squid_ldap_group(8)                                        squid_ldap_group(8)

       squid_ldap_group - Squid LDAP external acl group helper

       squid_ldap_group  -b  "base  DN"  -f  "LDAP  search  filter"  [options]

       This helper allows Squid to connect to a LDAP  directory  to  authorize
       users via LDAP groups.

       The  program  operates  by  searching with a search filter based on the
       users login name and requested group, and if a match  is  found  it  is
       determined that the user belongs to the group.

       -b basedn (REQUIRED)
              Specifies the base DN under which the groups are located.

       -B basedn
              Specifies the base DN under which the users are located (if dif-

       -g     Specifies that the first query argument sent to  the  helper  by
              Squid is a extension to the basedn and will be temporarily added
              infront of the global basedn for this query.

       -f filter
              LDAP search filter used to search the  LDAP  directory  for  any
              matching  group memberships.   In the filter %u will be replaced
              by the user login name (or DN if the -F or -u options are  used)
              and %g by the requested group name.

       -F filter
              LDAP  search  filter  used  to search the LDAP directory for any
              matching users.   In the filter %s will be replaced by the  user
              login  name. If % is to be included literally in the filter then
              use %%.

       -u attr
              LDAP attribute used to construct the user DN from the login name
              and base dn.

       -s base|one|sub
              search scope. Defaults to 'sub'.

              base  object  only,  one  level below the base object or subtree
              below the base object

       -D binddn -w password
              The DN and  password  to  bind  as  while  performing  searches.
              Required if the directory does not allow anonymous searches.

              As  the password needs to be printed in plain text in your Squid
              configuration and will be sent on the command line to the helper
              it is strongly recommended to use a account with minimal associ-
              ated privileges.  This to limit the damage in case someone could
              get  hold of a copy of your Squid configuration file or extracts
              the password used from a process listing.

       -P     Use a persistent LDAP connection. Normally the  LDAP  connection
              is  only  open while validating a username to preserve resources
              at the LDAP server. This option causes the LDAP connection to be
              kept  open,  allowing  it  to be reused for further user valida-
              tions. Recommended for larger installations.

       -R     do not follow referrals

       -a never|always|search|find
              when to dereference aliases. Defaults to 'never'

              never dereference aliases (default), always dereference aliases,
              only while searching or only to find the base object

       -h ldapserver
              Specify the LDAP server to connect to

       -p ldapport
              Specify an alternate TCP port where the ldap server is listening
              if other than the default LDAP port 389.

       -S     Strip NT domain name component from usernames (/ or \ separated)

       This  helper  is intended to be used as a external_acl_type helper from

       external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ...
       acl group1 ldap_group Group1
       acl group2 ldap_gorup Group2

       When constructing search filters it is strongly recommended to test the
       filter  using  ldapsearch  before  you attempt to use squid_ldap_group.
       This to verify that the filter matches what you expect.

       This manual page was written by Henrik Nordstrom <>

       squid_ldap_group is written by Flavio Pescuma  <>
       and  Henrik  Nordstrom  <>,  based  on prior work in
       squid_ldap_auth by Glen Newton <>

       Max 16 occurances of %s in the -u argument is supported.

       Any questions on usage can be sent to Squid  Users  <squid-users@squid->,  or  to  your  favorite LDAP list/friend if the question is
       more related to LDAP than Squid.

       Report bugs or bug-fixes to Squid Bugs <>  or
       ideas  for  new  improvements  to  Squid  Developers  <squid-dev@squid->

       squid_ldap_auth(8), ldapsearch(1),
       Your favorite LDAP documentation
       RFC2254 - The String Representation of LDAP Search Filters,

Squid LDAP Match               7 September 2002            squid_ldap_group(8)