Всем привет!
Стоит необходимость установить CGPro и привязать аутентификацию к еДиру.
Почитал на форуме, установил, прикрутил перловый скрипт от Communigate, поправил
малость - заработало, а конкретнее - пользователи новые в CGPro создаются, в лдапе авторизуются.
Вопрос в удалении тех, которых в еДире нет. Взял скрипт по ссылке на форуме (для АД) поковырял, но результата толкового не добился. А именно - не удаляет аккаунты. Я вообще не спец в перле, помогите плиз.
И еще пара вопросов - можно ли прикрутить аутентификацию в Радиусе и локально на линуксе (pam?..). Если да, то как.
Вот скрипт удаления.
#!/usr/bin/perl -w
use CLI;
use Net::LDAP;
my $Domain = 'testdomain.ru'; # Read the domain name from standard input
my $CGServerAddress = '192.168.62.4';
my $Login = 'postmaster';
my $Password = '111';
my $cli = new CGP::CLI( { PeerAddr => $CGServerAddress,
PeerPort => 106,
login => $Login,
password => $Password } )
|| die "Can't login to CGPro: ".$CGP::ERR_STRING."\n";
@special=("public", "dilest"); #Array of undeleted accounts
my $LDAPServerAddress = '192.168.62.3'; # You should redefine these values
my $LDAPAdminDN = 'cn=admin,o=cont';
my $LDAPAdminPassword = '12345';
my $LDAPSearchBase = 'o=cont';
my $accountList = $cli->ListAccounts($Domain);
die "\nError " . $cli->getErrMessage . "(".$cli->getErrCode.
") fetching accounts list\n"
unless ($accountList);
#Create array of accounts
$i=0;
foreach (keys %$accountList) {
$accounts[$i]=$_;
++$i;
};
# Delete special accounts from array of accounts
$i=0;
$j=0;
foreach (@special) {
foreach (@accounts) {
if ($accounts[$i] eq $special[$j])
{splice (@accounts, $i, 1);}
++$i;
}
++$j;
$i=0;
}
my $ldap = Net::LDAP->new($LDAPServerAddress,port=>389,timeout=>20)
|| return "Can't connect to $LDAPServerAddress via LDAP";
my $result=$ldap->bind($LDAPAdminDN,password=>$LDAPAdminPassword)
|| return "Can't bind:".$result->error;
open(MAIL,"|/usr/bin/mail -s Account_Removing postmaster"); #mail postmaster(use cgp mailer)
print MAIL "Following CGP Accounts were remove:\n\n";
foreach (@accounts) {
my $mesg = $ldap->search ( # perform a search
base => $LDAPSearchBase, #"cn=$domain",
filter => "(&(cn=$_)(objectclass=*))"
);
if ($mesg->count==0)
{
#print MAIL "$_\n"; #print accounts for testing purposes only
$cli->DeleteAccount("$_\@$Domain") #delete accounts from cgp domain
|| die "Can't delete: ".$cli->getErrMessage.", quitting";
}
}
close(MAIL);
$ldap->unbind(); # unbind & disconnect
$cli->Logout;
Communigate и eDir
Сообщений: 5
• Страница 1 из 1
Communigate и eDir
Tolik Mironov » 16 ноя 2009, 02:12
- Tolik Mironov
- Сообщения: 104
- Зарегистрирован: 17 июл 2006, 14:28
Re: Communigate и eDir
capricious » 16 ноя 2009, 12:37
Tolik Mironov писал(а):Всем привет!
Стоит необходимость установить CGPro и привязать аутентификацию к еДиру.
Почитал на форуме, установил, прикрутил перловый скрипт от Communigate, поправил
малость - заработало, а конкретнее - пользователи новые в CGPro создаются, в лдапе авторизуются.
Вопрос в удалении тех, которых в еДире нет. Взял скрипт по ссылке на форуме (для АД) поковырял, но результата толкового не добился. А именно - не удаляет аккаунты. Я вообще не спец в перле, помогите плиз.
И еще пара вопросов - можно ли прикрутить аутентификацию в Радиусе и локально на линуксе (pam?..). Если да, то как.
Вот скрипт удаления.
