Go to main content

man pages section 8: System Administration Commands

Exit Print View

Updated: Wednesday, February 9, 2022

ext_ldap_group_acl (8)


ext_ldap_group_acl - Squid LDAP external acl group helper Version 2.18


ext_ldap_group_acl -b base-DN -f filter [ options ] [ server [ ':' port
] | URI ] ...


ext_ldap_group_acl(8)       System Manager's Manual      ext_ldap_group_acl(8)

       ext_ldap_group_acl - Squid LDAP external acl group helper

       Version 2.18

       ext_ldap_group_acl -b base-DN -f filter [ options ] [ server [ ':' port
       ] | URI ] ...

       ext_ldap_group_acl allows Squid to  connect  to  a  LDAP  directory  to
       authorize users via LDAP groups.  LDAP options are specified as parame-
       ters on the command line, while the  username(s)  and  group(s)  to  be
       checked against the LDAP directory are specified on subsequent lines of
       input to the helper, one username/group pair per line  separated  by  a

       As expected by the external_acl_type construct of Squid, after specify-
       ing a username and group followed by a new line, this helper will  pro-
       duce  either  OK  or ERR on the following line to show if the user is a
       member of the specified group.

       The program operates by searching with a search  filter  based  on  the
       users  user  name  and  requested  group, and if a match is found it is
       determined that the user belongs to the group.

       -a never|always|search|find
                   When to dereference aliases. Defaults to 'never'

                   never dereference  aliases  (default),  always  dereference
                   aliases,  only  during  a  search  or only to find the base

       -b basedn   REQUIRED.  Specifies the base DN under which the groups are

       -B basedn   Specifies the base DN under which the users are located (if

       -c connect_timeout
                   Specify  timeout  used  when  connecting  to  LDAP  servers
                   (requires Netscape LDAP API libraries)

       -d          Debug  mode  where  each  step  taken  will get reported in
                   detail.  Useful for understanding what goes  wrong  if  the
                   result is not what was expected.

       -D binddn -w password
                   The  DN  and password to bind as while performing searches.
                   Required if the LDAP directory  does  not  allow  anonymous

                   As  the  password needs to be printed in plain text in your
                   Squid configuration and will be sent on the command line to
                   the helper it is strongly recommended to use a account with
                   minimal associated privileges.  This to limit the damage in
                   case someone could get hold of a copy of your Squid config-
                   uration file or extracts the password used from  a  process

       -D binddn -W secretfile
                   The  DN  and  the name of a file containing the password to
                   bind as while performing searches.

                   Less insecure version of the former parameter pair with two
                   advantages:  The  password  does  not  occur in the process
                   listing, and the password is not being compromised if some-
                   one  gets  the squid configuration file without getting the

       -E certpath Enable LDAP over SSL (requires Netscape LDAP API libraries)

       -f filter   LDAP search filter used to search the  LDAP  directory  for
                   any  matching group memberships.   In the filter %u will be
                   replaced by the user name (or DN if the -F  or  -u  options
                   are used) and %g by the requested group name.

       -F filter   LDAP  search  filter  used to search the LDAP directory for
                   any matching users.   In the filter %s will be replaced  by
                   the user name. If % is to be included literally in the fil-
                   ter then use %%

       -g          Specifies that the first query argument sent to the  helper
                   by Squid is a extension to the basedn and will be temporar-
                   ily added in front of the global basedn for this query.

       -h ldapserver
                   Specify the LDAP server to connect to

       -H ldapuri  Specify the LDAP  server  to  connect  to  by  a  LDAP  URI
                   (requires OpenLDAP libraries)

       -K          Strip  Kerberos  Realm  component  from user names (@ sepa-

       -p ldapport Specify an alternate TCP port where the LDAP server is lis-
                   tening if other than the default LDAP port 389.

       -P          Use a persistent LDAP connection. Normally the LDAP connec-
                   tion is only open while verifying a users group  membership
                   to  preserve  resources  at  the  LDAP  server. This option
                   causes the LDAP connection to be kept open, allowing it  to
                   be  reused  for  further  user validations. Recommended for
                   larger installations.

       -R          Do not follow referrals

       -s base|one|sub
                   search scope. Defaults to sub

                   base object only,

                   one level below the base object or

                   subtree below the base object

       -S          Strip NT domain name component from user names (/ or \ sep-

       -t search_timeout
                   Specify time limit on LDAP search operations

       -u attr     LDAP  attribute used to construct the user DN from the user
                   name and base dn without needing to search for the user.  A
                   maximum of 16 occurrences of %s are supported.

       -v 2|3      LDAP protocol version. Defaults to 3 if not specified.

       -Z          Use TLS encryption

       This  helper  is  intended to be used as an external_acl_type helper in
       squid.conf .
              external_acl_type ldap_group %LOGIN  /path/to/ext_ldap_group_acl
              acl group1 external ldap_group Group1
              acl group2 external ldap_group Group2

       NOTE:  When constructing search filters it is recommended to first test
       the filter using ldapsearch to verify that the filter matches what  you
       expect before you attempt to use ext_ldap_group_acl

       This  program  was  written  by Flavio Pescuma <flavio@marasystems.com>
       Henrik Nordstrom <hno@squid-cache.org>

       Based on prior  work  in  squid_ldap_auth  by  Glen  Newton  <glen.new-

       This manual was written by Henrik Nordstrom <hno@marasystems.com>

        *  Copyright (C) 1996-2021 The Squid Software Foundation and contribu-
        * Squid software is distributed under GPLv2+ license and includes
        * contributions from numerous individuals and organizations.
        * Please see the COPYING and CONTRIBUTORS files for details.

       This program and documentation is copyright to the authors named above.

       Distributed under the GNU General Public License (GNU GPL) version 2 or
       later (GPLv2+).

       Questions  on  the usage of this program can be sent to the Squid Users
       mailing list <squid-users@lists.squid-cache.org>

       Or contact your favorite LDAP  list/friend  if  the  question  is  more
       related to LDAP than Squid.

       Bug  reports  need  to  be  made  in  English.   See http://wiki.squid-
       cache.org/SquidFaq/BugReporting for details of what you need to include
       with your bug report.

       Report bugs or bug fixes using http://bugs.squid-cache.org/

       Report  serious  security  bugs  to Squid Bugs <squid-bugs@lists.squid-

       Report ideas for new improvements to the Squid Developers mailing  list

       See attributes(7) for descriptions of the following attributes:

       |Availability   | web/proxy/squid  |
       |Stability      | Uncommitted      |

       squid(8), basic_ldap_auth(8), ldapsearch(1), GPL(7),
       Your favorite LDAP documentation
       RFC2254 - The String Representation of LDAP Search Filters,
       The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
       The Squid Configuration Manual http://www.squid-cache.org/Doc/config/

       Source  code  for open source software components in Oracle Solaris can
       be found at https://www.oracle.com/downloads/opensource/solaris-source-

       This     software     was    built    from    source    available    at
       https://github.com/oracle/solaris-userland.   The  original   community
       source    was    downloaded    from     http://www.squid-cache.org/Ver-

       Further information about this software can be found on the open source
       community website at http://www.squid-cache.org/.

                                30 January 2005          ext_ldap_group_acl(8)