Hi all,
> > 2.) Taken from the squid logs the client submits its IP upon each
> > request. I would resolve the IP to a hostname, and look up if a
> > workstation object of the same name exists in the ADS by using
> > ldapsearch. Regarding the use of ldapsearch I would add the code
> > to squid_ldap_auth.
>
> The idea is good, but authentication is the wrong place to add this into.
>
> What you should do for implementing this idea is to write a small external
> helper to Squid which performs only this check. See the external_acl_type
> directive.
Regarding the above matter, and after taking Henrik's suggestions into account,
I did the attached ugly hack on the basis of Henrik's squid_ldap_auth.c. I
used squid_ldap_auth.c because it already had the nasty LDAP connection
code ;-) The new file is called check_ads_wks_ldap.c and is essentially used
in the same way as squid_ldap_auth, except as an external_acl_type. The
helper reads an IP from stdin, resolves it, checks for the presence of a
workstation object with the same name in the MS AD and returns OK or ERR.
To compile and link I used:
gcc -DHAVE_CONFIG_H -I. -I. -I../../../include -I../../../include -g -O2
-Wall -c check_ads_wks_ldap.c
gcc -g -O2 -Wall -g -o check_ads_wks_ldap check_ads_wks_ldap.o
-L../../../lib -lmiscutil -lldap -llber -lm -lresolv -lsocket -lnsl
The usage as an external_acl_type would be
external_acl_type ads_wks_ldap %SRC /<path to>/check_ads_wks_ldap \
-D "<bind dn>" \
-w "<bind passwd>" \
-b "<base dn>" \
-h <MS AD server> \
-f "(&(memberOf=<container with workstation objects>)(dNSHostName=%s))"
for example.
Just FYI in case someone else has to do something similar ;-)
Regards,
Frank
Received on Thu Mar 25 2004 - 07:59:23 MST
This archive was generated by hypermail pre-2.1.9 : Thu Apr 01 2004 - 12:00:03 MST
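The helper described in the post above, as an added example written for this page in Python rather than the C file Frank attached. It implements the same external_acl_type contract (one client IP per line on stdin, `OK` or `ERR` on stdout) and the same decision (reverse-resolve the IP, look for a workstation object with that dNSHostName), with two details a practitioner would want spelled out: the hostname is RFC 4515-escaped before it replaces the `%s` in the filter template, and the PTR result is only accepted if the forward record for that name contains the client IP. DNS and the LDAP search are injected as callables so the logic runs offline; the container DN in the filter template and the host/IP data in the usage are constructed assumptions, not values from the list post.

```python
#!/usr/bin/env python3
"""Squid external_acl_type helper (added example, not the C helper posted
on the list): read a client IP per line, reverse-resolve it, and answer OK
when a workstation object with that dNSHostName exists in AD, ERR otherwise.

DNS and LDAP are injected so the protocol and filter-building logic can run
offline; a real helper would pass decide() an ldap_exists() that runs the
filter with python-ldap using the -D/-w/-b/-h values from squid.conf.
"""
import socket
import sys
from typing import Callable, Optional

# Filter template in the shape of the posted -f option; the hostname
# replaces %s. The container DN is an assumption for this example.
DEFAULT_TEMPLATE = "(&(memberOf=CN=Workstations,DC=example,DC=com)(dNSHostName=%s))"


def ldap_filter_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515 2.4):
    '*', '(', ')', '\\' and NUL become backslash + two hex digits, so a
    hostname learned from DNS cannot change the structure of the filter."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def build_filter(hostname: str, template: str = DEFAULT_TEMPLATE) -> str:
    """Substitute the escaped hostname into the %s of the filter template."""
    return template.replace("%s", ldap_filter_escape(hostname))


def resolve_client(
    ip: str,
    gethostbyaddr=socket.gethostbyaddr,
    gethostbyname_ex=socket.gethostbyname_ex,
) -> Optional[str]:
    """PTR lookup for ip, then confirm the forward record of that name
    contains ip. Whoever controls the reverse zone for the client's subnet
    could otherwise name any workstation; the forward check ties the name
    back to the zone AD registers hosts in."""
    try:
        name = gethostbyaddr(ip)[0]
        forward = gethostbyname_ex(name)[2]
    except OSError:  # socket.herror and socket.gaierror are subclasses
        return None
    return name.lower() if ip in forward else None


def decide(
    line: str,
    resolver: Callable[[str], Optional[str]],
    ldap_exists: Callable[[str], bool],
    template: str = DEFAULT_TEMPLATE,
) -> str:
    """One external_acl request line (%SRC format) -> 'OK' or 'ERR'.
    If Squid runs the helper with concurrency=N the line is
    '<channel-id> <ip>' and the reply must start with the same channel id."""
    parts = line.strip().split()
    if not parts:
        return "ERR"
    channel = ""
    if len(parts) == 2 and parts[0].isdigit():
        channel, parts = parts[0] + " ", parts[1:]
    ip = parts[0]
    hostname = resolver(ip)
    allowed = bool(hostname) and ldap_exists(build_filter(hostname, template))
    return channel + ("OK" if allowed else "ERR")


def main() -> None:
    # Deployment stub: replace with a bound LDAP search that returns True
    # when the filter matches at least one entry under the base DN.
    def ldap_exists(filter_str: str) -> bool:  # placeholder: always denies
        return False

    for line in sys.stdin:
        sys.stdout.write(decide(line, resolve_client, ldap_exists) + "\n")
        sys.stdout.flush()  # Squid blocks on each request until it reads a reply


if __name__ == "__main__":
    main()
```

Wired into squid.conf as `external_acl_type ads_wks_ldap %SRC /path/to/helper.py`, this takes the place of the C binary; the filter-escaping and forward-confirmation steps are the parts worth keeping whichever language the helper ends up in.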