1 #!@PERL@ -w
2
3 use strict;
4 use Pod::Usage;
5 use Getopt::Long;
6
7 =pod
8
9 =head1 NAME
10
11 ext_wbinfo_group_acl - external ACL helper for Squid to verify NT Domain group membership using wbinfo.
12
13 =head1 SYNOPSIS
14
15 ext_wbinfo_group_acl [-dhK]
16
17 =head1 DESCRIPTION
18
19 B<ext_wbinfo_group_acl> is an installed executable script.
20 It uses B<wbinfo> from Samba to look up the group membership of logged-in users.
21
22 This helper must be used with an authentication scheme (typically
23 Basic or NTLM) based on Windows NT/2000 domain users.
24
25 It reads the domain username and a list of groups from standard input
26 and tries to match each group against the group membership of the
27 specified username.
28
29 =head1 OPTIONS
30
31 =over 12
32
33 =item B<-d>
34
35 Write debug info to stderr.
36
37 =item B<-h>
38
39 Print the help.
40
41 =item B<-K>
42
43 Downgrade Kerberos credentials to NTLM.
44
45 =back
46
47 =head1 CONFIGURATION
48
49 external_acl_type wbinfo_check %LOGIN /path/to/ext_wbinfo_group_acl
50 acl allowed_group external wbinfo_check Group1 Group2
51 http_access allow allowed_group
52
53 If the local perl interpreter is in an unusual location it may need to be added:
54
55 external_acl_type wbinfo_check %LOGIN /path/to/perl /path/to/ext_wbinfo_group_acl
56
57 =head1 AUTHOR
58
59 This program was written by Jerry Murdock <jmurdock@itraktech.com>
60
61 This manual was written by Amos Jeffries <amosjeffries@squid-cache.org>
62
63 =head1 COPYRIGHT
64
65 * Copyright (C) 1996-2014 The Squid Software Foundation and contributors
66 *
67 * Squid software is distributed under GPLv2+ license and includes
68 * contributions from numerous individuals and organizations.
69 * Please see the COPYING and CONTRIBUTORS files for details.
70
71 This program is put in the public domain by Jerry Murdock
72 <jmurdock@itraktech.com>. It is distributed in the hope that it will
73 be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
74 of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
75
76 =head1 QUESTIONS
77
78 Questions on the usage of this program can be sent to the I<Squid Users mailing list <squid-users@squid-cache.org>>
79
80 =head1 REPORTING BUGS
81
82 Bug reports need to be made in English.
83 See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
84
85 Report bugs or bug fixes using http://bugs.squid-cache.org/
86
87 Report serious security bugs to I<Squid Bugs <squid-bugs@squid-cache.org>>
88
89 Report ideas for new improvements to the I<Squid Developers mailing list <squid-dev@squid-cache.org>>
90
91 =head1 SEE ALSO
92
93 The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
94
95 The Squid Configuration Manual http://www.squid-cache.org/Doc/config/
96
97 =cut
98
99 #
100 # Version history:
101 # 2010-08-27 Hank Hampel <hh@nr-city.net>
102 # Add Kerberos to NTLM conversion of credentials (-K)
103 #
104 # 2005-12-26 Guido Serassio <guido.serassio@acmeconsulting.it>
105 # Add '-d' command line debugging option
106 #
107 # 2005-12-24 Guido Serassio <guido.serassio@acmeconsulting.it>
108 # Fix for wbinfo from Samba 3.0.21
109 #
110 # 2004-08-15 Henrik Nordstrom <hno@squid-cache.org>
111 # Helper protocol changed to URL escaped in Squid-3.0
112 #
113 # 2005-06-28 Arno Streuli <astreuli@gmail.com>
114 # Add multi group check
115 #
116 # 2002-07-05 Jerry Murdock <jmurdock@itraktech.com>
117 # Initial release
118
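#
# Globals
#
# %opt holds the command line switches parsed by init(): d (debug),
# h (help) and K (Kerberos -> NTLM).  `our` replaces the obsolete
# `use vars` pragma and is visible to every sub below.
our %opt;

# Disable output buffering so that each reply line reaches Squid as soon
# as it is printed instead of sitting in a stdio buffer.
$| = 1;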
126
# Write the arguments, space separated, to stderr when -d is in effect.
# Does nothing otherwise.
sub debug {
    return unless $opt{d};
    print STDERR join(' ', @_), "\n";
    return;
}
130
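#
# Check if a user belongs to a group
#
# Returns the string 'OK' when $user is a member of $group and 'ERR' in
# every other case, including lookup failures (fail closed).  All winbind
# lookups go through _wbinfo(), which executes wbinfo directly rather than
# through a shell, so a login name or group name containing shell
# metacharacters reaches wbinfo verbatim instead of being interpreted.
#
sub check {
    my ($user, $group) = @_;

    # -K: Kerberos principals arrive as "user@REALM"; winbind wants the
    # NTLM form "REALM\user".  Only the first two '@'-separated parts are
    # used, as before.
    if ($opt{K} && $user =~ m/\@/) {
        my ($name, $realm) = split(/\@/, $user);
        $user = "$realm\\$name";
    }

    # Resolve group name -> SID -> unix GID.  `wbinfo -n` prints the SID
    # followed by the SID type; only the first whitespace-separated field
    # is the SID (this replaces the former `cut -d" " -f1`).
    my ($groupSID) = split(' ', _wbinfo('-n', $group));
    $groupSID = '' unless defined $groupSID;

    my $groupGID = $groupSID eq '' ? '' : _wbinfo('-Y', $groupSID);
    chomp $groupGID;    # chomp, not chop: never eat a digit if no newline

    debug("User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");

    # A GID is a non-negative integer; anything else (empty output or an
    # error message from wbinfo) means the group could not be resolved.
    return 'ERR' unless $groupGID =~ m/\A\d+\z/;

    # `wbinfo -r` lists the user's GIDs one per line.  Empty output means
    # the user is unknown to winbind (or winbind is unavailable).  Run it
    # once and reuse the output for both checks.
    my $user_gids = _wbinfo('-r', $user);
    return 'ERR' if $user_gids eq '';

    # \Q..\E keeps the GID literal inside the pattern.
    return 'OK' if $user_gids =~ m/^\Q$groupGID\E$/m;
    return 'ERR';
}

#
# Run wbinfo with the given arguments and return its whole standard output
# as one string.  Returns '' when wbinfo cannot be started.  The list form
# of open() bypasses the shell, so the arguments are never re-parsed as
# shell syntax.
#
sub _wbinfo {
    my @args = @_;
    my $pid = open(my $fh, '-|', 'wbinfo', @args);
    unless ($pid) {
        debug("wbinfo @args failed: $!");
        return '';
    }
    my $out = do { local $/; <$fh> };
    # Exit status is not consulted (matches the previous behaviour); empty
    # output is the failure signal the callers act on.
    close($fh);
    return defined $out ? $out : '';
}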
150
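#
# Command line options processing
#
# Fills the global %opt from @ARGV.  An unknown switch, or -h, prints the
# usage text and exits (via usage()).  The empty prototype was dropped:
# it only altered parsing and provided no argument checking.
#
sub init
{
    use Getopt::Std;
    # Recognised switches (all flags, no values): -h help, -d debug,
    # -K downgrade Kerberos credentials to NTLM.
    getopts('hdK', \%opt) or usage();
    usage() if $opt{h};
    return;
}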
161
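#
# Message about this program and how to use it
#
# Prints a short usage summary to stdout and terminates the helper; never
# returns.  The summary line now lists -K, which was documented in the
# option list below it but missing from the synopsis.
#
sub usage
{
    print "Usage: ext_wbinfo_group_acl [-dhK]\n";
    print "\t-d enable debugging\n";
    print "\t-h print the help\n";
    print "\t-K downgrade Kerberos credentials to NTLM.\n";
    exit;
}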
173
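init();
print STDERR "Debugging mode ON.\n" if $opt{d};

#
# Main loop
#
# Squid writes one request per line: the URL-escaped login name followed
# by the URL-escaped group names from the acl line.  The reply is OK when
# the user belongs to at least one of those groups and ERR otherwise.
#
while (my $line = <STDIN>) {
    chomp $line;    # chomp, not chop: a final line without "\n" keeps its last char
    debug("Got $line from squid");

    my ($user, @groups) = split(/\s+/, $line);
    $user = _url_unescape($user);

    # Default to ERR so a request with no groups (or an empty line) is
    # denied instead of echoing the previous request's answer.
    my $ans = 'ERR';

    # Test each group squid sent in its request; stop at the first match.
    foreach my $group (@groups) {
        $group = _url_unescape($group);
        if (check($user, $group) eq 'OK') {
            $ans = 'OK';
            last;
        }
    }

    debug("Sending $ans to squid");
    print "$ans\n";
}

#
# Decode the %XX escaping Squid applies to helper request fields.
# pack 'C' yields a raw byte for every value 0-255 (the signed 'c' format
# warns under -w for values above 127).  An undefined field decodes to ''.
#
sub _url_unescape {
    my ($text) = @_;
    return '' unless defined $text;
    $text =~ s/%([0-9a-fA-F]{2})/pack('C', hex($1))/eg;
    return $text;
}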