From: Amos Jeffries Date: Mon, 12 Jul 2010 14:45:17 +0000 (+1200) Subject: Helpers: Naming and C++ update for external ACL helpers X-Git-Tag: SQUID_3_2_0_1~72 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c152a4473c4a3d187f67923eb83c5fe6ccd91013;p=thirdparty%2Fsquid.git Helpers: Naming and C++ update for external ACL helpers * Also adds the Fake auth helper for testing Basic authentication. * Also adds manual pages for most external ACL helpers TODO: test for and fix any build issues on Windows. --- diff --git a/configure.in b/configure.in index a91957e291..e06b7eb5a5 100644 --- a/configure.in +++ b/configure.in @@ -2183,6 +2183,8 @@ AC_CHECK_HEADERS( \ ip_fil.h \ ip_nat.h \ ipl.h \ + lber.h \ + ldap.h \ libc.h \ limits.h \ linux/posix_types.h \ @@ -3806,6 +3808,7 @@ AC_CONFIG_FILES([\ helpers/Makefile \ helpers/basic_auth/Makefile \ helpers/basic_auth/DB/Makefile \ + helpers/basic_auth/fake/Makefile \ helpers/basic_auth/getpwnam/Makefile \ helpers/basic_auth/LDAP/Makefile \ helpers/basic_auth/MSNT/Makefile \ @@ -3830,13 +3833,13 @@ AC_CONFIG_FILES([\ helpers/negotiate_auth/kerberos/Makefile \ helpers/negotiate_auth/SSPI/Makefile \ helpers/external_acl/Makefile \ - helpers/external_acl/ip_user/Makefile \ - helpers/external_acl/ldap_group/Makefile \ + helpers/external_acl/AD_group/Makefile \ + helpers/external_acl/file_userip/Makefile \ + helpers/external_acl/LDAP_group/Makefile \ + helpers/external_acl/LM_group/Makefile \ helpers/external_acl/session/Makefile \ helpers/external_acl/unix_group/Makefile \ helpers/external_acl/wbinfo_group/Makefile \ - helpers/external_acl/mswin_ad_group/Makefile \ - helpers/external_acl/mswin_lm_group/Makefile \ helpers/log_daemon/Makefile \ helpers/log_daemon/file/Makefile \ helpers/url_rewrite/Makefile \ diff --git a/doc/release-notes/release-3.2.sgml b/doc/release-notes/release-3.2.sgml index db2cb88981..f5256caeb7 100644 --- a/doc/release-notes/release-3.2.sgml +++ b/doc/release-notes/release-3.2.sgml @@ -139,15 +139,15 @@ Most user-facing changes are reflected in squid.conf (see below). squid_db_auth - basic_db_auth - Retrieve authentication details from a simple SQL database table. getpwnam_auth - basic_getpwname_auth - Authenticate with local system user accounts. squid_ldap_auth - basic_ldap_auth - Authenticate with LDAP user accounts. + MSNT-multi-domain - basic_msnt_multi_domain_auth - Authenticate with any one of multiple Windows Domain Controllers. ncsa_auth - basic_ncsa_auth - Authenticate with NCSA httpd-style password file. + yp_auth - basic_nis_auth - Authenticate with NIS security system. pam_auth - basic_pam_auth - Authenticate with the system PAM infrastructure. pop3.pl - basic_pop3_auth - Authenticate with a mail server POP3/SMTP credentials + squid_radius_auth - basic_radius_auth - Authenticate with RADIUS. squid_sasl_auth - basic_sasl_auth - Authenticate with SASL. smb_auth - basic_smb_auth - Authenticate with Samba SMB. - yp_auth - basic_nis_auth - Authenticate with NIS security system. mswin_sspi - basic_sspi_auth - Authenticate with a Windows Domain Controller using SSPI. - MSNT-multi-domain - basic_msnt_multi_domain_auth - Authenticate with any one of multiple Windows Domain Controllers. - squid_radius_auth - basic_radius_auth - Authenticate with RADIUS. Digest Authentication protocol helpers @@ -157,21 +157,27 @@ Most user-facing changes are reflected in squid.conf (see below). External ACL helpers

- (none yet converted) + mswin_check_ad_group - ext_ad_group_acl - Check logged in users Group membership using Active Directory. + ip_user_check - ext_file_userip_acl - Restrict users to cetain IP addresses, using a text file backend. + squid_ldap_group - ext_ldap_group_acl - Check logged in users Group membership using LDAP. + mswin_check_lm_group - ext_lm_group_acl - Check logged in users Group membership using LanManager. + squid_session - ext_session_acl - Maintain a session cache of client identifiers (usually IP address). + squid_unix_group - ext_unix_group_acl - Check logged in users Group membership using local UNIX groups. + wbinfo_group.pl - ext_wbinfo_group_acl - Check logged in users Group membership using wbinfo. Negotiate Authentication protocol helpers

- mswin_sspi - negotiate_sspi_auth - Authenticate with a Windows Domain Controller using SSPI. squid_kerb_auth - negotiate_kerberos_auth - Authenticate with Kerberos servers. + mswin_sspi - negotiate_sspi_auth - Authenticate with a Windows Domain Controller using SSPI. NTLM Authentication protocol helpers

+ no_check.pl - Deprecated. - Use the faster and less easily decrypted ntlm_fake_auth instead. fakeauth_auth - ntlm_fake_auth - Perform NTLMSSP to recover the username but don't verify the password. - mswin_ntlm_auth - ntlm_sspi_auth - Perform NTLMSSP authentication using Windows native Security Support Provider Interface API. ntlm_auth - ntlm_smb_lm_auth - Perform SMB LanManager domain-less authentication over NTLM protocol. - no_check.pl - Deprecated. - Use the faster and less easily decrypted ntlm_fake_auth instead. + mswin_ntlm_auth - ntlm_sspi_auth - Perform NTLMSSP authentication using Windows native Security Support Provider Interface API. URL re-write helpers diff --git a/helpers/basic_auth/Makefile.am b/helpers/basic_auth/Makefile.am index a113d8559c..2607f30280 100644 --- a/helpers/basic_auth/Makefile.am +++ b/helpers/basic_auth/Makefile.am @@ -1,6 +1,7 @@ ## Alphabetical list of sub-directories to distribute with Squid: DIST_SUBDIRS = \ DB \ + fake \ getpwnam \ LDAP \ MSNT \ diff --git a/helpers/basic_auth/fake/Makefile.am b/helpers/basic_auth/fake/Makefile.am new file mode 100644 index 0000000000..2599db67c1 --- /dev/null +++ b/helpers/basic_auth/fake/Makefile.am @@ -0,0 +1,8 @@ +include $(top_srcdir)/src/Common.am + +libexec_PROGRAMS = basic_fake_auth +basic_fake_auth_SOURCES = fake.cc + +LDADD = $(COMPAT_LIB) + +EXTRA_DIST = config.test diff --git a/helpers/basic_auth/fake/config.test b/helpers/basic_auth/fake/config.test new file mode 100755 index 0000000000..039e4d0069 --- /dev/null +++ b/helpers/basic_auth/fake/config.test @@ -0,0 +1,2 @@ +#!/bin/sh +exit 0 diff --git a/helpers/basic_auth/fake/fake.cc b/helpers/basic_auth/fake/fake.cc new file mode 100644 index 0000000000..85657b04a2 --- /dev/null +++ b/helpers/basic_auth/fake/fake.cc @@ -0,0 +1,95 @@ +/* + * AUTHOR: Amos Jeffries + * + * Fake Basic Authentication program for Squid. + * + * This code gets the user details and returns OK. + * It is intended for testing use and as a base for further implementation. + * + * + * This code is copyright (C) 2009 by Treehouse Networks Ltd + * of New Zealand. It is published and Licensed as an extension of + * squid under the same conditions as the main squid application. + */ + +#include "config.h" +#include "helpers/defines.h" + +#if HAVE_CSTRING +#include +#endif +#if HAVE_STRING_H +#include +#endif + +/** + * options: + * -d enable debugging. + * -h interface help. + */ +char *program_name = NULL; + +static void +usage(void) +{ + fprintf(stderr, + "Usage: %s [-d] [-v] [-h]\n" + " -d enable debugging.\n" + " -h this message\n\n", + program_name); +} + +static void +process_options(int argc, char *argv[]) +{ + int opt; + + opterr = 0; + while (-1 != (opt = getopt(argc, argv, "hd"))) { + switch (opt) { + case 'd': + debug_enabled = 1; + break; + case 'h': + usage(); + exit(0); + default: + fprintf(stderr, "%s: FATAL: unknown option: -%c. Exiting\n", program_name, opt); + usage(); + exit(1); + } + } +} + +int +main(int argc, char *argv[]) +{ + char buf[HELPER_INPUT_BUFFER]; + int buflen = 0; + + setbuf(stdout, NULL); + setbuf(stderr, NULL); + + program_name = argv[0]; + + process_options(argc, argv); + + debug("%s build " __DATE__ ", " __TIME__ " starting up...\n", program_name); + + while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) { + char *p; + + if ((p = strchr(buf, '\n')) != NULL) { + *p = '\0'; /* strip \n */ + buflen = p - buf; /* length is known already */ + } else + buflen = strlen(buf); /* keep this so we only scan the buffer for \0 once per loop */ + + debug("Got %d bytes '%s' from Squid\n", buflen, buf); + + /* send 'OK' result back to Squid */ + SEND_OK(""); + } + debug("%s build " __DATE__ ", " __TIME__ " shutting down...\n", program_name); + exit(0); +} diff --git a/helpers/digest_auth/file/digest_file_auth.cc b/helpers/digest_auth/file/digest_file_auth.cc index 2c38e733f7..47ea1e30c5 100644 --- a/helpers/digest_auth/file/digest_file_auth.cc +++ b/helpers/digest_auth/file/digest_file_auth.cc @@ -1,9 +1,12 @@ /* * digest_file_auth.cc * - * AUTHOR: Robert Collins. Based on ncsa_auth.c by Arjan de Vet - * - * LDAP backend extension by Flavio Pescuma, MARA Systems AB + * AUTHOR: Robert Collins. + * + * Based on ncsa_auth.c by Arjan de Vet + * + * LDAP backend extension by Flavio Pescuma, + * MARA Systems AB * * Example digest authentication program for Squid, based on the original * proxy_auth code from client_side.c, written by @@ -32,6 +35,7 @@ #include "config.h" #include "digest_common.h" +#include "helpers/defines.h" #include "text_backend.h" #define PROGRAM_NAME "digest_file_auth" @@ -64,7 +68,7 @@ OutputHHA1(RequestData * requestData) requestData->error = 0; GetHHA1(requestData); if (requestData->error) { - printf("ERR No such user\n"); + SEND_ERR("No such user"); return; } printf("%s\n", requestData->HHA1); @@ -76,7 +80,7 @@ DoOneRequest(char *buf) RequestData requestData; ParseBuffer(buf, &requestData); if (!requestData.parsed) { - printf("ERR\n"); + SEND_ERR(""); return; } OutputHHA1(&requestData); @@ -91,10 +95,10 @@ ProcessArguments(int argc, char **argv) int main(int argc, char **argv) { - char buf[256]; + char buf[HELPER_INPUT_BUFFER]; setbuf(stdout, NULL); ProcessArguments(argc, argv); - while (fgets(buf, 256, stdin) != NULL) + while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) DoOneRequest(buf); return 0; } diff --git a/helpers/external_acl/mswin_ad_group/Makefile.am b/helpers/external_acl/AD_group/Makefile.am similarity index 53% rename from helpers/external_acl/mswin_ad_group/Makefile.am rename to helpers/external_acl/AD_group/Makefile.am index 748aaab84c..af421957bb 100644 --- a/helpers/external_acl/mswin_ad_group/Makefile.am +++ b/helpers/external_acl/AD_group/Makefile.am @@ -1,11 +1,8 @@ -libexec_PROGRAMS = mswin_check_ad_group +include $(top_srcdir)/src/Common.am -mswin_check_ad_group_SOURCES = mswin_check_ad_group.c mswin_check_ad_group.h - -INCLUDES = \ - -I$(top_srcdir) \ - -I$(top_srcdir)/src \ - -I$(top_srcdir)/include +libexec_PROGRAMS = ext_ad_group_acl +ext_ad_group_acl_SOURCES = ext_ad_group_acl.cc +man_MANS = ext_ad_group_acl.8 # # Currently activeds and adsiid libraries are not available on MinGW or Cygwin, @@ -13,8 +10,7 @@ INCLUDES = \ # This helper can be compiled only using Microsoft Visual Studio. # LDADD = \ - $(top_builddir)/compat/libcompat.la \ - -L$(top_builddir)/lib -lmiscutil \ + $(COMPAT_LIB) \ -lnetapi32 \ -ladvapi32 \ -lole32 \ @@ -24,4 +20,4 @@ LDADD = \ -ladsiid \ $(XTRA_LIBS) -EXTRA_DIST = readme.txt config.test +EXTRA_DIST = config.test ext_ad_group_acl.8 diff --git a/helpers/external_acl/mswin_ad_group/config.test b/helpers/external_acl/AD_group/config.test similarity index 100% rename from helpers/external_acl/mswin_ad_group/config.test rename to helpers/external_acl/AD_group/config.test diff --git a/helpers/external_acl/AD_group/ext_ad_group_acl.8 b/helpers/external_acl/AD_group/ext_ad_group_acl.8 new file mode 100644 index 0000000000..aca3eb20d6 --- /dev/null +++ b/helpers/external_acl/AD_group/ext_ad_group_acl.8 @@ -0,0 +1,230 @@ +.if !'po4a'hide' .TH ext_ad_group_acl 8 +. +.SH NAME +.if !'po4a'hide' .B ext_ad_group_acl +.if !'po4a'hide' \- +Squid external ACL helper to check Windows users group membership. +.PP +Version 2.0 +. +.SH SYNOPSIS +.if !'po4a'hide' .B ext_ad_group_acl +.if !'po4a'hide' .B "[\-D " +domain +.if !'po4a'hide' .B "[\-cdGh]" +. +.SH DESCRIPTION +.B ext_ad_group_acl +is an installed binary in Squid for Windows builds. +.PP +This helper must be used in with an authentication scheme (typically +Basic, NTLM or Negotiate) based on Windows Active Directory domain users. +.PP +It reads from the standard input the domain username and a list of groups +and tries to match each against the groups membership of the specified +username. +.PP +Two running mode are available: +.if !'po4a'hide' .TP 12 +.B "\- Local mode:" +membership is checked against machine's local groups, cannot be used when +running on a Domain Controller. +.B "\- Active Directory Global mode:" +membership is checked against the whole Active Directory Forest of the +machine where Squid is running. +.PP +The minimal Windows version needed to run ext_ad_group_acl is +a Windows 2000 SP4 member of an Active Directory Domain. +.PP +When running in Active Directory Global mode, all types of Active Directory +security groups are supported: +.if !'po4a'hide' .TP 12 +.B \- Domain Global +.B \- Domain Local from user's domain +.B \- Universal +and Active Directory group nesting is fully supported. +. +.SH OPTIONS +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-c +Use case insensitive compare (local mode only). +.if !'po4a'hide' .B \-d +Write debug info to stderr. +.if !'po4a'hide' .B \-D domain +Specify the default user's domain. +.if !'po4a'hide' .B \-G +Start helper in Active Directory Global mode. +.if !'po4a'hide' .B \-h +Display the binary help and command line syntax info using stderr. +. +.SH CONFIGURATION +.PP +When running in Active Directory Global mode, the AD Group can be specified using the +following syntax: +. +.if !'po4a'hide' .TP 5 +.PP 1. Plain NT4 Group Name +.PP 2. Full NT4 Group Name +.PP 3. Active Directory Canonical name +. +.PP As Example: +.if !'po4a'hide' .TP 5 +.if !'po4a'hide' .PP 1. Proxy-Users +.if !'po4a'hide' .PP 2. MYDOMAIN\Proxy-Users +.if !'po4a'hide' .PP 3. mydomain.local/Groups/Proxy-Users +.PP +When using Plain NT4 