c152a447 | 1 | #!@PERL@ -w |
ee28ce13 | 2 | # |
ca02e0ec AJ |
3 | ## Copyright (C) 1996-2014 The Squid Software Foundation and contributors |
4 | ## | |
5 | ## Squid software is distributed under GPLv2+ license and includes | |
6 | ## contributions from numerous individuals and organizations. | |
7 | ## Please see the COPYING and CONTRIBUTORS files for details. | |
8 | ## | |
9 | # | |
ee28ce13 | 10 | # external_acl helper to Squid to verify NT Domain group |
11 | # membership using wbinfo | |
12 | # | |
13 | # This program is put in the public domain by Jerry Murdock | |
14 | # <jmurdock@itraktech.com>. It is distributed in the hope that it will | |
15 | # be useful, but WITHOUT ANY WARRANTY; without even the implied warranty | |
16 | # of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | |
17 | # | |
18 | # Author: | |
19 | # Jerry Murdock <jmurdock@itraktech.com> | |
20 | # | |
21 | # Version history: | |
2a4b511e AJ |
22 | # 2010-08-27 Hank Hampel <hh@nr-city.net> |
23 | # Add Kerberos to NTLM conversion of credentials (-K) | |
24 | # | |
47ea0413 | 25 | # 2005-12-26 Guido Serassio <guido.serassio@acmeconsulting.it> |
26 | # Add '-d' command line debugging option | |
27 | # | |
585e63cb | 28 | # 2005-12-24 Guido Serassio <guido.serassio@acmeconsulting.it> |
29 | # Fix for wbinfo from Samba 3.0.21 | |
30 | # | |
1958420a | 31 | # 2004-08-15 Henrik Nordstrom <hno@squid-cache.org> |
32 | # Helper protocol changed to URL escaped in Squid-3.0 | |
ee28ce13 | 33 | # |
d617cf18 | 34 | # 2005-06-28 Arno Streuli <astreuli@gmail.com> |
35 | # Add multi group check | |
585e63cb | 36 | # |
37 | # 2002-07-05 Jerry Murdock <jmurdock@itraktech.com> | |
38 | # Initial release | |
c152a447 | 39 | =pod |
d617cf18 | 40 | |
c152a447 AJ |
41 | =head1 NAME |
42 | ||
43 | ext_wbinfo_group_acl - external ACL helper for Squid to verify NT Domain group membership using wbinfo. | |
44 | ||
45 | =head1 SYNOPSIS | |
46 | ||
47 | ext_wbinfo_group_acl [-dhK] | |
48 | ||
49 | =head1 DESCRIPTION | |
50 | ||
51 | ext_wbinfo_group_acl is an installed executable script. | |
52 | It uses wbinfo from Samba to look up group membership of logged in users. | |
53 | ||
54 | This helper must be used with an authentication scheme (typically | |
55 | Basic or NTLM) based on Windows NT/2000 domain users. | |
56 | ||
57 | It reads from the standard input the domain username and a list of groups | |
58 | and tries to match each against the group membership of the specified | |
59 | username. | |
60 | ||
61 | =head1 OPTIONS | |
62 | ||
63 | -d Write debug info to stderr. | |
64 | -h Print the help. | |
2a4b511e | 65 | -K downgrade Kerberos credentials to NTLM. |
c152a447 AJ |
66 | |
67 | =head1 CONFIGURATION | |
68 | ||
69 | external_acl_type wbinfo_check %LOGIN /path/to/ext_wbinfo_group_acl | |
70 | acl allowed_group external wbinfo_check Group1 Group2 | |
71 | http_access allow allowed_group | |
72 | ||
73 | If the local perl interpreter is in an unusual location it may need to be added: | |
74 | ||
75 | external_acl_type wbinfo_check %LOGIN /path/to/perl /path/to/ext_wbinfo_group_acl | |
76 | ||
77 | =head1 AUTHOR | |
78 | ||
79 | This program was written by Jerry Murdock <jmurdock@itraktech.com> | |
80 | ||
81 | This manual was written by Amos Jeffries <amosjeffries@squid-cache.org> | |
82 | ||
83 | =head1 COPYRIGHT | |
84 | ||
85 | This program is put in the public domain by Jerry Murdock | |
86 | <jmurdock@itraktech.com>. It is distributed in the hope that it will | |
87 | be useful, but WITHOUT ANY WARRANTY; without even the implied warranty | |
88 | of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | |
89 | ||
90 | =head1 QUESTIONS | |
91 | ||
92 | Questions on the usage of this program can be sent to the | |
93 | Squid Users mailing list <squid-users@squid-cache.org> | |
94 | ||
95 | =head1 REPORTING BUGS | |
96 | ||
97 | Bug reports need to be made in English. | |
98 | See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report. | |
99 | ||
100 | Report bugs or bug fixes using http://bugs.squid-cache.org/ | |
101 | ||
102 | Report serious security bugs to Squid Bugs <squid-bugs@squid-cache.org> | |
103 | ||
104 | Report ideas for new improvements to the | |
105 | Squid Developers mailing list <squid-dev@squid-cache.org> | |
106 | ||
107 | =head1 SEE ALSO | |
108 | ||
109 | The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq | |
110 | ||
111 | The Squid Configuration Manual http://www.squid-cache.org/Doc/config/ | |
112 | ||
113 | =cut | |
ee28ce13 | 114 | |
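#
# Globals
#
# Command line options, filled in by init() via Getopt::Std:
#   d - write debug info to stderr
#   h - print the help and exit
#   K - rewrite Kerberos "user@REALM" credentials to the NTLM "REALM\user" form
# ("our" replaces the obsolete "use vars" and is equally safe under strict.)
our %opt;

# Disable output buffering so every answer reaches Squid immediately.
$| = 1;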
ee28ce13 | 122 | |
# Print a diagnostic line to stderr; does nothing unless -d was given.
# All arguments are joined with a single space, like "@_".
sub debug {
    return unless $opt{d};
    my $message = join(' ', @_);
    print STDERR $message, "\n";
}
126 | ||
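#
# Check if a user belongs to a group
#
# Arguments: $user (domain username, already URL-unescaped), $group (group name).
# Returns 'OK' when the group's GID appears in the user's group list as
# reported by "wbinfo -r", and 'ERR' otherwise -- including when wbinfo
# cannot resolve the group or the user, or cannot be run at all.
#
sub check {
    my ($user, $group) = @_;

    # -K: rewrite a Kerberos principal "user@REALM" into the NTLM form "REALM\user".
    if ($opt{K} && $user =~ m/\@/) {
        my @parts = split(/\@/, $user);
        $user = "$parts[1]\\$parts[0]";
    }

    # "wbinfo -n" prints "<SID> <type>"; keep only the SID (the old "cut -f1").
    my ($groupSID) = split(' ', _wbinfo('-n', $group));
    $groupSID = '' unless defined $groupSID;

    # Map the SID to a GID; skip the lookup when the group is already unknown.
    my $groupGID = '';
    if ($groupSID ne '') {
        $groupGID = _wbinfo('-Y', $groupSID);
        chomp $groupGID;    # chomp, not chop: never eat a digit when there is no trailing newline
    }
    debug("User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");

    return 'ERR' if $groupGID eq '';    # group unknown to winbind

    # GIDs of the user's groups, one per line; empty when the user is unknown.
    # Run "wbinfo -r" once instead of twice as before.
    my $userGIDs = _wbinfo('-r', $user);
    return 'ERR' if $userGIDs eq '';
    # \Q..\E: the GID comes from external output, so match it literally, not as a pattern.
    return 'OK' if $userGIDs =~ /^\Q$groupGID\E$/m;
    return 'ERR';
}

#
# Run wbinfo with the given arguments and return its standard output.
#
# The list-form pipe open never involves a shell, so user-supplied logins
# (%LOGIN) and configured group names are passed to wbinfo verbatim and
# cannot be interpreted as shell syntax; this replaces the earlier
# backtick invocations that interpolated those values into a command line.
# Returns '' when wbinfo cannot be started or prints nothing.
#
sub _wbinfo {
    my @args = @_;
    open(my $fh, '-|', 'wbinfo', @args) or return '';
    my $out = do { local $/; <$fh> };
    close($fh);    # exit status deliberately ignored: empty output already means ERR
    return defined $out ? $out : '';
}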
146 | ||
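#
# Command line options processing
#
# Fills the global %opt from @ARGV. Prints the usage text and exits
# (via usage()) when -h is given or an unknown option is encountered.
# No prototype: "sub init()" only changed how calls were parsed, not
# what was validated.
#
sub init {
    use Getopt::Std;
    my $opt_string = 'hdK';
    getopts($opt_string, \%opt) or usage();
    usage() if $opt{h};
    return;
}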
157 | ||
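#
# Message about this program and how to use it
#
# Prints the option summary to stdout and exits. Called for -h and on any
# unknown option. The summary line now lists -K, which was added to the
# option set but missing from the usage text.
#
sub usage {
    print "Usage: ext_wbinfo_group_acl [-dhK]\n";
    print "\t-d enable debugging\n";
    print "\t-h print the help\n";
    print "\t-K downgrade Kerberos credentials to NTLM.\n";
    exit;
}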
169 | ||
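init();
print STDERR "Debugging mode ON.\n" if $opt{d};

#
# Main loop
#
# Each request line from Squid is "<user> <group> [<group> ...]" with every
# field URL-escaped (Squid-3.0 helper protocol). Answer OK as soon as one
# listed group matches, ERR otherwise.
#
while (my $line = <STDIN>) {
    chomp $line;    # chomp, not chop: a final line without newline must keep its last character
    debug("Got $line from squid");
    my ($user, @groups) = split(/\s+/, $line);
    $user = _unescape($user);

    # Reset per request: a request with no groups must answer ERR rather
    # than repeat the previous answer.
    my $ans = 'ERR';
    # test for each group squid sends in its request
    foreach my $group (@groups) {
        $group = _unescape($group);
        $ans = check($user, $group);
        last if $ans eq 'OK';
    }
    debug("Sending $ans to squid");
    print "$ans\n";
}

#
# Decode the %XX escapes of the helper protocol. Undefined input (an empty
# request line) decodes to ''.
#
sub _unescape {
    my ($text) = @_;
    $text = '' unless defined $text;
    $text =~ s/%([0-9a-fA-F]{2})/chr(hex($1))/eg;
    return $text;
}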