Маловат твой скрипт
или не весь скопировал
#!/usr/bin/perl -w
# Sample External Authenticaton program for CommuniGate Pro
# that employs LDAP "bind", supports the account creation
# via NEW command and supports SASL authentication. For SASL
# to work the script must be able to retrieve account password
# in plain text from the LDAP server.
#
# See for more info:
# <http>
# You may need to install the following modules:
# ASN1 from <http>
# LDAP from <http>
use Net::LDAP;
# Take the CLI.pm module from <http>
use CLI;
#
# You should redefine these values
#
my @ldap_servers=( # you can specify multiple LDAP servers here
{ address=>'ldapmaster', # the address or IP of LDAP server
port=>389, # LDAP port, 389 by default
timeout=>5, # timeout in seconds, 20 by default
adminDN=>'cn=cgp,ou=nex,o=nk', # the DN for admin bind
adminPassword=>'cgp',
searchBase=>'ou=nex,o=nk', # search base for NEW and SASL commands
searchFilter=>'(&(cn=*)(objectClass=Person))',
bindDN=>'cn=cgp,ou=nex,o=nk', # the account DN for direct bind for VRFY command
},
{ address=>'127.0.0.2',
adminDN=>'postmaster',
adminPassword=>'pass',
searchBase=>'cn=<domain>',
searchFilter=>'(&(uid=<user>)(objectclass=*))',
bindDN=>'uid=<user>,cn=<domain>',
},
);
my $CGServerAddress = '172.16.22.10'; # You should redefine these values
my $CLILogin = 'postmaster';
my $CLIPassword = 'G0@head';
#
# END of user customiseable parameters
#
$| = 1; #force STDOUT autoflush after each write
print "* authLDAPNew.pl started\n";
my ($ldapServerID,$ldapServerTried)=(0,0);
while(<STDIN>) {
chomp; # remove \n from the end of line
my ($prefix,$method,@eargs) = split(/ /);
if($method eq 'VRFY') {
unless($prefix && $method && $eargs[0] && $eargs[1]) {
print "$prefix ERROR Expected: nnn VRFY (mode) user\@domain password\n";
} else {
if($eargs[0] =~ /^\(.*\)$/) {
shift @eargs;
}
my $errorMsg=vrfy_command($prefix,$eargs[0],$eargs[1]);
if(defined $errorMsg) {
print "$prefix ERROR $errorMsg\n";
}
}
} elsif($method =~ /^SASL/) {
unless($prefix && $method && $eargs[0] && $eargs[1]) {
print "$prefix ERROR Expected: nnn SASL(method) (mode) user\@domain key\n";
} else {
if($eargs[0] =~ /^\(.*\)$/) {
shift @eargs;
}
my $errorMsg=sasl_command($prefix,$eargs[0]);
if(defined $errorMsg) {
print "$prefix ERROR $errorMsg\n";
}
}
} elsif($method =~ /^READPLAIN/) {
unless($prefix && $method && $eargs[0]) {
print "$prefix ERROR Expected: nnn READPLAIN user\@domain\n";
} else {
my $errorMsg=sasl_command($prefix,$eargs[0]); #same for sasl and readplain
if(defined $errorMsg) {
print "$prefix FAILURE $errorMsg\n";
}
}
} elsif($method eq 'NEW') {
unless($prefix && $method && $eargs[0]) {
print "$prefix ERROR Expected: nnn NEW user\@domain\n";
} else {
my $errorMsg=new_command($prefix,$eargs[0]);
if(defined $errorMsg) {
print "$prefix ERROR $errorMsg\n";
}
}
} elsif($method eq 'INTF') {
print "$prefix INTF 7\n";
} elsif($method eq 'QUIT') {
print "$prefix OK\n";
last;
} else {
print "$prefix ERROR Only INTF, VRFY, SASL, READPLAIN and NEW commands supported\n";
}
}
print "* authLDAPNew.pl done\n";
exit(0);
sub tryConnectServer {
my $theServer=$ldap_servers[$ldapServerID];
print "* trying to connect to $theServer->{address}\n";
my $ldap = Net::LDAP->new($theServer->{address},port=>($theServer->{port} || 389),timeout=>($theServer->{timeout} || 20) )
|| return undef;
return $ldap;
}
sub tryConnect {
my $nServers=scalar(@ldap_servers);
for(my $nTried=0;$nTried<nServers>=$nServers) { $ldapServerID=0;}
my $ldap=tryConnectServer();
return $ldap if($ldap);
++$ldapServerID;
}
return undef;
}
sub vrfy_command {
my ($prefix,$user,$password)=@_;
my ($name,$domain)=("","");
if($user =~ /(.+)\@(.+)/) {
$name=$1;
$domain=$2;
} else {
return "Full account name with \@ and domain part expected";
}
my $ldap = tryConnect();
unless($ldap) {
return "Failed to connect to all LDAP servers";
}
my $bindDN=$ldap_servers[$ldapServerID]->{bindDN};
$bindDN=~s/<user>/$name/;
$bindDN=~s/<domain>/$domain/;
$password=decodeString($password);
print "* binding $bindDN with password=$password\n";
my $result=$ldap->bind($bindDN,password=>$password)
|| return "Can't bind: ".$result->error;
$ldap->unbind(); # unbind & disconnect
#$ldap->disconnect();
$result->code && return $result->error; # return error message if failed
print "$prefix OK\n";
return undef; # return "undef" on success
}
sub new_command {
my ($prefix,$user)=@_;
