Hi Amos, I'm actually writing it from scratch, I've just taken squid_ldap_group as an "invocation example" (???). I think macros is what I'm missing. I'll be researching on your answers. Thanks a lot for your time.

On Thu, Jan 17, 2013 at 3:39 AM, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:
> On 17/01/2013 6:28 a.m., Alan Schmidt wrote:
>>
>> Hi list,
>>
>> Due to my employer's specific requirement, I'm writing an external_acl
>> helper that allows us to query an LDAP server for valid dstdomains.
>> It's actually working (not in the cleanest way :S), but I think I'm
>> lacking Squid basic knowledge to get it done properly.
>>
>> I can see from squid_ldap_group helper configuration
>>
>> external_acl_type ldap_group ttl=1 negative_ttl=1 %LOGIN
>> /usr/sbin/squid_ldap_group -d -D $ADMIN_DN -w $PASS -b $SUFFIX -f
>> "(&(memberUid=%u)(cn=%g))" -h 127.0.0.1 -v 3
>>
>> that it uses %LOGIN format and %u/%g variables.
>>
>> I don't fully understand this, is there any list of this Squid's
>> available variables??? Where do they come from (Squid environmental??)
>> ???.
>
> Formats are listed in the directive documentation:
> http://www.squid-cache.org/Doc/config/external_acl_type/
>
> The %u/%g variables are macros specific to the helper program. For
> squid_ldap_group they are listed here:
> http://www.squid-cache.org/Versions/v3/3.1/manuals/squid_ldap_group.html
>
>> Using %DST I managed to get the info I need from Squid (requested URL
>> and name of the ACL) via standard input. Helper works this way, but
>> it's quite awkward.
>>
>> The question: is there any variable (like %u or %g from the example
>> above) I could use to pass the requested URL and ACL via helper
>> parameter?
>> This way I could generate a much more flexible code.
>
> No, the helper parameters are raw command line characters.
> You could copy-n-paste the squid.conf contents from "/usr/sbin..." onwards
> including those %u/%g into a command line shell then manually type "user
> group1 group2 group3" or whatever user/group combos you want as stdin input
> to the helper.
>
>> What I want to do would be something like:
>>
>> external_acl_type validsites ttl=1 negative_ttl=1 %DST
>> /usr/sbin/squid_ldap_checksite -D $ADMIN_DN -w %PASS -b $SUFFIX -h
>
> %PASS is the password some HTTP client sent to Squid.
>
> -w in this helper is the LDAP password permitting the proxy access
> permission to do LDAP searches and find some users' account details. You DO
> NOT want all your end-user accounts to be given LDAP search privileges.
>
> NP: In fact use of the lower-case -w option is not very good security
> practice. It is far better and very simple to use the upper case -W option
> which stores the password detail in a secure location and does not display
> it in cache.log and cachemgr config report.
>
>> 127.0.0.1 -f "urlattribute=%something"
>> being %something a variable containing the requested URL.
>
> You can replace %something with %u or %g.
> %u is the first token (expected to be %LOGIN) in the helper format string.
> %g is replaced by each of the additional tokens presented on the helper
> stdin. There can be multiple groups passed (as shown in my above example)
> and each is searched for individually until one matches or confirmed none
> match or something fails.
>
>> I'm sorry if this is not the place to ask, or if the info is available
>> somewhere already. I've been searching on manuals, FAQs, etc., without
>> any luck.
>> I'm relatively new to this kind of stuff (both lists and
>> external_acl_types :S). If someone could point me at least at the right
>> documentation I'll be very grateful.
>
> The helper you are testing with is written specifically as a helper to
> lookup a user's group, with flexibility on where the account details may be
> stored in LDAP.
>
> FWIW: You may want to take the code for that helper and adjust it to suit
> your needs better than the existing one can. If you want to alter the
> behaviour of %g or add other filter macros you will need to do this.
>
> Amos

--
Alan
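The thread's practical point is that Squid never expands format items such as %DST into the helper's command line; every lookup arrives as one line of whitespace-separated tokens on stdin, and the helper answers one line of "OK" or "ERR" (optionally with key=value pairs). The skeleton below is an added example and is not code from this thread or from the Squid project. It assumes the format string is just %DST (so each stdin line carries one destination host), that the LDAP query is replaced by a constructed in-memory allow-list so the script runs offline, and that the squid.conf lines, the helper path, the message= texts and the sample hostnames are all my own illustrative choices. It also handles the optional concurrency= channel ID and URL-decodes the token, which is harmless when Squid sent a plain hostname.

```python
#!/usr/bin/env python3
"""Minimal Squid external_acl helper skeleton (added example, not from the thread).

Assumed squid.conf lines (constructed for illustration, not from the page):
    external_acl_type validsites ttl=1 negative_ttl=1 %DST /usr/local/bin/checksite.py
    acl validsite external validsites
    http_access allow validsite

Squid writes one line per lookup to the helper's stdin: the expanded format
tokens (here only %DST, the request's destination host) separated by spaces.
The helper replies with one line: "OK" or "ERR", optionally followed by
key=value pairs such as message=... (shown to the user via %o in error pages).
"""
import sys
from urllib.parse import unquote

# Constructed stand-in for the LDAP lookup the real helper would perform.
ALLOWED_DSTDOMAINS = {"example.com", "intranet.example.org"}


def domain_allowed(dst, allowed=ALLOWED_DSTDOMAINS):
    """True if dst equals an allowed domain or is a subdomain of one.

    Comparison is case-insensitive and tolerates a trailing dot, which is how
    Squid can present an absolute DNS name.
    """
    host = dst.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in allowed)


def handle_line(line, concurrency=False):
    """Turn one request line from Squid into one reply line.

    With concurrency=N set on external_acl_type, the first token is a channel
    ID that must be echoed back at the start of the reply so Squid can match
    the answer to the pending request.
    """
    tokens = line.split()
    prefix = ""
    if concurrency:
        if not tokens:
            return "ERR message=empty_request"
        prefix = tokens.pop(0) + " "
    if not tokens:
        return prefix + "ERR message=missing_dst"
    # Assumption: newer Squid releases URL-encode helper input; decoding is a
    # no-op for a plain hostname, so it is safe either way.
    dst = unquote(tokens[0])
    if domain_allowed(dst):
        return prefix + "OK"
    return prefix + "ERR message=dstdomain_not_permitted"


def main():
    # Squid keeps the helper running and talks to it line by line, so flush
    # after every reply; a buffered answer looks like a hung helper.
    for raw in sys.stdin:
        sys.stdout.write(handle_line(raw) + "\n")
        sys.stdout.flush()


if __name__ == "__main__":
    main()
```

To exercise it the way Amos suggests, run the script from a shell and type hostnames one per line: `www.example.com` answers `OK`, anything outside the allow-list answers `ERR message=dstdomain_not_permitted`. Replacing `domain_allowed` with an LDAP search is the only change needed to get the behaviour the original poster describes, and because the bind password then lives in the helper's own configuration rather than on the squid.conf command line, it does not show up in cache.log or the cachemgr config report.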