
Commit 058e7866 authored by vernada's avatar vernada

Fixing some access paths as the scripts have been moved; fixes #19751

parent c2f6f26e
#!/usr/bin/perl
# Check if user is member of an AD's group (up to 3 group of group deep)
# 1. check if user is a direct member of the group
# 2. check recursively in each user's group to find if a member's group is included in the target group
#
use strict;
use warnings;
#
use Data::Dumper;
use CGI qw/:standard start_ol/;
use Config::IniFiles;
use File::Basename;
use Net::LDAP;
# unbuffered output:
$| = 1;
sub is_memberOf ($$$);
sub get_memberOf ($$);
sub get_dn ($$$);
sub found ($$);
sub search_rec ($$$$$$);
BEGIN {
my $iniFile = new Config::IniFiles( -file => "/opt/etc/ini/global.ini" );
push( @INC, $iniFile->val( 'APPLICATION', 'LIBRARY' ) );
}
use SNET::access;
use SNET::common;
use SNET::html;
use SNET::ActiveDirectory;
use vars qw($verbose $debug $help $env $script $cli_mode);
$debug = 0;
$verbose = 0;
( $script ) = split( /\./, basename( $0 ) );
my $title = "AD Group Checker";
my $function = "AD_Group_Checker";
my $href = "";
my $header = "";
my $html_msg = "";
my $AuthGroup = $ENV{"HTTP_AUTHGROUP"};
my $AuthUser = $ENV{"HTTP_AUTHUSER"};
$env = $ENV{"ENV"};
my $global_iniFile = new Config::IniFiles( -file => "/opt/etc/ini/global.ini" );
if ( !defined( $env ) || ( $env =~ /^$/ ) ) {
$env = "test";
}
if ( !defined( $ENV{'DOCUMENT_ROOT'} )
&& !defined( $ENV{'REQUEST_URI'} )
&& !defined( $ENV{'HTTP_REFERER'} )
&& !defined( $ENV{'HTTP_CLIENT_IP'} )
&& !defined( $ENV{'SERVER_NAME'} )
&& !defined( $ENV{'HTTP_HOST'} )
&& ( $env eq "test" ) ) {
$cli_mode = 1;
} else {
$cli_mode = 0;
if ( ( ( !defined( $AuthGroup ) ) || ( $AuthGroup =~ /^$/ ) ) && ( $AuthUser =~ /^NET1\\(.*)$/ ) ) {
$AuthUser = $1;
my $html_msg_temp = '';
( $AuthGroup, $html_msg_temp ) = Access_LDAP_Get_User_Group( $global_iniFile, $AuthUser );
$html_msg .= $html_msg_temp;
undef $html_msg_temp;
$html_msg .= "AuthGroup:$AuthGroup" . br if $verbose;
} elsif ( $AuthGroup =~ /^cudgroup==/ ) {
$AuthGroup =~ s/cudgroup==//g;
}
if ( Access_Check_Script_Authorisation( $global_iniFile, $AuthGroup, $script ) != 1 ) {
$html_msg .= "AuthGroup:$AuthGroup" . br;
$html_msg .= "AuthUser:$AuthUser" . br;
Access_barf 401, "Not Authorized User", "Not Authorized User", $html_msg;
exit 1;
}
}
print header( -type => "text/html",
-charset => 'UTF-8', );
dg_header_html( $title, 1, 0, $href, $header );
print $html_msg;
print "Loading INI file Parameters" . br . "\n" if $verbose;
my $global_iniFile = new Config::IniFiles( -file => "/opt/etc/ini/global.ini" );
my $AiniFile = new Config::IniFiles( -file => $global_iniFile->val( 'INI', 'AD' ) );
my $adserver = $AiniFile->val( 'AD_NET1', 'SERVER' );
print "error value of adserver is undefined" if ( !defined( $adserver ) );
my $aduser = $AiniFile->val( 'AD_NET1', 'USER' );
print "error value of aduser is undefined" if ( !defined( $aduser ) );
my $adpasswd = $AiniFile->val( 'AD_NET1', 'PASSWORD' );
print "error value of adpasswd is undefined" if ( !defined( $adpasswd ) );
my $searchbase = 'DC=net1,DC=cec,DC=eu,DC=int';
############ Get user name, group
my $action = '';
$action = param( 'action' ) if ( ( defined( param( 'action' ) ) ) && ( param( 'action' ) !~ /^$/ ) && ( param( 'action' ) =~ /^\w+$/ ) );
my $groupname = '';
$groupname = param( 'groupname' ) if ( ( defined( param( 'groupname' ) ) ) && ( param( 'groupname' ) !~ /^$/ ) && ( param( 'groupname' ) =~ /^[\w\.-]+$/ ) );
my $uid = '';
$uid = param( 'uid' ) if ( ( defined( param( 'uid' ) ) ) && ( param( 'uid' ) !~ /^$/ ) && ( param( 'uid' ) =~ /^\w+$/ ) );
if ( ( $action eq 'Search' ) && ( $uid =~ /^\w+$/ ) && ( $groupname =~ /^[\w\.-]+$/ ) ) {
my $ad_net1 = AD_connect( $adserver, $aduser, $adpasswd );
# TODO check for bind errors
#print "bind: ldap_error_text($mesg->code) \n";
#print Dumper($mesg);
##################################### MAIN ###########################################
##
## Get DN for user and goup
my $user_dn = get_dn( $ad_net1, $searchbase, $uid );
if ( $user_dn eq "Not found" ) {
print "uid $uid not found in AD !" . br;
exit 1;
}
print "User DN: $user_dn" . br;
my $grp_dn = get_dn( $ad_net1, $searchbase, $groupname );
if ( $grp_dn eq "Not found" ) {
print "group $groupname not found in AD !" . br;
exit 1;
}
print "Group DN: $grp_dn" . br;
my $grp_cn = "CN=" . substr( $grp_dn, 3 );
print "Group CN: $grp_cn" . br;
##
## Simple match (user is part of group)
print br. "Searching using Fast path." . br;
my $fp = is_memberOf( $ad_net1, $user_dn, $grp_dn );
if ( 1 == $fp ) {
found( $uid, $groupname );
} else {
##
## Recursive check
print "Not found using Fast path." . br;
print "Searching using Slow path." . br;
$fp = search_rec( $ad_net1, $user_dn, $grp_dn, $fp, 1, $user_dn );
if ( 0 == $fp ) {
printf "User '$uid' NOT found in '$groupname'." . br;
}
}
} else {
print "Check if user is member of an AD's group (up to 3 group of group deep)" . br;
print start_ol();
print li( [ "Check if user is a direct member of the group.", "Check recursively in each user's group to find if a member's group is included in the target group." ] );
print end_ol();
print "Most of the groups are in the form of <DG>-IAP-Users" . br;
print start_form( -enctype => &CGI::URL_ENCODED );
print "<em>Username:</em>" . br;
print textfield( -name => 'uid', -value => $uid ) . br;
print "<em>Groupname:</em>" . br;
print textfield( -name => 'groupname', -value => $groupname ) . br . br . br;
print submit( -name => 'action', -value => 'Search' );
print endform;
}
print '</div>';
dg_footer_html();
################ Some functions ###############################
sub is_memberOf ($$$)
{
my ( $ad, $user, $grp ) = @_;
my $attrs = ['memberOf'];
my $filter = "memberOf=$grp";
my $results = $ad->search( base => $user, filter => $filter, attrs => $attrs, scope => 'base' );
my $count = $results->count;
if ( $count == 1 ) {
return 1;
} elsif ( $count == 0 ) {
return 0;
} else {
print "Should not happen\n";
print Dumper( $results );
return -1;
}
}
sub get_memberOf ($$)
{
my ( $ad, $grp ) = @_;
my @memberOf = ();
my $attrs = ['memberOf'];
my $filter = "objectclass=*";
my $results = $ad->search( base => $grp, filter => $filter, attrs => $attrs, scope => 'base' );
my $count = $results->count;
if ( $count == 1 ) {
my $entry = $results->entry( 0 );
#print Dumper($entry);
@memberOf = $entry->get_value( 'memberOf' );
}
return @memberOf;
}
sub get_dn ($$$)
{
my ( $ad, $searchbase, $user ) = @_;
my $attrs = ['cn'];
my $filter = "sAMAccountName=$user";
my $results = $ad->search( base => $searchbase, filter => $filter, attrs => $attrs );
my $count = $results->count;
if ( $count == 1 ) {
my $entry = $results->entry( 0 );
print "dn-> " . $entry->dn . "\n" if ( $main::debug );
return $entry->dn;
} else {
return "Not found";
}
}
sub found ($$)
{
my ( $uid, $groupname ) = @_;
printf br. "User '$uid' found in '$groupname'" . br;
}
sub search_rec ($$$$$$)
{
my ( $ad, $user_dn, $grp_dn, $fp, $level, $base ) = @_;
if ( 0 == $fp ) {
my @memberOf = get_memberOf( $ad, $base );
foreach my $grp ( @memberOf ) {
next if ( $grp =~ /Distribution|Resource/ );
#print ".";
$grp =~ /^CN=(.+?),OU=/;
print "$level: search in $1 \n" if ( $main::debug );
$fp = is_memberOf( $ad, $grp, $grp_dn );
if ( 1 == $fp ) {
found( $uid, $groupname );
last;
} elsif ( 0 == $fp && $level < 3 ) {
$level = $level + 1;
$grp =~ /^CN=(.+?),OU=/;
print "\tgoing to $1\n" if ( $main::debug );
$fp = search_rec( $ad, $user_dn, $grp_dn, $fp, $level, $grp );
$level = $level - 1;
}
last if ( 1 == $fp );
}
}
return $fp;
}
exit 0;
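Review bot: The LDAP filters in is_memberOf (`memberOf=$grp`) and get_dn (`sAMAccountName=$user`) are built by interpolating raw values, and the DNs that search_rec passes into is_memberOf come straight from the directory, so a DN containing `(`, `)`, `*` or `\` changes or breaks the filter. Escape them with Net::LDAP::Util, e.g. `use Net::LDAP::Util qw(escape_filter_value);` next to `use Net::LDAP;` and `my $filter = "memberOf=" . escape_filter_value($grp);`, with the same treatment for the sAMAccountName filter. The `/^\w+$/` and `/^[\w\.-]+$/` checks on the `uid` and `groupname` parameters also accept a trailing newline because `$` matches before a final newline; `\A`…`\z` anchors close that gap. A smaller point: search_rec calls `found( $uid, $groupname )` using the file-scoped variables rather than its own arguments, and the `$1` printed after `$grp =~ /^CN=(.+?),OU=/` is stale whenever that match fails.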
#!/usr/bin/perl
# Check if user is member of an AD's group (up to 3 group of group deep)
# 1. check if user is a direct member of the group
# 2. check recursively in each user's group to find if a member's group is included in the target group
#
use strict;
use warnings;
#
use Data::Dumper;
use CGI qw/:standard start_ol/;
use Config::IniFiles;
use File::Basename;
use Net::LDAP;
# unbuffered output:
$| = 1;
sub is_memberOf ($$$);
sub get_memberOf ($$$$$);
sub get_ldap_memberOf ($$$$$);
sub get_dn ($$$$$;$);
sub search_rec ($$$$);
BEGIN {
my $iniFile = new Config::IniFiles( -file => "/opt/etc/ini/global.ini" );
push( @INC, $iniFile->val( 'APPLICATION', 'LIBRARY' ) );
}
use SNET::access;
use SNET::common;
use SNET::html;
use SNET::ActiveDirectory;
use vars qw($verbose $debug $help $env $script $cli_mode);
$debug = 0;
$verbose = 0;
( $script ) = split( /\./, basename( $0 ) );
my $title = "Group Dump";
my $function = $title;
$function =~ s/\s/_/g;
my $href = "";
my $header = h1( a( { href => "/snet/cgi-bin/auth/$script.pl" }, $title ) );
my $html_msg = "";
$env = $ENV{"ENV"};
my $global_iniFile = new Config::IniFiles( -file => "/opt/etc/ini/global.ini" );
if ( !defined( $env ) || ( $env =~ /^$/ ) ) {
$env = "test";
}
( $html_msg ) = Access_snet_script_head( $script, $global_iniFile, $ENV, $env );
print header( -type => "text/html", -charset => 'UTF-8', );
dg_header_html( $title, 1, 0, $href, $header );
print $html_msg;
print "Loading INI file Parameters" . br . "\n" if $verbose;
my $AiniFile = new Config::IniFiles( -file => $global_iniFile->val( 'INI', 'LDAP' ) );
metaprint( "error", "error value of AiniFile is undefined" ) if ( !defined( $AiniFile ) );
my $credential = ();
$credential->{'NET1'}{'server'} = $AiniFile->val( 'AD_NET1', 'SERVER' );
metaprint( "error", "error value of adserver is undefined" ) if ( !defined( $credential->{'NET1'}{'server'} ) );
$credential->{'NET1'}{'user'} = $AiniFile->val( 'AD_NET1', 'USER' );
metaprint( "error", "error value of aduser is undefined" ) if ( !defined( $credential->{'NET1'}{'user'} ) );
$credential->{'NET1'}{'passwd'} = $AiniFile->val( 'AD_NET1', 'PASSWORD' );
metaprint( "error", "error value of adpasswd is undefined" ) if ( !defined( $credential->{'NET1'}{'passwd'} ) );
$credential->{'NET1'}{'base'} = 'DC=net1,DC=cec,DC=eu,DC=int';
$credential->{'NET1'}{'attrs'} = ['cn'];
$credential->{'NET1'}{'filter'} = "sAMAccountName=";
####
$credential->{'EC_LDAP'}{'server'} = $AiniFile->val( 'LDAP_EC', 'SERVER' );
metaprint( "error", "error value of ec_ldapserver is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'server'} ) );
$credential->{'EC_LDAP'}{'user'} = $AiniFile->val( 'LDAP_EC', 'USER' );
metaprint( "error", "error value of ec_ldapuser is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'user'} ) );
$credential->{'EC_LDAP'}{'passwd'} = $AiniFile->val( 'LDAP_EC', 'PASSWORD' );
metaprint( "error", "error value of ec_ldappasswd is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'passwd'} ) );
$credential->{'EC_LDAP'}{'base'} = $AiniFile->val( 'LDAP_EC', 'BASE' );
metaprint( "error", "error value of ec_basedn is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'base'} ) );
$credential->{'EC_LDAP'}{'attrs'} = ['cn'];
$credential->{'EC_LDAP'}{'attrs_gon'} = ['cudgroup'];
$credential->{'EC_LDAP'}{'filter'} = "(&(objectClass=cudperson)(cudgroup=";
$credential->{'EC_LDAP'}{'filter_post'} = "))";
$credential->{'EC_LDAP_Proxy'}{'server'} = $AiniFile->val( 'LDAP_EC', 'SERVER' );
metaprint( "error", "error value of ec_ldapserver is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'server'} ) );
$credential->{'EC_LDAP_Proxy'}{'user'} = $AiniFile->val( 'LDAP_EC', 'USER' );
metaprint( "error", "error value of ec_ldapuser is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'user'} ) );
$credential->{'EC_LDAP_Proxy'}{'passwd'} = $AiniFile->val( 'LDAP_EC', 'PASSWORD' );
metaprint( "error", "error value of ec_ldappasswd is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'passwd'} ) );
$credential->{'EC_LDAP_Proxy'}{'base'} = $AiniFile->val( 'LDAP_EC', 'BASE' );
metaprint( "error", "error value of ec_basedn is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'base'} ) );
$credential->{'EC_LDAP_Proxy'}{'attrs'} = ['cn'];
$credential->{'EC_LDAP_Proxy'}{'attrs_gon'} = ['cudgroup'];
$credential->{'EC_LDAP_Proxy'}{'filter'} = "(&(objectClass=cudperson)(cudgroup=";
$credential->{'EC_LDAP_Proxy'}{'filter_post'} = "))";
$credential->{'EC_LDAP_RP'}{'server'} = $AiniFile->val( 'LDAP_EC', 'SERVER' );
metaprint( "error", "error value of ec_ldapserver is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'server'} ) );
$credential->{'EC_LDAP_RP'}{'user'} = $AiniFile->val( 'LDAP_EC', 'USER' );
metaprint( "error", "error value of ec_ldapuser is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'user'} ) );
$credential->{'EC_LDAP_RP'}{'passwd'} = $AiniFile->val( 'LDAP_EC', 'PASSWORD' );
metaprint( "error", "error value of ec_ldappasswd is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'passwd'} ) );
$credential->{'EC_LDAP_RP'}{'base'} = $AiniFile->val( 'LDAP_EC', 'BASE' );
metaprint( "error", "error value of ec_basedn is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'base'} ) );
$credential->{'EC_LDAP_RP'}{'attrs'} = ['cn'];
$credential->{'EC_LDAP_RP'}{'attrs_gon'} = ['cudgroup'];
$credential->{'EC_LDAP_RP'}{'filter'} = "(&(objectClass=cudperson)(cudgroup=";
$credential->{'EC_LDAP_RP'}{'filter_post'} = "))";
####
$credential->{'SNMC_LDAP'}{'server'} = $AiniFile->val( 'LDAP_SNET_NG', 'SERVER' );
metaprint( "error", "error value of cfg_ldap_server is undefined" ) if ( !defined( $credential->{'SNMC_LDAP'}{'server'} ) );
$credential->{'SNMC_LDAP'}{'user'} = $AiniFile->val( 'LDAP_SNET_NG', 'USER' );
metaprint( "error", "error value of cfg_ldap_user is undefined" ) if ( !defined( $credential->{'SNMC_LDAP'}{'user'} ) );
$credential->{'SNMC_LDAP'}{'passwd'} = $AiniFile->val( 'LDAP_SNET_NG', 'PASSWORD' );
metaprint( "error", "error value of cfg_ldap_passwd is undefined" ) if ( !defined( $credential->{'SNMC_LDAP'}{'passwd'} ) );
$credential->{'SNMC_LDAP'}{'base'} = $AiniFile->val( 'LDAP_SNET_NG', 'BASE' );
metaprint( "error", "error value of cfg_ldap_search_scope is undefined" ) if ( !defined( $credential->{'SNMC_LDAP'}{'base'} ) );
$credential->{'SNMC_LDAP'}{'cafile'} = $AiniFile->val( 'LDAP_SNET_NG', 'CA' );
metaprint( "error", "error value of cfg_ldap_cafile is undefined" ) if ( !defined( $credential->{'SNMC_LDAP'}{'cafile'} ) );
$credential->{'SNMC_LDAP'}{'attrs'} = [ 'cn', 'memberOf' ];
$credential->{'SNMC_LDAP'}{'attrs_gon'} = ['memberOf'];
$credential->{'SNMC_LDAP'}{'filter'} = "uid=";
#my $cfg_ldap_group_search = $AiniFile->val( 'LDAP_SNET_NG', 'GRP_SEARCH' );
#metaprint( "error", "error value of cfg_ldap_group_search is undefined" ) if ( !defined( $cfg_ldap_group_search ) );
#my $cfg_ldap_group_search_filter = $AiniFile->val( 'LDAP_SNET_NG', 'FILTER' );
#metaprint( "error", "error value of cfg_ldap_group_search_filter is undefined" ) if ( !defined( $cfg_ldap_group_search_filter ) );
#$cfg_ldap_group_search_filter = "(&(objectclass=posixGroup)(cn=REPLACE))";
#my $cfg_ldap_group_attribute = $AiniFile->val( 'LDAP_SNET_NG', 'GRP_ATTRIBUTE' );
#metaprint( "error", "error value of cfg_ldap_group_attribute is undefined" ) if ( !defined( $cfg_ldap_group_attribute ) );
#$cfg_ldap_group_attribute = ["memberuid"];
#my $cfg_ldap_search_scope = $AiniFile->val( 'LDAP_SNET_NG', 'SEARCH_SCOPE' );
#metaprint( "error", "error value of cfg_ldap_search_scope is undefined" ) if ( !defined( $cfg_ldap_search_scope ) );
############ Get user name, group
my $action = '';
$action = param( 'action' ) if ( ( defined( param( 'action' ) ) ) && ( param( 'action' ) !~ /^$/ ) && ( param( 'action' ) =~ /^\w+$/ ) );
my $uid = '';
$uid = param( 'uid' ) if ( ( defined( param( 'uid' ) ) ) && ( param( 'uid' ) !~ /^$/ ) && ( param( 'uid' ) =~ /^\w+$/ ) );
my $type = 'NET1';
$type = param( 'type' ) if ( ( defined( param( 'type' ) ) ) && ( param( 'type' ) !~ /^$/ ) && ( param( 'type' ) =~ /^((EC|SNMC)_LDAP(_Proxy|RP)?|NET1)$/ ) );
my $format = '';
$format = param( 'format' ) if ( ( defined( param( 'format' ) ) ) && ( param( 'format' ) !~ /^$/ ) && ( param( 'format' ) =~ /^\w+$/ ) );
$verbose = 1 if ( ( defined( param( 'verbose' ) ) ) && ( param( 'verbose' ) !~ /^$/ ) && ( param( 'verbose' ) =~ /^[\d\w]+$/ ) && ( param( 'verbose' ) eq 'godmode1' ) );
$debug = 1 if ( ( defined( param( 'debug' ) ) ) && ( param( 'debug' ) !~ /^$/ ) && ( param( 'debug' ) =~ /^[\d\w]+$/ ) && ( param( 'debug' ) eq 'godmode1' ) );
if ( ( $action eq 'Search' ) && ( $uid =~ /^\w+$/ ) && ( $type =~ /^((EC|SNMC)_LDAP(_Proxy|RP)?|NET1)$/ ) ) {
print '<div class="preview">';
my ( $status, $connection ) =
AD_connect( $credential->{$type}{'server'}, $credential->{$type}{'user'}, $credential->{$type}{'passwd'}, ( $credential->{$type}{'cafile'} ? $credential->{$type}{'cafile'} : '' ) );
if ( !$status ) {
print "ERROR: $connection." . nl();
exit 1;
}
my $searchbase = $credential->{$type}{'base'};
# TODO check for bind errors
#print "bind: ldap_error_text($mesg->code) \n";
#print Dumper($mesg);
##################################### MAIN ###########################################
print "Searching for group '$uid' in $type !" . nl();
##
## Get DN for user and goup
my $user_dn = undef;
if ( defined( $credential->{$type}{'filter_post'} ) && $credential->{$type}{'filter_post'} ) {
$user_dn = get_dn( $connection, $searchbase, $uid, $credential->{$type}{'attrs'}, $credential->{$type}{'filter'}, $credential->{$type}{'filter_post'} );
} else {
$user_dn = get_dn( $connection, $searchbase, $uid, $credential->{$type}{'attrs'}, $credential->{$type}{'filter'} );
}
if ( $user_dn eq "Not found" ) {
print "uid $uid not found in $type ($searchbase) with query (" . $credential->{$type}{'filter'} . ")!" . nl();
exit 1;
}
print "User DN: $user_dn" . nl();
##
## Recursive check
print "Searching all group recursivly." . nl();
if ( defined( $credential->{$type}{'attrs_gon'} ) ) {
print "Searching for groupOfName membership." . nl();
my @ldap_group = get_ldap_memberOf( $connection, $searchbase, $uid, $credential->{$type}{'attrs_gon'}, $credential->{$type}{'filter'} );
foreach ( @ldap_group ) {
print "level 0 groupname: '$_'" . nl();
}
}
if ( $type eq 'SNMC_LDAP' ) {
print "Searching for PosixGroup membership." . nl();
my $attrs = ['cn'];
my $filter = "(&(objectclass=posixGroup)(memberuid=$uid))";
my $base = 'sub';
my @ldap_group = get_memberOf( $connection, $searchbase, $attrs, $filter, $base );
foreach ( @ldap_group ) {
print "level 0 groupname: '$_'" . nl();
}
}
if ( $type eq 'NET1' ) {
my $known = ();
search_rec( $connection, $user_dn, 1, $known );
}
print '</div>';
} else {
print "Display the group membership" . nl();
print start_ol();
print "Please fill the groupname in lower case." . nl();
print "Please choose the authorisation to perform the audit." . nl();
print end_ol();
print start_form( -enctype => &CGI::URL_ENCODED );
print "<em>Groupname:</em>" . nl();
print textfield( -name => 'uid', -value => $uid ) . nl();
print popup_menu( 'type', [ 'EC_LDAP', 'SNMC_LDAP', 'NET1', 'EC_LDAP_Proxy', 'EC_LDAP_RP' ], 'NET1' );
print submit( -name => 'action', -value => 'Search' );
print end_form();
}
print '</div>';
dg_footer_html();
################ Some functions ###############################
sub is_memberOf ($$$)
{
my ( $ad, $user, $grp ) = @_;
my $attrs = ['memberOf'];
my $filter = "memberOf=$grp";
my $results = $ad->search( base => $user, filter => $filter, attrs => $attrs, scope => 'base' );
my $count = $results->count;
if ( $count == 1 ) {
return 1;
} elsif ( $count == 0 ) {
return 0;
} else {
print "Should not happen\n";
print Dumper( $results );
return -1;
}
}
sub get_memberOf ($$$$$)
{
my ( $ad, $grp, $attrs, $filter, $base ) = @_;
my @memberOf = ();
my $results = $ad->search( base => $grp, filter => $filter, attrs => $attrs, scope => $base );
my $count = $results->count;
# print html_rendering ( Dumper( $results->as_struct() ) ); # if $verbose;
if ( $results->is_error() ) {
metaprint( 'error', 'search failed: ' . $results->error_text );
metaprint( 'error', 'search failed: ' . $results->code );
metaprint( 'error', 'search failed: ' . $results->error );
} elsif ( $count == 0 ) {
metaprint( 'error', 'Not found' );
} elsif ( $count >= 1 ) {
foreach my $entry ( $results->entries ) {
# print html_rendering( Dumper( $entry ) );
foreach my $key ( @$attrs ) {
my @tmp = $entry->get_value( lc( $key ) );
foreach my $v ( @tmp ) {
push( @memberOf, $v );
}
}
}
}
return @memberOf;
}
sub get_ldap_memberOf ($$$$$)
{
my ( $ad, $searchbase, $user, $attrs, $filter ) = @_;
$filter = $filter . $user;
my @memberOf = ();
my $results = $ad->search( base => $searchbase, filter => $filter, attrs => $attrs, scope => 'sub' );
my $count = $results->count;
# print html_rendering ( Dumper( $results->as_struct() ) ) if $verbose;
if ( $count >= 1 ) {
foreach my $entry ( $results->entries ) {
# print html_rendering( Dumper( $entry ) );
foreach my $key ( @$attrs ) {
my @tmp = $entry->get_value( lc( $key ) );
foreach my $v ( @tmp ) {
push( @memberOf, $v );
}
}
}
}
return @memberOf;
}
sub get_dn ($$$$$;$)
{
my ( $ad, $searchbase, $user, $attrs, $filter, $filter_post ) = @_;
$filter = $filter . $user;
if ( defined( $filter_post ) ) {
$filter = $filter . $filter_post;
}
metaprint( 'error', $filter);
my $results = $ad->search( base => $searchbase, filter => $filter, attrs => $attrs, scope => 'sub' );
my $count = $results->count;
print html_rendering ( Dumper( $results->as_struct() ) ) if $verbose;
if ( $results->is_error() ) {
metaprint( 'error', 'search failed: ' . $results->error_text );
metaprint( 'error', 'search failed: ' . $results->code );
metaprint( 'error', 'search failed: ' . $results->error );
} elsif ( $count == 0 ) {
metaprint( 'error', 'Not found' );
} elsif ( $count == 1 ) {
my $entry = $results->entry( 0 );
print "dn-> " . $entry->dn . "\n" if ( $main::debug );
return $entry->dn;
} else {
return "Not found";
}
}
sub search_rec ($$$$)
{
my ( $ad, $user_dn, $level, $known ) = @_;
my $attrs = ['memberOf'];
my $filter = "objectclass=*";
my $base = 'base';
my @memberOf = get_memberOf( $ad, $user_dn, $attrs, $filter, $base );
foreach my $grp ( @memberOf ) {
print "'$grp'<br>";
next if ( $grp =~ /Distribution|Resource/ );
print "level $level groupname: '$grp'" . nl();
if ( ( !defined( $known->{$grp} ) ) && ( $grp =~ /^CN=(.+?),OU=/ ) ) {
$known->{$grp} = $1;
$level++;
search_rec( $ad, $grp, $level, $known );
$level--;
}
}
}
exit 0;
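Review bot: The `type` whitelist `/^((EC|SNMC)_LDAP(_Proxy|RP)?|NET1)$/`, used both on the param check and in the main condition, rejects `EC_LDAP_RP`, one of the values the popup_menu offers, because the optional group matches `RP` but not `_RP`; a request for EC_LDAP_RP therefore silently falls back to the NET1 default. The fix is `(_Proxy|_RP)?` in both places, and the third script on this page repeats the same pattern in its `type` check. In get_dn the `is_error` and `count == 0` branches only call metaprint and then fall off the end, so the caller's `eq "Not found"` test never fires for a missing uid and the script continues with whatever metaprint returned; add `return "Not found";` after the if/elsif chain, and guard the unconditional `metaprint( 'error', $filter);` before the search with `if $debug`, since it prints an error on every successful lookup. Separately, verbose and debug are switched on by a fixed literal in the query string and verbose dumps the raw search result to the page, so that output should be treated as reachable by any authorised caller.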
#!/usr/bin/perl
# Check if user is member of an AD's group (up to 3 group of group deep)
# 1. check if user is a direct member of the group
# 2. check recursively in each user's group to find if a member's group is included in the target group
#
use strict;
use warnings;
#
use Data::Dumper;
use CGI qw/:standard start_ol/;
use Config::IniFiles;
use File::Basename;
use Net::LDAP;
# unbuffered output:
$| = 1;
sub is_memberOf ($$$);
sub get_memberOf ($$$$$);
sub get_ldap_memberOf ($$$$$);
sub get_dn ($$$$$);
sub search_rec ($$$$);
BEGIN {
my $iniFile = new Config::IniFiles( -file => "/opt/etc/ini/global.ini" );
push( @INC, $iniFile->val( 'APPLICATION', 'LIBRARY' ) );
}
use SNET::access;
use SNET::common;
use SNET::html;
use SNET::ActiveDirectory;
use vars qw($verbose $debug $help $env $script $cli_mode);
$debug = 0;
$verbose = 0;
( $script ) = split( /\./, basename( $0 ) );
my $title = "User Dump";
my $function = $title;
$function =~ s/\s/_/g;
my $href = "";
my $header = h1( a( { href => "/snet/cgi-bin/auth/$script.pl" }, $title ) );
my $html_msg = "";
$env = $ENV{"ENV"};
my $global_iniFile = new Config::IniFiles( -file => "/opt/etc/ini/global.ini" );
if ( !defined( $env ) || ( $env =~ /^$/ ) ) {
$env = "test";
}
( $html_msg ) = Access_snet_script_head( $script, $global_iniFile, $ENV, $env );
print header( -type => "text/html", -charset => 'UTF-8', );
dg_header_html( $title, 1, 0, $href, $header );
print $html_msg;
print "Loading INI file Parameters" . br . "\n" if $verbose;
my $AiniFile = new Config::IniFiles( -file => $global_iniFile->val( 'INI', 'LDAP' ) );
metaprint( "error", "error value of AiniFile is undefined" ) if ( !defined( $AiniFile ) );
my $credential = ();
$credential->{'NET1'}{'server'} = $AiniFile->val( 'AD_NET1', 'SERVER' );
metaprint( "error", "error value of adserver is undefined" ) if ( !defined( $credential->{'NET1'}{'server'} ) );
$credential->{'NET1'}{'user'} = $AiniFile->val( 'AD_NET1', 'USER' );
metaprint( "error", "error value of aduser is undefined" ) if ( !defined( $credential->{'NET1'}{'user'} ) );
$credential->{'NET1'}{'passwd'} = $AiniFile->val( 'AD_NET1', 'PASSWORD' );
metaprint( "error", "error value of adpasswd is undefined" ) if ( !defined( $credential->{'NET1'}{'passwd'} ) );
$credential->{'NET1'}{'base'} = 'DC=net1,DC=cec,DC=eu,DC=int';
$credential->{'NET1'}{'attrs'} = ['cn'];
$credential->{'NET1'}{'filter'} = "sAMAccountName=";
####
$credential->{'EC_LDAP'}{'server'} = $AiniFile->val( 'LDAP_EC', 'SERVER' );
metaprint( "error", "error value of ec_ldapserver is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'server'} ) );
$credential->{'EC_LDAP'}{'user'} = $AiniFile->val( 'LDAP_EC', 'USER' );
metaprint( "error", "error value of ec_ldapuser is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'user'} ) );
$credential->{'EC_LDAP'}{'passwd'} = $AiniFile->val( 'LDAP_EC', 'PASSWORD' );
metaprint( "error", "error value of ec_ldappasswd is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'passwd'} ) );
$credential->{'EC_LDAP'}{'base'} = $AiniFile->val( 'LDAP_EC', 'BASE' );
metaprint( "error", "error value of ec_basedn is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'base'} ) );
$credential->{'EC_LDAP'}{'attrs'} = ['cn'];
$credential->{'EC_LDAP'}{'attrs_gon'} = ['cudgroup'];
$credential->{'EC_LDAP'}{'filter'} = "uid=";
$credential->{'EC_LDAP_Proxy'}{'server'} = $AiniFile->val( 'LDAP_EC', 'SERVER' );
metaprint( "error", "error value of ec_ldapserver is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'server'} ) );
$credential->{'EC_LDAP_Proxy'}{'user'} = $AiniFile->val( 'LDAP_EC', 'USER' );
metaprint( "error", "error value of ec_ldapuser is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'user'} ) );
$credential->{'EC_LDAP_Proxy'}{'passwd'} = $AiniFile->val( 'LDAP_EC', 'PASSWORD' );
metaprint( "error", "error value of ec_ldappasswd is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'passwd'} ) );
$credential->{'EC_LDAP_Proxy'}{'base'} = $AiniFile->val( 'LDAP_EC', 'BASE' );
metaprint( "error", "error value of ec_basedn is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'base'} ) );
$credential->{'EC_LDAP_Proxy'}{'attrs'} = ['cn'];
$credential->{'EC_LDAP_Proxy'}{'attrs_gon'} = ['cudgroup'];
$credential->{'EC_LDAP_Proxy'}{'filter'} = "uid=";
$credential->{'EC_LDAP_RP'}{'server'} = $AiniFile->val( 'LDAP_EC', 'SERVER' );
metaprint( "error", "error value of ec_ldapserver is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'server'} ) );
$credential->{'EC_LDAP_RP'}{'user'} = $AiniFile->val( 'LDAP_EC', 'USER' );
metaprint( "error", "error value of ec_ldapuser is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'user'} ) );
$credential->{'EC_LDAP_RP'}{'passwd'} = $AiniFile->val( 'LDAP_EC', 'PASSWORD' );
metaprint( "error", "error value of ec_ldappasswd is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'passwd'} ) );
$credential->{'EC_LDAP_RP'}{'base'} = $AiniFile->val( 'LDAP_EC', 'BASE' );
metaprint( "error", "error value of ec_basedn is undefined" ) if ( !defined( $credential->{'EC_LDAP'}{'base'} ) );
$credential->{'EC_LDAP_RP'}{'attrs'} = ['cn'];
$credential->{'EC_LDAP_RP'}{'attrs_gon'} = ['cudgroup'];
$credential->{'EC_LDAP_RP'}{'filter'} = "uid=";
####
$credential->{'SNMC_LDAP'}{'server'} = $AiniFile->val( 'LDAP_SNET_NG', 'SERVER' );
metaprint( "error", "error value of cfg_ldap_server is undefined" ) if ( !defined( $credential->{'SNMC_LDAP'}{'server'} ) );
$credential->{'SNMC_LDAP'}{'user'} = $AiniFile->val( 'LDAP_SNET_NG', 'USER' );
metaprint( "error", "error value of cfg_ldap_user is undefined" ) if ( !defined( $credential->{'SNMC_LDAP'}{'user'} ) );
$credential->{'SNMC_LDAP'}{'passwd'} = $AiniFile->val( 'LDAP_SNET_NG', 'PASSWORD' );
metaprint( "error", "error value of cfg_ldap_passwd is undefined" ) if ( !defined( $credential->{'SNMC_LDAP'}{'passwd'} ) );
$credential->{'SNMC_LDAP'}{'base'} = $AiniFile->val( 'LDAP_SNET_NG', 'BASE' );
metaprint( "error", "error value of cfg_ldap_search_scope is undefined" ) if ( !defined( $credential->{'SNMC_LDAP'}{'base'} ) );
$credential->{'SNMC_LDAP'}{'cafile'} = $AiniFile->val( 'LDAP_SNET_NG', 'CA' );
metaprint( "error", "error value of cfg_ldap_cafile is undefined" ) if ( !defined( $credential->{'SNMC_LDAP'}{'cafile'} ) );
$credential->{'SNMC_LDAP'}{'attrs'} = [ 'cn', 'memberOf' ];
$credential->{'SNMC_LDAP'}{'attrs_gon'} = ['memberOf'];
$credential->{'SNMC_LDAP'}{'filter'} = "uid=";
#my $cfg_ldap_group_search = $AiniFile->val( 'LDAP_SNET_NG', 'GRP_SEARCH' );
#metaprint( "error", "error value of cfg_ldap_group_search is undefined" ) if ( !defined( $cfg_ldap_group_search ) );
#my $cfg_ldap_group_search_filter = $AiniFile->val( 'LDAP_SNET_NG', 'FILTER' );
#metaprint( "error", "error value of cfg_ldap_group_search_filter is undefined" ) if ( !defined( $cfg_ldap_group_search_filter ) );
#$cfg_ldap_group_search_filter = "(&(objectclass=posixGroup)(cn=REPLACE))";
#my $cfg_ldap_group_attribute = $AiniFile->val( 'LDAP_SNET_NG', 'GRP_ATTRIBUTE' );
#metaprint( "error", "error value of cfg_ldap_group_attribute is undefined" ) if ( !defined( $cfg_ldap_group_attribute ) );
#$cfg_ldap_group_attribute = ["memberuid"];
#my $cfg_ldap_search_scope = $AiniFile->val( 'LDAP_SNET_NG', 'SEARCH_SCOPE' );
#metaprint( "error", "error value of cfg_ldap_search_scope is undefined" ) if ( !defined( $cfg_ldap_search_scope ) );
############ Get user name, group
# CGI parameters are only accepted when they match a whitelist pattern;
# anything else keeps the default.  NOTE(review): in these patterns "$"
# also matches before a trailing newline, so "\z" would be the stricter
# end anchor.
my $action = '';
$action = param( 'action' ) if ( ( defined( param( 'action' ) ) ) && ( param( 'action' ) !~ /^$/ ) && ( param( 'action' ) =~ /^\w+$/ ) );
# User identifier: word characters only, so it can be interpolated into
# the LDAP filters below without introducing filter metacharacters.
my $uid = '';
$uid = param( 'uid' ) if ( ( defined( param( 'uid' ) ) ) && ( param( 'uid' ) !~ /^$/ ) && ( param( 'uid' ) =~ /^\w+$/ ) );
# Directory to query; selects a credential set in $credential.
# NOTE(review): the form below offers 'EC_LDAP_RP', but this pattern only
# admits 'EC_LDAPRP' (no underscore), so that menu choice silently falls
# back to 'NET1' - one of the two should be corrected.
my $type = 'NET1';
$type = param( 'type' ) if ( ( defined( param( 'type' ) ) ) && ( param( 'type' ) !~ /^$/ ) && ( param( 'type' ) =~ /^((EC|SNMC)_LDAP(_Proxy|RP)?|NET1)$/ ) );
# Accepted but not referenced anywhere in the code below.
my $format = '';
$format = param( 'format' ) if ( ( defined( param( 'format' ) ) ) && ( param( 'format' ) !~ /^$/ ) && ( param( 'format' ) =~ /^\w+$/ ) );
# Verbose/debug output is switched on by a fixed query-string token.
# NOTE(review): verbose mode dumps the raw LDAP search result into the
# page (see get_dn), so anyone who knows this token can read directory
# data beyond the normal output; consider removing the token or tying
# it to the authenticated user/group instead.
$verbose = 1 if ( ( defined( param( 'verbose' ) ) ) && ( param( 'verbose' ) !~ /^$/ ) && ( param( 'verbose' ) =~ /^[\d\w]+$/ ) && ( param( 'verbose' ) eq 'godmode1' ) );
$debug = 1 if ( ( defined( param( 'debug' ) ) ) && ( param( 'debug' ) !~ /^$/ ) && ( param( 'debug' ) =~ /^[\d\w]+$/ ) && ( param( 'debug' ) eq 'godmode1' ) );
# Main flow: with a validated action/uid/type, bind to the directory and
# print the membership audit; otherwise render the input form.
if ( ( $action eq 'Search' ) && ( $uid =~ /^\w+$/ ) && ( $type =~ /^((EC|SNMC)_LDAP(_Proxy|RP)?|NET1)$/ ) ) {
print '<div class="preview">';
# Bind with the service credentials configured for the chosen directory;
# the CA file is optional.
my ( $status, $connection ) =
AD_connect( $credential->{$type}{'server'}, $credential->{$type}{'user'}, $credential->{$type}{'passwd'}, ( $credential->{$type}{'cafile'} ? $credential->{$type}{'cafile'} : '' ) );
if ( !$status ) {
# On failure the second return value is presumably the error text; it is
# echoed to the page as-is.
print "ERROR: $connection." . nl();
exit 1;
}
my $searchbase = $credential->{$type}{'base'};
# TODO check for bind errors
#print "bind: ldap_error_text($mesg->code) \n";
#print Dumper($mesg);
##################################### MAIN ###########################################
print "Searching for uid '$uid' in $type !" . nl();
##
## Get DN for user and goup
# get_dn returns the literal string "Not found" when no single entry
# matches; the uid itself was validated above (\w+ only).
my $user_dn = get_dn( $connection, $searchbase, $uid, $credential->{$type}{'attrs'}, $credential->{$type}{'filter'} );
if ( $user_dn eq "Not found" ) {
print "uid $uid not found in $type ($searchbase)!" . nl();
exit 1;
}
print "User DN: $user_dn" . nl();
##
## Recursive check
print "Searching all group recursivly." . nl();
# groupOfNames-style membership, only for directories that configure
# the 'attrs_gon' attribute list.
if ( defined( $credential->{$type}{'attrs_gon'} ) ) {
print "Searching for groupOfName membership." . nl();
my @ldap_group = get_ldap_memberOf( $connection, $searchbase, $uid, $credential->{$type}{'attrs_gon'}, $credential->{$type}{'filter'} );
foreach ( @ldap_group ) {
print "level 0 groupname: '$_'" . nl();
}
}
# posixGroup membership (memberUid) is specific to the SNMC directory.
if ( $type eq 'SNMC_LDAP' ) {
print "Searching for PosixGroup membership." . nl();
my $attrs = ['cn'];
# $uid is restricted to \w+ above, so it cannot carry filter metacharacters.
my $filter = "(&(objectclass=posixGroup)(memberuid=$uid))";
my $base = 'sub';
my @ldap_group = get_memberOf( $connection, $searchbase, $attrs, $filter, $base );
foreach ( @ldap_group ) {
print "level 0 groupname: '$_'" . nl();
}
}
# Active Directory: walk memberOf recursively from the user's DN.
if ( $type eq 'NET1' ) {
# NOTE(review): "my $known = ()" leaves $known undef; search_rec
# autovivifies it into a hashref on first use, but "my $known = {};"
# would state the intent (a set of already-visited group DNs).
my $known = ();
search_rec( $connection, $user_dn, 1, $known );
}
print '</div>';
} else {
# No (valid) search request: show the input form.
print "Display the user membership" . nl();
print start_ol();
print "Please fill the username in lower case." . nl();
print "Please choose the authorisation to perform the audit." . nl();
print end_ol();
print start_form( -enctype => &CGI::URL_ENCODED );
print "<em>Username:</em>" . nl();
print textfield( -name => 'uid', -value => $uid ) . nl();
print popup_menu( 'type', [ 'EC_LDAP', 'SNMC_LDAP', 'NET1', 'EC_LDAP_Proxy', 'EC_LDAP_RP' ], 'NET1' );
print submit( -name => 'action', -value => 'Search' );
print end_form();
}
print '</div>';
dg_footer_html();
################ Some functions ###############################
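sub is_memberOf ($$$)
{
    # Direct-membership test: does the entry at $user carry $grp in its
    # memberOf attribute?  Implemented as a base-scoped search on the
    # user's own DN with a "memberOf=<group>" filter.
    #
    # Arguments: $ad   - connected Net::LDAP handle
    #            $user - DN of the user entry to inspect
    #            $grp  - DN of the group to look for
    # Returns:   1 when the user lists the group, 0 when it does not (or
    #            when the search itself failed - fail closed), -1 when the
    #            base search unexpectedly returned more than one entry.
    #            Note that -1 is TRUE in boolean context: callers must
    #            compare against 1 rather than test truthiness.
    my ( $ad, $user, $grp ) = @_;
    my $attrs = ['memberOf'];
    # The group DN is embedded in a filter string, so the filter
    # metacharacters '(', ')', '*', '\' (common in DNs such as
    # "CN=Name (Dept),OU=...") must be hex-escaped per RFC 4515; otherwise
    # the filter fails to parse and the lookup silently reports "not a
    # member".
    my $filter = 'memberOf=' . _escape_filter_value( $grp );
    my $results = $ad->search( base => $user, filter => $filter, attrs => $attrs, scope => 'base' );
    if ( $results->is_error() ) {
        # A failed lookup must never count as membership.
        print "search failed: " . $results->error . "\n";
        return 0;
    }
    my $count = $results->count;
    return 1 if ( $count == 1 );
    return 0 if ( $count == 0 );
    # A base search returns at most one entry; anything else is a surprise.
    print "Should not happen\n";
    print Dumper( $results );
    return -1;
}

# Hex-escape the characters that are special inside an LDAP search filter
# assertion value (RFC 4515 section 3): backslash, '*', '(', ')' and NUL.
# Returns the escaped copy; undef is treated as the empty string.
sub _escape_filter_value
{
    my ( $value ) = @_;
    $value = '' if ( !defined( $value ) );
    $value =~ s/([\\*()\x00])/sprintf( '\\%02x', ord( $1 ) )/ge;
    return $value;
}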
sub get_memberOf ($$$$$)
{
    # Run one LDAP search and flatten the requested attribute values of
    # every matching entry into a single list (used to read group
    # membership attributes, hence the name).
    #
    # Arguments: $ad     - connected Net::LDAP handle
    #            $grp    - search base DN
    #            $attrs  - arrayref of attribute names to collect
    #            $filter - LDAP filter string, used as-is (not escaped here)
    #            $base   - search scope ('base', 'one' or 'sub')
    # Returns:   list of attribute values; an empty list when the search
    #            fails or matches nothing (both are reported via metaprint,
    #            so an empty membership list is logged as an error).
    # NOTE(review): the forward declaration of this sub near the top of the
    # file appears to carry a different prototype than the five-argument
    # definition here - confirm.
    my ( $ad, $grp, $attrs, $filter, $base ) = @_;
    my @values = ();
    my $results = $ad->search( base => $grp, filter => $filter, attrs => $attrs, scope => $base );
    if ( $results->is_error() ) {
        metaprint( 'error', 'search failed: ' . $results->error_text );
        metaprint( 'error', 'search failed: ' . $results->code );
        metaprint( 'error', 'search failed: ' . $results->error );
        return @values;
    }
    my $n_entries = $results->count;
    if ( $n_entries == 0 ) {
        metaprint( 'error', 'Not found' );
        return @values;
    }
    for my $entry ( $results->entries ) {
        for my $attribute ( @$attrs ) {
            # get_value in list context yields every value of the attribute
            push( @values, $entry->get_value( lc( $attribute ) ) );
        }
    }
    return @values;
}
sub get_ldap_memberOf ($$$$$)
{
    # Collect the given attributes of every entry matching "$filter$user"
    # below $searchbase (subtree scope).  Unlike get_memberOf, a failed or
    # empty search is not reported; the caller simply gets an empty list.
    #
    # Arguments: $ad         - connected Net::LDAP handle
    #            $searchbase - base DN of the subtree search
    #            $user       - user identifier appended verbatim to $filter
    #            $attrs      - arrayref of attribute names to collect
    #            $filter     - filter prefix (from the credential config);
    #                          the user id is concatenated onto it without
    #                          escaping, so callers must validate $user first
    # Returns:   list of attribute values, possibly empty
    my ( $ad, $searchbase, $user, $attrs, $filter ) = @_;
    my $user_filter = $filter . $user;
    my @values = ();
    my $results = $ad->search( base => $searchbase, filter => $user_filter, attrs => $attrs, scope => 'sub' );
    # print html_rendering ( Dumper( $results->as_struct() ) ) if $verbose;
    return @values if ( $results->count < 1 );
    for my $entry ( $results->entries ) {
        # map evaluates get_value in list context, so every value is kept
        push( @values, map { $entry->get_value( lc( $_ ) ) } @$attrs );
    }
    return @values;
}
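sub get_dn ($$$$$)
{
    # Resolve a user identifier to its DN with a subtree search for
    # "$filter$user" below $searchbase.
    #
    # Arguments: $ad         - connected Net::LDAP handle
    #            $searchbase - base DN of the subtree search
    #            $user       - user identifier appended verbatim to $filter
    #                          (must be validated by the caller, nothing is
    #                          escaped here)
    #            $attrs      - arrayref of attributes to request
    #            $filter     - filter prefix from the credential config
    # Returns:   the DN string when exactly one entry matches; otherwise
    #            the literal string "Not found" - on a failed search, on no
    #            match and on an ambiguous (multi-entry) match.  The failure
    #            cases are also reported through metaprint.  Callers compare
    #            the result against "Not found".
    # NOTE(review): the forward declaration of this sub near the top of the
    # file appears to carry a different prototype than the five-argument
    # definition here - confirm.
    my ( $ad, $searchbase, $user, $attrs, $filter ) = @_;
    my $not_found = "Not found";
    my $user_filter = $filter . $user;
    my $results = $ad->search( base => $searchbase, filter => $user_filter, attrs => $attrs, scope => 'sub' );
    # Verbose mode dumps the whole result set into the page.
    print html_rendering ( Dumper( $results->as_struct() ) ) if $main::verbose;
    if ( $results->is_error() ) {
        metaprint( 'error', 'search failed: ' . $results->error_text );
        metaprint( 'error', 'search failed: ' . $results->code );
        metaprint( 'error', 'search failed: ' . $results->error );
        # Previously this branch fell off the end of the sub, so the caller
        # received metaprint's return value instead of "Not found".
        return $not_found;
    }
    my $count = $results->count;
    if ( $count == 0 ) {
        metaprint( 'error', 'Not found' );
        return $not_found;
    }
    if ( $count > 1 ) {
        # An identity lookup must be unambiguous: never silently pick the
        # first of several matches, and say why the lookup was rejected.
        metaprint( 'error', "ambiguous: $count entries match $user" );
        return $not_found;
    }
    my $entry = $results->entry( 0 );
    print "dn-> " . $entry->dn . "\n" if ( $main::debug );
    return $entry->dn;
}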
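sub search_rec ($$$$)
{
    # Walk the memberOf chain upwards from $user_dn and print every group
    # found together with its nesting depth.  Each group DN is read with a
    # base search on its own entry (via get_memberOf), so the recursion
    # follows group-of-group links; groups whose DN contains "Distribution"
    # or "Resource" are skipped.
    #
    # Arguments: $ad       - connected Net::LDAP handle
    #            $user_dn  - DN whose memberOf values are expanded
    #            $level    - nesting depth of $user_dn's groups (1 = direct)
    #            $known    - hashref of group DNs already expanded, used to
    #                        stop on cyclic or repeated memberships; the
    #                        caller may pass undef and an empty hash is used
    # Returns:   nothing; output goes to STDOUT as HTML.
    # NOTE(review): the forward declaration of this sub near the top of the
    # file appears to carry a different prototype than the four-argument
    # definition here - confirm.
    my ( $ad, $user_dn, $level, $known ) = @_;
    # The main flow passes "my $known = ()" (undef); make the visited set
    # explicit instead of relying on autovivification.
    $known = {} if ( !defined( $known ) );
    my $attrs = ['memberOf'];
    my $filter = "objectclass=*";
    my $base = 'base';
    my @memberOf = get_memberOf( $ad, $user_dn, $attrs, $filter, $base );
    foreach my $grp ( @memberOf ) {
        # Group DNs come from the directory and are written into an HTML
        # page, so escape them rather than interpolating raw.
        my $shown = CGI::escapeHTML( $grp );
        # NOTE(review): this unconditional echo before the filter looks like
        # leftover debug output - confirm whether it is still wanted.
        print "'$shown'<br>";
        next if ( $grp =~ /Distribution|Resource/ );
        print "level $level groupname: '$shown'" . nl();
        # Only descend into groups not seen before; the CN capture is kept
        # as the hash value for reference.
        if ( ( !defined( $known->{$grp} ) ) && ( $grp =~ /^CN=(.+?),OU=/ ) ) {
            $known->{$grp} = $1;
            # pass the depth as an expression instead of mutating $level
            search_rec( $ad, $grp, $level + 1, $known );
        }
    }
    return;
}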
# Normal end of the script: the sub definitions above are compiled before
# the main flow runs, so execution reaches here right after dg_footer_html().
exit 0;