my ($name,$domain)=("","");
if($user =~ /(.+)\@(.+)/) {
$name=$1;
$domain=$2;
} else {
return "Full account name with \@ and domain part expected";
}
my $ldap = tryConnect();
unless($ldap) {
return "Failed to connect to all LDAP servers";
}
my $adminDN=$ldap_servers[$ldapServerID]->{adminDN};
my $adminPassword=$ldap_servers[$ldapServerID]->{adminPassword};
my $result=$ldap->bind($adminDN,password=>$adminPassword)
|| return "Can't bind as admin: ".$result->error;
$result->code && return "Can't bind as admin: ".$result->error;
my $searchBase=$ldap_servers[$ldapServerID]->{searchBase};
$searchBase=~s/<user>/$name/;
$searchBase=~s/<domain>/$domain/;
my $searchFilter=$ldap_servers[$ldapServerID]->{searchFilter};
$searchFilter=~s/<user>/$name/;
$searchFilter=~s/<domain>/$domain/;
print "* searching $searchBase for $searchFilter\n";
my $mesg = $ldap->search ( # perform a search
base => $searchBase,
filter => $searchFilter
);
$ldap->unbind(); # unbind & disconnect
unless(defined $mesg) {
return "LDAP search failed";
}
if($mesg->all_entries() eq 0) {
return "LDAP: nothing found for $searchFilter";
}
my ($realName,$password);
foreach $entry ($mesg->all_entries) {
my $ref1=@$entry{'asn'};
my $attrs=@$ref1{'attributes'};
foreach $atrRef (@$attrs) {
my $type=@$atrRef{'type'};
my $vals=@$atrRef{'vals'};
$realName=@$vals[0] if($type eq 'cn');
$password=@$vals[0] if($type eq 'userPassword');
}
last; # we need only 1 entry
}
my %userData;
$userData{'RealName'}=$realName if(defined $realName);
$userData{'Password'}=$password if(defined $password);
my $cli = new CGP::CLI( { PeerAddr => $CGServerAddress,
PeerPort => 106,
login => $CLILogin,
password => $CLIPassword
} )
|| return "Can't login to CGPro via CLI: ".$CGP::ERR_STRING;
$cli->CreateAccount(accountName=>"$user",settings=>\%userData)
|| return "Can't create account via CLI:".$cli->getErrMessage;
$cli->Logout();
print "$prefix OK\n";
return undef;
}
sub sasl_command {
my ($prefix,$user)=@_;
my ($name,$domain)=("","");
if($user =~ /(.+)\@(.+)/) {
$name=$1;
$domain=$2;
} else {
return "Full account name with \@ and domain part expected";
}
my $ldap = tryConnect();
unless($ldap) {
return "Failed to connect to all LDAP servers";
}
my $adminDN=$ldap_servers[$ldapServerID]->{adminDN};
my $adminPassword=$ldap_servers[$ldapServerID]->{adminPassword};
my $result=$ldap->bind($adminDN,password=>$adminPassword)
|| return "Can't bind as admin: ".$result->error;
$result->code && return "Can't bind as admin: ".$result->error;
my $searchBase=$ldap_servers[$ldapServerID]->{searchBase};
$searchBase=~s/<user>/$name/;
$searchBase=~s/<domain>/$domain/;
my $searchFilter=$ldap_servers[$ldapServerID]->{searchFilter};
$searchFilter=~s/<user>/$name/;
$searchFilter=~s/<domain>/$domain/;
print "* searching $searchBase for $searchFilter\n";
my $mesg = $ldap->search ( # perform a search
base => $searchBase,
filter => $searchFilter
);
$ldap->unbind(); # unbind & disconnect
unless(defined $mesg) {
return "LDAP search failed";
}
if($mesg->all_entries() eq 0) {
return "LDAP: nothing found for $searchFilter";
}
my ($realName,$password);
foreach $entry ($mesg->all_entries) {
my $ref1=@$entry{'asn'};
my $attrs=@$ref1{'attributes'};
foreach $atrRef (@$attrs) {
my $type=@$atrRef{'type'};
my $vals=@$atrRef{'vals'};
$realName=@$vals[0] if($type eq 'cn');
$password=@$vals[0] if($type eq 'userPassword');
}
last; # we need only 1 entry
}
unless($password) {
return "no plain text password was found";
}
print "$prefix PLAIN ".encodeString($password)."\n";
return undef;
}
sub encodeString {
my ($data)=@_;
if($data =~ /\W/) {
$data =~ s/\\/\\\\/g;
$data =~ s/"/\\"/g;
$data =~ s/([\x00-\x1F\x7F])/'\\'.('0'x(3-length(ord($1)))).ord($1)/ge;
}
return '"' . $data . '"';
}
sub decodeString {
my ($data)=@_;
my $isQuoted=0;
unless($data=~/^"(.*)"$/) { # check "'s
return $data;
}
$data=$1;
my $result="";
my $span=0;
my $len=length($data);
while($span < $len) {
my $ch=substr($data,$span,1);
if($ch eq '\\') {
$span++;
if(substr($data,$span,3) =~ /^(\d\d\d)/) {
$ch=chr($1); $span+=3;
}else {
$ch=substr($data,$span,1);
}
}
$result .= $ch;
++$span;
}
return $result;
}
__END__
-
capricious - Сообщения: 393
- Зарегистрирован: 21 апр 2003, 14:36
- Откуда: Moscow
Tolik Mironov » 16 ноя 2009, 14:38
Это скрипт удаления аккаунтов (взял тут: http://system-administrators.info/?p=1894). Он то как раз толком и не работает.
