11 ext_wbinfo_group_acl - external ACL helper for Squid to verify NT Domain group membership using wbinfo.
15 ext_wbinfo_group_acl [-dhK]
19 B<ext_wbinfo_group_acl> is an installed executable script.
20 It uses B<wbinfo> from Samba to lookup group membership of logged in users.
22 This helper must be used with an authentication scheme (typically
23 Basic or NTLM) based on Windows NT/2000 domain users.
25 It reads from the standard input the domain username and a list of groups
26 and tries to match each against the group membership of the specified
35 Write debug info to stderr.
43 Downgrade Kerberos credentials to NTLM.
49 external_acl_type wbinfo_check %LOGIN /path/to/ext_wbinfo_group_acl
50 acl allowed_group external wbinfo_check Group1 Group2
51 http_access allow allowed_group
53 If the local perl interpreter is in an unusual location it may need to be added:
55 external_acl_type wbinfo_check %LOGIN /path/to/perl /path/to/ext_wbinfo_group_acl
59 This program was written by Jerry Murdock <jmurdock@itraktech.com>
61 This manual was written by Amos Jeffries <amosjeffries@squid-cache.org>
65 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
67 * Squid software is distributed under GPLv2+ license and includes
68 * contributions from numerous individuals and organizations.
69 * Please see the COPYING and CONTRIBUTORS files for details.
71 This program is put in the public domain by Jerry Murdock
72 <jmurdock@itraktech.com>. It is distributed in the hope that it will
73 be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
74 of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
78 Questions on the usage of this program can be sent to the I<Squid Users mailing list <squid-users@squid-cache.org>>
82 Bug reports need to be made in English.
83 See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
85 Report bugs or bug fixes using http://bugs.squid-cache.org/
87 Report serious security bugs to I<Squid Bugs <squid-bugs@squid-cache.org>>
89 Report ideas for new improvements to the I<Squid Developers mailing list <squid-dev@squid-cache.org>>
93 The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
95 The Squid Configuration Manual http://www.squid-cache.org/Doc/config/
101 # 2010-08-27 Hank Hampel <hh@nr-city.net>
102 # Add Kerberos to NTLM conversion of credentials (-K)
104 # 2005-12-26 Guido Serassio <guido.serassio@acmeconsulting.it>
105 # Add '-d' command line debugging option
107 # 2005-12-24 Guido Serassio <guido.serassio@acmeconsulting.it>
108 # Fix for wbinfo from Samba 3.0.21
110 # 2004-08-15 Henrik Nordstrom <hno@squid-cache.org>
111 # Helper protocol changed to URL escaped in Squid-3.0
113 # 2005-06-28 Arno Streuli <astreuli@gmail.com>
114 # Add multi group check
116 # 2002-07-05 Jerry Murdock <jmurdock@itraktech.com>
129 # Disable output buffering
133 print STDERR
"@_\n" if $opt{d
};
137 # Check if a user belongs to a group
144 our($user, $group) = @_;
145 if ($opt{K
} && ($user =~ m/\@/)) {
146 @tmpuser = split(/\@/, $user);
147 $user = "$tmpuser[1]\\$tmpuser[0]";
149 $groupSID = `wbinfo -n "$group" | cut -d" " -f1`;
151 $groupGID = `wbinfo -Y "$groupSID"`;
153 &debug
( "User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
154 return 'ERR' if($groupGID eq ""); # Verify if groupGID variable is empty.
155 return 'ERR' if(`wbinfo -r \Q$user\E` eq ""); # Verify if "wbinfo -r" command returns no value.
156 return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
161 # Command line options processing
166 my $opt_string = 'hdK';
167 getopts
( "$opt_string", \
%opt ) or usage
();
172 # Message about this program and how to use it
176 print "Usage: ext_wbinfo_group_acl -dh\n";
177 print "\t-d enable debugging\n";
178 print "\t-h print the help\n";
179 print "\t-K downgrade Kerberos credentials to NTLM.\n";
184 print STDERR
"Debugging mode ON.\n" if $opt{d
};
191 &debug
("Got $_ from squid");
192 ($user, @groups) = split(/\s+/);
193 $user =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("c",hex($1))/eg;
194 # test each group that Squid sent in its request
195 foreach $group (@groups) {
196 $group =~ s/%([0-9a-fA-F][0-9a-fA-F])/pack("c",hex($1))/eg;
197 $ans = &check
($user, $group);
198 last if $ans eq "OK";
200 &debug
("Sending $ans to squid");