Group Name, the Group is searched in the user's domain. +.if !'po4a'hide' . +.if !'po4a'hide' external_acl_type AD_global_group %LOGIN c:/squid/libexec/ext_ad_group_acl.exe -G +.if !'po4a'hide' external_acl_type NT_local_group %LOGIN c:/squid/libexec/ext_ad_group_acl.exe +.if !'po4a'hide' . +.if !'po4a'hide' acl GProxyUsers external AD_global_group MYDOMAIN\GProxyUsers +.if !'po4a'hide' acl LProxyUsers external NT_local_group LProxyUsers +.if !'po4a'hide' acl password proxy_auth REQUIRED +.if !'po4a'hide' . +.if !'po4a'hide' http_access allow password GProxyUsers +.if !'po4a'hide' http_access allow password LProxyUsers +.if !'po4a'hide' http_access deny all +.PP +In the previous example all validated AD users member of +.I MYDOMAIN\GProxyUsers +domain group or member of +.I LProxyUsers +machine local group are allowed to +use the cache. +.PP +Groups with spaces in name, for example +.B "Domain Users" +, must be quoted and the acl data ( +.B "Domain Users" +) must be placed into a separate file included +by specifying +.B "/path/to/file" . +The previous example will be: +.if !'po4a'hide' . +.if !'po4a'hide' acl ProxyUsers external NT_global_group "c:/squid/etc/DomainUsers" +.if !'po4a'hide' . +and the DomainUsers files will contain only the following line: +"Domain Users" +.PP NOTE: +When running in Active Directory Global mode, for better performance, +all Domain Controllers of the Active Directory forest should be configured +as Global Catalog. +.PP NOTE: +When running in local mode, the standard group name comparison is case +sensitive, so group name must be specified with same case as in the +local SAM database. +. +It is possible to enable case insensitive group name comparison ( +.B \-c +), +but on some non\-english locales, the results can be unexpected. +.PP NOTE: +Native WIN32 NTLM and Basic Helpers must be used without the +.B \-A +and +.B \-D +switches. +.PP +Refer to Squid documentation for the more details on squid.conf. +. +.SH TESTING +.PP +I strongly recommend that +.B ext_lm_group_acl +is tested prior to being used in a +production environment. It may behave differently on different platforms. +. +.PP +To test it, run it from the command line. Enter username and group +pairs separated by a space (username must entered with URL-encoded +.I domain%5Cusername +syntax). Press +.B ENTER +to get an +.B OK +or +.B ERR +message. +.PP +Make sure pressing +.B CTRL+D +behaves the same as a carriage return. +.PP +Make sure pressing +.B CTRL+C +aborts the program. +. +.PP +Test that entering no details does not result in an +.B OK +or +.B ERR +message. +.PP +Make sure pressing +.B CTRL+D +behaves the same as a carriage return. +.PP +Make sure pressing +.B CTRL+C +aborts the program. +. +.PP +Test that entering no details does not result in an +.B OK +or +.B ERR +message. +.PP +Test that entering an invalid username and group results in an +.B ERR +message. +.PP +Test that entering an valid username and group results in an +.B OK +message. +. +.SH AUTHOR +This program was written by +.if !'po4a'hide' .I Guido Serassio +.PP +Based on prior work in +.B "mswin_check_lm_group (ext_lm_group_acl)" +.PP +This manual was written by +.if !'po4a'hide' .I Guido Serassio +.if !'po4a'hide' .I Amos Jeffries +. +.SH COPYRIGHT +This program and documentation is copyright to the authors named above. +.PP +Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+). +. +.SH QUESTIONS +Questions on the usage of this program can be sent to the +.I Squid Users mailing list +.if !'po4a'hide' +. +.SH REPORTING BUGS +Bug reports need to be made in English. +See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report. +.PP +Report bugs or bug fixes using http://bugs.squid-cache.org/ +.PP +Report serious security bugs to +.I Squid Bugs +.PP +Report ideas for new improvements to the +.I Squid Developers mailing list +.if !'po4a'hide' +. +.SH SEE ALSO +.if !'po4a'hide' .BR squid "(8), " +.if !'po4a'hide' .BR GPL "(7), " +.br +The Squid FAQ wiki +.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq +.br +The Squid Configuration Manual +.if !'po4a'hide' http://www.squid-cache.org/Doc/config/ diff --git a/helpers/external_acl/mswin_ad_group/mswin_check_ad_group.c b/helpers/external_acl/AD_group/ext_ad_group_acl.cc similarity index 96% rename from helpers/external_acl/mswin_ad_group/mswin_check_ad_group.c rename to helpers/external_acl/AD_group/ext_ad_group_acl.cc index 4172c93e35..9ed185fde5 100644 --- a/helpers/external_acl/mswin_ad_group/mswin_check_ad_group.c +++ b/helpers/external_acl/AD_group/ext_ad_group_acl.cc @@ -1,5 +1,5 @@ /* - * mswin_check_ad_group: lookup group membership in a Windows + * ext_ad_group_acl: lookup group membership in a Windows * Active Directory domain * * (C)2008-2009 Guido Serassio - Acme Consulting S.r.l. @@ -58,10 +58,14 @@ */ #include "config.h" +#include "helpers/defines.h" +#include "include/util.h" + #ifdef _SQUID_CYGWIN_ #include int _wcsicmp(const wchar_t *, const wchar_t *); #endif + #if HAVE_STDIO_H #include #endif @@ -87,17 +91,13 @@ int _wcsicmp(const wchar_t *, const wchar_t *); #include #include -#include "util.h" - enum ADSI_PATH { LDAP_MODE, GC_MODE } ADSI_Path; -#define BUFSIZE 8192 /* the stdin buffer size */ int use_global = 0; -char debug_enabled = 0; -char *myname; +char *program_name; pid_t mypid; char *machinedomain; int use_case_insensitive_compare = 0; @@ -109,8 +109,6 @@ char *WIN32_ErrorMessage = NULL; wchar_t **User_Groups; int User_Groups_Count = 0; -#include "mswin_check_ad_group.h" - wchar_t *My_NameTranslate(wchar_t *, int, int); char *Get_WIN32_ErrorMessage(HRESULT); @@ -734,7 +732,7 @@ Valid_Global_Groups(char *UserName, const char **Groups) } static void -usage(char *program) +usage(const char *program) { fprintf(stderr, "Usage: %s [-D domain][-G][-c][-d][-h]\n" " -D default user Domain\n" @@ -773,7 +771,7 @@ process_options(int argc, char *argv[]) opt = optopt; /* fall thru to default */ default: - fprintf(stderr, "%s Unknown option: -%c. Exiting\n", myname, opt); + fprintf(stderr, "%s: FATAL: Unknown option: -%c. Exiting\n", program_name, opt); usage(argv[0]); exit(1); break; /* not reached */ @@ -787,19 +785,18 @@ int main(int argc, char *argv[]) { char *p; - char buf[BUFSIZE]; + char buf[HELPER_INPUT_BUFFER]; char *username; char *group; - int err = 0; const char *groups[512]; int n; if (argc > 0) { /* should always be true */ - myname = strrchr(argv[0], '/'); - if (myname == NULL) - myname = argv[0]; + program_name = strrchr(argv[0], '/'); + if (program_name == NULL) + program_name = argv[0]; } else { - myname = "(unknown)"; + program_name = "(unknown)"; } mypid = getpid(); @@ -811,7 +808,7 @@ main(int argc, char *argv[]) if (use_global) { if ((machinedomain = GetDomainName()) == NULL) { - fprintf(stderr, "%s Can't read machine domain\n", myname); + fprintf(stderr, "%s: FATAL: Can't read machine domain\n", program_name); exit(1); } strlwr(machinedomain); @@ -829,16 +826,17 @@ main(int argc, char *argv[]) /* Main Loop */ - while (fgets(buf, sizeof(buf), stdin)) { + while (fgets(buf, HELPER_INPUT_BUFFER, stdin)) { if (NULL == strchr(buf, '\n')) { /* too large message received.. skip and deny */ fprintf(stderr, "%s: ERROR: Too large: %s\n", argv[0], buf); - while (fgets(buf, sizeof(buf), stdin)) { + while (fgets(buf, HELPER_INPUT_BUFFER, stdin)) { fprintf(stderr, "%s: ERROR: Too large..: %s\n", argv[0], buf); if (strchr(buf, '\n') != NULL) break; } - goto error; + SEND_ERR("Invalid Request. Too Long."); + continue; } if ((p = strchr(buf, '\n')) != NULL) *p = '\0'; /* strip \n */ @@ -848,8 +846,8 @@ main(int argc, char *argv[]) debug("Got '%s' from Squid (length: %d).\n", buf, strlen(buf)); if (buf[0] == '\0') { - fprintf(stderr, "Invalid Request\n"); - goto error; + SEND_ERR("Invalid Request. No Input."); + continue; } username = strtok(buf, " "); for (n = 0; (group = strtok(NULL, " ")) != NULL; n++) { @@ -860,16 +858,15 @@ main(int argc, char *argv[]) numberofgroups = n; if (NULL == username) { - fprintf(stderr, "Invalid Request\n"); - goto error; + SEND_ERR("Invalid Request. No Username."); + continue; } rfc1738_unescape(username); if ((use_global ? Valid_Global_Groups(username, groups) : Valid_Local_Groups(username, groups))) { - SEND("OK"); + SEND_OK(""); } else { -error: - SEND("ERR"); + SEND_ERR(""); } err = 0; } diff --git a/helpers/external_acl/ldap_group/ChangeLog b/helpers/external_acl/LDAP_group/ChangeLog similarity index 95% rename from helpers/external_acl/ldap_group/ChangeLog rename to helpers/external_acl/LDAP_group/ChangeLog index 3fd7c4ade3..06abfc87c0 100644 --- a/helpers/external_acl/ldap_group/ChangeLog +++ b/helpers/external_acl/LDAP_group/ChangeLog @@ -1,5 +1,12 @@ Version 2.17 +2010-07-12 Amos Jeffries + + Rename to ext_ldap_group_acl (Squid-3 helper naming schema) + Convert to build under C++ + Remove several goto statements. + Update to use helper macro API + 2005-03-19 Henrik Nordstrom Bug #1258: LDAP helpers fails to compile with SUN LDAP SDK diff --git a/helpers/external_acl/LDAP_group/Makefile.am b/helpers/external_acl/LDAP_group/Makefile.am new file mode 100644 index 0000000000..fbf0cda814 --- /dev/null +++ b/helpers/external_acl/LDAP_group/Makefile.am @@ -0,0 +1,13 @@ +include $(top_srcdir)/src/Common.am + +libexec_PROGRAMS = ext_ldap_group_acl +ext_ldap_group_acl_SOURCES = ext_ldap_group_acl.cc + +man_MANS = ext_ldap_group_acl.8 +EXTRA_DIST = ext_ldap_group_acl.8 config.test + +LDADD = \ + $(COMPAT_LIB) \ + $(LDAPLIB) \ + $(LBERLIB) \ + $(XTRA_LIBS) diff --git a/helpers/external_acl/ldap_group/config.test b/helpers/external_acl/LDAP_group/config.test similarity index 100% rename from helpers/external_acl/ldap_group/config.test rename to helpers/external_acl/LDAP_group/config.test diff --git a/helpers/external_acl/ldap_group/squid_ldap_group.8 b/helpers/external_acl/LDAP_group/ext_ldap_group_acl.8 similarity index 94% rename from helpers/external_acl/ldap_group/squid_ldap_group.8 rename to helpers/external_acl/LDAP_group/ext_ldap_group_acl.8 index 51888cc4d5..0ea749da57 100644 --- a/helpers/external_acl/ldap_group/squid_ldap_group.8 +++ b/helpers/external_acl/LDAP_group/ext_ldap_group_acl.8 @@ -1,14 +1,14 @@ -.if !'po4a'hide' .TH squid_ldap_group 8 "30 January 2005" +.if !'po4a'hide' .TH ext_ldap_group_acl 8 "30 January 2005" . .SH NAME -.if !'po4a'hide' .B squid_ldap_group +.if !'po4a'hide' .B ext_ldap_group_acl .if !'po4a'hide' \- Squid LDAP external acl group helper .PP Version 2.17 . .SH SYNOPSIS -.if !'po4a'hide' .B squid_ldap_group +.if !'po4a'hide' .B ext_ldap_group_acl .if !'po4a'hide' .B "\-b \"" base DN .if !'po4a'hide' .B "\" \-f \"" @@ -16,7 +16,7 @@ LDAP search filter .if !'po4a'hide' .B "\" [" options .if !'po4a'hide' .B "] [" -ldap_server_name +LDAP server name .if !'po4a'hide' .B "[:" port .if !'po4a'hide' .B "]|" @@ -24,7 +24,7 @@ URI .if !'po4a'hide' .B "]..." . .SH DESCRIPTION -.B squid_ldap_group +.B ext_ldap_group_acl allows Squid to connect to a LDAP directory to authorize users via LDAP groups. LDAP options are specified as parameters on the command line, while the username(s) and group(s) to be checked against the @@ -77,13 +77,13 @@ Netscape LDAP API libraries) .if !'po4a'hide' .TP .if !'po4a'hide' .BI \-d Debug mode where each step taken will get reported in detail. -Useful for understanding what goes wrong if the results is -not what is expected. +Useful for understanding what goes wrong if the result is +not what was expected. . .if !'po4a'hide' .TP .if !'po4a'hide' .BI "\-D " "binddn " "\-w " password The DN and password to bind as while performing searches. Required -if the directory does not allow anonymous searches. +if the LDAP directory does not allow anonymous searches. .IP As the password needs to be printed in plain text in your Squid configuration and will be sent on the command line to the helper it is strongly recommended @@ -153,7 +153,7 @@ Strip Kerberos Realm component from user names (@ separated) . .if !'po4a'hide' .TP .if !'po4a'hide' .BI \-p " ldapport" -Specify an alternate TCP port where the ldap server is listening if +Specify an alternate TCP port where the LDAP server is listening if other than the default LDAP port 389. . .if !'po4a'hide' .TP @@ -214,7 +214,7 @@ helper in .if !'po4a'hide' .P .if !'po4a'hide' .ft CR .if !'po4a'hide' .nf -.if !'po4a'hide' external_acl_type ldap_group %LOGIN /path/to/squid_ldap_group ... +.if !'po4a'hide' external_acl_type ldap_group %LOGIN /path/to/ext_ldap_group_acl ... .if !'po4a'hide' .br .if !'po4a'hide' acl group1 external ldap_group Group1 .if !'po4a'hide' .br @@ -227,7 +227,7 @@ When constructing search filters it is recommended to first test the filter using .B ldapsearch to verify that the filter matches what you expect before you attempt to use -.B squid_ldap_group +.B ext_ldap_group_acl . .SH AUTHOR This program was written by diff --git a/helpers/external_acl/ldap_group/squid_ldap_group.c b/helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc similarity index 84% rename from helpers/external_acl/ldap_group/squid_ldap_group.c rename to helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc index d4dbf6df15..1436314468 100644 --- a/helpers/external_acl/ldap_group/squid_ldap_group.c +++ b/helpers/external_acl/LDAP_group/ext_ldap_group_acl.cc @@ -1,5 +1,7 @@ /* - * squid_ldap_group: lookup group membership in LDAP + * ext_ldap_group_acl: lookup group membership in LDAP + * + * Version 2.17 * * (C)2002,2003 MARA Systems AB * @@ -34,15 +36,21 @@ */ #define SQUID_NO_ALLOC_PROTECT 1 #include "config.h" - -#define LDAP_DEPRECATED 1 - +#include "helpers/defines.h" #include "rfc1738.h" #include "util.h" +#define LDAP_DEPRECATED 1 + +#if HAVE_STDIO_H #include +#endif +#if HAVE_STRING_H #include +#endif +#if HAVE_CTYPE_H #include +#endif #ifdef _SQUID_MSWIN_ /* Native Windows port and MinGW */ @@ -73,8 +81,12 @@ PFldap_start_tls_s Win32_ldap_start_tls_s; #else +#if HAVE_LBER_H #include +#endif +#if HAVE_LDAP_H #include +#endif #endif @@ -82,7 +94,7 @@ PFldap_start_tls_s Win32_ldap_start_tls_s; #include #endif -#define PROGRAM_NAME "squid_ldap_group" +#define PROGRAM_NAME "ext_ldap_group_acl" #define PROGRAM_VERSION "2.17" /* Globals */ @@ -97,7 +109,6 @@ static const char *bindpasswd = NULL; static int searchscope = LDAP_SCOPE_SUBTREE; static int persistent = 0; static int noreferrals = 0; -static int show_debug_messages = 0; static int aliasderef = LDAP_DEREF_NEVER; #if defined(NETSCAPE_SSL) static char *sslpath = NULL; @@ -138,7 +149,7 @@ squid_ldap_set_aliasderef(LDAP * ld, int deref) static void squid_ldap_set_referrals(LDAP * ld, int referrals) { - int *value = referrals ? LDAP_OPT_ON :LDAP_OPT_OFF; + int *value = static_cast(referrals ? LDAP_OPT_ON :LDAP_OPT_OFF); ldap_set_option(ld, LDAP_OPT_REFERRALS, value); } static void @@ -192,7 +203,7 @@ squid_ldap_set_timelimit(LDAP * ld, int timelimit) static void squid_ldap_set_connect_timeout(LDAP * ld, int timelimit) { - fprintf(stderr, "Connect timeouts not supported in your LDAP library\n"); + fprintf(stderr, "WARNING: Connect timeouts not supported in your LDAP library\n"); } static void squid_ldap_memfree(char *p) @@ -211,7 +222,7 @@ squid_ldap_memfree(char *p) int main(int argc, char **argv) { - char buf[8192]; + char buf[HELPER_INPUT_BUFFER]; char *user, *group, *extension_dn = NULL; char *ldapServer = NULL; LDAP *ld = NULL; @@ -253,14 +264,14 @@ main(int argc, char **argv) switch (option) { case 'H': #if !HAS_URI_SUPPORT - fprintf(stderr, "ERROR: Your LDAP library does not have URI support\n"); + fprintf(stderr, "FATAL: Your LDAP library does not have URI support\n"); exit(1); #endif /* Fall thru to -h */ case 'h': if (ldapServer) { int len = strlen(ldapServer) + 1 + strlen(value) + 1; - char *newhost = malloc(len); + char *newhost = (char*)malloc(len); snprintf(newhost, len, "%s %s", ldapServer, value); free(ldapServer); ldapServer = newhost; @@ -291,7 +302,7 @@ main(int argc, char **argv) else if (strcmp(value, "sub") == 0) searchscope = LDAP_SCOPE_SUBTREE; else { - fprintf(stderr, PROGRAM_NAME " ERROR: Unknown search scope '%s'\n", value); + fprintf(stderr, PROGRAM_NAME ": FATAL: Unknown search scope '%s'\n", value); exit(1); } break; @@ -301,7 +312,7 @@ main(int argc, char **argv) if (port == LDAP_PORT) port = LDAPS_PORT; #else - fprintf(stderr, PROGRAM_NAME " ERROR: -E unsupported with this LDAP library\n"); + fprintf(stderr, PROGRAM_NAME ": FATAL: -E unsupported with this LDAP library\n"); exit(1); #endif break; @@ -321,7 +332,7 @@ main(int argc, char **argv) else if (strcmp(value, "find") == 0) aliasderef = LDAP_DEREF_FINDING; else { - fprintf(stderr, PROGRAM_NAME " ERROR: Unknown alias dereference method '%s'\n", value); + fprintf(stderr, PROGRAM_NAME ": FATAL: Unknown alias dereference method '%s'\n", value); exit(1); } break; @@ -353,13 +364,13 @@ main(int argc, char **argv) version = LDAP_VERSION3; break; default: - fprintf(stderr, "Protocol version should be 2 or 3\n"); + fprintf(stderr, "FATAL: Protocol version should be 2 or 3\n"); exit(1); } break; case 'Z': if (version == LDAP_VERSION2) { - fprintf(stderr, "TLS (-Z) is incompatible with version %d\n", + fprintf(stderr, "FATAL: TLS (-Z) is incompatible with version %d\n", version); exit(1); } @@ -368,7 +379,7 @@ main(int argc, char **argv) break; #endif case 'd': - show_debug_messages = 1; + debug_enabled = 1; break; case 'g': use_extension_dn = 1; @@ -380,7 +391,7 @@ main(int argc, char **argv) strip_kerberos_realm = 1; break; default: - fprintf(stderr, PROGRAM_NAME " ERROR: Unknown command line option '%c'\n", option); + fprintf(stderr, PROGRAM_NAME ": FATAL: Unknown command line option '%c'\n", option); exit(1); } } @@ -389,7 +400,7 @@ main(int argc, char **argv) char *value = argv[1]; if (ldapServer) { int len = strlen(ldapServer) + 1 + strlen(value) + 1; - char *newhost = malloc(len); + char *newhost = (char*)malloc(len); snprintf(newhost, len, "%s %s", ldapServer, value); free(ldapServer); ldapServer = newhost; @@ -449,28 +460,30 @@ main(int argc, char **argv) WLDAP32Handle = GetModuleHandle("wldap32"); if ((Win32_ldap_start_tls_s = (PFldap_start_tls_s) GetProcAddress(WLDAP32Handle, LDAP_START_TLS_S)) == NULL) { - fprintf(stderr, PROGRAM_NAME ": ERROR: TLS (-Z) not supported on this platform.\n"); + fprintf(stderr, PROGRAM_NAME ": FATAL: TLS (-Z) not supported on this platform.\n"); exit(1); } } #endif - while (fgets(buf, 256, stdin) != NULL) { + while (fgets(buf, HELPER_INPUT_BUFFER, stdin) != NULL) { int found = 0; if (!strchr(buf, '\n')) { /* too large message received.. skip and deny */ - fprintf(stderr, "%s: ERROR: Too large: %s\n", argv[0], buf); + fprintf(stderr, "%s: ERROR: Input Too large: %s\n", argv[0], buf); while (fgets(buf, sizeof(buf), stdin)) { - fprintf(stderr, "%s: ERROR: Too large..: %s\n", argv[0], buf); + fprintf(stderr, "%s: ERROR: Input Too large..: %s\n", argv[0], buf); if (strchr(buf, '\n') != NULL) break; } - goto error; + SEND_ERR(""); + continue; } user = strtok(buf, " \n"); if (!user) { - fprintf(stderr, "%s: Invalid request\n", argv[0]); - goto error; + debug("%s: Invalid request: No Username given\n", argv[0]); + SEND_ERR("Invalid request. No Username"); + continue; } rfc1738_unescape(user); if (strip_nt_domain) { @@ -491,8 +504,9 @@ main(int argc, char **argv) if (use_extension_dn) { extension_dn = strtok(NULL, " \n"); if (!extension_dn) { - fprintf(stderr, "%s: Invalid request\n", argv[0]); - goto error; + debug("%s: Invalid request: Extension DN configured, but none sent.\n", argv[0]); + SEND_ERR("Invalid Request. Extension DN required."); + continue; } rfc1738_unescape(extension_dn); } @@ -505,7 +519,7 @@ recover: if (strstr(ldapServer, "://") != NULL) { rc = ldap_initialize(&ld, ldapServer); if (rc != LDAP_SUCCESS) { - fprintf(stderr, "\nUnable to connect to LDAPURI:%s\n", ldapServer); + fprintf(stderr, "%s: ERROR: Unable to connect to LDAPURI:%s\n", argv[0], ldapServer); break; } } else @@ -513,21 +527,20 @@ recover: #if NETSCAPE_SSL if (sslpath) { if (!sslinit && (ldapssl_client_init(sslpath, NULL) != LDAP_SUCCESS)) { - fprintf(stderr, "\nUnable to initialise SSL with cert path %s\n", - sslpath); + fprintf(stderr, "FATAL: Unable to initialise SSL with cert path %s\n", sslpath); exit(1); } else { sslinit++; } if ((ld = ldapssl_init(ldapServer, port, 1)) == NULL) { - fprintf(stderr, "\nUnable to connect to SSL LDAP server: %s port:%d\n", + fprintf(stderr, "FATAL: Unable to connect to SSL LDAP server: %s port:%d\n", ldapServer, port); exit(1); } } else #endif if ((ld = ldap_init(ldapServer, port)) == NULL) { - fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n", ldapServer, port); + fprintf(stderr, "ERROR: Unable to connect to LDAP server:%s port:%d\n", ldapServer, port); break; } if (connect_timeout) @@ -538,7 +551,7 @@ recover: version = LDAP_VERSION3; } if (ldap_set_option(ld, LDAP_OPT_PROTOCOL_VERSION, &version) != LDAP_SUCCESS) { - fprintf(stderr, "Could not set LDAP_OPT_PROTOCOL_VERSION %d\n", + fprintf(stderr, "ERROR: Could not set LDAP_OPT_PROTOCOL_VERSION %d\n", version); ldap_unbind(ld); ld = NULL; @@ -547,16 +560,16 @@ recover: if (use_tls) { #ifdef LDAP_OPT_X_TLS if (version != LDAP_VERSION3) { - fprintf(stderr, "TLS requires LDAP version 3\n"); + fprintf(stderr, "FATAL: TLS requires LDAP version 3\n"); exit(1); } else if (ldap_start_tls_s(ld, NULL, NULL) != LDAP_SUCCESS) { - fprintf(stderr, "Could not Activate TLS connection\n"); + fprintf(stderr, "ERROR: Could not Activate TLS connection\n"); ldap_unbind(ld); ld = NULL; break; } #else - fprintf(stderr, "TLS not supported with your LDAP library\n"); + fprintf(stderr, "FATAL: TLS not supported with your LDAP library\n"); exit(1); #endif } @@ -567,14 +580,13 @@ recover: if (binddn && bindpasswd && *binddn && *bindpasswd) { rc = ldap_simple_bind_s(ld, binddn, bindpasswd); if (rc != LDAP_SUCCESS) { - fprintf(stderr, PROGRAM_NAME " WARNING, could not bind to binddn '%s'\n", ldap_err2string(rc)); + fprintf(stderr, PROGRAM_NAME ": WARNING: could not bind to binddn '%s'\n", ldap_err2string(rc)); ldap_unbind(ld); ld = NULL; break; } } - if (show_debug_messages) - fprintf(stderr, "Connected OK\n"); + debug("Connected OK\n"); } if (searchLDAP(ld, group, user, extension_dn) == 0) { found = 1; @@ -589,10 +601,9 @@ recover: } } if (found) - printf("OK\n"); + SEND_OK(""); else { -error: - printf("ERR\n"); + SEND_ERR(""); } if (ld != NULL) { @@ -639,43 +650,43 @@ ldap_escape_value(char *escaped, int size, const char *src) } static int -build_filter(char *filter, int size, const char *template, const char *user, const char *group) +build_filter(char *filter, int size, const char *templ, const char *user, const char *group) { int n; - while (*template && size > 0) { - switch (*template) { + while (*templ && size > 0) { + switch (*templ) { case '%': - template++; - switch (*template) { + templ++; + switch (*templ) { case 'u': case 'v': - template++; + templ++; n = ldap_escape_value(filter, size, user); size -= n; filter += n; break; case 'g': case 'a': - template++; + templ++; n = ldap_escape_value(filter, size, group); size -= n; filter += n; break; default: - fprintf(stderr, "ERROR: Unknown filter template string %%%c\n", *template); + fprintf(stderr, "ERROR: Unknown filter template string %%%c\n", *templ); return 1; break; } break; case '\\': - template++; - if (*template) { - *filter++ = *template++; + templ++; + if (*templ) { + *filter++ = *templ++; size--; } break; default: - *filter++ = *template++; + *filter++ = *templ++; size--; break; } @@ -704,11 +715,10 @@ searchLDAPGroup(LDAP * ld, char *group, char *member, char *extension_dn) snprintf(searchbase, sizeof(searchbase), "%s", basedn); if (build_filter(filter, sizeof(filter), searchfilter, member, group) != 0) { - fprintf(stderr, PROGRAM_NAME " ERROR, Failed to construct LDAP search filter. filter=\"%s\", user=\"%s\", group=\"%s\"\n", filter, member, group); + fprintf(stderr, PROGRAM_NAME ": ERROR: Failed to construct LDAP search filter. filter=\"%s\", user=\"%s\", group=\"%s\"\n", filter, member, group); return 1; } - if (show_debug_messages) - fprintf(stderr, "group filter '%s', searchbase '%s'\n", filter, searchbase); + debug("group filter '%s', searchbase '%s'\n", filter, searchbase); rc = ldap_search_s(ld, searchbase, searchscope, filter, searchattr, 1, &res); if (rc != LDAP_SUCCESS) { @@ -717,11 +727,11 @@ searchLDAPGroup(LDAP * ld, char *group, char *member, char *extension_dn) * are disabled. */ } else { - fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error '%s'\n", ldap_err2string(rc)); + fprintf(stderr, PROGRAM_NAME ": WARNING: LDAP search error '%s'\n", ldap_err2string(rc)); #if defined(NETSCAPE_SSL) if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) { int sslerr = PORT_GetError(); - fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr)); + fprintf(stderr, PROGRAM_NAME ": WARNING: SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr)); } #endif ldap_msgfree(res); @@ -756,8 +766,7 @@ searchLDAP(LDAP * ld, char *group, char *login, char *extension_dn) snprintf(searchbase, sizeof(searchbase), "%s", userbasedn ? userbasedn : basedn); ldap_escape_value(escaped_login, sizeof(escaped_login), login); snprintf(filter, sizeof(filter), usersearchfilter, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login, escaped_login); - if (show_debug_messages) - fprintf(stderr, "user filter '%s', searchbase '%s'\n", filter, searchbase); + debug("user filter '%s', searchbase '%s'\n", filter, searchbase); rc = ldap_search_s(ld, searchbase, searchscope, filter, searchattr, 1, &res); if (rc != LDAP_SUCCESS) { if (noreferrals && rc == LDAP_PARTIAL_RESULTS) { @@ -765,11 +774,11 @@ searchLDAP(LDAP * ld, char *group, char *login, char *extension_dn) * are disabled. */ } else { - fprintf(stderr, PROGRAM_NAME " WARNING, LDAP search error '%s'\n", ldap_err2string(rc)); + fprintf(stderr, PROGRAM_NAME ": WARNING: LDAP search error '%s'\n", ldap_err2string(rc)); #if defined(NETSCAPE_SSL) if (sslpath && ((rc == LDAP_SERVER_DOWN) || (rc == LDAP_CONNECT_ERROR))) { int sslerr = PORT_GetError(); - fprintf(stderr, PROGRAM_NAME ": WARNING, SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr)); + fprintf(stderr, PROGRAM_NAME ": WARNING: SSL error %d (%s)\n", sslerr, ldapssl_err2string(sslerr)); } #endif ldap_msgfree(res); @@ -778,7 +787,7 @@ searchLDAP(LDAP * ld, char *group, char *login, char *extension_dn) } entry = ldap_first_entry(ld, res); if (!entry) { - fprintf(stderr, PROGRAM_NAME " WARNING, User '%s' not found in '%s'\n", login, searchbase); + fprintf(stderr, PROGRAM_NAME ": WARNING: User '%s' not found in '%s'\n", login, searchbase); ldap_msgfree(res); return 1; } @@ -808,11 +817,11 @@ readSecret(const char *filename) FILE *f; if (!