.\" -*- mode: troff; coding: utf-8 -*-
.\" Automatically generated by Pod::Man 5.01 (Pod::Simple 3.43)
.\"
.\" Standard preamble:
.\" ========================================================================
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
..
.de Vb \" Begin verbatim text
.ft CW
.nf
.ne \\$1
..
.de Ve \" End verbatim text
.ft R
.fi
..
.\" \*(C` and \*(C' are quotes in nroff, nothing in troff, for use with C<>.
.ie n \{\
.    ds C` ""
.    ds C' ""
'br\}
.el\{\
.    ds C`
.    ds C'
'br\}
.\"
.\" Escape single quotes in literal strings from groff's Unicode transform.
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\"
.\" If the F register is >0, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD.  Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.\"
.\" Avoid warning from groff about undefined register 'F'.
.de IX
..
.nr rF 0
.if \n(.g .if rF .nr rF 1
.if (\n(rF:(\n(.g==0)) \{\
.    if \nF \{\
.        de IX
.        tm Index:\\$1\t\\n%\t"\\$2"
..
.        if !\nF==2 \{\
.            nr % 0
.            nr F 2
.        \}
.    \}
.\}
.rr rF
.\" ========================================================================
.\"
.IX Title "EXT_KERBEROS_SID_GROUP_ACL 8"
.TH EXT_KERBEROS_SID_GROUP_ACL 8 2024-04-09 "perl v5.38.2" "User Contributed Perl Documentation"
.\" For nroff, turn off justification.  Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.nh
.SH NAME
.Vb 1
\& ext_kerberos_sid_group_acl \- external ACL helper for Squid to verify AD domain group membership using SIDs.
.Ve
.SH SYNOPSIS
.IX Header "SYNOPSIS"
.Vb 1
\& ext_kerberos_sid_group_acl [\-d] [\-h] \-p Principal Name \-D Domain Controller \-b Base DN \-G Group1:Group2
.Ve
.SH DESCRIPTION
.IX Header "DESCRIPTION"
\&\fBext_kerberos_sid_group_acl\fR is an installed executable script.
It uses \fBldapsearch\fR from OpenLDAP to look up the SID of an AD group by its name.
.PP
This helper must be used together with the negotiate_kerberos_auth helper in a Microsoft AD or Samba environment.
.PP
It reads from standard input the domain username and a list of group SIDs, and tries to match those SIDs against the SIDs of the AD groups named with \fB\-G\fR.
.SH OPTIONS
.IX Header "OPTIONS"
.IP \fB\-d\fR 12
.IX Item "-d"
Write debug info to stderr.
.IP \fB\-h\fR 12
.IX Item "-h"
Print the help.
.IP "\fB\-p principal name\fR" 12
.IX Item "-p principal name"
Principal name in the Squid keytab to use for LDAP authentication to AD.
.IP "\fB\-D domain controller\fR" 12
.IX Item "-D domain controller"
Domain controller to contact for the group SID lookup.
.IP "\fB\-b base DN\fR" 12
.IX Item "-b base DN"
Base DN for the LDAP search.
.IP "\fB\-G AD group name\fR" 12
.IX Item "-G AD group name"
AD group name(s) to be used for the SID lookup. Multiple names are separated by a colon (:).
.SH CONFIGURATION
.IX Header "CONFIGURATION"
.Vb 7
\& auth_param negotiate program /path/to/negotiate_wrapper_auth \-d \e
\& \-\-ntlm /path/to/ntlm_auth \-\-helper\-protocol=squid\-2.5\-ntlmssp \-\-domain example.com \e
\& \-\-kerberos /path/to/negotiate_kerberos_auth \-d \-s GSS_C_NO_NAME \-k /path/to/squid.keytab \-t none
\& external_acl_type sid_check %LOGIN %note{group} /path/to/kerberos_sid_group_acl \-p principal \-D dc1.example.com \-b "DC=example,DC=com" \-G Group1:Group2
\& acl squid_allow external sid_check
\& acl allowed_group external sid_check
\& http_access allow allowed_group
.Ve
.PP
If the local perl interpreter is in an unusual location, it may need to be given explicitly:
.PP
.Vb 1
\& external_acl_type sid_check %LOGIN %note{group} /path/to/perl /path/to/kerberos_sid_group_acl \-p principal \-D dc1.example.com \-b "DC=example,DC=com" \-G Group1:Group2
.Ve
.SH AUTHOR
.IX Header "AUTHOR"
This program was written by Markus Moeller
.PP
This manual was written by Markus Moeller
.SH COPYRIGHT
.IX Header "COPYRIGHT"
.Vb 5
\& * Copyright (C) 1996\-2023 The Squid Software Foundation and contributors
\& *
\& * Squid software is distributed under GPLv2+ license and includes
\& * contributions from numerous individuals and organizations.
\& * Please see the COPYING and CONTRIBUTORS files for details.
\&
\& This program is put in the public domain by Markus Moeller
\& . It is distributed in the hope that it will
\& be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
\& of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
.Ve
.SH QUESTIONS
.IX Header "QUESTIONS"
Questions on the usage of this program can be sent to the \fISquid Users mailing list\fR.
.SH "REPORTING BUGS"
.IX Header "REPORTING BUGS"
Bug reports need to be made in English.
See https://wiki.squid\-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
.PP
Report bugs or bug fixes using https://bugs.squid\-cache.org/
.PP
Report serious security bugs to \fISquid Bugs\fR.
.PP
Report ideas for new improvements to the \fISquid Developers mailing list\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fBnegotiate_kerberos_auth\fR\|(8)
.PP
The Squid FAQ wiki https://wiki.squid\-cache.org/SquidFaq
.PP
The Squid Configuration Manual http://www.squid\-cache.org/Doc/config/
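The following Python model of the helper's decision logic is an added example; it is not the Perl script this manual documents. It replaces the ldapsearch query with a constructed in-memory table (SAMPLE_DIRECTORY) standing in for the objectSid values a domain controller would return for the groups named with -G, and it assumes that the group note carries the PAC SIDs separated by whitespace or commas. The objectSid decoding, the colon-separated -G handling and the one-line OK/ERR reply per request follow the Squid external ACL helper protocol described above; make_sid_bytes exists only to construct sample data.

```python
"""Model of ext_kerberos_sid_group_acl's decision (added example, not the original script).

Squid writes one request per line built from the external_acl_type format
('%LOGIN %note{group}' in the CONFIGURATION section) and expects 'OK' or
'ERR' back on stdout.  The directory lookup is replaced by a constructed
table standing in for the objectSid values ldapsearch would return.
"""
import struct
import sys
from typing import Dict, List, Tuple
from urllib.parse import unquote


def sid_bytes_to_string(raw: bytes) -> str:
    """Convert a binary objectSid attribute into the textual S-1-... form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then count sub-authorities of 4 bytes
    each, little-endian.  ldapsearch prints the attribute base64-encoded;
    the caller is expected to have decoded it before calling this.
    """
    if len(raw) < 8:
        raise ValueError("objectSid too short")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("objectSid length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % sub_count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def make_sid_bytes(authority: int, *subs: int) -> bytes:
    """Build a binary objectSid; used only to construct sample directory data."""
    return (bytes([1, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


# Constructed stand-in for the objectSid values an ldapsearch against the
# domain controller would return for each group name (hypothetical domain).
SAMPLE_DIRECTORY: Dict[str, bytes] = {
    "Group1": make_sid_bytes(5, 21, 1, 2, 3, 1108),
    "Group2": make_sid_bytes(5, 21, 1, 2, 3, 1109),
    "Finance": make_sid_bytes(5, 21, 1, 2, 3, 2001),
}


def resolve_group_sids(group_arg: str, directory: Dict[str, bytes]) -> Dict[str, str]:
    """Map each colon-separated -G group name to its string SID.

    Groups that do not resolve are reported on stderr and skipped, so a
    typo in -G narrows the allowed set rather than widening it.
    """
    resolved: Dict[str, str] = {}
    for name in group_arg.split(":"):
        raw = directory.get(name)
        if raw is None:
            print("warning: group %r not found in directory" % name, file=sys.stderr)
            continue
        resolved[sid_bytes_to_string(raw)] = name
    return resolved


def parse_request(line: str) -> Tuple[str, List[str]]:
    """Split one '%LOGIN %note{group}' request line into (user, [sids]).

    Squid percent-encodes each field.  Assumption: the group note carries
    the PAC SIDs separated by whitespace or commas; any token not shaped
    like a SID is ignored.
    """
    fields = [unquote(f) for f in line.strip().split()]
    if not fields:
        return "", []
    user = fields[0]
    tokens = [t for f in fields[1:] for t in f.replace(",", " ").split()]
    sids = [t for t in tokens if t.upper().startswith("S-")]
    return user, sids


def decide(line: str, allowed: Dict[str, str]) -> str:
    """Return the helper's reply for one request line: 'OK' if any SID the
    user carries is one of the configured groups' SIDs, otherwise 'ERR'."""
    user, sids = parse_request(line)
    if not user:
        return "ERR"
    for sid in sids:
        if sid.upper() in allowed:
            return "OK"
    return "ERR"


def main() -> None:
    # First argument plays the role of the -G list; defaults mirror the manual.
    group_arg = sys.argv[1] if len(sys.argv) > 1 else "Group1:Group2"
    allowed = resolve_group_sids(group_arg, SAMPLE_DIRECTORY)
    for line in sys.stdin:
        # Squid waits for a full line per request, so flush every reply.
        print(decide(line, allowed), flush=True)


if __name__ == "__main__":
    main()
```

Run it as `echo 'user1 S-1-5-21-1-2-3-1108' | python3 sid_model.py Group1:Group2` to see a single `OK`; a user whose SIDs match none of the resolved groups gets `ERR`, as does an empty or user-only request. The explicit `flush=True` matters for any real external ACL helper: with stdout block-buffered, Squid never sees the reply and the request hangs until the helper times out.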