Update 20th March 2011: Heath has made some modifications to the original script and made it more efficient, see the comments below.
Here’s a script I wrote today, which updates the filtergroupslist file of Dansguardian. If you’re using LDAP authentication and want to give different levels of protection to certain groups of users, you need to update the list somehow, as Dansguardian doesn’t support LDAP groups. See this page for more info on filter groups.
The school I wrote this for is a Novell eDirectory site, and it will require a bit of modification to work on other sites. In particular you will need to alter the parameters of the ldapsearch command (filter string, server name, user credentials). Other LDAP servers may not support the ufn attribute, which this is based on. If your directory is well maintained and up to date you would probably be better off using the uid attribute, but this particular school hasn’t populated it for all users yet (only users created with ConsoleOne and iManager populate the uid attribute by default). If you do use uid, be sure to remove the cut command.
ldapsearch outputs data in ldif format, which is difficult to use in scripts. The tool to use to convert this is awk, which unfortunately is a language I haven’t learnt yet. So I found a premade awk script which converts ldif2csv (from here), removed all the attributes and replaced them with just ufn (you may want to use uid instead).
If you use this script and modify or improve it, I’d appreciate you contributing the modifications back, as they may be useful to others (myself included)!
updateFilter.sh
#!/bin/bash
#
# Dansguardian filter group update script
# Alex Forbes, Edtech Ltd
# Updated 9th September 2009
#
## Variables
# Dansguardian filtergroupslist file
DESTFILE=/root/filtergroupslist-test
LOGFILE=/var/log/dansfgupdate.log
# LDAP settings
LDAPFILTER="(&(objectClass=Person)(|(groupMembership=cn=ALL-TEACHERS,ou=TCHR,o=HWK)(groupMembership=cn=ALL-ADMIN,ou=ADM,o=HWK)(groupMembership=cn=OESAdmins,o=HWK)))"
# Which filtergroup do you want the users to be a member of
FILTERGROUP=filter2
# Path to the awk script (converts the ldif file to parseable text). I modified one from
# http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP-ScriptsAndTools.html
AWKSCRIPT=/opt/ldif2csv.awk
TMP=/tmp
# Dansguardian filter group list file
# Temp path, creates folder for the temp files. There are probably better ways of doing it.
# Make temp directories
WIP=$TMP/dgFilterUpdate
mkdir -p $WIP
# Header message
echo "## This file is automatically updated, any changes will be overwritten" > $WIP/4final
echo "## See /opt/edir2dansg.sh" >> $WIP/4final
echo "" >>$WIP/4final
# Perform LDAP search. Outputs ldif file.
ldapsearch -uxvA -H ldaps://fs2.howick.school.nz -b "o=HWK" -S '' -s "sub" -D cn=ldapauth,o=hwk -w password "$LDAPFILTER" ufn > $WIP/1ldif
# Picks out the ufn attribute using a modified awk script I found:
awk -F ': ' -f $AWKSCRIPT < $WIP/1ldif > $WIP/2txt
# Picks the first field of the ufn attribute to generate a clean list of users
cut -d, -f1 $WIP/2txt > $WIP/3userlist
# Add the values required to meet the dansguardian filter format
for u in `cat $WIP/3userlist`; do
echo "$u=$FILTERGROUP" >> $WIP/4final
done
# Finally, copy the file to overwrite the dansguardian list.
# I've done a simple check to make sure the file isn't too small in case of error, but it could be handled better.
SIZE=`stat -c %s $WIP/4final`
if [ $SIZE -gt 2500 ]; then
cp $WIP/4final $DESTFILE
echo $(date +"%Y/%m/%d %H:%M"): Updated filter groups list "("size $SIZE bytes")" >> $LOGFILE
else echo $(date +"%Y/%m/%d %H:%M"): Output file is too small, list not updated >> $LOGFILE
fi
# Gentle reload of dansguardian
dansguardian -g
And the modified awk script, ldif2csv.awk:
BEGIN {
ufn = ""
}
/^ufn: / {ufn=$2}
/^dn/ {
if(ufn != "") printf("%s\n",ufn)
ufn = ""
}
# Capture last dn
END {
if(ufn != "") printf("%s\n",ufn)
}
Update 9-9-09: Fixed a few dumb mistakes.
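The script above trusts whatever ldapsearch returns, works in a fixed /tmp path and guards the overwrite with a byte-size check. The following is an added example, not part of the original post or the commenters' scripts, showing the same LDIF-to-filtergroupslist step with folded and base64 LDIF lines handled, user names validated, an entry-count check and an atomic install. The function names, the allowed-character policy and the sample LDIF are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the original post or the comment scripts.
LC_ALL=C; export LC_ALL   # byte-wise sort order and bracket ranges

# Print the first field of every "ufn: " value in the LDIF on stdin.
# Folded lines (continuation starts with one space) are joined first;
# base64 values ("ufn:: ...") are skipped rather than mis-parsed.
ldif_to_users() {
    awk '
        function emit(line,    v) {
            if (line !~ /^ufn: /) return
            v = substr(line, 6)
            sub(/,.*/, "", v)
            print v
        }
        /^ / { buf = buf substr($0, 2); next }
        { emit(buf); buf = $0 }
        END { emit(buf) }'
}

# Emit "user=GROUP" lines. Names containing anything outside the allowed
# set (an assumed policy: letters, digits, dot, underscore, hyphen) are
# reported on stderr and dropped, so "=", "#" or spaces never reach the list.
build_list() {  # usage: build_list GROUP < ldif
    group=$1
    ldif_to_users | sort -u | while IFS= read -r u; do
        case $u in
            ''|*[!A-Za-z0-9._-]*) printf 'rejected ufn value: %s\n' "$u" >&2 ;;
            *) printf '%s=%s\n' "$u" "$group" ;;
        esac
    done
}

# Replace DEST with NEW only when NEW holds at least MIN entries. The temp
# file is created next to DEST so the final mv is an atomic rename.
install_list() {  # usage: install_list NEW DEST MIN
    new=$1 dest=$2 min=$3
    count=$(grep -c '^[^#=]*=filter[0-9][0-9]*$' "$new" || true)
    if [ "$count" -lt "$min" ]; then
        echo "only $count entries (minimum $min), existing list kept" >&2
        return 1
    fi
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    cat "$new" > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest"
}

# Constructed sample LDIF (not real directory data).
sample_ldif() {
    cat <<'EOF'
dn: cn=jsmith,ou=TCHR,o=HWK
ufn: jsmith, TCHR, HWK

dn: cn=a.very.long.name,ou=TCHR,o=HWK
ufn: a.very.lo
 ng.name, TCHR, HWK

dn: cn=encoded,ou=TCHR,o=HWK
ufn:: w6lsw6hyZSwgVENIUiwgSFdL

dn: cn=odd,ou=TCHR,o=HWK
ufn: odd name=x #, TCHR, HWK
EOF
}

demo() {
    work=$(mktemp -d) || return 1     # private directory, not a fixed /tmp path
    sample_ldif | build_list filter2 > "$work/new"
    install_list "$work/new" "$work/filtergroupslist" 2 &&
        cat "$work/filtergroupslist"
    rm -rf "$work"
}
demo
```

In a real run, pipe the ldapsearch output into build_list in place of sample_ldif and set MIN to a count you expect the group never to fall below.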
Hi Alex! I just wanted to thank you for sharing this through your blog. Your contribution is quite useful, and I think that many users will find it valuable in different scenarios.
Keep up the good work!
Best regards,
Marcus
Thanks Marcus, I appreciate the comment. You have a very interesting site.
Regards,
Alex
Great script! A friend of mine (Graham Pearson) and I modified it to include multiple LDAP groups and to write multiple DG filter groups. Would you like me to send you the code?
Glad it was useful.
If you’re happy to release your modifications into the public domain it would be great if you sent through the code. This script could do with some improvements and your contributions would be most welcome!
Just curious if the multigroup modification made it up to you for posting? We are doing something similar here with some filter groups and a fresh DG install.
This has been a very informative read/script.
Thanks for posting
Hi Heath, glad you found it useful but the modifications referenced above didn’t make it to me unfortunately.
I removed some of the need for external processing. Made it a little more efficient. I haven’t worked on multigroup yet, but that is next. I will submit those back once I have them working.
# Perform LDAP search. Outputs ldif file.
ldapsearch "$LDAPFILTER" -uxvALLL -H ldap://IP.OF.LDAP.SERVER -b "o=MYTREE" -S '' -s "sub" -D cn=BINDUSER,o=MYTREE -w PASSWORD ufn > $WIP/1ldif
(REMOVE THE FOLLOWING 4 LINES)
#Make copy of current ldif (1ldif) working file
#cat $WIP/1ldif > $WIP/2txt
# Picks out the ufn attribute using a modified awk script I found:
#awk -F ': ' -f $AWKSCRIPT $WIP/2txt
# Picks the first field of the ufn attribute to generate a clean list of users
#cut -d, -f1 $WIP/2txt > $WIP/3userlist (REMOVE THIS LINE)
cat $WIP/1ldif | sed '/^dn: /d' |cut -d: -f2 |cut -d, -f1 | cut -d= -f1 | sed '/^$/d' | sed -e 's/^[ \t]*//' > $WIP/3userlist
Thanks for your contribution Heath. I can’t really test it as I don’t have an edirectory or even LDAP server around any more, but I’ll add a note to the article.
For Posterity, I have a working (not very clean) multigroup script running now. If someone posts an update to it, I would love to see it. There are some “appearance issues” with this script. It works, but some of the output isn’t as nice looking as I would like.
This is running on a CentOS 5.5 box so some commands may need to be adjusted for other systems
#!/bin/bash
#
# Dansguardian filter group update script
# Alex Forbes, Edtech Ltd
# Updated 20 March 2011
# by Heath Henderson, LCUSD2
# with Multigroup (removed external awk script)
#
## Variables
TMP=/tmp
LOGFILE=/var/log/dansguardian/dansfgupdate.log
#LDAP SERVER SPECIFIC SETTINGS
# Make temp directories
WIP=$TMP/dgFilterUpdate
mkdir -p $WIP
# LIST FILTERGROUPS HERE
FILTERGROUP1=filter1
FILTERGROUP2=filter2
FILTERGROUP3=filter3
FILTERGROUP4=filter4
FILTERGROUP5=filter5
FILTERGROUP6=filter6
FILTERGROUP7=filter7
#FILTERGROUP ROOTPATH
FILTERGRPATH=/tmp/dgFilterUpdate
# Dansguardian filtergroupslist file
DESTFILE1=$FILTERGRPATH/filtergroupslist1
DESTFILE2=$FILTERGRPATH/filtergroupslist2
DESTFILE3=$FILTERGRPATH/filtergroupslist3
DESTFILE4=$FILTERGRPATH/filtergroupslist4
DESTFILE5=$FILTERGRPATH/filtergroupslist5
DESTFILE6=$FILTERGRPATH/filtergroupslist6
DESTFILE7=$FILTERGRPATH/filtergroupslist7
LDAPSERVER='-uxvALLL -H ldap://YOUR.SERVER.IP.ADDRESS -b o=LDAPBASE -S '' -s "one" -D cn=USER,LDAPBIND -w PASSWORD ufn'
# LDAP SEARCH CRITERIA
LDAPFILTERBASE1='"(&(groupMembership=cn=inetdisabled,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLDO1='"(&(groupMembership=cn=inetdisabled,ou=MYOU,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLJSH1='"(&(groupMembership=cn=inetdisabled,ou=MYOU1,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLES1='"(&(groupMembership=cn=inetdisabled,ou=MYOU2,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLPA1='"(&(groupMembership=cn=inetdisabled,ou=MYOU3,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERBASE2='"(&(groupMembership=cn=inetguest,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLDO2='"(&(groupMembership=cn=inetguest,ou=MYOU,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLJSH2='"(&(groupMembership=cn=inetguest,ou=MYOU1,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLES2='"(&(groupMembership=cn=inetguest,ou=MYOU2,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLPA2='"(&(groupMembership=cn=inetguest,ou=MYOU3,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERBASE3='"(&(groupMembership=cn=inetlimited,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLDO3='"(&(groupMembership=cn=inetlimited,ou=MYOU,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLJSH3='"(&(groupMembership=cn=inetlimited,ou=MYOU1,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLES3='"(&(groupMembership=cn=inetlimited,ou=MYOU2,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLPA3='"(&(groupMembership=cn=inetlimited,ou=MYOU3,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERBASE4='"(&(groupMembership=cn=inetpupils,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLDO4='"(&(groupMembership=cn=inetpupils,ou=MYOU,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLJSH4='"(&(groupMembership=cn=inetpupils,ou=MYOU1,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLES4='"(&(groupMembership=cn=inetpupils,ou=MYOU2,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLPA4='"(&(groupMembership=cn=inetpupils,ou=MYOU3,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERBASE5='"(&(groupMembership=cn=inetstaff,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLDO5='"(&(groupMembership=cn=inetstaff,ou=MYOU,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLJSH5='"(&(groupMembership=cn=inetstaff,ou=MYOU1,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLES5='"(&(groupMembership=cn=inetstaff,ou=MYOU2,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLPA5='"(&(groupMembership=cn=inetstaff,ou=MYOU3,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERBASE6='"(&(groupMembership=cn=inetstaffextended,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLDO6='"(&(groupMembership=cn=inetstaffextended,ou=MYOU,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLJSH6='"(&(groupMembership=cn=inetstaffextended,ou=MYOU1,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLES6='"(&(groupMembership=cn=inetstaffextended,ou=MYOU2,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLPA6='"(&(groupMembership=cn=inetstaffextended,ou=MYOU3,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERBASE7='"(&(groupMembership=cn=inetwebadmin,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLDO7='"(&(groupMembership=cn=inetwebadmin,ou=MYOU,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLJSH7='"(&(groupMembership=cn=inetwebadmin,ou=MYOU1,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLES7='"(&(groupMembership=cn=inetwebadmin,ou=MYOU2,o=LDAPBASE))" '$LDAPSERVER''
LDAPFILTERLPA7='"(&(groupMembership=cn=inetwebadmin,ou=MYOU3,o=LDAPBASE))" '$LDAPSERVER''
# Header message
#echo "## This file is automatically updated, any changes will be overwritten" > $WIP/4final
#echo "## See /opt/edir2dansg.sh" >> $WIP/4final
#echo "" >>$WIP/4final
# Perform LDAP search. Outputs ldif file.
#FILTER1
ldapqueryf11="ldapsearch $LDAPFILTERBASE1 >"
ldapqueryf12="ldapsearch $LDAPFILTERLDO1 >"
ldapqueryf13="ldapsearch $LDAPFILTERLJSH1 >"
ldapqueryf14="ldapsearch $LDAPFILTERLES1 >"
ldapqueryf15="ldapsearch $LDAPFILTERLPA1 >"
echo "${ldapqueryf11} $WIP/1ldif.f11" > $WIP/1ldif.f11 |bash $WIP/1ldif.f11 | sleep 1
echo "${ldapqueryf12} $WIP/1ldif.f12" > $WIP/1ldif.f12 | bash $WIP/1ldif.f12 | sleep 1
echo "${ldapqueryf13} $WIP/1ldif.f13" > $WIP/1ldif.f13 | bash $WIP/1ldif.f13 | sleep 1
echo "${ldapqueryf14} $WIP/1ldif.f14" > $WIP/1ldif.f14 | bash $WIP/1ldif.f14 | sleep 1
echo "${ldapqueryf15} $WIP/1ldif.f15" > $WIP/1ldif.f15 | bash $WIP/1ldif.f15 | sleep 1
cat $WIP/1ldif.f1* > $WIP/1ldif
#FILTER2
ldapqueryf21="ldapsearch $LDAPFILTERBASE2 >"
ldapqueryf22="ldapsearch $LDAPFILTERLDO2 >"
ldapqueryf23="ldapsearch $LDAPFILTERLJSH2 >"
ldapqueryf24="ldapsearch $LDAPFILTERLES2 >"
ldapqueryf25="ldapsearch $LDAPFILTERLPA2 >"
echo "${ldapqueryf21} $WIP/2ldif.f21" > $WIP/2ldif.f21 | bash $WIP/2ldif.f21 | sleep 1
echo "${ldapqueryf22} $WIP/2ldif.f22" > $WIP/2ldif.f22 | bash $WIP/2ldif.f22 | sleep 1
echo "${ldapqueryf23} $WIP/2ldif.f23" > $WIP/2ldif.f23 | bash $WIP/2ldif.f23 | sleep 1
echo "${ldapqueryf24} $WIP/2ldif.f24" > $WIP/2ldif.f24 | bash $WIP/2ldif.f24 | sleep 1
echo "${ldapqueryf25} $WIP/2ldif.f25" > $WIP/2ldif.f25 | bash $WIP/2ldif.f25 | sleep 1
cat $WIP/2ldif.f2* > $WIP/2ldif
#FILTER3
ldapquery31="ldapsearch $LDAPFILTERBASE3 >"
ldapquery32="ldapsearch $LDAPFILTERLDO3 >"
ldapquery33="ldapsearch $LDAPFILTERLJSH3 >"
ldapquery34="ldapsearch $LDAPFILTERLES3 >"
ldapquery35="ldapsearch $LDAPFILTERLPA3 >"
echo "${ldapquery31} $WIP/3ldif.f31" > $WIP/3ldif.f31 | bash $WIP/3ldif.f31 | sleep 1
echo "${ldapquery32} $WIP/3ldif.f32" > $WIP/3ldif.f32 | bash $WIP/3ldif.f32 | sleep 1
echo "${ldapquery33} $WIP/3ldif.f33" > $WIP/3ldif.f33 | bash $WIP/3ldif.f33 | sleep 1
echo "${ldapquery34} $WIP/3ldif.f34" > $WIP/3ldif.f34 | bash $WIP/3ldif.f34 | sleep 1
echo "${ldapquery35} $WIP/3ldif.f35" > $WIP/3ldif.f35 | bash $WIP/3ldif.f35 | sleep 1
cat $WIP/3ldif.f3* > $WIP/3ldif
#FILTER4
ldapquery41="ldapsearch $LDAPFILTERBASE4 >"
ldapquery42="ldapsearch $LDAPFILTERLDO4 >"
ldapquery43="ldapsearch $LDAPFILTERLJSH4 >"
ldapquery44="ldapsearch $LDAPFILTERLES4 >"
ldapquery45="ldapsearch $LDAPFILTERLPA4 >"
echo "${ldapquery41} $WIP/4ldif.f41" > $WIP/4ldif.f41 | bash $WIP/4ldif.f41 | sleep 1
echo "${ldapquery42} $WIP/4ldif.f42" > $WIP/4ldif.f42 | bash $WIP/4ldif.f42 | sleep 1
echo "${ldapquery43} $WIP/4ldif.f43" > $WIP/4ldif.f43 | bash $WIP/4ldif.f43 | sleep 1
echo "${ldapquery44} $WIP/4ldif.f44" > $WIP/4ldif.f44 | bash $WIP/4ldif.f44 | sleep 1
echo "${ldapquery45} $WIP/4ldif.f45" > $WIP/4ldif.f45 | bash $WIP/4ldif.f45 | sleep 1
cat $WIP/4ldif.f4* > $WIP/4ldif
#FILTER5
ldapquery51="ldapsearch $LDAPFILTERBASE5 >"
ldapquery52="ldapsearch $LDAPFILTERLDO5 >"
ldapquery53="ldapsearch $LDAPFILTERLJSH5 >"
ldapquery54="ldapsearch $LDAPFILTERLES5 >"
ldapquery55="ldapsearch $LDAPFILTERLPA5 >"
echo "${ldapquery51} $WIP/5ldif.f51" > $WIP/5ldif.f51 | bash $WIP/5ldif.f51 | sleep 1
echo "${ldapquery52} $WIP/5ldif.f52" > $WIP/5ldif.f52 | bash $WIP/5ldif.f52 | sleep 1
echo "${ldapquery53} $WIP/5ldif.f53" > $WIP/5ldif.f53 | bash $WIP/5ldif.f53 | sleep 1
echo "${ldapquery54} $WIP/5ldif.f54" > $WIP/5ldif.f54 | bash $WIP/5ldif.f54 | sleep 1
echo "${ldapquery55} $WIP/5ldif.f55" > $WIP/5ldif.f55 | bash $WIP/5ldif.f55 | sleep 1
cat $WIP/5ldif.f5* > $WIP/5ldif
#FILTER6
ldapquery61="ldapsearch $LDAPFILTERBASE6 >"
ldapquery62="ldapsearch $LDAPFILTERLDO6 >"
ldapquery63="ldapsearch $LDAPFILTERLJSH6 >"
ldapquery64="ldapsearch $LDAPFILTERLES6 >"
ldapquery65="ldapsearch $LDAPFILTERLPA6 >"
echo "${ldapquery61} $WIP/6ldif.f61" > $WIP/6ldif.f61 | bash $WIP/6ldif.f61 | sleep 1
echo "${ldapquery62} $WIP/6ldif.f62" > $WIP/6ldif.f62 | bash $WIP/6ldif.f62 | sleep 1
echo "${ldapquery63} $WIP/6ldif.f63" > $WIP/6ldif.f63 | bash $WIP/6ldif.f63 | sleep 1
echo "${ldapquery64} $WIP/6ldif.f64" > $WIP/6ldif.f64 | bash $WIP/6ldif.f64 | sleep 1
echo "${ldapquery65} $WIP/6ldif.f65" > $WIP/6ldif.f65 | bash $WIP/6ldif.f65 | sleep 1
cat $WIP/6ldif.f6* > $WIP/6ldif
#FILTER7
ldapquery71="ldapsearch $LDAPFILTERBASE7 >"
ldapquery72="ldapsearch $LDAPFILTERLDO7 >"
ldapquery73="ldapsearch $LDAPFILTERLJSH7 >"
ldapquery74="ldapsearch $LDAPFILTERLES7 >"
ldapquery75="ldapsearch $LDAPFILTERLPA7 >"
echo "${ldapquery71} $WIP/7ldif.f71" > $WIP/7ldif.f71 | bash $WIP/7ldif.f71 | sleep 1
echo "${ldapquery72} $WIP/7ldif.f72" > $WIP/7ldif.f72 | bash $WIP/7ldif.f72 | sleep 1
echo "${ldapquery73} $WIP/7ldif.f73" > $WIP/7ldif.f73 | bash $WIP/7ldif.f73 | sleep 1
echo "${ldapquery74} $WIP/7ldif.f74" > $WIP/7ldif.f74 | bash $WIP/7ldif.f74 | sleep 1
echo "${ldapquery75} $WIP/7ldif.f75" > $WIP/7ldif.f75 | bash $WIP/7ldif.f75 | sleep 1
cat $WIP/7ldif.f7* > $WIP/7ldif
# Picks the first field of the ufn attribute to generate a clean list of users
cat $WIP/1ldif | sed '/^dn: /d' |cut -d: -f2 |cut -d, -f1 | cut -d= -f1 | sed '/^$/d' |sed -e 's/^[ \t]*//' | sed "s/$/=$FILTERGROUP1/" > $WIP/1final
cat $WIP/2ldif | sed '/^dn: /d' |cut -d: -f2 |cut -d, -f1 | cut -d= -f1 | sed '/^$/d' |sed -e 's/^[ \t]*//' | sed "s/$/=$FILTERGROUP2/" > $WIP/2final
cat $WIP/3ldif | sed '/^dn: /d' |cut -d: -f2 |cut -d, -f1 | cut -d= -f1 | sed '/^$/d' |sed -e 's/^[ \t]*//' | sed "s/$/=$FILTERGROUP3/" > $WIP/3final
cat $WIP/4ldif | sed '/^dn: /d' |cut -d: -f2 |cut -d, -f1 | cut -d= -f1 | sed '/^$/d' |sed -e 's/^[ \t]*//' | sed "s/$/=$FILTERGROUP4/" > $WIP/4final
cat $WIP/5ldif | sed '/^dn: /d' |cut -d: -f2 |cut -d, -f1 | cut -d= -f1 | sed '/^$/d' |sed -e 's/^[ \t]*//' | sed "s/$/=$FILTERGROUP5/" > $WIP/5final
cat $WIP/6ldif | sed '/^dn: /d' |cut -d: -f2 |cut -d, -f1 | cut -d= -f1 | sed '/^$/d' |sed -e 's/^[ \t]*//' | sed "s/$/=$FILTERGROUP6/" > $WIP/6final
cat $WIP/7ldif | sed '/^dn: /d' |cut -d: -f2 |cut -d, -f1 | cut -d= -f1 | sed '/^$/d' |sed -e 's/^[ \t]*//' | sed "s/$/=$FILTERGROUP7/" > $WIP/7final
###################################################################
# Finally, copy the file to overwrite the dansguardian list.
# I’ve done a simple check to make sure the file isn’t too small in
# case of error, but it could be handled better.
# FILTERUSERGROUPS LISTED IN ORDER OF FEWEST MEMBERS > MOST MEMBERS
# EASIER TO READ THIS WAY
# ADMIN, GUEST, AND DISABLED USERS ARE GENERALLY EASIER TO MANAGE
# IF YOU DON’T HAVE TO GO LOOKING
####################################################################
echo "###############################################################" > $DESTFILE1
echo "#############" >> $DESTFILE1
echo "# NO ACCESS #" >> $DESTFILE1
echo "#############" >> $DESTFILE1
SIZE=`stat -c %s $WIP/1final`
if [ $SIZE -gt 2 ]; then
cat $WIP/1final >> $DESTFILE1
echo $(date +"%Y/%m/%d %H:%M"): Updated filter groups list "("size $SIZE bytes")" >> $LOGFILE
else echo $(date +"%Y/%m/%d %H:%M"): Output file is too small, list not updated >> $LOGFILE
fi
echo " " > $DESTFILE2
echo "#########" >> $DESTFILE2
echo "# GUEST #" >> $DESTFILE2
echo "#########" >> $DESTFILE2
SIZE=`stat -c %s $WIP/2final`
if [ $SIZE -gt 2 ]; then
cat $WIP/2final >> $DESTFILE2
echo $(date +"%Y/%m/%d %H:%M"): Updated filter groups list "("size $SIZE bytes")" >> $LOGFILE
else echo $(date +"%Y/%m/%d %H:%M"): Output file is too small, list not updated >> $LOGFILE
fi
echo " " > $DESTFILE7
echo "#########" >> $DESTFILE7
echo "# ADMIN #" >> $DESTFILE7
echo "#########" >> $DESTFILE7
SIZE=`stat -c %s $WIP/7final`
if [ $SIZE -gt 2 ]; then
cat $WIP/7final >> $DESTFILE7
echo $(date +"%Y/%m/%d %H:%M"): Updated filter groups list "("size $SIZE bytes")" >> $LOGFILE
else echo $(date +"%Y/%m/%d %H:%M"): Output file is too small, list not updated >> $LOGFILE
fi
echo " " > $DESTFILE6
echo "#################################" >> $DESTFILE6
echo "# EXTENDED STAFF (FACEBOOK ETC) #" >> $DESTFILE6
echo "#################################" >> $DESTFILE6
SIZE=`stat -c %s $WIP/6final`
if [ $SIZE -gt 2 ]; then
cat $WIP/6final >> $DESTFILE6
echo $(date +"%Y/%m/%d %H:%M"): Updated filter groups list "("size $SIZE bytes")" >> $LOGFILE
else echo $(date +"%Y/%m/%d %H:%M"): Output file is too small, list not updated >> $LOGFILE
fi
echo " " > $DESTFILE3
echo "#######################" >> $DESTFILE3
echo "# RESTRICTED STUDENTS #" >> $DESTFILE3
echo "#######################" >> $DESTFILE3
SIZE=`stat -c %s $WIP/3final`
if [ $SIZE -gt 2 ]; then
cat $WIP/3final >> $DESTFILE3
echo $(date +"%Y/%m/%d %H:%M"): Updated filter groups list "("size $SIZE bytes")" >> $LOGFILE
else echo $(date +"%Y/%m/%d %H:%M"): Output file is too small, list not updated >> $LOGFILE
fi
echo " " > $DESTFILE5
echo "#########" >> $DESTFILE5
echo "# STAFF #" >> $DESTFILE5
echo "#########" >> $DESTFILE5
SIZE=`stat -c %s $WIP/5final`
if [ $SIZE -gt 2 ]; then
cat $WIP/5final >> $DESTFILE5
echo $(date +"%Y/%m/%d %H:%M"): Updated filter groups list "("size $SIZE bytes")" >> $LOGFILE
else echo $(date +"%Y/%m/%d %H:%M"): Output file is too small, list not updated >> $LOGFILE
fi
echo " " > $DESTFILE4
echo "############" >> $DESTFILE4
echo "# STUDENTS #" >> $DESTFILE4
echo "############" >> $DESTFILE4
SIZE=`stat -c %s $WIP/4final`
if [ $SIZE -gt 2 ]; then
cat $WIP/4final >> $DESTFILE4
echo $(date +"%Y/%m/%d %H:%M"): Updated filter groups list "("size $SIZE bytes")" >> $LOGFILE
else echo $(date +"%Y/%m/%d %H:%M"): Output file is too small, list not updated >> $LOGFILE
fi
#FULL PATH TO filtergroupslist
FULLPATH=/etc/dansguardian/lists
#BACKUP ORIGINAL FILE
cat $FULLPATH/filtergroupslist > $FULLPATH/filtergroupslist.bak
##################################
#COMBINE AND BUILD FILTERGROUPFILE
##################################
echo "###############################################################" > $FULLPATH/filtergroupslist
echo "# Filter Groups List file for DansGuardian" >> $FULLPATH/filtergroupslist
echo "#" >> $FULLPATH/filtergroupslist
echo "# Format is (user)=filter(1-9) where 1-9 are the groups" >> $FULLPATH/filtergroupslist
echo "#" >> $FULLPATH/filtergroupslist
echo "# Eg:" >> $FULLPATH/filtergroupslist
echo "# daniel=filter2" >> $FULLPATH/filtergroupslist
echo "#" >> $FULLPATH/filtergroupslist
echo "# This file is only of use if you have more than 1 filter group" >> $FULLPATH/filtergroupslist
cat $DESTFILE1 >> $FULLPATH/filtergroupslist
cat $DESTFILE2 >> $FULLPATH/filtergroupslist
cat $DESTFILE7 >> $FULLPATH/filtergroupslist
cat $DESTFILE6 >> $FULLPATH/filtergroupslist
cat $DESTFILE3 >> $FULLPATH/filtergroupslist
cat $DESTFILE5 >> $FULLPATH/filtergroupslist
cat $DESTFILE4 >> $FULLPATH/filtergroupslist
chmod 644 $FULLPATH/filtergroupslist
chown nobody.nobody $FULLPATH/filtergroupslist
# Gentle reload of dansguardian
service dansguardian stop
sleep 10
service dansguardian start
Sorry guys. I thought I shared this code with you. Here’s what we did to do multiple user groups.
#!/bin/bash
#
# Dansguardian filter group update script
# Alex Forbes, Edtech Ltd
# Updated 9th September 2009
# Edited 4/20/2010 Graham Pearson/Aron Leeper
## Variables
# Dansguardian filtergroupslist file
DESTFILE=/etc/dansguardian/lists/filtergroupslist
LOGFILE=/var/log/dansfgupdate.log
# LDAP settings
#LDAPFILTER="(&(objectClass=Person)(|(groupMembership=cn=ALL-TEACHERS,ou=TCHR,o=HWK)(groupMembership=cn=ALL-ADMIN,ou=ADM,o=HWK)(groupMembership=cn=OESAdmins,o=HWK)))"
#LDAPFILTER="(&(objectClass=Person)(|(groupMembership=cn=InternetAccess,o=Argos))"
LDAPTeacherAccessFILTER="(groupMembership=cn=dgTeacherAccess,o=Argos)"
LDAPElemStudentAccessFILTER="(groupMembership=cn=dgElemAccess,o=Argos)"
LDAPJrSrStudentAccessFILTER="(groupMembership=cn=dgJrSrAccess,o=Argos)"
LDAPAdministratorAccessFILTER="(groupMembership=cn=dgAdminAccess,o=Argos)"
# Path to the awk script (converts the ldif file to parseable text). I modified one from
# http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP-ScriptsAndTools.html
AWKSCRIPT=/etc/dansguardian/ldif2csv.awk
TMP=/tmp
# Make temp directories
WIP=$TMP/dgFilterUpdate
mkdir -p $WIP
# Header message
echo "## This file is automatically updated, any changes will be overwritten" > $WIP/4final
echo "## See /etc/dansguardian/updatefilter.sh" >> $WIP/4final
echo "" >>$WIP/4final
touch $DESTFILE
touch $WIP/Step.1.ElementaryStudents
touch $WIP/Step.1.JrSrStudents
touch $WIP/Step.1.Teachers
touch $WIP/Step.1.Administrators
touch $WIP/Step.2.ElementaryStudents
touch $WIP/Step.2.JrSrStudents
touch $WIP/Step.2.Teachers
touch $WIP/Step.2.Administrators
# Perform LDAP search. Outputs ldif file.
ldapsearch -uxvA -H ldap://192.168.0.1 -b "o=Argos" -S '' -s "sub" -D cn=ldapadmin,o=Argos -w ldapadmin "$LDAPElemStudentAccessFILTER" ufn > $WIP/Step.1.ElementaryStudents
ldapsearch -uxvA -H ldap://192.168.0.1 -b "o=Argos" -S '' -s "sub" -D cn=ldapadmin,o=Argos -w ldapadmin "$LDAPJrSrStudentAccessFILTER" ufn > $WIP/Step.1.JrSrStudents
ldapsearch -uxvA -H ldap://192.168.0.1 -b "o=Argos" -S '' -s "sub" -D cn=ldapadmin,o=Argos -w ldapadmin "$LDAPTeacherAccessFILTER" ufn > $WIP/Step.1.Teachers
ldapsearch -uxvA -H ldap://192.168.0.1 -b "o=Argos" -S '' -s "sub" -D cn=ldapadmin,o=Argos -w ldapadmin "$LDAPAdministratorAccessFILTER" ufn > $WIP/Step.1.Administrators
# Picks out the ufn attribute using a modified awk script I found:
cat $WIP/Step.1.ElementaryStudents | awk -F ': ' -f $AWKSCRIPT | cut -d, -f1 | sed 's/$/=filter2/' > $WIP/Step.2.ElementaryStudents
cat $WIP/Step.1.JrSrStudents | awk -F ': ' -f $AWKSCRIPT | cut -d, -f1 | sed 's/$/=filter3/' > $WIP/Step.2.JrSrStudents
cat $WIP/Step.1.Teachers | awk -F ': ' -f $AWKSCRIPT | cut -d, -f1 | sed 's/$/=filter4/' > $WIP/Step.2.Teachers
cat $WIP/Step.1.Administrators | awk -F ': ' -f $AWKSCRIPT | cut -d, -f1 | sed 's/$/=filter5/' > $WIP/Step.2.Administrators
# Finally, copy the file to overwrite the dansguardian list.
# I’ve done a simple check to make sure the file isn’t too small in case of error, but it could be handled better.
SIZE=`stat -c %s $WIP/Step.2.Administrators`
if [ $SIZE -gt 30 ]; then
cp $WIP/Step.2.Administrators $DESTFILE
cat $WIP/Step.2.Teachers >> $DESTFILE
cat $WIP/Step.2.JrSrStudents >> $DESTFILE
cat $WIP/Step.2.ElementaryStudents >> $DESTFILE
echo $(date +"%Y/%m/%d %H:%M"): Updated filter groups list "("size $SIZE bytes")" >> $LOGFILE
else
echo $(date +"%Y/%m/%d %H:%M"): Output file is too small, list not updated >> $LOGFILE
fi
# Gentle reload of dansguardian
dansguardian -g
Nice work. This is probably now at the point where it should be on Github, but when I wrote the original script I knew nothing about source control! I don’t have a need for it any more as I’m no longer working in an environment that uses Dansguardian, but if someone wants to start a Github project I’d happily link to it from this page.
There are many ways in which these scripts could be improved. :)