source: squid-ssl/trunk/fuentes/helpers/external_acl/wbinfo_group/ext_wbinfo_group_acl @ 5495

Last change on this file since 5495 was 5495, checked in by Juanma, 22 months ago

Initial release

1#!/usr/bin/perl -w
2
3use strict;
4use Pod::Usage;
5use Getopt::Long;
6
7=pod
8
9=head1 NAME
10
11 ext_wbinfo_group_acl - external ACL helper for Squid to verify NT Domain group membership using wbinfo.
12
13=head1 SYNOPSIS
14
15 ext_wbinfo_group_acl [-dhK]
16
17=head1 DESCRIPTION
18
19B<ext_wbinfo_group_acl> is an installed executable script.
20It uses B<wbinfo> from Samba to look up the group membership of logged-in users.
21
22This helper must be used with an authentication scheme (typically
23Basic or NTLM) based on Windows NT/2000 domain users.
24
25It reads from the standard input the domain username and a list of groups
26and tries to match each against the group memberships of the specified
27username.
28
29=head1 OPTIONS
30
31=over 12
32
33=item B<-d>
34
35Write debug info to stderr.
36
37=item B<-h>
38
39Print the help.
40
41=item B<-K>
42
43Downgrade Kerberos credentials to NTLM.
44
45=back
46
47=head1 CONFIGURATION
48
49  external_acl_type wbinfo_check %LOGIN /path/to/ext_wbinfo_group_acl
50  acl allowed_group external wbinfo_check Group1 Group2
51  http_access allow allowed_group
52
53If the local perl interpreter is in an unusual location it may need to be added:
54
55  external_acl_type wbinfo_check %LOGIN /path/to/perl /path/to/ext_wbinfo_group_acl
56
57=head1 AUTHOR
58
59This program was written by Jerry Murdock <jmurdock@itraktech.com>
60
61This manual was written by Amos Jeffries <amosjeffries@squid-cache.org>
62
63=head1 COPYRIGHT
64
65 * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
66 *
67 * Squid software is distributed under GPLv2+ license and includes
68 * contributions from numerous individuals and organizations.
69 * Please see the COPYING and CONTRIBUTORS files for details.
70
71 This program is put in the public domain by Jerry Murdock
72 <jmurdock@itraktech.com>. It is distributed in the hope that it will
73 be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
74 of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
75
76=head1 QUESTIONS
77
78Questions on the usage of this program can be sent to the I<Squid Users mailing list <squid-users@squid-cache.org>>
79
80=head1 REPORTING BUGS
81
82Bug reports need to be made in English.
83See http://wiki.squid-cache.org/SquidFaq/BugReporting for details of what you need to include with your bug report.
84
85Report bugs or bug fixes using http://bugs.squid-cache.org/
86
87Report serious security bugs to I<Squid Bugs <squid-bugs@squid-cache.org>>
88
89Report ideas for new improvements to the I<Squid Developers mailing list <squid-dev@squid-cache.org>>
90
91=head1 SEE ALSO
92
93The Squid FAQ wiki http://wiki.squid-cache.org/SquidFaq
94
95The Squid Configuration Manual http://www.squid-cache.org/Doc/config/
96
97=cut
98
99#
100# Version history:
101#   2010-08-27 Hank Hampel <hh@nr-city.net>
102#               Add Kerberos to NTLM conversion of credentials (-K)
103#
104#   2005-12-26 Guido Serassio <guido.serassio@acmeconsulting.it>
105#               Add '-d' command line debugging option
106#
107#   2005-12-24 Guido Serassio <guido.serassio@acmeconsulting.it>
108#               Fix for wbinfo from Samba 3.0.21
109#
110#   2004-08-15 Henrik Nordstrom <hno@squid-cache.org>
111#               Helper protocol changed to URL escaped in Squid-3.0
112#
113#   2005-06-28 Arno Streuli <astreuli@gmail.com>
114#               Add multi group check
115#
116#   2002-07-05 Jerry Murdock <jmurdock@itraktech.com>
117#               Initial release
118
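#
# Globals
#
# %opt holds the command line switches filled in by init(): d (debug),
# h (help) and K (Kerberos to NTLM).  Declared with `our` instead of the
# obsolete `use vars` so strict sees an ordinary package variable.
our %opt;

my $user;      # login name from the current request line
my $group;     # group currently being checked
my @groups;    # group names squid sent with the request
my $ans;       # answer for the current request: OK or ERR

# Disable output buffering: squid waits for each answer line
$|=1;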
131
# Write a diagnostic line to stderr; silent unless -d was given.
sub debug {
    my $msg = join(' ', @_);
    print STDERR "$msg\n" if $opt{d};
}
135
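#
# Check if a user belongs to a group
#
# $user is the login squid authenticated (%LOGIN, already URL-unescaped by
# the caller) and $group one group name from the acl line.  Returns the
# helper answer 'OK' when wbinfo lists the group's GID among the user's
# groups and 'ERR' otherwise; every lookup failure (unknown group, unknown
# user, winbind unreachable) also yields 'ERR', so the helper fails closed.
# Neither value ever reaches a shell: wbinfo is executed directly with
# them as arguments (see _wbinfo).
#
sub check {
    my ($user, $group) = @_;

    # -K: turn a Kerberos principal "user@REALM" into "REALM\user" so
    # winbind resolves it as a domain login.
    if ($opt{K} && $user =~ m/\@/) {
        my @parts = split(/\@/, $user);
        $user = "$parts[1]\\$parts[0]";
    }

    # Group name -> SID.  wbinfo prints "<SID> <type>" on one line; keep
    # the first field (what the former `cut -d" " -f1` pipeline did).
    my $groupSID = (split(/ /, _wbinfo("--name-to-sid=$group"), 2))[0];
    $groupSID = '' unless defined $groupSID;
    # SID -> GID; skip the call when the group was not found.
    my $groupGID = $groupSID eq '' ? '' : _wbinfo("--sid-to-gid=$groupSID");
    debug("User:  -$user-\nGroup: -$group-\nSID:   -$groupSID-\nGID:   -$groupGID-");
    return 'ERR' if $groupGID eq '';   # unknown group or winbind down

    # GIDs of all the user's groups, one per line.  Fetched once (not
    # twice as before) and compared as whole lines.
    my $user_gids = _wbinfo("--user-groups=$user");
    return 'ERR' if $user_gids eq '';  # unknown user or winbind down
    return 'OK' if $user_gids =~ m/^\Q$groupGID\E$/m;
    return 'ERR';
}

#
# Run wbinfo with the given arguments and return its standard output with
# the trailing newline removed ('' when it prints nothing or cannot be
# started).  The list form of open executes wbinfo directly, so user and
# group names are passed as plain arguments rather than interpolated into
# a shell command line; the `--option=value` spelling also keeps a value
# beginning with '-' from being read as a switch.
#
sub _wbinfo {
    my @args = @_;
    my $out = '';
    if (open(my $fh, '-|', 'wbinfo', @args)) {
        local $/;                  # slurp: --user-groups prints several lines
        $out = <$fh>;
        # close status is not checked: wbinfo exits non-zero on a failed
        # lookup and the empty output already maps to ERR.
        close($fh);
        $out = '' unless defined $out;
        chomp $out;
    }
    else {
        debug("cannot run wbinfo @args: $!");
    }
    return $out;
}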
159
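#
# Command line options processing
#
# Fills the global %opt from @ARGV.  Switches: -h (help), -d (debug),
# -K (Kerberos to NTLM).  An unknown switch or -h ends in usage(), which
# exits.  Getopt::Std is used here; the Getopt::Long loaded at the top of
# the file is not.
#
sub init {
    use Getopt::Std;
    my $opt_string = 'hdK';
    getopts($opt_string, \%opt) or usage();
    usage() if $opt{h};
    return;
}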
170
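#
# Message about this program and how to use it
#
# Printed for -h and for any unknown switch; never returns.  The switch
# list must stay in step with the SYNOPSIS in the POD above.
#
sub usage {
    print "Usage: ext_wbinfo_group_acl -dhK\n";
    print "\t-d enable debugging\n";
    print "\t-h print the help\n";
    print "\t-K downgrade Kerberos credentials to NTLM.\n";
    exit;
}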
182
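init();
print STDERR "Debugging mode ON.\n" if $opt{d};

# Decode the %XX escapes squid applies to every field of a request line
# (the helper protocol is URL escaped since Squid-3.0, see the version
# history).  "C" packs the byte unsigned, so values above 127 do not
# trigger the wrap warning the signed "c" template gives under -w.
sub _url_unescape {
    my ($field) = @_;
    $field =~ s/%([0-9a-fA-F]{2})/pack("C", hex($1))/eg;
    return $field;
}

#
# Main loop: one request per line, "<login> <group> [<group> ...]",
# answered with exactly one line, OK or ERR.
#
while (<STDIN>) {
    chomp;
    debug("Got $_ from squid");
    ($user, @groups) = split(/\s+/);
    # Fail closed: a line without a usable login or without any group is
    # answered ERR instead of repeating the previous request's answer.
    $ans = 'ERR';
    if (defined $user && length $user) {
        $user = _url_unescape($user);
        # test each group squid sent in its request; first match wins
        foreach $group (@groups) {
            $group = _url_unescape($group);
            $ans = check($user, $group);
            last if $ans eq 'OK';
        }
    }
    debug("Sending $ans to squid");
    print "$ans\n";
}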