Hi Folks, these weeks I was working on a Palo Alto Networks firewall integration with eDirectory. In order to do that, Palo Alto told us we had to upgrade the customer's eDirectory to a higher release or forget it. The same answer for other LDAP connections. At this point, a friend of mine, David Rivas, decided to create a Perl script to solve it, and IT WORKS GREAT!! So, all you have to do is:
- Save the script to a Perl file (edirectory.pl for instance).
- Download Perl and the Net::LDAP module the script uses: http://www.perl.org
- Download the PAN API for User-ID identification from the PAN support site.
- Run both scripts; they will talk to each other.
- Check it on the Palo Alto with: show pan-agent or show user pan-agent statistics
- Write me a comment ;)
Obviously, you can find more info at: https://live.paloaltonetworks.com/thread/2175
You can find more information about David Rivas at
http://es.linkedin.com/pub/david-rivas-cordero/21/694/664
BUT, if you need more help with this problem, don't hesitate to contact me.
Robclav
#!/usr/bin/perl -w
# Created by David Rivas. Barcelona 2011
# Comments added by Robclav
use strict;
use PAN::API;
use Net::LDAP;

# put the domain of eDirectory
my $domain = "dominio";
# put the IP address of the User-ID agent
my $useridagent = '192.168.1.2';

# put the IP address of the eDirectory server
# (this is a plain ldap:// connection, so the bind password travels in clear text;
#  use "ldaps://192.168.1.1" or $ldap->start_tls if the server supports it)
my $ldap = Net::LDAP->new("192.168.1.1") or die "$@";
# put the LDAP credentials, user and password
my $mesg = $ldap->bind("cn=user,dc=$domain", password => "password", version => 3);
$mesg->code and die "LDAP bind failed: " . $mesg->error;

# this sub runs an LDAP search and returns the Net::LDAP::Search result
sub LDAPsearch
{
    my ($ldap, $searchString, $attrs, $base) = @_;
    if (!$base)  { $base  = "dc=$domain"; }
    if (!$attrs) { $attrs = ['cn', 'networkAddress']; }
    my $result = $ldap->search(
        base   => $base,
        scope  => "sub",
        filter => $searchString,
        attrs  => $attrs
    );
    $result->code and warn "LDAP search failed: " . $result->error;
    return $result;
}

# you can request all attributes using [] instead of ['cn', 'networkAddress']
my $attrs = ['cn', 'networkAddress'];

# loop to check eDirectory information every 20 seconds
while (1) {
    sleep 20;
    my $result = LDAPsearch($ldap, "sn=*", $attrs);
    # as_struct returns { dn => { attribute name (lower case) => [values] } }
    my $href = $result->as_struct;
    my @arrayOfDNs = keys %$href;
    foreach my $dn (@arrayOfDNs) {
        my $valref = $href->{$dn};
        my @arrayOfAttrs = sort keys %$valref;
        my $userName  = '';
        my $IPAddress = '';
        foreach my $attrName (@arrayOfAttrs) {
            # skip any binary data:
            next if ($attrName =~ /;binary$/);
            # get the attribute values (array ref) using the attribute name as the hash key
            my $attrVal = $valref->{$attrName};
            if ($attrName eq 'networkaddress') {
                # every value is "type#rawbytes"; decode each one, the attribute is multi-valued
                foreach my $network (@$attrVal) {
                    # uncomment the next line to debug the information obtained from eDirectory
                    # printf "raw networkAddress: %vd\n", $network;
                    # limit 2: the raw bytes after the first '#' may themselves contain 0x23 ('#')
                    my ($type, $rest) = split(/#/, $network, 2);
                    next unless defined $rest && $type =~ /^\d+$/;
                    # type 1 = TCP, type 9 = UDP: 2 bytes of port followed by 4 bytes of IPv4 address
                    if ($type == 1 || $type == 9) {
                        # change the substring values 2 and 4 to select the bytes (substr)
                        # that correspond to the IP address
                        my $addr = substr($rest, 2, 4);
                        next unless length($addr) == 4;
                        # "%vd" prints the bytes as a dotted decimal string
                        $IPAddress = sprintf("%vd", $addr);
                    }
                }
            } elsif ($attrName eq 'cn') {
                $userName = "@$attrVal";
            }
        }
        # only send information about users that have a networkAddress;
        # users that are not logged in are excluded. Note that the script only
        # ever sends logins, never a logout when the address disappears, so a
        # stale mapping persists until the agent expires it.
        if ($IPAddress ne '' && $userName ne '') {
            print "$userName $IPAddress\n";
            my $useridapi = PAN::API::UID->new($useridagent);
            $useridapi->login("$domain\\$userName", $IPAddress);
        }
    }
}
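The networkAddress decoding that the script does with split and substr, isolated into a helper and run over constructed sample values. This is an added example, not part of David Rivas's script or of the PAN API; it assumes the same byte layout the script assumes for TCP (type 1) and UDP (type 9) values, two bytes of port followed by four bytes of IPv4 address, and the sample values and helper names are made up for illustration (the last sample's type number is only a placeholder for "some other address type"). The point it shows: eDirectory hands the value back as raw bytes after the type and the '#', so any octet equal to 35 (0x23, the '#' character) splits the value in the wrong place unless the split is limited to the first '#'.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Decode one eDirectory networkAddress value, "type#rawbytes".
# For TCP (type 1) and UDP (type 9) the raw bytes are assumed to be
# 2 bytes of port (big endian) followed by 4 bytes of IPv4 address,
# the layout the script above relies on.  Returns (type, ip, port),
# or an empty list for other types or malformed values.
sub decode_network_address {
    my ($value) = @_;
    # limit 2: the raw bytes can themselves contain 0x23 ('#')
    my ($type, $raw) = split /#/, $value, 2;
    return () unless defined $raw && $type =~ /^\d+$/;
    return () unless $type == 1 || $type == 9;
    return () unless length($raw) >= 6;
    my ($port, $ip) = unpack 'n a4', $raw;
    return ($type, join('.', unpack('C4', $ip)), $port);
}

# What an unlimited split(/#/, ...) followed by substr($rest, 2, 4)
# does with the same value (the approach of the original script).
sub decode_unlimited_split {
    my ($value) = @_;
    my ($type, $rest) = split /#/, $value;
    return sprintf('%vd', substr($rest, 2, 4));
}

# Distinct IPv4 addresses from a multi-valued networkAddress attribute.
sub addresses_from_values {
    my @values = @_;
    my (%seen, @ips);
    for my $v (@values) {
        my ($type, $ip) = decode_network_address($v);
        next unless defined $ip;
        push @ips, $ip unless $seen{$ip}++;
    }
    return @ips;
}

# Constructed sample values (not taken from any real directory):
my @sample = (
    '1#' . pack('n C4', 389,  192, 168, 35, 10),  # TCP; third octet 35 is 0x23 = '#'
    '9#' . pack('n C4', 1024, 192, 168, 35, 10),  # UDP, same host
    '1#' . pack('n C4', 0,    10,  0,   0,  7),   # TCP, 10.0.0.7
    '7#' . pack('C6', 1, 2, 3, 4, 5, 6),          # another address type: not decoded
);

for my $v (@sample) {
    my ($type, $ip, $port) = decode_network_address($v);
    printf "%-9s %-15s unlimited split gives: %s\n",
        defined $type ? ($type == 1 ? 'tcp' : 'udp') . ":$port" : 'skipped',
        $ip // '-', decode_unlimited_split($v);
}
print "distinct hosts: ", join(', ', addresses_from_values(@sample)), "\n";
```

For the first two samples the unlimited split returns "192.168" (the two bytes left before the 0x23 octet) while the limited split returns 192.168.35.10; the third value decodes the same either way because it contains no '#' byte. Handling every value of the attribute instead of joining them into one string also matters, since a user with several sessions has several networkAddress values.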