Channel: Novell User Communities - Novell Client

Squid Authentication from Novell Client AKA: SquidTrust

Hi all,

Here's my little script(s) to verify users against a squid proxy.

The difference between this script and most other solutions is the DLL call into the Novell (NetWare) client.

Most other solutions start by getting the IP of the proxy requester, searching the LDAP directory for that IP address, and matching the username up that way. My version makes a call to the Novell calwin32.dll file that comes with the client. No tree walking or directory searching...just a DLL call on the local workstation.

I started with this http://www.autohotkey.com/forum/topic42967.html and made a few small changes so the script spits out the logged-in Novell user any time a connection is made and a "1" is sent to the server. Sending a "2" will give the computer name (%A_COMPUTERNAME%) and lastly a "3" will send the Windows user name (%A_USERNAME%).

Source code and a precompiled binary (SquidTrust.exe) are available at http://sourceforge.net/projects/squidtrust/

To test:

Run the script (or the .exe file).

From a cmd prompt, telnet to your IP on port 6399 and press "2" to get the %A_COMPUTERNAME%. The script should immediately disconnect and drop you back to a prompt. Telnet again to port 6399 and press "3" to get the %A_USERNAME%.

To get a Novell username you will need the Novell client and to be logged into a server.

Part two of the authentication to a squid proxy is a little Perl.

This script requires IO::Socket, which is pretty common in most Perl installs, but is also available via CPAN.

I think I've documented this fairly well...if not....google is your friend.

This script is referred to as an "authentication helper" and needs to be saved somewhere on the Squid proxy, but you should be able to test it on any box that has Perl installed.

***********************SquidTrust.pl********************************
#!/usr/bin/perl
## SquidTrust.pl - Squid external ACL helper: reads one client IP per line on STDIN
## and asks the SquidTrust listener on that workstation for the logged-in Novell user.
use strict;
use warnings;
use IO::Socket;

$| = 1;    # unbuffered STDOUT; Squid expects each answer immediately

my $port = 6399;

## Main loop: Squid writes one "%SRC" (the client's IP address) per line to STDIN
while (my $host = <STDIN>) {
    chomp $host;    # strip the newline Squid appends to the IP

    ## Set up the socket connection to the client workstation
    my $sock = IO::Socket::INET->new(PeerAddr => $host,
                                     PeerPort => $port,
                                     Proto    => 'tcp',
                                     Timeout  => 1);

    ## if - else section to print OK or ERR based on whether a successful connection was made
    if ($sock) {
        # send a command to the workstation ("1" = Novell user name)
        my $cmd = "1";
        print $sock $cmd;
        # read the workstation's response (it replies once and disconnects)
        my $nwusername = <$sock>;
        close $sock;
        if (defined $nwusername && length $nwusername > 0) {
            chomp $nwusername;
            print "OK user=$nwusername\n";
        }
        else {
            print "ERR\n";
        }
    }
    else {
        print "ERR\n";
    }
}

******************************************************

Run it as "perl SquidTrust.pl" and it should just sit there and wait for an IP address to be entered.

Once an IP address is entered, the script will try to connect to that IP on port 6399 (the AHK script) and send a "1".

If it gets any return, it prints "OK user=$nwusername"; if it doesn't get a return, it prints "ERR".

These are the standard returns expected by Squid. The script then just restarts and waits for the next IP address.

To get the windows username, change the line:
$cmd = "1";
to
$cmd = "3";
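As an added example (not part of the original post or the SquidTrust project), here is the same exchange in Python: a loopback stand-in for the SquidTrust.exe listener (one command byte in, one name out, then disconnect) and a helper that speaks Squid's external ACL protocol on STDIN/STDOUT. It also adds a check the Perl version lacks: a returned name containing whitespace would corrupt the "OK user=..." line Squid parses, so such a reply is answered with ERR and the request falls through to the LDAP auth configured after it. The sample names in MOCK_ANSWERS are constructed; port 6399 and the "1"/"2"/"3" commands are the ones described above.

```python
import re
import socket
import sys
import threading

# Constructed identities the mock listener answers with: stand-ins for the Novell
# user read via calwin32.dll ("1"), %A_COMPUTERNAME% ("2") and %A_USERNAME% ("3").
MOCK_ANSWERS = {b"1": b"jdoe", b"2": b"WS-0042", b"3": b"jdoe"}

# Squid splits the helper's reply on whitespace, so a name with spaces or newlines
# would corrupt the protocol; accept only a conservative character set.
SAFE_NAME = re.compile(rb"\A[A-Za-z0-9._-]{1,64}\Z")


def query_workstation(host, port=6399, cmd=b"1", timeout=1.0):
    """Send one command byte to the workstation listener; return its raw reply or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(cmd)
            reply = s.recv(256)          # listener replies once, then disconnects
    except OSError:                      # refused, timed out, unreachable: unknown user
        return None
    return reply or None


def helper_response(src_line, port=6399):
    """Map one '%SRC' line from Squid to the 'OK user=NAME' or 'ERR' reply it expects."""
    host = src_line.strip()              # Squid terminates each request with a newline
    reply = query_workstation(host, port)
    if reply is None:
        return "ERR"
    name = reply.strip()
    if not SAFE_NAME.match(name):
        return "ERR"                     # unsafe or empty name: let LDAP auth handle it
    return "OK user=" + name.decode("ascii")


def serve_mock_workstation(answers=MOCK_ANSWERS):
    """Loopback stand-in for SquidTrust.exe; returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:                   # answer the single command byte, then close
                conn.sendall(answers.get(conn.recv(1), b""))

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":               # run as the helper: one IP per line on stdin
    for line in sys.stdin:
        print(helper_response(line), flush=True)
```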

In my squid.conf the helper is added like this:

*****************snip of squid.conf********************************

external_acl_type IPUser ttl=60 children=10 %SRC /usr/local/squid/SquidTrust.pl
acl AuthNDS external IPUser
http_access allow AuthNDS

# These hosts do not have any restrictions
http_access allow unrestricted_hosts
# Always allow access to whitelist domains
http_access allow whitelist
auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -v 2 -b T=MYTREE -f "(&(|(groupMembership=cn=LIMITEDaccess,o=INTERNET)(groupMembership=cn=FULLaccess,o=INTERNET))(objectclass=User)(cn=%s))" -u uid -P 10.1.1.7
auth_param basic children 70

**********************************************************

Notice how the "external_acl_type" (my perl helper script) is loaded before the default "squid_ldap_auth".

If a user isn't authenticated by the "helper", Squid drops back to the standard LDAP auth and they will be prompted for a login username and password.

I've been running a slightly modified version of this script on 300-400 machines for almost 6 months and haven't had a single issue. Machines are mostly XP, but the script seems to run fine on Windows 7.

This is just kind of the beginning..there is a lot of fun stuff to do with this script....if there is any interest I'll post more later.

