
ext_kerberos_sid_group_acl - external ACL helper for Squid to verify AD Domain group membership using SIDs.


NAME

ext_kerberos_sid_group_acl - external ACL helper for Squid to verify AD Domain group membership using SIDs.

SYNOPSIS

ext_kerberos_sid_group_acl [-d] [-h] -p Principal Name -D Domain Controller -b Base DN -G Group1:Group2

DESCRIPTION

ext_kerberos_sid_group_acl is an installed executable script. It uses ldapsearch from OpenLDAP to look up the name of an AD group SID.

This helper must be used with the negotiate_kerberos_auth helper in a Microsoft AD or Samba environment.

It reads the domain username and a list of group SIDs from standard input and tries to match those group SIDs against the AD group SIDs.
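The matching step described above, as an added Python sketch (not the helper's own Perl code). It assumes each request line is "<user> <comma-separated base64 binary SIDs>" and that the configured groups' SIDs come from the "objectSid:: <base64>" lines that ldapsearch prints for binary attributes; all function names and sample values are hypothetical.

```python
import base64
import struct

def make_sid(*subs):
    """Build a binary SID S-1-5-<subs> (used only for the constructed samples)."""
    return bytes([1, len(subs)]) + (5).to_bytes(6, "big") + struct.pack(f"<{len(subs)}I", *subs)

def sid_to_string(raw):
    """Binary SID layout: revision, count, 48-bit BE authority, LE 32-bit sub-authorities."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    return "-".join(["S", str(raw[0]), str(int.from_bytes(raw[2:8], "big")), *map(str, subs)])

def decode_token(token):
    """Base64 token -> string SID; raises ValueError on bad base64 or a bad SID."""
    return sid_to_string(base64.b64decode(token, validate=True))

def sids_from_ldif(ldif):
    """Collect group SIDs from the 'objectSid:: <base64>' lines of ldapsearch output."""
    return {decode_token(l.split("::", 1)[1].strip())
            for l in ldif.splitlines() if l.lower().startswith("objectsid::")}

def check_request(line, allowed):
    """Request '<user> <sid>,<sid>,...' -> 'OK' if any SID is allowed, else 'ERR'."""
    fields = line.split()
    if len(fields) != 2:
        return "ERR"  # fail closed on a malformed request
    for token in fields[1].split(","):
        try:
            if decode_token(token) in allowed:
                return "OK"
        except ValueError:
            continue  # skip tokens that are not valid base64-encoded SIDs
    return "ERR"

def b64(raw):
    return base64.b64encode(raw).decode()

# Constructed sample data: one configured group SID and one unrelated group SID.
GROUP1 = make_sid(21, 1111111111, 2222222222, 3333333333, 1105)
OTHER = make_sid(21, 1111111111, 2222222222, 3333333333, 513)
LDIF = "dn: CN=Group1,CN=Users,DC=example,DC=com\nobjectSid:: " + b64(GROUP1) + "\n"
ALLOWED = sids_from_ldif(LDIF)

if __name__ == "__main__":
    print(check_request(f"alice@EXAMPLE.COM {b64(OTHER)},{b64(GROUP1)}", ALLOWED))
    print(check_request(f"bob@EXAMPLE.COM {b64(OTHER)}", ALLOWED))
```

Decoding both sides to the canonical S-1-... string before comparing means a malformed or empty token can never match, and a request with no usable SID is denied.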

OPTIONS

-d

Write debug info to stderr.

-h

Print the help.

-p principal name

Principal name in the Squid keytab to use for LDAP authentication to AD.

-D domain controller

Domain controller to contact to look up the group SID.

-b base DN

Base DN for the LDAP search.

-G AD group name

AD group name to be used for the SID lookup. Multiple names are separated by a colon (:).

CONFIGURATION

auth_param negotiate program /path/to/negotiate_wrapper_auth -d \
--ntlm /path/to/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain example.com \
--kerberos /path/to/negotiate_kerberos_auth -d -s GSS_C_NO_NAME -k /path/to/squid.keytab -t none
external_acl_type sid_check %LOGIN %note{group} /path/to/kerberos_sid_group_acl -p principal -D dc1.example.com -b "DC=example,DC=com" -G Group1:Group2
acl squid_allow external sid_check
acl allowed_group external sid_check
http_access allow allowed_group

If the local Perl interpreter is in an unusual location, its path may need to be added before the script path:

external_acl_type sid_check %LOGIN %note{group} /path/to/perl /path/to/kerberos_sid_group_acl -p principal -D dc1.example.com -b "DC=example,DC=com" -G Group1:Group2

AUTHOR

This program was written by Markus Moeller <[email protected]>

This manual was written by Markus Moeller <[email protected]>

COPYRIGHT

Copyright (C) 1996-2026 The Squid Software Foundation and contributors

Squid software is distributed under GPLv2+ license and includes
contributions from numerous individuals and organizations.
Please see the COPYING and CONTRIBUTORS files for details.

This program is put in the public domain by Markus Moeller
<[email protected]>. It is distributed in the hope that it will
be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

QUESTIONS

Questions on the usage of this program can be sent to the Squid Users mailing list <squid−[email protected]−cache.org>

REPORTING BUGS

Bug reports need to be made in English. See https://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.

Report bugs or bug fixes using https://bugs.squid-cache.org/

Report serious security bugs to Squid Bugs <squid−[email protected]−cache.org>

Report ideas for new improvements to the Squid Developers mailing list <squid−[email protected]−cache.org>

SEE ALSO

negotiate_kerberos_auth(8)

The Squid FAQ wiki https://wiki.squid-cache.org/SquidFaq

The Squid Configuration Manual http://www.squid-cache.org/Doc/config/


Updated 2026-06-01 - jenkler.se | uex.se