Diffstat (limited to 'config/dansguardian')
-rwxr-xr-x | config/dansguardian/dansguardian.inc | 18 | ||||
-rwxr-xr-x | config/dansguardian/dansguardian_groups.xml | 39 | ||||
-rw-r--r-- | config/dansguardian/dansguardian_ldap.php | 43 |
3 files changed, 77 insertions, 23 deletions
diff --git a/config/dansguardian/dansguardian.inc b/config/dansguardian/dansguardian.inc index b1c79a97..39282409 100755 --- a/config/dansguardian/dansguardian.inc +++ b/config/dansguardian/dansguardian.inc @@ -90,7 +90,7 @@ function check_ca_hashes(){ } } -function sync_package_dansguardian($via_rpc=false,$install_process=false) { +function sync_package_dansguardian($via_rpc="no",$install_process=false) { global $config,$g; # detect boot process @@ -101,7 +101,7 @@ function sync_package_dansguardian($via_rpc=false,$install_process=false) { $boot_process="on"; } - if (is_process_running('dansguardian') && isset($boot_process) && $via_rpc==false){ + if (is_process_running('dansguardian') && isset($boot_process) && $via_rpc=="no"){ log_error("[Dansguardian] - Detected boot process pr:".is_process_running('dansguardian')." bp:".isset($boot_process)." rpc:".$via_rpc); return; } @@ -723,6 +723,7 @@ function sync_package_dansguardian($via_rpc=false,$install_process=false) { 'urlacl'=> "Default", 'group_options' => "scancleancache,infectionbypasserrorsonly", 'reportinglevel'=>'3', + 'group_name_source'=>'name', 'mode'=> "1", 'report_level'=>"global"); @@ -979,7 +980,7 @@ EOF; $cron_found=0; if (is_array($config['cron']['item'])) foreach($config['cron']['item'] as $cron) - if (preg_match("@".DANSGUARDIAN_DIR."/(bin.freshclam|www/dansguardian)@",$cron["command"])) + if (preg_match("@(".DANSGUARDIAN_DIR."|/usr/local)/(bin.freshclam|www/dansguardian)@",$cron["command"])) $cron_found++; else $new_cron['item'][]=$cron; 
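Review bot: The guard `$via_rpc=="no"` in the hunk at -101 compares loosely, so the move from booleans to the strings "no"/"yes" is not backward-compatible for callers still passing a boolean. In PHP `true == "no"` and `true == "yes"` are both true, while `false == "no"` is false. A peer still running the previous package sends `sync_package_dansguardian(true)` (the line removed in the -1385 hunk), which would satisfy both the "no" and the "yes" tests; other callers may exist outside these hunks. Normalise once at the top of the function, `$via_rpc = ($via_rpc === true || $via_rpc === "yes") ? "yes" : "no";`, and compare with `===` afterwards. The function body continues outside the hunk.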
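Review bot: The widened pattern in the hunk at -979 decides which existing cron entries are left out of `$new_cron`, and it is unanchored, keeps an unescaped `.` in `bin.freshclam`, and interpolates `DANSGUARDIAN_DIR` without `preg_quote()`. With `/usr/local` added, any cron command that merely contains `/usr/local/www/dansguardian` as a prefix of some other path is now treated as this package's entry and dropped. Consider `preg_quote(DANSGUARDIAN_DIR, '@')` and matching the concrete script names, e.g. `www/dansguardian(_ldap)?\.php`, if those are the only jobs the package installs. The surrounding loop continues outside the hunk.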
@@ -1062,6 +1063,7 @@ EOF; $cron_cmd="/usr/local/bin/php /usr/local/www/dansguardian_ldap.php"; if (is_array($config['installedpackages']['dansguardiangroups']['config'])) foreach ($config['installedpackages']['dansguardiangroups']['config'] as $dansguardian_groups){ + $dans_group_source=($dansguardian_groups['groupnamesource'] !="" ? $dansguardian_groups['groupnamesource'] : "name"); if(preg_match('/(\d+)m/',$dansguardian_groups['freq'],$matches)){ $new_cron['item'][]=array( "minute" => "*/".$matches[1], "hour" => "*", @@ -1069,7 +1071,7 @@ EOF; "month" => "*", "wday" => "*", "who" => "root", - "command"=> $cron_cmd." ".$dansguardian_groups['name']); + "command"=> "{$cron_cmd} $dans_group_source '{$dansguardian_groups[$dans_group_source]}'"); $config['cron']=$new_cron; $cron_found++; } @@ -1080,7 +1082,7 @@ EOF; "month" => "*", "wday" => "*", "who" => "root", - "command"=> $cron_cmd." ".$dansguardian_groups['name']); + "command"=> "{$cron_cmd} $dans_group_source '{$dansguardian_groups[$dans_group_source]}'"); $config['cron']=$new_cron; $cron_found++; } @@ -1205,7 +1207,7 @@ EOF; #avoid sync during boot process - if (!isset($boot_process)){ + if (!isset($boot_process) || $via_rpc=="yes"){ /* Uses XMLRPC to synchronize the changes to a remote node */ if (is_array($config['installedpackages']['dansguardiansync']['config'])){ $dans_sync=$config['installedpackages']['dansguardiansync']['config'][0]; @@ -1280,7 +1282,7 @@ function dansguardian_validate_input($post, &$input_errors) { } function dansguardian_php_install_command() { - sync_package_dansguardian(false,true); + sync_package_dansguardian("no",true); } function dansguardian_php_deinstall_command() { 
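Review bot: The new cron command in the hunk at -1069 places `$dansguardian_groups[$dans_group_source]` between literal single quotes without escaping it, and the entry runs as root (`"who" => "root"`). A group name or description containing a single quote ends the quoting, so saved configuration text is interpreted as shell syntax. The identical line in the hunk at -1080 has the same problem. `$dans_group_source` (hunk at -1062) is taken from `groupnamesource` in the stored config, which only the GUI select constrains, yet it is used as an array key and written unquoted into the command. Suggest allow-listing it with `in_array($dansguardian_groups['groupnamesource'], array('name','description'), true)` and building the argument as `"{$cron_cmd} {$dans_group_source} " . escapeshellarg($dansguardian_groups[$dans_group_source])`; an unescaped `%` also has special meaning in a cron command field and should be rejected or escaped.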
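Review bot: In the hunk at -1205, `!isset($boot_process) || $via_rpc=="yes"` lets a run that was itself triggered over XMLRPC enter the block that pushes settings to remote nodes, while the comment above it still says sync is avoided during boot. The rest of the block is outside the hunk, so any other guard is not visible; if two nodes list each other as sync targets, each incoming `sync_package_dansguardian('yes')` would appear to start another outgoing sync. Please confirm the intent and update the comment, e.g. `# skip sync during boot unless this run was requested via XMLRPC`. If a receiving node is not meant to re-push, the RPC case should stay excluded here.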
@@ -1385,7 +1387,7 @@ function dansguardian_do_xmlrpc_sync($sync_to_ip,$username,$password,$sync_type, /* tell dansguardian to reload our settings on the destionation sync host. */ $method = 'pfsense.exec_php'; $execcmd = "require_once('/usr/local/pkg/dansguardian.inc');\n"; - $execcmd .= "sync_package_dansguardian(true);"; + $execcmd .= "sync_package_dansguardian('yes');"; /* assemble xmlrpc payload */ $params = array( diff --git a/config/dansguardian/dansguardian_groups.xml b/config/dansguardian/dansguardian_groups.xml index fc9ff8a8..aaa9bcd6 100755 --- a/config/dansguardian/dansguardian_groups.xml +++ b/config/dansguardian/dansguardian_groups.xml @@ -386,10 +386,20 @@ <type>listtopic</type> </field> <field> + <fielddescr>LDAP group name source</fielddescr> + <fieldname>groupnamesource</fieldname> + <description><![CDATA[ This option determines where to look for LDAP group/OU name.]]></description> + <type>select</type> + <options> + <option><name>Dansguardian Group Name(default)</name><value>name</value></option> + <option><name>Dansguardian Group Description</name><value>description</value></option> + </options> + </field> + <field> <fielddescr>LDAP</fielddescr> <fieldname>ldap</fieldname> - <description><![CDATA[Select Active directory servers to extract users from<br> - The group must has the same name in dansguardian and on active directory<br> + <description><![CDATA[Select LDAP servers to extract users from<br> + The group must has the same name( or description) in dansguardian and on active directory<br> <strong>This is not aplicable for default group</strong>]]></description> <type>select_source</type> <size>05</size> 
@@ -399,6 +409,31 @@ <source_value>dc</source_value> </field> <field> + <fielddescr>LDAP user account status</fielddescr> + <fieldname>useraccountcontrol</fieldname> + <description><![CDATA[Import only users with these account status. Leave empty to do not check account status.]]></description> + <type>select</type> + <options> + <option><name>Normal (code 512)</name><value>512</value></option> + <option><name>Disabled Account (code 514)</name><value>514</value></option> + <option><name>Account is Disabled (code 2)</name><value>2</value></option> + <option><name>Account Locked Out (code 16)</name><value>16</value></option> + <option><name>Entered Bad Password (code 17)</name><value>17</value></option> + <option><name>No Password is Required(code 32)</name><value>32</value></option> + <option><name>Password CANNOT Change(code 64)</name><value>64</value></option> + <option><name>Password has Expired (code 8388608)</name><value>8388608</value></option> + <option><name>Account will Never Expire (code 65536)</name><value>65536</value></option> + <option><name>Enabled and Does NOT expire Paswword (code 66048)</name><value>66048</value></option> + <option><name>Server Trusted Account for Delegation (code 8192)</name><value>8192</value></option> + <option><name>Trusted Account for Delegation (code 524288)</name><value>524288</value></option> + <option><name>Enabled, User Cannot Change Password, Password Never Expires (code 590336)</name><value>590336</value></option> + <option><name>Normal Account, Password will not expire and Currently Disabled (code 66050)</name><value>66050</value></option> + <option><name>Account Enabled, Password does not expire, currently Locked out (code 66064)</name><value>66064</value></option> + </options> + <multiple/> + <size>16</size> + </field> + <field> <fielddescr>Update frequency</fielddescr> <fieldname>freq</fieldname> <description><![CDATA[How often extract users from active directory and verify changes<br> 
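Review bot: The option list presents `userAccountControl` as a set of independent statuses, but in Active Directory the attribute is a bit mask and the consumer in dansguardian_ldap.php compares the whole decimal value with `in_array()`. Bare flag values such as 2, 16, 32 or 64 will normally never equal a real account's value, because the account type bit (512 for a normal account) is set as well, so selecting only those imports nobody. The description should state that the match is exact, for example `Import only users whose userAccountControl value equals one of the selected codes. Leave empty to skip the check.` The label `Enabled and Does NOT expire Paswword` also has a typo.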
diff --git a/config/dansguardian/dansguardian_ldap.php b/config/dansguardian/dansguardian_ldap.php index 33cbee91..01d4764e 100644 --- a/config/dansguardian/dansguardian_ldap.php +++ b/config/dansguardian/dansguardian_ldap.php @@ -56,6 +56,7 @@ function get_ldap_members($group,$user,$password) { global $ldap_host; global $ldap_dn; $LDAPFieldsToFind = array("member"); + print "{$ldap_host} {$ldap_dn}\n"; $ldap = ldap_connect($ldap_host) or die("Could not connect to LDAP"); // OPTIONS TO AD @@ -64,7 +65,10 @@ function get_ldap_members($group,$user,$password) { ldap_bind($ldap, $user, $password) or die("Could not bind to LDAP"); - $results = ldap_search($ldap,$ldap_dn,"cn=" . $group,$LDAPFieldsToFind); + //check if group is just a name or an ldap string + $group_cn=(preg_match("/cn=/i",$group)? $group : "cn={$group}"); + + $results = ldap_search($ldap,$ldap_dn,$group_cn,$LDAPFieldsToFind); $member_list = ldap_get_entries($ldap, $results); $group_member_details = array(); @@ -77,7 +81,8 @@ function get_ldap_members($group,$user,$password) { $member_search = ldap_search($ldap, $ldap_dn, "(CN=" . $member_cn . ")"); $member_details = ldap_get_entries($ldap, $member_search); $group_member_details[] = array($member_details[0]['samaccountname'][0], - $member_details[0]['displayname'][0]); + $member_details[0]['displayname'][0], + $member_details[0]['useraccountcontrol'][0]); } ldap_close($ldap); array_shift($group_member_details); 
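Review bot: In the hunk at -64, `$group` reaches `ldap_search()` as a filter without escaping, and a value containing `cn=` anywhere is now passed through verbatim as the entire filter. Since the group description can now be the source, free text containing parentheses, `*` or a stray `cn=` changes or invalidates the filter, and the result of `ldap_search()` goes to `ldap_get_entries()` unchecked. If only plain names are supported, escape the value (`ldap_escape($group, '', LDAP_ESCAPE_FILTER)`, available from PHP 5.6) before building `"(cn=...)"`. If complete filters are intended, anchor the test (`/^\(?cn=/i`) and add a comment that the field is trusted administrator input. Either way, return an empty list when `ldap_search()` returns false; the function body continues outside the hunk.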
@@ -96,11 +101,12 @@ $apply_config=0; if (is_array($config['installedpackages']['dansguardiangroups']['config'])) foreach($config['installedpackages']['dansguardiangroups']['config'] as $group) { #ignore default group - if ($id > 0) - if ($argv[1] == "" || $argv[1] == $group['name']){ + if ($id > 0){ + $ldap_group_source=(preg_match("/description/",$argv[1]) ? "description" : "name"); + if ($argv[2] == $group[$ldap_group_source]){ $members=""; $ldap_servers= explode (',',$group['ldap']); - echo "Group : " . $group['name']."\n"; + echo "Group : {$group['name']}({$group['description']})\n"; if (is_array($config['installedpackages']['dansguardianldap']['config'])) foreach ($config['installedpackages']['dansguardianldap']['config'] as $server){ if (in_array($server['dc'],$ldap_servers)){ 
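Review bot: The new match `$argv[2] == $group[$ldap_group_source]` reads `$argv[2]` without checking that it exists and compares loosely. A cron entry still in the old one-argument form, or a manual run with no arguments, now matches no group, whereas the removed line processed every group when `$argv[1]` was empty; with `==`, numeric-looking strings such as "10" and "1e1" also compare equal. `preg_match("/description/",$argv[1])` accepts any argument that merely contains the word. Suggest hoisting `$ldap_group_source = (isset($argv[1]) && $argv[1] === "description") ? "description" : "name";` above the loop and testing `if (isset($argv[2]) && $argv[2] === $group[$ldap_group_source])`. Descriptions are not necessarily unique, so several groups may match one invocation; a comment stating that would help.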
@@ -113,18 +119,28 @@ if (is_array($config['installedpackages']['dansguardiangroups']['config'])) $ldap_username=$server['username']; #$domainuser=split("cn=",$server['username']); #$ldap_username=preg_replace("/,\./","@",$domainuser[1].preg_replace("/(,|)DC=/i",".",$server['dn'])); - $result = get_ldap_members($group['name'],$ldap_username,$server['password']); - foreach($result as $key => $value) { - if (preg_match ("/\w+/",$value[0])){ + $result = get_ldap_members($group[$ldap_group_source],$ldap_username,$server['password']); + if ($group['useraccountcontrol'] !="") + $valid_account_codes=explode(",",$group['useraccountcontrol']); + foreach($result as $mvalue) { + if (preg_match ("/\w+/",$mvalue[0])){ #var_dump($value); - $name= preg_replace('/[^(\x20-\x7F)]*/','', $value[1]); + $name= preg_replace("/&([a-z])[a-z]+;/i", "$1", htmlentities($mvalue[1]));//preg_replace('/[^(\x20-\x7F)]*/','', $mvalue[1]); $pattern[0]="/USER/"; $pattern[1]="/,/"; $pattern[2]="/NAME/"; - $replace[0]=$value[0]; + $replace[0]=$mvalue[0]; $replace[1]="\n"; $replace[2]="$name"; - $members .= preg_replace($pattern,$replace,$mask)."\n"; + + if (is_array($valid_account_codes)){ + if (in_array($mvalue[2],$valid_account_codes,true)) + $members .= preg_replace($pattern,$replace,$mask)."\n"; + } + else + { + $members .= preg_replace($pattern,$replace,$mask)."\n"; + } } } } @@ -144,8 +160,9 @@ if (is_array($config['installedpackages']['dansguardiangroups']['config'])) $apply_config++; } } - } - $id++; + } + } + $id++; } if ($apply_config > 0){ print "User list from LDAP is different from current group, applying new configuration..."; |
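Review bot: The new `$name` expression in the hunk at -113 no longer removes control characters from the directory's displayName. The old `preg_replace('/[^(\x20-\x7F)]*/','',...)` dropped every byte outside 0x20-0x7F, while `htmlentities()` followed by the entity-to-letter replace leaves CR/LF in place and turns `&`, `<`, `>` into the letters a, l, g. `$name` is substituted into `$mask` and appended to `$members` one line per user, so a display name containing a newline would add an extra line to the generated list; where `$members` is written is outside the hunk. Keeping the transliteration and then applying `$name = preg_replace('/[^\x20-\x7E]/', '', $name);` restores the earlier guarantee. Separately, `$valid_account_codes` is assigned only when the group's field is non-empty and never reset, so it is undefined at the first `is_array()` test and can carry over from a previously matched group; set `$valid_account_codes = null;` before the `if`.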