А скрипт авторизации я вот так подправил:
#!/usr/bin/perl -w
# Sample External Authenticaton program for CommuniGate Pro
# that employs LDAP "bind", supports the account creation
# via NEW command and supports SASL authentication. For SASL
# to work the script must be able to retrieve account password
# in plain text from the LDAP server.
#
# See for more info:
# <http>
# You may need to install the following modules:
# ASN1 from <http>
# LDAP from <http>
use Net::LDAP;
# Take the CLI.pm module from <http>
use CLI;
#
# You should redefine these values
#
my @ldap_servers=( # you can specify multiple LDAP servers here
{ address=>'192.168.62.3', # the address or IP of LDAP server
port=>389, # LDAP port, 389 by default
timeout=>5, # timeout in seconds, 20 by default
adminDN=>'cn=admin,o=cont', # the DN for admin bind
adminPassword=>'12345',
searchBase=>'o=cont', # search base for NEW and SASL commands
searchFilter=>'(&(cn=<user>)(objectclass=*))',
bindDN=>'cn=<user>,o=cont', # the account DN for direct bind for VRFY command
}
);
my $CGServerAddress = '192.168.62.4'; # You should redefine these values
my $CLILogin = 'postmaster';
my $CLIPassword = '111';
#
# END of user customiseable parameters
#
$| = 1; #force STDOUT autoflush after each write
print "* authLDAPNew.pl started\n";
my ($ldapServerID,$ldapServerTried)=(0,0);
while(<STDIN>) {
chomp; # remove \n from the end of line
my ($prefix,$method,@eargs) = split(/ /);
if($method eq 'VRFY') {
unless($prefix && $method && $eargs[0] && $eargs[1]) {
print "$prefix ERROR Expected: nnn VRFY (mode) user\@domain password\n";
} else {
if($eargs[0] =~ /^\(.*\)$/) {
shift @eargs;
}
my $errorMsg=vrfy_command($prefix,$eargs[0],$eargs[1]);
if(defined $errorMsg) {
print "$prefix ERROR $errorMsg\n";
}
}
} elsif($method =~ /^SASL/) {
unless($prefix && $method && $eargs[0] && $eargs[1]) {
print "$prefix ERROR Expected: nnn SASL(method) (mode) user\@domain key\n";
} else {
if($eargs[0] =~ /^\(.*\)$/) {
shift @eargs;
}
my $errorMsg=sasl_command($prefix,$eargs[0]);
if(defined $errorMsg) {
print "$prefix ERROR $errorMsg\n";
}
}
} elsif($method =~ /^READPLAIN/) {
unless($prefix && $method && $eargs[0]) {
print "$prefix ERROR Expected: nnn READPLAIN user\@domain\n";
} else {
my $errorMsg=sasl_command($prefix,$eargs[0]); #same for sasl and readplain
if(defined $errorMsg) {
print "$prefix FAILURE $errorMsg\n";
}
}
} elsif($method eq 'NEW') {
unless($prefix && $method && $eargs[0]) {
print "$prefix ERROR Expected: nnn NEW user\@domain\n";
} else {
my $errorMsg=new_command($prefix,$eargs[0]);
if(defined $errorMsg) {
print "$prefix ERROR $errorMsg\n";
}
}
} elsif($method eq 'INTF') {
print "$prefix INTF 7\n";
} elsif($method eq 'QUIT') {
print "$prefix OK\n";
last;
} else {
print "$prefix ERROR Only INTF, VRFY, SASL, READPLAIN and NEW commands supported\n";
}
}
print "* authLDAPNew.pl done\n";
exit(0);
sub tryConnectServer {
my $theServer=$ldap_servers[$ldapServerID];
print "* trying to connect to $theServer->{address}\n";
my $ldap = Net::LDAP->new($theServer->{address},port=>($theServer->{port} || 389),timeout=>($theServer->{timeout} || 20) )
|| return undef;
return $ldap;
}
sub tryConnect {
my $nServers=scalar(@ldap_servers);
for(my $nTried=0;$nTried<nServers>=$nServers) { $ldapServerID=0;}
my $ldap=tryConnectServer();
return $ldap if($ldap);
++$ldapServerID;
}
return undef;
}
sub vrfy_command {
my ($prefix,$user,$password)=@_;
my ($name,$domain)=("","");
if($user =~ /(.+)\@(.+)/) {
