--------------------- PatchSet 5714 Date: 2003/05/02 14:46:47 Author: serassio Branch: nt-2_5 Tag: (none) Log: Updated win32_group External ACL helper to release 1.1 Members: helpers/external_acl/win32_group/readme.txt:1.1.8.4->1.1.8.5 helpers/external_acl/win32_group/win32_check_group.c:1.1.8.10->1.1.8.11 helpers/external_acl/win32_group/win32_check_group.h:1.1.6.2->1.1.6.3 Index: squid/helpers/external_acl/win32_group/readme.txt =================================================================== RCS file: /cvsroot/squid-sf//squid/helpers/external_acl/win32_group/Attic/readme.txt,v retrieving revision 1.1.8.4 retrieving revision 1.1.8.5 diff -u -r1.1.8.4 -r1.1.8.5 --- squid/helpers/external_acl/win32_group/readme.txt 8 Sep 2002 07:34:20 -0000 1.1.8.4 +++ squid/helpers/external_acl/win32_group/readme.txt 2 May 2003 14:46:47 -0000 1.1.8.5 @@ -3,20 +3,22 @@ helper fo the External ACL Scheme for Squid. -This helper must be used in with an authentication scheme, tipcally basic -or NTLM based on Windows NT/2000 domain users. +This helper must be used in with an authentication scheme, tipically +basic or NTLM, based on Windows NT/2000 domain users. It reads from the standard input the domain username and a list of groups -and tries to match it against the groups membership of the specified username. +and tries to match it against the groups membership of the specified +username. ============== Program Syntax ============== -win32_check_group [-Gdh] +win32_check_group [-G][-c][-d][-h] -G start helper in Global Group mode --d enable debug mode +-c use case insensitive compare +-d enable debugging -h this message 
@@ -39,11 +41,21 @@ domain group or member of LProxyUsers machine local group are allowed to use the cache. -Groups with spaces in name must be quoted, for example "Domain Users" +Groups with spaces in name, for example "Domain Users", must be quoted and +the acl data ("Domain Users") must be placed into a separate file included +by specifying "/path/to/file". The previous example will be: + +acl ProxyUsers external NT_global_group "/usr/local/squid/etc/DomainUsers" + +and the DomainUsers files will contain only the following line: + +"Domain Users" NOTES: -- The group name comparation is case sensitive, so group name +- The standard group name comparation is case sensitive, so group name must be specified with same case as in the NT/2000 Domain. + It's possible to enable not case sensitive group name comparation (-c), + but on on some non - English locales, the results can be unexpected. - Native WIN32 NTLM and Basic Helpers must be used without the -a & -d switches. @@ -68,4 +80,5 @@ -- Serassio Guido -squidnt@serassio.it +guido.serassio@acmeconsulting.it + Index: squid/helpers/external_acl/win32_group/win32_check_group.c =================================================================== RCS file: /cvsroot/squid-sf//squid/helpers/external_acl/win32_group/Attic/win32_check_group.c,v retrieving revision 1.1.8.10 retrieving revision 1.1.8.11 diff -u -r1.1.8.10 -r1.1.8.11 --- squid/helpers/external_acl/win32_group/win32_check_group.c 23 Feb 2003 11:40:42 -0000 1.1.8.10 +++ squid/helpers/external_acl/win32_group/win32_check_group.c 2 May 2003 14:46:50 -0000 1.1.8.11 
@@ -1,47 +1,88 @@ /* - * $Id: win32_check_group.c,v 1.1.8.10 2003/02/23 11:40:42 serassio Exp $ + * win32_group: lookup group membership in a Windows NT/2000 domain + * + * (C)2002,2003 Guido Serassio - Acme Consulting S.r.l. + * + * Authors: + * Guido Serassio + * Acme Consulting S.r.l., Italy + * + * With contributions from others mentioned in the change history section + * below. + * + * In part based on check_group by Rodrigo Albani de Campos. + * + * Dependencies: Windows NT4 SP4 and later. + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. + * + * History: + * + * Version 1.10 + * 01-05-2003 Guido Serassio + * Added option for case insensitive group name comparation. + * More debug info. + * Updated documentation. + * Segfault bug fix (Bugzilla #574) + * Version 1.0 + * 24-06-2002 Guido Serassio + * Using the main function from check_group and sections + * from wbinfo wrote win32_group * * This is a helper for the external ACL interface for Squid Cache - * Copyright (C) 2002 Guido Serassio - * Based on previous work of Rodrigo Albani de Campos * - * It reads from the standard input the domain username and a list of groups - * and tries to match it against the groups membership of the specified username. 
- * Returns `OK' if the user belongs to a group or `ERR' otherwise, as - * described on http://devel.squid-cache.org/external_acl/config.html + * It reads from the standard input the domain username and a list of + * groups and tries to match it against the groups membership of the + * specified username. * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. + * Returns `OK' if the user belongs to a group or `ERR' otherwise, as + * described on http://devel.squid-cache.org/external_acl/config.html * */ -#include "squid.h" -#if defined(_SQUID_CYGWIN_) +#include "config.h" +#ifdef _SQUID_CYGWIN_ #include #endif +#if HAVE_STDIO_H +#include +#endif +#if HAVE_CTYPE_H +#include +#endif +#ifdef HAVE_STRING_H +#include +#endif +#if HAVE_GETOPT_H +#include +#endif #undef assert #include #include #include #include +#include "util.h" + #define BUFSIZE 8192 /* the stdin buffer size */ int use_global = 0; char debug_enabled = 0; char *myname; pid_t mypid; char * machinedomain; +int use_case_insensitive_compare=0; #include "win32_check_group.h" 
@@ -210,7 +251,7 @@ MultiByteToWideChar(CP_ACP, 0, *array, strlen(*array) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0])); debug("Windows group: %S, Squid group: %S\n", str, wszGroup); - if (wcscmp(str, wszGroup) == 0) + if ((use_case_insensitive_compare ? _wcsicmp(str, wszGroup) : wcscmp(str, wszGroup)) == 0) return 0; array++; } @@ -318,7 +359,7 @@ } else { strcpy(User, domain_qualify + 1); domain_qualify[0] = '\0'; - _strlwr(NTDomain); + strlwr(NTDomain); } /* Convert ANSI User Name and Group to Unicode */ @@ -407,9 +448,10 @@ static void usage(char *program) { - fprintf(stderr,"Usage: %s [-d][-G][-h]\n" - " -d enable debugging\n" + fprintf(stderr,"Usage: %s [-G][-c][-d][-h]\n" " -G enable Domain Global group mode\n" + " -c use case insensitive compare\n" + " -d enable debugging\n" " -h this message\n", program); } @@ -420,11 +462,14 @@ int opt; opterr = 0; - while (-1 != (opt = getopt(argc, argv, "Gdh"))) { + while (-1 != (opt = getopt(argc, argv, "Gcdh"))) { switch (opt) { case 'G': use_global = 1; break; + case 'c': + use_case_insensitive_compare = 1; + break; case 'd': debug_enabled = 1; break; @@ -476,11 +521,15 @@ fprintf(stderr, "%s Can't read machine domain\n", myname); exit(1); } - _strlwr(machinedomain); + strlwr(machinedomain); } debug("External ACL win32 group helper build " __DATE__ ", " __TIME__ " starting up...\n"); + if (use_global) + debug("Domain Global group mode enabled.\n"); + if (use_case_insensitive_compare) + debug("Warning: running in case insensitive mode !!!\n"); /* Main Loop */ while (fgets (buf, BUFSIZE, stdin)) 
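Review bot: The group comparison changed in the `@@ -210,7 +251,7 @@` hunk is the authorization decision, and with `-c` it now goes through `_wcsicmp` with no comment saying that the match is loosened or how case is folded. As far as I know `_wcsicmp` folds case according to the C runtime locale, and no `setlocale` call is visible in these hunks, so non-ASCII group names may still fail to match in `-c` mode, which is consistent with the locale caveat the readme hunk adds. I would put `/* -c: access-control match ignores case; folding follows the CRT locale, non-ASCII names may not match */` above the `if`. The `MultiByteToWideChar` call on the context line above has no visible return-value check, so a group name that fails to convert would be compared against whatever `wszGroup` then holds. The enclosing function starts and ends outside the hunk, so confirm this against the full body.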
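Review bot: In the `@@ -318,7 +359,7 @@` hunk, `strcpy(User, domain_qualify + 1);` on the context line above the changed `strlwr(NTDomain)` call copies a request-derived user name with no length check visible in the hunk. The request buffer is `BUFSIZE` (8192) bytes, and the declaration of `User` is outside the hunk, so whether it can hold a name of that length needs confirming. If it cannot, a bounded copy that rejects over-long names is the safer form, e.g. `if (strlen(domain_qualify + 1) >= sizeof(User)) return 0;` before the copy, assuming `User` is an array and that a zero return means "no match" here as it does in the group loop.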
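Review bot: The case-insensitive warning added before the main loop in the `@@ -476,11 +521,15 @@` hunk goes through `debug()`, which appears to print only when `-d` sets `debug_enabled`. An operator who starts the helper with `-c` alone would then get no startup record that group matching has been relaxed. The same block already reports the machine-domain failure with `fprintf(stderr, ...)`, so I would log this one unconditionally: `fprintf(stderr, "%s Warning: running in case insensitive mode\n", myname);`. The `debug()` definition lives in the header and is not shown here, so the gating is inferred rather than confirmed.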
@@ -511,6 +560,11 @@ groups[n] = group; groups[n] = NULL; + if (NULL == username) { + fprintf(stderr, "Invalid Request\n"); + goto error; + } + if ((use_global ? Valid_Global_Groups(username, groups) : Valid_Local_Groups(username, groups))) { printf ("OK\n"); } else { Index: squid/helpers/external_acl/win32_group/win32_check_group.h =================================================================== RCS file: /cvsroot/squid-sf//squid/helpers/external_acl/win32_group/Attic/win32_check_group.h,v retrieving revision 1.1.6.2 retrieving revision 1.1.6.3 diff -u -r1.1.6.2 -r1.1.6.3 --- squid/helpers/external_acl/win32_group/win32_check_group.h 22 Sep 2002 11:40:25 -0000 1.1.6.2 +++ squid/helpers/external_acl/win32_group/win32_check_group.h 2 May 2003 14:46:50 -0000 1.1.6.3 @@ -1,5 +1,5 @@ /* - * (C) 2002 Guido Serassio + * (C) 2002 Guido Serassio * Based on previous work of Francesco Chemolli, Robert Collins and Andrew Doran * * Distributed freely under the terms of the GNU General Public License, @@ -29,6 +29,8 @@ #include +#define safe_free(x) if (x) { free(x); x = NULL; } + /* Debugging stuff */ #ifdef __GNUC__ /* this is really a gcc-ism */
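Review bot: The new NULL-`username` branch in the `@@ -511,6 +560,11 @@` hunk jumps to `error`, a label outside the hunk, so it is not visible whether that path writes an `ERR` line to stdout. An external ACL helper is expected to answer every request line, and a missing reply would leave the helper and Squid out of step on later lookups. Please confirm the label prints `ERR`, and consider `fprintf(stderr, "%s Invalid Request\n", myname);` so the message carries the helper name like the machine-domain error does. The check covers only a NULL pointer; an empty user name still reaches `Valid_Global_Groups`/`Valid_Local_Groups`, whose handling of it is not shown.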
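Review bot: The `safe_free` macro added to win32_check_group.h expands to a bare `if` statement with an unparenthesized argument, so it is unsafe inside an unbraced `if`/`else`, where it either fails to compile or captures the `else`. I would wrap it as `#define safe_free(x) do { if (x) { free(x); (x) = NULL; } } while (0)`. Since `free(NULL)` is a no-op, the inner test could also be dropped. The call sites are outside the visible hunks, so whether any of them is affected today is not known from here.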