SquidGuard + LdapGroup



  • Hi,
    Is there any way to make squidGuard on pfSense authenticate by LDAP group directly against Active Directory?

    I believe this is possible with squidGuard using ldapusersearch …

    ldapbinddn     cn=root, dc=example, dc=com
    ldapbindpass   myultrasecretpassword

    # ldap cache time in seconds
    ldapcachetime  300

    src my_users {
        ldapusersearch  ldap://ldap.example.com/cn=squidguardusers,ou=groups,dc=example,dc=com?memberUid?sub?(&(objectclass=posixGroup)(memberUid=%s))
    }

    But how can this be done using the pfSense GUI? Is it possible to use the GUI for this?

    Thanks

    Carlos
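The ldapusersearch line above is the OpenLDAP shape (a posixGroup whose memberUid values are the login names). As an added example that is not part of Carlos's post or of the squidGuard documentation, here is the same src block pointed at an Active Directory group instead. In AD, membership is recorded on the user object in memberOf and the login name squid hands to squidGuard is the sAMAccountName, so the search returns that attribute for the user and constrains the match with memberOf. The host, bind DN, group DN and redirect URL are placeholders:

```conf
# squidGuard.conf fragment: one src block per Active Directory group.
# Bind as a dedicated read-only account, never a domain administrator; the
# bind password is stored here in cleartext, so keep the file root-readable.
ldapbinddn       cn=squidguard,cn=Users,dc=example,dc=com
ldapbindpass     myultrasecretpassword
ldapcachetime    300
# older squidGuard builds default to LDAPv2; Active Directory wants v3
ldapprotocolversion 3

src ad_internet_users {
    # %s is replaced with the login name from the redirector request. The
    # search returns the user's sAMAccountName only if that user is a direct
    # member of the Internet-Users group; nested groups are not expanded here.
    ldapusersearch ldap://dc.example.com/dc=example,dc=com?sAMAccountName?sub?(&(objectClass=user)(sAMAccountName=%s)(memberOf=cn=Internet-Users,ou=Groups,dc=example,dc=com))
}

acl {
    ad_internet_users {
        pass all
    }
    default {
        pass none
        redirect http://proxy.example.com/blocked.html
    }
}
```

The filter only matches direct members, because memberOf on a user object is not populated for groups it belongs to through a nested group. If the AD group contains other groups, either list each nested group in its own src block or flatten the membership outside squidGuard.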



  • This feature is not possible via the GUI.



  • Is this on the roadmap? Do you have any idea when it will be implemented?



  • @ccesario:

    Is this on the roadmap? Do you have any idea when it will be implemented?

    At the current time there are no such plans.



  • @dvserg:

    @ccesario:

    Is this on the roadmap? Do you have any idea when it will be implemented?

    At the current time there are no such plans.

    :/



  • A small contribution for this great package

    This script extracts users from LDAP/Active Directory and applies them to the squidGuard config.

    To use this script, follow these steps:

    • Rename the group ACL to the Active Directory group name you want to apply

    • Fill in the AD info (hostname, username, DN, etc.) in the script

    • Run the script via the console, SSH or cron

    squidguard_ldap.php

    <?php
    // based on http://samjlevy.com/2011/02/using-php-and-ldap-to-list-of-members-of-an-active-directory-group/
    // pfsense integration by marcelloc and ccesario
    
    # AD HOST (required)
    # ldap_connect() also accepts a URI; use ldaps://host so the bind password
    # below is not sent over the network in cleartext.
    $ldap_host = "192.168.3.1";
    
    # AD DIRECTORY DN (required)
    $ldap_dn = "DC=domain,DC=local";
    
    # BIND USER (required) - use a low-privilege, read-only account
    $user_bind = "cn=squidguard,cn=Users,DC=trf1,DC=gov,DC=br";
    
    # BIND PASSWORD (required)
    $password = "super_secret_password";
    
    # Prefix or suffix to apply to each retrieved user: the word USER is
    # replaced by the sAMAccountName. Single quotes keep the backslash literal.
    # example: prefix the user with the domain
    #$user_mask = 'DOMAIN\USER';
    $user_mask = 'USER';
    
    ####################
    # End of user options
    ####################
    
    require_once("/etc/inc/util.inc");
    require_once("/etc/inc/functions.inc");
    require_once("/etc/inc/pkg-utils.inc");
    require_once("/etc/inc/globals.inc");
    
    # mount filesystem writable
    conf_mount_rw();
    
    # Escape a value before interpolating it into an LDAP search filter
    # (RFC 4515), so an ACL name taken from the pfSense config cannot
    # change the meaning of the filter.
    function ldap_filter_escape($value) {
    	return str_replace(
    		array("\\", "*", "(", ")", "\0"),
    		array("\\5c", "\\2a", "\\28", "\\29", "\\00"),
    		$value);
    }
    
    # Return the sAMAccountName of every direct member of the AD group $group.
    function get_ldap_members($group, $user, $password) {
    	global $ldap_host;
    	global $ldap_dn;
    	$ldap = ldap_connect($ldap_host) or die("Could not connect to LDAP\n");
    
    	// OPTIONS TO AD
    	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
    	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
    
    	if (!@ldap_bind($ldap, $user, $password))
    		die("Could not bind to LDAP: " . ldap_error($ldap) . "\n");
    
    	// Find the group object and read the DNs of its members
    	$filter = "(&(objectClass=group)(cn=" . ldap_filter_escape($group) . "))";
    	$results = ldap_search($ldap, $ldap_dn, $filter, array("member"));
    	if ($results === false)
    		die("Group search failed: " . ldap_error($ldap) . "\n");
    	$groups = ldap_get_entries($ldap, $results);
    
    	$group_members = array();
    	if ($groups['count'] > 0 && isset($groups[0]['member'])) {
    		foreach ($groups[0]['member'] as $key => $member_dn) {
    			// ldap_get_entries() adds a 'count' element to every value list
    			if ($key === 'count')
    				continue;
    			// Read the member object by its DN rather than searching the whole
    			// tree for its CN: the CN may be escaped or match several objects.
    			$member_search = @ldap_read($ldap, $member_dn, "(objectClass=*)", array("samaccountname"));
    			if ($member_search === false)
    				continue;
    			$member_details = ldap_get_entries($ldap, $member_search);
    			if ($member_details['count'] > 0 && isset($member_details[0]['samaccountname'][0]))
    				$group_members[] = $member_details[0]['samaccountname'][0];
    		}
    	}
    	ldap_close($ldap);
    	return $group_members;
    }
    
    // Read pfSense config: one squidGuard ACL per AD group of the same name
    global $config, $g;
    $apply_config = 0;
    if (is_array($config['installedpackages']['squidguardacl']['config'])) {
    	foreach ($config['installedpackages']['squidguardacl']['config'] as $id => $group) {
    		$members = "";
    		echo "Group : " . $group['name'] . "\n";
    		$result = get_ldap_members($group['name'], $user_bind, $password);
    		foreach ($result as $name) {
    			if (preg_match("/\w+/", $name))
    				// str_replace, not preg_replace: a user name must never be
    				// interpreted as a regex replacement pattern
    				$members .= "'" . str_replace("USER", $name, $user_mask) . "' ";
    		}
    		if (!empty($members)) {
    			if ($config['installedpackages']['squidguardacl']['config'][$id]['source'] != $members) {
    				$config['installedpackages']['squidguardacl']['config'][$id]['source'] = $members;
    				$apply_config++;
    			}
    		}
    	}
    }
    if ($apply_config > 0) {
    	print "user list from LDAP is different from current group, applying new configuration...";
    	write_config("squidguard_ldap: updated ACL sources from LDAP group membership");
    	include("/usr/local/pkg/squidguard.inc");
    	squidguard_resync();
    	print "done\n";
    }
    
    # mount filesystem read-only
    conf_mount_ro();
    
    ?>
    

    I've tested it only on my domain, so test it before production  ;)

    Regards,
    Marcello Coutinho
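The script above reads only the direct members of a group and looks each one up by CN. As an added example that is neither Marcello's code nor part of the pfSense squidGuard package, the following Python shows the two pieces a practitioner usually ends up needing around that script: RFC 4515 escaping of values interpolated into an LDAP filter, and a member walk that follows nested groups, stops on cycles, and skips computer accounts. The directory is a constructed in-memory snapshot (DN to attributes) so the code runs offline; in a real deployment `read_entry` would be backed by an LDAP base-scope read against the domain controller. The `'user'` quoting of the source field mirrors what the PHP script writes; the `src { user ... }` form is standard squidGuard.conf syntax.

```python
"""Resolve an Active Directory group into a squidGuard user list (added example)."""

# RFC 4515: characters with meaning inside a search filter must be hex-escaped
# before a value from configuration or from the directory is placed in one.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def group_filter(cn: str) -> str:
    """Filter that finds a group object by its cn, with the name escaped."""
    return "(&(objectClass=group)(cn=%s))" % escape_filter_value(cn)


# Constructed snapshot of a directory (assumption, not real data): Helpdesk is
# nested inside Internet-Users and points back at it, and PC-01 is a computer
# account that must not end up in the squidGuard user list.
DIRECTORY = {
    "CN=Internet-Users,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": [
            "CN=Alice Smith,OU=Users,DC=example,DC=com",
            "CN=Helpdesk,OU=Groups,DC=example,DC=com",
            "CN=PC-01,OU=Computers,DC=example,DC=com",
        ],
    },
    "CN=Helpdesk,OU=Groups,DC=example,DC=com": {
        "objectClass": ["group"],
        "member": [
            "CN=Bob Jones,OU=Users,DC=example,DC=com",
            "CN=Internet-Users,OU=Groups,DC=example,DC=com",  # cycle
        ],
    },
    "CN=Alice Smith,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["asmith"]},
    "CN=Bob Jones,OU=Users,DC=example,DC=com": {
        "objectClass": ["user"], "sAMAccountName": ["bjones"]},
    "CN=PC-01,OU=Computers,DC=example,DC=com": {
        "objectClass": ["user", "computer"], "sAMAccountName": ["PC-01$"]},
}


def read_entry(dn: str):
    """Stand-in for a base-scope LDAP read of one object by DN."""
    return DIRECTORY.get(dn)


def resolve_members(group_dn: str, read_entry, seen=None) -> list:
    """Return the sAMAccountName of every user reachable from group_dn,
    following nested groups, ignoring cycles and non-user objects."""
    if seen is None:
        seen = set()
    if group_dn in seen:
        return []
    seen.add(group_dn)
    entry = read_entry(group_dn)
    if entry is None:
        return []
    users = []
    for member_dn in entry.get("member", []):
        member = read_entry(member_dn)
        if member is None:          # foreign security principal, deleted object
            continue
        classes = {c.lower() for c in member.get("objectClass", [])}
        if "group" in classes:
            users.extend(resolve_members(member_dn, read_entry, seen))
        elif "user" in classes and "computer" not in classes:
            users.extend(member.get("sAMAccountName", []))
    return users


def squidguard_source(names, user_mask: str = "USER") -> str:
    """Format the list the way the PHP script stores an ACL 'source' field:
    each name quoted and space-separated, with USER in the mask replaced."""
    return " ".join("'%s'" % user_mask.replace("USER", n) for n in sorted(set(names)))


def squidguard_src_block(acl_name: str, names) -> str:
    """The equivalent plain squidGuard.conf src block."""
    return "src %s {\n    user %s\n}\n" % (acl_name, " ".join(sorted(set(names))))


if __name__ == "__main__":
    members = resolve_members("CN=Internet-Users,OU=Groups,DC=example,DC=com", read_entry)
    print(group_filter("Internet-Users"))
    print(squidguard_source(members, "EXAMPLE\\USER"))
    print(squidguard_src_block("internet", members))
```

Sorting the names before writing them makes the comparison with the stored `source` field stable, so the config is only rewritten (and squidGuard only resynced) when membership really changed rather than when AD returned the same members in a different order.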

