A small contribution for this great package
This script extracts users from LDAP/Active Directory and applies them to the squidGuard config
To use this script, follow these steps:
Rename the group ACL to the Active Directory group name you want to apply
Fill in the AD info (hostname, username, DN, etc.) in the script
Run the script via console, ssh or via cron
squidguard_ldap.php
// based on http://samjlevy.com/2011/02/using-php-and-ldap-to-list-of-members-of-an-active-directory-group/
// pfsense integration by marcelloc and ccesario
//
// Syncs the members of Active Directory groups into the "source" field of the
// pfSense squidguardacl entries whose name matches the group; meant to be run
// from the console or cron.
# AD HOST (required)
# NOTE(review): ldap_connect() is given a bare host, so the session is plain
# ldap:// unless an ldaps:// URI is used here or ldap_start_tls() is added;
# on plain ldap:// the bind password crosses the network unencrypted.
$ldap_host = "192.168.3.1";
# AD DIRECTORY DN(required) - search base for both the group and its members
$ldap_dn = "DC=domain,DC=local";
# BIND USER(required) - full DN of an account allowed to read group membership
# (the example below is not under the example $ldap_dn above; keep the two consistent)
$user_bind = "cn=squidguard,cn=Users,DC=trf1,DC=gov,DC=br";
# PASSWORD BIND(required)
# The secret is stored in this file: keep it readable by its owner only
# (chmod 600) and never keep a real value in a copy that is shared or committed.
$password = "super_secret_password";
#if you need to apply any prefix or suffix to the retrieved user
#example: prefix user with domain(required)
#$user_mask="DOMAIN\USER";
# The literal token USER is replaced with each member's sAMAccountName.
$user_mask="USER";
####################
# End of user options #
####################
require_once("/etc/inc/util.inc");
require_once("/etc/inc/functions.inc");
require_once("/etc/inc/pkg-utils.inc");
require_once("/etc/inc/globals.inc");
#mount filesystem writable
# Every exit path after this point needs a matching conf_mount_ro().
conf_mount_rw();
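/**
 * Split an LDAP DN into its RDN components.
 *
 * Thin wrapper around ldap_explode_dn() that keeps the extension's array
 * shape ('count' plus keys 0..n-1). The previous version copied the array
 * onto itself element by element (a no-op) and passed a false result from
 * a malformed DN straight through, which made callers iterate over false.
 *
 * @param string $dn              distinguished name, e.g. "CN=user,DC=example"
 * @param int    $with_attributes 0 keeps "CN=user", 1 yields just "user"
 * @return array RDN components as returned by ldap_explode_dn(), or an
 *               empty array when the DN cannot be parsed
 */
function explode_dn($dn, $with_attributes=0)
{
    $result = ldap_explode_dn($dn, $with_attributes);
    // ldap_explode_dn() returns false (not an array) on a malformed DN
    return ($result === false) ? array() : $result;
}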
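/**
 * Resolve the sAMAccountName of every direct member of an LDAP/AD group.
 *
 * Binds to $ldap_host with the given credentials, finds the group by CN
 * under $ldap_dn, then reads each DN listed in the group's "member"
 * attribute with a base-scope ldap_read(). Reading the member's own DN
 * instead of searching "(CN=<name>)" means a member is never matched by a
 * possibly non-unique CN, and no value supplied by the directory is ever
 * spliced into a search filter. Nested groups are not expanded.
 *
 * NOTE(review): AD returns very large groups through ranged attributes
 * ("member;range=...") instead of "member"; those are not followed here.
 *
 * @param string $group    CN of the group (the squidGuard ACL name)
 * @param string $user     bind DN
 * @param string $password bind password
 * @return array list of single-element arrays, [[sAMAccountName], ...],
 *               the shape the caller indexes with $value[0]; empty when the
 *               group does not exist or has no resolvable members
 * @throws RuntimeException when the connection, bind or group search fails
 */
function get_ldap_members($group,$user,$password) {
    global $ldap_host;
    global $ldap_dn;

    $ldap = ldap_connect($ldap_host);
    if ($ldap === false) {
        throw new RuntimeException("Could not connect to LDAP");
    }
    // OPTIONS TO AD: protocol v3 for the bind, and no referral chasing,
    // which AD would otherwise hand out for other naming contexts.
    ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION,3);
    ldap_set_option($ldap, LDAP_OPT_REFERRALS,0);
    if (!ldap_bind($ldap, $user, $password)) {
        $error = ldap_error($ldap);
        ldap_close($ldap);
        throw new RuntimeException("Could not bind to LDAP: " . $error);
    }

    // The group name comes from the pfSense config; escape it anyway so a
    // name containing ( ) * or \ cannot change the meaning of the filter.
    // ldap_escape() needs PHP >= 5.6.
    $filter = "(cn=" . ldap_escape($group, "", LDAP_ESCAPE_FILTER) . ")";
    $results = ldap_search($ldap, $ldap_dn, $filter, array("member"));
    $member_list = ($results === false) ? false : ldap_get_entries($ldap, $results);
    if ($member_list === false) {
        $error = ldap_error($ldap);
        ldap_close($ldap);
        throw new RuntimeException("LDAP group search failed: " . $error);
    }

    $group_member_details = array();
    // No entry: the group does not exist under $ldap_dn. Entry without
    // "member": an empty group. Both produce an empty list.
    if ($member_list['count'] > 0 && isset($member_list[0]['member'])) {
        $members = $member_list[0]['member'];
        // ldap_get_entries() stores the element count under 'count' next to
        // the numeric keys, so walk the numeric keys only (the old foreach
        // visited the count too and had to array_shift() the junk it produced).
        for ($i = 0; $i < $members['count']; $i++) {
            $member_dn = $members[$i];
            // Base-scope read of the member's own DN: exact object, no filter built from its name.
            $member_search = ldap_read($ldap, $member_dn, "(objectClass=*)", array("samaccountname"));
            if ($member_search === false) {
                continue; // DN not readable with this bind (warning already emitted); skip it
            }
            $member_details = ldap_get_entries($ldap, $member_search);
            if ($member_details === false
                || $member_details['count'] == 0
                || !isset($member_details[0]['samaccountname'][0])) {
                continue; // objects without a sAMAccountName (e.g. contacts) are skipped
            }
            $group_member_details[] = array($member_details[0]['samaccountname'][0]);
        }
    }
    ldap_close($ldap);
    return $group_member_details;
}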
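// Read Pfsense config
//
// For every squidguardacl entry, treat its name as an AD group CN, fetch the
// group's members and rewrite the entry's "source" field as a space-separated
// list of quoted user names. The config is written and squidGuard resynced
// only when at least one entry actually changed.
global $config,$g;

// Remount read-only on every termination path, not only the happy path:
// get_ldap_members() may die()/throw, and a trailing call would be skipped.
// Shutdown functions still run on exit() and on an uncaught exception.
register_shutdown_function('conf_mount_ro');

$apply_config=0;
if (is_array ($config['installedpackages']['squidguardacl']['config'])) {
    // Iterate by key so the entry written back is the one just read, instead
    // of relying on a counter that drifts when the config array has gaps.
    foreach($config['installedpackages']['squidguardacl']['config'] as $id => $group) {
        $members="";
        echo "Group : " . $group['name']."\n";
        $result = get_ldap_members($group['name'],$user_bind,$password);
        foreach($result as $value) {
            // skip entries without any word character (empty or unresolved names)
            if (preg_match ("/\w+/",$value[0])) {
                // Plain substitution: the account name is data, so characters
                // such as "$" (computer accounts end in one) must not be read
                // as preg_replace() replacement syntax.
                $members .= "'".str_replace("USER",$value[0],$user_mask)."' ";
            }
        }
        // An empty result (group missing, lookup problem) leaves the entry as it
        // is rather than wiping its current source list.
        if (!empty($members) && $config['installedpackages']['squidguardacl']['config'][$id]['source'] != $members) {
            $config['installedpackages']['squidguardacl']['config'][$id]['source'] = $members;
            $apply_config++;
        }
    }
}
if ($apply_config > 0){
    print "user list from LDAP is different from current group, applying new configuration...";
    // pfSense records the description in the config history
    write_config("squidguard_ldap: updated " . $apply_config . " ACL source list(s) from LDAP");
    include("/usr/local/pkg/squidguard.inc");
    squidguard_resync();
    print "done\n";
}
#mount filesystem read-only: done by the shutdown function registered above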
?>
I've tested it only on my domain, so test it before using it in production ;)
att,
Marcello Coutinho