From: huaraz
Date: Sun, 24 Jun 2018 16:01:28 +0000 (+0000)
Subject: Added a sample Kerberos group authentication external_acl helper (#202)
X-Git-Tag: M-staged-PR202
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4a544c9d535f48998ac8eacb840f86770f56079a;p=thirdparty%2Fsquid.git

Added a sample Kerberos group authentication external_acl helper (#202)
---

diff --git a/configure.ac b/configure.ac
index 37a52ef8a4..1ec245adde 100644
--- a/configure.ac
+++ b/configure.ac
@@ -3777,6 +3777,7 @@ AC_CONFIG_FILES([
 src/acl/external/eDirectory_userip/Makefile
 src/acl/external/file_userip/Makefile
 src/acl/external/kerberos_ldap_group/Makefile
+ src/acl/external/kerberos_sid_group/Makefile
 src/acl/external/LDAP_group/Makefile
 src/acl/external/LM_group/Makefile
 src/acl/external/session/Makefile
diff --git a/src/acl/external/Makefile.am b/src/acl/external/Makefile.am
index cb61a82922..3842571708 100644
--- a/src/acl/external/Makefile.am
+++ b/src/acl/external/Makefile.am
@@ -11,6 +11,7 @@ DIST_SUBDIRS= \
 eDirectory_userip \
 file_userip \
 kerberos_ldap_group \
+ kerberos_sid_group \
 LDAP_group \
 LM_group \
 session \
diff --git a/src/acl/external/helpers.m4 b/src/acl/external/helpers.m4
index f228a2bca5..0ac25419f3 100644
--- a/src/acl/external/helpers.m4
+++ b/src/acl/external/helpers.m4
@@ -51,6 +51,9 @@ if test "x$enable_external_acl_helpers" != "xno" ; then
 elif test "x$helper" = "xkerberos_ldap_group" ; then
 m4_include([src/acl/external/kerberos_ldap_group/required.m4])
+ elif test "x$helper" = "xkerberos_sid_group" ; then
+ m4_include([src/acl/external/kerberos_sid_group/required.m4])
+
 elif test "x$helper" = "xsession" ; then
 m4_include([src/acl/external/session/required.m4])
diff --git a/src/acl/external/kerberos_sid_group/Makefile.am b/src/acl/external/kerberos_sid_group/Makefile.am
new file mode 100644
index 0000000000..cbf29a62dc
--- /dev/null
+++ b/src/acl/external/kerberos_sid_group/Makefile.am
@@ -0,0 +1,28 @@
+## Copyright (C) 1996-2018 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
+
+include $(top_srcdir)/src/Common.am
+
+libexec_SCRIPTS= ext_kerberos_sid_group_acl
+CLEANFILES += ext_kerberos_sid_group_acl
+EXTRA_DIST= \
+ ext_kerberos_sid_group_acl.pl.in \
+ required.m4
+
+ext_kerberos_sid_group_acl: ext_kerberos_sid_group_acl.pl.in
+ $(subst_perlshell)
+
+if ENABLE_POD2MAN_DOC
+man_MANS = ext_kerberos_sid_group_acl.8
+CLEANFILES += ext_kerberos_sid_group_acl.8
+EXTRA_DIST += ext_kerberos_sid_group_acl.8
+
+ext_kerberos_sid_group_acl.8: ext_kerberos_sid_group_acl
+ pod2man --section=8 ext_kerberos_sid_group_acl ext_kerberos_sid_group_acl.8
+
+endif
+
diff --git a/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.pl.in b/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.pl.in
new file mode 100755
index 0000000000..f426560d37
--- /dev/null
+++ b/src/acl/external/kerberos_sid_group/ext_kerberos_sid_group_acl.pl.in
@@ -0,0 +1,240 @@
+#!@PERL@ -w
+
+use strict;
+use Pod::Usage;
+use Getopt::Long;
+use File::Basename;
+use Date::Format;
+
+=pod
+
+=head1 NAME
+
+ ext_kerberos_sid_group_acl - external ACL helper for Squid to verify AD Domain group membership using sid.
+
+=head1 SYNOPSIS
+
+ ext_kerberos_sid_group_acl [-d] [-h] -p Principal Name -D Domain Controller -b Base DN -G Group1:Group2
+
+=head1 DESCRIPTION
+
+B is an installed executable script.
+It uses B from Openldap to lookup the name of a AD group sid.
+
+This helper must be used in with the negotiate_kerberos_auth helper in a
+Microsft AD or Samba environement.
+
+It reads from the standard input the domain username and a list of group sids
+and tries to match the group SIDs to the AD group sids.
+
+=head1 OPTIONS
+
+=over 12
+
+=item B<-d>
+
+Write debug info to stderr.
+
+=item B<-h>
+
+Print the help.
+
+=item B<-p principal name>
+
+Principal name in squid keytab to use for ldap authentication to AD
+
+=item B<-D domain controller>
+
+Domain controller to contact to lookup group SID
+
+=item B<-b base DN>
+
+Base DN for ldap search
+
+=item B<-G AD group name>
+
+AD group name to be used for SID lookup. List separated by a colon (:)
+
+=back
+
+=head1 CONFIGURATION
+
+ auth_param negotiate program /path/to/negotiate_wrapper_auth -d \
+ --ntlm /path/to/ntlm_auth --helper-protocol=squid-2.5-ntlmssp --domain example.com \
+ --kerberos /path/to/negotiate_kerberos_auth -d -s GSS_C_NO_NAME -k /path/to/squid.keytab -t none
+ external_acl_type sid_check %LOGIN %note{group} /path/to/kerberos_sid_group_acl -p principal -D dc1.example.com -b "DC=example,DC=com" -G Group1:Group2
+ acl squid_allow external sid_check
+ acl allowed_group external sid_check
+ http_access allow allowed_group
+
+If the local perl interpreter is in a unusual location it may need to be added:
+
+ external_acl_type sid_check %LOGIN %note{group} /path/to/perl /path/to/kerberos_sid_group_acl -p principal -D dc1.example.com -b "DC=example,DC=com" -G Group1:Group2
+
+=head1 AUTHOR
+
+This program was written by Markus Moeller
+
+This manual was written by Markus Moeller
+
+=head1 COPYRIGHT
+
+ * Copyright (C) 1996-2018 The Squid Software Foundation and contributors
+ *
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
+
+ This program is put in the public domain by Markus Moeller
+ . It is distributed in the hope that it will
+ be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
+ of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
+
+=head1 QUESTIONS
+
+Questions on the usage of this program can be sent to the I>
+
+=head1 REPORTING BUGS
+
+Bug reports need to be made in English.
+See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
+
+Report bugs or bug fixes using http://bugs.squid-cache.org/
+
+Report serious security bugs to I>
+
+Report ideas for new improvements to the I>
+
+=head1 SEE ALSO
+
+negotiate_kerberos_auth(8)
+
+The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
+
+The Squid Configuration Manual http://www.squid-cache.org/Doc/config/
+
+=cut
+
+#
+# Version history:
+# 2018-06-10 Markus Moeller
+# Initial release
+#
+# Globals
+#
+use vars qw/ %opt /;
+
+my $name = basename($0);
+my $principal;
+my $dc;
+my $basedn;
+my $ccname="/tmp/squid_krb5cc";
+my $groupSIDs;
+my @ADgroupSIDs;
+my $user;
+my @groups;
+my $ans;
+
+# Disable output buffering
+$|=1;
+
+sub debug()
+{
+ my @lt = localtime;
+ print STDERR strftime("%Y/%m/%d %H:%M:%S", @lt)." | $name: @_\n" if $opt{d};
+}
+
+sub info()
+{
+ my @lt = localtime;
+ print STDERR strftime("%Y/%m/%d %H:%M:%S", @lt)." | $name: @_\n";
+}
+
+sub check()
+{
+ if ( grep( /^@_$/, @ADgroupSIDs) ) {
+ &debug("DEBUG: Found @_ in AD group SID");
+ return "OK";
+ } else {
+ &debug("DEBUG: Did not find @_ in AD group SID");
+ return "ERR";
+ }
+}
+
+#
+# Command line options processing
+#
+sub init()
+{
+ use Getopt::Std;
+ my $errmsg;
+ my $opt_string = 'hdD:p:b:G:';
+ getopts( "$opt_string", \%opt ) or usage();
+ Pod::Usage::pod2usage(1) if $opt{h};
+ Pod::Usage::pod2usage(1) if not defined $opt{D};
+ Pod::Usage::pod2usage(1) if not defined $opt{b};
+ Pod::Usage::pod2usage(1) if not defined $opt{p};
+ Pod::Usage::pod2usage(1) if not defined $opt{G};
+
+ $ENV{'KRB5CCNAME'} = $ccname;
+
+ @groups = split(/:/,$opt{G});
+ $errmsg=`kinit -k $opt{p} 2>&1`;
+ &info("ERROR: $errmsg") if $errmsg;
+ exit 99 if $errmsg;
+
+ $errmsg="";
+ foreach my $group (@groups) {
+ open(LDAP, "ldapsearch -LLL -Ygssapi -H ldap://$opt{D}:389 -s sub -b \"$opt{b}\" \"(CN=$group)\" objectsid 2>&1 |");
+ my $sid;
+ while () {
+ chomp($_);
+ if ( $_ =~ /^object/ && defined $sid ) {
+ &info("ERROR: multiple SIDs returned for group $group");
+ } elsif ( $_ =~ /^object/ ) {
+ $sid=$_;
+ $sid=~s/^[^\s]+\s+//;
+ } else {
+ $errmsg=$errmsg.";".$_;
+ }
+ }
+ close(LDAP);
+ if ( ! defined $sid ) {
+ $errmsg=~s/^;//;
+ &info("ERROR: $errmsg");
+ &info("ERROR: no SID returned for group $group");
+ } else {
+ &info("INFO:ldapsearch result Group=$group, SID=$sid");
+ push @ADgroupSIDs, $sid;
+ }
+ }
+ &info("ERROR: Exit as no sid was found for any group") if ! @ADgroupSIDs;
+ exit 99 if ! @ADgroupSIDs;
+}
+
+init();
+&debug("INFO: Debugging mode ON.");
+
+#
+# Main loop
+#
+while () {
+ chop;
+ &debug("DEBUG: Got $_ from squid");
+ ($user, $groupSIDs) = split(/\s+/);
+ if ( defined $user && defined $groupSIDs ) {
+ &debug("DEBUG: user=$user");
+ &debug("DEBUG: groups=$groupSIDs");
+ # test for each group squid send in it's request
+ foreach my $group (split(/,/,$groupSIDs)) {
+ $ans = &check($group);
+ last if $ans eq "OK";
+ }
+ &debug("DEBUG: Sending $ans to squid");
+ print "$ans\n";
+ } else {
+ &debug("DEBUG: Sending ERR to squid");
+ print "ERR\n";
+ }
+}
+
diff --git a/src/acl/external/kerberos_sid_group/required.m4 b/src/acl/external/kerberos_sid_group/required.m4
new file mode 100755
index 0000000000..359fed161b
--- /dev/null
+++ b/src/acl/external/kerberos_sid_group/required.m4
@@ -0,0 +1,20 @@
+## Copyright (C) 1996-2018 The Squid Software Foundation and contributors
+##
+## Squid software is distributed under GPLv2+ license and includes
+## contributions from numerous individuals and organizations.
+## Please see the COPYING and CONTRIBUTORS files for details.
+##
+
+AC_PATH_PROG(LDAPSEARCH, ldapsearch)
+if test "x$LDAPSEARCH" = "x"; then
+ AC_MSG_WARN([ldapsearch not found in default location. ext_kerberos_sid_group_acl may not work on this machine])
+fi
+
+# allow script install anyway when perl is present
+if test "x$PERL" != "x"; then
+ BUILD_HELPER="kerberos_sid_group"
+fi
+if test "x$POD2MAN" = "x"; then
+ AC_MSG_WARN([pod2man not found. ext_kerberos_sid_group_acl man(8) page will not be built])
+fi
+
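Review bot: `check()` uses the SID Squid hands it as a regex pattern, `grep( /^@_$/, @ADgroupSIDs)`, so a value containing metacharacters such as `.*` matches every configured group SID and the helper answers OK; compare literally instead, `my ($wanted) = @_; if ( grep { $_ eq $wanted } @ADgroupSIDs ) {`. The SIDs arrive through `%note{group}` from the authentication helper rather than from the client directly, so reaching this presumably needs a malformed or forged note, but this script is the access-control decision point and should not trust its input to be a plain string. `$ccname` pins the credential cache to the predictable, world-writable path `/tmp/squid_krb5cc`, which every helper child Squid spawns shares and re-`kinit`s into; a per-process file in a non-shared directory (core `File::Temp`) or a command-line option avoids both the pre-creation/symlink hazard and the children racing each other. The `kinit` backticks and the two-argument `open(LDAP, "ldapsearch ... |")` pass `-p`, `-D`, `-b` and `-G` through the shell and splice the group name unescaped into the LDAP filter `(CN=$group)`; these values come from squid.conf so this is hardening rather than an exposure, but list-form `open(my $ldap, '-|', 'ldapsearch', ...)` with its result checked, plus escaping `*()\` in the filter, removes the dependence on shell quoting. The readline operands appear to have been lost in rendering (`while () {`), so I have assumed the committed file reads `<STDIN>` and `<LDAP>`.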