$name=$1;
$domain=$2;
} else {
return "Full account name with \@ and domain part expected";
}
my $ldap = tryConnect();
unless($ldap) {
return "Failed to connect to all LDAP servers";
}
my $bindDN=$ldap_servers[$ldapServerID]->{bindDN};
$bindDN=~s/<user>/$name/;
$bindDN=~s/<domain>/$domain/;
$password=decodeString($password);
print "* binding $bindDN with password=$password\n";
my $result=$ldap->bind($bindDN,password=>$password)
|| return "Can't bind: ".$result->error;
$ldap->unbind(); # unbind & disconnect
#$ldap->disconnect();
$result->code && return $result->error; # return error message if failed
print "$prefix OK\n";
return undef; # return "undef" on success
}
sub new_command {
my ($prefix,$user)=@_;
my ($name,$domain)=("","");
if($user =~ /(.+)\@(.+)/) {
$name=$1;
$domain=$2;
} else {
return "Full account name with \@ and domain part expected";
}
my $ldap = tryConnect();
unless($ldap) {
return "Failed to connect to all LDAP servers";
}
my $adminDN=$ldap_servers[$ldapServerID]->{adminDN};
my $adminPassword=$ldap_servers[$ldapServerID]->{adminPassword};
my $result=$ldap->bind($adminDN,password=>$adminPassword)
|| return "Can't bind as admin: ".$result->error;
$result->code && return "Can't bind as admin: ".$result->error;
my $searchBase=$ldap_servers[$ldapServerID]->{searchBase};
$searchBase=~s/<user>/$name/;
$searchBase=~s/<domain>/$domain/;
my $searchFilter=$ldap_servers[$ldapServerID]->{searchFilter};
$searchFilter=~s/<user>/$name/;
$searchFilter=~s/<domain>/$domain/;
print "* searching $searchBase for $searchFilter\n";
my $mesg = $ldap->search ( # perform a search
base => $searchBase,
filter => $searchFilter
);
$ldap->unbind(); # unbind & disconnect
unless(defined $mesg) {
return "LDAP search failed";
}
if($mesg->all_entries() eq 0) {
return "LDAP: nothing found for $searchFilter";
}
my ($realName,$password);
foreach $entry ($mesg->all_entries) {
my $ref1=@$entry{'asn'};
my $attrs=@$ref1{'attributes'};
foreach $atrRef (@$attrs) {
my $type=@$atrRef{'type'};
my $vals=@$atrRef{'vals'};
$realName=@$vals[0] if($type eq 'cn');
$password=@$vals[0] if($type eq 'userPassword');
}
last; # we need only 1 entry
}
my %userData;
$userData{'RealName'}=$realName if(defined $realName);
$userData{'Password'}=$password if(defined $password);
my $cli = new CGP::CLI( { PeerAddr => $CGServerAddress,
PeerPort => 106,
login => $CLILogin,
password => $CLIPassword
} )
|| return "Can't login to CGPro via CLI: ".$CGP::ERR_STRING;
$cli->CreateAccount(accountName=>"$user",settings=>\%userData)
|| return "Can't create account via CLI:".$cli->getErrMessage;
$cli->Logout();
print "$prefix OK\n";
return undef;
}
sub sasl_command {
my ($prefix,$user)=@_;
my ($name,$domain)=("","");
if($user =~ /(.+)\@(.+)/) {
$name=$1;
$domain=$2;
} else {
return "Full account name with \@ and domain part expected";
}
my $ldap = tryConnect();
unless($ldap) {
return "Failed to connect to all LDAP servers";
}
my $adminDN=$ldap_servers[$ldapServerID]->{adminDN};
my $adminPassword=$ldap_servers[$ldapServerID]->{adminPassword};
my $result=$ldap->bind($adminDN,password=>$adminPassword)
|| return "Can't bind as admin: ".$result->error;
$result->code && return "Can't bind as admin: ".$result->error;
my $searchBase=$ldap_servers[$ldapServerID]->{searchBase};
$searchBase=~s/<user>/$name/;
$searchBase=~s/<domain>/$domain/;
my $searchFilter=$ldap_servers[$ldapServerID]->{searchFilter};
$searchFilter=~s/<user>/$name/;
$searchFilter=~s/<domain>/$domain/;
