Hi everyone.

I have the following use case to be accomplished using ACL:

- Allow any authenticated user who is a member of a group named after the URI

To construct this I've built the following squid.conf (snippet):

---------
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r
auth_param negotiate children 10
auth_param negotiate keep_alive on

external_acl_type ldap_HTTP %LOGIN %URI /usr/lib/squid/ext_ldap_group_acl -D "cn=admin,dc=example,dc=com" -w test -R -b "ou=authorization,dc=example,dc=com" -B "ou=people,dc=example,dc=com" -f '(&(objectclass=groupOfNames)(cn=%g)(member=uid=%u,ou=people,dc=example,dc=com))' -h ldap01.example.com -d

acl allow_HTTP_ACL external ldap_HTTP ""

http_access deny !allow_HTTP_ACL all
http_access allow allow_HTTP_ACL
http_access deny all
---------

I call it a "dynamic" ACL, because the value of the group is the actual URI (the search filter will expand like: cn=<URI>,ou=authorization,dc=example,dc=com). For that, "allow_HTTP_ACL" passes "" to ldap_HTTP. This is working, however that's not documented. I was wondering how this works, so I debugged.

I found out the %<template filter var> expands as follows for the following search filter:

-f '(&(objectclass=groupOfNames)(<template_filter_reference>=%<template_filter>)(member=uid=%u,ou=people,dc=example,dc=com))'

1) '(&(objectclass=groupOfNames)(a=%a)(member=uid=%u,ou=people,dc=example,dc=com))':

ext_ldap_group_acl.cc(718): pid=25913 :group filter '(&(objectclass=groupOfNames)(a=http://web.example.com/)(member=uid=john_doe,ou=people,dc=example,dc=com))', searchbase 'ou=ou=authorization,dc=example,dc=com'
ext_ldap_group_acl.cc(718): pid=25913 :group filter '(&(objectclass=groupOfNames)(a=GET)(member=uid=john_doe,ou=people,dc=example,dc=com))', searchbase 'ou=authorization,dc=example,dc=com'
ext_ldap_group_acl.cc(718): pid=25913 :group filter '(&(objectclass=groupOfNames)(a=80)(member=uid=john_doe,ou=people,dc=example,dc=com))', searchbase 'ou=authorization,dc=example,dc=com'

2) '(&(objectclass=groupOfNames)(b=%b)(member=uid=%u,ou=people,dc=example,dc=com))':

ext_ldap_group_acl.cc(579): pid=26068 :Connected OK
ERROR: Unknown filter template string %b
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter. filter="(&(objectclass=groupOfNames)(b=L?II??U", user="john_doe", group="http://web.example.com/"
ERROR: Unknown filter template string %b
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter. filter="(&(objectclass=groupOfNames)(b=L?II??U", user="john_doe", group="GET"
ERROR: Unknown filter template string %b
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter. filter="(&(objectclass=groupOfNames)(b=L?II??U", user="john_doe", group="80"

3) '(&(objectclass=groupOfNames)(c=%c)(member=uid=%u,ou=people,dc=example,dc=com))':

ERROR: Unknown filter template string %c
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter. filter="(&(objectclass=groupOfNames)(c=?پ>?U", user="john_doe", group="http://web.example.com/"
ERROR: Unknown filter template string %c
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter. filter="(&(objectclass=groupOfNames)(c=?پ>?U", user="john_doe", group="GET"
ERROR: Unknown filter template string %c
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter. filter="(&(objectclass=groupOfNames)(c=?پ>?U", user="john_doe", group="80"

4) '(&(objectclass=groupOfNames)(test=%test)(member=uid=%u,ou=people,dc=example,dc=com))':

ERROR: Unknown filter template string %t
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter. filter="(&(objectclass=groupOfNames)(test=?,?U", user="john_doe", group="http://web.example.com/"
ERROR: Unknown filter template string %t
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter. filter="(&(objectclass=groupOfNames)(test=?,?U", user="john_doe", group="GET"
ERROR: Unknown filter template string %t
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter. filter="(&(objectclass=groupOfNames)(test=?,?U", user="john_doe", group="80"

5) '(&(objectclass=groupOfNames)(v=%v)(member=uid=%u,ou=people,dc=example,dc=com))':

ext_ldap_group_acl.cc(718): pid=26314 :group filter '(&(objectclass=groupOfNames)(v=john_doe)(member=uid=john_doe,ou=people,dc=example,dc=com))', searchbase 'ou=authorization,dc=example,dc=com'
ext_ldap_group_acl.cc(718): pid=26314 :group filter '(&(objectclass=groupOfNames)(v=john_doe)(member=uid=john_doe,ou=people,dc=example,dc=com))', searchbase 'ou=authorization,dc=example,dc=com'
ext_ldap_group_acl.cc(718): pid=26314 :group filter '(&(objectclass=groupOfNames)(v=john_doe)(member=uid=john_doe,ou=people,dc=example,dc=com))', searchbase 'ou=authorization,dc=example,dc=com'

6) '(&(objectclass=groupOfNames)(g=%g)(member=uid=%u,ou=people,dc=example,dc=com))':

ext_ldap_group_acl.cc(718): pid=26408 :group filter '(&(objectclass=groupOfNames)(g=http://web.example.com/)(member=uid=john_doe,ou=people,dc=example,dc=com))', searchbase 'ou=authorization,dc=example,dc=com'
ext_ldap_group_acl.cc(718): pid=26408 :group filter '(&(objectclass=groupOfNames)(g=GET)(member=uid=john_doe,ou=people,dc=example,dc=com))', searchbase 'ou=authorization,dc=example,dc=com'
ext_ldap_group_acl.cc(718): pid=26408 :group filter '(&(objectclass=groupOfNames)(g=80)(member=uid=john_doe,ou=people,dc=example,dc=com))', searchbase 'ou=authorization,dc=example,dc=com'

This is all pretty much happening here [https://github.com/squid-cache/squid/blob/master/helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc#L638]

So, conclusions:

- %v and %u both map to "user", which is expected (historical reasons & compatibility)
- %g and %a both map to "group", which is expected (historical reasons & compatibility)
- any other template filter (%b, %c, %test, etc.) is trash (only %a, %u, %g, %v won't yield an error)
- when "" is passed to the acl ("acl <ACL_name> external ldap_HTTP ""), the helper will attempt all FORMAT values, mapping them to "group" (%a or %g)

Although I can move on with this for now, I would actually be more relieved if I could use:

acl allow_HTTP_ACL external ldap_HTTP <a_var_which_is_available_here_representing_URI>

instead of

acl allow_HTTP_ACL external ldap_HTTP ""

+ non-documented behavior of ext_ldap_group_acl.

However, I don't know whether the <acl> directive has access to the URI variable. Tips anyone?

Best regards

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
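As an added illustration (not the poster's code and not the Squid helper's source), here is a small Python model of the -f template expansion the debug output above documents: %u and %v substitute the user, %g and %a substitute the group, and any other sequence is rejected after looking at only the single character following the %, which is why %test is reported as %t. The RFC 4515 escaping of substituted values is this example's own defensive choice; the post does not show whether the real helper escapes, and that is the property worth checking when the "group" value is a client-supplied URI spliced into an LDAP search filter.

```python
# Added example: a Python model of the ext_ldap_group_acl -f template expansion
# observed in the post (%u/%v -> user, %g/%a -> group, anything else -> error).
# RFC 4515 escaping of the substituted values is this example's own choice; the
# post does not show whether the real helper performs it.

# RFC 4515 section 3: these characters must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape_value(value: str) -> str:
    """Escape a value so it cannot change the structure of the enclosing filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, user: str, group: str) -> str:
    """Expand %u/%v (user) and %g/%a (group) in an LDAP filter template.

    Only the one character after '%' is inspected, so '%test' fails as '%t',
    matching the 'Unknown filter template string' error seen in the post.
    """
    out = []
    i = 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        var = template[i + 1:i + 2]
        if var in ("u", "v"):
            out.append(ldap_escape_value(user))
        elif var in ("g", "a"):
            out.append(ldap_escape_value(group))
        else:
            raise ValueError(f"Unknown filter template string %{var}")
        i += 2
    return "".join(out)


# The poster's filter template; user and URI below are the values from the post.
TEMPLATE = ("(&(objectclass=groupOfNames)(cn=%g)"
            "(member=uid=%u,ou=people,dc=example,dc=com))")


def example() -> str:
    """Reproduce the first expansion shown in the poster's debug output."""
    return build_filter(TEMPLATE, "john_doe", "http://web.example.com/")
```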