This script creates a shibuser.txt file in the format described in the Shibboleth documentation at OCLC, triggered either by a filewatcher or by a cronjob.
Start deniedfilewatcher.sh at machine startup in the shibusers directory and it will stat shibuser.denied every 5 seconds.
*/5 * * * * cd "path-to-shibusers-directory"; ./create-shibuser.sh 2>&1
- shibuser.txt.pre
  - Containing information that needs to be at the top of shibuser.txt
- shibuser.denied.txt
  - Containing usernames to be blocked, one username per line
- shibuser.txt.post
  - Containing group and admin information

All files should have an empty line as the last line.
#
# Do not edit this file manually. If you want to block/unblock a user edit shibuser.denied
#
If !(auth:issuer eq "https://issuer.url");
Deny unaffiliated.html
Group Default
If Any(auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.9, "student user group");
Group +Valid
If Any(auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.9, "employee user group");
Group +Valid +Employee
If auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.6 eq "admin@somewhere";
Admin
Set login:loguser = auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.6
#
# Add one user per line between BEGIN and END
# You can add comments by having a # at the beginning of the line.
#
# The shibuser.txt file is regenerated from this file every 5 minutes.
#
# BEGIN
user1@site
user2@site
# END
#
# Do not edit past this line
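
The assembly step described above (pre file, then one rule per blocked user, then post file), as an added example; it is not the project's create-shibuser.sh. Assumptions: blocked users are matched on the same OID that the sample uses for `login:loguser`, each rule is written in a one-line `If ...; Deny` form, `blocked.html` is a hypothetical page name, and the function names `deny_rules` and `build_shibuser` are hypothetical. Lines that are not plain usernames are skipped so that an entry in the denied file cannot close the quoted string and add its own directive.

```shell
#!/bin/sh
# Added example, not the project's create-shibuser.sh.
# Assumption: denied users are matched on the OID that the sample
# shibuser.txt.post uses for login:loguser.
EPPN='auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.6'
DENY_PAGE='blocked.html'   # hypothetical page name

# Print one Deny rule per username found between "# BEGIN" and "# END".
deny_rules() {
    in_block=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            '# BEGIN') in_block=1; continue ;;
            '# END')   in_block=0; continue ;;
        esac
        [ "$in_block" -eq 1 ] || continue
        # Skip empty lines and comments inside the block.
        case "$line" in ''|'#'*) continue ;; esac
        # Reject anything that could break out of the quoted string or
        # add an extra directive (quotes, semicolons, whitespace, CR).
        case "$line" in
            *[!A-Za-z0-9@._-]*)
                echo "skipping invalid username: $line" >&2
                continue ;;
        esac
        printf 'If %s eq "%s"; Deny %s\n' "$EPPN" "$line" "$DENY_PAGE"
    done < "$1"
}

# Assemble pre + generated rules + post in a temporary file, then rename
# it into place so a reader never sees a half-written shibuser.txt.
build_shibuser() {
    dir=$1
    tmp=$(mktemp "$dir/shibuser.txt.XXXXXX") || return 1
    {
        cat "$dir/shibuser.txt.pre"
        deny_rules "$dir/shibuser.denied.txt"
        cat "$dir/shibuser.txt.post"
    } > "$tmp" && mv "$tmp" "$dir/shibuser.txt"
}
```

Call `build_shibuser "path-to-shibusers-directory"` from the cronjob or the filewatcher; skipped lines are reported on stderr.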