Tag Archives: ldap

Automatically update DansGuardian Filter Groups List from LDAP

Update 20th March 2011: Heath has made some modifications to the original script and made it more efficient, see the comments below.

Here’s a script I wrote today, which updates the filtergroupslist file of Dansguardian. If you’re using LDAP authentication and want to give different levels of protection to certain groups of users, you need to update the list somehow, as Dansguardian doesn’t support LDAP groups. See this page for more info on filter groups.

The school I wrote this for is a Novell eDirectory site, and it will require a bit of modification to work on other sites. In particular you will need to alter the parameters of the ldapsearch command (filter string, server name, user credentials). Other LDAP servers may not support the ufn attribute, which this is based on. If your directory is well maintained and up to date you would probably be better off using the uid attribute, but this particular school hasn’t populated it for all users yet (only users created with ConsoleOne and iManager populate the uid attribute by default). If you do use uid, be sure to remove the cut command.

ldapsearch outputs data in LDIF format, which is difficult to use in scripts. The tool to use to convert this is awk, which unfortunately is a language I haven’t learnt yet. So I found a premade awk script which converts LDIF to CSV (from here), removed all the attributes and replaced them with just ufn (you may want to use uid instead).

If you use this script and modify or improve it, I’d appreciate you contributing the modifications back, as they may be useful to others (myself included)!

updateFilter.sh

#!/bin/bash
#
# Dansguardian filter group update script
# Alex Forbes, Edtech Ltd
# Updated 9th September 2009
#

## Variables
# Dansguardian filtergroupslist file
DESTFILE=/root/filtergroupslist-test
LOGFILE=/var/log/dansfgupdate.log

# LDAP settings
LDAPFILTER="(&(objectClass=Person)(|(groupMembership=cn=ALL-TEACHERS,ou=TCHR,o=HWK)(groupMembership=cn=ALL-ADMIN,ou=ADM,o=HWK)(groupMembership=cn=OESAdmins,o=HWK)))"

# Which filtergroup do you want the users to be a member of
FILTERGROUP=filter2

# Path to the awk script (converts the ldif file to parseable text). I modified one from
# http://www.yolinux.com/TUTORIALS/LinuxTutorialLDAP-ScriptsAndTools.html
AWKSCRIPT=/opt/ldif2csv.awk
TMP=/tmp

# Temp path, creates a folder for the temp files. There are probably better ways of doing it.
WIP=$TMP/dgFilterUpdate
mkdir -p $WIP

# Header message
echo "## This file is automatically updated, any changes will be overwritten" > $WIP/4final
echo "## See /opt/edir2dansg.sh" >> $WIP/4final
echo "" >>$WIP/4final

# Perform LDAP search. Outputs ldif file.
ldapsearch -uxvA -H ldaps://fs2.howick.school.nz -b "o=HWK" -S '' -s "sub" -D cn=ldapauth,o=hwk -w password "$LDAPFILTER" ufn > $WIP/1ldif

# Picks out the ufn attribute from the ldif using a modified awk script I found:
awk -F ': ' -f $AWKSCRIPT $WIP/1ldif > $WIP/2txt

# Picks the first field of the ufn attribute to generate a clean list of users
cut -d, -f1 $WIP/2txt > $WIP/3userlist

# Add the values required to meet the dansguardian filter format
while read -r u; do
	echo "$u=$FILTERGROUP" >> $WIP/4final
done < $WIP/3userlist

# Finally, copy the file to overwrite the dansguardian list.
# I've done a simple check to make sure the file isn't too small in case of error, but it could be handled better.
SIZE=$(stat -c %s $WIP/4final)
if [ "$SIZE" -gt 2500 ]; then
	cp $WIP/4final $DESTFILE
	echo "$(date +"%Y/%m/%d %H:%M"): Updated filter groups list (size $SIZE bytes)" >> $LOGFILE
else
	echo "$(date +"%Y/%m/%d %H:%M"): Output file is too small, list not updated" >> $LOGFILE
fi

# Gentle reload of dansguardian
dansguardian -g

And the modified awk script, ldif2csv.awk:

BEGIN {
        ufn = ""
}
# Remember the ufn of the entry currently being read
/^ufn: / { ufn = $2 }
# A new dn starts a new entry: print the previous entry's ufn and reset
/^dn/ {
        if (ufn != "") printf("%s\n", ufn)
        ufn = ""
}
# Capture the last entry, which has no dn after it
END {
        if (ufn != "") printf("%s\n", ufn)
}
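Added example (not the post’s script and not DansGuardian’s own code): a Python version of the LDIF-to-filtergroupslist step that parses the LDIF itself rather than relying on awk, so folded continuation lines and base64 (`::`) values are handled, maps each uid to a filter group by LDAP group membership, and returns nothing when too few users match, so an LDAP outage cannot silently replace a good list with an empty one. The sample LDIF, uids and group-to-filter mapping are constructed placeholders, not data from the school above.

```python
import base64
import re
# Constructed ldapsearch output (hypothetical uids/group DNs); the last entry has a base64 value and a folded line.
SAMPLE_LDIF = """\
dn: cn=jbloggs,ou=TCHR,o=HWK
uid: jbloggs
groupMembership: cn=ALL-TEACHERS,ou=TCHR,o=HWK

dn: cn=asmith,ou=STU,o=HWK
uid: asmith
groupMembership: cn=ALL-STUDENTS,ou=STU,o=HWK

dn: cn=mjones,ou=ADM,o=HWK
uid:: bWpvbmVz
groupMembership: cn=ALL-ADMIN,ou=ADM,o=
 HWK
"""
# Hypothetical mapping from LDAP group DN to DansGuardian filter group.
GROUP_TO_FILTER = {"cn=ALL-TEACHERS,ou=TCHR,o=HWK": "filter2",
                   "cn=ALL-ADMIN,ou=ADM,o=HWK": "filter2"}

def parse_ldif(text):
    """One {attr: [values]} dict per entry (attrs lower-cased); unfolds continuation lines, decodes base64."""
    unfolded = re.sub(r"\n ", "", text).splitlines()   # RFC 2849 line folding: "\n " joins lines
    entries, entry = [], {}
    for line in unfolded + [""]:                      # trailing "" flushes the last entry
        if line == "":
            if entry: entries.append(entry)
            entry = {}
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:           # comment or not an attribute line
            continue
        if value.startswith(":"):                     # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(attr.lower(), []).append(value.strip())
    return entries

def build_filter_list(ldif_text, mapping, min_users):
    """Return the filtergroupslist body, or None if fewer than min_users matched (e.g. LDAP down)."""
    lines = []
    for e in parse_ldif(ldif_text):
        uid = e.get("uid", [""])[0]
        fg = next((mapping[g] for g in e.get("groupmembership", []) if g in mapping), None)
        if uid and fg:
            lines.append(f"{uid}={fg}")
    if len(lines) < min_users:
        return None
    return "## Generated automatically, edits will be overwritten\n" + "\n".join(sorted(lines)) + "\n"
```

Users whose groups are not in the mapping (asmith above) are left out and so fall into DansGuardian’s default filter group; min_users plays the role of the byte-size check in the shell script.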

Update 9-9-09: Fixed a few dumb mistakes.

The perfect LDAP Browser

In my job I do a lot of work with Directory Services such as Novell eDirectory and Microsoft Active Directory, even Apple’s implementation of Open Directory once in a while. All three have their own tools to manage them, but generally they are proprietary in nature and differ greatly – no commonality whatsoever. For Novell there’s ConsoleOne and iManager; Microsoft have their Management Console and the rather narrowly defined plugin “Active Directory Users and Computers”. All of these are fairly high level in nature, and are limited in the information they present, particularly in the Windows Server 2003 case, although they’ve made significant improvements in Server 2008. Apple – well, they tried to hide the fact that you’re using a directory service at all… any organisation seriously deploying a directory service does not do it with Apple.

Whenever I’ve needed to access a directory via the standard LDAP protocol in the past I’ve used a very old Java ldap browser called… ldapbrowser (which is still available at CoolSolutions). It’s been extremely useful for structuring queries and exporting data, but it’s now 7 years old, and quite frankly ugly to use. To export data in a usable format I was exporting an LDIF, then converting it to CSV with a free .net app I found called “LDIF2CSV” and cleaning up the resulting data. It was messy, but ldap queries are so much more flexible, and I could get data out of a directory that you couldn’t using the official administration tools.

Another solution was the free Softerra LDAP Browser. It’s a bit limited though as they want you to pay for the full version (LDAP Administrator). I tried it and it is an excellent tool, but at USD$250 not exactly value for money (not too bad if you’re paying in USD but in NZD it’s a difficult sell). The free version may suffice for some but is Windows only.

Recently however I came across Apache Directory Studio, and I don’t normally gush over software like this but it’s been a revelation. It’s fully open source, based on Eclipse, and designed to manage any LDAP directory. It ticks just about every box I can think of. Runs on Windows, Mac, Linux. Exports directly to LDIF, CSV or even XLS.
If you need to access an LDAP directory via the LDAP protocol, this is your tool.

[Screenshot: Apache Directory Studio]

Website: Apache Directory Studio

I’m curious to see what Apache Directory Server is like, although by the looks of it I’ll be wanting to wait for version 2.0. Maybe if I get a free R&D slot…