ext_ad_group_acl man page on Mageia


ext_ad_group_acl.exe(8)				       ext_ad_group_acl.exe(8)

NAME
       ext_ad_group_acl.exe - Squid external ACL helper to check Windows users
       group membership.

       Version 2.0

SYNOPSIS
       ext_ad_group_acl.exe [-D domain ] [-cdGh]

DESCRIPTION
       ext_ad_group_acl.exe is	an  installed  binary  in  Squid  for  Windows
       builds.

       This helper must be used with an authentication scheme (typically
       Basic, NTLM or Negotiate) based on Windows Active Directory domain
       users.

       It  reads  from	the  standard  input the domain username and a list of
       groups and tries to match each against the  groups  membership  of  the
       specified username.

       Two running modes are available:

       - Local mode:
		   membership is checked against the machine's local groups;
		   cannot be used when running on a Domain Controller.

       - Active Directory Global mode:
		   membership is checked against the  whole  Active  Directory
		   Forest of the machine where Squid is running.

       The  minimal  Windows  version  needed to run ext_ad_group_acl.exe is a
       Windows 2000 SP4 member of an Active Directory Domain.

       When running in Active Directory Global mode, all types of Active
       Directory security groups are supported: Domain Global, Domain Local
       from the user's domain, and Universal. Active Directory group nesting
       is fully supported.

OPTIONS
       -c	   Use case insensitive compare (local mode only).

       -d	   Write debug info to stderr.

       -D domain   Specify the default user's domain

       -G	   Start helper in Active Directory Global mode.

       -h	   Display  the binary help and command line syntax info using
		   stderr.

CONFIGURATION
       When running in Active Directory Global mode, the AD Group can be
       specified using the following syntax:

       1. Plain NT4 Group Name

       2. Full NT4 Group Name

       3. Active Directory Canonical name

       For example:

       1. Proxy-Users

       2. MYDOMAIN\Proxy-Users

       3. mydomain.local/Groups/Proxy-Users

       When  using  Plain  NT4 Group Name, the Group is searched in the user's
       domain.
	      external_acl_type AD_global_group %LOGIN c:/squid/libexec/ext_ad_group_acl.exe -G
	      external_acl_type NT_local_group %LOGIN c:/squid/libexec/ext_ad_group_acl.exe
	      acl GProxyUsers external AD_global_group MYDOMAIN\GProxyUsers
	      acl LProxyUsers external NT_local_group LProxyUsers
	      acl password proxy_auth REQUIRED
	      http_access allow password GProxyUsers
	      http_access allow password LProxyUsers
	      http_access deny all

       In the previous example, all validated AD users who are members of the
       MYDOMAIN\GProxyUsers domain group or of the LProxyUsers machine local
       group are allowed to use the cache.

       Groups with spaces in the name, for example "Domain Users", must be
       quoted, and the acl data ("Domain Users") must be placed into a
       separate file included by specifying "/path/to/file". The previous
       example will be:
	      acl ProxyUsers external NT_global_group "/path/to/DomainUsers"
       and the DomainUsers file will contain only the following line:
	      "Domain Users"

       NOTE 1: When running in Active Directory Global mode, for better
       performance, all Domain Controllers of the Active Directory forest
       should be configured as Global Catalog.

       NOTE 2: When running in local mode, the standard group name comparison
       is case sensitive, so the group name must be specified with the same
       case as in the local SAM database. It is possible to enable case
       insensitive group name comparison (-c), but on some non-English
       locales, the results can be unexpected.

       NOTE 3: Native WIN32 NTLM and Basic helpers must be used without the -A
       and -D switches.

       Refer to Squid documentation for more details on squid.conf.

TESTING
       I strongly recommend that ext_ad_group_acl.exe is tested prior to being
       used in a production environment. It may behave differently on
       different platforms.

       To test it, run it from the command line. Enter username and group
       pairs separated by a space (username must be entered with URL-encoded
       domain%5Cusername syntax). Press ENTER to get an OK or ERR message.

       Make sure pressing CTRL+D behaves the same as a carriage return.

       Make sure pressing CTRL+C aborts the program.

       Test that entering no details does not result in an OK or ERR message.

       Test that entering an invalid username and group results in an ERR
       message.

       Test that entering a valid username and group results in an OK
       message.
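
       The checklist above can be scripted. The following is an added example,
       not part of the original man page or of Squid: the stand-in helper, the
       accounts, the groups, and the URL-encoding of group names are
       assumptions made so the harness runs without Windows or AD.

```python
import subprocess
import sys
from urllib.parse import quote

# Stand-in for ext_ad_group_acl.exe so the harness runs offline (constructed:
# the real helper asks Windows/AD). It speaks the line protocol from TESTING:
# "user group [group ...]" in, "OK" or "ERR" out, nothing for an empty line.
STUB_HELPER = r'''
import sys
from urllib.parse import unquote
MEMBERS = {"MYDOMAIN\\alice": {"Proxy-Users", "Domain Users"}}  # constructed
for line in sys.stdin:
    fields = [unquote(f) for f in line.split()]
    if len(fields) < 2:
        continue
    member_of = MEMBERS.get(fields[0], set())
    print("OK" if any(g in member_of for g in fields[1:]) else "ERR", flush=True)
'''
STUB_CMD = [sys.executable, "-c", STUB_HELPER]

# (user, groups, expected reply); accounts and groups are constructed.
CASES = [
    ("MYDOMAIN\\alice", ["Proxy-Users"], "OK"),
    ("MYDOMAIN\\alice", ["Domain Users"], "OK"),           # space in group name
    ("MYDOMAIN\\alice", ["Admins", "Proxy-Users"], "OK"),  # any group matches
    ("MYDOMAIN\\mallory", ["Proxy-Users"], "ERR"),         # unknown user must fail
    ("MYDOMAIN\\alice", ["Admins"], "ERR"),                # non-member must fail
]


def request_line(user, groups):
    """One request: URL-encoded DOMAIN\\user, then URL-encoded group names."""
    return " ".join(quote(field, safe="") for field in [user, *groups])


def run_checks(helper_cmd, cases):
    """Send all cases to one helper process; return the mismatching cases."""
    stdin = "".join(request_line(u, g) + "\n" for u, g, _ in cases)
    proc = subprocess.run(helper_cmd, input=stdin, capture_output=True,
                          text=True, timeout=30)
    replies = [ln.split()[0] for ln in proc.stdout.splitlines() if ln.strip()]
    replies += ["<no reply>"] * (len(cases) - len(replies))
    return [(u, g, want, got)
            for (u, g, want), got in zip(cases, replies) if want != got]


if __name__ == "__main__":
    for user, groups, want, got in run_checks(STUB_CMD, CASES):
        print(f"MISMATCH {user} {groups}: expected {want}, got {got}")
```

       To exercise the real helper, pass its command line (for example the one
       from the CONFIGURATION section) as helper_cmd and replace CASES with
       accounts and groups from your own domain, keeping the ERR cases.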

AUTHOR
       This program was written by Guido Serassio
       <guido.serassio@acmeconsulting.it>

       Based on prior work in mswin_check_lm_group (ext_lm_group_acl)

       This manual was written by Guido Serassio
       <guido.serassio@acmeconsulting.it> Amos Jeffries
       <amosjeffries@squid-cache.org>

COPYRIGHT
       This program and documentation is copyright to the authors named above.

       Distributed under the GNU General Public License (GNU GPL) version 2 or
       later (GPLv2+).

QUESTIONS
       Questions on the usage of this program can be sent to the  Squid	 Users
       mailing list <squid-users@squid-cache.org>

REPORTING BUGS
       Bug reports need to be made in English. See
       http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what
       you need to include with your bug report.

       Report bugs or bug fixes using http://bugs.squid-cache.org/

       Report serious security bugs to Squid Bugs <squid-bugs@squid-cache.org>

       Report  ideas for new improvements to the Squid Developers mailing list
       <squid-dev@squid-cache.org>

SEE ALSO
       squid(8), GPL(7),
       The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
       The Squid Configuration Manual http://www.squid-cache.org/Doc/config/

						       ext_ad_group_acl.exe(8)