Hi Amos,
I'm actually writing it from scratch, i've just taken squid_ldap_group as an
"invocation example"(???). I think macros is what i'm missing.
I'll be researching on your answers.
Thanks a lot for your time.
On Thu, Jan 17, 2013 at 3:39 AM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
> On 17/01/2013 6:28 a.m., Alan Schmidt wrote:
>>
>> Hi list,
>>
>> Due to my employer's specific requirement, I'm writing an external_acl
>> helper that allows us to query an LDAP server for valid dstdomains.
>> It's actually working (not in the cleanest way :S), but i think i'm
>> lacking squid basic knoledge to get it done properly.
>>
>> I can see from squid_ldap_group helper configuration
>>
>> external_acl_type ldap_group ttl=1 negative_ttl=1 %LOGIN
>> /usr/sbin/squid_ldap_group -d -D $ADMIN_DN -w $PASS -b $SUFFIX -f
>> "(&(memberUid=%u)(cn=%g))" -h 127.0.0.1 -v 3
>>
>> that it uses %LOGIN format and %u/%g variables.
>>
>> I don't fully understand this, is there any list of this squid's
>> available variables??? where do they come from (squid environmental??)
>> ???.
>
>
> Formats are listed in the directive documentation:
> http://www.squid-cache.org/Doc/config/external_acl_type/
>
> The %u/%g variables are macros specific to the helper program. For
> squid_ldap_group they are listed here:
> http://www.squid-cache.org/Versions/v3/3.1/manuals/squid_ldap_group.html
>
>
>
>> Using %DST i managed to get the info i need from squid (requested url
>> and name of the acl) via standard input. Helper works this way, but
>> it's quite awkward.
>>
>> The question: is there any variable (like %u or %g from the example
>> above) i could use to pass the requested url and acl via helper
>> parameter?
>> This way i could generate a much more flexible code.
>
>
> No the helper parameters are a raw command line characters.
> You could copy-n-paste the squid.conf contents from "/usr/sbin..." onwards
> including those %u/%g into a command line shell then manually type "user
> group1 group2 group3" or whatever user/group combos you want as stdin input
> to the helper.
>
>
>> What i want to do woud be something like:
>>
>> external_acl_type validsites ttl=1 negative_ttl=1 %DST
>> /usr/sbin/squid_ldap_checksite -D $ADMIN_DN -w %PASS -b $SUFFIX -h
>
>
> %PASS is the password some HTTP client sent to Squid.
>
> -w in this helper is the LDAP password permitting the proxy access
> permission to do LDAP searches and find some users account details. You DO
> NOT want all your end-user accounts to be given LDAP search privileges.
>
> NP: In fact use of the lower-case -w option is not very good security
> practice. It is far better and very simple to use the upper case -W option
> which stores the password detail in a secure location and does not display
> it in cache.log and cachemgr config report.
>
>
>> 127.0.0.1 -f "urlattribute=%something"
>> being %something a variable containing the requested url.
>
>
> You can replace %something with %u or %g.
> %u is the first token (expected to be %LOGIN) in the helper format string.
> %g is replaced by eaach of the additional tokens presented on the helper
> stdin. There can be multiple groups passed (as shown in my above example)
> and each is searched for individually until one matches or confirmed none
> match or something fails.
>
>
>> I'm sorry if this is not the place to ask, or if the info is available
>> somewhere already. I've been searching on manuals, faqs, etc, without
>> any luck.
>> I'm relatively new to this kind of stuff (both lists and
>> external_acl_types :S). If someone coud point me at least at the right
>> documentation i'll be very grateful.
>
>
> The helper you are testing with is written specifically as a helper to
> lookup a users group, with flexibility on where the account details may be
> stored in LDAP.
>
> FWIW: You may want to take the code for that helper and adjust it to suit
> your needs better than the existing one can. If you want to alter the
> behaviour of %g or add other filter macros you will need to do this.
>
> Amos
-- AlanReceived on Thu Jan 17 2013 - 13:22:34 MST
This archive was generated by hypermail 2.2.0 : Thu Jan 17 2013 - 12:00:04 MST