EXT_KERBEROS_SID_GROUP_ACL(8) User Contributed Perl Documentation EXT_KERBEROS_SID_GROUP_ACL(8)

ext_kerberos_sid_group_acl - external ACL helper for Squid to verify AD domain group membership using group SIDs.

ext_kerberos_sid_group_acl [-d] [-h] -p Principal Name -D Domain Controller -b Base DN -G Group1:Group2

ext_kerberos_sid_group_acl is an installed executable script. It uses ldapsearch from OpenLDAP to look up the SID of each AD group named with -G, so that group names in squid.conf can be compared against the SIDs a client actually holds.

This helper must be used together with the negotiate_kerberos_auth helper in a Microsoft AD or Samba environment: negotiate_kerberos_auth extracts the user's group SIDs from the PAC of the Kerberos ticket and returns them in its group note, which %note{group} in the external_acl_type line passes on to this helper.

It reads from standard input the domain username followed by that user's list of group SIDs, matches them against the SIDs of the configured AD groups, and answers OK if any SID matches and ERR otherwise.

-d
    Write debug info to stderr.
-h
    Print the help.
-p Principal Name
    Principal name in the Squid keytab to use for LDAP authentication to AD.
-D Domain Controller
    Domain controller to contact to look up the group SIDs.
-b Base DN
    Base DN for the LDAP search.
-G Group1:Group2
    AD group names whose SIDs are looked up. List separated by a colon (:).

auth_param negotiate program /path/to/negotiate_wrapper_auth -d \
     --ntlm /path/to/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain example.com \
     --kerberos /path/to/negotiate_kerberos_auth -d -s GSS_C_NO_NAME -k /path/to/squid.keytab -t none
external_acl_type sid_check %LOGIN %note{group} /path/to/ext_kerberos_sid_group_acl -p principal -D dc1.example.com -b "DC=example,DC=com" -G Group1:Group2
acl allowed_group external sid_check
http_access allow allowed_group

If the local Perl interpreter is in an unusual location, it may need to be given explicitly:

external_acl_type sid_check %LOGIN %note{group} /path/to/perl /path/to/ext_kerberos_sid_group_acl -p principal -D dc1.example.com -b "DC=example,DC=com" -G Group1:Group2
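The request/answer exchange and the name-to-SID lookup described above, as an added example that is neither Squid's code nor the Perl helper itself: a Python stand-in that parses the -G list, decodes the binary objectSid ldapsearch returns (base64 in LDIF) into the textual S-1-5-... form, and answers OK/ERR per stdin line. The in-memory directory replaces the live ldapsearch round trip, the LDIF it holds is constructed, and the assumption that each request line is "<user> <sid> <sid> ..." separated by whitespace is the author's, not something the man page states.

```python
#!/usr/bin/env python3
# Added example in the spirit of ext_kerberos_sid_group_acl; not Squid's code.
# The AD directory is a constructed in-memory table standing in for
# ldapsearch, and the stdin line shape "<user> <sid> <sid> ..." is assumed.
import base64
import struct
import sys


def sid_to_string(blob: bytes) -> str:
    """Convert a binary objectSid to its textual S-R-I-S... form.

    Layout: revision (1 byte), sub-authority count (1 byte), 48-bit
    big-endian identifier authority, then `count` little-endian uint32s.
    """
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def objectsid_from_ldif(ldif: str):
    """Pull objectSid out of ldapsearch LDIF output.

    ldapsearch prints binary attributes base64-encoded after a double colon
    ("objectSid:: AQUAAA..."); a 28-byte SID is short enough not to be wrapped.
    """
    for line in ldif.splitlines():
        if line.startswith("objectSid:: "):
            return sid_to_string(base64.b64decode(line.split("::", 1)[1].strip()))
    return None


def parse_group_arg(group_arg: str) -> list:
    """-G takes a colon-separated list of AD group names."""
    return [g for g in group_arg.split(":") if g]


def lookup_group_sids(group_names, directory) -> set:
    """Map group names to SIDs.

    `directory` maps a group cn to the LDIF a query such as
    (&(objectClass=group)(cn=<name>)) requesting objectSid would return.
    Unknown groups are reported on stderr and skipped, so a typo in -G
    cannot silently grant access.
    """
    sids = set()
    for name in group_names:
        sid = objectsid_from_ldif(directory.get(name, ""))
        if sid is None:
            print("ext acl: group %r not found in AD" % name, file=sys.stderr)
            continue
        sids.add(sid.upper())
    return sids


def decide(request_line: str, allowed_sids: set) -> str:
    """One external ACL request in, one OK/ERR/BH answer out."""
    fields = request_line.strip().split()
    if not fields:
        return "BH message=empty_request"
    user_sids = fields[1:]          # fields[0] is the %LOGIN value
    if any(s.upper() in allowed_sids for s in user_sids):
        return "OK"
    return "ERR"


def _sid_blob(authority, *subs) -> bytes:
    """Build a binary SID for the constructed sample data below."""
    return bytes([1, len(subs)]) + authority.to_bytes(6, "big") + \
        struct.pack("<%dI" % len(subs), *subs)


# Constructed sample data: two groups in a fictitious example.com domain.
SAMPLE_SID_BLOB = _sid_blob(5, 21, 1000, 2000, 3000, 1108)
SAMPLE_DIRECTORY = {
    "Group1": "dn: CN=Group1,OU=Groups,DC=example,DC=com\nobjectSid:: %s\n"
              % base64.b64encode(SAMPLE_SID_BLOB).decode(),
    "Group2": "dn: CN=Group2,OU=Groups,DC=example,DC=com\nobjectSid:: %s\n"
              % base64.b64encode(_sid_blob(5, 21, 1000, 2000, 3000, 1109)).decode(),
}


def main(argv):
    # Only -G is honoured here; -p/-D/-b are meaningless without a live DC.
    try:
        group_arg = argv[argv.index("-G") + 1]
    except (ValueError, IndexError):
        sys.exit("usage: helper.py -G Group1:Group2")
    allowed = lookup_group_sids(parse_group_arg(group_arg), SAMPLE_DIRECTORY)
    for line in sys.stdin:
        # Squid blocks on each answer, so flush rather than rely on buffering.
        print(decide(line, allowed), flush=True)


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it as `python3 helper.py -G Group1:Group2` and type a line such as `alice@EXAMPLE.COM S-1-5-21-1000-2000-3000-513 S-1-5-21-1000-2000-3000-1108` to see OK, or a line carrying only SIDs outside the configured groups to see ERR. The decision rests entirely on the SIDs Squid supplies, which is why the helper is only meaningful behind negotiate_kerberos_auth, where those SIDs come from a PAC the KDC signed rather than from anything the client typed.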

This program was written by Markus Moeller <markus_moeller@compuserve.com>

This manual was written by Markus Moeller <markus_moeller@compuserve.com>

* Copyright (C) 1996-2023 The Squid Software Foundation and contributors
*
* Squid software is distributed under GPLv2+ license and includes
* contributions from numerous individuals and organizations.
* Please see the COPYING and CONTRIBUTORS files for details.
This program is put in the public domain by Markus Moeller
<markus_moeller@compuserve.com>. It is distributed in the hope that it will
be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Questions on the usage of this program can be sent to the Squid Users mailing list <squid-users@lists.squid-cache.org>

Bug reports need to be made in English. See https://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.

Report bugs or bug fixes using https://bugs.squid-cache.org/

Report serious security bugs to Squid Bugs <squid-bugs@lists.squid-cache.org>

Report ideas for new improvements to the Squid Developers mailing list <squid-dev@lists.squid-cache.org>

negotiate_kerberos_auth(8)

The Squid FAQ wiki https://wiki.squid-cache.org/SquidFaq

The Squid Configuration Manual http://www.squid-cache.org/Doc/config/

2024-04-09 perl v5.38.2