--------------------- PatchSet 3747 Date: 2002/03/18 22:39:44 Author: serassio Branch: nt-2_5 Tag: (none) Log: Added external helpers support Members: src/auth/basic/helpers/win32_locallogon/Makefile.am:1.1->1.1.22.1 src/auth/basic/helpers/win32_locallogon/NT_auth.c:1.1->1.1.38.1 src/auth/basic/helpers/win32_locallogon/README.txt:1.1->1.1.38.1 src/auth/basic/helpers/win32_locallogon/valid.c:1.1->1.1.38.1 src/auth/basic/helpers/win32_locallogon/valid.h:1.1->1.1.38.1
--- /dev/null Wed Feb 14 00:55:47 2007
+++ squid/src/auth/basic/helpers/win32_locallogon/Makefile.am Wed Feb 14 00:57:30 2007
@@ -0,0 +1,17 @@
+#
+# Makefile for the Squid Object Cache server
+#
+# $Id$
+#
+# Uncomment and customize the following to suit your needs:
+#
+
+
+libexec_PROGRAMS = nt_auth
+
+nt_auth_SOURCES = NT_auth.c valid.c
+
+LDADD = -lnetapi32
+
+INCLUDES = -I. -I$(top_builddir)/include -I$(top_srcdir)/include \
+ -I$(top_srcdir)/src/
--- /dev/null Wed Feb 14 00:55:47 2007
+++ squid/src/auth/basic/helpers/win32_locallogon/NT_auth.c Wed Feb 14 00:57:30 2007
@@ -0,0 +1,96 @@
+/*
+ NT_auth - Version 1.11
+
+ Modified to act as a Squid authenticator module.
+ Can run as dll on NT native port.
+ Removed all Pike stuff.
+ Returns OK for a successful authentication, or ERR upon error.
+
+ Guido Serassio, Torino - Italy
+ Sun Jun 17 14:34:26 CST 2001
+
+ Uses code from -
+ Antonino Iannella 2000
+ Andrew Tridgell 1997
+ Richard Sharpe 1996
+ Bill Welliver 1999
+
+ Released under GNU Public License
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software
+ Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "squid.h"
+
+/* Check if we try to compile on a Windows Platform */
+#if defined(_SQUID_CYGWIN_) || defined(_SQUID_MSWIN_)
+
+#include "valid.h"
+
+/* Main program for simple authentication.
+ Scans and checks for Squid input, and attempts to validate the user.
+*/
+
+static char NTGroup[256];
+extern char Default_NTDomain[256];
+
+int
+main(int argc, char **argv)
+
+{
+ char wstr[256];
+ char username[256];
+ char password[256];
+ char *p;
+
+ if ((argc < 2) || (argc > 3)) {
+ fprintf(stderr, "Usage: NT_auth []\n");
+ exit(1);
+ }
+ strcpy(NTGroup, argv[1]);
+ if (argc == 3)
+ strcpy(Default_NTDomain, argv[2]);
+ while (1) {
+ /* Read whole line from standard input. Terminate on break. */
+ if (fgets(wstr, 255, stdin) == NULL)
+ break;
+ if ((p = strchr(wstr, '\n')) != NULL)
+ *p = '\0'; /* strip \n */
+ if ((p = strchr(wstr, '\r')) != NULL)
+ *p = '\0'; /* strip \r */
+ /* Clear any current settings */
+ username[0] = '\0';
+ password[0] = '\0';
+ sscanf(wstr, "%s %s", username, password); /* Extract parameters */
+ /* Check for invalid or blank entries */
+ if ((username[0] == '\0') || (password[0] == '\0')) {
+ puts("ERR");
+ fflush(stdout);
+ continue;
+ }
+ if (Valid_User(username, password, NTGroup) == NTV_NO_ERROR)
+ puts("OK");
+ else
+ puts("ERR");
+ fflush(stdout);
+ }
+ return 0;
+}
+
+#else /* NON Windows Platform !!! */
+
+#error NON WINDOWS PLATFORM
+
+#endif
--- /dev/null Wed Feb 14 00:55:47 2007
+++ squid/src/auth/basic/helpers/win32_locallogon/README.txt Wed Feb 14 00:57:30 2007
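Review bot: `strcpy(NTGroup, argv[1])` and `strcpy(Default_NTDomain, argv[2])` copy command-line arguments into fixed 256-byte buffers with no length check, so an over-long argument on the `authenticate_program` line overruns a global; a bounded copy such as `snprintf(NTGroup, sizeof NTGroup, "%s", argv[1]);` (and the same for `Default_NTDomain`) removes that. Separately, `fgets(wstr, 255, stdin)` returns only the first 254 bytes of a longer request line and leaves the remainder for the next iteration, where it is presumably parsed as a second username/password pair and answered with an extra OK/ERR, which would desynchronise the one-request-one-reply exchange with Squid; when no `'\n'` is found in `wstr` the loop should drain the rest of the line and answer ERR once. The `%s %s` format in `sscanf` also truncates a password containing a space at the first blank, which is then checked as a different password; if that limitation is intended it belongs in the comment above `main`.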
@@ -0,0 +1,77 @@
+This is a simple authentication module for the Squid proxy server running on Windows NT
+compiled with CygWin to authenticate users on an NT domain in native WIN32 mode.
+
+Usage is simple. It accepts a username and password on standard input
+and will return OK if the username/password is valid for the domain/machine,
+or ERR if there was some problem.
+It's possible to authenticate against NT trusted domains specifyng the username
+in the domain\username Microsoft notation.
+
+This is released under the GNU General Public License and
+is available from http://www.serassio.it.
+
+Allowing Users -
+
+Users that are allowed to access the web proxy must have the Windows NT
+User Rights "logon from the network" and must be included in the NT LOCAL User Group
+specified in the Authenticator's command line.
+This can be accomplished creating a local user group on the NT machine, grant the privilege,
+and adding users to it.
+
+The squid process must have the NT User Rights "Act as part of the operating system",
+this is true if squid runs as a service with LocalSystem Account.
+
+Installation -
+
+Type 'make', then 'make install', then 'make clean'.
+
+The default is to install 'nt_auth' into /usr/local/squid/bin.
+
+Refer to Squid documentation for the required changes to squid.conf.
+You will need to set the following line to enable the authenticator:
+
+authenticate_program /usr/local/squid/bin/NT_auth
+
+You will need to set the following lines to enable authentication for
+your access list -
+
+ acl proxy_auth REQUIRED
+ http_access allow
+
+You will need to specify the absolute path to NT_auth in the
+authenticate_program directive, and check the authenticate_children
+and authenticate_ttl.
+
+Compilation issues -
+
+The Makefile assumes that GCC is in the current PATH.
+NT_auth compile ONLY on CygWin Environment or MS VC++.
+
+Note: Under MS VC++ this package compile as a dll, an work only with my release
+of native NT Squid 2.3 STABLE 5 port.
+
+Testing -
+
+I strongly urge that NT_auth is tested prior to being used in a
+production environment. It may behave differently on different platforms.
+To test it, run it from the command line. Enter username and password
+pairs separated by a space. Press ENTER to get an OK or ERR message.
+Make sure pressing behaves the same as a carriage return.
+Make sure pressing aborts the program.
+
+NOTE: the NT user running the NT_auth module, must have the NT User Rights
+"Act as part of the operating system".
+
+Test that entering no details does not result in an OK or ERR message.
+Test that entering an invalid username and password results in an ERR message.
+Note that if NT guest user access is allowed on the PDC, an OK message
+may be returned instead of ERR.
+Test that entering an valid username and password results in an OK message.
+Test that entering a guest username and password returns the correct
+response for the site's access policy.
+
+Contact details -
+
+To contact the maintainer of this package, email Guido Serassio
+on serassio@interfree.it.
+The latest version may be found on http://www.serassio.it/SquidNT.htm.
--- /dev/null Wed Feb 14 00:55:47 2007
+++ squid/src/auth/basic/helpers/win32_locallogon/valid.c Wed Feb 14 00:57:30 2007
@@ -0,0 +1,117 @@
+#include "squid.h"
+
+/* Check if we try to compile on a Windows Platform */
+#if defined(_SQUID_CYGWIN_) || defined(_SQUID_MSWIN_)
+
+#include
+#if defined(_SQUID_CYGWIN_)
+#include
+#endif
+#include
+#include
+#include "valid.h"
+
+char Default_NTDomain[256] = NTV_DEFAULT_DOMAIN;
+
+/* Valid_User return codes -
+ 0 - User authenticated successfully.
+ 1 - Server error.
+ 2 - Protocol error.
+ 3 - Logon error; Incorrect password or username given.
+*/
+
+int
+Valid_User(char *UserName, char *Password, char *Group)
+{
+ HANDLE hToken = INVALID_HANDLE_VALUE;
+ int result = NTV_LOGON_ERROR;
+ int error;
+ char NTDomain[256];
+ char *domain_qualify;
+ char DomainUser[256];
+ WCHAR wszUserName[256]; // Unicode user name
+ WCHAR wszGroup[256]; // Unicode Group
+
+ LPLOCALGROUP_USERS_INFO_0 pBuf = NULL;
+ LPLOCALGROUP_USERS_INFO_0 pTmpBuf;
+ DWORD dwLevel = 0;
+ DWORD dwFlags = LG_INCLUDE_INDIRECT;
+ DWORD dwPrefMaxLen = -1;
+ DWORD dwEntriesRead = 0;
+ DWORD dwTotalEntries = 0;
+ NET_API_STATUS nStatus;
+ DWORD i;
+ DWORD dwTotalCount = 0;
+
+/* Convert ANSI User Name and Group to Unicode */
+
+ MultiByteToWideChar(CP_ACP, 0, UserName,
+ strlen(UserName) + 1, wszUserName,
+ sizeof(wszUserName) / sizeof(wszUserName[0]));
+ MultiByteToWideChar(CP_ACP, 0, Group,
+ strlen(Group) + 1, wszGroup, sizeof(wszGroup) / sizeof(wszGroup[0]));
+ strcpy(NTDomain, UserName);
+ if ((domain_qualify = strchr(NTDomain, '\\')) == NULL) {
+ strcpy(DomainUser, NTDomain);
+ strcpy(NTDomain, Default_NTDomain);
+ } else {
+ strcpy(DomainUser, domain_qualify + 1);
+ domain_qualify[0] = '\0';
+ }
+ /* Log the client on to the local computer. */
+ if (!LogonUser(DomainUser,
+ NTDomain,
+ Password,
+ LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, &hToken)) {
+ result = NTV_LOGON_ERROR;
+ error = GetLastError();
+ } else {
+ /*
+ * Call the NetUserGetLocalGroups function
+ * specifying information level 0.
+ *
+ * The LG_INCLUDE_INDIRECT flag specifies that the
+ * function should also return the names of the local
+ * groups in which the user is indirectly a member.
+ */
+ nStatus = NetUserGetLocalGroups(NULL,
+ wszUserName,
+ dwLevel,
+ dwFlags,
+ (LPBYTE *) & pBuf, dwPrefMaxLen, &dwEntriesRead, &dwTotalEntries);
+ /*
+ * If the call succeeds,
+ */
+ if (nStatus == NERR_Success) {
+ if ((pTmpBuf = pBuf) != NULL) {
+ for (i = 0; i < dwEntriesRead; i++) {
+ assert(pTmpBuf != NULL);
+ if (pTmpBuf == NULL) {
+ result = NTV_SERVER_ERROR;
+ break;
+ }
+ if (wcscmp(pTmpBuf->lgrui0_name, wszGroup) == 0) {
+ result = NTV_NO_ERROR;
+ break;
+ }
+ pTmpBuf++;
+ dwTotalCount++;
+ }
+ }
+ } else
+ result = NTV_SERVER_ERROR;
+ /*
+ * Free the allocated memory.
+ */
+ if (pBuf != NULL)
+ NetApiBufferFree(pBuf);
+ }
+ if (hToken != INVALID_HANDLE_VALUE)
+ CloseHandle(hToken);
+ return result;
+}
+#else /* NON Windows Platform !!! */
+
+#error NON WINDOWS PLATFORM
+
+#endif
--- /dev/null Wed Feb 14 00:55:47 2007
+++ squid/src/auth/basic/helpers/win32_locallogon/valid.h Wed Feb 14 00:57:30 2007
@@ -0,0 +1,18 @@
+#ifndef _VALID_H_
+#define _VALID_H_
+/* SMB User verification function */
+
+#define NTV_NO_ERROR 0
+#define NTV_SERVER_ERROR 1
+#define NTV_PROTOCOL_ERROR 2
+#define NTV_LOGON_ERROR 3
+
+#ifndef LOGON32_LOGON_NETWORK
+#define LOGON32_LOGON_NETWORK 3
+#endif
+
+#define NTV_DEFAULT_DOMAIN "."
+
+int Valid_User(char *,char *, char *);
+
+#endif
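Review bot: `strcpy(NTDomain, UserName)` copies the caller's user name into a 256-byte local with no bound, and the two `strcpy` calls into `DomainUser` inherit the same assumption; `Valid_User` is exported through valid.h with plain `char *` parameters, so nothing in the function enforces the limit that NT_auth.c's 256-byte input buffer happens to provide for its one caller. Replacing the first copy with `snprintf(NTDomain, sizeof NTDomain, "%s", UserName);` bounds the later copies as well, since they read from `NTDomain`. In the membership loop the `if (pTmpBuf == NULL)` branch is unreachable after `assert(pTmpBuf != NULL)` on the line above it, and `error` is assigned from `GetLastError()` but never read (nor is `dwTotalCount`); either report the logon failure reason or drop the dead code. The initial `result = NTV_LOGON_ERROR` is what makes a user who logs on but is not in `Group`, or an empty group list, fail closed; a comment such as `/* default: deny unless membership of Group is confirmed below */` above the declaration would keep a later edit from loosening it.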
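Review bot: The include guard `_VALID_H_` begins with an underscore followed by an uppercase letter, a form reserved for the implementation in C, so a project-style name such as `SQUID_VALID_H` avoids a potential clash with system headers. The prototype `int Valid_User(char *,char *, char *);` also drops the parameter names; `int Valid_User(char *UserName, char *Password, char *Group);` documents the argument order at the one place callers look, and a comment mapping the `NTV_*` codes to the return value would make the header self-contained rather than relying on the comment in valid.c.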