶

ext_kerberos_ldap_group_acl is an installed binary and allows Squid to connect to a LDAP directory to authorize users via LDAP groups. Options are specified as parameters on the command line, while the username (e.g. user , user@REALM , NDOMAINser ) to be checked against the LDAP directory are specified on subsequent lines of input to the helper, one username per line.

ext_kerberos_ldap_group_acl will determine the ldap server name from DNS SRV and/or A records or a local hosts file (e.g. for the Kerberos Realm SUSE.HOME it will look for an SRV record _ldap._tcp.SUSE.HOME and an A record SUSE.HOME or a SUSE.HOME hosts entry). If no domain information is available from the username the LDAP server will be determined through the command line options.

ext_kerberos_ldap_group_acl requires as a minimum the -g , -t or -T option which provides the LDAP group name the user has to belong too. For Active Directory a recursive group lookup is implemented until a max depth specified by -m depth. For other LDAP servers a RFC2307bis schema of groups is assumed.

Different group names can be specified for different domains using a group@domain syntax. As expected by the external_acl_type construct of Squid, after specifying a username and group followed by a new line, this helper will produce either OK or ERR on the following line to show if the user is a member of the specified group.

OPTIONS¶

-h

Display the binary help and command line syntax info using stderr.

-d

Write debug messages to stderr.

-i

Write informational messages to stderr.

-s

Use SSL for the LDAP connection.

The CA certificate file can be set via the environment variable TLS_CACERTFILE (default /etc/ssl/certs/cert.pem) (OpenLDAP).

The SSL certificate database can be set via the environment variable SSL_CERTDBPATH (default /etc/certs) (Sun and Mozilla LDAP SDK).

-a

Allow SSL without certificate verification.

-D Realm

Default Kerberos domain to use for usernames which do not contain domain information (e.g. for users using basic authentication).

-N Netbios-Realm-List

A list of Netbios name mappings to Kerberos domain names of the form Netbios-Name@Kerberos-Realm[:Netbios-Name@Kerberos-Realm] (e.g. for users using NTLM authentication). -P service principal name The principal name in the keytab to use. Avoids automated selection of name.

-m Max-Depth

Maximal depth of recursive group search.

-u Ldap-User

Username for LDAP server.

-p Ldap-Password

Password for LDAP server.

As the password needs to be printed in plain text in your Squid configuration it is strongly recommended to use an account with minimal associated privileges.

This to limit the damage in case someone could get hold of a copy of your Squid configuration file or extracts the password used from a process listing.

-b Ldap-Bind-Path

LDAP server bind path.

-l Ldap-URL

LDAP server URL in form ldap[s]://server:port

-S ldap server list

list of ldap servers of the form lserver|lserver@|lserver@Realm[:lserver@|lserver@Realm]

-g Group-Realm-List

A list of group name per Kerberos domain of the form Group|Group@|Group@Realm[:Group@|Group@Realm]

-t Hex-Group-Realm-List

A list of group name per Kerberos domain of the form Group|Group@|Group@Realm[:Group@|Group@Realm] where group is in UTF-8 hex format

-T Hex-Group-Hex-Realm-List

A list of group name per Kerberos domain of the form Group|Group@|Group@Realm[:Group@|Group@Realm] where group and domain is in UTF-8 hex format

CONFIGURATION¶

This helper is intended to be used as an external_acl_type helper in squid.conf.

external_acl_type kerberos_ldap_group1 ttl=3600 negative_ttl=3600 %LOGIN /path/to/ext_kerberos_ldap_group_acl -g GROUP1


external_acl_type kerberos_ldap_group2 ttl=3600 negative_ttl=3600 %LOGIN /path/to/ext_kerberos_ldap_group_acl -g GROUP2


acl group1 external kerberos_ldap_group1


acl group2 external kerberos_ldap_group2

NOTE: The following squid startup file modification may be required: Add the following lines to the squid startup script to point squid to a keytab file which contains the HTTP/fqdn service principal for the default Kerberos domain. The fqdn must be the proxy name set in IE or firefox. You can not use an IP address.

KRB5_KTNAME=/etc/squid/HTTP.keytab
export KRB5_KTNAME

KRB5_CONFIG=/etc/krb5-squid.conf
export KRB5_CONFIG

1) For user@REALM
a) Query DNS for SRV record _ldap._tcp.REALM
b) Query DNS for A record REALM
c) Use LDAP_URL if given

2) For user
a) Use domain -D REALM and follow step 1)
b) Use LDAP_URL if given

The Groups to check against are determined as follows:

1) For user@REALM
a) Use values given by -g option which contain a @REALM e.g. -g GROUP1@REALM:GROUP2@REALM
b) Use values given by -g option which contain a @ only e.g. -g GROUP1@:GROUP2@
c) Use values given by -g option which do not contain a realm e.g. -g GROUP1:GROUP2

2) For user
a) Use values given by -g option which do not contain a realm e.g. -g GROUP1:GROUP2

3) For NDOMAIN\user
a) Use realm given by -N NDOMAIN@REALM and then use values given by -g option which contain a @REALM e.g. -g GROUP1@REALM:GROUP2@REALM

To support Non-ASCII character use -t GROUP or -t GROUP@REALM instead of -g where GROUP is the hex UTF-8 representation e.g.

-t 6d61726b7573 instead of -g markus

The REALM must still be based on the ASCII character set. If REALM contains also non ASCII characters use -T GROUP@REALM where GROUP and REALM are hex UTF-8 representation e.g.

-T 6d61726b7573@57494e3230303352322e484f4d45 instead of -g markus@WIN2003R2.HOME

For a translation of hex UTF-8 see for example http://www.utf8-chartable.de/unicode-utf8-table.pl

The ldap server list can be: server - In this case server can be used for all Kerberos domains server@ - In this case server can be used for all Kerberos domains server@domain - In this case server can be used for Kerberos domain domain server1a@domain1:server1b@domain1:server2@domain2:server3@:server4 - A list is build with a colon as separator

AUTHOR¶

This program was written by Markus Moeller <markus_moeller@compuserve.com>

This manual was written by Markus Moeller <markus_moeller@compuserve.com>

COPYRIGHT¶

* Copyright (C) 1996-2015 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
* Please see the COPYING and CONTRIBUTORS files for details.

This program and documentation is copyright to the authors named above.

Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).

QUESTIONS¶

Questions on the usage of this program can be sent to the Squid Users mailing list <squid-users@lists.squid-cache.org>

REPORTING BUGS¶

Bug reports need to be made in English. See https://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.

Report bugs or bug fixes using http://bugs.squid-cache.org/

Report serious security bugs to Squid Bugs <squid-bugs@lists.squid-cache.org>

Report ideas for new improvements to the Squid Developers mailing list <squid-dev@lists.squid-cache.org>

SEE ALSO¶

squid(8) negotiate_kerberos_auth(8)
RFC1035 - Domain names - implementation and specification,
RFC2782 - A DNS RR for specifying the location of services (DNS SRV),
RFC2254 - The String Representation of LDAP Search Filters,
RFC2307bis - An Approach for Using LDAP as a Network Information Service http://www.padl.com/~lukeh/rfc2307bis.txt,"
The Squid FAQ wiki https://wiki.squid-cache.org/SquidFaq
The Squid Configuration Manual http://www.squid-cache.org/Doc/config/