SquidGuard + LdapGroup
-
Hi,
Exists any method to pfsense make squidGuard authenticate by LdapGroup direct in active directory ?I believe that squidguard using ldapusersearch this is possibe ….
ldapbinddn cn=root, dc=example, dc=com
ldapbindpass myultrasecretpasswordldap cache time in seconds
ldapcachetime 300
src my_users {
ldapusersearch ldap://ldap.example.com/cn=squidguardusers,ou=groups,dc=example,dc=com?memberUid?sub?(&(objectclass=posixGroup)(memberUid=%s))
}But how to make this using pfsense GUI!? It possible usr GUI to this?
Thanks
Carlos
-
This is future not possible via GUI.
-
This is in roadmap? have you idea when implemented?!
-
-
-
A small contribution for this great package
This script extract users from LDAP/Active Directory and apply on squidguard config
To use this script, follow these steps:
-
Rename group acl to active directory group name you want to apply
-
Fill up AD info (hostname, username, dn, etc) on script
-
Run the script via console, ssh or via cron
squidguard_ldap.php
// based on http://samjlevy.com/2011/02/using-php-and-ldap-to-list-of-members-of-an-active-directory-group/ // pfsense integration by marcelloc and ccesario # AD HOST (required) $ldap_host = "192.168.3.1"; # AD DIRECTORY DN(required) $ldap_dn = "DC=domain,DC=local"; # BIND USER(required) $user_bind = "cn=squidguard,cn=Users,DC=trf1,DC=gov,DC=br"; # PASSWORD BIND(required) $password = "super_secret_password"; #if you need to apply any prefix or sufix to retreived user #example: prefix user with domain(required) #$user_mask="DOMAIN\USER"; $user_mask="USER"; #################### # End of user options # #################### require_once("/etc/inc/util.inc"); require_once("/etc/inc/functions.inc"); require_once("/etc/inc/pkg-utils.inc"); require_once("/etc/inc/globals.inc"); #mount filesystem writable conf_mount_rw(); function explode_dn($dn, $with_attributes=0) { $result = ldap_explode_dn($dn, $with_attributes); foreach($result as $key => $value) { $result[$key] = $value; } return $result; } function get_ldap_members($group,$user,$password) { global $ldap_host; global $ldap_dn; $LDAPFieldsToFind = array("member"); $ldap = ldap_connect($ldap_host) or die("Could not connect to LDAP"); // OPTIONS TO AD ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION,3); ldap_set_option($ldap, LDAP_OPT_REFERRALS,0); ldap_bind($ldap, $user, $password) or die("Could not bind to LDAP"); $results = ldap_search($ldap,$ldap_dn,"cn=" . $group,$LDAPFieldsToFind); $member_list = ldap_get_entries($ldap, $results); $group_member_details = array(); foreach($member_list[0] as $list) if (is_array($list)) foreach($list as $member) { $member_dn = explode_dn($member); $member_cn = str_replace("CN=","",$member_dn[0]); $member_search = ldap_search($ldap, $ldap_dn, "(CN=" . $member_cn . ")"); $member_details = ldap_get_entries($ldap, $member_search); $group_member_details[] = array($member_details[0]['samaccountname'][0]); } ldap_close($ldap); array_shift($group_member_details); return $group_member_details; } // Read Pfsense config global $config,$g; $id=0; $apply_config=0; if (is_array ($config['installedpackages']['squidguardacl']['config'])) foreach($config['installedpackages']['squidguardacl']['config'] as $group) { $members=""; echo "Group : " . $group['name']."\n"; $result = get_ldap_members($group['name'],$user_bind,$password); foreach($result as $key => $value) { if (preg_match ("/\w+/",$value[0])) $members .= "'".preg_replace("/USER/",$value[0],$user_mask)."' "; } if (!empty($members)) if($config['installedpackages']['squidguardacl']['config'][$id]['source'] != $members){ $config['installedpackages']['squidguardacl']['config'][$id]['source'] = $members; $apply_config++; } $id++; } if ($apply_config > 0){ print "user list from LDAP is different from current group, applying new configuration..."; write_config(); include("/usr/local/pkg/squidguard.inc"); squidguard_resync(); print "done\n"; } #mount filesystem read-only conf_mount_ro(); ?>
I've tested it only on my domain, so test it before production ;)
att,
Marcello Coutinho -