2 * -----------------------------------------------------------------------------
4 * Author: Markus Moeller (markus_moeller at compuserve.com)
6 * Copyright (C) 2007 Markus Moeller. All rights reserved.
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307, USA.
22 * As a special exemption, M Moeller gives permission to link this program
23 * with MIT, Heimdal or other GSS/Kerberos libraries, and distribute
24 * the resulting executable, without including the source code for
25 * the Libraries in the source distribution.
27 * -----------------------------------------------------------------------------
30 * Hosted at http://sourceforge.net/projects/squidkerbauth
33 #include "helpers/defines.h"
44 init_args(struct main_args
*margs
)
59 margs
->ddomain
= NULL
;
65 void clean_gd(struct gdstruct
*gdsp
);
66 void clean_nd(struct ndstruct
*ndsp
);
67 void clean_ls(struct ndstruct
*lssp
);
70 clean_gd(struct gdstruct
*gdsp
)
72 struct gdstruct
*p
= NULL
, *pp
= NULL
;
101 clean_nd(struct ndstruct
*ndsp
)
103 struct ndstruct
*p
= NULL
, *pp
= NULL
;
119 if (pp
&& pp
->next
) {
132 clean_ls(struct lsstruct
*lssp
)
134 struct lsstruct
*p
= NULL
, *pp
= NULL
;
150 if (pp
&& pp
->next
) {
163 clean_args(struct main_args
*margs
)
205 if (margs
->ddomain
) {
206 xfree(margs
->ddomain
);
207 margs
->ddomain
= NULL
;
210 clean_gd(margs
->groups
);
211 margs
->groups
= NULL
;
214 clean_nd(margs
->ndoms
);
218 clean_ls(margs
->lservs
);
219 margs
->lservs
= NULL
;
226 main(int argc
, char *const argv
[])
230 char *nuser
, *nuser8
= NULL
, *netbios
;
233 struct main_args margs
;
235 setbuf(stdout
, NULL
);
240 while (-1 != (opt
= getopt(argc
, argv
, "diasg:D:N:S:u:U:t:T:p:l:b:m:h"))) {
252 margs
.ssl
= (char *) "yes";
255 margs
.glist
= xstrdup(optarg
);
258 margs
.ddomain
= xstrdup(optarg
);
261 margs
.nlist
= xstrdup(optarg
);
264 margs
.luser
= xstrdup(optarg
);
267 margs
.ulist
= xstrdup(optarg
);
270 margs
.ulist
= xstrdup(optarg
);
273 margs
.tlist
= xstrdup(optarg
);
276 margs
.lpass
= xstrdup(optarg
);
278 memset(optarg
, 'X', strlen(optarg
));
281 margs
.lurl
= xstrdup(optarg
);
284 margs
.lbind
= xstrdup(optarg
);
287 margs
.mdepth
= atoi(optarg
);
290 margs
.llist
= xstrdup(optarg
);
293 fprintf(stderr
, "Usage: \n");
294 fprintf(stderr
, "squid_kerb_ldap [-d] [-i] -g group list [-D domain] [-N netbios domain map] [-s] [-u ldap user] [-p ldap user password] [-l ldap url] [-b ldap bind path] [-a] [-m max depth] [-h]\n");
295 fprintf(stderr
, "-d full debug\n");
296 fprintf(stderr
, "-i informational messages\n");
297 fprintf(stderr
, "-g group list\n");
298 fprintf(stderr
, "-t group list (only group name hex UTF-8 format)\n");
299 fprintf(stderr
, "-T group list (all in hex UTF-8 format - except seperator @)\n");
300 fprintf(stderr
, "-D default domain\n");
301 fprintf(stderr
, "-N netbios to dns domain map\n");
302 fprintf(stderr
, "-S ldap server to dns domain map\n");
303 fprintf(stderr
, "-u ldap user\n");
304 fprintf(stderr
, "-p ldap user password\n");
305 fprintf(stderr
, "-l ldap url\n");
306 fprintf(stderr
, "-b ldap bind path\n");
307 fprintf(stderr
, "-s use SSL encryption with Kerberos authentication\n");
308 fprintf(stderr
, "-a allow SSL without cert verification\n");
309 fprintf(stderr
, "-m maximal depth for recursive searches\n");
310 fprintf(stderr
, "-h help\n");
311 fprintf(stderr
, "The ldap url, ldap user and ldap user password details are only used if the kerberised\n");
312 fprintf(stderr
, "access fails(e.g. unknown domain) or if the username does not contain a domain part\n");
313 fprintf(stderr
, "and no default domain is provided.\n");
314 fprintf(stderr
, "If the ldap url starts with ldaps:// it is either start_tls or simple SSL\n");
315 fprintf(stderr
, "The group list can be:\n");
316 fprintf(stderr
