Re: [squid-users] ACL/restriction of OS-version/-type

From: <fra.nospam.nk@dont-contact.us>
Date: Thu, 25 Mar 2004 17:18:58 +0100

Silly me, forgot to attach file!

Sorry,

        Frank

"Frank Fegert" <fra.nospam.nk@gmx.de> wrote on 25.03.04 16:42:56:
>
> Hi all,
>
> > > 2.) Taken from the squid logs the client submits its IP upon each
> > > request. I would resolve the IP to a hostname, and look up if a
> > > workstation object of the same name exists in the ADS by using
> > > ldapsearch. Regarding the use of ldapsearch I would add the code
> > > to squid_ldap_auth.
> >
> > The idea is good, but authentication is the wrong place to add this into.
> >
> > What you should do for implementing this idea is to write a small external
> > helper to Squid which performs only this check. See the external_acl_type
> > directive.
>
> Regarding the above matter, and after taking Henrik's suggestions into account,
> I did the attached ugly hack on the basis of Henrik's squid_ldap_auth.c. I
> used squid_ldap_auth.c because it already had the nasty LDAP connection
> code ;-) The new file is called check_ads_wks_ldap.c and is essentially used
> in the same way as squid_ldap_auth except as an external_acl_type. The
> helper reads an IP from stdin, resolves it, checks the presence of a
> workstation object with the same name in the MS AD and returns OK or ERR.
> To compile and link I used:
>
> gcc -DHAVE_CONFIG_H -I. -I. -I../../../include -I../../../include -g -O2 \
>     -Wall -c check_ads_wks_ldap.c
> gcc -g -O2 -Wall -g -o check_ads_wks_ldap check_ads_wks_ldap.o \
>     -L../../../lib -lmiscutil -lldap -llber -lm -lresolv -lsocket -lnsl
>
> The usage as an external_acl_type would be
>
> external_acl_type ads_wks_ldap %SRC /<path to>/check_ads_wks_ldap \
> -D "<bind dn>" \
> -w "<bind passwd>" \
> -b "<base dn>" \
> -h <MS AD server> \
> -f "(&(memberOf= <container with workstation objects>)(dNSHostName=%s))"
>
> for example.
> Just FYI in case someone else has to do something similar ;-)
>
> Regards,
>
> Frank
>


Received on Thu Mar 25 2004 - 13:09:05 MST
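
The helper flow described in the message above (read a %SRC address from stdin, reverse-resolve it, substitute the name into the `-f` filter, answer OK or ERR), as an added example that is not the attached check_ads_wks_ldap.c or Squid project code. The resolved name is escaped per RFC 4515 before it enters the filter, and every failure answers ERR. `demo_lookup`, the shortened filter `(dNSHostName=%s)` and the host `pc1.example.test` are constructed assumptions standing in for the real LDAP search against the AD server.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Fill the single %s of an LDAP filter template with val, escaping the
 * RFC 4515 specials so a name taken from DNS cannot alter the filter. */
int build_filter(const char *tmpl, const char *val, char *out, size_t len)
{
    size_t o = 0;
    for (const char *t = tmpl; *t; t++) {
        if (t[0] == '%' && t[1] == 's') {
            for (const char *v = val; *v; v++) {
                if (o + 4 > len) return -1;
                if (strchr("*()\\", *v)) o += (size_t)sprintf(out + o, "\\%02x", (unsigned)*v);
                else out[o++] = *v;
            }
            t++;                                  /* skip the 's' */
        } else if (o + 2 > len) return -1;        /* keep room for the NUL */
        else out[o++] = *t;
    }
    if (o < len) out[o] = '\0';
    return o < len ? 0 : -1;
}

/* Reverse-resolve an IPv4 address; NI_NAMEREQD turns a missing PTR into an error. */
int resolve_ip(const char *ip, char *host, size_t len)
{
    struct sockaddr_in sa = { .sin_family = AF_INET };
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) return -1;
    return getnameinfo((struct sockaddr *)&sa, sizeof sa, host, len, NULL, 0, NI_NAMEREQD) ? -1 : 0;
}

/* Constructed stand-in (assumption) for the LDAP search the real helper would run. */
static int demo_lookup(const char *f) { return !strcmp(f, "(dNSHostName=pc1.example.test)"); }

int main(void)
{
    char line[64], host[1025], flt[1024];
    while (fgets(line, sizeof line, stdin)) {     /* Squid sends one %SRC per line */
        line[strcspn(line, " \r\n")] = '\0';
        int ok = resolve_ip(line, host, sizeof host) == 0 &&
                 build_filter("(dNSHostName=%s)", host, flt, sizeof flt) == 0 && demo_lookup(flt);
        puts(ok ? "OK" : "ERR");                  /* any failure denies */
        fflush(stdout);                           /* Squid waits for each reply */
    }
    return 0;
}
```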
