Updating wbinfo_group.pl

From: Lars Roland <lroland@dont-contact.us>
Date: Tue, 30 Nov 2004 13:33:37 +0100

Hi all

I am not sure if this is the intended behaviour, but if you create an
external file to insert windows groups in, then wbinfo_group.pl only
checks if the user is in the first group in the file and ignores the
rest. I have updated wbinfo_group.pl to check if the user is in any of
the remaining groups.

The script works on newline separated quoted groups in an external
file: So if you have the following acls in squid.conf

external_acl_type nt_group %LOGIN /usr/lib/squid/wbinfo_group.pl
acl AllowedWindowsGroups external nt_group
"/etc/squid/acls/allowed-windows-groups"

then /etc/squid/acls/allowed-windows-groups could look like this:

 "Domain Users"
 "TerminalUsers"
 "Domain Admins"

Please note that I do not escape the whitespace in the group names,
also the groups have to be included in "" (double quotes) and they
must be separated by a newline.

The code comes next, hope that somebody can make use of it.

#!/usr/bin/perl -w
#
# external_acl helper to Squid to verify NT Domain group
# membership using wbinfo
#
# This program is put in the public domain by Jerry Murdock
# <jmurdock@itraktech.com>. It is distributed in the hope that it will
# be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Author:
# Jerry Murdock <jmurdock@itraktech.com> and
# Lars Roland <lroland@gmail.com>
#
# Version history:
# 2002-07-05 Jerry Murdock <jmurdock@itraktech.com>
# Initial release
#
# 2004-30-11 Lars Roland <lroland@gmail.com>
# Updated to work on multiple groups

# Disable output buffering
$|=1;

sub debug {
        # Uncomment this to enable debugging
        # print STDERR "@_\n";
}

#
# Check if a user belongs to a group
#
sub check {
        local($user, $group) = @_;
        $groupSID = `wbinfo -n "$group"`;
        chop $groupSID;
        $groupGID = `wbinfo -Y "$groupSID"`;
        chop $groupGID;
        &debug( "User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
        return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
        return 'ERR';
}

#
# Main loop
#
while (<STDIN>) {
        chop;
        &debug ("Got $_ from squid");
        if( $_ =~ /^"?([^"]+)"? / ) {
                $user = $1;
        }
        if( $_ =~ /(( "?\\"[^"]+\\""?)+)/i ) {
                $groups = $1;
        }
        s/"\\/\\/g for $groups;
        s/""/"/g for $groups;
        s/\\ / /g for $groups;
        $groups = substr($groups, 3, length($groups)-5);
        @groups = split /\\" \\"/, $groups;
        foreach $group(@groups) {
                $ans = &check($user, $group);
                last if($ans eq 'OK');
        }
        &debug ("Sending $ans to squid");
        print "$ans\n";
}
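The following is an added example, not part of Lars' post or the Squid sources: a Python re-implementation of the helper's input handling that makes the behaviour change testable offline. It assumes the request-line format the Perl regexes above expect (the login name followed by one double-quoted field per ACL-file line, with the quotes from the ACL file itself escaped as `\"`), and it replaces the `wbinfo -n` / `-Y` / `-r` sequence with an injected lookup callable and a constructed membership table. Malformed input yields `ERR`, so the helper fails closed, and `only_first_group=True` reproduces the first-group-only behaviour the post describes as the bug.

```python
"""Offline model of wbinfo_group.pl's request handling (added example).

Assumptions (constructed for this example, not taken from Squid):
  * One request per line: <user> "\"<group>\"" "\"<group>\"" ...
  * Membership is answered by a callable instead of the real wbinfo.
"""
import shlex


def parse_helper_line(line):
    """Split a helper request line into (user, [group, ...]).

    shlex in POSIX mode handles the double quoting and the \\" escapes.
    The ACL file wraps each group name in its own quotes, so those are
    stripped after tokenising.  Returns (None, []) on malformed input so
    the caller can fail closed instead of guessing.
    """
    try:
        fields = shlex.split(line.rstrip("\n"))
    except ValueError:                  # unbalanced quotes
        return None, []
    if len(fields) < 2:                 # need a user and at least one group
        return None, []
    user, raw_groups = fields[0], fields[1:]
    groups = []
    for raw in raw_groups:
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            raw = raw[1:-1]             # drop the ACL file's own quotes
        if raw:
            groups.append(raw)
    return user, groups


def decide(line, is_member, only_first_group=False):
    """Return 'OK' if the user belongs to any listed group, else 'ERR'.

    is_member(user, group) stands in for the wbinfo lookups of the Perl
    script.  only_first_group=True models the pre-patch behaviour in
    which only the first group of the file was consulted.
    """
    user, groups = parse_helper_line(line)
    if user is None or not groups:
        return "ERR"                    # fail closed on bad input
    candidates = groups[:1] if only_first_group else groups
    return "OK" if any(is_member(user, g) for g in candidates) else "ERR"


# Constructed membership table standing in for the Winbind lookups.
MEMBERSHIP = {
    "alice": {"Domain Users"},
    "bob": {"Domain Admins"},
    "carol": {"Guests"},
}


def table_lookup(user, group):
    """Constructed replacement for wbinfo -n / -Y / -r."""
    return group in MEMBERSHIP.get(user, set())


# Constructed request line carrying the three groups of the ACL file above.
SAMPLE_LINE = 'bob "\\"Domain Users\\"" "\\"TerminalUsers\\"" "\\"Domain Admins\\""'

if __name__ == "__main__":
    print(parse_helper_line(SAMPLE_LINE))
    print(decide(SAMPLE_LINE, table_lookup))                         # OK
    print(decide(SAMPLE_LINE, table_lookup, only_first_group=True))  # ERR
```

The membership callable is the seam where a real helper would call wbinfo; passing the user and group as an argument list rather than interpolating them into a shell command string keeps client-supplied login names from reaching a shell.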
Received on Tue Nov 30 2004 - 05:33:39 MST