[squid-users] dynamic group using URI as group name on external acl with ext_ldap_group_acl

Diogenes S. Jesus splash at gmail.com
Sun Aug 21 22:54:36 UTC 2016


Hi everyone.

I have the following use case to accomplish using an ACL:

- Allow any authenticated user who is member of a group named after the URI

To construct this I've built the following squid.conf (snippet):

---------
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r
auth_param negotiate children 10
auth_param negotiate keep_alive on

external_acl_type ldap_HTTP %LOGIN %URI
/usr/lib/squid/ext_ldap_group_acl -D "cn=admin,dc=example,dc=com" -w
test -R -b "ou=authorization,dc=example,dc=com" -B
"ou=people,dc=example,dc=com" -f
'(&(objectclass=groupOfNames)(cn=%g)(member=uid=%u,ou=people,dc=example,dc=com))'
-h ldap01.example.com -d

acl allow_HTTP_ACL external ldap_HTTP ""

http_access deny !allow_HTTP_ACL all
http_access allow allow_HTTP_ACL
http_access deny all
---------

I call it a "dynamic" ACL, because the value of the group is the
actual URI (the search filter will expand like:
cn=<URI>,ou=authorization,dc=example,dc=com). For that,
"allow_HTTP_ACL" passes "" to ldap_HTTP.

This is working; however, it's not documented. I was wondering how
this works, so I debugged.

I found out that the %<template filter var> expands as follows for the
following search filter:
-f '(&(objectclass=groupOfNames)(<template_filter_reference>=%<template_filter>)(member=uid=%u,ou=people,dc=example,dc=com))'

1) '(&(objectclass=groupOfNames)(a=%a)(member=uid=%u,ou=people,dc=example,dc=com))':
ext_ldap_group_acl.cc(718): pid=25913 :group filter
'(&(objectclass=groupOfNames)(a=http://web.example.com/)(member=uid=john_doe,ou=people,dc=example,dc=com))',
searchbase 'ou=ou=authorization,dc=example,dc=com'
ext_ldap_group_acl.cc(718): pid=25913 :group filter
'(&(objectclass=groupOfNames)(a=GET)(member=uid=john_doe,ou=people,dc=example,dc=com))',
searchbase 'ou=authorization,dc=example,dc=com'
ext_ldap_group_acl.cc(718): pid=25913 :group filter
'(&(objectclass=groupOfNames)(a=80)(member=uid=john_doe,ou=people,dc=example,dc=com))',
searchbase 'ou=authorization,dc=example,dc=com'

2) '(&(objectclass=groupOfNames)(b=%b)(member=uid=%u,ou=people,dc=example,dc=com))':
ext_ldap_group_acl.cc(579): pid=26068 :Connected OK
ERROR: Unknown filter template string %b
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter.
filter="(&(objectclass=groupOfNames)(b=L?II??U", user="john_doe",
group="http://web.example.com/"
ERROR: Unknown filter template string %b
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter.
filter="(&(objectclass=groupOfNames)(b=L?II??U", user="john_doe",
group="GET"
ERROR: Unknown filter template string %b
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter.
filter="(&(objectclass=groupOfNames)(b=L?II??U", user="john_doe",
group="80"

3) '(&(objectclass=groupOfNames)(c=%c)(member=uid=%u,ou=people,dc=example,dc=com))':
ERROR: Unknown filter template string %c
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter.
filter="(&(objectclass=groupOfNames)(c=?پ>?U", user="john_doe",
group="http://web.example.com/"
ERROR: Unknown filter template string %c
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter.
filter="(&(objectclass=groupOfNames)(c=?پ>?U", user="john_doe",
group="GET"
ERROR: Unknown filter template string %c
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter.
filter="(&(objectclass=groupOfNames)(c=?پ>?U", user="john_doe",
group="80"

4) '(&(objectclass=groupOfNames)(test=%test)(member=uid=%u,ou=people,dc=example,dc=com))':
ERROR: Unknown filter template string %t
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter.
filter="(&(objectclass=groupOfNames)(test=?,?U", user="john_doe",
group="http://web.example.com/"
ERROR: Unknown filter template string %t
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter.
filter="(&(objectclass=groupOfNames)(test=?,?U", user="john_doe",
group="GET"
ERROR: Unknown filter template string %t
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter.
filter="(&(objectclass=groupOfNames)(test=?,?U", user="john_doe",
group="80"

5) '(&(objectclass=groupOfNames)(v=%v)(member=uid=%u,ou=people,dc=example,dc=com))':
ext_ldap_group_acl.cc(718): pid=26314 :group filter
'(&(objectclass=groupOfNames)(v=john_doe)(member=uid=john_doe,ou=people,dc=example,dc=com))',
searchbase 'ou=authorization,dc=example,dc=com'
ext_ldap_group_acl.cc(718): pid=26314 :group filter
'(&(objectclass=groupOfNames)(v=john_doe)(member=uid=john_doe,ou=people,dc=example,dc=com))',
searchbase 'ou=authorization,dc=example,dc=com'
ext_ldap_group_acl.cc(718): pid=26314 :group filter
'(&(objectclass=groupOfNames)(v=john_doe)(member=uid=john_doe,ou=people,dc=example,dc=com))',
searchbase 'ou=authorization,dc=example,dc=com'


6) '(&(objectclass=groupOfNames)(g=%g)(member=uid=%u,ou=people,dc=example,dc=com))':
ext_ldap_group_acl.cc(718): pid=26408 :group filter
'(&(objectclass=groupOfNames)(g=http://web.example.com/)(member=uid=john_doe,ou=people,dc=example,dc=com))',
searchbase 'ou=authorization,dc=example,dc=com'
ext_ldap_group_acl.cc(718): pid=26408 :group filter
'(&(objectclass=groupOfNames)(g=GET)(member=uid=john_doe,ou=people,dc=example,dc=com))',
searchbase 'ou=authorization,dc=example,dc=com'
ext_ldap_group_acl.cc(718): pid=26408 :group filter
'(&(objectclass=groupOfNames)(g=80)(member=uid=john_doe,ou=people,dc=example,dc=com))',
searchbase 'ou=authorization,dc=example,dc=com'

This is all pretty much happening here
[https://github.com/squid-cache/squid/blob/master/helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc#L638]

So conclusions:
- %v and %u both map to "user", which is expected (historical reasons
& compatibility)
- %g and %a both map to "group", which is expected (historical reasons
& compatibility)
- any other template filter (%b, %c, %test, etc) is trash (only %a,
%u, %g, %v won't yield error)
- when "" is passed to the acl ("acl <ACL_name> external ldap_HTTP
""), the helper will attempt all FORMAT values, mapping them to
"group" (%a or %g)


Although I can move on with this for now, I would actually be more
relieved if I could use:
acl allow_HTTP_ACL external ldap_HTTP <a_var_which_is_available_here_representing_URI>
instead of
acl allow_HTTP_ACL external ldap_HTTP "" + the non-documented behavior of
ext_ldap_group_acl

However, I don't know whether the <acl> directive has access to the URI
variable. Tips anyone?

Best regards
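Added example, not part of the post above or of the Squid helper source: a small model of how the -f template of ext_ldap_group_acl gets expanded, following the behaviour the post observed (%u/%v become the user, %g/%a become the group, any other template string is rejected, and with "" as the ACL argument every token after the user is tried as a group). It adds RFC 4515 escaping of the substituted values, so that a client-controlled URI cannot alter the structure of the LDAP filter; whether the real helper escapes in exactly this way is an assumption, and the sample input line is constructed.

```python
# Model of ext_ldap_group_acl filter-template expansion (added example, not
# the helper's own code). %u/%v -> user, %g/%a -> group, anything else is an
# error, matching the debug output in the post. Values are RFC 4515 escaped
# before insertion; that escaping step is an assumption about the real helper.

FILTER = ("(&(objectclass=groupOfNames)(cn=%g)"
          "(member=uid=%u,ou=people,dc=example,dc=com))")

# RFC 4515 escapes for characters that are special inside a filter value
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def ldap_escape(value: str) -> str:
    """Escape a value so it is treated as data, not filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, user: str, group: str) -> str:
    """Expand %u/%v and %g/%a; raise on any other template string."""
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        key = template[i + 1] if i + 1 < len(template) else ""
        if key in ("u", "v"):
            out.append(ldap_escape(user))
        elif key in ("g", "a"):
            out.append(ldap_escape(group))
        else:
            raise ValueError(f"Unknown filter template string %{key}")
        i += 2
    return "".join(out)


def filters_for_line(template: str, line: str) -> list:
    """One helper input line is the user followed by group tokens; with
    acl ... external ldap_HTTP "" each remaining token is tried as the group."""
    user, *groups = line.split()
    return [build_filter(template, user, g) for g in groups]


# Constructed sample of what the helper receives for the post's "%LOGIN %URI"
# format; the extra GET/80 tokens mirror the three attempts in the debug output.
SAMPLE_LINE = "john_doe http://web.example.com/ GET 80"

if __name__ == "__main__":
    for f in filters_for_line(FILTER, SAMPLE_LINE):
        print(f)
```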