print "* searching $searchBase for $searchFilter\n";
my $mesg = $ldap->search ( # perform a search
base => $searchBase,
filter => $searchFilter
);
$ldap->unbind(); # unbind & disconnect
unless(defined $mesg) {
return "LDAP search failed";
}
if($mesg->all_entries() eq 0) {
return "LDAP: nothing found for $searchFilter";
}
my ($realName,$password);
foreach $entry ($mesg->all_entries) {
my $ref1=@$entry{'asn'};
my $attrs=@$ref1{'attributes'};
foreach $atrRef (@$attrs) {
my $type=@$atrRef{'type'};
my $vals=@$atrRef{'vals'};
$realName=@$vals[0] if($type eq 'cn');
$password=@$vals[0] if($type eq 'userPassword');
}
last; # we need only 1 entry
}
unless($password) {
return "no plain text password was found";
}
print "$prefix PLAIN ".encodeString($password)."\n";
return undef;
}
sub encodeString {
my ($data)=@_;
if($data =~ /\W/) {
$data =~ s/\\/\\\\/g;
$data =~ s/\"/\\\"/g;
$data =~ s/([\x00-\x1F\x7F])/'\\'.('0'x(3-length(ord($1)))).ord($1)/ge;
}
return '"' . $data . '"';
}
sub decodeString {
my ($data)=@_;
my $isQuoted=0;
unless($data=~/^\"(.*)\"$/) { # check "'s
return $data;
}
$data=$1;
my $result="";
my $span=0;
my $len=length($data);
while($span < $len) {
my $ch=substr($data,$span,1);
if($ch eq '\\') {
$span++;
if(substr($data,$span,3) =~ /^(\d\d\d)/) {
$ch=chr($1); $span+=3;
}else {
$ch=substr($data,$span,1);
}
}
$result .= $ch;
++$span;
}
return $result;
}
__END__
А скрипт авторизации я вот так подправил:
#!/usr/bin/perl -w
# Sample External Authenticaton program for CommuniGate Pro
# that employs LDAP "bind", supports the account creation
# via NEW command and supports SASL authentication. For SASL
# to work the script must be able to retrieve account password
# in plain text from the LDAP server.
#
# See for more info:
# <http>
# You may need to install the following modules:
# ASN1 from <http>
# LDAP from <http>
use Net::LDAP;
# Take the CLI.pm module from <http>
use CLI;
#
# You should redefine these values
#
my @ldap_servers=( # you can specify multiple LDAP servers here
{ address=>'192.168.62.3', # the address or IP of LDAP server
port=>389, # LDAP port, 389 by default
timeout=>5, # timeout in seconds, 20 by default
adminDN=>'cn=admin,o=cont', # the DN for admin bind
adminPassword=>'12345',
searchBase=>'o=cont', # search base for NEW and SASL commands
searchFilter=>'(&(cn=<user>)(objectclass=*))',
bindDN=>'cn=<user>,o=cont', # the account DN for direct bind for VRFY command
}
);
my $CGServerAddress = '192.168.62.4'; # You should redefine these values
my $CLILogin = 'postmaster';
my $CLIPassword = '111';
#
# END of user customiseable parameters
#
$| = 1; #force STDOUT autoflush after each write
print "* authLDAPNew.pl started\n";
my ($ldapServerID,$ldapServerTried)=(0,0);
while(<STDIN>) {
chomp; # remove \n from the end of line
my ($prefix,$method,@eargs) = split(/ /);
if($method eq 'VRFY') {
unless($prefix && $method && $eargs[0] && $eargs[1]) {
print "$prefix ERROR Expected: nnn VRFY (mode) user\@domain password\n";
} else {
if($eargs[0] =~ /^\(.*\)$/) {
shift @eargs;
}
my $errorMsg=vrfy_command($prefix,$eargs[0],$eargs[1]);
if(defined $errorMsg) {
print "$prefix ERROR $errorMsg\n";
}
}
} elsif($method =~ /^SASL/) {
unless($prefix && $method && $eargs[0] && $eargs[1]) {
print "$prefix ERROR Expected: nnn SASL(method) (mode) user\@domain key\n";
} else {
if($eargs[0] =~ /^\(.*\)$/) {
shift @eargs;
}
my $errorMsg=sasl_command($prefix,$eargs[0]);
if(defined $errorMsg) {
print "$prefix ERROR $errorMsg\n";
}
}
