squid_ldap_auth(8)                                          squid_ldap_auth(8)



NAME
       squid_ldap_auth - Squid LDAP authentication helper

SYNOPSIS
       squid_ldap_auth -b "base DN" [-u attribute] [options]
       [ldap_server_name[:port]...]

       squid_ldap_auth  -b  "base  DN"  -f  "LDAP  search  filter"   [options]
       [ldap_server_name[:port]...]

DESCRIPTION
       This helper allows Squid to connect to an LDAP directory to validate
       the user name and password of Basic HTTP authentication.

       The program has two major modes of operation. In the default mode of
       operation the user's DN is constructed from the base DN and the user
       attribute. In the other mode of operation a search filter is used to
       locate valid user DNs below the base DN.

       -b basedn (REQUIRED)
              Specifies the base DN under which the users are located.

       -f filter
              LDAP search filter to locate the user DN. Required if the users
              are in a hierarchy below the base DN, or if the login name is
              not what builds the user specific part of the user's DN.

              The search filter can contain up to 15 occurrences of %s, each
              of which is replaced by the username, as in "uid=%s" for
              RFC2307 directories. For a detailed description of LDAP search
              filter syntax see RFC2254.

       -u userattr
              Specifies the name of the DN attribute that contains the
              username/login. Combined with the base DN to construct the
              user's DN when no search filter is specified (-f option).
              Defaults to 'uid'.

              Note: This can only be done if all your users are located
              directly under the same position in the LDAP tree and the login
              name is used for naming each user object. If your LDAP tree does
              not match these criteria, or if you want to restrict which
              users are valid, then you need to use a search filter to search
              for your users' DNs (-f option).

       -s base|one|sub
              Search scope when performing user DN searches specified by the
              -f option. Defaults to 'sub'.

              base searches the base object only, one searches one level
              below the base object, and sub searches the whole subtree below
              the base object.

       -D binddn -w password
              The DN and password to bind as while performing searches.
              Required by the -f flag if the directory does not allow
              anonymous searches.

              As the password needs to be written in plain text in your Squid
              configuration it is strongly recommended to use an account with
              minimal associated privileges. This limits the damage in case
              someone gets hold of a copy of your Squid configuration file.

       -P     Use a persistent LDAP connection. Normally the LDAP connection
              is only open while validating a username, to preserve resources
              at the LDAP server. This option causes the LDAP connection to be
              kept open, allowing it to be reused for further user
              validations. Recommended for larger installations.

       -R     do not follow referrals

       -a never|always|search|find
              When to dereference aliases. Defaults to 'never'.

              never never dereferences aliases (the default), always always
              dereferences aliases, search dereferences them only while
              searching, and find dereferences them only to find the base
              object.

       -h ldapserver
              Specify the LDAP server to connect to

       -p ldapport
              Specify an alternate TCP port where the ldap server is listening
              if other than the default LDAP port 389.

EXAMPLES
       For directories using the RFC2307 layout with a single domain, all you
       usually need to specify is the base DN under which your users are
       located and the server name:

              squid_ldap_auth -b ou=people,dc=your,dc=domain ldapserver

       If you have sub-domains then you need to use a search filter approach
       to locate your user DNs, as these can no longer be constructed directly
       from the base DN and login name alone:

              squid_ldap_auth -b dc=your,dc=domain -f uid=%s ldapserver

       And similarly if you only want to allow access to users having a
       specific attribute:

              squid_ldap_auth -b dc=your,dc=domain -f
              (&(uid=%s)(specialattribute=value)) ldapserver

       Or if the user attribute of the user DN is "cn" instead  of  "uid"  and
       you  do  not  want  to  have to search for the users then you could use
       something like the following example for Active Directory:

              squid_ldap_auth -u cn -b cn=Users,dc=your,dc=domain ldapserver

       If you want to search for the user DN and your directory does not allow
       anonymous searches then you must also use the -D and -w flags to
       specify a user DN and password to log in as to perform the searches, as
       in the following complex Active Directory example (-P, the persistent
       connection option; -p would require a port number):

              squid_ldap_auth -P -R -b dc=your,dc=domain -D
              cn=squid,cn=users,dc=your,dc=domain -w secretsquidpassword -f
              (&(userPrincipalName=%s)(objectClass=Person))
              activedirectoryserver
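
       The following is an added illustration, not code from squid_ldap_auth
       itself, of how the two modes used in the examples above turn a login
       name into either a user DN (-b with -u) or a rendered search filter
       (-b with -f). The escaping is this example's own addition and is not
       a documented behaviour of the helper: the login name is escaped per
       RFC 2254 before it replaces %s and per RFC 2253 before it is placed in
       an RDN, so that characters such as '*', '(' or ',' in a submitted login
       name cannot alter the structure of the filter or DN. The base DNs and
       filters are the ones from the examples; the login names are
       constructed sample values.

```python
# Added illustration (not the helper's own code) of squid_ldap_auth's two
# modes: DN construction (-b/-u) and search-filter rendering (-b/-f).
# The RFC 2254 / RFC 2253 escaping below is this example's addition.


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 2254, section 4)."""
    out = []
    for ch in value:
        if ch in '*()\\\x00':
            out.append('\\%02x' % ord(ch))   # e.g. '*' -> '\2a'
        else:
            out.append(ch)
    return ''.join(out)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use in an RDN (RFC 2253, section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if (ch in ',+"\\<>;'
                or (ch == '#' and i == 0)
                or (ch == ' ' and i in (0, last))):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def build_user_dn(basedn: str, username: str, userattr: str = 'uid') -> str:
    """Default mode: '<userattr>=<login>,<basedn>', no directory search needed."""
    return f'{userattr}={escape_dn_value(username)},{basedn}'


def render_filter(search_filter: str, username: str) -> str:
    """Search mode: every %s in the -f filter is replaced by the login name."""
    return search_filter.replace('%s', escape_filter_value(username))


if __name__ == '__main__':
    # Base DNs and filters from the EXAMPLES section; login names are
    # constructed sample values.
    print(build_user_dn('ou=people,dc=your,dc=domain', 'alice'))
    print(build_user_dn('cn=Users,dc=your,dc=domain', 'Alice Smith', userattr='cn'))
    print(render_filter('(&(uid=%s)(specialattribute=value))', 'alice'))
    print(render_filter('(&(userPrincipalName=%s)(objectClass=Person))',
                        'alice@your.domain'))
    print(render_filter('uid=%s', 'a*'))   # '*' becomes '\2a', so no wildcard
```

       A login name of "a*" renders as uid=a\2a rather than a wildcard match,
       which is the property the escaping exists to guarantee.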

NOTES
       When constructing search filters it is strongly recommended to test the
       filter using ldapsearch before you attempt to use squid_ldap_auth. This
       verifies that the filter matches what you expect.

AUTHOR
       This manual page was written by Henrik Nordstrom <hno@squid-cache.org>

       squid_ldap_auth is written by Glenn Newton
       <gnewton@wapiti.cisti.nrc.ca> and Henrik Nordstrom
       <hno@squid-cache.org>

KNOWN ISSUES
       Will crash if % directives other than %s are used in -f, or if more
       than 15 occurrences of %s are used.
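
       The following added example, which is not part of squid_ldap_auth,
       combines the advice in NOTES with the limits in KNOWN ISSUES as two
       checks to run on an -f filter before deploying it. validate_filter()
       rejects any % directive other than %s and more than 15 occurrences of
       %s, and adds a parenthesis-balance check of its own. ldapsearch_argv()
       builds the ldapsearch(1) command line NOTES recommends running first,
       for one sample login name; -x, -H, -b, -s, -D and -W are standard
       OpenLDAP ldapsearch options, and -W is used instead of -w so the bind
       password is prompted for rather than placed on the command line.

```python
# Added example (not the helper's own code): pre-deployment checks for an
# -f filter, based on the NOTES and KNOWN ISSUES sections.
import re
import shlex

MAX_PLACEHOLDERS = 15   # limit stated in KNOWN ISSUES


def validate_filter(search_filter: str) -> list:
    """Return the problems found in an -f filter; an empty list means it is usable."""
    problems = []
    # Any '%' not immediately followed by 's' is a directive the helper
    # does not handle.
    for m in re.finditer(r'%(.?)', search_filter):
        if m.group(1) != 's':
            problems.append(
                f'unsupported % directive at offset {m.start()}: {m.group(0)!r}')
    count = search_filter.count('%s')
    if count == 0:
        # This example's own sanity check: without %s the login name is
        # never used and every user gets the same search result.
        problems.append('no %s in filter, so the login name is never used')
    elif count > MAX_PLACEHOLDERS:
        problems.append(
            f'{count} occurrences of %s, helper supports at most {MAX_PLACEHOLDERS}')
    if search_filter.count('(') != search_filter.count(')'):
        problems.append('unbalanced parentheses')
    return problems


def ldapsearch_argv(server, basedn, search_filter, username,
                    binddn=None, scope='sub', port=389):
    """Build the argv of the ldapsearch(1) test run NOTES recommends."""
    rendered = search_filter.replace('%s', username)   # the helper's substitution
    argv = ['ldapsearch', '-x', '-H', f'ldap://{server}:{port}',
            '-b', basedn, '-s', scope]
    if binddn:
        argv += ['-D', binddn, '-W']   # -W prompts for the bind password
    argv += [rendered, 'dn']   # ask only for the DN of each matching entry
    return argv


if __name__ == '__main__':
    # Filters from the EXAMPLES section plus two deliberately broken ones.
    for f in ['uid=%s',
              '(&(userPrincipalName=%s)(objectClass=Person))',
              '(uid=%d)',
              '(|' + '(uid=%s)' * 16 + ')']:
        print(f'{f[:40]:42} {validate_filter(f) or "OK"}')
    cmd = ldapsearch_argv('activedirectoryserver', 'dc=your,dc=domain',
                          '(&(userPrincipalName=%s)(objectClass=Person))',
                          'alice@your.domain',
                          binddn='cn=squid,cn=users,dc=your,dc=domain')
    print(shlex.join(cmd))
```

       Run the printed ldapsearch command against the directory; if it
       returns exactly the DN of the test user, the same filter can be passed
       to squid_ldap_auth with -f.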

QUESTIONS
       Any questions on usage can be sent to Squid Users
       <squid-users@squid-cache.org>, or to your favorite LDAP list/friend if
       the question is more related to LDAP than Squid.

REPORTING BUGS
       Report bugs or bug-fixes to Squid Bugs <squid-bugs@squid-cache.org> or
       ideas for new improvements to Squid Developers
       <squid-dev@squid-cache.org>

SEE ALSO
       ldapsearch(1),
       RFC2254 - The String Representation of LDAP Search Filters,
       Your favorite LDAP documentation



Squid LDAP Auth                25 September 2001            squid_ldap_auth(8)