ext_kerberos_ldap_group_acl man page on Mageia


ext_kerberos_ldap_group_acl(8)			ext_kerberos_ldap_group_acl(8)

NAME
       ext_kerberos_ldap_group_acl  - Squid LDAP external acl group helper for
       Kerberos or NTLM credentials.

       Version 1.3.0sq

SYNOPSIS
       ext_kerberos_ldap_group_acl [-h] [-d] [-i] [-s] [-a] [-D	 Realm	]  [-N
       Netbios-Realm-List]  [-m	 Max-Depth]  [-u Ldap-User] [-p Ldap-Password]
       [-b Ldap-Bind-Path] [-l Ldap-URL] [-S ldap server list] -g Group-Realm-
       List -t Hex-Group-Realm-List -T Hex-Group-Hex-Realm-List

DESCRIPTION
       ext_kerberos_ldap_group_acl is an installed binary and allows Squid to
       connect to an LDAP directory to authorize users via LDAP groups. Options
       are specified as parameters on the command line, while the usernames
       (e.g. user, user@REALM, NDOMAIN\user) to be checked against the LDAP
       directory are specified on subsequent lines of input to the helper, one
       username per line.

       ext_kerberos_ldap_group_acl will determine the ldap server name from
       DNS SRV and/or A records or a local hosts file (e.g. for the Kerberos
       Realm SUSE.HOME it will look for an SRV record _ldap._tcp.SUSE.HOME and
       an A record SUSE.HOME or a SUSE.HOME hosts entry). If no domain
       information is available from the username the LDAP server will be
       determined through the command line options.

       ext_kerberos_ldap_group_acl requires as a minimum the -g, -t or -T
       option, which provides the LDAP group name the user has to belong to.
       For Active Directory a recursive group lookup is implemented up to the
       max depth specified by -m depth. For other LDAP servers an RFC2307bis
       schema of groups is assumed.

       Different group names can be specified for different domains using a
       group@domain syntax. As expected by the external_acl_type construct of
       Squid, after specifying a username and group followed by a new line,
       this helper will produce either OK or ERR on the following line to show
       if the user is a member of the specified group.

OPTIONS
       -h          Display the binary help and command line syntax info using
                   stderr.

       -d	   Write debug messages to stderr.

       -i	   Write informational messages to stderr.

       -s	   Use SSL for the LDAP connection.

                   The CA certificate file can be set via the environment
                   variable TLS_CACERTFILE (default /etc/ssl/certs/cert.pem)
                   (OpenLDAP).

                   The SSL certificate database can be set via the environment
                   variable SSL_CERTDBPATH (default /etc/certs) (Sun and
                   Mozilla LDAP SDK).

       -a	   Allow SSL without certificate verification.

       -D Realm    Default Kerberos domain to use for usernames which do not
                   contain domain information (e.g. for users using basic
                   authentication).

       -N Netbios-Realm-List
                   A list of Netbios name mappings to Kerberos domain names of
                   the form Netbios-Name@Kerberos-Realm[:Netbios-Name@Kerberos-Realm]
                   (e.g. for users using NTLM authentication).

       -m Max-Depth
		   Maximal depth of recursive group search.

       -u Ldap-User
		   Username for LDAP server.

       -p Ldap-Password
                   Password for LDAP server.

                   As the password needs to be printed in plain text in your
                   Squid configuration it is strongly recommended to use an
                   account with minimal associated privileges. This limits
                   the damage in case someone could get hold of a copy of your
                   Squid configuration file or extracts the password used from
                   a process listing.

       -b Ldap-Bind-Path
		   LDAP server bind path.

       -l Ldap-URL LDAP server URL in form ldap[s]://server:port

       -S ldap server list
                   A list of ldap servers of the form
                   lserver|lserver@|lserver@Realm[:lserver@|lserver@Realm]

       -g Group-Realm-List
                   A list of group names per Kerberos domain of the form
                   Group|Group@|Group@Realm[:Group@|Group@Realm]

       -t Hex-Group-Realm-List
                   A list of group names per Kerberos domain of the form
                   Group|Group@|Group@Realm[:Group@|Group@Realm] where group
                   is in UTF-8 hex format

       -T Hex-Group-Hex-Realm-List
                   A list of group names per Kerberos domain of the form
                   Group|Group@|Group@Realm[:Group@|Group@Realm] where group
                   and domain are in UTF-8 hex format

CONFIGURATION
       This helper is intended to be used as an external_acl_type helper in
       squid.conf.

       external_acl_type kerberos_ldap_group1 ttl=3600 negative_ttl=3600 %LOGIN /path/to/ext_kerberos_ldap_group_acl -g GROUP1
       external_acl_type kerberos_ldap_group2 ttl=3600 negative_ttl=3600 %LOGIN /path/to/ext_kerberos_ldap_group_acl -g GROUP2
       acl group1 external kerberos_ldap_group1
       acl group2 external kerberos_ldap_group2

       NOTE: The following squid startup file modification may be required:
       Add the following lines to the squid startup script to point squid to a
       keytab file which contains the HTTP/fqdn service principal for the
       default Kerberos domain. The fqdn must be the proxy name set in IE or
       Firefox. You cannot use an IP address.

       KRB5_KTNAME=/etc/squid/HTTP.keytab
       export KRB5_KTNAME

       If you use a different Kerberos domain than the one the machine itself
       is in, you can point squid to the separate Kerberos config file by
       setting the following environment variable in the startup script.

       KRB5_CONFIG=/etc/krb5-squid.conf
       export KRB5_CONFIG

       ext_kerberos_ldap_group_acl will determine automagically the right ldap
       server. The following method is used:

       1) For user@REALM
          a) Query DNS for SRV record _ldap._tcp.REALM
          b) Query DNS for A record REALM
          c) Use LDAP_URL if given

       2) For user
          a) Use domain -D REALM and follow step 1)
          b) Use LDAP_URL if given

       The Groups to check against are determined as follows:

       1) For user@REALM
          a) Use values given by -g option which contain a @REALM e.g. -g
             GROUP1@REALM:GROUP2@REALM
          b) Use values given by -g option which contain a @ only e.g. -g
             GROUP1@:GROUP2@
          c) Use values given by -g option which do not contain a realm e.g.
             -g GROUP1:GROUP2

       2) For user
          a) Use values given by -g option which do not contain a realm e.g.
             -g GROUP1:GROUP2

       3) For NDOMAIN\user
          a) Use realm given by -N NDOMAIN@REALM and then use values given by
             -g option which contain a @REALM e.g. -g GROUP1@REALM:GROUP2@REALM

       To support non-ASCII characters use -t GROUP or -t GROUP@REALM instead
       of -g, where GROUP is the hex UTF-8 representation, e.g.

          -t 6d61726b7573 instead of -g markus

       The REALM must still be based on the ASCII character set. If REALM also
       contains non-ASCII characters use -T GROUP@REALM, where GROUP and
       REALM are the hex UTF-8 representation, e.g.

          -T 6d61726b7573@57494e3230303352322e484f4d45 instead of -g
          markus@WIN2003R2.HOME

       For a translation of hex UTF-8 see for example
       http://www.utf8-chartable.de/unicode-utf8-table.pl

       The ldap server list can be:

       server        - In this case server can be used for all Kerberos
                       domains
       server@       - In this case server can be used for all Kerberos
                       domains
       server@domain - In this case server can be used for Kerberos domain
                       domain
       server1a@domain1:server1b@domain1:server2@domain2:server3@:server4
                     - A list is built with a colon as separator
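       The following Python model is an added example, not part of this man
       page or of Squid's own helper code. It implements the colon-separated
       list syntax shared by -g, -N and -S, the group selection rules 1) to 3)
       above, the -t/-T hex UTF-8 encoding, and the one-line OK/ERR reply the
       helper gives Squid, using a constructed in-memory directory instead of
       a real LDAP server. Assumption: within rule 1) the first tier that
       yields a match (a, then b, then c) is used and later tiers are ignored.

```python
import sys

def parse_list(spec):
    """Split 'A|A@|A@REALM[:B@...]' (the -g, -N and -S list syntax) into
    (name, realm) pairs: realm is None for a bare name, '' for a trailing '@'."""
    pairs = []
    for item in spec.split(":"):
        if item:
            name, sep, realm = item.partition("@")
            pairs.append((name, realm if sep else None))
    return pairs

def candidate_groups(username, group_spec, default_realm=None, netbios=""):
    """Apply the man page's group selection rules 1-3 and return
    (user, realm, groups). Assumption: in rule 1 the first matching tier
    (GROUP@REALM, then GROUP@, then bare GROUP) wins."""
    groups = parse_list(group_spec)
    if "@" in username:                      # rule 1: user@REALM
        user, _, realm = username.partition("@")
        for want in (realm, "", None):
            hit = [g for g, r in groups if r == want]
            if hit:
                return user, realm, hit
        return user, realm, []
    if "\\" in username:                     # rule 3: NDOMAIN\user via -N mapping
        dom, _, user = username.partition("\\")
        realm = dict(parse_list(netbios)).get(dom)
        return user, realm, [g for g, r in groups if realm and r == realm]
    # rule 2: bare user, realm comes from -D, only realm-less groups apply
    return username, default_realm, [g for g, r in groups if r is None]

def hex_group(group, realm=None):
    """Encode a group (and optionally its realm) as hex UTF-8 for -t / -T."""
    enc = group.encode("utf-8").hex()
    return enc if realm is None else enc + "@" + realm.encode("utf-8").hex()

# Constructed stand-in for the LDAP directory: (group, realm) -> member users.
DIRECTORY = {("GROUP1", "SUSE.HOME"): {"markus"}, ("GROUP2", "SUSE.HOME"): {"anna"}}

def check(username, group_spec, default_realm=None, netbios=""):
    """One helper round trip: username line in, 'OK' or 'ERR' line out."""
    user, realm, groups = candidate_groups(username, group_spec, default_realm, netbios)
    member = any(user in DIRECTORY.get((g, realm), ()) for g in groups)
    return "OK" if member else "ERR"

if __name__ == "__main__":   # same line protocol Squid's external_acl_type uses
    for line in sys.stdin:
        print(check(line.strip(), "GROUP1@SUSE.HOME:GROUP2", "SUSE.HOME", "SUSE@SUSE.HOME"), flush=True)
```

       Run it with usernames on stdin to see which -g entries apply to
       user@REALM, bare user and NDOMAIN\user forms before wiring the real
       helper into squid.conf.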

AUTHOR
       This program was written by Markus Moeller
       <markus_moeller@compuserve.com>

       This manual was written by Markus Moeller
       <markus_moeller@compuserve.com>

COPYRIGHT
       This program and documentation is copyright to the authors named above.

       Distributed under the GNU General Public License (GNU GPL) version 2 or
       later (GPLv2+).

QUESTIONS
       Questions  on  the usage of this program can be sent to the Squid Users
       mailing list <squid-users@squid-cache.org>

REPORTING BUGS
       Bug reports need to be made in English. See
       http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what
       you need to include with your bug report.

       Report bugs or bug fixes using http://bugs.squid-cache.org/

       Report serious security bugs to Squid Bugs <squid-bugs@squid-cache.org>

       Report ideas for new improvements to the Squid Developers mailing  list
       <squid-dev@squid-cache.org>

SEE ALSO
       squid(8) negotiate_kerberos_auth(8)
       RFC1035 - Domain names - implementation and specification,
       RFC2782 - A DNS RR for specifying the location of services (DNS SRV),
       RFC2254 - The String Representation of LDAP Search Filters,
       RFC2307bis - An Approach for Using LDAP as a Network Information
       Service http://www.padl.com/~lukeh/rfc2307bis.txt,
       The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
       The Squid Configuration Manual http://www.squid-cache.org/Doc/config/
