ext_ad_group_acl.exe(8)ext_ad_group_acl.exe(8)NAME
ext_ad_group_acl.exe - Squid external ACL helper to check Windows users
group membership.
Version 2.0
SYNOPSIS
ext_ad_group_acl.exe [-D domain ] [-cdGh]
DESCRIPTION
ext_ad_group_acl.exe is an installed binary in Squid for Windows
builds.
This helper must be used in with an authentication scheme (typically
Basic, NTLM or Negotiate) based on Windows Active Directory domain
users.
It reads from the standard input the domain username and a list of
groups and tries to match each against the groups membership of the
specified username.
Two running mode are available:
- Local mode:
membership is checked against machine's local groups, can‐
not be used when running on a Domain Controller.
- Active Directory Global mode:
membership is checked against the whole Active Directory
Forest of the machine where Squid is running.
The minimal Windows version needed to run ext_ad_group_acl.exe is a
Windows 2000 SP4 member of an Active Directory Domain.
When running in Active Directory Global mode, all types of Active
Directory security groups are supported: Domain Global , Domain Local
from user's domain, Universal and Active Directory group nesting is
fully supported.
OPTIONS-c Use case insensitive compare (local mode only).
-d Write debug info to stderr.
-D domain Specify the default user's domain
-G Start helper in Active Directory Global mode.
-h Display the binary help and command line syntax info using
stderr.
CONFIGURATION
When running in Active Directory Global mode, the AD Group can be spec‐
ified using the following syntax:
1. Plain NT4 Group Name
2. Full NT4 Group Name
3. Active Directory Canonical name
As Exampled:
1. Proxy-Users
2. MYDOMAINProxy-Users
3. mydomain.local/Groups/Proxy-Users
When using Plain NT4 Group Name, the Group is searched in the user's
domain.
external_acl_type AD_global_group %LOGIN
c:/squid/libexec/ext_ad_group_acl.exe -G
external_acl_type NT_local_group %LOGIN
c:/squid/libexec/ext_ad_group_acl.exe
acl GProxyUsers external AD_global_group MYDOMAINGProxyUsers
acl LProxyUsers external NT_local_group LProxyUsers
acl password proxy_auth REQUIRED
http_access allow password GProxyUsers
http_access allow password LProxyUsers
http_access deny all
In the previous example all validated AD users member of MYDOMAINGProx‐
yUsers domain group or member of LProxyUsers machine local group are
allowed to use the cache.
Groups with spaces in name, for example Domain Users , must be quoted
and the acl data ( Domain Users ) must be placed into a separate file
included by specifying /path/to/file . The previous example will be:
acl ProxyUsers external NT_global_group
and the DomainUsers files will contain only the following line:
"Domain Users"
NOTE 1: When running in Active Directory Global mode, for better per‐
formance, all Domain Controllers of the Active Directory forest should
be configured as Global Catalog.
NOTE 2: When running in local mode, the standard group name comparison
is case sensitive, so group name must be specified with same case as in
the local SAM database. It is possible to enable case insensitive
group name comparison ( -c ), but on some non-English locales, the
results can be unexpected.
NOTE 3: Native WIN32 NTLM and Basic helpers must be used without the -A
and -D switches.
Refer to Squid documentation for more details on squid.conf
TESTING
I strongly recommend that ext_ad_group_acl.exe is tested prior to being
used in a production environment. It may behave differently on differ‐
ent platforms.
To test it, run it from the command line. Enter username and group
pairs separated by a space (username must entered with URL-encoded
domain%5Cusername syntax). Press ENTER to get an OK or ERR message.
Make sure pressing CTRL+D behaves the same as a carriage return.
Make sure pressing CTRL+C aborts the program.
Test that entering no details does not result in an OK or ERR message.
Make sure pressing CTRL+D behaves the same as a carriage return.
Make sure pressing CTRL+C aborts the program.
Test that entering no details does not result in an OK or ERR message.
Test that entering an invalid username and group results in an ERR mes‐
sage.
Test that entering an valid username and group results in an OK mes‐
sage.
AUTHOR
This program was written by Guido Serassio <guido.serassio@acmeconsult‐
ing.it>
Based on prior work in mswin_check_lm_group (ext_lm_group_acl)
This manual was written by Guido Serassio <guido.serassio@acmeconsult‐
ing.it> Amos Jeffries <amosjeffries@squid-cache.org>
COPYRIGHT
This program and documentation is copyright to the authors named above.
Distributed under the GNU General Public License (GNU GPL) version 2 or
later (GPLv2+).
QUESTIONS
Questions on the usage of this program can be sent to the Squid Users
mailing list <squid-users@squid-cache.org>
REPORTING BUGS
Bug reports need to be made in English. See http://wiki.squid-
cache.org/SquidFaq/BugReporting for details of what you need to include
with your bug report.
Report bugs or bug fixes using http://bugs.squid-cache.org/
Report serious security bugs to Squid Bugs <squid-bugs@squid-cache.org>
Report ideas for new improvements to the Squid Developers mailing list
<squid-dev@squid-cache.org>
SEE ALSOsquid(8), GPL(7),
The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
The Squid Configuration Manual http://www.squid-cache.org/Doc/config/
ext_ad_group_acl.exe(8)
