author | jim-p <jimp@pfsense.org> | 2013-06-10 14:13:28 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2013-06-10 14:13:28 -0400 |
commit | 2dda3a961921534bec5df1dfb039c47ade0ff5b1 (patch) | |
tree | 272ae24710dd7be0d712599ab79bfb8f67cc140c /config/squidGuard | |
parent | b01b711ee6be3fa03844095d92dee9025aafd18a (diff) | |
Add LDAP search patch from http://forum.pfsense.org/index.php/topic,59246.0.html
Diffstat (limited to 'config/squidGuard')
-rw-r--r-- | config/squidGuard/squidguard.inc | 6 | ||||
-rw-r--r-- | config/squidGuard/squidguard.xml | 58 | ||||
-rw-r--r-- | config/squidGuard/squidguard_acl.xml | 5 | ||||
-rw-r--r-- | config/squidGuard/squidguard_configurator.inc | 56 |
4 files changed, 110 insertions, 15 deletions
diff --git a/config/squidGuard/squidguard.inc b/config/squidGuard/squidguard.inc
index 1ea1b5a5..d58dfb79 100644
--- a/config/squidGuard/squidguard.inc
+++ b/config/squidGuard/squidguard.inc
@@ -979,6 +979,12 @@ function convert_pfxml_to_sgxml() {
 $sgxml[F_LOGDIR] = SQUIDGUARD_LOGDIR;
 $sgxml[F_DBHOME] = SQUIDGUARD_DBHOME;
+ $sgxml[F_LDAPENABLE] = $pfxml['ldap_enable'];
+ $sgxml[F_LDAPBINDDN] = $pfxml['ldapbinddn'];
+ $sgxml[F_LDAPBINDPASS] = $pfxml['ldapbindpass'];
+ $sgxml[F_LDAPVERSION] = $pfxml['ldapversion'];
+ $sgxml[F_STRIPNTDOMAIN] = $pfxml['stripntdomain'];
+ $sgxml[F_STRIPREALM] = $pfxml['striprealm'];
 $sgxml[F_BINPATH] = SQUIDGUARD_BINPATH;
 $sgxml[F_WORKDIR] = SQUIDGUARD_WORKDIR;
 $sgxml[F_SGCONF_XML] = SQUIDGUARD_WORKDIR . SQUIDGUARD_CONFXML;
diff --git a/config/squidGuard/squidguard.xml b/config/squidGuard/squidguard.xml
index 21356e1c..e1fb3d41 100644
--- a/config/squidGuard/squidguard.xml
+++ b/config/squidGuard/squidguard.xml
@@ -122,7 +122,61 @@
 <description><![CDATA[Check this option to enable squidGuard]]></description>
 <type>checkbox</type>
 </field>
- <field>
+ <field>
+ <name>LDAP Options</name>
+ <type>listtopic</type>
+ </field>
+ <field>
+ <fielddescr>Enable LDAP Filter</fielddescr>
+ <fieldname>ldap_enable</fieldname>
+ <description><![CDATA[Enable options for setup ldap connection to create filters with ldap search]]></description>
+ <type>checkbox</type>
+ <enablefields>ldapbinddn,ldapbindpass,stripntdomain,striprealm,ldapversion</enablefields>
+ </field>
+ <field>
+ <fielddescr>LDAP DN</fielddescr>
+ <fieldname>ldapbinddn</fieldname>
+ <description><![CDATA[Configure your LDAP DN (ex: cn=Administrator,cn=Users,dc=domain)]]></description>
+ <type>input</type>
+ <size>60</size>
+ </field>
+ <field>
+ <fielddescr>LDAP DN Password</fielddescr>
+ <fieldname>ldapbindpass</fieldname>
+ <description><![CDATA[Password must be initialize with letters (Ex: Change123), valid format: [a-zA-Z\/][a-zA-Z0-9/_\-\.\/\:\%\+\?=&]]]></description>
+ <type>password</type>
+ </field>
+ <field>
+ <fielddescr>Strip NT domain name</fielddescr>
+ <fieldname>stripntdomain</fieldname>
+ <description><![CDATA[Strip NT domain name component from user names (/ or \ separated).]]></description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
+ <field>
+ <fielddescr>Strip Kerberos Realm</fielddescr>
+ <fieldname>striprealm</fieldname>
+ <description><![CDATA[Strip Kerberos Realm component from user names (@ separated).]]></description>
+ <type>checkbox</type>
+ <default_value>on</default_value>
+ </field>
+ <field>
+ <fielddescr>LDAP Version</fielddescr>
+ <fieldname>ldapversion</fieldname>
+ <type>select</type>
+ <default_value>3</default_value>
+ <options>
+ <option>
+ <name>Version 2</name>
+ <value>2</value>
+ </option>
+ <option>
+ <name>Version 3</name>
+ <value>3</value>
+ </option>
+ </options>
+ </field>
+ <field>
 <name>Logging options</name>
 <type>listtopic</type>
 </field>
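Review bot: The `ldapbindpass` description in this hunk advertises a "valid format" character class, but nothing in this commit enforces it, and the sentence itself is hard to read. Either add the matching check where the package validates its general settings (not part of this commit) or drop the format claim; a clearer wording is `Password for the LDAP bind DN. Start it with a letter (e.g. Change123); only letters, digits and / _ - . : % + ? = & are expected.` The `ldap_enable` description would likewise read better as `Enable the LDAP connection settings used by 'ldapusersearch' ACL sources.`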
@@ -144,7 +198,7 @@
 <description><![CDATA[Check this option to rotate the logs every day. This is recommended if you enable any kind of logging to limit file size and do not run out of disk space.]]></description>
 <type>checkbox</type>
 </field>
- <field>
+ <field>
 <name>Miscellaneous</name>
 <type>listtopic</type>
 </field>
diff --git a/config/squidGuard/squidguard_acl.xml b/config/squidGuard/squidguard_acl.xml
index 07ecd71b..243576e8 100644
--- a/config/squidGuard/squidguard_acl.xml
+++ b/config/squidGuard/squidguard_acl.xml
@@ -106,7 +106,10 @@
 <b>Example:</b><br>
 <b>IP:</b> 192.168.0.1 - <b>Subnet:</b> 192.168.0.0/24 or 192.168.1.0/255.255.255.0 - <b>IP-Range:</b> 192.168.1.1-192.168.1.10<br>
 <b>Domain:</b> foo.bar matches foo.bar or *.foo.bar<br>
- <b>Username:</b> 'user1'
+ <b>Username:</b> 'user1' <br>
+ <b>Ldap search (Ldap filter must be enabled in General Settings):</b> <br>
+ ldapusersearch ldap://192.168.0.100/DC=domain,DC=com?sAMAccountName?sub?(&(sAMAccountName=%s)(memberOf=CN=it%2cCN=Users%2cDC=domain%2cDC=com))<br>
+ <i>Attention: these line don't have break line, all on one line</i>
 ]]></description>
 <type>textarea</type>
 <cols>65</cols>
diff --git a/config/squidGuard/squidguard_configurator.inc b/config/squidGuard/squidguard_configurator.inc
index b900a477..ab44ae8d 100644
--- a/config/squidGuard/squidguard_configurator.inc
+++ b/config/squidGuard/squidguard_configurator.inc
@@ -244,6 +244,12 @@ define('F_SQUIDGUARD', 'squidGuard');
 define('F_LOGDIR', 'logdir');
 define('F_DBHOME', 'dbhome');
 define('F_WORKDIR', 'workdir');
+define('F_LDAPENABLE', 'ldap_enable');
+define('F_LDAPBINDDN', 'ldapbinddn');
+define('F_LDAPBINDPASS', 'ldapbindpass');
+define('F_LDAPVERSION', 'ldapversion');
+define('F_STRIPNTDOMAIN', 'stripntdomain');
+define('F_STRIPREALM', 'striprealm');
 define('F_BINPATH', 'binpath');
 define('F_PROCCESSCOUNT', 'process_count');
 define('F_SQUIDCONFIGFILE', 'squid_configfile');
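Review bot: The help text added in the `squidguard_acl.xml` hunk tells the user the `ldapusersearch` entry must stay on one line but does not say what the entry is, and the sentence is ungrammatical. Suggest `<i>Note: the ldapusersearch entry is a single line holding the LDAP URL and search filter; do not insert line breaks.</i>` Whether a multi-line entry is actually rejected is decided by `sg_check_src` in `squidguard_configurator.inc`, which is reviewed on its own hunk. The `define()` hunk in the same file section is a plain constant addition and needs nothing.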
@@ -331,6 +337,7 @@ function sg_init($init = '')
 $squidguard_config[F_BINPATH] = SQUIDGUARD_BINPATH;
 $squidguard_config[F_SQUIDCONFIGFILE] = SQUID_CONFIGFILE;
 $squidguard_config[F_PROCCESSCOUNT] = REDIRECTOR_PROCESS_COUNT;
+
 } else {
 # copy config from $init
 foreach($init as $key => $in)
@@ -848,6 +855,15 @@ function sg_create_config()
 $sgconf[] = CONFIG_SG_HEADER;
 $sgconf[] = "logdir {$squidguard_config[F_LOGDIR]}";
 $sgconf[] = "dbhome {$squidguard_config[F_DBHOME]}";
+ if ( $squidguard_config[F_LDAPENABLE] == 'on' ) {
+ $sgconf[] = "ldapbinddn {$squidguard_config[F_LDAPBINDDN]}";
+ $sgconf[] = "ldapbindpass {$squidguard_config[F_LDAPBINDPASS]}";
+ $sgconf[] = "ldapprotover {$squidguard_config[F_LDAPVERSION]}";
+ if ( $squidguard_config[F_STRIPNTDOMAIN] )
+ $sgconf[] = "stripntdomain true";
+ if ( $squidguard_config[F_STRIPREALM] )
+ $sgconf[] = "striprealm true";
+ }
 # --- Times ---
 if ($squidguard_config[F_TIMES]) {
@@ -879,13 +895,17 @@ function sg_create_config()
 $sg_tag->set("src", $src[F_NAME], "", $src[F_DESCRIPTION]);
 # separate IP, domains, usernames
- $tsrc = explode(" ", trim($src[F_SOURCE]));
- foreach($tsrc as $sr) {
- $sr = trim($sr);
- if (empty($sr)) continue;
- if (is_ipaddr_valid($sr)) $sg_tag->items[] = "ip $sr";
- elseif (is_domain_valid($sr)) $sg_tag->items[] = "domain $sr";
- elseif (is_username($sr)) $sg_tag->items[] = "user " . str_replace("'", "", $sr);
+ if (strpos(trim($src[F_SOURCE]), 'ldapusersearch') === false) {
+ $tsrc = explode(" ", trim($src[F_SOURCE]));
+ foreach($tsrc as $sr) {
+ $sr = trim($sr);
+ if (empty($sr)) continue;
+ if (is_ipaddr_valid($sr)) $sg_tag->items[] = "ip $sr";
+ elseif (is_domain_valid($sr)) $sg_tag->items[] = "domain $sr";
+ elseif (is_username($sr)) $sg_tag->items[] = "user " . str_replace("'", "", $sr);
+ }
+ } else {
+ $sg_tag->items[] = trim($src[F_SOURCE]);
 }
 if ($squidguard_config[F_ENABLELOG] == 'on' ) {
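Review bot: In the `sg_create_config` hunk at `@@ -848,6 +855,15 @@` the bind DN and bind password are interpolated unquoted into the `ldapbinddn`/`ldapbindpass` directives with no check at all, so a value containing whitespace or a line break changes the shape of the generated squidGuard config; the format that the `squidguard.xml` description promises is not enforced anywhere in this commit. The bind password now also lands in clear text in that config file, so it is worth confirming, outside this hunk, that the file is not readable by other local users. The same nine lines are repeated verbatim in `sg_create_simple_config` in the next hunk group; one helper keeps the two copies in step (this assumes `$squidguard_config` is the module global that `sg_init` fills, as its use inside these functions suggests):
```php
# squidGuard 'ldap*' directives, or an empty array when the LDAP filter is disabled.
function sg_ldap_config_lines() {
	global $squidguard_config;
	$lines = array();
	if ($squidguard_config[F_LDAPENABLE] != 'on')
		return $lines;
	$lines[] = "ldapbinddn {$squidguard_config[F_LDAPBINDDN]}";
	$lines[] = "ldapbindpass {$squidguard_config[F_LDAPBINDPASS]}";
	$lines[] = "ldapprotover {$squidguard_config[F_LDAPVERSION]}";
	if ($squidguard_config[F_STRIPNTDOMAIN])
		$lines[] = "stripntdomain true";
	if ($squidguard_config[F_STRIPREALM])
		$lines[] = "striprealm true";
	return $lines;
}

# … unchanged: sg_create_config() header and the logdir line …
	$sgconf[] = "dbhome {$squidguard_config[F_DBHOME]}";
	$sgconf = array_merge($sgconf, sg_ldap_config_lines());
```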
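Review bot: In the `@@ -879,13 +895,17 @@` hunk the new `else` branch copies `trim($src[F_SOURCE])` straight into the ACL as a single item with no validation, whereas every other source type passes `is_ipaddr_valid`/`is_domain_valid`/`is_username` first. The trigger is also loose: any source whose text merely contains `ldapusersearch`, including one mixed with IPs or domains, is emitted whole, and the companion check in `sg_check_src` (later hunk) skips such sources entirely. Accept only a source that is exactly one `ldapusersearch <url>` line and let everything else fall through to the existing per-item loop, e.g. `if (preg_match('/\Aldapusersearch\s+[^\r\n]+\z/', trim($src[F_SOURCE]))) { $sg_tag->items[] = trim($src[F_SOURCE]); } else { /* existing per-item loop */ }`. The first hunk in this group (`sg_init`) only adds a blank line.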
@@ -1172,6 +1192,16 @@ function sg_create_simple_config($blk_dbhome, $blk_destlist, $redirect_to = "404
 # init section
 $sgconf[] = "logdir $logdir";
 $sgconf[] = "dbhome $dbhome";
+ if ( $squidguard_config[F_LDAPENABLE] == 'on' ) {
+ $sgconf[] = "ldapbinddn {$squidguard_config[F_LDAPBINDDN]}";
+ $sgconf[] = "ldapbindpass {$squidguard_config[F_LDAPBINDPASS]}";
+ $sgconf[] = "ldapprotover {$squidguard_config[F_LDAPVERSION]}";
+ if ( $squidguard_config[F_STRIPNTDOMAIN] )
+ $sgconf[] = "stripntdomain true";
+ if ( $squidguard_config[F_STRIPREALM] )
+ $sgconf[] = "striprealm true";
+ }
+
 $sgconf[] = "";
 # destination section
@@ -1755,11 +1785,13 @@ function sg_check_src($sgx, $input_errors)
 # source may be as one ('source') field or as two ('ip' and 'domain') fields
 $src = (isset($sgx[F_SOURCE])) ? $sgx[F_SOURCE] : $sgx[F_IP] . " " . $sgx[F_DOMAINS];
- $src = explode(" ", $src);
- foreach ($src as $s_item) {
- if ($s_item) {
- if (!is_ipaddr_valid($s_item) and !is_domain_valid($s_item) and !is_username($s_item))
- $elog[] = "SRC '{$sgx[F_NAME]}': Item '$s_item' is not a ip address or a domain or a 'username'.";
+ if (strpos($sgx[F_SOURCE], 'ldapusersearch') === false) {
+ $src = explode(" ", $src);
+ foreach ($src as $s_item) {
+ if ($s_item) {
+ if (!is_ipaddr_valid($s_item) and !is_domain_valid($s_item) and !is_username($s_item) and (strpos($s_item, 'ldapusersearch') !== false))
+ $elog[] = "SRC '{$sgx[F_NAME]}': Item '$s_item' is not a ip address or a domain or a 'username'.";
+ }
 }
 }
|
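Review bot: The validation in the `sg_check_src` hunk (`@@ -1755,11 +1785,13 @@`) is now dead code: the inner condition gained `and (strpos($s_item, 'ldapusersearch') !== false)`, but this branch only runs when the whole source contains no `ldapusersearch`, so the clause is always false, no item is ever reported, and the existing IP/domain/username check is silently switched off. Drop the clause, so the line reads `if (!is_ipaddr_valid($s_item) and !is_domain_valid($s_item) and !is_username($s_item))`. The outer test should also look at `$src` rather than `$sgx[F_SOURCE]`, since the line above builds `$src` from `F_IP`/`F_DOMAINS` when `F_SOURCE` is unset. The LDAP branch gets no check at all; the function continues past the hunk, and an `else` that rejects anything other than a single `ldapusersearch <url>` line belongs there:
```php
	if (strpos($src, 'ldapusersearch') === false) {
		# … unchanged: per-item loop, with the always-false 'ldapusersearch' clause removed …
	} elseif (!preg_match('/\Aldapusersearch\s+[^\r\n]+\z/', trim($src))) {
		$elog[] = "SRC '{$sgx[F_NAME]}': an 'ldapusersearch' source must be a single 'ldapusersearch <url>' line.";
	}
```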