(f = fopen(filename, "r"))) { - fprintf(stderr, PROGRAM_NAME " ERROR: Can not read secret file %s\n", filename); + fprintf(stderr, PROGRAM_NAME ": ERROR: Can not read secret file %s\n", filename); return 1; } if (!fgets(buf, sizeof(buf) - 1, f)) { - fprintf(stderr, PROGRAM_NAME " ERROR: Secret file %s is empty\n", filename); + fprintf(stderr, PROGRAM_NAME ": ERROR: Secret file %s is empty\n", filename); fclose(f); return 1; } @@ -824,7 +833,7 @@ readSecret(const char *filename) bindpasswd = xstrdup(buf); if (!bindpasswd) { - fprintf(stderr, PROGRAM_NAME " ERROR: can not allocate memory\n"); + fprintf(stderr, PROGRAM_NAME ": ERROR: can not allocate memory\n"); } fclose(f); diff --git a/helpers/external_acl/LM_group/Makefile.am b/helpers/external_acl/LM_group/Makefile.am new file mode 100644 index 0000000000..5e60d00425 --- /dev/null +++ b/helpers/external_acl/LM_group/Makefile.am @@ -0,0 +1,15 @@ +include $(top_srcdir)/src/Common.am + +libexec_PROGRAMS = ext_lm_group_acl +ext_lm_group_acl_SOURCES = ext_lm_group_acl.cc + +LDADD = \ + $(COMPAT_LIB) \ + -lnetapi32 \ + -ladvapi32 \ + -lntdll \ + $(XTRA_LIBS) + +man_MANS = ext_lm_group_acl.8 + +EXTRA_DIST = config.test ext_lm_group_acl.8 diff --git a/helpers/external_acl/mswin_lm_group/config.test b/helpers/external_acl/LM_group/config.test similarity index 100% rename from helpers/external_acl/mswin_lm_group/config.test rename to helpers/external_acl/LM_group/config.test diff --git a/helpers/external_acl/LM_group/ext_lm_group_acl.8 b/helpers/external_acl/LM_group/ext_lm_group_acl.8 new file mode 100644 index 0000000000..d8f14e4dbe --- /dev/null +++ b/helpers/external_acl/LM_group/ext_lm_group_acl.8 @@ -0,0 +1,181 @@ +.if !'po4a'hide' .TH ext_lm_group_acl 8 +. +.SH NAME +.if !'po4a'hide' .B ext_lm_group_acl +.if !'po4a'hide' \- +Squid external ACL helper to check Windows users group membership. +.PP +Version 1.22 +. +.SH SYNOPSIS +.if !'po4a'hide' .B ext_lm_group_acl +.if !'po4a'hide' .B "[\-D " +domain +.if !'po4a'hide' .B "] [\-cdhGP]" +. +.SH DESCRIPTION +.B ext_lm_group_acl +is an installed binary in Squid for Windows builds. +.PP +This helper must be used in with an authentication scheme (typically +Basic or NTLM) based on Windows NT/2000 domain users (LM mode). +.PP +It reads from the standard input the domain username and a list of groups +and tries to match each against the groups membership of the specified +username. +. +.SH OPTIONS +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-c +Use case insensitive compare. +.if !'po4a'hide' .B \-d +Write debug info to stderr. +.if !'po4a'hide' .B \-D domain +Specify the default user's domain. +.if !'po4a'hide' .B \-G +Start helper in Domain Global Group mode. +.if !'po4a'hide' .B \-h +Display the binary help and command line syntax info using stderr. +.if !'po4a'hide' .B \-P +Use ONLY PDCs for group validation. +. +.SH CONFIGURATION +. +.if !'po4a'hide' external_acl_type NT_global_group %LOGIN c:/squid/libexec/ext_lm_group_acl.exe -G +.if !'po4a'hide' external_acl_type NT_local_group %LOGIN c:/squid/libexec/ext_lm_group_acl.exe +.if !'po4a'hide' . +.if !'po4a'hide' acl GProxyUsers external NT_global_group GProxyUsers +.if !'po4a'hide' acl LProxyUsers external NT_local_group LProxyUsers +.if !'po4a'hide' acl password proxy_auth REQUIRED +.if !'po4a'hide' . +.if !'po4a'hide' http_access allow password GProxyUsers +.if !'po4a'hide' http_access allow password LProxyUsers +.if !'po4a'hide' http_access deny all +. +.PP +In the previous example all validated NT users member of GProxyUsers Global +domain group or member of LProxyUsers machine local group are allowed to +use the cache. +. +.PP +Groups with spaces in name, for example +.B "Domain Users" +, must be quoted and the acl data ( +.B "Domain Users" +) must be placed into a separate file included by specifying +.B "/path/to/file" +. +The previous example will be: +. +.if !'po4a'hide' acl ProxyUsers external NT_global_group "c:/squid/etc/DomainUsers.txt" +. +and the +.B DomainUsers.txt +files will contain only the following line: +.B "Domain Users" +. +.PP NOTE: +The standard group name comparison is case sensitive, so group name +must be specified with same case as in the NT/2000 Domain. +It's possible to enable case insensitive group name comparison ( +.B \-c +), but on some not-english locales, the results can be unexpected. +. +.PP NOTE: +Native WIN32 NTLM and Basic Helpers must be used without the +.B \-A +and +.B \-D +switches. +.PP +Refer to Squid documentation for the more details on squid.conf. +. +.SH TESTING +.PP +I strongly recommend that +.B ext_lm_group_acl +is tested prior to being used in a +production environment. It may behave differently on different platforms. +. +.PP +To test it, run it from the command line. Enter username and group +pairs separated by a space (username must entered with URL-encoded +.I domain%5Cusername +syntax). Press +.B ENTER +to get an +.B OK +or +.B ERR +message. +.PP +Make sure pressing +.B CTRL+D +behaves the same as a carriage return. +.PP +Make sure pressing +.B CTRL+C +aborts the program. +. +.PP +Test that entering no details does not result in an +.B OK +or +.B ERR +message. +.PP +Test that entering an invalid username and group results in an +.B ERR +message. +.PP +Test that entering an valid username and group results in an +.B OK +message. +. +.SH AUTHOR +This program was written by +.if !'po4a'hide' .I Guido Serassio +with contributions by +.if !'po4a'hide' .I Henrik Nordstrom +.PP +Based in part on prior work in +.B check_group +by +.if !'po4a'hide' .I Rodrigo Albani de Campos +.PP +This manual was written by +.if !'po4a'hide' .I Guido Serassio +.if !'po4a'hide' .I Amos Jeffries +. +.SH COPYRIGHT +This program and documentation is copyright to the authors named above. +.PP +Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+). +. +.SH QUESTIONS +Questions on the usage of this program can be sent to the +.I Squid Users mailing list +.if !'po4a'hide' +. +.SH REPORTING BUGS +Bug reports need to be made in English. +See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report. +.PP +Report bugs or bug fixes using http://bugs.squid-cache.org/ +.PP +Report serious security bugs to +.I Squid Bugs +.PP +Report ideas for new improvements to the +.I Squid Developers mailing list +.if !'po4a'hide' +. +.SH SEE ALSO +.if !'po4a'hide' .BR squid "(8), " +.if !'po4a'hide' .BR GPL "(7), " +.br +The Squid FAQ wiki +.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq +.br +The Squid Configuration Manual +.if !'po4a'hide' http://www.squid-cache.org/Doc/config/ diff --git a/helpers/external_acl/mswin_lm_group/win32_check_group.c b/helpers/external_acl/LM_group/ext_lm_group_acl.cc similarity index 92% rename from helpers/external_acl/mswin_lm_group/win32_check_group.c rename to helpers/external_acl/LM_group/ext_lm_group_acl.cc index b8b2267118..209d008152 100644 --- a/helpers/external_acl/mswin_lm_group/win32_check_group.c +++ b/helpers/external_acl/LM_group/ext_lm_group_acl.cc @@ -68,10 +68,15 @@ */ #include "config.h" +#include "helpers/defines.h" +#include "include/util.h" + + #ifdef _SQUID_CYGWIN_ #include int _wcsicmp(const wchar_t *, const wchar_t *); #endif + #if HAVE_STDIO_H #include #endif @@ -90,21 +95,16 @@ int _wcsicmp(const wchar_t *, const wchar_t *); #include #include -#include "util.h" -#define BUFSIZE 8192 /* the stdin buffer size */ int use_global = 0; int use_PDC_only = 0; -char debug_enabled = 0; -char *myname; +char *program_name; pid_t mypid; char *machinedomain; int use_case_insensitive_compare = 0; char *DefaultDomain = NULL; const char NTV_VALID_DOMAIN_SEPARATOR[] = "\\/"; -#include "win32_check_group.h" - char * AllocStrFromLSAStr(LSA_UNICODE_STRING LsaStr) @@ -378,7 +378,7 @@ Valid_Global_Groups(char *UserName, const char **Groups) } else nStatus = (use_PDC_only ? NetGetDCName(NULL, wszLocalDomain, (LPBYTE *) & LclDCptr) : NetGetAnyDCName(NULL, wszLocalDomain, (LPBYTE *) & LclDCptr)); } else { - fprintf(stderr, "%s NetServerGetInfo() failed.'\n", myname); + fprintf(stderr, "%s: ERROR: NetServerGetInfo() failed.'\n", program_name); if (pSrvBuf != NULL) NetApiBufferFree(pSrvBuf); return result; @@ -392,7 +392,7 @@ Valid_Global_Groups(char *UserName, const char **Groups) strlen(NTDomain) + 1, wszUserDomain, sizeof(wszUserDomain) / sizeof(wszUserDomain[0])); nStatus = (use_PDC_only ? NetGetDCName(LclDCptr, wszUserDomain, (LPBYTE *) & UsrDCptr) : NetGetAnyDCName(LclDCptr, wszUserDomain, (LPBYTE *) & UsrDCptr)); if (nStatus != NERR_Success) { - fprintf(stderr, "%s Can't find DC for user's domain '%s'\n", myname, NTDomain); + fprintf(stderr, "%s: ERROR: Can't find DC for user's domain '%s'\n", program_name, NTDomain); if (pSrvBuf != NULL) NetApiBufferFree(pSrvBuf); if (LclDCptr != NULL) @@ -438,10 +438,10 @@ Valid_Global_Groups(char *UserName, const char **Groups) } } else { result = 0; - fprintf(stderr, "%s NetUserGetGroups() failed.'\n", myname); + fprintf(stderr, "%s: ERROR: NetUserGetGroups() failed.'\n", program_name); } } else { - fprintf(stderr, "%s Can't find DC for local domain '%s'\n", myname, machinedomain); + fprintf(stderr, "%s: ERROR: Can't find DC for local domain '%s'\n", program_name, machinedomain); } /* * Free the allocated memory. @@ -458,7 +458,7 @@ Valid_Global_Groups(char *UserName, const char **Groups) } static void -usage(char *program) +usage(const char *program) { fprintf(stderr, "Usage: %s [-D domain][-G][-P][-c][-d][-h]\n" " -D default user Domain\n" @@ -501,7 +501,7 @@ process_options(int argc, char *argv[]) opt = optopt; /* fall thru to default */ default: - fprintf(stderr, "%s Unknown option: -%c. Exiting\n", myname, opt); + fprintf(stderr, "%s: FATAL: Unknown option: -%c. Exiting\n", program_name, opt); usage(argv[0]); exit(1); break; /* not reached */ @@ -515,19 +515,18 @@ int main(int argc, char *argv[]) { char *p; - char buf[BUFSIZE]; + char buf[HELPER_INPUT_BUFFER]; char *username; char *group; - int err = 0; const char *groups[512]; int n; if (argc > 0) { /* should always be true */ - myname = strrchr(argv[0], '/'); - if (myname == NULL) - myname = argv[0]; + program_name = strrchr(argv[0], '/'); + if (program_name == NULL) + program_name = argv[0]; } else { - myname = "(unknown)"; + program_name = "(unknown)"; } mypid = getpid(); @@ -539,7 +538,7 @@ main(int argc, char *argv[]) if (use_global) { if ((machinedomain = GetDomainName()) == NULL) { - fprintf(stderr, "%s Can't read machine domain\n", myname); + fprintf(stderr, "%s: FATAL: Can't read machine domain\n", program_name); exit(1); } strlwr(machinedomain); @@ -556,16 +555,17 @@ main(int argc, char *argv[]) debug("Warning: using only PDCs for group validation !!!\n"); /* Main Loop */ - while (fgets(buf, sizeof(buf), stdin)) { + while (fgets(buf, HELPER_INPUT_BUFFER, stdin)) { if (NULL == strchr(buf, '\n')) { /* too large message received.. skip and deny */ - fprintf(stderr, "%s: ERROR: Too large: %s\n", argv[0], buf); - while (fgets(buf, sizeof(buf), stdin)) { - fprintf(stderr, "%s: ERROR: Too large..: %s\n", argv[0], buf); + debug("%s: ERROR: Too large: %s\n", argv[0], buf); + while (fgets(buf, HELPER_INPUT_BUFFER, stdin)) { + debug("%s: ERROR: Too large..: %s\n", argv[0], buf); if (strchr(buf, '\n') != NULL) break; } - goto error; + SEND_ERR("Input Too Long."); + continue; } if ((p = strchr(buf, '\n')) != NULL) *p = '\0'; /* strip \n */ @@ -575,8 +575,8 @@ main(int argc, char *argv[]) debug("Got '%s' from Squid (length: %d).\n", buf, strlen(buf)); if (buf[0] == '\0') { - fprintf(stderr, "Invalid Request\n"); - goto error; + SEND_ERR("Invalid Request."); + continue; } username = strtok(buf, " "); for (n = 0; (group = strtok(NULL, " ")) != NULL; n++) { @@ -586,18 +586,16 @@ main(int argc, char *argv[]) groups[n] = NULL; if (NULL == username) { - fprintf(stderr, "Invalid Request\n"); - goto error; + SEND_ERR("Invalid Request. No Username."); + continue; } rfc1738_unescape(username); if ((use_global ? Valid_Global_Groups(username, groups) : Valid_Local_Groups(username, groups))) { - printf("OK\n"); + SEND_OK(""); } else { -error: - printf("ERR\n"); + SEND_ERR(""); } - err = 0; } return 0; } diff --git a/helpers/external_acl/Makefile.am b/helpers/external_acl/Makefile.am index 4b0217adc1..7144c8ceee 100644 --- a/helpers/external_acl/Makefile.am +++ b/helpers/external_acl/Makefile.am @@ -1,7 +1,2 @@ -# Makefile for storage modules in the Squid Object Cache server -# -# $Id$ -# - -DIST_SUBDIRS = ip_user ldap_group mswin_ad_group mswin_lm_group session unix_group wbinfo_group +DIST_SUBDIRS = AD_group file_userip LDAP_group LM_group session unix_group wbinfo_group SUBDIRS = $(EXTERNAL_ACL_HELPERS) diff --git a/helpers/external_acl/file_userip/Makefile.am b/helpers/external_acl/file_userip/Makefile.am new file mode 100644 index 0000000000..af5813efa6 --- /dev/null +++ b/helpers/external_acl/file_userip/Makefile.am @@ -0,0 +1,15 @@ +include $(top_srcdir)/src/Common.am + +libexec_PROGRAMS = ext_file_userip_acl +ext_file_userip_acl_SOURCES = ext_file_userip_acl.cc +man_MANS = ext_file_userip_acl.8 + +EXTRA_DIST = \ + example.conf \ + example-deny_all_but.conf \ + ext_file_userip_acl.8 \ + config.test + +LDADD = \ + $(COMPAT_LIB) \ + $(XTRA_LIBS) diff --git a/helpers/external_acl/ip_user/config.test b/helpers/external_acl/file_userip/config.test similarity index 100% rename from helpers/external_acl/ip_user/config.test rename to helpers/external_acl/file_userip/config.test diff --git a/helpers/external_acl/ip_user/example-deny_all_but.conf b/helpers/external_acl/file_userip/example-deny_all_but.conf similarity index 100% rename from helpers/external_acl/ip_user/example-deny_all_but.conf rename to helpers/external_acl/file_userip/example-deny_all_but.conf diff --git a/helpers/external_acl/ip_user/example.conf b/helpers/external_acl/file_userip/example.conf similarity index 63% rename from helpers/external_acl/ip_user/example.conf rename to helpers/external_acl/file_userip/example.conf index 25fe3de613..b3b91e5e6c 100644 --- a/helpers/external_acl/ip_user/example.conf +++ b/helpers/external_acl/file_userip/example.conf @@ -1,11 +1,12 @@ -# $Id$ +# Configuration File for Squid ext_file_userip_acl helper +# # Lines that begin with a # are ignored # The main format is: # # Single user # ip[/mask] user # -# Users that belong to `group´ (/etc/group) +# Users that belong to "group" (/etc/group) # ip[/mask] @group # # No User from this IP @@ -17,23 +18,21 @@ # IP and MASK must be in dotted quad format. # # Ths first match wins, so you may create rules that -# `allow everyone but foo bar´ or -# `deny everyone but foo bar´ +# "allow everyone but foo bar" or +# "deny everyone but foo bar" # # Examples: # All users from the 192.168.1.0/24 network are allowed # 192.168.1.0/255.255.255.0 ALL # # Users from the 192.168.2.0/24 network are not allowed -# except for user `boss´ that can authenticate from +# except for user "boss" that can authenticate from # anywhere # 0.0.0.0/0.0.0.0 boss # 192.168.2.0/255.255.255.0 NONE # -# User `jayk´ may athenticate only from his station -# ip address +# User "jayk" may athenticate only from his station ip address # 192.168.3.45 jayk # -# Users of the `tol´ group may authenticate from -# their VLAN +# Users of the "tol" group may authenticate from their VLAN # 10.0.0.0/255.255.0.0 @tol diff --git a/helpers/external_acl/file_userip/ext_file_userip_acl.8 b/helpers/external_acl/file_userip/ext_file_userip_acl.8 new file mode 100644 index 0000000000..31a0241860 --- /dev/null +++ b/helpers/external_acl/file_userip/ext_file_userip_acl.8 @@ -0,0 +1,107 @@ +.if !'po4a'hide' .TH ext_file_userip_acl 8 +. +.SH NAME +.if !'po4a'hide' .B ext_file_userip_acl +.if !'po4a'hide' \- +Restrict users to cetain IP addresses, using a text file backend. +.PP +Version 1.0 +. +.SH SYNOPSIS +.if !'po4a'hide' .B ext_file_userip_acl +.if !'po4a'hide' .B [\-dh] [\-f +file name +.if !'po4a'hide' .B ] +. +.SH DESCRIPTION +.B ext_file_userip_acl +is an installed binary. An external helper for the Squid external acl scheme. +.PP +It works by reading a pair composed by an ip address and an username +on STDIN and matching it against a configuration file. +. +.SH OPTIONS +.if !'po4a'hide' .TP 12 +.if !'po4a'hide' .B \-d +Write debug info to stderr. +.if !'po4a'hide' .B \-f +Configuration file to load. +.if !'po4a'hide' .B \-h +Display the binary help and command line syntax info using stderr. +. +.SH CONFIGURATION +.PP +The +.B squid.conf +configuration for the external ACL should be: +.if !'po4a'hide' . +.if !'po4a'hide' external_acl_type type-name %SRC %LOGIN /path/to/ext_file_userip_acl -f /path/to/config.file +.if !'po4a'hide' . +.PP +If the helper program finds a matching username/ip in the configuration file, it returns +.B OK +, otherwise it returns +.B ERR . +.PP +The configuration file format is as follows: +. +ip_addr[/netmask] username|@group|ALL|NONE +.PP +Where +.B ip_addr +is a dotted quad format IP address, the +.B netmask +must be in dotted quad format too. +.PP +When the second parameter is prefixed with an +.B "@" +, the program will lookup the +.B "/etc/group" +file entry for the specified username. +.PP +There are other two directives, +.B ALL +and +.B NONE +, which mean \"any user on this IP address may authenticate\" or \"no user on this ip address may authenticate\". +. +.SH AUTHOR +This program was written by +.if !'po4a'hide' .I Rodrigo Campos +.PP +This manual was written by +.if !'po4a'hide' .I Rodrigo Campos +.if !'po4a'hide' .I Amos Jeffries +. +.SH COPYRIGHT +This program and documentation is copyright to the authors named above. +.PP +Distributed under the GNU General Public License (GNU GPL) version 2 or later (GPLv2+). +. +.SH QUESTIONS +Questions on the usage of this program can be sent to the +.I Squid Users mailing list +.if !'po4a'hide' +. +.SH REPORTING BUGS +Bug reports need to be made in English. +See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report. +.PP +Report bugs or bug fixes using http://bugs.squid-cache.org/ +.PP +Report serious security bugs to +.I Squid Bugs +.PP +Report ideas for new improvements to the +.I Squid Developers mailing list +.if !'po4a'hide' +. +.SH SEE ALSO +.if !'po4a'hide' .BR squid "(8), " +.if !'po4a'hide' .BR GPL "(7), " +.br +The Squid FAQ wiki +.if !'po4a'hide' http://wiki.squid-cache.org/SquidFaq +.br +The Squid Configuration Manual +.if !'po4a'hide' http://www.squid-cache.org/Doc/config/ diff --git a/helpers/external_acl/file_userip/ext_file_userip_acl.cc b/helpers/external_acl/file_userip/ext_file_userip_acl.cc new file mode 100644 index 0000000000..01086273e0 --- /dev/null +++ b/helpers/external_acl/file_userip/ext_file_userip_acl.cc @@ -0,0 +1,283 @@ +/* $Id$ +* Copyright (C) 2002 Rodrigo Campos +* +* This program is free software; you can redistribute it and/or modify +* it under the terms of the GNU General Public License as published by +* the Free Software Foundation; either version 2 of the License, or +* (at your option) any later version. +* +* This program is distributed in the hope that it will be useful, +* but WITHOUT ANY WARRANTY; without even the implied warranty of +* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +* GNU General Public License for more details. +* +* You should have received a copy of the GNU General Public License +* along with this program; if not, write to the Free Software +* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +* +* Author: Rodrigo Campos (rodrigo@geekbunker.org) +* +*/ +#define SQUID_NO_ALLOC_PROTECT 1 +#include "config.h" +#include "helpers/defines.h" +#include "rfc1738.h" +#include "util.h" + +#if HAVE_STDIO_H +#include +#endif +#if HAVE_STDLIB_H +#include +#endif +#if HAVE_STRING_H +#include +#endif +#if HAVE_SYS_SOCKET_H +#include +#endif +#if HAVE_NETINET_IN_H +#include +#endif +#if HAVE_ARPA_INET_H +#include +#endif +#if HAVE_GRP_H +#include +#endif + + +struct ip_user_dict { + unsigned long address; // IP address (assumes IPv4) + unsigned long netmask; // IP netmask + char *username; + struct ip_user_dict *next_entry; +}; + +int match_user(char *, char *); +int match_group(char *, char *); +struct ip_user_dict *load_dict(FILE *); +int dict_lookup(struct ip_user_dict *, char *, char *); + +/** Size of lines read from the dictionary file */ +#define DICT_BUFFER_SIZE 8196 + +/** This function parses the dictionary file and loads it + * in memory. All IP addresses are processed with a bitwise AND + * with their netmasks before they are stored. + * If there´s no netmask (no /) in the in the lhs , a mask + * 255.255.255.255 is assumed. + * It returns a pointer to the first entry of the linked list + */ +struct ip_user_dict * +load_dict(FILE * FH) +{ + struct ip_user_dict *current_entry; /* the structure used to + store data */ + struct ip_user_dict *first_entry = NULL; /* the head of the + linked list */ + char line[DICT_BUFFER_SIZE]; /* the buffer for the lines read + from the dict file */ + char *cp; /* a char pointer used to parse + each line */ + char *username; /* for the username */ + char *tmpbuf; /* for the address before the + bitwise AND */ + + /* the pointer to the first entry in the linked list */ + first_entry = (struct ip_user_dict*)malloc(sizeof(struct ip_user_dict)); + current_entry = first_entry; + + while ((cp = fgets (line, DICT_BUFFER_SIZE, FH)) != NULL) { + if (line[0] == '#') { + continue; + } + if ((cp = strchr (line, '\n')) != NULL) { + /* chop \n characters */ + *cp = '\0'; + } + if ((cp = strtok (line, "\t ")) != NULL) { + /* get the username */ + username = strtok (NULL, "\t "); + /* look for a netmask */ + if ((cp = strtok (line, "/")) != NULL) { + /* store the ip address in a temporary buffer */ + tmpbuf = cp; + cp = strtok (NULL, "/"); + if (cp != NULL) { + /* if we have a slash in the lhs, we have a netmask */ + current_entry->netmask = (inet_addr(cp)); + current_entry->address = + (((inet_addr (tmpbuf))) & current_entry->netmask); + } else { + /* when theres no slash, we figure the netmask is /32 */ + current_entry->address = (inet_addr(tmpbuf)); + current_entry->netmask = (inet_addr("255.255.255.255")); + } + } + /* get space for the username */ + current_entry->username = + (char*)calloc(strlen(username) + 1, sizeof(char)); + strcpy(current_entry->username, username); + + /* get space and point current_entry to the new entry */ + current_entry->next_entry = + (struct ip_user_dict*)malloc(sizeof(struct ip_user_dict)); + current_entry = current_entry->next_entry; + } + + } + + /* Return a pointer to the first entry linked list */ + return first_entry; +} + +/** This function looks for a matching ip/mask in + * the dict file loaded in memory. + * It returns 1 if it finds a match or 0 if no match is found + */ +int +dict_lookup(struct ip_user_dict *first_entry, char *username, + char *address) +{ + /* Move the pointer to the first entry of the linked list. */ + struct ip_user_dict *current_entry = first_entry; + + while (current_entry->username != NULL) { + debug("user: %s\naddr: %lu\nmask: %lu\n\n", + current_entry->username, current_entry->address, + current_entry->netmask); + + if ((inet_addr (address) & (unsigned long) current_entry-> + netmask) == current_entry->address) { + /* If the username contains an @ we assume it´s a group and + call the corresponding function */ + if ((strchr (current_entry->username, '@')) == NULL) { + if ((match_user (current_entry->username, username)) == 1) + return 1; + } else { + if ((match_group (current_entry->username, username)) == 1) + return 1; + } + } + current_entry = current_entry->next_entry; + } + + /* If no match was found we return 0 */ + return 0; +} + +int +match_user(char *dict_username, char *username) +{ + if ((strcmp(dict_username, username)) == 0) { + return 1; + } else { + if ((strcmp(dict_username, "ALL")) == 0) { + return 1; + } + } + return 0; +} /* match_user */ + +int +match_group(char *dict_group, char *username) +{ + struct group *g; /* a struct to hold group entries */ + dict_group++; /* the @ should be the first char + so we rip it off by incrementing + * the pointer by one */ + + if ((g = getgrnam(dict_group)) == NULL) { + debug("Group does not exist '%s'\n", dict_group); + return 0; + } else { + while (*(g->gr_mem) != NULL) { + if (strcmp(*((g->gr_mem)++), username) == 0) { + return 1; + } + } + } + return 0; + +} + +static void +usage(const char *program_name) +{ + fprintf (stderr, "Usage:\n%s [-d] -f \n", + program_name); +} + +int +main (int argc, char *argv[]) +{ + FILE *FH; + char *filename = NULL; + char *program_name = argv[0]; + char *cp; + char *username, *address; + char line[HELPER_INPUT_BUFFER]; + struct ip_user_dict *current_entry; + int ch; + + setvbuf (stdout, NULL, _IOLBF, 0); + while ((ch = getopt(argc, argv, "df:h")) != -1) { + switch (ch) { + case 'f': + filename = optarg; + break; + case 'd': + debug_enabled = 1; + break; + case 'h': + usage(program_name); + exit (0); + default: + fprintf(stderr, "%s: FATAL: Unknown parameter option '%c'", program_name, ch); + usage(program_name); + exit (1); + } + } + if (filename == NULL) { + fprintf(stderr, "%s: FATAL: No Filename configured.", program_name); + usage(program_name); + exit(1); + } + FH = fopen(filename, "r"); + current_entry = load_dict(FH); + + while (fgets(line, HELPER_INPUT_BUFFER, stdin)) { + if ((cp = strchr (line, '\n')) == NULL) { + /* too large message received.. skip and deny */ + fprintf(stderr, "%s: ERROR: Input Too Large: %s\n", program_name, line); + while (fgets(line, sizeof(line), stdin)) { + fprintf(stderr, "%s: ERROR: Input Too Large..: %s\n", program_name, line); + if (strchr(line, '\n') != NULL) + break; + } + SEND_ERR("Input Too Large."); + continue; + } + *cp = '\0'; + address = strtok(line, " \t"); + username = strtok(NULL, " \t"); + if (!address || !username) { + debug("%s: unable to read tokens\n", program_name); + SEND_ERR("Invalid Input."); + continue; + } + rfc1738_unescape(address); + rfc1738_unescape(username); + int result = dict_lookup(current_entry, username, address); + debug("%s: result: %d\n", program_name, result); + if (result != 0) { + SEND_OK(""); + } else { + SEND_ERR(""); + } + } + + fclose (FH); + return 0; +} diff --git a/helpers/external_acl/ip_user/Makefile.am b/helpers/external_acl/ip_user/Makefile.am deleted file mode 100644 index 5e53d10893..0000000000 --- a/helpers/external_acl/ip_user/Makefile.am +++ /dev/null @@ -1,25 +0,0 @@ -include $(top_srcdir)/src/Common.am - -## we need our local files too (but avoid -I. at all costs) -INCLUDES += -I$(srcdir) - - -libexec_PROGRAMS = ip_user_check - -ip_user_check_SOURCES = \ - dict.c \ - ip_user.h \ - main.c \ - match.c - -EXTRA_DIST = \ - example.conf \ - example-deny_all_but.conf \ - license \ - README \ - config.test - -LDADD = \ - $(top_builddir)/compat/libcompat.la \ - -L$(top_builddir)/lib -lmiscutil \ - $(XTRA_LIBS) diff --git a/helpers/external_acl/ip_user/Makefile.separate b/helpers/external_acl/ip_user/Makefile.separate deleted file mode 100644 index 099e267270..0000000000 --- a/helpers/external_acl/ip_user/Makefile.separate +++ /dev/null @@ -1,16 +0,0 @@ -# $Id$ -CC=gcc -CFLAGS=-Wall -LIBS= -# For Solaris -# LIBS=-lnsl -lsocket - -ip_user_check: ip_user.h dict.o match.c main.c - $(CC) $(CFLAGS) -o ip_user_check dict.o match.c main.c $(LIBS) - -dict.o: ip_user.h dict.c - $(CC) $(CFLAGS) -c dict.c - -clean: - rm -f dict.o ip_user_check - diff --git a/helpers/external_acl/ip_user/README b/helpers/external_acl/ip_user/README deleted file mode 100644 index 4971de1c36..0000000000 --- a/helpers/external_acl/ip_user/README +++ /dev/null @@ -1,42 +0,0 @@ -$Id$ - -README file for ip_user_check, an external helper for the -Squid external acl scheme. - -It works by reading a pair composed by an ip address and an username -on STDIN and matching it against a configuration file. - -The configuration for the external ACL should be: - -external_acl_type type-name %SRC %LOGIN /path/to/ip_user_check -f /path/to/config.file - -If the program finds a matching username/ip in the configuration file, -it returns `OK', or `ERR' otherwise. - -The usage for the program is: - -ip_user_check -f - - -The configuration file format is as follows: - -ip_addr[/mask] user|@group|ALL|NONE - -Where ip_addr is a dotted quad format IP address, the mask -must be in dotted quad format too. - -When the second parameter is prefixed with an @, the program will lookup in the -/etc/group entry for the specified username. - -There are other two directives, `ALL' and `NONE', which mean "any user on this ip -address may authenticate" or "no user on this ip address may authenticate". - -TODO -- Deny operator, to create `allow all but' rules -- Check for a valid user in the OS -- Accept decimal format netmasks - - --- -Rodrigo Campos -rodrigo@geekbunker.org diff --git a/helpers/external_acl/ip_user/dict.c b/helpers/external_acl/ip_user/dict.c deleted file mode 100644 index 287291ceaf..0000000000 --- a/helpers/external_acl/ip_user/dict.c +++ /dev/null @@ -1,141 +0,0 @@ -/* $Id$ -* Copyright (C) 2002 Rodrigo Campos -* -* This program is free software; you can redistribute it and/or modify -* it under the terms of the GNU General Public License as published by -* the Free Software Foundation; either version 2 of the License, or -* (at your option) any later version. -* -* This program is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -* GNU General Public License for more details. -* -* You should have received a copy of the GNU General Public License -* along with this program; if not, write to the Free Software -* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -* -* Author: Rodrigo Campos (rodrigo@geekbunker.org) -* -*/ - -#include -#include -#include -#include -#include -#include -#include - -#include "ip_user.h" - -#ifndef DEBUG -#undef DEBUG -#endif - - -/* This function parses the dictionary file and loads it - * in memory. All IP addresses are processed with a bitwise AND - * with their netmasks before they are stored. - * If there´s no netmask (no /) in the in the lhs , a mask - * 255.255.255.255 is assumed. - * It returns a pointer to the first entry of the linked list - */ -struct ip_user_dict * -load_dict (FILE * FH) { - struct ip_user_dict *current_entry; /* the structure used to - store data */ - struct ip_user_dict *first_entry = NULL; /* the head of the - linked list */ - char line[BUFSIZE]; /* the buffer for the lines read - from the dict file */ - char *cp; /* a char pointer used to parse - each line */ - char *username; /* for the username */ - char *tmpbuf; /* for the address before the - bitwise AND */ - - /* the pointer to the first entry in the linked list */ - first_entry = malloc (sizeof (struct ip_user_dict)); - current_entry = first_entry; - - while ((cp = fgets (line, sizeof (line), FH)) != NULL) { - if (line[0] == '#') { - continue; - } - if ((cp = strchr (line, '\n')) != NULL) { - /* chop \n characters */ - *cp = '\0'; - } - if ((cp = strtok (line, "\t ")) != NULL) { - /* get the username */ - username = strtok (NULL, "\t "); - /* look for a netmask */ - if ((cp = strtok (line, "/")) != NULL) { - /* store the ip address in a temporary buffer */ - tmpbuf = cp; - cp = strtok (NULL, "/"); - if (cp != NULL) { - /* if we have a slash in the lhs, we have a netmask */ - current_entry->netmask = (inet_addr (cp)); - current_entry->address = - (((inet_addr (tmpbuf))) & current_entry->netmask); - } else { - /* when theres no slash, we figure the netmask is /32 */ - current_entry->address = (inet_addr (tmpbuf)); - current_entry->netmask = (inet_addr ("255.255.255.255")); - } - } - /* get space for the username */ - current_entry->username = - calloc (strlen (username) + 1, sizeof (char)); - strcpy (current_entry->username, username); - - /* get space and point current_entry to the new entry */ - current_entry->next_entry = - malloc (sizeof (struct ip_user_dict)); - current_entry = current_entry->next_entry; - } - - } - - /* Return a pointer to the first entry linked list */ - return first_entry; -} /* load_dict */ - -/* This function looks for a matching ip/mask in - * the dict file loaded in memory. - * It returns 1 if it finds a match or 0 if no match is found - */ -int -dict_lookup (struct ip_user_dict *first_entry, char *username, - char *address) -{ - /* Move the pointer to the first entry of the linked list. */ - struct ip_user_dict *current_entry = first_entry; - - while (current_entry->username != NULL) { -#ifdef DEBUG - printf ("user: %s\naddr: %lu\nmask: %lu\n\n", - current_entry->username, current_entry->address, - current_entry->netmask); -#endif - - if ((inet_addr (address) & (unsigned long) current_entry-> - netmask) == current_entry->address) { - /* If the username contains an @ we assume it´s a group and - call the corresponding function */ - if ((strchr (current_entry->username, '@')) == NULL) { - if ((match_user (current_entry->username, username)) == 1) - return 1; - } else { - if ((match_group (current_entry->username, username)) == 1) - return 1; - } - } - current_entry = current_entry->next_entry; - } - - /* If no match was found we return 0 */ - return 0; -} /* dict_lookup */ diff --git a/helpers/external_acl/ip_user/ip_user.h b/helpers/external_acl/ip_user/ip_user.h deleted file mode 100644 index 487c9a23da..0000000000 --- a/helpers/external_acl/ip_user/ip_user.h +++ /dev/null @@ -1,38 +0,0 @@ -/* $Id$ -* Copyright (C) 2002 Rodrigo Campos -* -* This program is free software; you can redistribute it and/or modify -* it under the terms of the GNU General Public License as published by -* the Free Software Foundation; either version 2 of the License, or -* (at your option) any later version. -* -* This program is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -* GNU General Public License for more details. -* -* You should have received a copy of the GNU General Public License -* along with this program; if not, write to the Free Software -* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -* -* Author: Rodrigo Campos (rodrigo@geekbunker.org) -* -*/ - - - - -struct ip_user_dict { - unsigned long address; - unsigned long netmask; - char *username; - struct ip_user_dict *next_entry; -}; - -extern int match_user(char *, char *); -extern int match_group(char *, char *); -extern struct ip_user_dict *load_dict(FILE *); -extern int dict_lookup(struct ip_user_dict *, char *, char *); - - -#define BUFSIZE 1024 diff --git a/helpers/external_acl/ip_user/license b/helpers/external_acl/ip_user/license deleted file mode 100644 index 1be649a5e5..0000000000 --- a/helpers/external_acl/ip_user/license +++ /dev/null @@ -1,19 +0,0 @@ -* Copyright (C) 2002 Rodrigo Campos -* -* This program is free software; you can redistribute it and/or modify -* it under the terms of the GNU General Public License as published by -* the Free Software Foundation; either version 2 of the License, or -* (at your option) any later version. -* -* This program is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -* GNU General Public License for more details. -* -* You should have received a copy of the GNU General Public License -* along with this program; if not, write to the Free Software -* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -* -* Author: Rodrigo Campos (rodrigo@geekbunker.org) -* -*/ diff --git a/helpers/external_acl/ip_user/main.c b/helpers/external_acl/ip_user/main.c deleted file mode 100644 index f9537572ef..0000000000 --- a/helpers/external_acl/ip_user/main.c +++ /dev/null @@ -1,104 +0,0 @@ -/* $Id$ -* Copyright (C) 2002 Rodrigo Campos -* -* This program is free software; you can redistribute it and/or modify -* it under the terms of the GNU General Public License as published by -* the Free Software Foundation; either version 2 of the License, or -* (at your option) any later version. -* -* This program is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -* GNU General Public License for more details. -* -* You should have received a copy of the GNU General Public License -* along with this program; if not, write to the Free Software -* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -* -* Author: Rodrigo Campos (rodrigo@geekbunker.org) -* -*/ - -#include "rfc1738.h" -#include "util.h" - -#include -#include -#include -#include - -#include "ip_user.h" - -static void -usage (char *program_name) -{ - fprintf (stderr, "Usage:\n%s -f \n", - program_name); -} - -int -main (int argc, char *argv[]) -{ - FILE *FH; - char *filename = NULL; - char *program_name = argv[0]; - char *cp; - char *username, *address; - char line[BUFSIZE]; - struct ip_user_dict *current_entry; - int ch; - - setvbuf (stdout, NULL, _IOLBF, 0); - while ((ch = getopt (argc, argv, "f:")) != -1) { - switch (ch) { - case 'f': - filename = optarg; - break; - default: - usage (program_name); - exit (1); - } - } - if (filename == NULL) { - usage (program_name); - exit(1); - } - FH = fopen (filename, "r"); - current_entry = load_dict (FH); - - while (fgets (line, sizeof (line), stdin)) { - if ((cp = strchr (line, '\n')) == NULL) { - /* too large message received.. skip and deny */ - fprintf(stderr, "%s: ERROR: Too large: %s\n", argv[0], line); - while (fgets(line, sizeof(line), stdin)) { - fprintf(stderr, "%s: ERROR: Too large..: %s\n", argv[0], line); - if (strchr(line, '\n') != NULL) - break; - } - goto error; - } - *cp = '\0'; - address = strtok (line, " \t"); - username = strtok (NULL, " \t"); - if (!address || !username) { - fprintf (stderr, "%s: unable to read tokens\n", argv[0]); - goto error; - } - rfc1738_unescape(address); - rfc1738_unescape(username); -#ifdef DEBUG - printf ("result: %d\n", - dict_lookup (current_entry, username, address)); -#endif - if ((dict_lookup (current_entry, username, address)) != 0) { - printf ("OK\n"); - } else { -error: - printf ("ERR\n"); - } - } - - - fclose (FH); - return 0; -} diff --git a/helpers/external_acl/ip_user/match.c b/helpers/external_acl/ip_user/match.c deleted file mode 100644 index 9f3981ab22..0000000000 --- a/helpers/external_acl/ip_user/match.c +++ /dev/null @@ -1,62 +0,0 @@ -/* $Id$ -* Copyright (C) 2002 Rodrigo Campos -* -* This program is free software; you can redistribute it and/or modify -* it under the terms of the GNU General Public License as published by -* the Free Software Foundation; either version 2 of the License, or -* (at your option) any later version. -* -* This program is distributed in the hope that it will be useful, -* but WITHOUT ANY WARRANTY; without even the implied warranty of -* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -* GNU General Public License for more details. -* -* You should have received a copy of the GNU General Public License -* along with this program; if not, write to the Free Software -* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -* -* Author: Rodrigo Campos (rodrigo@geekbunker.org) -* -*/ -#include -#include -#include -#include - -#include "ip_user.h" - -int -match_user (char *dict_username, char *username) -{ - if ((strcmp (dict_username, username)) == 0) { - return 1; - } else { - if ((strcmp (dict_username, "ALL")) == 0) { - return 1; - } - } - return 0; -} /* match_user */ - -int -match_group (char *dict_group, char *username) -{ - struct group *g; /* a struct to hold group entries */ - dict_group++; /* the @ should be the first char - so we rip it off by incrementing - * the pointer by one */ - - if ((g = getgrnam (dict_group)) == NULL) { - fprintf (stderr, "helper: Group does not exist '%s'\n", - dict_group); - return 0; - } else { - while (*(g->gr_mem) != NULL) { - if (strcmp (*((g->gr_mem)++), username) == 0) { - return 1; - } - } - } - return 0; - -} /* match_group */ diff --git a/helpers/external_acl/ldap_group/Makefile.am b/helpers/external_acl/ldap_group/Makefile.am deleted file mode 100644 index fb0febb372..0000000000 --- a/helpers/external_acl/ldap_group/Makefile.am +++ /dev/null @@ -1,17 +0,0 @@ -include $(top_srcdir)/src/Common.am - -## we need our local files too (but avoid -I. at all costs) -INCLUDES += -I$(srcdir) - - -libexec_PROGRAMS = squid_ldap_group -man_MANS = squid_ldap_group.8 -EXTRA_DIST = squid_ldap_group.8 config.test -squid_ldap_group_SOURCES = squid_ldap_group.c - -LDADD = \ - $(top_builddir)/compat/libcompat.la \ - -L$(top_builddir)/lib -lmiscutil \ - $(LDAPLIB) \ - $(LBERLIB) \ - $(XTRA_LIBS) diff --git a/helpers/external_acl/ldap_group/README b/helpers/external_acl/ldap_group/README deleted file mode 100644 index 03ca275735..0000000000 --- a/helpers/external_acl/ldap_group/README +++ /dev/null @@ -1,10 +0,0 @@ -This program is a LDAP group helper for Squid. - -See the included manpage for documentation. - - nroff -man squid_ldap_group.8 | less - -See INSTALL for installation instructions - -The latest version of this program can always be found from -MARA Systems at http://marasystems.com/download/LDAP_Group/ diff --git a/helpers/external_acl/mswin_ad_group/mswin_check_ad_group.h b/helpers/external_acl/mswin_ad_group/mswin_check_ad_group.h deleted file mode 100644 index a5d76212d7..0000000000 --- a/helpers/external_acl/mswin_ad_group/mswin_check_ad_group.h +++ /dev/null @@ -1,89 +0,0 @@ -/* - * (C) 2002, 2005 Guido Serassio - * Based on previous work of Francesco Chemolli, Robert Collins and Andrew Doran - * - * Distributed freely under the terms of the GNU General Public License, - * version 2. See the file COPYING for licensing details - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. - */ - -#undef debug - -/************* CONFIGURATION ***************/ -/* - * define this if you want debugging - */ -#ifndef DEBUG -#define DEBUG -#endif - -/************* END CONFIGURATION ***************/ - -#include - -#define safe_free(x) if (x) { free(x); x = NULL; } - -/* Debugging stuff */ - -#ifdef __GNUC__ /* this is really a gcc-ism */ -#ifdef DEBUG -#include -#include -static char *__foo; -extern char debug_enabled; -extern char *WIN32_ErrorMessage; -#define debug(X...) if (debug_enabled) { \ - fprintf(stderr,"%s[%d](%s:%d): ", myname, mypid, \ - ((__foo=strrchr(__FILE__,'/'))==NULL?