Automatically update DansGuardian Filter Groups List from LDAP

Update 20th March 2011: Heath has made some modifications to the original script and made it more efficient, see the comments below.

Here’s a script I wrote today, which updates the filtergroupslist file of Dansguardian. If you’re using LDAP authentication and want to give different levels of protection to certain groups of users, you need to update the list somehow, as Dansguardian doesn’t support LDAP groups. See this page for more info on filter groups.

The school I wrote this for is a Novell eDirectory site, and the script will require a bit of modification to work on other sites. In particular you will need to alter the parameters of the ldapsearch command (filter string, server name, user credentials). Other LDAP servers may not support the ufn attribute, which this is based on. If your directory is well maintained and up to date you would probably be better off using the uid attribute, but this particular school hasn’t populated it for all users yet (only users created with ConsoleOne and iManager populate the uid attribute by default). If you do use uid, be sure to remove the cut command.

ldapsearch outputs data in LDIF format, which is difficult to use in scripts. The tool to use to convert this is awk, which unfortunately is a language I haven’t learnt yet. So I found a premade awk script that converts LDIF to CSV (ldif2csv, from here), removed all the attributes and replaced them with just ufn (you may want to use uid instead).

If you use this script and modify or improve it, I’d appreciate you contributing the modifications back, as they may be useful to others (myself included)!

updateFilter.sh

#!/bin/bash 
#
# Dansguardian filter group update script
# Alex Forbes, Edtech Ltd
# Updated 9th September 2009
#

## Variables
# Dansguardian filtergroupslist file
DESTFILE=/root/filtergroupslist-test
LOGFILE=/var/log/dansfgupdate.log

# LDAP settings
LDAPFILTER="(&(objectClass=Person)(|(groupMembership=cn=ALL-TEACHERS,ou=TCHR,o=HWK)(groupMembership=cn=ALL-ADMIN,ou=ADM,o=HWK)(groupMembership=cn=OESAdmins,o=HWK)))"

# Which filtergroup do you want the users to be a member of
FILTERGROUP=filter2

# Path to the awk script (converts the ldif file to parseable text). I modified one from
# http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP-ScriptsAndTools.html
AWKSCRIPT=/opt/ldif2csv.awk
TMP=/tmp

# Dansguardian filter group list file
# Temp path, creates folder for the temp files. There are probably better ways of doing it.

# Make temp directories
WIP=$TMP/dgFilterUpdate
mkdir -p $WIP

# Header message
echo "## This file is automatically updated, any changes will be overwritten" > $WIP/4final
echo "## See /opt/edir2dansg.sh" >> $WIP/4final
echo "" >>$WIP/4final

# Perform LDAP search. Outputs ldif file.
ldapsearch -uxvA -H ldaps://fs2.howick.school.nz -b "o=HWK" -S '' -s "sub" -D cn=ldapauth,o=hwk -w password "$LDAPFILTER" ufn > $WIP/1ldif

# Picks out the ufn attribute using a modified awk script I found:
awk -F ': ' -f $AWKSCRIPT $WIP/1ldif > $WIP/2txt

# Picks the first field of the ufn attribute to generate a clean list of users
cut -d, -f1 $WIP/2txt > $WIP/3userlist

# Add the values required to meet the dansguardian filter format
for u in `cat $WIP/3userlist`; do
	echo "$u=$FILTERGROUP" >> $WIP/4final
done

# Finally, copy the file to overwrite the dansguardian list.
# I've done a simple check to make sure the file isn't too small in case of error, but it could be handled better.
SIZE=`stat -c %s $WIP/4final`
if [ $SIZE -gt 2500 ]; then
	cp $WIP/4final $DESTFILE
	echo $(date +"%Y/%m/%d %H:%M"): Updated filter groups list "("size $SIZE bytes")" >> $LOGFILE
else echo $(date +"%Y/%m/%d %H:%M"): Output file is too small, list not updated >> $LOGFILE
fi

# Gentle reload of dansguardian
dansguardian -g

And the modified awk script, ldif2csv.awk:

BEGIN {
        ufn = ""
      }
/^ufn: /              {ufn=$2}
/^dn/ {
        if(ufn != "") printf("%s\n",ufn)
        ufn     = ""
      }
# Capture last dn
END {
        if(ufn != "") printf("%s\n",ufn)
}

Update 9-9-09: Fixed a few dumb mistakes.
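
The LDIF parsing and the "file isn't too small" check from the script above, reworked as an added example (not part of the original post or of the commenters' scripts): it unfolds wrapped LDIF lines, decodes base64 values, allow-lists each username before writing `user=filterN`, and swaps the list in with an atomic rename. The sample LDIF, the username pattern and the three-entry minimum are assumptions made for the demonstration.

```shell
#!/bin/bash
# Added example (not the original script): LDIF -> filtergroupslist with validation.
# On a live system stdin would come from ldapsearch; "-y FILE" reads the bind
# password from a file instead of exposing it on the command line via "-w".

# Print the values of attribute $1 from LDIF on stdin. Unfolds continuation
# lines (they start with one space) and decodes base64 values ("attr:: ...").
ldif_attr_values() {
    local attr="$1" line
    awk '/^ / { buf = buf substr($0, 2); next }
         { if (NR > 1) print buf; buf = $0 }
         END { if (NR > 0) print buf }' |
    while IFS= read -r line; do
        case $line in
            "$attr:: "*)  # a newline hidden in a decoded value must not add a list line
                printf '%s' "${line#"$attr:: "}" | base64 -d | tr '\n\r' '??'; echo ;;
            "$attr: "*)
                printf '%s\n' "${line#"$attr: "}" ;;
        esac
    done
}

# Turn ufn values ("jsmith, TCHR, HWK") into "user=filterN" lines. Only the first
# comma-separated field is kept, and only if it passes an allow-list check, so a
# directory value cannot put '=', '#', whitespace or a second line into the list.
build_filter_lines() {
    local group="$1" value user
    case $group in
        filter[1-9]|filter[1-9][0-9]) ;;
        *) echo "bad filter group: $group" >&2; return 2 ;;
    esac
    while IFS= read -r value; do
        user=${value%%,*}
        case $user in
            ''|*[!A-Za-z0-9._-]*) printf 'rejected value: %s\n' "$value" >&2 ;;
            *) printf '%s=%s\n' "$user" "$group" ;;
        esac
    done | sort -u
}

# Replace $2 with $1 only if $1 holds at least $3 entries. The list is written
# to a temp file beside the destination and renamed over it, so the filter
# never reads a half-written file. Returns non-zero when the update is refused.
install_list() {
    local new="$1" dest="$2" min="$3" count tmp
    [ -f "$new" ] || return 1
    count=$(grep -c '=filter' "$new" || true)
    if [ "$count" -lt "$min" ]; then
        echo "refusing update: $count entries, expected at least $min" >&2
        return 1
    fi
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    cat "$new" > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest"
}

# Constructed sample of ldapsearch output (not real directory data): entry 2 is
# folded, entry 3 is base64 for "bwhite, TCHR, HWK", entry 4 is malformed.
SAMPLE_LDIF='dn: cn=jsmith,ou=TCHR,o=HWK
ufn: jsmith, TCHR, HWK

dn: cn=averylongusername,ou=ADM,o=HWK
ufn: averylong
 username, ADM, HWK

dn: cn=bwhite,ou=TCHR,o=HWK
ufn:: YndoaXRlLCBUQ0hSLCBIV0s=

dn: cn=odd,ou=STU,o=HWK
ufn: odd=filter1 name, STU, HWK'

# Demo: work in a private mktemp directory rather than a fixed path under /tmp.
demo() {
    local work
    work=$(mktemp -d) || return 1
    printf '%s\n' "$SAMPLE_LDIF" | ldif_attr_values ufn |
        build_filter_lines filter2 > "$work/new"
    install_list "$work/new" "$work/filtergroupslist" 3 && cat "$work/filtergroupslist"
    rm -rf "$work"
}
demo
```

A minimum entry count replaces the byte-size threshold because it does not depend on how long the header comment or the usernames happen to be.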

11 thoughts on “Automatically update DansGuardian Filter Groups List from LDAP”

  1. Aron Leeper

    Great script! A friend of mine (Graham Pearson) and I modified it to include multiple LDAP groups and to write multiple DG filter groups. Would you like me to send you the code?

    1. Alex

      Glad it was useful.

      If you’re happy to release your modifications into the public domain it would be great if you sent through the code. This script could do with some improvements and your contributions would be most welcome!

      1. Heath

        Just curious if the multigroup modification made it up to you for posting? We are doing something similar here with some filter groups and a fresh DG install.
        This has been a very informative read/script.

        Thanks for posting

        1. Alex

          Hi Heath, glad you found it useful but the modifications referenced above didn’t make it to me unfortunately.

  2. Heath

    I removed some of the need for external processing. Made it a little more efficient. I haven’t worked on multigroup yet, but that is next. I will submit those back once I have them working.

    # Perform LDAP search. Outputs ldif file.
    ldapsearch "$LDAPFILTER" -uxvALLL -H ldap://IP.OF.LDAP.SERVER -b "o=MYTREE" -S '' -s "sub" -D cn=BINDUSER,o=MYTREE -w PASSWORD ufn > $WIP/1ldif

    (REMOVE THE FOLLOWING 4 LINES)
    #Make copy of current ldif (1ldif) working file
    #cat $WIP/1ldif > $WIP/2txt
    # Picks out the ufn attribute using a modified awk script I found:
    #awk -F ': ' -f $AWKSCRIPT $WIP/2txt

    # Picks the first field of the ufn attribute to generate a clean list of users
    #cut -d, -f1 $WIP/2txt > $WIP/3userlist (REMOVE THIS LINE)
    cat $WIP/1ldif | sed '/^dn: /d' |cut -d: -f2 |cut -d, -f1 | cut -d= -f1 | sed '/^$/d' | sed -e 's/^[ \t]*//' > $WIP/3userlist

    1. Alex

      Thanks for your contribution Heath. I can’t really test it as I don’t have an edirectory or even LDAP server around any more, but I’ll add a note to the article.

  3. Heath

    For Posterity, I have a working (not very clean) multigroup script running now. If someone posts an update to it, I would love to see it. There are some “appearance issues” with this script. It works, but some of the output isn’t as nice looking as I would like.
    This is running on a CentOS 5.5 box so some commands may need to be adjusted for other systems
    #!/bin/bash
    #
    # Dansguardian filter group update script
    # Alex Forbes, Edtech Ltd
    # Updated 20 March 2011
    # by Heath Henderson, LCUSD2
    # with Multigroup (removed external awk script)
    #
    ## Variables
    TMP=/tmp
    LOGFILE=/var/log/dansguardian/dansfgupdate.log

    #LDAP SERVER SPECIFIC SETTINGS

    # Make temp directories
    WIP=$TMP/dgFilterUpdate
    mkdir -p $WIP

    # LIST FILTERGROUPS HERE
    FILTERGROUP1=filter1
    FILTERGROUP2=filter2
    FILTERGROUP3=filter3
    FILTERGROUP4=filter4
    FILTERGROUP5=filter5
    FILTERGROUP6=filter6
    FILTERGROUP7=filter7

    #FILTERGROUP ROOTPATH
    FILTERGRPATH=/tmp/dgFilterUpdate

    # Dansguardian filtergroupslist file
    DESTFILE1=$FILTERGRPATH/filtergroupslist1
    DESTFILE2=$FILTERGRPATH/filtergroupslist2
    DESTFILE3=$FILTERGRPATH/filtergroupslist3
    DESTFILE4=$FILTERGRPATH/filtergroupslist4
    DESTFILE5=$FILTERGRPATH/filtergroupslist5
    DESTFILE6=$FILTERGRPATH/filtergroupslist6
    DESTFILE7=$FILTERGRPATH/filtergroupslist7

    LDAPSERVER='-uxvALLL -H ldap://YOUR.SERVER.IP.ADDRESS -b o=LDAPBASE -S '' -s "one" -D cn=USER,LDAPBIND -w PASSWORD ufn'

    # LDAP SEARCH CRITERIA
    LDAPFILTERBASE1='"(&(groupMembership=cn=inetdisabled,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLDO1='"(&(groupMembership=cn=inetdisabled,ou=MYOU,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLJSH1='"(&(groupMembership=cn=inetdisabled,ou=MYOU1,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLES1='"(&(groupMembership=cn=inetdisabled,ou=MYOU2,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLPA1='"(&(groupMembership=cn=inetdisabled,ou=MYOU3,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERBASE2='"(&(groupMembership=cn=inetguest,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLDO2='"(&(groupMembership=cn=inetguest,ou=MYOU,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLJSH2='"(&(groupMembership=cn=inetguest,ou=MYOU1,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLES2='"(&(groupMembership=cn=inetguest,ou=MYOU2,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLPA2='"(&(groupMembership=cn=inetguest,ou=MYOU3,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERBASE3='"(&(groupMembership=cn=inetlimited,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLDO3='"(&(groupMembership=cn=inetlimited,ou=MYOU,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLJSH3='"(&(groupMembership=cn=inetlimited,ou=MYOU1,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLES3='"(&(groupMembership=cn=inetlimited,ou=MYOU2,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLPA3='"(&(groupMembership=cn=inetlimited,ou=MYOU3,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERBASE4='"(&(groupMembership=cn=inetpupils,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLDO4='"(&(groupMembership=cn=inetpupils,ou=MYOU,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLJSH4='"(&(groupMembership=cn=inetpupils,ou=MYOU1,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLES4='"(&(groupMembership=cn=inetpupils,ou=MYOU2,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLPA4='"(&(groupMembership=cn=inetpupils,ou=MYOU3,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERBASE5='"(&(groupMembership=cn=inetstaff,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLDO5='"(&(groupMembership=cn=inetstaff,ou=MYOU,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLJSH5='"(&(groupMembership=cn=inetstaff,ou=MYOU1,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLES5='"(&(groupMembership=cn=inetstaff,ou=MYOU2,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLPA5='"(&(groupMembership=cn=inetstaff,ou=MYOU3,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERBASE6='"(&(groupMembership=cn=inetstaffextended,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLDO6='"(&(groupMembership=cn=inetstaffextended,ou=MYOU,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLJSH6='"(&(groupMembership=cn=inetstaffextended,ou=MYOU1,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLES6='"(&(groupMembership=cn=inetstaffextended,ou=MYOU2,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLPA6='"(&(groupMembership=cn=inetstaffextended,ou=MYOU3,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERBASE7='"(&(groupMembership=cn=inetwebadmin,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLDO7='"(&(groupMembership=cn=inetwebadmin,ou=MYOU,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLJSH7='"(&(groupMembership=cn=inetwebadmin,ou=MYOU1,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLES7='"(&(groupMembership=cn=inetwebadmin,ou=MYOU2,o=LDAPBASE))" '$LDAPSERVER''
    LDAPFILTERLPA7='"(&(groupMembership=cn=inetwebadmin,ou=MYOU3,o=LDAPBASE))" '$LDAPSERVER''

    # Header message
    #echo "## This file is automatically updated, any changes will be overwritten" > $WIP/4final
    #echo "## See /opt/edir2dansg.sh" >> $WIP/4final
    #echo "" >>$WIP/4final

    # Perform LDAP search. Outputs ldif file.
    #FILTER1
    ldapqueryf11="ldapsearch $LDAPFILTERBASE1 >"
    ldapqueryf12="ldapsearch $LDAPFILTERLDO1 >"
    ldapqueryf13="ldapsearch $LDAPFILTERLJSH1 >"
    ldapqueryf14="ldapsearch $LDAPFILTERLES1 >"
    ldapqueryf15="ldapsearch $LDAPFILTERLPA1 >"
    echo "${ldapqueryf11} $WIP/1ldif.f11" > $WIP/1ldif.f11 |bash $WIP/1ldif.f11 | sleep 1
    echo "${ldapqueryf12} $WIP/1ldif.f12" > $WIP/1ldif.f12 | bash $WIP/1ldif.f12 | sleep 1
    echo "${ldapqueryf13} $WIP/1ldif.f13" > $WIP/1ldif.f13 | bash $WIP/1ldif.f13 | sleep 1
    echo "${ldapqueryf14} $WIP/1ldif.f14" > $WIP/1ldif.f14 | bash $WIP/1ldif.f14 | sleep 1
    echo "${ldapqueryf15} $WIP/1ldif.f15" > $WIP/1ldif.f15 | bash $WIP/1ldif.f15 | sleep 1
    cat $WIP/1ldif.f1* > $WIP/1ldif

    #FILTER2
    ldapqueryf21="ldapsearch $LDAPFILTERBASE2 >"
    ldapqueryf22="ldapsearch $LDAPFILTERLDO2 >"
    ldapqueryf23="ldapsearch $LDAPFILTERLJSH2 >"
    ldapqueryf24="ldapsearch $LDAPFILTERLES2 >"
    ldapqueryf25="ldapsearch $LDAPFILTERLPA2 >"
    echo "${ldapqueryf21} $WIP/2ldif.f21" > $WIP/2ldif.f21 | bash $WIP/2ldif.f21 | sleep 1
    echo "${ldapqueryf22} $WIP/2ldif.f22" > $WIP/2ldif.f22 | bash $WIP/2ldif.f22 | sleep 1
    echo "${ldapqueryf23} $WIP/2ldif.f23" > $WIP/2ldif.f23 | bash $WIP/2ldif.f23 | sleep 1
    echo "${ldapqueryf24} $WIP/2ldif.f24" > $WIP/2ldif.f24 | bash $WIP/2ldif.f24 | sleep 1
    echo "${ldapqueryf25} $WIP/2ldif.f25" > $WIP/2ldif.f25 | bash $WIP/2ldif.f25 | sleep 1
    cat $WIP/2ldif.f2* > $WIP/2ldif

    #FILTER3
    ldapquery31="ldapsearch $LDAPFILTERBASE3 >"
    ldapquery32="ldapsearch $LDAPFILTERLDO3 >"
    ldapquery33="ldapsearch $LDAPFILTERLJSH3 >"
    ldapquery34="ldapsearch $LDAPFILTERLES3 >"
    ldapquery35="ldapsearch $LDAPFILTERLPA3 >"
    echo "${ldapquery31} $WIP/3ldif.f31" > $WIP/3ldif.f31 | bash $WIP/3ldif.f31 | sleep 1
    echo "${ldapquery32} $WIP/3ldif.f32" > $WIP/3ldif.f32 | bash $WIP/3ldif.f32 | sleep 1
    echo "${ldapquery33} $WIP/3ldif.f33" > $WIP/3ldif.f33 | bash $WIP/3ldif.f33 | sleep 1
    echo "${ldapquery34} $WIP/3ldif.f34" > $WIP/3ldif.f34 | bash $WIP/3ldif.f34 | sleep 1
    echo "${ldapquery35} $WIP/3ldif.f35" > $WIP/3ldif.f35 | bash $WIP/3ldif.f35 | sleep 1
    cat $WIP/3ldif.f3* > $WIP/3ldif

    #FILTER4
    ldapquery41="ldapsearch $LDAPFILTERBASE4 >"
    ldapquery42="ldapsearch $LDAPFILTERLDO4 >"
    ldapquery43="ldapsearch $LDAPFILTERLJSH4 >"
    ldapquery44="ldapsearch $LDAPFILTERLES4 >"
    ldapquery45="ldapsearch $LDAPFILTERLPA4 >"
    echo "${ldapquery41} $WIP/4ldif.f41" > $WIP/4ldif.f41 | bash $WIP/4ldif.f41 | sleep 1
    echo "${ldapquery42} $WIP/4ldif.f42" > $WIP/4ldif.f42 | bash $WIP/4ldif.f42 | sleep 1
    echo "${ldapquery43} $WIP/4ldif.f43" > $WIP/4ldif.f43 | bash $WIP/4ldif.f43 | sleep 1
    echo "${ldapquery44} $WIP/4ldif.f44" > $WIP/4ldif.f44 | bash $WIP/4ldif.f44 | sleep 1
    echo "${ldapquery45} $WIP/4ldif.f45" > $WIP/4ldif.f45 | bash $WIP/4ldif.f45 | sleep 1
    cat $WIP/4ldif.f4* > $WIP/4ldif

    #FILTER5
    ldapquery51="ldapsearch $LDAPFILTERBASE5 >"
    ldapquery52="ldapsearch $LDAPFILTERLDO5 >"
    ldapquery53="ldapsearch $LDAPFILTERLJSH5 >"
    ldapquery54="ldapsearch $LDAPFILTERLES5 >"
    ldapquery55="ldapsearch $LDAPFILTERLPA5 >"
    echo "${ldapquery51} $WIP/5ldif.f51" > $WIP/5ldif.f51 | bash $WIP/5ldif.f51 | sleep 1
    echo "${ldapquery52} $WIP/5ldif.f52" > $WIP/5ldif.f52 | bash $WIP/5ldif.f52 | sleep 1
    echo "${ldapquery53} $WIP/5ldif.f53" > $WIP/5ldif.f53 | bash $WIP/5ldif.f53 | sleep 1
    echo "${ldapquery54} $WIP/5ldif.f54" > $WIP/5ldif.f54 | bash $WIP/5ldif.f54 | sleep 1
    echo "${ldapquery55} $WIP/5ldif.f55" > $WIP/5ldif.f55 | bash $WIP/5ldif.f55 | sleep 1
    cat $WIP/5ldif.f5* > $WIP/5ldif

    #FILTER6
    ldapquery61="ldapsearch $LDAPFILTERBASE6 >"
    ldapquery62="ldapsearch $LDAPFILTERLDO6 >"
    ldapquery63="ldapsearch $LDAPFILTERLJSH6 >"
    ldapquery64="ldapsearch $LDAPFILTERLES6 >"
    ldapquery65="ldapsearch $LDAPFILTERLPA6 >"
    echo "${ldapquery61} $WIP/6ldif.f61" > $WIP/6ldif.f61 | bash $WIP/6ldif.f61 | sleep 1
    echo "${ldapquery62} $WIP/6ldif.f62" > $WIP/6ldif.f62 | bash $WIP/6ldif.f62 | sleep 1
    echo "${ldapquery63} $WIP/6ldif.f63" > $WIP/6ldif.f63 | bash $WIP/6ldif.f63 | sleep 1
    echo "${ldapquery64} $WIP/6ldif.f64" > $WIP/6ldif.f64 | bash $WIP/6ldif.f64 | sleep 1
    echo "${ldapquery65} $WIP/6ldif.f65" > $WIP/6ldif.f65 | bash $WIP/6ldif.f65 | sleep 1
    cat $WIP/6ldif.f6* > $WIP/6ldif

    #FILTER7
    ldapquery71="ldapsearch $LDAPFILTERBASE7 >"
    ldapquery72="ldapsearch $LDAPFILTERLDO7 >"
    ldapquery73="ldapsearch $LDAPFILTERLJSH7 >"
    ldapquery74="ldapsearch $LDAPFILTERLES7 >"
    ldapquery75="ldapsearch $LDAPFILTERLPA7 >"
    echo "${ldapquery71} $WIP/7ldif.f71" > $WIP/7ldif.f71 | bash $WIP/7ldif.f71 | sleep 1
    echo "${ldapquery72} $WIP/7ldif.f72" > $WIP/7ldif.f72 | bash $WIP/7ldif.f72 | sleep 1
    echo "${ldapquery73} $WIP/7ldif.f73" > $WIP/7ldif.f73 | bash $WIP/7ldif.f73 | sleep 1
    echo "${ldapquery74} $WIP/7ldif.f74" > $WIP/7ldif.f74 | bash $WIP/7ldif.f74 | sleep 1
    echo "${ldapquery75} $WIP/7ldif.f75" > $WIP/7ldif.f75 | bash $WIP/7ldif.f75 | sleep 1
    cat $WIP/7ldif.f7* > $WIP/7ldif

    # Picks the first field of the ufn attribute to generate a clean list of users
    cat $WIP/1ldif | sed '/^dn: /d' |cut -d: -f2 |cut -d, -f1 | cut -d= -f1 | sed '/^$/d' |sed -e 's/^[ \t]*//' | sed "s/$/=$FILTERGROUP1/" > $WIP/1final
    cat $WIP/2ldif | sed '/^dn: /d' |cut -d: -f2 |cut -d, -f1 | cut -d= -f1 | sed '/^$/d' |sed -e 's/^[ \t]*//' | sed "s/$/=$FILTERGROUP2/" > $WIP/2final
    cat $WIP/3ldif | sed '/^dn: /d' |cut -d: -f2 |cut -d, -f1 | cut -d= -f1 | sed '/^$/d' |sed -e 's/^[ \t]*//' | sed "s/$/=$FILTERGROUP3/" > $WIP/3final
    cat $WIP/4ldif | sed '/^dn: /d' |cut -d: -f2 |cut -d, -f1 | cut -d= -f1 | sed '/^$/d' |sed -e 's/^[ \t]*//' | sed "s/$/=$FILTERGROUP4/" > $WIP/4final
    cat $WIP/5ldif | sed '/^dn: /d' |cut -d: -f2 |cut -d, -f1 | cut -d= -f1 | sed '/^$/d' |sed -e 's/^[ \t]*//' | sed "s/$/=$FILTERGROUP5/" > $WIP/5final
    cat $WIP/6ldif | sed '/^dn: /d' |cut -d: -f2 |cut -d, -f1 | cut -d= -f1 | sed '/^$/d' |sed -e 's/^[ \t]*//' | sed "s/$/=$FILTERGROUP6/" > $WIP/6final
    cat $WIP/7ldif | sed '/^dn: /d' |cut -d: -f2 |cut -d, -f1 | cut -d= -f1 | sed '/^$/d' |sed -e 's/^[ \t]*//' | sed "s/$/=$FILTERGROUP7/" > $WIP/7final

    ###################################################################
    # Finally, copy the file to overwrite the dansguardian list.
    # I’ve done a simple check to make sure the file isn’t too small in
    # case of error, but it could be handled better.
    # FILTERUSERGROUPS LISTED IN ORDER OF FEWEST MEMBERS > MOST MEMBERS
    # EASIER TO READ THIS WAY
    # ADMIN, GUEST, AND DISABLED USERS ARE GENERALLY EASIER TO MANAGE
    # IF YOU DON’T HAVE TO GO LOOKING
    ####################################################################
    echo "###############################################################" > $DESTFILE1
    echo "#############" >> $DESTFILE1
    echo "# NO ACCESS #" >> $DESTFILE1
    echo "#############" >> $DESTFILE1
    SIZE=`stat -c %s $WIP/1final`
    if [ $SIZE -gt 2 ]; then
    cat $WIP/1final >> $DESTFILE1
    echo $(date +"%Y/%m/%d %H:%M"): Updated filter groups list "("size $SIZE bytes")" >> $LOGFILE
    else echo $(date +"%Y/%m/%d %H:%M"): Output file is too small, list not updated >> $LOGFILE
    fi

    echo " " > $DESTFILE2
    echo "#########" >> $DESTFILE2
    echo "# GUEST #" >> $DESTFILE2
    echo "#########" >> $DESTFILE2
    SIZE=`stat -c %s $WIP/2final`
    if [ $SIZE -gt 2 ]; then
    cat $WIP/2final >> $DESTFILE2
    echo $(date +"%Y/%m/%d %H:%M"): Updated filter groups list "("size $SIZE bytes")" >> $LOGFILE
    else echo $(date +"%Y/%m/%d %H:%M"): Output file is too small, list not updated >> $LOGFILE
    fi

    echo " " > $DESTFILE7
    echo "#########" >> $DESTFILE7
    echo "# ADMIN #" >> $DESTFILE7
    echo "#########" >> $DESTFILE7
    SIZE=`stat -c %s $WIP/7final`
    if [ $SIZE -gt 2 ]; then
    cat $WIP/7final >> $DESTFILE7
    echo $(date +"%Y/%m/%d %H:%M"): Updated filter groups list "("size $SIZE bytes")" >> $LOGFILE
    else echo $(date +"%Y/%m/%d %H:%M"): Output file is too small, list not updated >> $LOGFILE
    fi

    echo " " > $DESTFILE6
    echo "#################################" >> $DESTFILE6
    echo "# EXTENDED STAFF (FACEBOOK ETC) #" >> $DESTFILE6
    echo "#################################" >> $DESTFILE6
    SIZE=`stat -c %s $WIP/6final`
    if [ $SIZE -gt 2 ]; then
    cat $WIP/6final >> $DESTFILE6
    echo $(date +"%Y/%m/%d %H:%M"): Updated filter groups list "("size $SIZE bytes")" >> $LOGFILE
    else echo $(date +"%Y/%m/%d %H:%M"): Output file is too small, list not updated >> $LOGFILE
    fi

    echo " " > $DESTFILE3
    echo "#######################" >> $DESTFILE3
    echo "# RESTRICTED STUDENTS #" >> $DESTFILE3
    echo "#######################" >> $DESTFILE3
    SIZE=`stat -c %s $WIP/3final`
    if [ $SIZE -gt 2 ]; then
    cat $WIP/3final >> $DESTFILE3
    echo $(date +"%Y/%m/%d %H:%M"): Updated filter groups list "("size $SIZE bytes")" >> $LOGFILE
    else echo $(date +"%Y/%m/%d %H:%M"): Output file is too small, list not updated >> $LOGFILE
    fi

    echo " " > $DESTFILE5
    echo "#########" >> $DESTFILE5
    echo "# STAFF #" >> $DESTFILE5
    echo "#########" >> $DESTFILE5
    SIZE=`stat -c %s $WIP/5final`
    if [ $SIZE -gt 2 ]; then
    cat $WIP/5final >> $DESTFILE5
    echo $(date +"%Y/%m/%d %H:%M"): Updated filter groups list "("size $SIZE bytes")" >> $LOGFILE
    else echo $(date +"%Y/%m/%d %H:%M"): Output file is too small, list not updated >> $LOGFILE
    fi

    echo " " > $DESTFILE4
    echo "############" >> $DESTFILE4
    echo "# STUDENTS #" >> $DESTFILE4
    echo "############" >> $DESTFILE4
    SIZE=`stat -c %s $WIP/4final`
    if [ $SIZE -gt 2 ]; then
    cat $WIP/4final >> $DESTFILE4
    echo $(date +"%Y/%m/%d %H:%M"): Updated filter groups list "("size $SIZE bytes")" >> $LOGFILE
    else echo $(date +"%Y/%m/%d %H:%M"): Output file is too small, list not updated >> $LOGFILE
    fi

    #FULL PATH TO filtergroupslist
    FULLPATH=/etc/dansguardian/lists

    #BACKUP ORIGINAL FILE
    cat $FULLPATH/filtergroupslist > $FULLPATH/filtergroupslist.bak

    ##################################
    #COMBINE AND BUILD FILTERGROUPFILE
    ##################################
    echo "###############################################################" > $FULLPATH/filtergroupslist
    echo "# Filter Groups List file for DansGuardian" >> $FULLPATH/filtergroupslist
    echo "#" >> $FULLPATH/filtergroupslist
    echo "# Format is (user)=filter(1-9) where 1-9 are the groups" >> $FULLPATH/filtergroupslist
    echo "#" >> $FULLPATH/filtergroupslist
    echo "# Eg:" >> $FULLPATH/filtergroupslist
    echo "# daniel=filter2" >> $FULLPATH/filtergroupslist
    echo "#" >> $FULLPATH/filtergroupslist
    echo "# This file is only of use if you have more than 1 filter group" >> $FULLPATH/filtergroupslist
    cat $DESTFILE1 >> $FULLPATH/filtergroupslist
    cat $DESTFILE2 >> $FULLPATH/filtergroupslist
    cat $DESTFILE7 >> $FULLPATH/filtergroupslist
    cat $DESTFILE6 >> $FULLPATH/filtergroupslist
    cat $DESTFILE3 >> $FULLPATH/filtergroupslist
    cat $DESTFILE5 >> $FULLPATH/filtergroupslist
    cat $DESTFILE4 >> $FULLPATH/filtergroupslist
    chmod 644 $FULLPATH/filtergroupslist
    chown nobody.nobody $FULLPATH/filtergroupslist
    # Gentle reload of dansguardian
    service dansguardian stop
    sleep 10
    service dansguardian start

  4. Aron Leeper

    Sorry guys. I thought I shared this code with you. Here’s what we did to do multiple user groups.

    #!/bin/bash
    #
    # Dansguardian filter group update script
    # Alex Forbes, Edtech Ltd
    # Updated 9th September 2009
    # Edited 4/20/2010 Graham Pearson/Aron Leeper

    ## Variables
    # Dansguardian filtergroupslist file
    DESTFILE=/etc/dansguardian/lists/filtergroupslist
    LOGFILE=/var/log/dansfgupdate.log

    # LDAP settings
    #LDAPFILTER="(&(objectClass=Person)(|(groupMembership=cn=ALL-TEACHERS,ou=TCHR,o=HWK)(groupMembership=cn=ALL-ADMIN,ou=ADM,o=HWK)(groupMembership=cn=OESAdmins,o=HWK)))"
    #LDAPFILTER="(&(objectClass=Person)(|(groupMembership=cn=InternetAccess,o=Argos))"
    LDAPTeacherAccessFILTER="(groupMembership=cn=dgTeacherAccess,o=Argos)"
    LDAPElemStudentAccessFILTER="(groupMembership=cn=dgElemAccess,o=Argos)"
    LDAPJrSrStudentAccessFILTER="(groupMembership=cn=dgJrSrAccess,o=Argos)"
    LDAPAdministratorAccessFILTER="(groupMembership=cn=dgAdminAccess,o=Argos)"

    # Path to the awk script (converts the ldif file to parseable text). I modified one from
    # http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP-ScriptsAndTools.html
    AWKSCRIPT=/etc/dansguardian/ldif2csv.awk
    TMP=/tmp

    # Make temp directories
    WIP=$TMP/dgFilterUpdate
    mkdir -p $WIP

    # Header message
    echo "## This file is automatically updated, any changes will be overwritten" > $WIP/4final
    echo "## See /etc/dansguardian/updatefilter.sh" >> $WIP/4final
    echo "" >>$WIP/4final

    touch $DESTFILE
    touch $WIP/Step.1.ElementaryStudents
    touch $WIP/Step.1.JrSrStudents
    touch $WIP/Step.1.Teachers
    touch $WIP/Step.1.Administrators
    touch $WIP/Step.2.ElementaryStudents
    touch $WIP/Step.2.JrSrStudents
    touch $WIP/Step.2.Teachers
    touch $WIP/Step.2.Administrators

    # Perform LDAP search. Outputs ldif file.
    ldapsearch -uxvA -H ldap://192.168.0.1 -b "o=Argos" -S '' -s "sub" -D cn=ldapadmin,o=Argos -w ldapadmin "$LDAPElemStudentAccessFILTER" ufn > $WIP/Step.1.ElementaryStudents
    ldapsearch -uxvA -H ldap://192.168.0.1 -b "o=Argos" -S '' -s "sub" -D cn=ldapadmin,o=Argos -w ldapadmin "$LDAPJrSrStudentAccessFILTER" ufn > $WIP/Step.1.JrSrStudents
    ldapsearch -uxvA -H ldap://192.168.0.1 -b "o=Argos" -S '' -s "sub" -D cn=ldapadmin,o=Argos -w ldapadmin "$LDAPTeacherAccessFILTER" ufn > $WIP/Step.1.Teachers
    ldapsearch -uxvA -H ldap://192.168.0.1 -b "o=Argos" -S '' -s "sub" -D cn=ldapadmin,o=Argos -w ldapadmin "$LDAPAdministratorAccessFILTER" ufn > $WIP/Step.1.Administrators

    # Picks out the ufn attribute using a modified awk script I found:
    cat $WIP/Step.1.ElementaryStudents | awk -F ': ' -f $AWKSCRIPT | cut -d, -f1 | sed 's/$/=filter2/' > $WIP/Step.2.ElementaryStudents
    cat $WIP/Step.1.JrSrStudents | awk -F ': ' -f $AWKSCRIPT | cut -d, -f1 | sed 's/$/=filter3/' > $WIP/Step.2.JrSrStudents
    cat $WIP/Step.1.Teachers | awk -F ': ' -f $AWKSCRIPT | cut -d, -f1 | sed 's/$/=filter4/' > $WIP/Step.2.Teachers
    cat $WIP/Step.1.Administrators | awk -F ': ' -f $AWKSCRIPT | cut -d, -f1 | sed 's/$/=filter5/' > $WIP/Step.2.Administrators

    # Finally, copy the file to overwrite the dansguardian list.
    # I’ve done a simple check to make sure the file isn’t too small in case of error, but it could be handled better.
    SIZE=`stat -c %s $WIP/Step.2.Administrators`

    if [ $SIZE -gt 30 ]; then
    cp $WIP/Step.2.Administrators $DESTFILE
    cat $WIP/Step.2.Teachers >> $DESTFILE
    cat $WIP/Step.2.JrSrStudents >> $DESTFILE
    cat $WIP/Step.2.ElementaryStudents >> $DESTFILE
    echo $(date +"%Y/%m/%d %H:%M"): Updated filter groups list "("size $SIZE bytes")" >> $LOGFILE
    else
    echo $(date +"%Y/%m/%d %H:%M"): Output file is too small, list not updated >> $LOGFILE
    fi

    # Gentle reload of dansguardian
    dansguardian -g

  5. Alex

    Nice work. This is probably now at the point where it should be on Github, but when I wrote the original script I knew nothing about source control! I don’t have a need for it any more as I’m no longer working in an environment that uses Dansguardian, but if someone wants to start a Github project I’d happily link to it from this page.

    There are many ways in which these scripts could be improved. :)

