#!/usr/bin/perl -w
#
# external_acl helper to Squid to verify NT Domain group
# membership using "net ads user info"
#
# This program is put in the public domain by Jerry Murdock 
# <jmurdock@itraktech.com>. It is distributed in the hope that it will
# be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
# of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
#
# Author:
#   Jerry Murdock <jmurdock@itraktech.com>
#
# Version history:
#   2002-07-05 Jerry Murdock <jmurdock@itraktech.com>
#		Initial release
#
#   2005-07-05 Joe Cooper <joe@swelltech.com>
#		converted to net ads use from wbinfo, which broke for
#		some reason

# external_acl uses shell style lines in it's protocol
require 'shellwords.pl';

# Disable output buffering
$|=1;           

# User and password for net ads commands
$adsuser="user";
$adspass="password";

sub debug {
	# Uncomment this to enable debugging
	#print STDERR "@_\n";
}

#
# Check if a user belongs to a group
#
sub check {
        local($user, $group) = @_;
        &debug ("Got user: $user and group: $group");
	($domain, $user) = split(/\\/, $user);
	&debug ("Now user: $user and domain: $domain");
        return 'OK' if(`net ads user info \Q$user\E -U$adsuser%$adspass`  =~ /^$group$/m);
        return 'ERR';
}

#
# Main loop
#
while (<STDIN>) {
        chop;
	&debug ("Got $_ from squid");
        ($user, $group) = &shellwords;
	$ans = &check($user, $group);
	&debug ("Sending $ans to squid");
	print "$ans\n";
}