ext_lm_group_acl − Squid external ACL helper to check Windows users group membership.
ext_lm_group_acl [−D domain ] [−cdhGP]
ext_lm_group_acl is an installed binary in Squid for Windows builds.
This helper must be used in with an authentication scheme (typically Basic or NTLM) based on Windows NT/2000 domain users (LM mode).
It reads from the standard input the domain username and a list of groups and tries to match each against the groups membership of the specified username.
Use case insensitive compare.
Write debug info to stderr.
Specify the default user’s domain.
Start helper in Domain Global Group mode.
Display the binary help and command line syntax info using stderr.
Use ONLY PDCs for group validation.
NT_global_group %LOGIN c:/squid/libexec/ext_lm_group_acl.exe
external_acl_type NT_local_group %LOGIN c:/squid/libexec/ext_lm_group_acl.exe
acl GProxyUsers external NT_global_group GProxyUsers
acl LProxyUsers external NT_local_group LProxyUsers
acl password proxy_auth REQUIRED
http_access allow password GProxyUsers
http_access allow password LProxyUsers
http_access deny all
In the previous example all validated NT users member of GProxyUsers Global domain group or member of LProxyUsers machine local group are allowed to use the cache.
Groups with spaces in name, for example Domain Users , must be quoted and the acl data ( Domain Users ) must be placed into a separate file included by specifying /path/to/file The previous example will be:
acl ProxyUsers external NT_global_group "c:/squid/etc/DomainUsers.txt"
The DomainUsers.txt file will contain only the following line:
NOTE: The standard group name comparison is case sensitive, so group name must be specified with same case as in the NT/2000 Domain. It’s possible to enable case insensitive group name comparison ( −c ), but on some not-english locales, the results can be unexpected.
NOTE: Native WIN32 NTLM and Basic Helpers must be used without the −A and −D switches.
Refer to Squid documentation for the more details on squid.conf.
I strongly recommend that ext_lm_group_acl is tested prior to being used in a production environment. It may behave differently on different platforms.
To test it, run it from the command line. Enter username and group pairs separated by a space (username must entered with URL-encoded domain%5Cusername syntax). Press ENTER to get an OK or ERR message.
Make sure pressing CTRL+D behaves the same as a carriage return.
Make sure pressing CTRL+C aborts the program.
Test that entering no details does not result in an OK or ERR message.
Test that entering an invalid username and group results in an ERR message.
Test that entering an valid username and group results in an OK message.
This program was written by Guido Serassio <firstname.lastname@example.org> with contributions by Henrik Nordstrom <email@example.com>
Based in part on prior work in check_group by Rodrigo Albani de Campos
This manual was written by Guido Serassio <firstname.lastname@example.org> Amos Jeffries <email@example.com>
This program and documentation is copyright to the authors named above.
Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+).
Questions on the usage of this program can be sent to the Squid Users mailing list <firstname.lastname@example.org>
Bug reports need to be made in English. See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
Report bugs or bug fixes using http://bugs.squid-cache.org/
Report serious security bugs to Squid Bugs <email@example.com>
Report ideas for new improvements to the Squid Developers mailing list <firstname.lastname@example.org>
The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
The Squid Configuration Manual http://www.squid-cache.org/Doc/config/
- About Squid
- Why Squid?
- Squid Developers
- How to Donate
- How to Help Out
- Getting Squid
- Squid Source Packages
- Squid Deployment Case-Studies
- Squid Software Foundation
- FAQ and Wiki
- Guide Books:
- Security Advisories
- Bugzilla Database
- Mailing lists
- Contacting us
- Commercial services
- Project Sponsors
- Squid-based products
- Developer Resources
- Related Writings
- Related Software:
- Squid Artwork