ext_edirectory_userip_acl(8)
NAME
ext_edirectory_userip_acl - Squid eDirectory IP Lookup Helper
Version 2.0
SYNOPSIS
ext_edirectory_userip_acl [-h | --help | --usage]
ext_edirectory_userip_acl -H host -p port [-Z] [-P] [-v LDAP version]
-b basedn -s scope -D binddn -W bindpass -F filter [-G]
DESCRIPTION
ext_edirectory_userip_acl is an installed binary.
This program has been written in order to solve the problems associated
with running the Perl squid_ip_lookup.pl as a squid external helper.
The limitations of the Perl script involved memory/cpu utilization,
speed, the lack of eDirectory 8.8 support, and IPv6 support.
OPTIONS
-4 Force addresses to be in IPv4 (0.0.0.0 format).
-6 Force addresses to be in IPv6 (:: format).
-b base Specify base DN. For example: o=ORG
-d Write debug info to stderr.
-D binddn Specify binding DN. For example: cn=squid,o=ORG
-F filter Specify LDAP search filter. For example: (objectClass=User)
-G Specify if LDAP search group is required. For example:
groupMembership=
-h | --help | --usage
Display the binary help and command line syntax info using
stderr.
-H host Specify hostname or IP of server.
-p port Port number.
-P Use persistent connections.
-t seconds Timeout factor for persistent connections. Set to 0 for
never timeout. Default is 60 seconds.
-s base|one|sub
Search scope: base object only, one level below the base object,
or subtree below the base object. Defaults to sub.
-u attribute
Set userid attribute. Default is cn.
-v 1|2|3 Set LDAP version.
-V Display version information and exit.
-W password Specify binding password.
-Z Enable TLS security.
CONFIGURATION
    external_acl_type IPUser %SRC /usr/sbin/ext_edirectory_userip_acl
    acl edirectory_users_allowed external IPUser cn=Internet_Allowed,ou=ORG,o=BASE
    acl edirectory_users_denied external IPUser cn=Internet_Denied,ou=ORG,o=BASE
    http_access deny edirectory_users_denied
    http_access allow edirectory_users_allowed
    http_access deny all
In this example, Internet_Allowed and Internet_Denied are groups whose
membership may be used to control users' internet access; they can also
be stacked against other ACLs. Use of the groups is optional, unless the
'-G' option has been passed. Please note that you need to specify the
full LDAP object for this, as shown above.
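The following check is an added example, not part of this manual or of the Squid distribution: it reads squid.conf text, finds each external_acl_type line that runs this helper, and reports when -Z is absent or when the bind password is passed with -W. The sample configuration, host name, DNs and password are constructed placeholders.

```python
import shlex

HELPER = "ext_edirectory_userip_acl"
TAKES_VALUE = set("bDFHpstuvW")  # options that take a value, per OPTIONS above

# Constructed sample squid.conf; host, DNs and password are placeholders.
ARGS = ("-H ldap.example.net -p 389 -v 3 -b o=ORG -s sub "
        "-D cn=squid,o=ORG -W PLACEHOLDER -F (objectClass=User)")
SAMPLE_CONF = "\n".join([
    "# constructed example, it's not a recommended configuration",
    f"external_acl_type IPUser %SRC /usr/sbin/{HELPER} {ARGS}",
    f"external_acl_type IPUserTLS %SRC /usr/sbin/{HELPER} -Z -G {ARGS}",
    "acl edirectory_users_allowed external IPUserTLS cn=Internet_Allowed,ou=ORG,o=BASE",
])

def parse_helper_args(tokens):
    """Map each helper option to its value, or to True for a bare switch."""
    opts, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and len(tok) == 2 and tok[1] in TAKES_VALUE:
            if i + 1 < len(tokens):
                i += 1
                opts[tok[1]] = tokens[i]
        elif tok.startswith("-"):
            opts[tok.lstrip("-")] = True
        i += 1
    return opts

def audit(conf_text):
    """Return {external_acl_type name: [findings]} for each helper invocation."""
    report = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line.startswith("external_acl_type"):
            continue  # also skips comments, which may hold unbalanced quotes
        tokens = shlex.split(line)
        idx = next((i for i, t in enumerate(tokens)
                    if t.rsplit("/", 1)[-1] == HELPER), None)
        if idx is None:
            continue
        opts = parse_helper_args(tokens[idx + 1:])
        findings = []
        if "Z" not in opts:
            findings.append("no -Z: TLS is not enabled for the helper's LDAP connection")
        if "W" in opts:
            findings.append("-W: bind password sits in squid.conf and in the "
                            "helper's process arguments")
        report[tokens[1]] = findings
    return report

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_CONF).items():
        print(name, findings or ["no findings"])
```

Because the synopsis gives -W as the way to supply the bind password, the second finding is a prompt to limit read access to squid.conf and to bind with an account that can only read the attributes the helper needs.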
KNOWN ISSUES
IPv6 support has yet to be tested in a real IPv6 environment, but the
code is in place to read IPv6 networkAddress fields. Please attempt
this in a TESTING environment first. Please contact the author regarding
IPv6 support development.
There is a known issue regarding Novell's Client for Windows, in which
the 'Auto-Reconnect' feature does not re-populate the networkAddress
field in eDirectory. It is mostly fixed by using version 4.91 SP3+.
I have also experienced an issue related to using NetWare 6.5 (SP6 and
lower?) and connection licensing. It appears that whenever a server
runs low on connection licenses, it sometimes does not populate
the networkAddress fields correctly.
The majority of proxy authentication issues can be resolved by having
the users reboot if their networkAddress is not correct, or by using
basic_ldap_auth as a fallback. Check ConsoleOne, etc. to verify their
networkAddress fields when troubleshooting.
AUTHOR
This program was written by Chad E. Naugle <chad.naugle@travimp.com>
This manual was written by Chad E. Naugle <chad.naugle@travimp.com>
Amos Jeffries <amosjeffries@squid-cache.org>
COPYRIGHT
This program and documentation is copyright to the authors named above.
Distributed under the GNU General Public License (GNU GPL) version 2 or
later (GPLv2+).
QUESTIONS
Questions on the usage of this program can be sent to the Squid Users
mailing list <squid-users@squid-cache.org>
REPORTING BUGS
I STRONGLY RECOMMEND using the latest version of the Novell Client in
all situations before seeking support! You may also need to make sure
your servers have the latest service packs installed, and that your
servers are properly synchronizing partitions.
Bug reports need to be made in English. See
http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what
you need to include with your bug report.
Report bugs or bug fixes using http://bugs.squid-cache.org/
Report serious security bugs to Squid Bugs <squid-bugs@squid-cache.org>
Report ideas for new improvements to the Squid Developers mailing list
<squid-dev@squid-cache.org>
SEE ALSO
squid(8), basic_ldap_auth(8), GPL(7),
The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
The Squid Configuration Manual http://www.squid-cache.org/Doc/config/