and tries to match it against the groups membership of the specified
username.
-For Winbindd configuration, look the Squid winbind authenticators
-instructions.
+Before compile or configure it, look at the Squid winbind authenticators
+instructions: http://www.squid-cache.org/Doc/FAQ/FAQ-23.html#ss23.5
+
+When used in Windows 2000 domains, permissions compatible with pre-Windows
+2000 servers are required. See the Q257988 Microsoft KB article for more
+details.
==============
Program Syntax
==============
-wb_group [-d][-h]
+wb_group [-c][-d][-h]
--d enable debug mode
+-c use case insensitive compare
+-d enable debugging
-h this message
In the previous example all validated NT users member of ProxyUsers Global
domain group are allowed to use the cache.
-Groups with spaces in name must be quoted, for example "Domain Users"
+Groups with spaces in name, for example "Domain Users", must be quoted and
+the acl data ("Domain Users") must be placed into a separate file included
+by specifying "/path/to/file". The previous example will be:
-NOTE: the group name comparation is case sensitive, so group name
-must be specified with same case as in the NT/2000 Domain.
+acl ProxyUsers external NT_global_group "/usr/local/squid/etc/DomainUsers"
-Refer to Squid documentation for the more details on squid.conf.
+and the DomainUsers files will contain only the following line:
+
+"Domain Users"
+
+
+NOTE: the standard group name comparation is case sensitive, so group name
+must be specified with same case as in the NT/2000 Domain.
+It's possible to enable not case sensitive group name comparation (-c),
+but on on some non - English locales, the results can be unexpected.
+For details see toupper man page, BUGS section.
=======
Test that entering an invalid username and group results in an ERR message.
Test that entering an valid username and group results in an OK message.
+To check winbind functionality use wbinfo provided with Samba,
+try -t, -g and -r options.
+
--
Serassio Guido
-squidnt@serassio.it
+guido.serassio@acmeconsulting.it
/*
- * $Id: wb_check_group.c,v 1.9 2003/02/11 14:34:41 hno Exp $
+ * winbind_group: lookup group membership in a Windows NT/2000 domain
+ *
+ * (C)2002,2003 Guido Serassio - Acme Consulting S.r.l.
+ *
+ * Authors:
+ * Guido Serassio <guido.serassio@acmeconsulting.it>
+ * Acme Consulting S.r.l., Italy <http://www.acmeconsulting.it>
+ *
+ * With contributions from others mentioned in the change history section
+ * below.
+ *
+ * In part based on check_group by Rodrigo Albani de Campos and wbinfo
+ * from Samba Project.
+ *
+ * Dependencies: Samba 2.2.4 or later with Winbindd.
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program; if not, write to the Free Software
+ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
+ *
+ * History:
+ *
+ * Version 1.10
+ * 26-04-2003 Guido Serassio
+ * Added option for case insensitive group name comparation.
+ * More debug info.
+ * Updated documentation.
+ * 21-03-2003 Nicolas Chaillot
+ * Segfault bug fix (Bugzilla #574)
+ * Version 1.0
+ * 02-07-2002 Guido Serassio
+ * Using the main function from check_group and sections
+ * from wbinfo wrote winbind_group
*
* This is a helper for the external ACL interface for Squid Cache
- * Copyright (C) 2002 Guido Serassio <squidnt@serassio.it>
- * Based on previous work of Rodrigo Albani de Campos
*
* It reads from the standard input the domain username and a list of
* groups and tries to match it against the groups membership of the
* specified username.
*
* Returns `OK' if the user belongs to a group or `ERR' otherwise, as
- * described on http://devel.squid-cache.org/ external_acl/config.html
- *
- * Requires Samba 2.2.4 or later with Winbindd.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
+ * described on http://devel.squid-cache.org/external_acl/config.html
*
*/
#include "wbntlm.h"
char debug_enabled=0;
char *myname;
pid_t mypid;
+int use_case_insensitive_compare=0;
NSS_STATUS winbindd_request(int req_type,
struct winbindd_request *request,
}
+int strCaseCmp (const char *s1, const char *s2)
+{
+ while (*s1 && toupper (*s1) == toupper (*s2)) s1++, s2++;
+ return *s1 - *s2;
+}
/* Convert sid to string */
return group;
}
-
/* Convert gid to sid */
char * wbinfo_gid_to_sid(char * sid, gid_t gid)
{
while (*array) {
debug("Windows group: %s, Squid group: %s\n", str, *array);
- if (strcmp(str, *array) == 0)
+ if ((use_case_insensitive_compare ? strCaseCmp(str, *array) : strcmp(str, *array)) == 0)
return 0;
array++;
}
result = winbindd_request(WINBINDD_GETGROUPS, &request, &response);
- if (result != NSS_STATUS_SUCCESS)
+ if (result != NSS_STATUS_SUCCESS) {
+ warn("Warning: Can't enum user groups.\n");
return match;
+ }
for (i = 0; i < response.data.num_entries; i++) {
if ((wbinfo_gid_to_sid(sid, (int)((gid_t *)response.extra_data)[i])) != NULL) {
static void
usage(char *program)
{
- fprintf(stderr,"Usage: %s [-d] [-h]\n"
+ fprintf(stderr,"Usage: %s [-c] [-d] [-h]\n"
+ " -c use case insensitive compare\n"
" -d enable debugging\n"
" -h this message\n",
program);
int opt;
opterr = 0;
- while (-1 != (opt = getopt(argc, argv, "dh"))) {
+ while (-1 != (opt = getopt(argc, argv, "cdh"))) {
switch (opt) {
+ case 'c':
+ use_case_insensitive_compare = 1;
+ break;
case 'd':
debug_enabled = 1;
break;
debug("External ACL winbindd group helper build " __DATE__ ", " __TIME__
" starting up...\n");
+ if (use_case_insensitive_compare)
+ debug("Warning: running in case insensitive mode !!!\n");
/* Main Loop */
while (fgets (buf, BUFSIZE, stdin))
warn("Oversized message\n");
goto error;
}
-
+
if ((p = strchr(buf, '\n')) != NULL)
*p = '\0'; /* strip \n */
if ((p = strchr(buf, '\r')) != NULL)
*p = '\0'; /* strip \r */
debug("Got '%s' from Squid (length: %d).\n",buf,strlen(buf));
-
+
if (buf[0] == '\0') {
warn("Invalid Request\n");
goto error;
groups[n] = group;
groups[n] = NULL;
+ if (NULL == username) {
+ warn("Invalid Request\n");
+ goto error;
+ }
+
if (Valid_Groups(username, groups)) {
printf ("OK\n");
} else {
projects / thirdparty / squid.git / commitdiff
