Silly me, forgot to attach file!
Sorry,
Frank
"Frank Fegert" <[EMAIL PROTECTED]> schrieb am 25.03.04 16:42:56:
>
> Hi all,
>
> > > 2.) Taken from the squid logs the client submits its IP upon each
> > > request. I would resolve the IP to a hostname, and look up if a
> > > workstation object of the same name exists in the ADS by using
> > > ldapsearch. Regarding the use of ldapsearch i would add the code
> > > to squid_ldap_auth.
> >
> > The idea is good, but authentication is the wrong place to add this into.
> >
> > What you should do for implementing this idea is to write a small external
> > helper to Squid which performs only this check. See the external_acl_type
> > directive.
>
> regarding the above matter and after taking Henrik's suggestions into account,
> i did the attached ugly hack on the base of Henriks squid_ldap_auth.c. I
> used squid_ldap_auth.c because it already had the nasty LDAP connection
> code ;-) The new file is called check_ads_wks_ldap.c and is essentially used
> in the same way as squid_ldap_auth except as an external_acl_type. The
> helper reads an IP from stdin, resolves it, checks the presence of a work-
> station object with same name in the MS AD and returns OK or ERR.
> To compile and link i used:
>
> gcc -DHAVE_CONFIG_H -I. -I. -I../../../include -I../../../include -g -O2
> -Wall -c check_ads_wks_ldap.c
> gcc -g -O2 -Wall -g -o check_ads_wks_ldap check_ads_wks_ldap.o
> -L../../../lib -lmiscutil -lldap -llber -lm -lresolv -lsocket -lnsl
>
> The usage as an external_acl_type would be
>
> external_acl_type ads_wks_ldap %SRC /<path to>/check_ads_wks_ldap \
> -D "<bind dn>" \
> -w "<bind passwd>" \
> -b "<base dn>" \
> -h <MS AD server> \
> -f "(&(memberOf= <container with workstation
> objects>)(dNSHostName=%s))"
>
> for example.
> Just FYI in case someone else has to do something similar ;-)
>
> Regards,
>
> Frank
>
> --
> +++ NEU bei GMX und erstmalig in Deutschland: TÜV-geprüfter Virenschutz +++
> 100% Virenerkennung nach Wildlist. Infos: http://www.gmx.net/virenschutz
>
_____________________________________________________________________
Der WEB.DE Virenschutz schuetzt Ihr Postfach vor dem Wurm Beagle.A-J!
Kostenfrei fuer FreeMail Nutzer. http://f.web.de/?mc=021158
*** check_ads_wks_ldap.c Wed Feb 25 10:32:51 2004
--- squid_ldap_auth.c Thu Mar 25 15:03:51 2004
***************
*** 72,79 ****
#include <stdlib.h>
#include <lber.h>
#include <ldap.h>
- #include <arpa/inet.h>
- #include <netdb.h>
#include "util.h"
--- 72,77 ----
***************
*** 100,106 ****
static int use_tls = 0;
static int version = -1;
! static int checkLDAP(LDAP * ld, const char *userid);
static int readSecret(const char *filename);
/* Yuck.. we need to glue to different versions of the API */
--- 98,104 ----
static int use_tls = 0;
static int version = -1;
! static int checkLDAP(LDAP * ld, const char *userid, const char *password);
static int readSecret(const char *filename);
/* Yuck.. we need to glue to different versions of the API */
***************
*** 192,198 ****
main(int argc, char **argv)
{
char buf[256];
! char *ip_addr;
char *ldapServer = NULL;
LDAP *ld = NULL;
int tryagain;
--- 190,196 ----
main(int argc, char **argv)
{
char buf[256];
! char *user, *passwd;
char *ldapServer = NULL;
LDAP *ld = NULL;
int tryagain;
***************
*** 388,415 ****
exit(1);
}
while (fgets(buf, 256, stdin) != NULL) {
! //
! // Read IP-address from stdin
! //
! ip_addr = strtok(buf, " \r\n");
! if (!ip_addr) {
printf("ERR\n");
continue;
}
!
! //
! // Translate the IP-address into a hostname
! //
! struct hostent *hp = NULL;
! struct in_addr addr;
!
! addr.s_addr = inet_addr(ip_addr);
! if ( (hp = gethostbyaddr((char *) &addr, 4, AF_INET)) == NULL) {
! printf("ERR\n");
! continue;
! }
!
tryagain = 1;
recover:
if (ld == NULL) {
--- 386,400 ----
exit(1);
}
while (fgets(buf, 256, stdin) != NULL) {
! user = strtok(buf, " \r\n");
! passwd = strtok(NULL, "\r\n");
! if (!user || !passwd || !passwd[0]) {
printf("ERR\n");
continue;
}
! rfc1738_unescape(user);
! rfc1738_unescape(passwd);
tryagain = 1;
recover:
if (ld == NULL) {
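Review bot: The reverse-lookup result `hp->h_name` is used as-is for the ACL decision, but a PTR record is set by whoever runs the reverse zone for that address, so the name should be forward-confirmed before it is trusted: resolve it back with `gethostbyname()` and answer ERR unless one of the returned addresses equals `addr`. In the same stretch `inet_addr(ip_addr)` is never checked for `INADDR_NONE`, so a malformed token still reaches `gethostbyaddr()`, and `sizeof addr` is clearer than the literal `4`. Because `gethostbyname()` may reuse the same static result buffer as `gethostbyaddr()`, the name has to be copied into a local buffer first, and the later `checkLDAP(ld, hp->h_name)` call (next hunk) should then pass that copy. This diff is reversed — the helper's new code is on the `***`/`!` side — and the enclosing `main` loop starts before and ends after the hunk.
```c
    addr.s_addr = inet_addr(ip_addr);
    if (addr.s_addr == INADDR_NONE) {
        printf("ERR\n");
        continue;
    }
    if ((hp = gethostbyaddr((char *) &addr, sizeof addr, AF_INET)) == NULL) {
        printf("ERR\n");
        continue;
    }
    /* copy first: gethostbyname() may overwrite the static result of gethostbyaddr() */
    char hostname[256];
    snprintf(hostname, sizeof hostname, "%s", hp->h_name);
    /* forward-confirm the PTR name: it must resolve back to the client address */
    struct hostent *fwd = gethostbyname(hostname);
    int confirmed = 0;
    for (char **a = fwd ? fwd->h_addr_list : NULL; a && *a; a++) {
        if (memcmp(*a, &addr, sizeof addr) == 0) {
            confirmed = 1;
            break;
        }
    }
    if (!confirmed) {
        printf("ERR\n");
        continue;
    }
    /* … unchanged: tryagain = 1; recover: … (pass hostname, not hp->h_name, to checkLDAP) */
```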
***************
*** 469,475 ****
squid_ldap_set_referrals(ld, !noreferrals);
squid_ldap_set_aliasderef(ld, aliasderef);
}
! if (checkLDAP(ld, hp->h_name) != 0) {
if (tryagain && squid_ldap_errno(ld) != LDAP_INVALID_CREDENTIALS) {
tryagain = 0;
ldap_unbind(ld);
--- 454,460 ----
squid_ldap_set_referrals(ld, !noreferrals);
squid_ldap_set_aliasderef(ld, aliasderef);
}
! if (checkLDAP(ld, user, passwd) != 0) {
if (tryagain && squid_ldap_errno(ld) != LDAP_INVALID_CREDENTIALS) {
tryagain = 0;
ldap_unbind(ld);
***************
*** 491,500 ****
}
static int
! checkLDAP(LDAP * ld, const char *userid)
{
char dn[256];
if (searchfilter) {
char filter[256];
LDAPMessage *res = NULL;
--- 476,491 ----
}
static int
! checkLDAP(LDAP * ld, const char *userid, const char *password)
{
char dn[256];
+ if (!*password) {
+ /* LDAP can't bind with a blank password. Seen as "anonymous"
+ * and always granted access
+ */
+ return 1;
+ }
if (searchfilter) {
char filter[256];
LDAPMessage *res = NULL;
***************
*** 512,520 ****
}
}
snprintf(filter, sizeof(filter), searchfilter, userid, userid, userid, userid,
userid, userid, userid, userid, userid, userid, userid, userid, userid, userid,
userid);
- printf("FRANK 1: %s\n", ldap_err2string(rc));
rc = ldap_search_s(ld, basedn, searchscope, filter, searchattr, 1, &res);
- printf("FRANK 2: %s\n", ldap_err2string(rc));
if (rc != LDAP_SUCCESS) {
if (noreferrals && rc == LDAP_PARTIAL_RESULTS) {
/* Everything is fine. This is expected when referrals
--- 503,509 ----
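Review bot: The two `printf("FRANK 1/2: ...")` lines write to stdout, which is the stream Squid reads the helper's OK/ERR answers from, so every extra line there corrupts the external_acl protocol and can make Squid pair the wrong reply with a request; if the diagnostics are kept they belong on stderr, e.g. `fprintf(stderr, "ldap_search_s: %s\n", ldap_err2string(rc));`, and should be removed before the helper is deployed. The first of them also prints `rc` before `ldap_search_s()` assigns it, so unless `rc` is set earlier in checkLDAP (not visible in this hunk) it reports a stale or uninitialized value. Since `filter` is built from the resolved hostname with a caller-supplied format and no escaping step is visible in this hunk, a DNS name containing `*`, `(` or `)` would change the meaning of the filter; the value should be escaped per RFC 2254/4515 before the `snprintf`. This diff is reversed — the helper's added lines are on the `***` side — and checkLDAP begins and ends outside the hunk.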
***************
*** 550,555 ****
--- 539,547 ----
snprintf(dn, sizeof(dn), "%s=%s,%s", userattr, userid, basedn);
}
+ if (ldap_simple_bind_s(ld, dn, password) != LDAP_SUCCESS)
+ return 1;
+
return 0;
}