Merge pull request #9 from wheelybird/updates
Code tidy, encode URLs and add no-https option
commit
028fd217a6
@ -1,18 +1,18 @@
|
||||
FROM php:7.0-apache
|
||||
|
||||
COPY www/ /opt/ldap_user_manager
|
||||
COPY entrypoint /usr/local/bin/entrypoint
|
||||
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends libldb-dev libldap2-dev && rm -rf /var/lib/apt/lists/* && ln -s /usr/lib/x86_64-linux-gnu/libldap.so /usr/lib/libldap.so \
|
||||
&& ln -s /usr/lib/x86_64-linux-gnu/liblber.so /usr/lib/liblber.so
|
||||
RUN docker-php-source extract && docker-php-ext-install -j$(nproc) ldap && docker-php-source delete
|
||||
|
||||
RUN chmod a+x /usr/local/bin/entrypoint
|
||||
RUN a2enmod rewrite ssl
|
||||
RUN a2dissite 000-default default-ssl
|
||||
|
||||
EXPOSE 80
|
||||
EXPOSE 443
|
||||
|
||||
COPY www/ /opt/ldap_user_manager
|
||||
COPY entrypoint /usr/local/bin/entrypoint
|
||||
RUN chmod a+x /usr/local/bin/entrypoint
|
||||
|
||||
CMD ["apache2-foreground"]
|
||||
ENTRYPOINT ["/usr/local/bin/entrypoint"]
|
||||
|
12
README.md
12
README.md
@ -47,7 +47,7 @@ docker run \
|
||||
-e "SERVER_HOSTNAME=lum.example.com" \
|
||||
-e "LDAP_URI=ldap://ldap.example.com" \
|
||||
-e "LDAP_BASE_DN=dc=example,dc=com" \
|
||||
-e "LDAP_STARTTLS=TRUE" \
|
||||
-e "LDAP_REQUIRE_STARTTLS=TRUE" \
|
||||
-e "LDAP_ADMINS_GROUP=admins" \
|
||||
-e "LDAP_ADMIN_BIND_DN=cn=admin,dc=example,dc=com" \
|
||||
-e "LDAP_ADMIN_BIND_PWD=secret"\
|
||||
@ -78,6 +78,7 @@ Optional:
|
||||
----
|
||||
|
||||
* `SERVER_HOSTNAME` (default: *example.com*): The hostname that this interface will be served from.
|
||||
* `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption. This is insecure and should only be used for testing.
|
||||
|
||||
* `LDAP_USER_OU` (default: *people*): The name of the OU used to store user accounts (without the base DN appended).
|
||||
|
||||
@ -85,8 +86,6 @@ Optional:
|
||||
* `LDAP_GROUP_MEMBERSHIP_ATTRIBUTE` (default: *uniqueMember*): The attribute used when adding a user to a group.
|
||||
* `LDAP_GROUP_MEMBERSHIP_USES_UID`(default: *FALSE*): If *TRUE* then the entry for a member of a group will be just the username. Otherwise it's the member's full DN.
|
||||
|
||||
* `LDAP_ACCOUNT_ATTRIBUTE` (default: *uid*): The attribute used to identify account usernames.
|
||||
|
||||
* `LDAP_REQUIRE_STARTTLS` (default: *TRUE*): If *TRUE* then a TLS connection is required for this interface to work. If set to *FALSE* then the interface will work without STARTTLS, but a warning will be displayed on the page.
|
||||
|
||||
* `LDAP_TLS_CACERT` (no default): If you need to use a specific CA certificate for TLS connections to the LDAP server (when `LDAP_REQUIRE_STARTTLS` is set) then assign the contents of the CA certificate to this variable. e.g. `-e LDAP_TLS_CERT=$(</path/to/ca.crt)`
|
||||
@ -106,8 +105,7 @@ Optional:
|
||||
Webserver SSL setup
|
||||
---
|
||||
|
||||
The webserver (Apache HTTPD) expects to find `/opt/ssl/server.key` and `/opt/ssl/server.crt`, and these certificates should match `SERVER_HOSTNAME`.