} elsif($method =~ /^READPLAIN/) {
unless($prefix && $method && $eargs[0]) {
print "$prefix ERROR Expected: nnn READPLAIN user\@domain\n";
} else {
my $errorMsg=sasl_command($prefix,$eargs[0]); #same for sasl and readplain
if(defined $errorMsg) {
print "$prefix FAILURE $errorMsg\n";
}
}
} elsif($method eq 'NEW') {
unless($prefix && $method && $eargs[0]) {
print "$prefix ERROR Expected: nnn NEW user\@domain\n";
} else {
my $errorMsg=new_command($prefix,$eargs[0]);
if(defined $errorMsg) {
print "$prefix ERROR $errorMsg\n";
}
}
} elsif($method eq 'INTF') {
print "$prefix INTF 7\n";
} elsif($method eq 'QUIT') {
print "$prefix OK\n";
last;
} else {
print "$prefix ERROR Only INTF, VRFY, SASL, READPLAIN and NEW commands supported\n";
}
}
print "* authLDAPNew.pl done\n";
exit(0);
sub tryConnectServer {
my $theServer=$ldap_servers[$ldapServerID];
print "* trying to connect to $theServer->{address}\n";
my $ldap = Net::LDAP->new($theServer->{address},port=>($theServer->{port} || 389),timeout=>($theServer->{timeout} || 20) )
|| return undef;
return $ldap;
}
sub tryConnect {
my $nServers=scalar(@ldap_servers);
for(my $nTried=0;$nTried<nServers>=$nServers) { $ldapServerID=0;}
my $ldap=tryConnectServer();
return $ldap if($ldap);
++$ldapServerID;
}
return undef;
}
sub vrfy_command {
my ($prefix,$user,$password)=@_;
my ($name,$domain)=("","");
if($user =~ /(.+)\@(.+)/) {
$name=$1;
$domain=$2;
} else {
return "Full account name with \@ and domain part expected";
}
my $ldap = tryConnect();
unless($ldap) {
return "Failed to connect to all LDAP servers";
}
my $bindDN=$ldap_servers[$ldapServerID]->{bindDN};
$bindDN=~s/<user>/$name/;
$bindDN=~s/<domain>/$domain/;
$password=decodeString($password);
print "* binding $bindDN with password=$password\n";
my $result=$ldap->bind($bindDN,password=>$password)
|| return "Can't bind: ".$result->error;
$ldap->unbind(); # unbind & disconnect
#$ldap->disconnect();
$result->code && return $result->error; # return error message if failed
print "$prefix OK\n";
return undef; # return "undef" on success
}
sub new_command {
my ($prefix,$user)=@_;
my ($name,$domain)=("","");
if($user =~ /(.+)\@(.+)/) {
$name=$1;
$domain=$2;
} else {
return "Full account name with \@ and domain part expected";
}
my $ldap = tryConnect();
unless($ldap) {
return "Failed to connect to all LDAP servers";
}
my $adminDN=$ldap_servers[$ldapServerID]->{adminDN};
my $adminPassword=$ldap_servers[$ldapServerID]->{adminPassword};
my $result=$ldap->bind($adminDN,password=>$adminPassword)
|| return "Can't bind as admin: ".$result->error;
$result->code && return "Can't bind as admin: ".$result->error;
my $searchBase=$ldap_servers[$ldapServerID]->{searchBase};
$searchBase=~s/<user>/$name/;
$searchBase=~s/<domain>/$domain/;
my $searchFilter=$ldap_servers[$ldapServerID]->{searchFilter};
$searchFilter=~s/<user>/$name/;
$searchFilter=~s/<domain>/$domain/;
print "* searching $searchBase for $searchFilter\n";
my $mesg = $ldap->search ( # perform a search
base => $searchBase,
filter => $searchFilter
);
$ldap->unbind(); # unbind & disconnect
unless(defined $mesg) {
return "LDAP search failed";
}
if($mesg->all_entries() eq 0) {
return "LDAP: nothing found for $searchFilter";
}
my ($realName,$password);
foreach $entry ($mesg->all_entries) {
my $ref1=@$entry{'asn'};
my $attrs=@$ref1{'attributes'};
foreach $atrRef (@$attrs) {
my $type=@$atrRef{'type'};
my $vals=@$atrRef{'vals'};
$realName=@$vals[0] if($type eq 'cn');
$password=@$vals[0] if($type eq 'userPassword');
