[squid-users] external_acl_type LDAP for acl NOT related to auth

Amos Jeffries squid3 at treenet.co.nz
Mon Sep 24 23:08:36 UTC 2018


On 25/09/18 7:48 AM, Marcio Vogel Merlone dos Santos wrote:
> Hi,
> 
> Searched google but could not find anyone trying this. I want to use
> some LDAP data to create an ACL not related to authentication or
> users/groups. I want to create an ACL like this pseudo conf:
> 
>> external_acl_type myServers ttl=300 ipv4 %SRC
>> /usr/lib/squid/ldap_lookup_acl -p
>>
>> http_access allow myServers
>>
> Where 'myServers' contains a list of machines that don't need to auth
> the service, for example. Other uses would be to define a network list,
> mac lists, people with youtube access, and so on. Is it possible, has
> someone already made it, can anyone point me the direction?


Look at the example configuration for the eDirectory user-IP helper; it
uses the src-IP as the "username" being looked up.
 <http://www.squid-cache.org/Versions/v3/3.5/manuals/ext_edirectory_userip_acl.html>

Wrapping is currently broken in that doc, I've fixed that below for clarity:

  external_acl_type IPUser %SRC /usr/sbin/ext_edirectory_userip_acl

  acl edirectory_users_allowed external IPUser \
    cn=Internet_Allowed,ou=ORG,o=BASE

  acl edirectory_users_denied external IPUser \
    cn=Internet_Denied,ou=ORG,o=BASE

  http_access deny edirectory_users_denied
  http_access allow edirectory_users_allowed
  http_access deny all


The above config passes the LDAP path details as %DATA, so the helper
gets told to always use the src-IP as the "username" and each acl line
tells it which LDAP path/directory to check for that particular ACL
test. This allows multiple tables for different whitelist or blacklist
checks by the same helper.


You may be able to use the above helper as-is, or use the existing AD
LDAP group helpers with %SRC in a similar way. Though the older AD
helpers probably need to use %g macro in the -f filter to specify where
the %DATA portion is to go.

Disclaimer: I have not tried this myself, so YMMV.

Amos
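An added example (mine, not the helper from the thread and not Squid's own code) of the %SRC-plus-%DATA pattern described above: a small helper speaking Squid's external ACL line protocol, with a constructed in-memory table standing in for the LDAP lookup. The squid.conf lines, script path and group DNs are assumptions.

```python
#!/usr/bin/env python3
"""Squid external ACL helper keyed on %SRC, with a per-acl group passed as %DATA.

Assumed wiring (an assumption, not from the thread):
  external_acl_type myServers ttl=300 ipv4 %SRC /usr/local/bin/ip_group_acl.py
  acl my_servers external myServers cn=Internet_Allowed,ou=ORG,o=BASE
  http_access allow my_servers
Squid sends one line per lookup, "[channel-id] <src-ip> <acl-args>", with
fields URL-encoded (the default quote=url); the helper answers OK, ERR or BH.
"""
import ipaddress
import sys
from urllib.parse import unquote

# Constructed stand-in for the LDAP directory: group DN -> member networks.
DIRECTORY = {
    "cn=Internet_Allowed,ou=ORG,o=BASE": ["10.0.5.0/24", "192.0.2.10/32"],
    "cn=Internet_Denied,ou=ORG,o=BASE": ["10.0.5.13/32"],
}

def lookup(src_ip, group_dn, directory=DIRECTORY):
    """True/False if src_ip is/isn't in group_dn; None if we cannot answer."""
    nets = directory.get(group_dn)
    try:
        ip = ipaddress.ip_address(src_ip)
    except ValueError:
        return None  # %SRC did not parse as an address
    if nets is None:
        return None  # unknown group DN: a lookup fault, not a "no match"
    return any(ip in ipaddress.ip_network(n) for n in nets)

def handle_line(line, directory=DIRECTORY):
    """Map one request line to the reply line Squid expects back."""
    fields = [unquote(f) for f in line.split()]
    channel = ""
    if len(fields) >= 3 and fields[0].isdigit():  # concurrency=N adds an id
        channel, fields = fields[0] + " ", fields[1:]
    if len(fields) < 2:
        return channel + "BH message=expected_src_and_group"
    verdict = lookup(fields[0], fields[1], directory)
    if verdict is None:  # BH: helper fault, distinct from a negative match
        return channel + "BH message=unknown_group_or_bad_src"
    return channel + ("OK" if verdict else "ERR")

def main():
    for line in sys.stdin:  # one reply per line; Squid blocks on each
        print(handle_line(line.rstrip("\n")), flush=True)

if __name__ == "__main__":
    main()
```

Note that a denied group is a second external ACL with its own %DATA argument, exactly as in the two eDirectory acl lines above, so one helper process serves both tables.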

