Re: [squid-users] External Script for checks

From: Stefan Dengscherz <stefan.dengscherz_at_gmail.com>
Date: Thu, 8 Oct 2009 20:29:06 +0200

Hello Henrik,

Sorry - I've posted the script off-list. Here we go:

---8<---
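#!/usr/bin/perl -w

# Unbuffered output: Squid waits for one reply line per request line.
$|=1;

while (<STDIN>) {
 chomp;   # strip only the trailing newline; $_ is the client IP (%SRC)
 # Read Winlogon\DefaultUserName from the client's registry via winexe.
 $user = `winexe -U xxx%yyy //$_ "reg query \\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\"" 2>&1 | grep " DefaultUserName" | awk '{print \$3}'`;
 chomp $user;   # drop the newline left by awk
 $now = localtime;
 if ($user eq "") {
   print STDERR "$now SQUIDAUTH: ip=$_,user=none\n";
   print "OK user=none\n";
 }
 else {
   print STDERR "$now SQUIDAUTH: ip=$_,user=$user\n";
   print "OK user=$user\n";
 }
}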
---8<---

It is embedded into squid with this line:

---8<---
external_acl_type exauthuser ttl=600 %SRC /opt/squidtools/auth.pl
---8<---

As you can see, squid basically "fingers" the currently logged on user
from the registry using winexe (http://eol.ovh.org/winexe/). Keep in
mind this is a hack rather than a real authentication - it
won't even deny unknown users (and every local machine admin can
impersonate other users by changing the registry key)! Still, it does
the job for me very well and better than clumsy authentication
against the AD via NTLM/Kerberos/LDAP.

Regards,

-sd

2009/10/5 Henrik Nordstrom <henrik_at_henriknordstrom.net>:
> Fri 2009-10-02 at 11:42 +0200, Stefan Dengscherz wrote:
>
>> I'm using 'external_acl_type' with a homebrew script to look up remote
>> user ids via the windows registry at the moment because NTLM and
>> Kerberos did not work well in my environment.
>
> Interesting. Can you provide more information on the script you wrote?
>
> Regards
> Henrik
>
>
Received on Thu Oct 08 2009 - 18:29:14 MDT
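
A hardened variant of the helper posted above, as an added example that is not part of the original post: it validates the %SRC value before it reaches winexe, runs winexe without a shell, treats the registry value as untrusted, and answers ERR (the ACL does not match) when no user is found. Assumptions: the same placeholder credentials as in the post, a `reg query` output line of the form `DefaultUserName  REG_SZ  <name>`, and a hypothetical user-name character set.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # Squid expects one unbuffered reply line per request line

# Assumption: same placeholder credentials as in the original post.
my $CRED = 'xxx%yyy';
my $KEY  = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';

# Accept only a dotted-quad IPv4 address; anything else never reaches winexe.
sub valid_ip {
    my ($ip) = @_;
    return 0 unless $ip =~ /\A([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\z/;
    return !grep { $_ > 255 } ($1, $2, $3, $4);
}

# Pull DefaultUserName out of "reg query" output. The value is controlled by
# the client machine, so only a conservative character set (an assumption
# of this example) is passed on to Squid.
sub parse_user {
    my ($out) = @_;
    return $out =~ /^\s+DefaultUserName\s+REG_SZ\s+([A-Za-z0-9._-]{1,64})\s*$/m ? $1 : undef;
}

sub lookup {
    my ($ip) = @_;
    # List-form pipe open: no shell is involved, $ip is a single argv entry.
    open(my $fh, '-|', 'winexe', '-U', $CRED, "//$ip", qq{reg query "$KEY"})
        or return undef;
    local $/;    # slurp the whole output
    my $out = <$fh>;
    close($fh);
    return parse_user($out // '');
}

while (my $line = <STDIN>) {
    chomp $line;
    my $user = valid_ip($line) ? lookup($line) : undef;
    my $now  = localtime;
    if (defined $user) {
        print STDERR "$now SQUIDAUTH: ip=$line,user=$user\n";
        print "OK user=$user\n";
    } else {
        print STDERR "$now SQUIDAUTH: ip=$line,user=none\n";
        print "ERR\n";    # ACL does not match, instead of "OK user=none"
    }
}
```

This does not change the limitation stated in the post: the user name still comes from a registry key that a local administrator on the client can rewrite.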