}
last; # we need only 1 entry
}
my %userData;
$userData{'RealName'}=$realName if(defined $realName);
$userData{'Password'}=$password if(defined $password);
my $cli = new CGP::CLI( { PeerAddr => $CGServerAddress,
PeerPort => 106,
login => $CLILogin,
password => $CLIPassword
} )
|| return "Can't login to CGPro via CLI: ".$CGP::ERR_STRING;
$cli->CreateAccount(accountName=>"$user",settings=>\%userData)
|| return "Can't create account via CLI:".$cli->getErrMessage;
$cli->Logout();
print "$prefix OK\n";
return undef;
}
sub sasl_command {
my ($prefix,$user)=@_;
my ($name,$domain)=("","");
if($user =~ /(.+)\@(.+)/) {
$name=$1;
$domain=$2;
} else {
return "Full account name with \@ and domain part expected";
}
my $ldap = tryConnect();
unless($ldap) {
return "Failed to connect to all LDAP servers";
}
my $adminDN=$ldap_servers[$ldapServerID]->{adminDN};
my $adminPassword=$ldap_servers[$ldapServerID]->{adminPassword};
my $result=$ldap->bind($adminDN,password=>$adminPassword)
|| return "Can't bind as admin: ".$result->error;
$result->code && return "Can't bind as admin: ".$result->error;
my $searchBase=$ldap_servers[$ldapServerID]->{searchBase};
$searchBase=~s/<user>/$name/;
$searchBase=~s/<domain>/$domain/;
my $searchFilter=$ldap_servers[$ldapServerID]->{searchFilter};
$searchFilter=~s/<user>/$name/;
$searchFilter=~s/<domain>/$domain/;
print "* searching $searchBase for $searchFilter\n";
my $mesg = $ldap->search ( # perform a search
base => $searchBase,
filter => $searchFilter
);
$ldap->unbind(); # unbind & disconnect
unless(defined $mesg) {
return "LDAP search failed";
}
if($mesg->all_entries() eq 0) {
return "LDAP: nothing found for $searchFilter";
}
my ($realName,$password);
foreach $entry ($mesg->all_entries) {
my $ref1=@$entry{'asn'};
my $attrs=@$ref1{'attributes'};
foreach $atrRef (@$attrs) {
my $type=@$atrRef{'type'};
my $vals=@$atrRef{'vals'};
$realName=@$vals[0] if($type eq 'cn');
$password=@$vals[0] if($type eq 'userPassword');
}
last; # we need only 1 entry
}
unless($password) {
return "no plain text password was found";
}
print "$prefix PLAIN ".encodeString($password)."\n";
return undef;
}
sub encodeString {
my ($data)=@_;
if($data =~ /\W/) {
$data =~ s/\\/\\\\/g;
$data =~ s/\"/\\\"/g;
$data =~ s/([\x00-\x1F\x7F])/'\\'.('0'x(3-length(ord($1)))).ord($1)/ge;
}
return '"' . $data . '"';
}
sub decodeString {
my ($data)=@_;
my $isQuoted=0;
unless($data=~/^\"(.*)\"$/) { # check "'s
return $data;
}
$data=$1;
my $result="";
my $span=0;
my $len=length($data);
while($span < $len) {
my $ch=substr($data,$span,1);
if($ch eq '\\') {
$span++;
if(substr($data,$span,3) =~ /^(\d\d\d)/) {
$ch=chr($1); $span+=3;
}else {
$ch=substr($data,$span,1);
}
}
$result .= $ch;
++$span;
}
return $result;
}
__END__
- Tolik Mironov
- Сообщения: 104
- Зарегистрирован: 17 июл 2006, 14:28
Дополнительный вопрос
Tolik Mironov » 16 ноя 2009, 17:29
а как сделать авторизацию по нескольким контейнерам в дереве? Что то пока мыслей нет.
- Tolik Mironov
- Сообщения: 104
- Зарегистрирован: 17 июл 2006, 14:28
Ага. :)
Tolik Mironov » 16 ноя 2009, 20:39
Немного пошаманив со скриптами - прикрутил CGPro к нетваревому Радиусу. Авторизует, пользовательские аккаунты в CG создает. Красота. 
Если надо кому, могу скрипт выложить.
Если надо кому, могу скрипт выложить.- Tolik Mironov
- Сообщения: 104
- Зарегистрирован: 17 июл 2006, 14:28
Сообщений: 5
• Страница 1 из 1
Кто сейчас на конференции
Сейчас этот форум просматривают: Majestic-12 [Bot] и гости: 15