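#!/bin/bash
#
#
# This script will retrieve a list of users from a NT Domain controller, and based on group membership of the username,
# assign the username to a certain Dansguardian filtergroup. NOTE: You MUST modify several elements of this script to
# match your particular configuration. Also, this script depends upon SAMBA 3.02 being installed and joined to a working
# NT domain. While this script does not give Dansguardian the ability to select content filtering based on group membership,
# it does permit the assignment of users to filtergroups based on group membership thus saving the system administrator
# many keystrokes... especially on larger systems.
#
# If you install this script as a cron job, you can schedule user mapping to take place as often as you like.
#
# Written by Christopher R. Nighswonger cnighswonger [at] foundations [dot] edu
# Modified by Andrew W Gawronski agawronski [at] gmail [dot] com

##########

##########
# No copyright retained. This script is in the Public Domain.
# This package is distributed in the hope that it will be useful, but
# WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
##########

##########
# History
#
# 0.9  - Dec. 11, 2006 - original release.
# 0.91 - Aug. 7, 2009  - Modified by Andrew Gawronski to use net rpc instead of net ads in order to query group
#                        membership instead of querying each user's group membership individually.
#                      - Also created arrays, so for each group it will loop through the process, a lot cleaner
#                        and easier to add more groups if needed.
##########

##########
# Operational notes
#
# * The script runs as root and rewrites the list that decides which filter
#   group each user lands in. The new list is therefore built in a private
#   temporary file and only swapped into place after every group query has
#   succeeded; a failed or partial domain query leaves the current list alone.
# * Credentials set in uinfo below are readable by anyone who can read this
#   file, so keep it owned by root and not world-readable. The -P file should
#   be root-only as well.
# * Whether they come from uinfo, -U or -P, the credentials are handed to
#   `net` as a command-line argument and are visible in the process list while
#   the query runs. TODO(review): if the installed Samba `net` supports an
#   authentication-file option, prefer it over passing uname%password in argv.
##########

# First define some variables (You may need to adjust these to match your context.)...
uinfo="-U=username%password";                            # User account that has access to query directory
sinfo="-S=10.10.1.1";                                    # Server to connect to
pwdfile="";                                              # Initialize password file path/name
domain="MyDOMAIN";                                       # domain name prefix in front of username (leave off .local)
dgrestart=0;                                             # Initialize restart variable to 0 (No restart)
dggroupfile="/etc/dansguardian/lists/filtergroupslist";  # Path/name of filtergroupslist file
dgtempfile="";                                           # Temporary file; created with mktemp next to dggroupfile

# Declare array with all security groups you want queried. Add as many as you want.
group=( 'GroupName1' 'GroupName2' 'GroupName3' 'GroupName4' )

# Declare array with all corresponding Dansguardian filter groups.
# NOTE: Must have the same number of elements as the security group array above.
dggroup=( 'filter1' 'filter2' 'filter3' 'filter4' )

##########
# If you modify/add anything below this point, please send me a copy at the address commented above... TNX
##########

# Verify that we're running as root...
if (( $(id -u) != 0 )); then
  echo "Sorry, must be root. Exiting..." >&2
  exit 1
fi

# Define some functions...

# Print the command-line help text to stdout.
function usage {
  echo "usage: usermap [[[-U uname%password] | [-P filename][-r]] | [-h]]";
  echo "-U | --Username parameter is required except when using the -P option";
  echo "-S | --Server Domain Server to connect to";
  echo "-P | --Pwdfile permits the uname%password to be stored more securely";
  echo "-r | --restart parameter is optional and invokes a hard restart of DansGuardian";
  echo "-h | --help displays this message";
  echo;
  echo "NOTE: You MUST adjust the variables in the script itself to match your system!";
}

# Print $1 to stderr and exit with status 1.
function error_exit {
  echo "$1" 1>&2
  exit 1
}

# Remove the temporary file if it is still around (runs on every exit path).
function cleanup {
  if [ -n "$dgtempfile" ]; then
    rm -f -- "$dgtempfile"
  fi
}
trap cleanup EXIT

# Begin the main script...

# Grab command line parameters...
while [ "${1:-}" != "" ]; do
  case "$1" in
    -U | --Username )
      # An option that takes a value must actually be followed by one.
      if [ -z "${2:-}" ]; then usage; exit 1; fi
      shift
      uinfo="-U$1"
      ;;
    -P | --Pwdfile )
      if [ -z "${2:-}" ]; then usage; exit 1; fi
      shift
      pwdfile="$1"
      ;;
    -S | --Server )
      if [ -z "${2:-}" ]; then usage; exit 1; fi
      shift
      sinfo="-S$1"
      ;;
    -r | --restart )
      dgrestart=1
      ;;
    -h | --help )
      usage
      exit
      ;;
    * )
      usage
      exit 1
      ;;
  esac
  shift
done

# Verify presence of -U or -P parameter...
if [ -z "$uinfo" ] && [ -z "$pwdfile" ]; then
  echo "The -U or -P parameter is required!"
  echo
  usage
  exit 1
fi

# Verify presence of -S parameter...
if [ -z "$sinfo" ]; then
  echo "The -S parameter is required!"
  echo
  usage
  exit 1
fi

# The two arrays are indexed in parallel, so a length mismatch would silently
# map a group to an empty filter group name.
groupelements=${#group[@]}
dggroupelements=${#dggroup[@]}
if (( groupelements != dggroupelements )); then
  error_exit "The group and dggroup arrays must have the same number of elements! Aborting."
fi

echo

# If the -P option is used, retrieve the uname%password data from the indicated file...
if [ -n "$pwdfile" ]; then
  echo "Retrieving uname%password data..."
  echo
  # -r keeps backslashes in the password literal; the second test accepts a
  # file whose only line has no trailing newline.
  REPLY=""
  if read -r -s <"$pwdfile" || [ -n "$REPLY" ]; then
    uinfo="-U$REPLY"
  else
    error_exit "Unable to retrieve uname%password! Aborting."
  fi
fi

# Build the new list in an unpredictable, root-owned file in the same directory
# as the live list. A fixed name under /tmp can be pre-created or symlinked by
# any local user, and this script writes to it as root.
dgtempfile=$(mktemp "${dggroupfile}.XXXXXX") \
  || error_exit "Unable to create a temporary file next to $dggroupfile! Aborting."
echo "" >"$dgtempfile"

# Length of Domain Prefix on Username (the domain name plus the separator)
dlen=$(( ${#domain} + 1 ))

for (( i = 0; i < groupelements; i++ )); do
  echo "Mapping users according to group membership of ${group[i]}..."

  # Get a list of users from W2K Server... Stop on failure: continuing would
  # publish a list that is missing this group's users.
  uname=$(net rpc "$uinfo" "$sinfo" group MEMBERS "${group[i]}") \
    || error_exit "Unable to query members of ${group[i]}! The existing filtergroupslist was left untouched."

  echo "# <-----------${group[i]} user accounts----------->" >>"$dgtempfile"

  # For each user in the list (one per line)...
  entries=()
  while IFS= read -r un; do
    [ -n "$un" ] || continue
    # NOTE(review): strips a fixed number of characters, so it assumes every
    # member is printed with the "$domain" prefix - confirm for trusted domains.
    un2=${un:dlen}
    [ -n "$un2" ] || continue
    echo "$un2 is a member of ${group[i]}."
    entries+=( "$un2=${dggroup[i]} # ${group[i]}" )
  done <<<"$uname"

  if (( ${#entries[@]} > 0 )); then
    printf '%s\n' "${entries[@]}" | sort >>"$dgtempfile" \
      || error_exit "Unable to write $dgtempfile! Aborting."
  fi
done

# Now we backup the existing filtergroupslist file...
# The backup is a copy, so the live list is never missing while we work.
if [ -e "$dggroupfile" ]; then
  echo "Backing up the current filtergroupslist file..."
  cp -p -- "$dggroupfile" "${dggroupfile}.bak" \
    || error_exit "Unable to back up $dggroupfile! Aborting."
fi

# Now put the neatened file in place...
echo "Moving new filtergroupslist file into place..."
echo
# mktemp creates the file with mode 0600; restore a world-readable mode so the
# filter daemon can still read the list after dropping privileges.
# Adjust if your installation uses a tighter mode.
chmod 0644 -- "$dgtempfile" || error_exit "Unable to set permissions on $dgtempfile! Aborting."
mv -- "$dgtempfile" "$dggroupfile" || error_exit "Unable to replace $dggroupfile! Aborting."

# Now restart DG if called for...
if [ "$dgrestart" = 1 ]; then
  # You may need to modify this to fit your context...
  /etc/init.d/dansguardian restart
  echo
fi

# And we are done.
echo "All finished..."
exit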