__FILE__:__foo+1),\ - __LINE__);\ - fprintf(stderr,X); \ - if (WIN32_ErrorMessage != NULL){ \ - LocalFree(WIN32_ErrorMessage); \ - WIN32_ErrorMessage = NULL; \ - } } -#else /* DEBUG */ -#define debug(X...) /* */ -#endif /* DEBUG */ -#else /* __GNUC__ */ -extern char debug_enabled; -extern char *WIN32_ErrorMessage; -static void -debug(char *format,...) -{ -#ifdef DEBUG -#ifdef _SQUID_MSWIN_ - if (debug_enabled) { - va_list args; - - va_start(args, format); - fprintf(stderr, "%s[%d]: ", myname, mypid); - vfprintf(stderr, format, args); - fprintf(stderr, "\n"); - va_end(args); - if (WIN32_ErrorMessage != NULL) { - LocalFree(WIN32_ErrorMessage); - WIN32_ErrorMessage = NULL; - } - } -#endif /* _SQUID_MSWIN_ */ -#endif /* DEBUG */ -} -#endif /* __GNUC__ */ - - -/* A couple of harmless helper macros */ -#define SEND(X) debug("sending '%s' to squid\n",X); printf(X "\n"); -#ifdef __GNUC__ -#define SEND2(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y); -#else -/* no gcc, no debugging. varargs macros are a gcc extension */ -#define SEND2(X,Y) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y); -#endif diff --git a/helpers/external_acl/mswin_ad_group/readme.txt b/helpers/external_acl/mswin_ad_group/readme.txt deleted file mode 100644 index 0b2ecb66ce..0000000000 --- a/helpers/external_acl/mswin_ad_group/readme.txt +++ /dev/null @@ -1,119 +0,0 @@ - -This is the readme.txt file for mswin_check_ad_group 2.0, an external -helper for the External ACL Scheme for Squid. - - -This helper must be used in with an authentication scheme (tipically -basic, NTLM or Negotiate) based on Windows Active Directory domain users. -It reads from the standard input the domain username and a list of groups -and tries to match it against the groups membership of the specified -username. - -Two running mode are available: - -- Local mode: -membership is checked against machine's local groups, cannot be used when -running on a Domain Controller. - -- Active Directory Global mode: -membership is checked against the whole Active Directory Forest of the -machine where Squid is running. - -The minimal Windows version needed to run mswin_check_ad_group is -a Windows 2000 SP4 member of an Active Directory Domain. - -When running in Active Directory Global mode, all types of Active Directory -security groups are supported: -- Domain Global -- Domain Local from user's domain -- Universal -and Active Directory group nesting is fully supported. - - -============== -Program Syntax -============== - -mswin_check_ad_group [-D domain][-G][-c][-d][-h] - --D domain specify the default user's domain --G start helper in Active Directory Global mode --c use case insensitive compare (local mode only) --d enable debugging --h this message - - -================ -squid.conf usage -================ - -When running in Active Directory Global mode, the AD Group can be specified using the -following syntax: - -1. Plain NT4 Group Name -2. Full NT4 Group Name -3. Active Directory Canonical name - -As Example: -1. Proxy-Users -2. MYDOMAIN\Proxy-Users -3. mydomain.local/Groups/Proxy-Users - -When using Plain NT4 Group Name, the Group is searched in the user's domain. - -external_acl_type AD_global_group %LOGIN c:/squid/libexec/mswin_check_ad_group.exe -G -external_acl_type NT_local_group %LOGIN c:/squid/libexec/mswin_check_ad_group.exe - -acl GProxyUsers external AD_global_group MYDOMAIN\GProxyUsers -acl LProxyUsers external NT_local_group LProxyUsers -acl password proxy_auth REQUIRED - -http_access allow password GProxyUsers -http_access allow password LProxyUsers -http_access deny all - -In the previous example all validated AD users member of MYDOMAIN\GProxyUsers -domain group or member of LProxyUsers machine local group are allowed to -use the cache. - -Groups with spaces in name, for example "Domain Users", must be quoted and -the acl data ("Domain Users") must be placed into a separate file included -by specifying "/path/to/file". The previous example will be: - -acl ProxyUsers external NT_global_group "c:/squid/etc/DomainUsers" - -and the DomainUsers files will contain only the following line: - -"Domain Users" - -NOTES: -- When running in Active Directory Global mode, for better performance, - all Domain Controllers of the Active Directory forest should be configured - as Global Catalog. -- When running in local mode, the standard group name comparison is case - sensitive, so group name must be specified with same case as in the - local SAM database. - It's possible to enable case insensitive group name comparison (-c), - but on some not-english locales, the results can be unexpected. -- Native WIN32 NTLM and Basic Helpers must be used without the - -A & -D switches. - -Refer to Squid documentation for the more details on squid.conf. - - -======= -Testing -======= - -I strongly reccomend that mswin_check_ad_group is tested prior to being used in a -production environment. It may behave differently on different platforms. -To test it, run it from the command line. Enter username and group -pairs separated by a space (username must entered with domain%5cusername -syntax). Press ENTER to get an OK or ERR message. -Make sure pressing behaves the same as a carriage return. -Make sure pressing aborts the program. - -Test that entering no details does not result in an OK or ERR message. -Test that entering an invalid username and group results in an ERR message. -Test that entering an valid username and group results in an OK message. - diff --git a/helpers/external_acl/mswin_lm_group/Makefile.am b/helpers/external_acl/mswin_lm_group/Makefile.am deleted file mode 100644 index 478b6fa407..0000000000 --- a/helpers/external_acl/mswin_lm_group/Makefile.am +++ /dev/null @@ -1,27 +0,0 @@ -# -# Makefile for the Squid Object Cache server -# -# $Id$ -# -# Uncomment and customize the following to suit your needs: -# - - -libexec_PROGRAMS = mswin_check_lm_group - -mswin_check_lm_group_SOURCES = win32_check_group.c win32_check_group.h - -INCLUDES = \ - -I$(top_srcdir) \ - -I$(top_builddir)/include \ - -I$(top_srcdir)/include - -LDADD = \ - $(top_builddir)/compat/libcompat.la \ - -L$(top_builddir)/lib -lmiscutil \ - -lnetapi32 \ - -ladvapi32 \ - -lntdll \ - $(XTRA_LIBS) - -EXTRA_DIST = readme.txt config.test diff --git a/helpers/external_acl/mswin_lm_group/readme.txt b/helpers/external_acl/mswin_lm_group/readme.txt deleted file mode 100644 index 461325ca54..0000000000 --- a/helpers/external_acl/mswin_lm_group/readme.txt +++ /dev/null @@ -1,82 +0,0 @@ - -This is the readme.txt file for mswin_check_lm_group, an external -helper for the External ACL Scheme for Squid. - - -This helper must be used in with an authentication scheme (tipically -basic or NTLM) based on Windows NT/2000 domain users (LM mode). -It reads from the standard input the domain username and a list of groups -and tries to match it against the groups membership of the specified -username. - - -============== -Program Syntax -============== - -mswin_check_lm_group [-D domain][-G][-P][-c][-d][-h] - --D domain specify the default user's domain --G start helper in Domain Global Group mode --P use ONLY PDCs for group validation --c use case insensitive compare --d enable debugging --h this message - - -================ -squid.conf usage -================ - -external_acl_type NT_global_group %LOGIN c:/squid/libexec/mswin_check_lm_group.exe -G -external_acl_type NT_local_group %LOGIN c:/squid/libexec/mswin_check_lm_group.exe - -acl GProxyUsers external NT_global_group GProxyUsers -acl LProxyUsers external NT_local_group LProxyUsers -acl password proxy_auth REQUIRED - -http_access allow password GProxyUsers -http_access allow password LProxyUsers -http_access deny all - -In the previous example all validated NT users member of GProxyUsers Global -domain group or member of LProxyUsers machine local group are allowed to -use the cache. - -Groups with spaces in name, for example "Domain Users", must be quoted and -the acl data ("Domain Users") must be placed into a separate file included -by specifying "/path/to/file". The previous example will be: - -acl ProxyUsers external NT_global_group "c:/squid/etc/DomainUsers" - -and the DomainUsers files will contain only the following line: - -"Domain Users" - -NOTES: -- The standard group name comparison is case sensitive, so group name - must be specified with same case as in the NT/2000 Domain. - It's possible to enable case insensitive group name comparison (-c), - but on some not-english locales, the results can be unexpected. -- Native WIN32 NTLM and Basic Helpers must be used without the - -A & -D switches. - -Refer to Squid documentation for the more details on squid.conf. - - -======= -Testing -======= - -I strongly reccomend that mswin_check_lm_group is tested prior to being used in a -production environment. It may behave differently on different platforms. -To test it, run it from the command line. Enter username and group -pairs separated by a space (username must entered with domain%5cusername -syntax). Press ENTER to get an OK or ERR message. -Make sure pressing behaves the same as a carriage return. -Make sure pressing aborts the program. - -Test that entering no details does not result in an OK or ERR message. -Test that entering an invalid username and group results in an ERR message. -Test that entering an valid username and group results in an OK message. - diff --git a/helpers/external_acl/mswin_lm_group/win32_check_group.h b/helpers/external_acl/mswin_lm_group/win32_check_group.h deleted file mode 100644 index 041879ed21..0000000000 --- a/helpers/external_acl/mswin_lm_group/win32_check_group.h +++ /dev/null @@ -1,79 +0,0 @@ -/* - * (C) 2002, 2005 Guido Serassio - * Based on previous work of Francesco Chemolli, Robert Collins and Andrew Doran - * - * Distributed freely under the terms of the GNU General Public License, - * version 2. See the file COPYING for licensing details - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. - */ - -#undef debug - -/************* CONFIGURATION ***************/ -/* - * define this if you want debugging - */ -#ifndef DEBUG -#define DEBUG -#endif - -/************* END CONFIGURATION ***************/ - -#include - -#define safe_free(x) if (x) { free(x); x = NULL; } - -/* Debugging stuff */ - -#ifdef __GNUC__ /* this is really a gcc-ism */ -#ifdef DEBUG -#include -#include -static char *__foo; -extern char debug_enabled; -#define debug(X...) if (debug_enabled) { \ - fprintf(stderr,"%s[%d](%s:%d): ", myname, mypid, \ - ((__foo=strrchr(__FILE__,'/'))==NULL?__FILE__:__foo+1),\ - __LINE__);\ - fprintf(stderr,X); } -#else /* DEBUG */ -#define debug(X...) /* */ -#endif /* DEBUG */ -#else /* __GNUC__ */ -extern char debug_enabled; -static void -debug(char *format,...) -{ -#ifdef DEBUG -#ifdef _SQUID_MSWIN_ - if (debug_enabled) { - va_list args; - - va_start(args, format); - fprintf(stderr, "%s[%d]: ", myname, mypid); - vfprintf(stderr, format, args); - fprintf(stderr, "\n"); - va_end(args); - } -#endif /* _SQUID_MSWIN_ */ -#endif /* DEBUG */ -} -#endif /* __GNUC__ */ - - -/* A couple of harmless helper macros */ -#define SEND(X) debug("sending '%s' to squid\n",X); printf(X "\n"); -#ifdef __GNUC__ -#define SEND2(X,Y...) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y); -#else -/* no gcc, no debugging. varargs macros are a gcc extension */ -#define SEND2(X,Y) debug("sending '" X "' to squid\n",Y); printf(X "\n",Y); -#endif diff --git a/helpers/external_acl/session/Makefile.am b/helpers/external_acl/session/Makefile.am index 36cc2872d4..1797431974 100644 --- a/helpers/external_acl/session/Makefile.am +++ b/helpers/external_acl/session/Makefile.am @@ -1,14 +1,10 @@ include $(top_srcdir)/src/Common.am -## we need our local files too (but avoid -I. at all costs) -INCLUDES += -I$(srcdir) - - -libexec_PROGRAMS = squid_session -man_MANS = squid_session.8 -EXTRA_DIST = squid_session.8 config.test -squid_session_SOURCES = squid_session.c +libexec_PROGRAMS = ext_session_acl +man_MANS = ext_session_acl.8 +EXTRA_DIST = ext_session_acl.8 config.test +ext_session_acl_SOURCES = ext_session_acl.cc LDADD = \ - $(top_builddir)/compat/libcompat.la \ + $(COMPAT_LIB) \ $(LIB_DB) diff --git a/helpers/external_acl/session/squid_session.8 b/helpers/external_acl/session/ext_session_acl.8 similarity index 91% rename from helpers/external_acl/session/squid_session.8 rename to helpers/external_acl/session/ext_session_acl.8 index 7d789af361..0d87627b3f 100644 --- a/helpers/external_acl/session/squid_session.8 +++ b/helpers/external_acl/session/ext_session_acl.8 @@ -1,14 +1,14 @@ -.if !'po4a'hide' .TH squid_session 8 "19 March 2006" +.if !'po4a'hide' .TH ext_session_acl 8 "19 March 2006" . .SH NAME -.if !'po4a'hide' .B squid_session +.if !'po4a'hide' .B ext_session_acl .if !'po4a'hide' \- -Squid session tracking external acl group helper. +Squid session tracking external acl helper. .PP Version 1.0 . .SH SYNOPSIS -.if !'po4a'hide' .B squid_session +.if !'po4a'hide' .B ext_session_acl .if !'po4a'hide' .B "[\-t" timeout .if !'po4a'hide' .B "] [\-b" @@ -16,7 +16,7 @@ database .if !'po4a'hide' .B "] [\-a]" . .SH DESCRIPTION -.B squid_session +.B ext_session_acl maintains a concept of sessions by monitoring requests and timing out sessions if no requests have been seen for the idle timeout timer. @@ -51,7 +51,7 @@ the first request. .PP Configuration example using the default automatic mode .if !'po4a'hide' .RS -.if !'po4a'hide' external_acl_type session ttl=300 negative_ttl=0 children=1 concurrency=200 %LOGIN /usr/local/squid/libexec/squid_session +.if !'po4a'hide' external_acl_type session ttl=300 negative_ttl=0 children=1 concurrency=200 %LOGIN /usr/local/squid/libexec/ext_session_acl .if !'po4a'hide' acl session external session .if !'po4a'hide' http_access deny !session .if !'po4a'hide' deny_info http://your.server.example.com/bannerpage?url=%s session diff --git a/helpers/external_acl/session/squid_session.c b/helpers/external_acl/session/ext_session_acl.cc similarity index 77% rename from helpers/external_acl/session/squid_session.c rename to helpers/external_acl/session/ext_session_acl.cc index ba529d82f5..d6182a107e 100644 --- a/helpers/external_acl/session/squid_session.c +++ b/helpers/external_acl/session/ext_session_acl.cc @@ -1,5 +1,5 @@ /* - * squid_session: Squid external acl helper for tracking sessions + * ext_session_acl: Squid external acl helper for tracking sessions * * Copyright (C) 2006 Henrik Nordstrom * @@ -21,6 +21,7 @@ #if HAVE_CONFIG_H #include "config.h" #endif +#include "helpers/defines.h" #include #include @@ -60,7 +61,7 @@ static void init_db(void) { db = dbopen(db_path, O_CREAT | O_RDWR, 0666, DB_BTREE, NULL); if (!db) { - fprintf(stderr, "%s: Failed to open session db '%s'\n", program_name, db_path); + fprintf(stderr, "FATAL: %s: Failed to open