, "group - In this case group can be used for all keberised and non kerberised ldap servers\n");
317 fprintf(stderr
, "group@ - In this case group can be used for all keberised ldap servers\n");
318 fprintf(stderr
, "group@domain - In this case group can be used for ldap servers of domain domain\n");
319 fprintf(stderr
, "group1@domain1:group2@domain2:group3@:group4 - A list is build with a colon as seperator\n");
320 fprintf(stderr
, "Group membership is determined with AD servers through the users memberof attribute which\n");
321 fprintf(stderr
, "is followed to the top (e.g. if the group is a member of a group)\n");
322 fprintf(stderr
, "Group membership is determined with non AD servers through the users memberuid (assuming\n");
323 fprintf(stderr
, "PosixGroup) or primary group membership (assuming PosixAccount)\n");
324 fprintf(stderr
, "The ldap server list can be:\n");
325 fprintf(stderr
, "server - In this case server can be used for all Kerberos domains\n");
326 fprintf(stderr
, "server@ - In this case server can be used for all Kerberos domains\n");
327 fprintf(stderr
, "server@domain - In this case server can be used for Kerberos domain domain\n");
328 fprintf(stderr
, "server1a@domain1:server1b@domain1:server2@domain2:server3@:server4 - A list is build with a colon as seperator\n");
332 warn((char *) "%s| %s: WARNING: unknown option: -%c.\n", LogTime(), PROGRAM
, opt
);
336 debug((char *) "%s| %s: INFO: Starting version %s\n", LogTime(), PROGRAM
, KERBEROS_LDAP_GROUP_VERSION
);
337 if (create_gd(&margs
)) {
338 debug((char *) "%s| %s: FATAL: Error in group list: %s\n", LogTime(), PROGRAM
, margs
.glist
? margs
.glist
: "NULL");
343 if (create_nd(&margs
)) {
344 debug((char *) "%s| %s: FATAL: Error in netbios list: %s\n", LogTime(), PROGRAM
, margs
.nlist
? margs
.nlist
: "NULL");
349 if (create_ls(&margs
)) {
350 debug((char *) "%s| %s: Error in ldap server list: %s\n", LogTime(), PROGRAM
, margs
.llist
? margs
.llist
: "NULL");
356 if (fgets(buf
, sizeof(buf
) - 1, stdin
) == NULL
) {
358 debug((char *) "%s| %s: FATAL: fgets() failed! dying..... errno=%d (%s)\n", LogTime(), PROGRAM
, ferror(stdin
),
359 strerror(ferror(stdin
)));
363 exit(1); /* BIIG buffer */
369 c
= (char *) memchr(buf
, '\n', sizeof(buf
) - 1);
374 debug((char *) "%s| %s: ERR\n", LogTime(), PROGRAM
);
379 nuser
= strchr(user
, '\\');
381 nuser8
= strstr(user
, "%5C");
382 if (!nuser
&& !nuser8
)
383 nuser8
= strstr(user
, "%5c");
384 domain
= strrchr(user
, '@');
385 if (nuser
|| nuser8
) {
395 debug((char *) "%s| %s: INFO: Got User: %s Netbios Name: %s\n", LogTime(), PROGRAM
, nuser
, netbios
);
397 log((char *) "%s| %s: INFO: Got User: %s Netbios Name: %s\n", LogTime(), PROGRAM
, nuser
, netbios
);
398 domain
= get_netbios_name(&margs
, netbios
);
405 if (!domain
&& margs
.ddomain
) {
406 domain
= xstrdup(margs
.ddomain
);
408 debug((char *) "%s| %s: INFO: Got User: %s set default domain: %s\n", LogTime(), PROGRAM
, user
, domain
);
410 log((char *) "%s| %s: INFO: Got User: %s set default domain: %s\n", LogTime(), PROGRAM
, user
, domain
);
413 debug((char *) "%s| %s: INFO: Got User: %s Domain: %s\n", LogTime(), PROGRAM
, user
, domain
? domain
: "NULL");
415 log((char *) "%s| %s: INFO: Got User: %s Domain: %s\n", LogTime(), PROGRAM
, user
, domain
? domain
: "NULL");
417 if (!strcmp(user
, "QQ") && domain
&& !strcmp(domain
, "QQ")) {
421 if (check_memberof(&margs
, user
, domain
)) {
423 debug((char *) "%s| %s: DEBUG: OK\n", LogTime(), PROGRAM
);
426 debug((char *) "%s| %s: DEBUG: ERR\n", LogTime(), PROGRAM
);
437 *s
= toupper((unsigned char) *s
);
446 main(int argc
, char *const argv
[])
448 setbuf(stdout
, NULL
);
452 if (fgets(buf
, sizeof(buf
) - 1, stdin
) == NULL
) {
454 fprintf(stdout
, "ERR\n");
455 fprintf(stderr
, "LDAP group authorisation not supported\n");