authorjim-p <jimp@pfsense.org>2013-06-10 14:13:28 -0400
committerjim-p <jimp@pfsense.org>2013-06-10 14:13:28 -0400
commit2dda3a961921534bec5df1dfb039c47ade0ff5b1 (patch)
tree272ae24710dd7be0d712599ab79bfb8f67cc140c
parentb01b711ee6be3fa03844095d92dee9025aafd18a (diff)
Add LDAP search patch from http://forum.pfsense.org/index.php/topic,59246.0.html
-rw-r--r--config/squidGuard/squidguard.inc6
-rw-r--r--config/squidGuard/squidguard.xml58
-rw-r--r--config/squidGuard/squidguard_acl.xml5
-rw-r--r--config/squidGuard/squidguard_configurator.inc56
4 files changed, 110 insertions, 15 deletions
diff --git a/config/squidGuard/squidguard.inc b/config/squidGuard/squidguard.inc
index 1ea1b5a5..d58dfb79 100644
--- a/config/squidGuard/squidguard.inc
+++ b/config/squidGuard/squidguard.inc
@@ -979,6 +979,12 @@ function convert_pfxml_to_sgxml() {
$sgxml[F_LOGDIR] = SQUIDGUARD_LOGDIR;
$sgxml[F_DBHOME] = SQUIDGUARD_DBHOME;
+ $sgxml[F_LDAPENABLE] = $pfxml['ldap_enable'];
+ $sgxml[F_LDAPBINDDN] = $pfxml['ldapbinddn'];
+ $sgxml[F_LDAPBINDPASS] = $pfxml['ldapbindpass'];
+ $sgxml[F_LDAPVERSION] = $pfxml['ldapversion'];
+ $sgxml[F_STRIPNTDOMAIN] = $pfxml['stripntdomain'];
+ $sgxml[F_STRIPREALM] = $pfxml['striprealm'];
$sgxml[F_BINPATH] = SQUIDGUARD_BINPATH;
$sgxml[F_WORKDIR] = SQUIDGUARD_WORKDIR;
$sgxml[F_SGCONF_XML] = SQUIDGUARD_WORKDIR . SQUIDGUARD_CONFXML;
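Review bot: `$sgxml[F_LDAPBINDPASS] = $pfxml['ldapbindpass'];` copies the LDAP bind password into `$sgxml`, the same array that two lines later is given a config-XML path (`F_SGCONF_XML`); if that array is serialized to the work directory, the credential now lives in a second clear-text file besides the pfSense config, and the mode of that file should be confirmed to be owner-only. A short comment at the new block would make the sensitivity visible to the next maintainer: `# LDAP bind credentials (clear text) - keep any file this array is written to non-world-readable`. convert_pfxml_to_sgxml's body continues outside this hunk.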
diff --git a/config/squidGuard/squidguard.xml b/config/squidGuard/squidguard.xml
index 21356e1c..e1fb3d41 100644
--- a/config/squidGuard/squidguard.xml
+++ b/config/squidGuard/squidguard.xml
@@ -122,7 +122,61 @@
<description><![CDATA[Check this option to enable squidGuard]]></description>
<type>checkbox</type>
</field>
- <field>
+ <field>
+ <name>LDAP Options</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable LDAP Filter</fielddescr>
+ <fieldname>ldap_enable</fieldname>
+ <description><![CDATA[Enable options for setup ldap connection to create filters with ldap search]]></description>
+ <type>checkbox</type>
+ <enablefields>ldapbinddn,ldapbindpass,stripntdomain,striprealm,ldapversion</enablefields>
+ </field>
+ <field>
+ <fielddescr>LDAP DN</fielddescr>
+ <fieldname>ldapbinddn</fieldname>
+ <description><![CDATA[Configure your LDAP DN (ex: cn=Administrator,cn=Users,dc=domain)]]></description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>LDAP DN Password</fielddescr>
+ <fieldname>ldapbindpass</fieldname>
+ <description><![CDATA[Password must be initialize with letters (Ex: Change123), valid format: [a-zA-Z\/][a-zA-Z0-9/_\-\.\/\:\%\+\?=&]]]></description>
+ <type>password</type>
+ </field>
+ <field>
+ <fielddescr>Strip NT domain name</fielddescr>
+ <fieldname>stripntdomain</fieldname>
+ <description><![CDATA[Strip NT domain name component from user names (/ or \ separated).]]></description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
+ <field>
+ <fielddescr>Strip Kerberos Realm</fielddescr>
+ <fieldname>striprealm</fieldname>
+ <description><![CDATA[Strip Kerberos Realm component from user names (@ separated).]]></description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
+ <field>
+ <fielddescr>LDAP Version</fielddescr>
+ <fieldname>ldapversion</fieldname>
+ <type>select</type>
+ <default_value>3</default_value>
+ <options>
+ <option>
+ <name>Version 2</name>
+ <value>2</value>
+ </option>
+ <option>
+ <name>Version 3</name>
+ <value>3</value>
+ </option>
+ </options>
+ </field>
+ <field>
<name>Logging options</name>
<type>listtopic</type>
</field>
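Review bot: The `ldapbindpass` description promises a valid-character format (`[a-zA-Z\/][a-zA-Z0-9/_\-\.\/\:\%\+\?=&]`), but nothing in this commit validates the field, and the configurator hunks interpolate the value unquoted into the generated squidGuard.conf, so the text documents a check that does not exist. Either add the check to the package's input-validation hook or reword the description so it does not imply one, e.g. `Password for the LDAP bind DN. It is written unquoted to squidGuard.conf, so avoid spaces and other characters the squidGuard config parser treats specially.` The `ldap_enable` description would also read better as `Enable the LDAP connection settings used by 'ldapusersearch' entries in ACL sources`, and "Password must be initialize with letters" should be "Password must start with a letter".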
@@ -144,7 +198,7 @@
<description><![CDATA[Check this option to rotate the logs every day. This is recommended if you enable any kind of logging to limit file size and do not run out of disk space.]]></description>
<type>checkbox</type>
</field>
- <field>
+ <field>
<name>Miscellaneous</name>
<type>listtopic</type>
</field>
diff --git a/config/squidGuard/squidguard_acl.xml b/config/squidGuard/squidguard_acl.xml
index 07ecd71b..243576e8 100644
--- a/config/squidGuard/squidguard_acl.xml
+++ b/config/squidGuard/squidguard_acl.xml
@@ -106,7 +106,10 @@
<b>Example:</b><br>
<b>IP:</b> 192.168.0.1 - <b>Subnet:</b> 192.168.0.0/24 or 192.168.1.0/255.255.255.0 - <b>IP-Range:</b> 192.168.1.1-192.168.1.10<br>
<b>Domain:</b> foo.bar matches foo.bar or *.foo.bar<br>
- <b>Username:</b> 'user1'
+ <b>Username:</b> 'user1' <br>
+ <b>Ldap search (Ldap filter must be enabled in General Settings):</b> <br>
+ ldapusersearch ldap://192.168.0.100/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=it%2cCN=Users%2cDC=domain%2cDC=com))<br>
+ <i>Attention: these line don't have break line, all on one line</i>
]]></description>
<type>textarea</type>
<cols>65</cols>
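Review bot: The new help line `<i>Attention: these line don't have break line, all on one line</i>` is hard to parse for the administrator it is meant to guide; suggest `<i>Attention: the ldapusersearch entry must be entered on a single line, with no line breaks.</i>`. The preceding label should use the usual capitalization, `<b>LDAP search (LDAP filter must be enabled in General Settings):</b>`. The description's enclosing `<field>` element starts before this hunk.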
diff --git a/config/squidGuard/squidguard_configurator.inc b/config/squidGuard/squidguard_configurator.inc
index b900a477..ab44ae8d 100644
--- a/config/squidGuard/squidguard_configurator.inc
+++ b/config/squidGuard/squidguard_configurator.inc
@@ -244,6 +244,12 @@ define('F_SQUIDGUARD', 'squidGuard');
define('F_LOGDIR', 'logdir');
define('F_DBHOME', 'dbhome');
define('F_WORKDIR', 'workdir');
+define('F_LDAPENABLE', 'ldap_enable');
+define('F_LDAPBINDDN', 'ldapbinddn');
+define('F_LDAPBINDPASS', 'ldapbindpass');
+define('F_LDAPVERSION', 'ldapversion');
+define('F_STRIPNTDOMAIN', 'stripntdomain');
+define('F_STRIPREALM', 'striprealm');
define('F_BINPATH', 'binpath');
define('F_PROCCESSCOUNT', 'process_count');
define('F_SQUIDCONFIGFILE', 'squid_configfile');
@@ -331,6 +337,7 @@ function sg_init($init = '')
$squidguard_config[F_BINPATH] = SQUIDGUARD_BINPATH;
$squidguard_config[F_SQUIDCONFIGFILE] = SQUID_CONFIGFILE;
$squidguard_config[F_PROCCESSCOUNT] = REDIRECTOR_PROCESS_COUNT;
+
} else {
# copy config from $init
foreach($init as $key => $in)
@@ -848,6 +855,15 @@ function sg_create_config()
$sgconf[] = CONFIG_SG_HEADER;
$sgconf[] = "logdir {$squidguard_config[F_LOGDIR]}";
$sgconf[] = "dbhome {$squidguard_config[F_DBHOME]}";
+ if ( $squidguard_config[F_LDAPENABLE] == 'on' ) {
+ $sgconf[] = "ldapbinddn {$squidguard_config[F_LDAPBINDDN]}";
+ $sgconf[] = "ldapbindpass {$squidguard_config[F_LDAPBINDPASS]}";
+ $sgconf[] = "ldapprotover {$squidguard_config[F_LDAPVERSION]}";
+ if ( $squidguard_config[F_STRIPNTDOMAIN] )
+ $sgconf[] = "stripntdomain true";
+ if ( $squidguard_config[F_STRIPREALM] )
+ $sgconf[] = "striprealm true";
+ }
# --- Times ---
if ($squidguard_config[F_TIMES]) {
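Review bot: `if ( $squidguard_config[F_LDAPENABLE] == 'on' )` on the first added line reads a key that the default-initialization branch of sg_init never sets — the hunk at @@ -331 adds only a blank line after the F_PROCCESSCOUNT default — so on a fresh install this is an undefined-index read (false, so the output is right, but it is a PHP notice on every config build); add `$squidguard_config[F_LDAPENABLE] = 'off';` next to the other sg_init defaults, or guard with `isset()`. The same nine-line block is repeated verbatim in sg_create_simple_config (hunk @@ -1172), and the two will drift; a small helper taking the config array keeps them in step, as below, with the call site becoming `$sgconf = array_merge($sgconf, sg_ldap_config_lines($squidguard_config));` in both functions. The bind password is also written in clear text to the generated file, so the permissions of that file should be confirmed to be restrictive. sg_create_config's body continues outside the hunk.
```php
# Config lines for the LDAP bind; shared by sg_create_config() and sg_create_simple_config().
# Returns an empty array when the LDAP filter is not enabled, so callers can array_merge unconditionally.
function sg_ldap_config_lines($cfg) {
    $lines = array();
    if (isset($cfg[F_LDAPENABLE]) && $cfg[F_LDAPENABLE] == 'on') {
        $lines[] = "ldapbinddn {$cfg[F_LDAPBINDDN]}";
        $lines[] = "ldapbindpass {$cfg[F_LDAPBINDPASS]}";
        $lines[] = "ldapprotover {$cfg[F_LDAPVERSION]}";
        if ($cfg[F_STRIPNTDOMAIN])
            $lines[] = "stripntdomain true";
        if ($cfg[F_STRIPREALM])
            $lines[] = "striprealm true";
    }
    return $lines;
}
```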
@@ -879,13 +895,17 @@ function sg_create_config()
$sg_tag->set("src", $src[F_NAME], "", $src[F_DESCRIPTION]);
# separate IP, domains, usernames
- $tsrc = explode(" ", trim($src[F_SOURCE]));
- foreach($tsrc as $sr) {
- $sr = trim($sr);
- if (empty($sr)) continue;
- if (is_ipaddr_valid($sr)) $sg_tag->items[] = "ip $sr";
- elseif (is_domain_valid($sr)) $sg_tag->items[] = "domain $sr";
- elseif (is_username($sr)) $sg_tag->items[] = "user " . str_replace("'", "", $sr);
+ if (strpos(trim($src[F_SOURCE]), 'ldapusersearch') === false) {
+ $tsrc = explode(" ", trim($src[F_SOURCE]));
+ foreach($tsrc as $sr) {
+ $sr = trim($sr);
+ if (empty($sr)) continue;
+ if (is_ipaddr_valid($sr)) $sg_tag->items[] = "ip $sr";
+ elseif (is_domain_valid($sr)) $sg_tag->items[] = "domain $sr";
+ elseif (is_username($sr)) $sg_tag->items[] = "user " . str_replace("'", "", $sr);
+ }
+ } else {
+ $sg_tag->items[] = trim($src[F_SOURCE]);
}
if ($squidguard_config[F_ENABLELOG] == 'on' ) {
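Review bot: `if (strpos(trim($src[F_SOURCE]), 'ldapusersearch') === false)` routes any source string that merely contains the token anywhere into the `else` branch, where `$sg_tag->items[] = trim($src[F_SOURCE]);` emits it verbatim into the generated config as a single item, bypassing the per-item ip/domain/user validation; `trim()` only strips the ends, so an embedded newline from the textarea would become an additional config line. Since the field is web-UI input, the verbatim path should at least require the directive to start the field and be a single line, e.g. `$ldap_src = trim($src[F_SOURCE]);` and `if (strpos($ldap_src, 'ldapusersearch') !== 0 || preg_match('/[\r\n]/', $ldap_src))` selecting the existing per-item loop. The companion validator hunk in sg_check_src (@@ -1755) looks like it has the same gap in the other direction: its inner `and (strpos($s_item, 'ldapusersearch') !== false)` sits inside a branch that is entered only when `strpos(...) === false`, so as written the error message appears unreachable for every item — worth re-checking, as the tail of that hunk is outside this view. sg_create_config's body continues outside the hunk.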
@@ -1172,6 +1192,16 @@ function sg_create_simple_config($blk_dbhome, $blk_destlist, $redirect_to = "404
# init section
$sgconf[] = "logdir $logdir";
$sgconf[] = "dbhome $dbhome";
+ if ( $squidguard_config[F_LDAPENABLE] == 'on' ) {
+ $sgconf[] = "ldapbinddn {$squidguard_config[F_LDAPBINDDN]}";
+ $sgconf[] = "ldapbindpass {$squidguard_config[F_LDAPBINDPASS]}";
+ $sgconf[] = "ldapprotover {$squidguard_config[F_LDAPVERSION]}";
+ if ( $squidguard_config[F_STRIPNTDOMAIN] )
+ $sgconf[] = "stripntdomain true";
+ if ( $squidguard_config[F_STRIPREALM] )
+ $sgconf[] = "striprealm true";
+ }
+
$sgconf[] = "";
# destination section
@@ -1755,11 +1785,13 @@ function sg_check_src($sgx, $input_errors)
# source may be as one ('source') field or as two ('ip' and 'domain') fields
$src = (isset($sgx[F_SOURCE])) ? $sgx[F_SOURCE] : $sgx[F_IP] . " " . $sgx[F_DOMAINS];
- $src = explode(" ", $src);
- foreach ($src as $s_item) {
- if ($s_item) {
- if (!is_ipaddr_valid($s_item) and !is_domain_valid($s_item) and !is_username($s_item))
- $elog[] = "SRC '{$sgx[F_NAME]}': Item '$s_item' is not a ip address or a domain or a 'username'.";
+ if (strpos($sgx[F_SOURCE], 'ldapusersearch') === false) {
+ $src = explode(" ", $src);
+ foreach ($src as $s_item) {
+ if ($s_item) {
+ if (!is_ipaddr_valid($s_item) and !is_domain_valid($s_item) and !is_username($s_item) and (strpos($s_item, 'ldapusersearch') !== false))
+ $elog[] = "SRC '{$sgx[F_NAME]}': Item '$s_item' is not a ip address or a domain or a 'username'.";
+ }
}
}