rcbandit
New User
May 8, 2009, 1:56 PM
Post #1 of 2

Help with script for SQUID and LDAP
Hi, I am working on a hobby project for a billing system for squid and PHP. My idea is to control the traffic with squid. I will use a PHP program which will pass IPs to an LDAP program, and the squid server will read from LDAP every time a packet passes and check its IP address. The problem is that I need to force squid to read IPs from LDAP. I found some info on this page http://www.stress-free.co.nz/transparent_squid_authentication_to_edirectory As you see, squid reads IPs from eDirectory. I need it to read from LDAP. Can you help to rewrite the script to read SQUID IPs from LDAP and, if they match the IP from the packet, have squid block the access?

#!/usr/bin/perl
# Squid external ACL helper: reads "<client IP> <group>" lines from Squid on
# STDIN and answers "OK user=<cn>" when a user in that group currently holds
# the IP (eDirectory networkAddress attribute), otherwise "ERR".
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);

my $HOST   = 'your.edirectory.server';
my $PORT   = 389;
my $ADMIN  = "cn=squid,ou=tech,o=company";
my $PASSWD = "squidpassword";
my $BASEDN = "o=company";
my @SITES  = qw(ou=groups);

$| = 1;   # unbuffered STDOUT: Squid waits for each answer line

while (<>) {
    chomp;
    my ($IP, $GROUP) = split / /, $_;

    # Match users who are members of the group in any of the configured sites.
    # The group name comes from Squid, so escape filter metacharacters in it.
    my $group_filter_string = "";
    for my $site (@SITES) {
        $group_filter_string .= "(groupMembership=cn=" . escape_filter_value($GROUP)
                              . ",${site},$BASEDN)";
    }

    # eDirectory stores an IPv4 networkAddress as "1#" followed by the four
    # octets as raw bytes. Bytes 40, 41, 42 and 92 are ( ) * \ which are known
    # tokens in LDAP search filters; 0 and bytes above 127 are not safe either,
    # so every octet is emitted as an RFC 4515 \xx hex escape.
    my $netaddress = "1#";
    foreach my $octet (split /\./, $IP) {
        $netaddress .= sprintf("\\%02x", $octet);
    }
    my $filter = "(&(objectclass=user)(|$group_filter_string)(networkAddress=$netaddress))";

    # Connect to the server, retrying for up to ten seconds.
    my ($ldap, $tries);
    until ($ldap = Net::LDAP->new($HOST, port => $PORT)) {
        die "Can not connect to ldap://$HOST:$PORT/" if ++$tries > 10;
        sleep 1;
    }
    my $r = $ldap->start_tls();
    die $r->error if $r->code;
    # start_tls requires LDAPv3, so bind with protocol version 3 (not 2).
    $r = $ldap->bind($ADMIN, password => $PASSWD, version => 3);
    die $r->error if $r->code;

    $r = $ldap->search(base => $BASEDN, scope => 'sub',
                       filter => $filter, attrs => ['CN']);

    # Many users in eDirectory have multiple CN values - usually from the user
    # template used to create them - sometimes their maiden name is noted in the
    # Other Name attribute in ConsoleOne. Report the proper CN to Squid, not
    # these bogus values.
    my $user;
    ENTRY: foreach my $entry ($r->entries) {
        foreach my $value ($entry->get_value('CN')) {
            next if $value =~ m/template|previously/i;
            ($user = $value) =~ tr/- //d;
            last ENTRY;
        }
    }
    $ldap->unbind;   # always reached, so no connection is leaked per lookup

    # No match, or only bogus CN values, must still produce an answer line or
    # Squid would wait on this lookup forever.
    print defined $user ? "OK user=$user\n" : "ERR\n";
}
(This post was edited by rcbandit on May 8, 2009, 1:56 PM)