c152a447 | 1 | #!@PERL@ -w |
2 | |
3 | use strict; | |
4 | use Pod::Usage; | |
5 | use Getopt::Long; | |
6 | ||
c152a447 | 7 | =pod |
d617cf18 | 8 | |
9 | =head1 NAME |
10 | ||
eb0c51fe | 11 | ext_wbinfo_group_acl - external ACL helper for Squid to verify NT Domain group membership using wbinfo. |
12 | |
13 | =head1 SYNOPSIS | |
14 | ||
eb0c51fe | 15 | ext_wbinfo_group_acl [-dhK] |
16 | |
17 | =head1 DESCRIPTION | |
18 | ||
19 | B<ext_wbinfo_group_acl> is an installed executable script. |
It uses B<wbinfo> from Samba to look up the group membership of logged-in users.
21 | |
This helper must be used together with an authentication scheme (typically
Basic or NTLM) whose user names are Windows NT/2000 domain accounts.
24 | ||
For each request it reads from standard input the domain username and a list
of group names, and answers OK if the user is a member of any one of those
groups, ERR otherwise.
28 | ||
29 | =head1 OPTIONS | |
30 | ||
31 | =over 12 |
32 | ||
33 | =item B<-d> | |
34 | ||
35 | Write debug info to stderr. | |
36 | ||
37 | =item B<-h> | |
38 | ||
39 | Print the help. | |
40 | ||
41 | =item B<-K> | |
42 | ||
Downgrade Kerberos credentials to NTLM: a login of the form C<user@REALM>
is rewritten to C<REALM\user> before it is passed to B<wbinfo>.
44 | ||
45 | =back | |
46 | |
47 | =head1 CONFIGURATION | |
48 | ||
49 | external_acl_type wbinfo_check %LOGIN /path/to/ext_wbinfo_group_acl |
50 | acl allowed_group external wbinfo_check Group1 Group2 | |
51 | http_access allow allowed_group | |
52 | |
If the local perl interpreter is in an unusual location it may need to be given explicitly:
54 | ||
eb0c51fe | 55 | external_acl_type wbinfo_check %LOGIN /path/to/perl /path/to/ext_wbinfo_group_acl |
56 | |
57 | =head1 AUTHOR | |
58 | ||
59 | This program was written by Jerry Murdock <jmurdock@itraktech.com> | |
60 | ||
61 | This manual was written by Amos Jeffries <amosjeffries@squid-cache.org> | |
62 | ||
63 | =head1 COPYRIGHT | |
64 | ||
bde978a6 | 65 | * Copyright (C) 1996-2015 The Squid Software Foundation and contributors |
66 | * |
67 | * Squid software is distributed under GPLv2+ license and includes | |
68 | * contributions from numerous individuals and organizations. | |
69 | * Please see the COPYING and CONTRIBUTORS files for details. | |
70 | ||
71 | This program is put in the public domain by Jerry Murdock | |
72 | <jmurdock@itraktech.com>. It is distributed in the hope that it will | |
73 | be useful, but WITHOUT ANY WARRANTY; without even the implied warranty | |
74 | of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. | |
75 | |
76 | =head1 QUESTIONS | |
77 | ||
eb0c51fe | 78 | Questions on the usage of this program can be sent to the I<Squid Users mailing list <squid-users@squid-cache.org>> |
79 | |
80 | =head1 REPORTING BUGS | |
81 | ||
82 | Bug reports need to be made in English. | |
83 | See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report. | |
84 | ||
85 | Report bugs or bug fixes using http://bugs.squid-cache.org/ | |
86 | ||
eb0c51fe | 87 | Report serious security bugs to I<Squid Bugs <squid-bugs@squid-cache.org>> |
c152a447 | 88 | |
eb0c51fe | 89 | Report ideas for new improvements to the I<Squid Developers mailing list <squid-dev@squid-cache.org>> |
90 | |
91 | =head1 SEE ALSO | |
92 | ||
93 | The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq | |
94 | ||
95 | The Squid Configuration Manual http://www.squid-cache.org/Doc/config/ | |
96 | ||
97 | =cut | |
ee28ce13 | 98 | |
99 | # |
100 | # Version history: | |
101 | # 2010-08-27 Hank Hampel <hh@nr-city.net> | |
102 | # Add Kerberos to NTLM conversion of credentials (-K) | |
103 | # | |
104 | # 2005-12-26 Guido Serassio <guido.serassio@acmeconsulting.it> | |
105 | # Add '-d' command line debugging option | |
106 | # | |
107 | # 2005-12-24 Guido Serassio <guido.serassio@acmeconsulting.it> | |
108 | # Fix for wbinfo from Samba 3.0.21 | |
109 | # | |
110 | # 2004-08-15 Henrik Nordstrom <hno@squid-cache.org> | |
111 | # Helper protocol changed to URL escaped in Squid-3.0 | |
112 | # | |
113 | # 2005-06-28 Arno Streuli <astreuli@gmail.com> | |
114 | # Add multi group check | |
115 | # | |
116 | # 2002-07-05 Jerry Murdock <jmurdock@itraktech.com> | |
117 | # Initial release | |
118 | ||
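#
# Globals
#
# %opt holds the parsed command line switches (d, h, K); it is filled by
# init() and read by debug() and check().  Declared with `our` rather than
# the obsolete `use vars` pragma; the effect under `use strict` is the same.
#
our %opt;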
123 | ||
# Turn on autoflush for STDOUT so every OK/ERR answer is delivered to Squid
# the moment it is printed instead of sitting in a stdio buffer.
select((select(STDOUT), $| = 1)[0]);
ee28ce13 | 126 | |
# Write a diagnostic line to STDERR.  Silent unless -d was given, so the
# helper's normal STDOUT/STDIN protocol with Squid is never disturbed.
sub debug {
    return unless $opt{d};
    print STDERR join(' ', @_), "\n";
}
130 | ||
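#
# Check if a user belongs to a group
#
# Arguments:
#   $user  - login name as received from Squid (%LOGIN, already URL-decoded)
#   $group - one group name from the acl line (already URL-decoded)
#
# Returns 'OK' when the group resolves (via `wbinfo -n` / `wbinfo -Y`) to a
# numeric GID that appears as a line in the user's `wbinfo -r` output, and
# 'ERR' otherwise: unknown group, unknown user, empty wbinfo output, or
# wbinfo could not be started.
#
# Security: $user is whatever the client authenticated as and must be treated
# as untrusted.  Every wbinfo call goes through _run_wbinfo(), which uses the
# list form of open() so that user and group names are handed to wbinfo as
# argv entries and are never interpreted by a shell.  (The previous version
# built shell command lines by string interpolation.)
#
# Variables are lexical (`my`); `local` on undeclared globals is rejected by
# the `use strict` at the top of this file.
#
sub check {
    my ($user, $group) = @_;

    # -K: rewrite a Kerberos-style "user@REALM" login into "REALM\user".
    # Only the first two '@'-separated fields are used, as before.
    if ($opt{K} && ($user =~ m/\@/)) {
        my ($name, $realm) = split(/\@/, $user);
        $user = "$realm\\$name";
    }

    # Resolve the group name to its SID: the first space-separated field of
    # the `wbinfo -n` output, the rest of the line is ignored.
    my $groupSID = (split(/ /, _run_wbinfo('-n', $group), 2))[0];
    $groupSID = '' unless defined $groupSID;
    chomp $groupSID;    # chomp, not chop: never eat a real character

    # Map the SID to a numeric GID; empty output means the group is unknown.
    my $groupGID = _run_wbinfo('-Y', $groupSID);
    chomp $groupGID;

    debug("User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");

    return 'ERR' if $groupGID eq '';

    # Fetch the user's GID list once (the old code ran `wbinfo -r` twice).
    my $memberGIDs = _run_wbinfo('-r', $user);
    return 'ERR' if $memberGIDs eq '';    # unknown user or wbinfo failure

    # The GID must occupy a whole line of the output; quoted in case wbinfo
    # ever returns something other than digits.
    return 'OK' if $memberGIDs =~ /^\Q$groupGID\E$/m;
    return 'ERR';
}

# Run `wbinfo @args` and return everything it wrote to STDOUT as one string.
# Returns '' when wbinfo cannot be started or prints nothing.  Uses the list
# form of open() so no argument ever passes through /bin/sh.  wbinfo's exit
# status is not inspected, matching the behaviour of the old backtick calls.
sub _run_wbinfo {
    my @args = @_;
    my $out = '';
    if (open(my $fh, '-|', 'wbinfo', @args)) {
        local $/ = undef;    # slurp the whole output
        $out = <$fh>;
        $out = '' unless defined $out;
        close($fh);
    } else {
        debug("cannot run wbinfo @args: $!");
    }
    return $out;
}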
150 | ||
#
# Command line options processing
#
# Fills the global %opt from @ARGV.  Recognised switches are -h, -d and -K
# (none take an argument).  An unknown switch, or -h, shows the usage text
# via usage(), which does not return.
#
sub init()
{
    use Getopt::Std;
    my $known_switches = 'hdK';
    usage() unless getopts($known_switches, \%opt);
    usage() if $opt{h};
}
161 | ||
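#
# Message about this program and how to use it
#
# Prints the option summary to STDOUT and terminates the helper.  Reached
# from init() on -h or on an unparsable command line; never returns.
#
sub usage()
{
    # Keep this list in step with the POD SYNOPSIS/OPTIONS above; the
    # summary line previously omitted -K although the switch is described.
    print "Usage: ext_wbinfo_group_acl -dhK\n";
    print "\t-d enable debugging\n";
    print "\t-h print the help\n";
    print "\t-K downgrade Kerberos credentials to NTLM.\n";
    exit;
}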
173 | ||
# Parse the command line, then announce debug mode on STDERR if requested.
init();
if ($opt{d}) {
    print STDERR "Debugging mode ON.\n";
}
176 | ||
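#
# Main loop
#
# Squid sends one request per line: the login name (%LOGIN) followed by the
# group names from the acl line, all fields %XX-escaped (helper protocol
# since Squid-3.0).  Exactly one "OK" or "ERR" line is written back per
# request.  The answer is OK as soon as any listed group matches.
#

# Undo the %XX escaping Squid applies to helper protocol fields.  chr() is
# used rather than pack("c", ...): same bytes for 0x00-0xFF, but without the
# "wrapped" warning -w emits for values above 0x7F.
sub _unescape {
    my ($field) = @_;
    $field =~ s/%([0-9a-fA-F]{2})/chr(hex($1))/eg;
    return $field;
}

while (<STDIN>) {
    # chomp, not chop: a final line that lacks "\n" must keep its last byte,
    # otherwise the last group name is silently truncated.
    chomp;
    debug("Got $_ from squid");
    my ($user, @groups) = split(/\s+/);
    $user = defined($user) ? _unescape($user) : '';

    # Fail closed: a request with no group names (or a blank line) answers
    # ERR instead of re-using the answer left over from the previous line.
    my $ans = 'ERR';
    foreach my $group (@groups) {
        $ans = check($user, _unescape($group));
        last if $ans eq 'OK';
    }
    debug("Sending $ans to squid");
    print "$ans\n";
}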