session db '%s'\n", program_name, db_path); exit(1); } } @@ -72,15 +73,15 @@ static void shutdown_db(void) int session_is_active = 0; -static int session_active(const char *details) +static int session_active(const char *details, size_t len) { DBT key, data; key.data = (void *)details; - key.size = strlen(details); + key.size = len; if (db->get(db, &key, &data, 0) == 0) { time_t timestamp; if (data.size != sizeof(timestamp)) { - fprintf(stderr, "%s: CORRUPTED DATABASE (%s)\n", program_name, details); + fprintf(stderr, "ERROR: %s: CORRUPTED DATABASE (%s)\n", program_name, details); db->del(db, &key, 0); return 0; } @@ -91,22 +92,22 @@ static int session_active(const char *details) return 0; } -static void session_login(const char *details) +static void session_login(const char *details, size_t len) { DBT key, data; time_t now = time(NULL); key.data = (void *)details; - key.size = strlen(details); + key.size = len; data.data = &now; data.size = sizeof(now); db->put(db, &key, &data, 0); } -static void session_logout(const char *details) +static void session_logout(const char *details, size_t len) { DBT key; key.data = (void *)details; - key.size = strlen(details); + key.size = len; db->del(db, &key, 0); } @@ -119,7 +120,7 @@ static void usage(void) } int main(int argc, char **argv) { - char request[256]; + char request[HELPER_INPUT_BUFFER]; int opt; int default_action = 1; @@ -147,33 +148,32 @@ int main(int argc, char **argv) init_db(); - while (fgets(request, sizeof(request), stdin)) { - const char *user_key, *detail; - char *lastdetail; + while (fgets(request, HELPER_INPUT_BUFFER, stdin)) { int action = 0; - user_key = strtok(request, " \n"); - detail = strtok(NULL, "\n"); - lastdetail = strrchr(detail, ' '); + const char *user_key = strtok(request, " \n"); + const char *detail = strtok(NULL, "\n"); + const char *lastdetail = strrchr(detail, ' '); + size_t detail_len; if (lastdetail) { if (strcmp(lastdetail, " LOGIN") == 0) { - *lastdetail++ = '\0'; action = 1; + detail_len = (size_t)(lastdetail-detail); } else if (strcmp(lastdetail, " LOGOUT") == 0) { action = -1; - *lastdetail++ = '\0'; + detail_len = (size_t)(lastdetail-detail); } } if (action == -1) { - session_logout(detail); + session_logout(detail, detail_len); printf("%s OK message=\"Bye\"\n", user_key); } else if (action == 1) { - session_login(detail); + session_login(detail, detail_len); printf("%s OK message=\"Welcome\"\n", user_key); - } else if (session_active(detail)) { - session_login(detail); + } else if (session_active(detail, detail_len)) { + session_login(detail, detail_len); printf("%s OK\n", user_key); } else if (default_action == 1) { - session_login(detail); + session_login(detail, detail_len); printf("%s ERR message=\"Welcome\"\n", user_key); } else { printf("%s ERR message=\"No session available\"\n", user_key); diff --git a/helpers/external_acl/unix_group/Makefile.am b/helpers/external_acl/unix_group/Makefile.am index 916a4ca942..532bf71288 100644 --- a/helpers/external_acl/unix_group/Makefile.am +++ b/helpers/external_acl/unix_group/Makefile.am @@ -1,15 +1,10 @@ include $(top_srcdir)/src/Common.am -## we need our local files too (but avoid -I. at all costs) -INCLUDES += -I$(srcdir) - - -libexec_PROGRAMS = squid_unix_group -man_MANS = squid_unix_group.8 -EXTRA_DIST = squid_unix_group.8 config.test -squid_unix_group_SOURCES = check_group.c +libexec_PROGRAMS = ext_unix_group_acl +man_MANS = ext_unix_group_acl.8 +EXTRA_DIST = ext_unix_group_acl.8 config.test +ext_unix_group_acl_SOURCES = check_group.cc LDADD = \ - $(top_builddir)/compat/libcompat.la \ - -L$(top_builddir)/lib -lmiscutil \ + $(COMPAT_LIB) \ $(XTRA_LIBS) diff --git a/helpers/external_acl/unix_group/README b/helpers/external_acl/unix_group/README deleted file mode 100644 index 0fcdbaf9fa..0000000000 --- a/helpers/external_acl/unix_group/README +++ /dev/null @@ -1,37 +0,0 @@ -$Id$ - -This is the README file for check_group, an external -helper fo the External ACL Scheme for Squid. - -More information about the External ACL scheme may -be found at http://devel.squid-cache.org/external_acl/ - -This program reads one new line terminated argument in the -standard input (the username and groups) and tries to match it against -several command-line specified groups. - -The syntax for the program is as follows: - -check_group [-g group1 -g group2 -g group3 ...] [-p] - -You may specify up to 11 different groups, this limit may be -increased by changing the MAX_GROUP define in the source code -and recompiling the program. - -To compile this program, use: - -gcc -o check_group check_group.c - - -You may specify the group names in the acl, as follows: - -acl ckgroup external ckgroup_helper %LOGIN group1 group2 group3 - - -You may get the latest release and more information about this -program at http://geekbunker.org/rodrigo/check_group.html - - --- -Rodrigo Campos -rodrigo@geekbunker.org diff --git a/helpers/external_acl/unix_group/check_group.c b/helpers/external_acl/unix_group/check_group.cc similarity index 85% rename from helpers/external_acl/unix_group/check_group.c rename to helpers/external_acl/unix_group/check_group.cc index 5cff40b445..8dad8e7952 100644 --- a/helpers/external_acl/unix_group/check_group.c +++ b/helpers/external_acl/unix_group/check_group.cc @@ -55,20 +55,29 @@ * Initial revision * */ - +#include "config.h" +#include "helpers/defines.h" #include "rfc1738.h" #include "util.h" +#if HAVE_STDIO_H #include -#include +#endif +#if HAVE_STRING_H #include -#include +#endif +#if HAVE_GRP_H #include +#endif +#if HAVE_UNISTD_H #include +#endif +#if HAVE_PWD_H #include +#endif +#if HAVE_CTYPE_H #include - -#define BUFSIZE 8192 /* the stdin buffer size */ +#endif /* * Verify if user´s primary group matches groupname @@ -83,7 +92,7 @@ validate_user_pw(char *username, char *groupname) if ((p = getpwnam(username)) == NULL) { /* Returns an error if user does not exist in the /etc/passwd */ - fprintf(stderr, "helper: User does not exist '%s'\n", username); + fprintf(stderr, "ERROR: User does not exist '%s'\n", username); return 0; } else { /* Verify if the this is the primary user group */ @@ -106,8 +115,7 @@ validate_user_gr(char *username, char *groupname) struct group *g; if ((g = getgrnam(groupname)) == NULL) { - fprintf(stderr, "helper: Group does not exist '%s'\n", - groupname); + fprintf(stderr, "ERROR: Group does not exist '%s'\n", groupname); return 0; } else { while (*(g->gr_mem) != NULL) { @@ -140,7 +148,7 @@ int main(int argc, char *argv[]) { char *user, *suser, *p; - char buf[BUFSIZE]; + char buf[HELPER_INPUT_BUFFER]; char **grents = NULL; int check_pw = 0, ch, ngroups = 0, i, j = 0, strip_dm = 0; @@ -148,8 +156,11 @@ main(int argc, char *argv[]) setvbuf(stdout, NULL, _IOLBF, 0); /* get user options */ - while ((ch = getopt(argc, argv, "spg:")) != -1) { + while ((ch = getopt(argc, argv, "dspg:")) != -1) { switch (ch) { + case 'd': + debug_enabled = 1; + break; case 's': strip_dm = 1; break; @@ -157,7 +168,7 @@ main(int argc, char *argv[]) check_pw = 1; break; case 'g': - grents = realloc(grents, sizeof(*grents) * (ngroups+1)); + grents = (char**)realloc(grents, sizeof(*grents) * (ngroups+1)); grents[ngroups++] = optarg; break; case '?': @@ -173,25 +184,27 @@ main(int argc, char *argv[]) } } if (optind < argc) { - fprintf(stderr, "Unknown option '%s'\n", argv[optind]); + fprintf(stderr, "FATAL: Unknown option '%s'\n", argv[optind]); usage(argv[0]); exit(1); } - while (fgets(buf, sizeof(buf), stdin)) { + while (fgets(buf, HELPER_INPUT_BUFFER, stdin)) { j = 0; if ((p = strchr(buf, '\n')) == NULL) { /* too large message received.. skip and deny */ - fprintf(stderr, "%s: ERROR: Too large: %s\n", argv[0], buf); + fprintf(stderr, "ERROR: %s: Too large: %s\n", argv[0], buf); while (fgets(buf, sizeof(buf), stdin)) { - fprintf(stderr, "%s: ERROR: Too large..: %s\n", argv[0], buf); + fprintf(stderr, "ERROR: %s: Too large..: %s\n", argv[0], buf); if (strchr(buf, '\n') != NULL) break; } - goto error; + SEND_ERR("Username Input too large."); + continue; } *p = '\0'; if ((p = strtok(buf, " ")) == NULL) { - goto error; + SEND_ERR("No username given."); + continue; } else { user = p; rfc1738_unescape(user); @@ -218,10 +231,9 @@ main(int argc, char *argv[]) } if (j > 0) { - printf("OK\n"); + SEND_OK(""); } else { -error: - printf("ERR\n"); + SEND_ERR(""); } } return 0; diff --git a/helpers/external_acl/unix_group/squid_unix_group.8 b/helpers/external_acl/unix_group/ext_unix_group_acl.8 similarity index 88% rename from helpers/external_acl/unix_group/squid_unix_group.8 rename to helpers/external_acl/unix_group/ext_unix_group_acl.8 index e9bf675684..b1f766c3ea 100644 --- a/helpers/external_acl/unix_group/squid_unix_group.8 +++ b/helpers/external_acl/unix_group/ext_unix_group_acl.8 @@ -1,23 +1,26 @@ -.if !'po4a'hide' .TH squid_unix_group 8 "12 August 2002" +.if !'po4a'hide' .TH ext_unix_group_acl 8 "12 August 2002" . .SH NAME -.if !'po4a'hide' .B squid_unix_group +.if !'po4a'hide' .B ext_unix_group_acl .if !'po4a'hide' \- -Squid UNIX Group helper +Squid UNIX Group ACL helper . .SH SYNOPSIS -.if !'po4a'hide' .B "squid_unix_group [\-g " +.if !'po4a'hide' .B "ext_unix_group_acl [\-d] [\-g " group .if !'po4a'hide' .B "] [\-g " group -.if !'po4a'hide' .B "...] [\-p] [\-s]" +.if !'po4a'hide' .B " ...] [\-p] [\-s]" . .SH DESCRIPTION -.B squid_unix_group +.B ext_unix_group_acl allows Squid to base access controls on users memberships in UNIX groups. . .SH OPTIONS .if !'po4a'hide' .TP +.if !'po4a'hide' .BI "\-d " +Write debug info to stderr. +. .if !'po4a'hide' .BI "\-g " "group " Specifies a group name to match. . @@ -44,7 +47,7 @@ matches users in or .I group3 .if !'po4a'hide' .RS -.if !'po4a'hide' .IP external_acl_type unix_group %LOGIN /usr/local/squid/libexec/squid_unix_group -p +.if !'po4a'hide' .IP external_acl_type unix_group %LOGIN /usr/local/squid/libexec/ext_unix_group_acl -p .if !'po4a'hide' .IP acl usergroup1 external unix_group group1 .if !'po4a'hide' .IP acl usergroup2 external unix_group group2 group3 .if !'po4a'hide' .RE @@ -103,4 +106,3 @@ The Squid FAQ wiki .br The Squid Configuration Manual .if !'po4a'hide' http://www.squid-cache.org/Doc/config/ - diff --git a/helpers/external_acl/wbinfo_group/Makefile.am b/helpers/external_acl/wbinfo_group/Makefile.am index 3bcc752b6f..b437b34a73 100644 --- a/helpers/external_acl/wbinfo_group/Makefile.am +++ b/helpers/external_acl/wbinfo_group/Makefile.am @@ -1,4 +1,13 @@ -libexec_SCRIPTS = wbinfo_group.pl -#man_MANS = squid_wbinfo_group.8 -#EXTRA_DIST = squid_wbinfo_group.8 -EXTRA_DIST = wbinfo_group.pl config.test +include $(top_srcdir)/src/Common.am + +libexec_SCRIPTS = ext_wbinfo_group_acl +EXTRA_DIST = ext_wbinfo_group_acl.pl.in config.test + +ext_wbinfo_group_acl: ext_wbinfo_group_acl.pl.in + $(subst_perlshell) + +EXTRA_DIST += ext_wbinfo_group_acl.8 +man_MANS = ext_wbinfo_group_acl.8 + +ext_wbinfo_group_acl.8: ext_wbinfo_group_acl.pl.in + pod2man $(srcdir)/ext_wbinfo_group_acl.pl.in ext_wbinfo_group_acl.8 diff --git a/helpers/external_acl/wbinfo_group/wbinfo_group.pl b/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.pl.in similarity index 53% rename from helpers/external_acl/wbinfo_group/wbinfo_group.pl rename to helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.pl.in index 4df2cdccdc..9bf652891d 100755 --- a/helpers/external_acl/wbinfo_group/wbinfo_group.pl +++ b/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl.pl.in @@ -1,4 +1,4 @@ -#!/usr/bin/perl -w +#!@PERL@ -w # # external_acl helper to Squid to verify NT Domain group # membership using wbinfo @@ -26,7 +26,80 @@ # # 2002-07-05 Jerry Murdock # Initial release +=pod +=head1 NAME + +ext_wbinfo_group_acl - external ACL helper for Squid to verify NT Domain group membership using wbinfo. + +=head1 SYNOPSIS + +ext_wbinfo_group_acl [-dh] + +=head1 DESCRIPTION + +ext_wbinfo_group_acl is an installed executable script. +It uses wbinfo from Samba to lookup group membership of logged in users. + +This helper must be used in with an authentication scheme (typically +Basic or NTLM) based on Windows NT/2000 domain users. + +It reads from the standard input the domain username and a list of groups +and tries to match each against the groups membership of the specified +username. + +=head1 OPTIONS + + -d Write debug info to stderr. + -h Print the help. + +=head1 CONFIGURATION + + external_acl_type wbinfo_check %LOGIN /path/to/ext_wbinfo_group_acl + acl allowed_group external wbinfo_check Group1 Group2 + http_access allow allowed_group + +If the local perl interpreter is in a unusual location it may need to be added: + + external_acl_type wbinfo_check %LOGIN /path/to/perl /path/to/ext_wbinfo_group_acl + +=head1 AUTHOR + +This program was written by Jerry Murdock + +This manual was written by Amos Jeffries + +=head1 COPYRIGHT + +This program is put in the public domain by Jerry Murdock +. It is distributed in the hope that it will +be useful, but WITHOUT ANY WARRANTY; without even the implied warranty +of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + +=head1 QUESTIONS + +Questions on the usage of this program can be sent to the +Squid Users mailing list + +=head1 REPORTING BUGS + +Bug reports need to be made in English. +See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report. + +Report bugs or bug fixes using http://bugs.squid-cache.org/ + +Report serious security bugs to Squid Bugs + +Report ideas for new improvements to the +Squid Developers mailing list + +=head1 SEE ALSO + +The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq + +The Squid Configuration Manual http://www.squid-cache.org/Doc/config/ + +=cut # # Globals @@ -72,7 +145,7 @@ sub init() # sub usage() { - print "Usage: wbinfo_group.pl -dh\n"; + print "Usage: ext_wbinfo_group_acl -dh\n"; print "\t-d enable debugging\n"; print "\t-h print the help\n"; exit; @@ -98,4 +171,3 @@ while () { &debug("Sending $ans to squid"); print "$ans\n"; } -