Re: [squid-users] Variables and external_acl_types

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 17 Jan 2013 19:39:56 +1300

On 17/01/2013 6:28 a.m., Alan Schmidt wrote:
> Hi list,
>
> Due to my employer's specific requirement, I'm writing an external_acl
> helper that allows us to query an LDAP server for valid dstdomains.
> It's actually working (not in the cleanest way :S), but I think I'm
> lacking basic Squid knowledge to get it done properly.
>
> I can see from squid_ldap_group helper configuration
>
> external_acl_type ldap_group ttl=1 negative_ttl=1 %LOGIN
> /usr/sbin/squid_ldap_group -d -D $ADMIN_DN -w $PASS -b $SUFFIX -f
> "(&(memberUid=%u)(cn=%g))" -h 127.0.0.1 -v 3
>
> that it uses %LOGIN format and %u/%g variables.
>
> I don't fully understand this. Is there any list of Squid's available
> variables? Where do they come from (Squid environment variables?)?

Formats are listed in the directive documentation:
   http://www.squid-cache.org/Doc/config/external_acl_type/

The %u/%g variables are macros specific to the helper program. For
squid_ldap_group they are listed here:
http://www.squid-cache.org/Versions/v3/3.1/manuals/squid_ldap_group.html

> Using %DST I managed to get the info I need from Squid (requested URL
> and name of the ACL) via standard input. The helper works this way, but
> it's quite awkward.
>
> The question: is there any variable (like %u or %g from the example
> above) I could use to pass the requested URL and ACL via a helper
> parameter?
> This way I could write much more flexible code.

No, the helper parameters are raw command-line characters.
You could copy-n-paste the squid.conf contents from "/usr/sbin..."
onwards, including those %u/%g, into a command-line shell, then manually
type "user group1 group2 group3" or whatever user/group combos you want
as stdin input to the helper.

> What I want to do would be something like:
>
> external_acl_type validsites ttl=1 negative_ttl=1 %DST
> /usr/sbin/squid_ldap_checksite -D $ADMIN_DN -w %PASS -b $SUFFIX -h

%PASS is the password some HTTP client sent to Squid.

-w in this helper is the LDAP password that gives the proxy permission
to do LDAP searches and find users' account details. You DO NOT want all
your end-user accounts to be given LDAP search privileges.

NP: In fact, use of the lower-case -w option is not very good security
practice. It is far better, and very simple, to use the upper-case -W
option, which stores the password in a secure location and does not
display it in cache.log or the cachemgr config report.

> 127.0.0.1 -f "urlattribute=%something"
> where %something is a variable containing the requested URL.

You can replace %something with %u or %g.
  %u is the first token (expected to be %LOGIN) in the helper format string.
  %g is replaced by each of the additional tokens presented on the
helper stdin. There can be multiple groups passed (as shown in my above
example) and each is searched for individually until one matches, it is
confirmed that none match, or something fails.

> I'm sorry if this is not the place to ask, or if the info is available
> somewhere already. I've been searching manuals, FAQs, etc., without
> any luck.
> I'm relatively new to this kind of stuff (both lists and
> external_acl_types :S). If someone could point me at least at the right
> documentation I'll be very grateful.

The helper you are testing with is written specifically as a helper to
look up a user's groups, with flexibility on where the account details
may be stored in LDAP.

FWIW: You may want to take the code for that helper and adjust it to
suit your needs better than the existing one can. If you want to alter
the behaviour of %g or add other filter macros, you will need to do this.

Amos
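The following is an added example, not code from this thread or from the Squid project, of what a small external_acl_type helper along the lines Amos describes looks like in Python: it reads the %DST token (and any extra arguments from the acl line) from stdin, substitutes it into an LDAP filter template, and answers OK or ERR. The squid.conf lines in the docstring, the helper path, the -f and -W options and the %d macro are all assumptions made for the example (%d mirrors the %u/%g macros of squid_ldap_group and is not a Squid format code), and the directory server is replaced by a constructed in-memory set. Two points a practitioner wants that the thread only hints at are built in: a value taken from stdin is escaped before it goes into the filter, and the bind password is read from a file (the -W approach) rather than from the command line.

```python
#!/usr/bin/env python3
"""Minimal Squid external_acl_type helper (added example, not Squid code).

Assumed squid.conf (paths, acl names and the -f/-W options are hypothetical):

  external_acl_type validsites ttl=1 negative_ttl=1 %DST \
      /usr/local/bin/check_site.py -W /etc/squid/ldap.pw -f "(urlattribute=%d)"
  acl validsites external validsites

Squid then writes one line per lookup to stdin: the %DST token (requested
domain) followed by any extra arguments from the acl line, and reads back
"OK" or "ERR".  %d is this helper's own macro, modelled on the %u/%g of
squid_ldap_group; it is not a Squid format code.  The LDAP server is
replaced by the constructed set DIRECTORY.
"""
import argparse
import os
import stat
import sys
import urllib.parse

# Constructed stand-in for what the directory would return for the filter.
DIRECTORY = {"example.com", "intranet.example.org"}


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    Dropped into a filter unescaped, a requested domain such as
    "*)(objectClass=*" would rewrite the filter instead of being matched
    literally, so every value taken from stdin goes through here.
    """
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch
                   for ch in value)


def build_filter(template: str, domain: str) -> str:
    """Substitute the helper's hypothetical %d macro with the escaped domain."""
    return template.replace("%d", ldap_filter_escape(domain))


def parse_request(line: str, concurrent: bool = False):
    """Split one request line into (channel_id, tokens).

    With concurrency=N in squid.conf every line starts with a channel id that
    must be echoed back in the reply; otherwise channel_id is None.  Squid
    url-encodes tokens, so each one is decoded.
    """
    parts = line.rstrip("\r\n").split()
    channel = parts.pop(0) if concurrent and parts else None
    return channel, [urllib.parse.unquote(p) for p in parts]


def directory_has(ldap_filter: str, domain: str) -> bool:
    """Stand-in for the LDAP search a real helper would run with ldap_filter."""
    return domain in DIRECTORY


def decide(line: str, template: str, concurrent: bool = False) -> str:
    """Produce the reply line for one request line."""
    channel, tokens = parse_request(line, concurrent)
    if tokens:
        domain = tokens[0].lower()
        found = directory_has(build_filter(template, domain), domain)
        verdict = "OK" if found else "ERR"
    else:
        verdict = "ERR"  # nothing to look up; deny rather than guess
    return f"{channel} {verdict}" if channel is not None else verdict


def read_bind_password(path: str) -> str:
    """Read the LDAP bind password from a file (the -W style) instead of the
    command line, where it would show up in ps, cache.log and cachemgr output.
    Refuses files that are readable by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} must not be group/world accessible")
    with open(path, encoding="utf-8") as f:
        return f.readline().rstrip("\r\n")


def main() -> None:
    ap = argparse.ArgumentParser()
    ap.add_argument("-f", default="(urlattribute=%d)",
                    help="LDAP filter template using %%d for the domain")
    ap.add_argument("-W", dest="pwfile", help="file holding the LDAP bind password")
    ap.add_argument("--concurrent", action="store_true",
                    help="set when squid.conf uses concurrency=N")
    args = ap.parse_args()
    # A real helper hands bind_password to the LDAP bind before searching.
    bind_password = read_bind_password(args.pwfile) if args.pwfile else ""
    for line in sys.stdin:
        sys.stdout.write(decide(line, args.f, args.concurrent) + "\n")
        sys.stdout.flush()  # Squid waits for each reply; unflushed output stalls the lookup


if __name__ == "__main__":
    main()
```

To try it by hand the way Amos suggests, run the script from a shell and type a domain per line on stdin; each line is answered with OK or ERR. Keep ttl/negative_ttl small while testing, as in the original config, or Squid will cache the answers and the helper will not be asked again.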
Received on Thu Jan 17 2013 - 06:40:04 MST
