Cool Solutions

Squid Authentication from Novell Client AKA: SquidTrust



April 28, 2011 10:39 am

Hi all,

Here’s my little script(s) to verify users against a squid proxy.

The difference between this script and most other solutions is the dll call to the NetWare client.

Most other solutions start by getting the IP of the proxy requester, searching the LDAP directory for that IP address, and matching up the username that way. My version makes a call to the Novell calwin32.dll file that comes with the client. No tree walking or directory searching, just a dll call on the local workstation.

I started with this http://www.autohotkey.com/forum/topic42967.html and made a few small changes to make the script spit out the logged-in Novell user any time a connection is made and a “1” is sent to the server. Sending a “2” will give the computer name (%A_COMPUTERNAME%) and lastly a “3” will send the Windows user name (%A_USERNAME%).

Source code and a precompiled binary (SquidTrust.exe) are available at http://sourceforge.net/projects/squidtrust/

To test:

Run the script (or the .exe file).

From a cmd prompt, telnet to your IP on port 6399 and press “2” to get the %A_COMPUTERNAME%. The script should immediately disconnect and drop you back to a prompt. Telnet again to port 6399 and press “3” to get the %A_USERNAME%.

To get a Novell username you will need the Novell client and to be logged into a server.

Part two of the authentication to a squid proxy is a little Perl.

This script requires IO::Socket, which is pretty common in most Perl installs, but is also available via CPAN.

I think I’ve documented this fairly well; if not, Google is your friend.

This script is referred to as an “authentication helper” and needs to be saved somewhere on the Squid proxy, but you should be able to test it on any box that has Perl installed.

***********************SquidTrust.pl********************************
#!/usr/bin/perl
## SquidTrust.pl - Squid external ACL helper.
## Reads one client IP address per line on STDIN, asks the SquidTrust agent
## on that workstation for the logged-in NetWare user, and answers Squid with
## "OK user=<name>" or "ERR" on STDOUT.

use strict;
use warnings;
use IO::Socket;

$| = 1;    # unbuffered STDOUT: Squid waits for each answer line

my $port = 6399;    # port the SquidTrust.exe (AHK script) listens on

## Main loop: wait for an input line on <STDIN> and use it as $host (the client's IP address)
while (my $host = <STDIN>) {
    chomp $host;    # Squid sends "%SRC\n"; drop the newline before connecting

    ## Set up the socket connection to the client computer
    my $sock = IO::Socket::INET->new(
        PeerAddr => $host,
        PeerPort => $port,
        Proto    => 'tcp',
        Timeout  => 1,
    );

    ## Print ERR if no connection could be made, otherwise ask the workstation
    if (!$sock) {
        print "ERR\n";
        next;
    }

    # send a command to the workstation (1 = NetWare user, 2 = computer name, 3 = Windows user)
    my $cmd = "1";
    print $sock $cmd;

    # read the workstation response; the agent sends the name and disconnects
    my $nwusername = <$sock>;
    close $sock;
    chomp $nwusername if defined $nwusername;

    if (defined $nwusername && length $nwusername) {
        print "OK user=$nwusername\n";
    } else {
        print "ERR\n";
    }
}

******************************************************

Run it as “perl SquidTrust.pl” and it should just sit there and wait for an IP address to be entered.

Once an IP address is entered, the script will try to connect to that IP on port 6399 (the AHK script) and send a “1”.

If it gets any return, it prints “OK user=$nwusername”; if it doesn’t get a return, it prints “ERR”.

These are the standard returns expected by Squid. The script then just restarts and waits for the next IP address.

To get the Windows username, change the line:
$cmd = "1";
to
$cmd = "3";
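To exercise the helper logic without a Novell client, here is an added Python example (not part of the original post or the SquidTrust project) that stands in for SquidTrust.exe's 1/2/3 exchange on a loopback port and runs the same connect, send, read, answer sequence as SquidTrust.pl. The port, names and values are constructed for the demonstration.

```python
import socket
import threading

# Constructed stand-in for what SquidTrust.exe would report on a real workstation:
# 1 = NetWare user (via calwin32.dll), 2 = %A_COMPUTERNAME%, 3 = %A_USERNAME%.
FAKE_WORKSTATION = {b"1": "nwuser", b"2": "WS-LAB-01", b"3": "winuser"}

def start_fake_workstation(requests):
    """Serve `requests` SquidTrust-style connections on a loopback port; return the port."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen()
    port = listener.getsockname()[1]

    def run():  # per connection: read the command byte, reply (or not), disconnect
        for _ in range(requests):
            conn, _ = listener.accept()
            with conn:
                reply = FAKE_WORKSTATION.get(conn.recv(1))
                if reply is not None:
                    conn.sendall(reply.encode())
        listener.close()

    threading.Thread(target=run, daemon=True).start()
    return port

def lookup(host, port, cmd=b"1", timeout=1.0):
    """Mirror SquidTrust.pl for one %SRC line: return 'OK user=<name>' or 'ERR'."""
    host = host.strip()  # Squid hands the helper "%SRC\n"; drop the newline
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(cmd)
            name = s.recv(256).decode(errors="replace").strip()
    except OSError:  # refused, timed out, nothing listening: deny
        return "ERR"
    return f"OK user={name}" if name else "ERR"

def demo():
    """Run the exchange end to end and return the helper's four answers."""
    port = start_fake_workstation(requests=3)
    answers = [lookup("127.0.0.1\n", port),          # cmd 1: NetWare user
               lookup("127.0.0.1", port, cmd=b"2"),  # cmd 2: computer name
               lookup("127.0.0.1", port, cmd=b"9")]  # unknown cmd: no reply
    spare = socket.socket()  # take a free port and release it, so no agent
    spare.bind(("127.0.0.1", 0))  # is listening there when the helper tries
    dead_port = spare.getsockname()[1]
    spare.close()
    answers.append(lookup("127.0.0.1", dead_port))  # connection refused: ERR
    return answers
```

Note that the helper believes whatever answers on the agent port, so the resulting ACL is only as trustworthy as the client's source IP and the network path back to that workstation.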

In my squid.conf the helper is added like this:

*****************snip of squid.conf********************************

external_acl_type IPUser ttl=60 children=10 %SRC /usr/local/squid/SquidTrust.pl
acl AuthNDS external IPUser
http_access allow AuthNDS

# These hosts do not have any restrictions
http_access allow unrestricted_hosts
# Always allow access to whitelist domains
http_access allow whitelist
auth_param basic program /usr/local/libexec/squid/squid_ldap_auth -v 2 -b T=MYTREE -f "(&(|(groupMembership=cn=LIMITEDaccess,o=INTERNET)(groupMembership=cn=FULLaccess,o=INTERNET))(objectclass=User)(cn=%s))" -u uid -P 10.1.1.7
auth_param basic children 70

**********************************************************

Notice how the “external_acl_type” (my perl helper script) is loaded before the default “squid_ldap_auth”.

If a user isn’t authenticated by the “helper”, Squid drops back to the standard LDAP auth and they will be prompted for a login username and password.

I’ve been running a slightly modified version of this script on 300-400 machines for almost 6 months and haven’t had a single issue. Machines are mostly XP, but the script seems to run fine on Windows 7.

This is just kind of the beginning; there is a lot of fun stuff to do with this script. If there is any interest I’ll post more later.

Categories: Cool Tools, NetWare, Novell Client, Technical

Disclaimer: This content is not supported by Novell. It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test it thoroughly before using it in a production environment.

10 Comments

  1. By:gbianchi77

    Awesome!!!! What did you use to compile the source code?

    • By:sowenatedzonedotnet

      Glad you like it!

      To compile your own:
      Download and install Autohotkey from http://www.ahtohotkey.com (I use the “basic” version.)
      Once you have Autohotkey installed, save the .ahk script from the source.
      Within an open Explorer window, you can right-click any .ahk file and select “Compile Script”. This makes it into an *.exe.

      More info here…with advanced option to add icons etc….
      http://www.autohotkey.com/forum/topic70171.html&highlight=compileahk

      Also…I forgot to mention…..make sure to mark the perl helper as “executable” on the squid proxy.

  2. By:mcando

    I’m already using ldap auth but it has the drawback of asking the password each time I open Firefox.
    I wonder if your script will bring some kind of SSO as CLNTRST used to.

    • By:sowenatedzonedotnet

      Yes, it pretty much works exactly like the old Border Manager ClientTrust (which is why I named it SquidTrust).

      How it all works–the short version:
      1. Install and get the perl “auth helper” script running on your squid proxy.
      2. Run the SquidTrust.exe on your workstation.
      3. Set the proxy setting in your browser.
      4. open a browser.
      5. the browser sends its IP address info to the squid proxy “auth helper” when you start a browser
      6. the “auth helper” connects to the squidtrust.exe running on the workstation
      7. the squidtrust.exe makes a dll call to the novell client’s calwin32.dll
      8. the squidtrust.exe passes the current logged in novell user back to the “auth helper”
      9. The novell user is automatically passed with an “OK” by the squid proxy.
      10. the user will show up in the squid logs as their Netware “username”.

      • By:mcando

        I only had to modify the line ‘external_acl_type IPUser ttl=60 children=10 %SRC /usr/local/squid/SquidTrust.pl’ to
        external_acl_type IPUser ttl=60 children=10 %SRC perl /usr/local/squid/SquidTrust.pl for my squid server to work.
        I’ve been looking for this for a long time. Thanks!

  3. By:jtopp

    This has made life at our college so much easier. I know squid but not border manager (which works well in our environment but does not allow some things we would like).
    This will allow us to move forward and is yet another reason to stay with Novell.

    Well done!!!

    Keep up the good work!!!

  4. By:mcando

    We were forced to install Windows 7 on several workstations. In spite of squidtrust running and obtaining ComputerName and IPAddress values ok, sso authentication doesn’t work as in our XP machines. I’m using Novell Client 2 for Windows 7 IR9a version.
    Is there a fix available?
    Thanks!

  5. By:sowenatedzonedotnet

    I have run squidtrust on window 7 machines with no issues. I do not recall the Novell client version that I had on the test machine. I would guess that your problems are with the client version, or a firewall issue.

    Are you getting the username and IP from the squidtrust icon (right clicking on the icon) or from telnetting to port 6399 and entering a number (1 for netware username, 2 for computer name etc…)?

    Port 6399 must be open on the client machine.

    Do you get any data when telnetting to port 6399 and entering a “1”?

    Drop to a cmd prompt on the windows 7 machine and type “set”. Do you see a NWUSERNAME value? (It should be your logged in netware user.)

    The currently posted version of squidtrust uses a bindery call, which could be an issue as well. I could probably whip up a version that uses an NDS call if it becomes necessary.

    Please contact me directly at:
    sowenREMOVE-THIS@edzone.net

  6. By:mdemoulin

    Many thanks to sowenatedzonedotnet for the idea, and the method !
    Otherwise, we had issues here recompiling the source code and getting it to work perfectly, so we decided to rewrite the utility in MS Visual C++ 2005.

    Please, check http://sourceforge.net/projects/squidtrustvc/files/ for code and build.

    I have added a timer in the code, so the trayicon “reappears” when explorer.exe crashes or is too long to launch (and does not get the trayicon) when the Novell login script is running on session startup.

    Hope it can help !

  7. By:sowenatedzonedotnet

    Includes the ability to add ACLs based on NetWare or AD group membership

    Updates/differences:
    – Netware user name calls now made via NDS rather than bindery.
    – Ability to return Netware user and Group Membership information.
    – Ability to return Active Directory user and Group Membership information
    – Port changed from 6399 to 2199
    – Removed “who am I” from icon menu.
    Make sure to download and READ the doc
    “Transparent Squid authentication with SquidTrustIII.doc”

    http://sourceforge.net/projects/squidtrust/files/SquidtrustIII/
