--------------------- PatchSet 1121 Date: 2001/01/06 17:06:45 Author: hno Branch: nt-2_4 Tag: (none) Log: Ported changes from nt-2_3 Members: Readme.txt:1.1->1.1.4.1 WIN32-ChangeLog.txt:1.1->1.1.4.1 auth_modules/LDAP/squid_ldap_auth.c:1.1.1.1->1.1.1.1.44.1 auth_modules/NCSA/ncsa_auth.c:1.1.1.1->1.1.1.1.52.1 auth_modules/NT/Makefile.in:1.1->1.1.4.1 auth_modules/NT/NT_auth.c:1.1->1.1.4.1 auth_modules/NT/Readme.txt:1.1->1.1.4.1 auth_modules/NT/valid.c:1.1->1.1.4.1 auth_modules/NT/valid.h:1.1->1.1.4.1 --- /dev/null Wed Feb 14 00:45:56 2007 +++ squid/Readme.txt Wed Feb 14 00:48:05 2007 
@@ -0,0 +1,55 @@ +Free Squid NT 2.3 STABLE 4 for Windows NT 4 + +(native port of Squid 2.3 STABLE 4, plus 21/12/2000 tarball update and many NT service enhancement, +derived from the Harvest project) + +Current features: + + Run as a native Windows NT Service (No CygWin Unix emulation, compiled with MS VC 6.0) + Use PSAPI.LIB for rusage emulation + Internal DNS looks in registry for configured DNS, resolv.conf no more needed + External DNS helper run as a DLL plug-in and use internal NT DNS resolver, so hosts file if used. + All squid -k switches (check, debug, interrupt, kill, parse, reconfigure, rotate, shutdown) works + Native Windows NT Authenticator working as DLL plug-in, is possible to authenticante aginst a single NT Server, a + single or a trusted NT Domain. User access allowed by NT User Group membership + NCSA Authenticator working as DLL plug-in + Working htpasswd and chhpasswd.cgi for NCSA password support + LDAP Authenticator working as DLL plug-in (NOT YET TESTED !!!) + Working Cachemgr CGI interface + Code Merged with main Head 21/12/2000 tarball + Buffered Disk I/O + +Current ChangeLog + + Install: + Edit the squid.conf + Manually create logs directory, etc. + squid -z (creates the cache directories) + squid -i (installs the SquidNT2.3Stable4 beta service) + + Authenticators configuration: + Edit the squid.conf + Specify the FULL DLL path (with .dll suffix) in the authenticate_program directive plus the correct parameter - + See the original authenticator documentation + + External DNS Helper Plug-in configuration: + Edit the squid.conf + Specify the FULL DLL path (with .dll suffix) in the cache_dns_program directive + + Uninstall: + squid -r (removes the SquidNT2.3Stable4 beta service) + + Usage: + Start: Control Panel/Services: choose "Start" for the "SquidNT2.3Stable4 beta" service. + Stop: Control Panel/Services: choose "Stop" for the "SquidNT2.3Stable4 beta" service. + squid -h Print help message. 
+ squid -k reconfigure | rotate | shutdown | interrupt | kill | debug | check + Send signal to running copy and exit. + squid -v Print version. + +The results of the rest of the (original) cmdline switches is undeterminate (for the moment). + +No warranties of any kind. No time for support, sorry. Use at your own risk. + +Original Port and some enhancements by Romeo Anghelache (see the ChangeLog) + --- /dev/null Wed Feb 14 00:45:56 2007 +++ squid/WIN32-ChangeLog.txt Wed Feb 14 00:48:05 2007 
@@ -0,0 +1,20 @@ +Squid 2.3 Stable 4 for WIN32 Change Log + + +16 Nov 2000 - Initial WIN32 port (Romeo Angelache) +03 Dec 2000 - Added more service functionality, so squid -k works (Guido Serassio) + - Added PSAPI.LIB for rusage emulation (Guido Serassio) + - Merged with 21/11/2000 main Head tarball (Guido Serassio) + - Internal DNS looks in registry for configured DNS (Guido Serassio) + - Added WIN32 EXE file version information (Guido Serassio) +06 Dec 2000 - cachemgr.exe done (Romeo Anghelache) + - patched comm_select to handle service_not_available in win32 (Romeo Anghelache) +09 Dec 2000 - Fixed a problem with log files rotate (Guido Serassio) + - Added native Windows NT Authenticator working as DLL (Guido Serassio) +10 Dec 2000 - Added NCSA Authenticator working as DLL (Guido Serassio) + - Added crypt function to source (Guido Serassio) + - Ported htpasswd and chhpasswd.cgi for NCSA password support (Guido Serassio) + - Added dnsserver helper running as DLL (Guido Serassio) +11 Dec 2000 - Added LDAP Authenticator working as DLL - NOT YET TESTED !!! (Guido Serassio) +14 Dec 2000 - Disk I/O is now buffered (Romeo Anghelache) +21 Dec 2000 - Merged with 21/12/2000 main Head tarball (Guido Serassio) Index: squid/auth_modules/LDAP/squid_ldap_auth.c =================================================================== RCS file: /cvsroot/squid-sf//squid/auth_modules/LDAP/Attic/squid_ldap_auth.c,v retrieving revision 1.1.1.1 retrieving revision 1.1.1.1.44.1 diff -u -r1.1.1.1 -r1.1.1.1.44.1 --- squid/auth_modules/LDAP/squid_ldap_auth.c 26 Jan 2000 03:25:00 -0000 1.1.1.1 +++ squid/auth_modules/LDAP/squid_ldap_auth.c 6 Jan 2001 17:06:45 -0000 1.1.1.1.44.1 
@@ -1,106 +1,170 @@ /* - - squid_ldap_auth: authentication via ldap for squid proxy server - - Author: Glen Newton - glen.newton@nrc.ca - Advanced Services - CISTI - National Research Council - - Usage: squid_ldap_auth - - Dependencies: You need to get the OpenLDAP libraries - from http://www.openldap.org - - License: squid_ldap_auth is free software; you can redistribute it - and/or modify it under the terms of the GNU General Public License - as published by the Free Software Foundation; either version 2, - or (at your option) any later version. + * + * squid_ldap_auth: authentication via ldap for squid proxy server + * + * Author: Glen Newton + * glen.newton@nrc.ca + * Advanced Services + * CISTI + * National Research Council + * + * Usage: squid_ldap_auth + * + * Dependencies: You need to get the OpenLDAP libraries + * from http://www.openldap.org + * + * License: squid_ldap_auth is free software; you can redistribute it + * and/or modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2, + * or (at your option) any later version. */ +#include "squid.h" +#undef sprintf #include -#include +#ifdef _SQUID_MSWIN_ +#include +#else #include #include #include +#endif + +typedef struct { + void *data; + acl_proxy_auth_user *auth_user; + RH *handler; +} authenticateStateData; + /* Change this to your search base */ #define SEARCHBASE "ou=people,o=nrc.ca" -int checkLDAP( LDAP *ld, char *userid, char *password); +int checkLDAP(LDAP * ld, char *userid, char *password); + +#ifdef _SQUID_MSWIN_ -int main(int argc, char **argv) +static char *ldapServer = NULL; + +BOOL APIENTRY DllMain(HINSTANCE hInst, DWORD reason, + LPVOID reserved /* Not used. 
*/ ); + +__declspec(dllexport) + int + Authenticate(char *username, char *password, authenticateStateData * data, HLPCB callback) { - char buf[256]; - char *user, *passwd, *p; - char *ldapServer; - LDAP *ld; - LDAPMessage *result, *e; - - setbuf(stdout, NULL); - - if (argc != 2) - { - fprintf(stderr, "Usage: squid_ldap_auth ldap_server_name\n"); - exit(1); + LDAP *ld; + + if ((ld = ldap_init(ldapServer, LDAP_PORT)) == NULL) { + (callback) (data, "ERR"); + return 0; } + if (checkLDAP(ld, username, password) != 0) { + ldap_unbind(ld); + (callback) (data, "ERR"); + return 0; + } else { + ldap_unbind(ld); + (callback) (data, "OK"); + return 0; + } +} - ldapServer = (char*)argv[1]; - - while (fgets(buf, 256, stdin) != NULL) - { - /* You can put this ldap connect outside the loop, but i didn't want to - have the connection open too much. If you have a site which will - be doing >1 authentication per second, you should move this (and the - below ldap_unbind()) outside the loop. - */ - if( (ld = ldap_init(ldapServer, LDAP_PORT)) == NULL) - { - fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n", - ldapServer, LDAP_PORT); - exit(1); - } +#else - if ((p = strchr(buf, '\n')) != NULL) - *p = '\0'; /* strip \n */ +int +main(int argc, char **argv) +{ + char buf[256]; + char *username, *password, *p; + char *ldapServer; + LDAP *ld; + + setbuf(stdout, NULL); + + if (argc != 2) { + fprintf(stderr, "Usage: squid_ldap_auth ldap_server_name\n"); + exit(1); + } + ldapServer = (char *) argv[1]; - if ((user = strtok(buf, " ")) == NULL) - { - printf("ERR\n"); - continue; + while (fgets(buf, 256, stdin) != NULL) { + /* You can put this ldap connect outside the loop, but i didn't want to + * have the connection open too much. If you have a site which will + * be doing >1 authentication per second, you should move this (and the + * below ldap_unbind()) outside the loop. 
+ */ + if ((ld = ldap_init(ldapServer, LDAP_PORT)) == NULL) { + fprintf(stderr, "\nUnable to connect to LDAP server:%s port:%d\n", + ldapServer, LDAP_PORT); + exit(1); } - if ((passwd = strtok(NULL, "")) == NULL) - { - printf("ERR\n"); - continue; + if ((p = strchr(buf, '\n')) != NULL) + *p = '\0'; /* strip \n */ + + if ((username = strtok(buf, " ")) == NULL) { + printf("ERR\n"); + continue; } - if(checkLDAP(ld, user, passwd) != 0) - { - printf("ERR\n"); - continue; + if ((password = strtok(NULL, "")) == NULL) { + printf("ERR\n"); + continue; } - else - { - printf("OK\n"); - } - ldap_unbind(ld); + if (checkLDAP(ld, username, password) != 0) { + printf("ERR\n"); + continue; + } else { + printf("OK\n"); + } + ldap_unbind(ld); } } +#endif + +int +checkLDAP(LDAP * ld, char *userid, char *password) +{ + char buffer[256]; + + sprintf(buffer, "uid=%s, %s", userid, SEARCHBASE); + + if (ldap_simple_bind_s(ld, buffer, password) != LDAP_SUCCESS) + return 1; + return 0; +} + +#ifdef _SQUID_MSWIN_ +__declspec(dllexport) + int Init(char *Server) +{ + if (ldapServer) + xfree(ldapServer); + ldapServer = xstrdup(Server); + return 0; +} -int checkLDAP( LDAP *ld, char *userid, char *password) +BOOL APIENTRY +DllMain( + HINSTANCE hInst /* Library instance handle. */ , + DWORD reason /* Reason this function is being called. */ , + LPVOID reserved /* Not used. 
*/ ) { - char str[256]; + switch (reason) { + case DLL_PROCESS_ATTACH: + break; - /*sprintf(str,"uid=[%s][%s], %s",userid, password, SEARCHBASE); */ - sprintf(str,"uid=%s, %s",userid, SEARCHBASE); - - if(ldap_simple_bind_s(ld, str, password) != LDAP_SUCCESS) - { - /*fprintf(stderr, "\nUnable to bind\n");*/ - return 33; + case DLL_PROCESS_DETACH: + break; + + case DLL_THREAD_ATTACH: + break; + + case DLL_THREAD_DETACH: + break; } - return 0; + return TRUE; } + +#endif Index: squid/auth_modules/NCSA/ncsa_auth.c =================================================================== RCS file: /cvsroot/squid-sf//squid/auth_modules/NCSA/Attic/ncsa_auth.c,v retrieving revision 1.1.1.1 retrieving revision 1.1.1.1.52.1 diff -u -r1.1.1.1 -r1.1.1.1.52.1 --- squid/auth_modules/NCSA/ncsa_auth.c 26 Jan 2000 03:21:46 -0000 1.1.1.1 +++ squid/auth_modules/NCSA/ncsa_auth.c 6 Jan 2001 17:06:45 -0000 1.1.1.1.52.1 @@ -17,34 +17,11 @@ * */ -#include "config.h" -#if HAVE_STDIO_H -#include -#endif -#if HAVE_STDLIB_H -#include -#endif -#if HAVE_UNISTD_H -#include -#endif -#if HAVE_STRING_H -#include -#endif -#if HAVE_SYS_TYPES_H -#include -#endif -#if HAVE_SYS_STAT_H -#include -#endif -#if HAVE_CRYPT_H -#include -#endif - -#include "util.h" -#include "hash.h" +#include "squid.h" static hash_table *hash = NULL; static HASHFREE my_free; +static char *passwdfile = NULL; typedef struct _user_data { /* first two items must be same as hash_link */ 
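Review bot: checkLDAP builds the bind DN with an unbounded `sprintf` into a 256-byte stack buffer from a client-supplied userid, so a long username overruns `buffer`; format it with a bounded call and treat truncation as failure, e.g. `if (snprintf(buffer, sizeof buffer, "uid=%s, %s", userid, SEARCHBASE) >= (int) sizeof buffer) return 1;` (the `#undef sprintf` near the top suggests squid.h otherwise redirects sprintf, so use whatever bounded formatter the MSWIN build provides). The same function hands an empty password straight to ldap_simple_bind_s; on most directories an empty credential is an anonymous bind that succeeds, so `if (password == NULL || *password == '\0') return 1;` belongs before the bind. The userid is also interpolated into the DN without any escaping of DN special characters, which deserves at least a comment even if proper escaping is left for a later change.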
@@ -76,16 +53,15 @@ /* initial setup */ hash = hash_create((HASHCMP *) strcmp, 7921, hash_string); if (NULL == hash) { - fprintf(stderr, "ncsa_auth: cannot create hash table\n"); exit(1); } f = fopen(passwdfile, "r"); while (fgets(buf, 8192, f) != NULL) { if ((buf[0] == '#') || (buf[0] == ' ') || (buf[0] == '\t') || - (buf[0] == '\n')) + (buf[0] == '\n') || (buf[0] == '\r')) continue; - user = strtok(buf, ":\n"); - passwd = strtok(NULL, ":\n"); + user = strtok(buf, ":\n\r"); + passwd = strtok(NULL, ":\n\r"); if ((strlen(user) > 0) && passwd) { u = xmalloc(sizeof(*u)); u->user = xstrdup(user); @@ -96,14 +72,15 @@ fclose(f); } -int +#ifndef _SQUID_MSWIN_ main(int argc, char **argv) { - struct stat sb; - time_t change_time = 0; char buf[256]; char *user, *passwd, *p; + static time_t change_time = 0; + struct stat sb; user_data *u; + setbuf(stdout, NULL); if (argc != 2) { fprintf(stderr, "Usage: ncsa_auth \n"); @@ -123,12 +100,12 @@ } } if ((user = strtok(buf, " ")) == NULL) { - printf("ERR\n"); - continue; + printf("ERR\n"); + continue; } if ((passwd = strtok(NULL, "")) == NULL) { - printf("ERR\n"); - continue; + printf("ERR\n"); + continue; } u = hash_lookup(hash, user); if (u == NULL) { 
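Review bot: The hash_create failure path now calls exit(1) with no diagnostic because the `fprintf(stderr, "ncsa_auth: cannot create hash table\n");` line was dropped along with the include block; unless squid.h supplies a replacement error report, restore the message so an operator can tell why the helper died. The `f = fopen(passwdfile, "r");` on the following context line is still unchecked and fgets on a NULL stream is undefined, so `if (f == NULL) { fprintf(stderr, "ncsa_auth: cannot open %s\n", passwdfile); exit(1); }` fits in the same hunk. The enclosing read_passwd_file starts outside the hunk.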
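Review bot: Replacing the `int` line with `#ifndef _SQUID_MSWIN_` leaves `main(int argc, char **argv)` with no return type, an implicit-int definition that is invalid C99 and a warning or error on current compilers; keep the guard but restore the type, so the lines read `#ifndef _SQUID_MSWIN_`, `int`, `main(int argc, char **argv)`. Since the later hunk in this file also removes the `exit(0)` at the end of main, the POSIX build should end with an explicit `return 0;`. main's body continues outside the hunk.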
@@ -139,5 +116,69 @@ printf("OK\n"); } } - exit(0); } + +#else /* _SQUID_MSWIN_ */ +__declspec(dllexport) +int +Authenticate(char *user, char *passwd, void *data, HLPCB callback) +{ + static time_t change_time = 0; + struct stat sb; + user_data *u; + + if (stat(passwdfile, &sb) == 0) { + if (sb.st_mtime != change_time) { + read_passwd_file(passwdfile); + change_time = sb.st_mtime; + } + } + u = hash_lookup(hash, user); + if (u == NULL) { + (callback) (data, "ERR"); + return 0; + } else if (strcmp(u->passwd, (char *) crypt(passwd, u->passwd))) { + (callback) (data, "ERR"); + return 0; + } else { + (callback) (data, "OK"); + return 0; + } +} +#endif + +#ifdef _SQUID_MSWIN_ +__declspec(dllexport) +int +Init(char *pwfile) +{ + if (passwdfile) + xfree(passwdfile); + passwdfile = xstrdup(pwfile); + return 0; +} + +BOOL APIENTRY +DllMain( + HINSTANCE hInst /* Library instance handle. */ , + DWORD reason /* Reason this function is being called. */ , + LPVOID reserved /* Not used. */ ) +{ + switch (reason) { + case DLL_PROCESS_ATTACH: + break; + + case DLL_PROCESS_DETACH: + if (passwdfile) + xfree(passwdfile); + break; + + case DLL_THREAD_ATTACH: + break; + + case DLL_THREAD_DETACH: + break; + } + return TRUE; +} +#endif --- /dev/null Wed Feb 14 00:45:56 2007 +++ squid/auth_modules/NT/Makefile.in Wed Feb 14 00:48:05 2007 
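Review bot: In the new DLL Authenticate the result of `crypt(passwd, u->passwd)` is passed to strcmp unchecked; crypt implementations (including, presumably, the one the changelog says was added to the WIN32 port) can return NULL on an unsupported salt or invalid input, and strcmp on NULL is undefined, so capture it first with `char *hashed = crypt(passwd, u->passwd);` and branch on `u == NULL || hashed == NULL || strcmp(u->passwd, hashed) != 0`, answering "ERR" in that case. `passwdfile` is NULL until Init() has run, so `stat(passwdfile, &sb)` should be guarded and Authenticate should answer "ERR" if squid can call it first; the call order is not visible here. In DllMain the DLL_PROCESS_DETACH branch frees passwdfile but leaves the pointer dangling; add `passwdfile = NULL;` after the xfree, matching what Init() expects to find.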
@@ -0,0 +1,96 @@ +# +# Makefile for the Squid Object Cache server +# +# $Id$ +# +# Uncomment and customize the following to suit your needs: +# + +prefix = @prefix@ +exec_prefix = @exec_prefix@ +exec_suffix = @exec_suffix@ +cgi_suffix = @cgi_suffix@ +top_srcdir = @top_srcdir@ +bindir = @bindir@ +libexecdir = @libexecdir@ +sysconfdir = @sysconfdir@ +localstatedir = @localstatedir@ +srcdir = @srcdir@ +VPATH = @srcdir@ + +# Gotta love the DOS legacy +# +AUTH_EXE = NT_auth$(exec_suffix) + +CC = @CC@ +MAKEDEPEND = @MAKEDEPEND@ +INSTALL = @INSTALL@ +INSTALL_BIN = @INSTALL_PROGRAM@ +INSTALL_FILE = @INSTALL_DATA@ +INSTALL_SUID = @INSTALL_PROGRAM@ -o root -m 4755 +RANLIB = @RANLIB@ +LN_S = @LN_S@ +PERL = @PERL@ +CRYPTLIB = @CRYPTLIB@ +REGEXLIB = @REGEXLIB@ +PTHREADLIB = @PTHREADLIB@ +SNMPLIB = @SNMPLIB@ +MALLOCLIB = @LIB_MALLOC@ +AC_CFLAGS = @CFLAGS@ +LDFLAGS = @LDFLAGS@ +XTRA_LIBS = @XTRA_LIBS@ +XTRA_OBJS = @XTRA_OBJS@ +MV = @MV@ +RM = @RM@ +SHELL = /bin/sh +DEFINES = + +INCLUDE = -I. -I../../include -I$(top_srcdir)/include -I../../src +CFLAGS = $(AC_CFLAGS) $(INCLUDE) $(DEFINES) +AUTH_LIBS = $(XTRA_LIBS) -lnetapi32 + +LIBPROGS = $(AUTH_EXE) +OBJS = NT_auth.o valid.o + +all: $(AUTH_EXE) + +$(AUTH_EXE): $(OBJS) + $(CC) $(LDFLAGS) $(OBJS) -o $@ $(AUTH_LIBS) + +install-mkdirs: + -@if test ! -d $(prefix); then \ + echo "mkdir $(prefix)"; \ + mkdir $(prefix); \ + fi + -@if test ! -d $(libexecdir); then \ + echo "mkdir $(libexecdir)"; \ + mkdir $(libexecdir); \ + fi + +# Michael Lupp wants to know about additions +# to the install target. 
+install: all install-mkdirs + @for f in $(LIBPROGS); do \ + if test -f $(libexecdir)/$$f; then \ + echo $(MV) $(libexecdir)/$$f $(libexecdir)/-$$f; \ + $(MV) $(libexecdir)/$$f $(libexecdir)/-$$f; \ + fi; \ + echo $(INSTALL_BIN) $$f $(libexecdir); \ + $(INSTALL_BIN) $$f $(libexecdir); \ + if test -f $(libexecdir)/-$$f; then \ + echo $(RM) -f $(libexecdir)/-$$f; \ + $(RM) -f $(libexecdir)/-$$f; \ + fi; \ + done + +clean: + -rm -rf *.o *pure_* core $(PROGS) + +distclean: clean + -rm -f Makefile + +tags: + ctags *.[ch] + +depend: + $(MAKEDEPEND) -fMakefile *.c --- /dev/null Wed Feb 14 00:45:56 2007 +++ squid/auth_modules/NT/NT_auth.c Wed Feb 14 00:48:05 2007 
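Review bot: The `clean` target removes `$(PROGS)`, but this Makefile defines `LIBPROGS` and `AUTH_EXE`, not `PROGS`, so `make clean` leaves the built NT_auth$(exec_suffix) in place; change the line to `-rm -rf *.o *pure_* core $(LIBPROGS)`. `INSTALL_SUID` (`-o root -m 4755`) is defined but unused here; it reads as template residue, and a one-line comment saying the authenticator is installed with plain `INSTALL_BIN` would stop anyone from wiring a setuid install by habit.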
@@ -0,0 +1,154 @@ + +/* + * NT_auth - Version 1.1 + * + * Modified to act as a Squid authenticator module. Can run as dll on NT native + * port. Removed all Pike stuff. Returns OK for a successful authentication, or + * ERR upon error. + * + * Guido Serassio, Torino - Italy Sun Dec 10 22:24:26 CST 2000 + * + * Uses code from - Antonino Iannella 2000 Andrew Tridgell 1997 Richard Sharpe + * 1996 Bill Welliver 1999 + * + * Released under GNU Public License + * + * This program is free software; you can redistribute it and/or modify it under + * the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + * + * This program is distributed in the hope that it will be useful, but WITHOUT ANY + * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS + * FOR A PARTICULAR PURPOSE. See the GNU General Public License for more + * details. + * + * You should have received a copy of the GNU General Public License along with + * this program; if not, write to the Free Software Foundation, Inc., 675 Mass + * Ave, Cambridge, MA 02139, USA. + */ + +#include "squid.h" +#include "valid.h" + +typedef struct { + void *data; + acl_proxy_auth_user *auth_user; + RH *handler; +} authenticateStateData; + + +/* + * Main program for simple authentication. Scans and checks for Squid input, + * and attempts to validate the user. + */ + + +#ifdef _SQUID_CYGWIN_ +static char NTGroup[256]; + +int +main(int argc, char **argv) +{ + char wstr[256]; + char username[256]; + char password[256]; + + if (argc != 2) { + fprintf(stderr, "Usage: ms_auth \n"); + exit(1); + } + strcpy(NTGroup, argv[1]); + + while (1) { + /* Read whole line from standard input. Terminate on break. 
*/ + if (fgets(wstr, 255, stdin) == NULL) + break; + + /* Clear any current settings */ + username[0] = '\0'; + password[0] = '\0'; + sscanf(wstr, "%s %s", username, password); /* Extract parameters */ + + /* Check for invalid or blank entries */ + if ((username[0] == '\0') || (password[0] == '\0')) { + puts("ERR"); + fflush(stdout); + continue; + } + if (Valid_User(username, password, NTGroup) == NTV_NO_ERROR) + puts("OK"); + else + puts("ERR"); + fflush(stdout); + } + return 0; +} + +#else /* _SQUID_CYGWIN_ */ + +static char *NTGroup = NULL; + +BOOL APIENTRY + DllMain(HINSTANCE hInst, DWORD reason, + LPVOID reserved /* Not used. */ ); + +__declspec(dllexport) + int + Authenticate(char *username, char *password, authenticateStateData * data, HLPCB callback) +{ + /* Check for invalid or blank entries */ + if ((username[0] == '\0') || (password[0] == '\0')) { + (callback) (data, "ERR"); + return 0; + } + if (Valid_User(username, password, NTGroup) == NTV_NO_ERROR) + (callback) (data, "OK"); + else + (callback) (data, "ERR"); + return 0; +} +#endif + +/* + * Valid_User return codes - + * + * 0 - User authenticated successfully. 1 - Server error. 2 - Protocol error. 3 - + * Logon error; Incorrect password or username given. + */ + +#ifndef _SQUID_CYGWIN_ + +__declspec(dllexport) + int Init(char *Group) +{ + if (NTGroup) + xfree(NTGroup); + NTGroup = xstrdup(Group); + return 0; +} + + +BOOL APIENTRY +DllMain( + HINSTANCE hInst /* Library instance handle. */ , + DWORD reason /* Reason this function is being called. */ , + LPVOID reserved /* Not used. */ ) +{ + + switch (reason) { + case DLL_PROCESS_ATTACH: + break; + + case DLL_PROCESS_DETACH: + break; + + case DLL_THREAD_ATTACH: + break; + + case DLL_THREAD_DETACH: + break; + } + return TRUE; +} +#endif --- /dev/null Wed Feb 14 00:45:56 2007 +++ squid/auth_modules/NT/Readme.txt Wed Feb 14 00:48:05 2007 
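Review bot: The DLL-side Authenticate dereferences `username[0]` and `password[0]` and passes NTGroup to Valid_User without checking any of them for NULL, and NTGroup stays NULL until Init() has run; guard with `if (username == NULL || password == NULL || NTGroup == NULL || username[0] == '\0' || password[0] == '\0')` and answer "ERR" so the helper fails closed. In the Cygwin main, `strcpy(NTGroup, argv[1]);` copies an operator-supplied argument into a 256-byte array unbounded; `snprintf(NTGroup, sizeof NTGroup, "%s", argv[1]);` keeps the same behaviour for normal input and cannot overrun. The usage message still names `ms_auth`, which does not match this program's NT_auth name. The comment block listing Valid_User return codes duplicates the NTV_* macros in valid.h; pointing at valid.h instead would keep the two from drifting.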
@@ -0,0 +1,76 @@ +This is a simple authentication module for the Squid proxy server running on Windows NT +compiled with CygWin to authenticate users on an NT domain in native WIN32 mode. + +Usage is simple. It accepts a username and password on standard input +and will return OK if the username/password is valid for the domain/machine, +or ERR if there was some problem. +It's possible to authenticate against NT trusted domains specifyng the username +in the domain\username Microsoft notation. + +This is released under the GNU General Public License and +is available from http://serassio.interfree.it. + +Allowing Users - + +Users that are allowed to access the web proxy must have the Windows NT +User Rights "logon from the network" and must be included in the NT LOCAL User Group +specified in the Authenticator's command line. +This can be accomplished creating a local user group on the NT Server, grant the privilege, +and adding users to it. + +The squid process must have the NT User Rights "Act as part of the operating system", +this is true if squid runs as a service with LocalSystem Account. + +Installation - + +Type 'make', then 'make install', then 'make clean'. + +The default is to install 'nt_auth' into /usr/local/squid/bin. + +Refer to Squid documentation for the required changes to squid.conf. +You will need to set the following line to enable the authenticator: + +authenticate_program /usr/local/squid/bin/nt_auth + +You will need to set the following lines to enable authentication for +your access list - + + acl proxy_auth REQUIRED + http_access allow + +You will need to specify the absolute path to nt_auth in the +authenticate_program directive, and check the authenticate_children +and authenticate_ttl. + +Compilation issues - + +The Makefile assumes that GCC is in the current PATH. +nt_auth compile ONLY on GygWin Environment or MS VC++. +Note: Under MS VC++ this package compile as a dll, an work only with my release +of native NT Squid 2.3 Stable4 port. 
+ +Testing - + +I strongly urge that nt_auth is tested prior to being used in a +production environment. It may behave differently on different platforms. +To test it, run it from the command line. Enter username and password +pairs separated by a space. Press ENTER to get an OK or ERR message. +Make sure pressing behaves the same as a carriage return. +Make sure pressing aborts the program. + +NOTE: the NT user running the nt_auth module, must have the NT User Rights +"Act as part of the operating system". + +Test that entering no details does not result in an OK or ERR message. +Test that entering an invalid username and password results in an ERR message. +Note that if NT guest user access is allowed on the PDC, an OK message +may be returned instead of ERR. +Test that entering an valid username and password results in an OK message. +Test that entering a guest username and password returns the correct +response for the site's access policy. + +Contact details - + +To contact the maintainer of this package, email Guido Serassio +on serassio@interfree.it. +The latest version may be found on http://serassio.interfree.it. --- /dev/null Wed Feb 14 00:45:56 2007 +++ squid/auth_modules/NT/valid.c Wed Feb 14 00:48:05 2007 
@@ -0,0 +1,114 @@ +#include +#include +#include +#include +#include +#include "valid.h" + +int +Valid_User(char *UserName, char *Password, char *Group) +{ + HANDLE hToken; + int result = NTV_LOGON_ERROR; + int error; + char NTDomain[256]; + char *domain_qualify; + char DomainUser[256]; + WCHAR wszUserName[256]; // Unicode user name + + WCHAR wszGroup[256]; // Unicode Group + + LPLOCALGROUP_USERS_INFO_0 pBuf = NULL; + LPLOCALGROUP_USERS_INFO_0 pTmpBuf; + DWORD dwLevel = 0; + DWORD dwFlags = LG_INCLUDE_INDIRECT; + DWORD dwPrefMaxLen = -1; + DWORD dwEntriesRead = 0; + DWORD dwTotalEntries = 0; + NET_API_STATUS nStatus; + DWORD i; + DWORD dwTotalCount = 0; + +/* Convert ANSI User Name and Group to Unicode */ + + MultiByteToWideChar(CP_ACP, 0, UserName, + strlen(UserName) + 1, wszUserName, + sizeof(wszUserName) / sizeof(wszUserName[0])); + + MultiByteToWideChar(CP_ACP, 0, Group, + strlen(Group) + 1, wszGroup, + sizeof(wszGroup) / sizeof(wszGroup[0])); + + if ((domain_qualify = strchr(UserName, '\\')) == NULL) { + strcpy(DomainUser, UserName); + strcpy(NTDomain, "."); + } else { + strcpy(DomainUser, domain_qualify + 1); + domain_qualify[0] = '\0'; + strcpy(NTDomain, UserName); + } + + /* Log the client on to the local computer. */ + + if (!LogonUser( + DomainUser, + NTDomain, + Password, + LOGON32_LOGON_NETWORK, + LOGON32_PROVIDER_DEFAULT, + &hToken)) { + result = NTV_LOGON_ERROR; + error = GetLastError(); + } else { + /* + * Call the NetUserGetLocalGroups function + * specifying information level 0. + * + * The LG_INCLUDE_INDIRECT flag specifies that the + * function should also return the names of the local + * groups in which the user is indirectly a member. 
+ */ + nStatus = NetUserGetLocalGroups(NULL, + wszUserName, + dwLevel, + dwFlags, + (LPBYTE *) & pBuf, + dwPrefMaxLen, + &dwEntriesRead, + &dwTotalEntries); + + + /* + * If the call succeeds, + */ + if (nStatus == NERR_Success) { + + if ((pTmpBuf = pBuf) != NULL) { + for (i = 0; i < dwEntriesRead; i++) { + assert(pTmpBuf != NULL); + + if (pTmpBuf == NULL) { + result = NTV_SERVER_ERROR; + break; + } + if (wcscmp(pTmpBuf->lgrui0_name, wszGroup) == 0) { + result = NTV_NO_ERROR; + break; + } + pTmpBuf++; + dwTotalCount++; + } + } + } else + result = NTV_SERVER_ERROR; + + /* + * Free the allocated memory. + */ + if (pBuf != NULL) + NetApiBufferFree(pBuf); + } + if (hToken != INVALID_HANDLE_VALUE) + CloseHandle(hToken); + return result; +} --- /dev/null Wed Feb 14 00:45:56 2007 +++ squid/auth_modules/NT/valid.h Wed Feb 14 00:48:05 2007 @@ -0,0 +1,16 @@ +#ifndef _VALID_H_ +#define _VALID_H_ +/* SMB User verification function */ + +#define NTV_NO_ERROR 0 +#define NTV_SERVER_ERROR 1 +#define NTV_PROTOCOL_ERROR 2 +#define NTV_LOGON_ERROR 3 + +#ifndef LOGON32_LOGON_NETWORK +#define LOGON32_LOGON_NETWORK 3 +#endif + +int Valid_User(char *, char *, char *); + +#endif
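Review bot: hToken is never initialized, so on the LogonUser failure branch the final `if (hToken != INVALID_HANDLE_VALUE) CloseHandle(hToken);` reads an indeterminate handle value (LogonUser need not set it on failure) and may close an unrelated handle; declare it as `HANDLE hToken = INVALID_HANDLE_VALUE;`. The two strcpy calls into DomainUser and NTDomain are unbounded while UserName arrives from the proxy client, so add `if (strlen(UserName) >= sizeof DomainUser) return NTV_LOGON_ERROR;` before the split (wszUserName and wszGroup are bounded by the MultiByteToWideChar length argument, but its return value is never checked, so a failed conversion leaves them uninitialized). Note also that `domain_qualify[0] = '\0'` writes through the caller's UserName and leaves it truncated to the domain part after the call; copying the two halves into the local buffers without modifying the input would avoid that side effect, and `error = GetLastError();` is stored but never used.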
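Review bot: The include guard `_VALID_H_` is a reserved identifier (a leading underscore followed by an uppercase letter belongs to the implementation); `VALID_H` or `SQUID_NT_VALID_H` avoids the clash. The prototype `int Valid_User(char *, char *, char *);` drops the parameter names, and since the implementation modifies its first argument in place, naming them as `int Valid_User(char *UserName, char *Password, char *Group);` and documenting that side effect in the header comment would help callers.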