11 ext_wbinfo_group_acl - external ACL helper for Squid to verify NT Domain group membership using wbinfo.
15 ext_wbinfo_group_acl [-dhK]
19 B<ext_wbinfo_group_acl> is an installed executable script.
20 It uses B<wbinfo> from Samba to look up the group membership of logged-in users.
22 This helper must be used with an authentication scheme (typically
23 Basic or NTLM) based on Windows NT/2000 domain users.
25 It reads from the standard input the domain username and a list of groups
26 and tries to match each against the group membership of the specified
35 Write debug info to stderr.
43 Downgrade Kerberos credentials to NTLM.
49 external_acl_type wbinfo_check %LOGIN /path/to/ext_wbinfo_group_acl
50 acl allowed_group external wbinfo_check Group1 Group2
51 http_access allow allowed_group
53 If the local perl interpreter is in an unusual location it may need to be added:
55 external_acl_type wbinfo_check %LOGIN /path/to/perl /path/to/ext_wbinfo_group_acl
59 This program was written by Jerry Murdock <jmurdock@itraktech.com>
61 This manual was written by Amos Jeffries <amosjeffries@squid-cache.org>
65 * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
67 * Squid software is distributed under GPLv2+ license and includes
68 * contributions from numerous individuals and organizations.
69 * Please see the COPYING and CONTRIBUTORS files for details.
71 This program is put in the public domain by Jerry Murdock
72 <jmurdock@itraktech.com>. It is distributed in the hope that it will
73 be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
74 of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
78 Questions on the usage of this program can be sent to the I<Squid Users mailing list <squid-users@squid-cache.org>>
82 Bug reports need to be made in English.
83 See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
85 Report bugs or bug fixes using http://bugs.squid-cache.org/
87 Report serious security bugs to I<Squid Bugs <squid-bugs@squid-cache.org>>
89 Report ideas for new improvements to the I<Squid Developers mailing list <squid-dev@squid-cache.org>>
93 The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
95 The Squid Configuration Manual http://www.squid-cache.org/Doc/config/
101 # 2010-08-27 Hank Hampel <hh@nr-city.net>
102 # Add Kerberos to NTLM conversion of credentials (-K)
104 # 2005-12-26 Guido Serassio <guido.serassio@acmeconsulting.it>
105 # Add '-d' command line debugging option
107 # 2005-12-24 Guido Serassio <guido.serassio@acmeconsulting.it>
108 # Fix for wbinfo from Samba 3.0.21
110 # 2004-08-15 Henrik Nordstrom <hno@squid-cache.org>
111 # Helper protocol changed to URL escaped in Squid-3.0
113 # 2005-06-28 Arno Streuli <astreuli@gmail.com>
114 # Add multi group check
116 # 2002-07-05 Jerry Murdock <jmurdock@itraktech.com>
124 # Disable output buffering
128 print STDERR
"@_\n" if $opt{d
};
132 # Check if a user belongs to a group
135 local($user, $group) = @_;
136 if ($opt{K
} && ($user =~ m/\@/)) {
137 @tmpuser = split(/\@/, $user);
138 $user = "$tmpuser[1]\\$tmpuser[0]";
140 $groupSID = `wbinfo -n "$group" | cut -d" " -f1`;
142 $groupGID = `wbinfo -Y "$groupSID"`;
144 &debug
( "User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
145 return 'ERR' if($groupGID eq ""); # Verify if groupGID variable is empty.
146 return 'ERR' if(`wbinfo -r \Q$user\E` eq ""); # Verify if "wbinfo -r" command returns no value.
147 return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
152 # Command line options processing
157 my $opt_string = 'hdK';
158 getopts
( "$opt_string", \
%opt ) or usage
();
163 # Message about this program and how to use it
167 print "Usage: ext_wbinfo_group_acl -dh\n";
168 print "\t-d enable debugging\n";
169 print "\t-h print the help\n";
170 print "\t-K downgrade Kerberos credentials to NTLM.\n";
175 print STDERR
"Debugging mode ON.\n" if $opt{d
};
182 &debug
("Got $_ from squid");
183 ($user, @groups) = split(/\s+/);
184 $user =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("c",hex($1))/eg;
185 # test each group Squid sends in its request
186 foreach $group (@groups) {
187 $group =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("c",hex($1))/eg;
188 $ans = &check
($user, $group);
189 last if $ans eq "OK";
191 &debug
("Sending $ans to squid");