1 #!@PERL@ -w
2
3 use strict;
4 use Pod::Usage;
5 use Getopt::Long;
6
7 =pod
8
9 =head1 NAME
10
11 ext_wbinfo_group_acl - external ACL helper for Squid to verify NT Domain group membership using wbinfo.
12
13 =head1 SYNOPSIS
14
15 ext_wbinfo_group_acl [-dhK]
16
17 =head1 DESCRIPTION
18
19 B<ext_wbinfo_group_acl> is an installed executable script.
20 It uses B<wbinfo> from Samba to look up the group membership of logged-in users.
21
22 This helper must be used with an authentication scheme (typically
23 Basic or NTLM) based on Windows NT/2000 domain users.
24
25 It reads from the standard input the domain username and a list of groups
26 and tries to match each against the group membership of the specified
27 username.
28
29 =head1 OPTIONS
30
31 =over 12
32
33 =item B<-d>
34
35 Write debug info to stderr.
36
37 =item B<-h>
38
39 Print the help.
40
41 =item B<-K>
42
43 Downgrade Kerberos credentials to NTLM.
44
45 =back
46
47 =head1 CONFIGURATION
48
49 external_acl_type wbinfo_check %LOGIN /path/to/ext_wbinfo_group_acl
50 acl allowed_group external wbinfo_check Group1 Group2
51 http_access allow allowed_group
52
53 If the local perl interpreter is in an unusual location it may need to be added:
54
55 external_acl_type wbinfo_check %LOGIN /path/to/perl /path/to/ext_wbinfo_group_acl
56
57 =head1 AUTHOR
58
59 This program was written by Jerry Murdock <jmurdock@itraktech.com>
60
61 This manual was written by Amos Jeffries <amosjeffries@squid-cache.org>
62
63 =head1 COPYRIGHT
64
65 * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
66 *
67 * Squid software is distributed under GPLv2+ license and includes
68 * contributions from numerous individuals and organizations.
69 * Please see the COPYING and CONTRIBUTORS files for details.
70
71 This program is put in the public domain by Jerry Murdock
72 <jmurdock@itraktech.com>. It is distributed in the hope that it will
73 be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
74 of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
75
76 =head1 QUESTIONS
77
78 Questions on the usage of this program can be sent to the I<Squid Users mailing list <squid-users@lists.squid-cache.org>>
79
80 =head1 REPORTING BUGS
81
82 Bug reports need to be made in English.
83 See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
84
85 Report bugs or bug fixes using http://bugs.squid-cache.org/
86
87 Report serious security bugs to I<Squid Bugs <squid-bugs@lists.squid-cache.org>>
88
89 Report ideas for new improvements to the I<Squid Developers mailing list <squid-dev@lists.squid-cache.org>>
90
91 =head1 SEE ALSO
92
93 The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
94
95 The Squid Configuration Manual http://www.squid-cache.org/Doc/config/
96
97 =cut
98
99 #
100 # Version history:
101 # 2010-08-27 Hank Hampel <hh@nr-city.net>
102 # Add Kerberos to NTLM conversion of credentials (-K)
103 #
104 # 2005-12-26 Guido Serassio <guido.serassio@acmeconsulting.it>
105 # Add '-d' command line debugging option
106 #
107 # 2005-12-24 Guido Serassio <guido.serassio@acmeconsulting.it>
108 # Fix for wbinfo from Samba 3.0.21
109 #
110 # 2004-08-15 Henrik Nordstrom <hno@squid-cache.org>
111 # Helper protocol changed to URL escaped in Squid-3.0
112 #
113 # 2005-06-28 Arno Streuli <astreuli@gmail.com>
114 # Add multi group check
115 #
116 # 2002-07-05 Jerry Murdock <jmurdock@itraktech.com>
117 # Initial release
118
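#
# Globals
#

# Command line options filled in by init(): d (debug), h (help), K (Kerberos->NTLM).
# Declared with 'our' instead of the obsolete 'use vars' pragma; same package global.
our %opt;

# Per-request state shared by the main loop.
my $user;     # login name received from Squid, URL-decoded
my $group;    # group currently being tested
my @groups;   # all groups named in the current request
my $ans;      # 'OK' or 'ERR', the answer line sent back to Squid

# Disable output buffering so each answer line reaches Squid as soon as it is printed.
$| = 1;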
131
# Write the given words as one line to STDERR, but only when -d was given.
sub debug {
    my $message = join ' ', @_;
    print {*STDERR} "$message\n" if $opt{d};
}
135
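#
# Check if a user belongs to a group
#
# Resolves the group name to a SID (wbinfo -n), the SID to a GID (wbinfo -Y)
# and then looks for that GID in the user's group list (wbinfo -r).
# Returns the string 'OK' when the user is a member and 'ERR' otherwise,
# including whenever any of the wbinfo lookups produced no output.
#
# wbinfo is started directly (list-form pipe open) instead of through a
# shell: the login name comes from the client, so it must never be
# interpolated into a command line, and the SID/group strings no longer
# need any quoting either.
#
sub check {
    my ($user, $group) = @_;

    # -K: rewrite a Kerberos principal "user@REALM" into the NTLM form "REALM\user".
    if ($opt{K} && $user =~ m/\@/) {
        my @parts = split /\@/, $user;
        $user = "$parts[1]\\$parts[0]";
    }

    # "wbinfo -n" prints "<SID> <type>"; keep only the first space-separated
    # field of the first line, which is what the old "| cut -d' ' -f1" did.
    my ($sid_line) = split /\n/, _wbinfo('-n', $group);
    my $groupSID = defined $sid_line ? (split / /, $sid_line, 2)[0] : undef;
    $groupSID = '' unless defined $groupSID;

    my $groupGID = _wbinfo('-Y', $groupSID);
    chomp $groupGID;

    debug("User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
    return 'ERR' if $groupGID eq '';    # group name or SID did not resolve

    # Ask for the user's group list once and reuse it for both checks.
    my $user_gids = _wbinfo('-r', $user);
    return 'ERR' if $user_gids eq '';   # unknown user, or wbinfo returned nothing
    return 'OK'  if $user_gids =~ /^\Q$groupGID\E$/m;
    return 'ERR';
}

# Run "wbinfo @args" and return everything it wrote to stdout, or '' when it
# could not be started or wrote nothing.  No shell is involved, so arguments
# containing shell metacharacters are passed through literally.
# The exit status is deliberately not inspected: as before, empty output is
# what signals a failed lookup to the caller.
sub _wbinfo {
    my @args = @_;
    open my $fh, '-|', 'wbinfo', @args or return '';
    my $out = do { local $/; <$fh> };
    close $fh;
    return defined $out ? $out : '';
}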
159
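#
# Command line options processing
#
# Parses -h, -d and -K from @ARGV into %opt using Getopt::Std.
# An option getopts() rejects, or -h, prints the usage text and exits.
# (No empty prototype: it only changed how calls parse, never validated anything.)
#
sub init {
    use Getopt::Std;
    my $opt_string = 'hdK';
    getopts($opt_string, \%opt) or usage();
    usage() if $opt{h};
    return;
}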
170
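#
# Message about this program and how to use it
#
# Prints the option summary and exits (status 0, both for -h and for a
# rejected option, as before).  The summary line now lists -K as well,
# matching the options that init() actually accepts and the POD SYNOPSIS.
#
sub usage {
    print "Usage: ext_wbinfo_group_acl -dhK\n";
    print "\t-d enable debugging\n";
    print "\t-h print the help\n";
    print "\t-K downgrade Kerberos credentials to NTLM.\n";
    exit;
}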
182
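init();
print STDERR "Debugging mode ON.\n" if $opt{d};

#
# Main loop: one request line from Squid, one answer line back.
#
# A request is "<login> <group> [<group> ...]", each field URL-escaped.
# The answer is OK when the login is a member of at least one listed group,
# ERR otherwise (including a request that names no group at all).
#
while (my $line = <STDIN>) {
    chomp $line;    # chomp, not chop: never eat a real character on a final unterminated line
    debug("Got $line from squid");

    ($user, @groups) = split /\s+/, $line;
    $user = '' unless defined $user;    # blank line: answer ERR below instead of warning on undef

    # URL-unescape.  'C' (unsigned) yields the same byte as the old 'c' for
    # values >= 0x80 but without the "character wrapped" warning under -w.
    $user =~ s/%([0-9a-fA-F]{2})/pack('C', hex($1))/eg;

    # Start from ERR so a request with no groups cannot re-send the previous answer.
    $ans = 'ERR';

    # Test each group Squid sent in its request; the first match wins.
    foreach $group (@groups) {
        $group =~ s/%([0-9a-fA-F]{2})/pack('C', hex($1))/eg;
        $ans = check($user, $group);
        last if $ans eq 'OK';
    }

    debug("Sending $ans to squid");
    print "$ans\n";
}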
202 }