Re: [squid-users] NTML_AUTH and groups

From: Jerry Murdock <jmurdock@dont-contact.us>
Date: Thu, 4 Jul 2002 10:40:08 -0400

Here is my perl NT group authenticator for external_acl and winbind. It
uses wbinfo to talk to winbind.

I consider this very quick and dirty proof of concept code, but it works w/o
problems at one 100 user site. Probably not appropriate for really high
volumes with the overhead of the external calls out to wbinfo.

A "real" version would need to handle multiple groups, real error checks,
etc but maybe this will do until a real authenticator is released.

With external_acl and winbind auth a reality now, I'll need to come up with
a new squid wish list.

Jerry

==============
in squid.conf:
==============
external_acl_type wb_group %LOGIN /path/to/wb_group.pl

acl FullAccess external wb_group Internet
acl RestrictedAccess external wb_group "Restricted Internet"

============
wb_group.pl:
============
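#!/usr/bin/perl -w
# current Perl releases no longer ship shellwords.pl; Text::ParseWords provides shellwords()
use Text::ParseWords;

$|=1;   # unbuffered output: squid waits for each answer line

@ARGV = "-";   # always read requests from stdin

while (<>) {
        chomp;
        &debug ("Got $_ from squid");
        # request line is: login group (a group name containing spaces arrives quoted)
        ($user, $group) = shellwords($_);
        $ans = &check($user, $group);
        &debug ("Sending $ans to squid");
        print "$ans\n";
}

sub check {
        local($user, $group) = @_;
        # $group is interpolated into a shell command line; it comes from squid.conf
        $groupSID = `wbinfo -n "$group"`;
        chop $groupSID;
        $groupGID = `wbinfo -Y $groupSID`;
        chop $groupGID;
        &debug("User: -$user-\nGroup: -$group-\nSID: -$groupSID-\nGID: -$groupGID-");
        # fail closed: with an empty GID the test below becomes /^$/m, which matches empty wbinfo output
        return 'ERR' unless $groupGID =~ /^\d+$/;
        return 'OK' if(`wbinfo -r \Q$user\E` =~ /^$groupGID$/m);
        return 'ERR';
}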

sub debug {
        print STDERR "@_\n";
}

----- Original Message -----
From: "Henrik Nordström" <hno@marasystems.com>
To: "Federico Lombardo" <egopfe@hotmail.com>; <squid-users@squid-cache.org>
Sent: Thursday, July 04, 2002 8:55 AM
Subject: Re: [squid-users] NTML_AUTH and groups

> A group acl helper using winbind to plug into the external_acl scheme is
> reportedly under development.
>
> Until then, you will need to define your groups in squid.conf.
>
> acl user_group1 proxy_auth "/path/to/file/listing/users/in/group1"
> acl user_group2 proxy_auth "/path/to/file/listing/users/in/group2"
> ...
>
> or if you prefer to list the usernames within squid.conf
>
> acl user_group1 proxy_auth login1 login2 login3 ....
>
> Regards
> Henrik
>
> Federico Lombardo wrote:
> > Is it possible to authenticate groups with ntlm_auth?
> >
> > I've realized that the correct acl to make it work is like this:
> >
> > acl NTLM proxy_auth REQUIRED
> >
> > How can I make what I want to do possible?
> >
> > Must I write an ACL per user?
> >
> > I know that with smb_auth I solve this problem, but I've the issue that I
> > want to eliminate the users-breakers pop-up with username and password,
> > which I do with ntlm_auth.
Received on Thu Jul 04 2002 - 08:40:22 MDT
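
The post notes that a "real" version would need multiple groups and real error checks. The following is an added example, not code from the original post or from the Squid project: it runs wbinfo without a shell, denies whenever a lookup fails, and accepts several groups per request. The `$LOOKUP` hook, the `--demo` switch, the sample account and SID data, and the assumption that extra groups arrive as further words on the request line are all constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (not the poster's script): shell-free, fail-closed group check.
use strict;
use warnings;
use Text::ParseWords qw(shellwords);
# Run wbinfo from an argument list. No shell parses the command, so quotes,
# backticks or "$(...)" inside a login or group name remain literal data.
sub wbinfo {
    open(my $fh, '-|', 'wbinfo', @_) or return;
    chomp(my @lines = <$fh>);
    close($fh) or return;    # non-zero exit status counts as "no answer"
    return @lines;
}

our $LOOKUP = \&wbinfo;      # hypothetical hook so the demo can stub winbind

sub check {
    my ($user, @groups) = @_;
    return 'ERR' unless defined $user && length $user && @groups;
    # gids the user belongs to; anything that is not a number is discarded
    my %member = map { $_ => 1 } grep { /^\d+$/ } $LOOKUP->('-r', $user);
    return 'ERR' unless %member;    # unknown user or winbind unavailable
    for my $group (@groups) {
        my ($sid) = map { /^(S-[\d-]+)/ ? $1 : () } $LOOKUP->('-n', $group);
        next unless defined $sid;   # group did not resolve: never a match
        my ($gid) = grep { /^\d+$/ } $LOOKUP->('-Y', $sid);
        return 'OK' if defined $gid && $member{$gid};
    }
    return 'ERR';
}

if (@ARGV && $ARGV[0] eq '--demo') {
    # Constructed stand-in for winbind; the SID and gids are made up.
    my %fake = (
        '-r alice'               => ['10000', '10005'],
        '-n Restricted Internet' => ['S-1-5-21-1-2-3-1105 Domain Group (2)'],
        '-Y S-1-5-21-1-2-3-1105' => ['10005'],
    );
    $LOOKUP = sub { @{ $fake{"@_"} || [] } };
    print "$_ => ", check(shellwords($_)), "\n"
        for 'alice "Restricted Internet"', 'alice Internet', 'bob "Restricted Internet"';
    exit 0;
}
$| = 1;                      # Squid reads one answer line per request
while (my $line = <STDIN>) {
    chomp $line;
    print check(shellwords($line)), "\n";
}
```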
