[squid-users] dynamic group using URI as group name on external acl with ext_ldap_group_acl
Diogenes S. Jesus
splash at gmail.com
Sun Aug 21 22:54:36 UTC 2016
Hi everyone.
I have the following use case to be accomplished using ACLs:
- Allow any authenticated user who is a member of a group named after the URI
To construct this, I've built the following squid.conf (snippet):
---------
auth_param negotiate program /usr/lib/squid3/negotiate_kerberos_auth -d -r
auth_param negotiate children 10
auth_param negotiate keep_alive on
external_acl_type ldap_HTTP %LOGIN %URI /usr/lib/squid/ext_ldap_group_acl -D "cn=admin,dc=example,dc=com" -w test -R -b "ou=authorization,dc=example,dc=com" -B "ou=people,dc=example,dc=com" -f '(&(objectclass=groupOfNames)(cn=%g)(member=uid=%u,ou=people,dc=example,dc=com))' -h ldap01.example.com -d
acl allow_HTTP_ACL external ldap_HTTP ""
http_access deny !allow_HTTP_ACL all
http_access allow allow_HTTP_ACL
http_access deny all
---------
I call it a "dynamic" acl because the value of the group is the
actual URI (the search filter expands to something like
cn=<URI>,ou=authorization,dc=example,dc=com). For that,
"allow_HTTP_ACL" passes "" to ldap_HTTP.
This works; however, it's not documented. I was wondering how
it works, so I debugged it.
I found that the %<template_filter_var> expands as follows for the
following search filter:
-f '(&(objectclass=groupOfNames)(<template_filter_reference>=%<template_filter>)(member=uid=%u,ou=people,dc=example,dc=com))'
1) '(&(objectclass=groupOfNames)(a=%a)(member=uid=%u,ou=people,dc=example,dc=com))':
ext_ldap_group_acl.cc(718): pid=25913 :group filter
'(&(objectclass=groupOfNames)(a=http://web.example.com/)(member=uid=john_doe,ou=people,dc=example,dc=com))',
searchbase 'ou=authorization,dc=example,dc=com'
ext_ldap_group_acl.cc(718): pid=25913 :group filter
'(&(objectclass=groupOfNames)(a=GET)(member=uid=john_doe,ou=people,dc=example,dc=com))',
searchbase 'ou=authorization,dc=example,dc=com'
ext_ldap_group_acl.cc(718): pid=25913 :group filter
'(&(objectclass=groupOfNames)(a=80)(member=uid=john_doe,ou=people,dc=example,dc=com))',
searchbase 'ou=authorization,dc=example,dc=com'
2) '(&(objectclass=groupOfNames)(b=%b)(member=uid=%u,ou=people,dc=example,dc=com))':
ext_ldap_group_acl.cc(579): pid=26068 :Connected OK
ERROR: Unknown filter template string %b
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter.
filter="(&(objectclass=groupOfNames)(b=L?II??U", user="john_doe",
group="http://web.example.com/"
ERROR: Unknown filter template string %b
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter.
filter="(&(objectclass=groupOfNames)(b=L?II??U", user="john_doe",
group="GET"
ERROR: Unknown filter template string %b
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter.
filter="(&(objectclass=groupOfNames)(b=L?II??U", user="john_doe",
group="80"
3) '(&(objectclass=groupOfNames)(c=%c)(member=uid=%u,ou=people,dc=example,dc=com))':
ERROR: Unknown filter template string %c
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter.
filter="(&(objectclass=groupOfNames)(c=?پ>?U", user="john_doe",
group="http://web.example.com/"
ERROR: Unknown filter template string %c
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter.
filter="(&(objectclass=groupOfNames)(c=?پ>?U", user="john_doe",
group="GET"
ERROR: Unknown filter template string %c
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter.
filter="(&(objectclass=groupOfNames)(c=?پ>?U", user="john_doe",
group="80"
4) '(&(objectclass=groupOfNames)(test=%test)(member=uid=%u,ou=people,dc=example,dc=com))':
ERROR: Unknown filter template string %t
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter.
filter="(&(objectclass=groupOfNames)(test=?,?U", user="john_doe",
group="http://web.example.com/"
ERROR: Unknown filter template string %t
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter.
filter="(&(objectclass=groupOfNames)(test=?,?U", user="john_doe",
group="GET"
ERROR: Unknown filter template string %t
ext_ldap_group_acl: ERROR: Failed to construct LDAP search filter.
filter="(&(objectclass=groupOfNames)(test=?,?U", user="john_doe",
group="80"
5) '(&(objectclass=groupOfNames)(v=%v)(member=uid=%u,ou=people,dc=example,dc=com))':
ext_ldap_group_acl.cc(718): pid=26314 :group filter
'(&(objectclass=groupOfNames)(v=john_doe)(member=uid=john_doe,ou=people,dc=example,dc=com))',
searchbase 'ou=authorization,dc=example,dc=com'
ext_ldap_group_acl.cc(718): pid=26314 :group filter
'(&(objectclass=groupOfNames)(v=john_doe)(member=uid=john_doe,ou=people,dc=example,dc=com))',
searchbase 'ou=authorization,dc=example,dc=com'
ext_ldap_group_acl.cc(718): pid=26314 :group filter
'(&(objectclass=groupOfNames)(v=john_doe)(member=uid=john_doe,ou=people,dc=example,dc=com))',
searchbase 'ou=authorization,dc=example,dc=com'
6) '(&(objectclass=groupOfNames)(g=%g)(member=uid=%u,ou=people,dc=example,dc=com))':
ext_ldap_group_acl.cc(718): pid=26408 :group filter
'(&(objectclass=groupOfNames)(g=http://web.example.com/)(member=uid=john_doe,ou=people,dc=example,dc=com))',
searchbase 'ou=authorization,dc=example,dc=com'
ext_ldap_group_acl.cc(718): pid=26408 :group filter
'(&(objectclass=groupOfNames)(g=GET)(member=uid=john_doe,ou=people,dc=example,dc=com))',
searchbase 'ou=authorization,dc=example,dc=com'
ext_ldap_group_acl.cc(718): pid=26408 :group filter
'(&(objectclass=groupOfNames)(g=80)(member=uid=john_doe,ou=people,dc=example,dc=com))',
searchbase 'ou=authorization,dc=example,dc=com'
This all pretty much happens here:
[https://github.com/squid-cache/squid/blob/master/helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc#L638]
So, conclusions:
- %v and %u both map to "user", which is expected (historical reasons
& compatibility)
- %g and %a both map to "group", which is expected (historical reasons
& compatibility)
- any other template filter (%b, %c, %test, etc.) is trash (only %a,
%u, %g, %v won't yield an error)
- when "" is passed to the acl ("acl <ACL_name> external ldap_HTTP
""), the helper will attempt all FORMAT values, mapping them to
"group" (%a or %g)
Although I can move on with this for now, I would actually be more
relieved if I could use:
acl allow_HTTP_ACL external ldap_HTTP
<a_var_which_is_available_here_representing_URI>
instead of
acl allow_HTTP_ACL external ldap_HTTP "" plus the undocumented behavior of
ext_ldap_group_acl.
However, I don't know whether the <acl> directive has access to the URI
variable. Tips, anyone?
Best regards
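The template expansion and the per-token group loop described in the post above, as an added Python simulation that is not part of the original message and not code from Squid or ext_ldap_group_acl. It reproduces what the post observed (%u/%v expand to the user, %g/%a to the group, any other %x is rejected with "Unknown filter template string", and every token after the user on a helper input line is tried as a group name). The RFC 4515 value escaping, the tiny in-memory "directory", the equality-only filter evaluator and the sample entries are assumptions of this example; it makes no claim about how the real helper treats special characters in a URI.

```python
"""Simulation of how ext_ldap_group_acl turns its -f template plus one
helper input line into LDAP searches.  Added example, not Squid code.
Template codes follow the post's observations: %u/%v -> user,
%g/%a -> group, any other %x is an error.  The escaping, the toy
directory and the filter evaluator are assumptions of this example."""

import re

# RFC 4515 escapes for characters that would otherwise change the filter
# structure (assumed hardening step; see lead-in).
_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}
_HEX_ESCAPE = re.compile(r'\\([0-9a-fA-F]{2})')


def ldap_escape_value(value):
    return ''.join(_ESCAPES.get(ch, ch) for ch in value)


def ldap_unescape_value(value):
    return _HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), value)


class UnknownTemplate(ValueError):
    """Mirrors 'ERROR: Unknown filter template string %x' from the helper."""


def build_filter(template, user, group, escape=True):
    """Expand %u/%v (user) and %g/%a (group) in the -f template.
    Any other %x raises, as the post observed for %b, %c and %test."""
    sub = ldap_escape_value if escape else (lambda s: s)
    out, i = [], 0
    while i < len(template):
        if template[i] != '%':
            out.append(template[i])
            i += 1
            continue
        code = template[i + 1] if i + 1 < len(template) else ''
        if code in ('u', 'v'):
            out.append(sub(user))
        elif code in ('g', 'a'):
            out.append(sub(group))
        else:
            raise UnknownTemplate('Unknown filter template string %' + code)
        i += 2
    return ''.join(out)


def template_error(template):
    """Return the helper-style error message for a template, or None."""
    try:
        build_filter(template, 'u', 'g')
    except UnknownTemplate as exc:
        return str(exc)
    return None


def helper_filters(line, template, escape=True):
    """One helper input line is '<user> <group> [<group> ...]'.  With the acl
    argument "" every FORMAT value after %LOGIN arrives here as a group token
    and the helper tries each one in turn (URL-decoding of tokens is not
    modelled)."""
    user, *groups = line.split()
    return [(g, build_filter(template, user, g, escape)) for g in groups]


_ASSERTION = re.compile(r'\(([A-Za-z]+)=([^()]*)\)')


def filter_matches(filt, entry):
    """Evaluate an '(&(attr=value)...)' filter of equality assertions against
    one toy entry (attribute -> list of values).  A bare '*' is a presence
    test as in LDAP; escaped bytes are decoded first, so an escaped '*' in a
    group name is compared literally."""
    if not (filt.startswith('(&') and filt.endswith(')')):
        return False
    body = filt[2:-1]
    if _ASSERTION.sub('', body).strip():
        return False  # leftover text means the filter is malformed
    for attr, raw in _ASSERTION.findall(body):
        values = entry.get(attr.lower(), [])
        if raw == '*':
            if not values:
                return False
        elif ldap_unescape_value(raw) not in values:
            return False
    return True


# Constructed toy directory: one groupOfNames per URI under ou=authorization.
DIRECTORY = [
    {'objectclass': ['groupOfNames'], 'cn': ['http://web.example.com/'],
     'member': ['uid=john_doe,ou=people,dc=example,dc=com']},
    {'objectclass': ['groupOfNames'], 'cn': ['http://intranet.example.com/'],
     'member': ['uid=jane_roe,ou=people,dc=example,dc=com']},
]

TEMPLATE = ('(&(objectclass=groupOfNames)(cn=%g)'
            '(member=uid=%u,ou=people,dc=example,dc=com))')


def decide(line, template=TEMPLATE, escape=True):
    """The helper's verdict: 'OK' if any group token's search matches."""
    for _group, filt in helper_filters(line, template, escape):
        if any(filter_matches(filt, entry) for entry in DIRECTORY):
            return 'OK'
    return 'ERR'


if __name__ == '__main__':
    for _, f in helper_filters('john_doe http://web.example.com/ GET 80', TEMPLATE):
        print('group filter', f)
    print(decide('john_doe http://web.example.com/ GET 80'))   # OK
    print(decide('jane_roe http://web.example.com/ GET 80'))   # ERR
    print(template_error('(b=%b)'))
    print(decide('john_doe *', escape=False), decide('john_doe *'))  # OK ERR
```

The last line of the demo is the caveat worth keeping in mind with this "dynamic" setup: the group name is whatever Squid put in the %URI token, so a request-controlled value ends up inside the LDAP filter. In the simulation, a bare `*` matches any group when substituted raw and matches nothing once escaped; whether the real helper escapes such characters is something to verify against its source rather than assume.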