EXT_KERBEROS_SID_GROUP_ACL(8)    User Contributed Perl Documentation

NAME
    ext_kerberos_sid_group_acl - external ACL helper for Squid to verify
    AD Domain group membership using SID.

SYNOPSIS
    ext_kerberos_sid_group_acl [-d] [-h] -p Principal Name -D Domain Controller -b Base DN -G Group1:Group2

DESCRIPTION
    ext_kerberos_sid_group_acl is an installed executable script. It uses
    ldapsearch from OpenLDAP to look up the name of an AD group SID.

    This helper must be used with the negotiate_kerberos_auth helper in a
    Microsoft AD or Samba environment.

    It reads the domain username and a list of group SIDs from standard
    input and tries to match the group SIDs to the AD group SIDs.

OPTIONS
    -d  Write debug info to stderr.

    -h  Print the help.

    -p principal name
        Principal name in the Squid keytab to use for LDAP authentication
        to AD.

    -D domain controller
        Domain controller to contact to look up the group SID.

    -b base DN
        Base DN for the LDAP search.

    -G AD group name
        AD group name to be used for SID lookup. List separated by a
        colon (:).

CONFIGURATION
    auth_param negotiate program /path/to/negotiate_wrapper_auth -d \
      --ntlm /path/to/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain example.com \
      --kerberos /path/to/negotiate_kerberos_auth -d -s GSS_C_NO_NAME -k /path/to/squid.keytab -t none
    external_acl_type sid_check %LOGIN %note{group} /path/to/kerberos_sid_group_acl -p principal -D dc1.example.com -b "DC=example,DC=com" -G Group1:Group2
    acl squid_allow external sid_check
    acl allowed_group external sid_check
    http_access allow allowed_group

    If the local perl interpreter is in an unusual location it may need to
    be added:

    external_acl_type sid_check %LOGIN %note{group} /path/to/perl /path/to/kerberos_sid_group_acl -p principal -D dc1.example.com -b "DC=example,DC=com" -G Group1:Group2

AUTHOR
    This program was written by Markus Moeller

    This manual was written by Markus Moeller

COPYRIGHT
     * Copyright (C) 1996-2023 The Squid Software Foundation and contributors
     *
     * Squid software is distributed under GPLv2+ license and includes
     * contributions from numerous individuals and organizations.
     * Please see the COPYING and CONTRIBUTORS files for details.

    This program is put in the public domain by Markus Moeller.

    It is distributed in the hope that it will be useful, but WITHOUT ANY
    WARRANTY; without even the implied warranty of MERCHANTABILITY or
    FITNESS FOR A PARTICULAR PURPOSE.

QUESTIONS
    Questions on the usage of this program can be sent to the Squid Users
    mailing list

REPORTING BUGS
    Bug reports need to be made in English. See
    https://wiki.squid-cache.org/SquidFaq/BugReporting for details of what
    you need to include with your bug report.

    Report bugs or bug fixes using https://bugs.squid-cache.org/

    Report serious security bugs to Squid Bugs

    Report ideas for new improvements to the Squid Developers mailing list

SEE ALSO
    negotiate_kerberos_auth(8)

    The Squid FAQ wiki https://wiki.squid-cache.org/SquidFaq

    The Squid Configuration Manual http://www.squid-cache.org/Doc/config/

perl v5.38.2                      2024-04-09      EXT_KERBEROS_SID_GROUP_ACL(8)
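
The SID matching outlined under DESCRIPTION can be checked by hand when an allow rule does not fire. The Python sketch below is an added example, not the helper's own Perl code: it decodes the base64 objectSid values that ldapsearch prints and compares them with the SIDs presented for a user. The function names are hypothetical, the LDIF is constructed sample data, and it assumes the user's group SIDs are available in S-1-... string form.

```python
import base64
import struct

def sid_from_bytes(raw: bytes) -> str:
    """Render a binary Windows SID in its S-R-A-S1-S2... string form."""
    if len(raw) < 8:
        raise ValueError("SID shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")      # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])    # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def group_sids_from_ldif(ldif: str) -> dict:
    """Map group DN -> SID string from unwrapped ldapsearch LDIF text."""
    sids, dn = {}, None
    for line in ldif.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("objectSid:: ") and dn:
            # "::" marks a base64-encoded (binary) attribute value.
            value = line[len("objectSid:: "):].strip()
            sids[dn] = sid_from_bytes(base64.b64decode(value, validate=True))
    return sids

def is_member(user_sids, allowed: dict) -> bool:
    """True when any SID presented for the user equals an allowed group SID."""
    return bool(set(user_sids) & set(allowed.values()))

def _ldif_entry(cn: str, sid_hex: str) -> str:
    b64 = base64.b64encode(bytes.fromhex(sid_hex)).decode()
    return "dn: CN=%s,CN=Users,DC=example,DC=com\nobjectSid:: %s\n\n" % (cn, b64)

# Constructed sample (not real directory data):
# S-1-5-21-1-2-3-1104 and S-1-5-21-1-2-3-1105.
_PREFIX = "0105000000000005" "15000000" "01000000" "02000000" "03000000"
SAMPLE_LDIF = (_ldif_entry("Group1", _PREFIX + "50040000")
               + _ldif_entry("Group2", _PREFIX + "51040000"))

if __name__ == "__main__":
    allowed = group_sids_from_ldif(SAMPLE_LDIF)
    print(allowed)
    print(is_member(["S-1-5-21-1-2-3-513", "S-1-5-21-1-2-3-1105"], allowed))
```

The length check rejects truncated or padded values, so a malformed objectSid raises an error and can never match a user's SID.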