Discussion:
[squid-users] external_acl_type LDAP for acl NOT related to auth
Marcio Vogel Merlone dos Santos
2018-09-24 19:48:58 UTC
Hi,

Searched google but could not find anyone trying this. I want to use
some LDAP data to create an ACL not related to authentication or
external_acl_type myServers ttl=300 ipv4 %SRC
/usr/lib/squid/ldap_lookup_acl -p
http_access allow myServers
Where 'myServers' contains a list of machines that don't need to auth
the service, for example. Other uses would be to define a network list,
mac lists, people with youtube access, and so on. Is it possible, has
someone already made it, can anyone point me in the right direction?

Thanks, best regards.
--
*Marcio Merlone*
Amos Jeffries
2018-09-24 23:08:36 UTC
Post by Marcio Vogel Merlone dos Santos
Hi,
Searched google but could not find anyone trying this. I want to use
some LDAP data to create an ACL not related to authentication or
external_acl_type myServers ttl=300 ipv4 %SRC
/usr/lib/squid/ldap_lookup_acl -p
http_access allow myServers
Where 'myServers' contains a list of machines that don't need to auth
the service, for example. Other uses would be to define a network list,
mac lists, people with youtube access, and so on. Is it possible, has
someone already made it, can anyone point me in the right direction?
Look at the example configuration for the eDirectory user-IP helper; it
uses the src-IP as the "username" being looked up.
<http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_edirectory_userip_acl.html>

Wrapping is currently broken in that doc, I've fixed that below for clarity:

external_acl_type IPUser %SRC /usr/sbin/ext_edirectory_userip_acl

acl edirectory_users_allowed external IPUser \
cn=Internet_Allowed,ou=ORG,o=BASE

acl edirectory_users_denied external IPUser \
cn=Internet_Denied,ou=ORG,o=BASE

http_access deny edirectory_users_denied
http_access allow edirectory_users_allowed
http_access deny all


The above config passes the LDAP path details as %DATA, so the helper
gets told to always use the src-IP as the "username", and each acl line
tells it which LDAP path/directory to check for that particular ACL
test. This allows multiple tables to be consulted for different
whitelist or blacklist checks by the same helper.


You may be able to use the above helper as-is, or use the existing AD
LDAP group helpers with %SRC in a similar way. Though the older AD
helpers probably need to use the %g macro in the -f filter to specify
where the %DATA portion is to go.

Disclaimer: I have not tried this myself, so YMMV.

Amos

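To make the mechanism Amos describes concrete, here is an added example of a minimal external_acl_type helper written for this page; it is not code from the thread, from Squid, or from the ext_edirectory_userip_acl helper. It speaks the external ACL protocol: Squid writes one line per lookup containing the %SRC address followed by the acl line's argument (the %DATA part, here an LDAP group DN), and the helper answers OK or ERR. The directory itself is replaced by a constructed in-memory table so the script runs offline (assumption: a real helper would issue an LDAP search at that point). It also assumes Squid's url quoting of fields (the `quote=url` default in current releases) and the `BH` reply for requests the helper cannot parse (understood by Squid 3.4 and later).

```python
#!/usr/bin/env python3
"""Minimal Squid external_acl_type helper (example, not Squid's own code).

Squid hands us the client IP (%SRC) plus the acl line's argument (%DATA,
here an LDAP group DN) and expects OK or ERR back, one reply per request
line. The directory lookup below is a constructed stand-in for LDAP.
"""
import sys
from ipaddress import ip_address, ip_network
from urllib.parse import unquote

# Constructed stand-in for the directory: group DN -> member hosts/networks.
# A real helper would search LDAP for these instead (assumption).
FAKE_DIRECTORY = {
    "cn=Internet_Allowed,ou=ORG,o=BASE": ("192.0.2.10", "192.0.2.11",
                                          "198.51.100.0/24"),
    "cn=Internet_Denied,ou=ORG,o=BASE": ("192.0.2.11",),
}


def group_contains(group_dn, src_ip, directory=FAKE_DIRECTORY):
    """True only if the group exists and lists src_ip as a host or network.

    An unknown group or an unparsable address is a non-match, so a typo in
    squid.conf or a strange %SRC value never turns into an allow.
    """
    members = directory.get(group_dn)
    if members is None:
        return False
    try:
        addr = ip_address(src_ip)
    except ValueError:
        return False
    # strict=False lets a bare host address act as a /32 (or /128).
    return any(addr in ip_network(m, strict=False) for m in members)


def handle_line(line, directory=FAKE_DIRECTORY, concurrent=False):
    """Turn one request line from Squid into the reply line it expects.

    With concurrency=N in squid.conf every request starts with a channel id
    that has to be echoed back in front of the verdict. Fields arrive
    URL-quoted (quote=url, assumed default), so each one is unquoted.
    """
    fields = line.rstrip("\r\n").split()
    prefix = ""
    if concurrent and fields:
        prefix = fields.pop(0) + " "
    if len(fields) < 2:
        # BH = helper could not process the request; it is not a deny.
        return prefix + "BH message=malformed_request"
    src_ip = unquote(fields[0])
    # %DATA is everything after %SRC; rejoin in case it was split on spaces.
    group_dn = " ".join(unquote(f) for f in fields[1:])
    verdict = "OK" if group_contains(group_dn, src_ip, directory) else "ERR"
    return prefix + verdict


def main(argv=None):
    """Loop over stdin the way Squid drives a helper process."""
    args = sys.argv[1:] if argv is None else argv
    concurrent = "--concurrent" in args
    for line in sys.stdin:
        sys.stdout.write(handle_line(line, concurrent=concurrent) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply; never buffer it


if __name__ == "__main__":
    main()
```

Wired up in the same shape as the eDirectory example above, the squid.conf side would be `external_acl_type IPUser ttl=300 %SRC /usr/local/bin/ipgroup_acl.py` (hypothetical path) followed by `acl edirectory_users_allowed external IPUser cn=Internet_Allowed,ou=ORG,o=BASE`, so the DN on each acl line reaches the helper as %DATA while %SRC stays fixed. Two points worth keeping in mind for a production version: results are cached per distinct `%SRC %DATA` pair for `ttl` (and `negative_ttl`) seconds, so group changes in the directory take that long to show up, and anything the helper cannot resolve should come back as ERR or BH, never OK.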