Re: Variables and external_acl_types

On 17/01/2013 6:28 a.m., Alan Schmidt wrote:
> Hi list,
>
> Due to my employer's specific requirement, I'm writing an external_acl
> helper that allows us to query an LDAP server for valid dstdomains.
> It's actually working (not in the cleanest way :S), but I think I'm
> lacking Squid basic knowledge to get it done properly.
>
> I can see from the squid_ldap_group helper configuration
>
> external_acl_type ldap_group ttl=1 negative_ttl=1 %LOGIN
> /usr/sbin/squid_ldap_group -d -D $ADMIN_DN -w $PASS -b $SUFFIX -f
> "(&(memberUid=%u)(cn=%g))" -h 127.0.0.1 -v 3
>
> that it uses the %LOGIN format and the %u/%g variables.
>
> I don't fully understand this. Is there any list of Squid's
> available variables? Where do they come from (Squid's environment)?

Formats are listed in the directive documentation:
  http://www.squid-cache.org/Doc/config/external_acl_type/

The %u/%g variables are macros specific to the helper program. For squid_ldap_group they are listed here:
http://www.squid-cache.org/Versions/v3/3.1/manuals/squid_ldap_group.html


> Using %DST I managed to get the info I need from Squid (requested URL
> and name of the ACL) via standard input. The helper works this way, but
> it's quite awkward.
>
> The question: is there any variable (like %u or %g from the example
> above) I could use to pass the requested URL and ACL via a helper
> parameter?
> This way I could write much more flexible code.

No, the helper parameters are raw command line characters.
You could copy-n-paste the squid.conf contents from "/usr/sbin..." onwards, including those %u/%g, into a command line shell, then manually type "user group1 group2 group3" or whatever user/group combos you want as stdin input to the helper.

> What I want to do would be something like:
>
> external_acl_type validsites ttl=1 negative_ttl=1 %DST
> /usr/sbin/squid_ldap_checksite -D $ADMIN_DN -w %PASS -b $SUFFIX -h

%PASS is the password some HTTP client sent to Squid.

-w in this helper is the LDAP password permitting the proxy access permission to do LDAP searches and find some users account details. You DO NOT want all your end-user accounts to be given LDAP search privileges.

NP: In fact use of the lower-case -w option is not very good security practice. It is far better and very simple to use the upper case -W option which stores the password detail in a secure location and does not display it in cache.log and cachemgr config report.

> 127.0.0.1 -f "urlattribute=%something"
> where %something is a variable containing the requested URL.

You can replace %something with %u or %g.
%u is the first token (expected to be %LOGIN) in the helper format string.
%g is replaced by each of the additional tokens presented on the helper stdin. There can be multiple groups passed (as shown in my above example) and each is searched for individually until one matches, it is confirmed that none match, or something fails.

> I'm sorry if this is not the place to ask, or if the info is available
> somewhere already. I've been searching on manuals, FAQs, etc., without
> any luck.
> I'm relatively new to this kind of stuff (both lists and
> external_acl_types :S). If someone could point me at least at the right
> documentation I'll be very grateful.

The helper you are testing with is written specifically as a helper to look up a user's group, with flexibility on where the account details may be stored in LDAP.

FWIW: You may want to take the code for that helper and adjust it to suit your needs better than the existing one can. If you want to alter the behaviour of %g or add other filter macros you will need to do this.

Amos
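A minimal external ACL helper of the kind discussed in this thread, added here as an example (not code from the original post or from the Squid project): it reads the %DST token from each stdin line, answers OK or ERR per line (echoing the channel ID when concurrency= is used), and reads the bind secret from a file rather than the command line, which is the property Amos credits -W with. The domain allowlist stands in for the LDAP query, and the --concurrent and --password-file options are hypothetical.

```python
import sys
from urllib.parse import unquote, urlsplit

# Constructed allowlist standing in for the LDAP "valid dstdomains" lookup.
VALID_DOMAINS = {"example.com", "intranet.example"}


def load_bind_password(path):
    """Read the LDAP bind secret from a file, so it never appears in argv,
    cache.log or the cachemgr config report (the property of -W over -w)."""
    with open(path, "r", encoding="utf-8") as fh:
        return fh.readline().rstrip("\n")


def domain_allowed(dst, valid=VALID_DOMAINS):
    """True if dst (a hostname or a full URL) or any parent domain is allowed.
    Matching is on label boundaries, so notexample.com never matches example.com."""
    host = urlsplit(dst).hostname if "://" in dst else dst
    labels = (host or "").lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in valid for i in range(len(labels)))


def handle_line(line, concurrency=False, valid=VALID_DOMAINS):
    """Turn one request line from Squid into the reply line the helper writes.
    With concurrency=N in external_acl_type, Squid prefixes a channel ID
    that the reply must echo back as its first token."""
    tokens = line.rstrip("\r\n").split(" ")
    channel = None
    if concurrency:
        channel, tokens = tokens[0], tokens[1:]
    if not tokens or tokens[0] == "":
        verdict = "ERR message=missing_dst"  # message= is shown as %o in error pages
    else:
        dst = unquote(tokens[0])  # defensive: Squid percent-encodes tokens with spaces
        verdict = "OK" if domain_allowed(dst, valid) else "ERR"
    return f"{channel} {verdict}" if channel is not None else verdict


def main():
    args = sys.argv[1:]
    if "--password-file" in args:  # hypothetical option; a real helper binds with this
        _bind_password = load_bind_password(args[args.index("--password-file") + 1])
    concurrency = "--concurrent" in args  # hypothetical option mirroring concurrency=N
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, concurrency) + "\n")
        sys.stdout.flush()  # Squid waits for each reply, so never buffer


if __name__ == "__main__":
    main()
```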