|
||||
If those files aren't found then the startup script will create self-signed certificates based on `SERVER_HOSTNAME`. To use your own key and certificate then you need to bind-mount a directory containing them to `/opt/ssl`. The script will also look for `/opt/ssl/chain.pem` if you need to add a certificate chain file (the Apache `SSLCertificateChainFile` option).
|
||||
When `NO_HTTPS` is set to **false** (the default), the webserver (Apache HTTPD) expects to find `/opt/ssl/server.key` and `/opt/ssl/server.crt`, and these certificates should match `SERVER_HOSTNAME`. If these files aren't found then the startup script will create self-signed certificates based on `SERVER_HOSTNAME`. To use your own key and certificate then you need to bind-mount a directory containing them to `/opt/ssl`. The script will also look for `/opt/ssl/chain.pem` if you need to add a certificate chain file (the Apache `SSLCertificateChainFile` option).
|
||||
|
||||
e.g.:
|
||||
```
|
||||
@ -152,5 +150,5 @@ If `EMAIL_DOMAIN` is set then the email address field will be automatically upda
|
||||
Details on accounts and groups
|
||||
---
|
||||
|
||||
This interface will create POSIX user accounts and groups, which allows you to use your LDAP directory for Linux/Unix accounts.
|
||||
Groups are also created as a `groupOfUniqueNames` type in case you want to use the `memberOf` LDAP module.
|
||||
This interface will create POSIX user accounts and groups, which allows you to use your LDAP directory for Linux/Unix accounts. The accounts created use `person`, `inetOrgPerson` & `posixAccount` objectClasses. Usernames are defined via the `uid` attribute and groups are created as with `posixGroup` and `groupOfUniqueNames` objectClasses (the latter in case you want to use the `memberOf` LDAP module).
|
||||
|
||||
|
138
entrypoint
138
entrypoint
@ -5,7 +5,6 @@ ssl_dir="/opt/ssl"
|
||||
|
||||
if [ ! "$SERVER_HOSTNAME" ]; then export SERVER_HOSTNAME=example.com; fi
|
||||
|
||||
|
||||
#If LDAP_TLS_CACERT is set then write it out as a file
|
||||
#and set up the LDAP client conf to use it.
|
||||
|
||||
@ -15,79 +14,99 @@ if [ "$LDAP_TLS_CACERT" ]; then
|
||||
fi
|
||||
|
||||
|
||||
########################
|
||||
#If there aren't any SSL certs then create a CA and then CA-signed certificate
|
||||
if [ "$NO_HTTPS" = "TRUE" ]; then
|
||||
|
||||
if [ ! -f "${ssl_dir}/server.key" ] && [ ! -f "${ssl_dir}/server.crt" ]; then
|
||||
cat <<EoHTTPC >/etc/apache2/sites-enabled/lum.conf
|
||||
|
||||
mkdir -p $ssl_dir
|
||||
confout="${ssl_dir}/conf"
|
||||
keyout="${ssl_dir}/server.key"
|
||||
certout="${ssl_dir}/server.crt"
|
||||
cakey="${ssl_dir}/ca.key"
|
||||
cacert="${ssl_dir}/ca.crt"
|
||||
serialfile="${ssl_dir}/serial"
|
||||
<VirtualHost *:80>
|
||||
|
||||
echo "Generating CA key"
|
||||
openssl genrsa -out $cakey 2048
|
||||
if [ $? -ne 0 ]; then exit 1 ; fi
|
||||
ServerName $SERVER_HOSTNAME
|
||||
DocumentRoot /opt/ldap_user_manager
|
||||
|
||||
echo "Generating CA certificate"
|
||||
openssl req \
|
||||
-x509 \
|
||||
-new \
|
||||
-nodes \
|
||||
-subj "/C=GB/ST=GB/L=GB/O=CA/OU=CA/CN=Wheelybird" \
|
||||
-key $cakey \
|
||||
-sha256 \
|
||||
-days 7300 \
|
||||
-out $cacert
|
||||
if [ $? -ne 0 ]; then exit 1 ; fi
|
||||
DirectoryIndex index.php index.html
|
||||
|
||||
echo "Generating openssl configuration"
|
||||
<Directory /opt/ldap_user_manager>
|
||||
Require all granted
|
||||
</Directory>
|
||||
|
||||
cat <<EoCertConf>$confout
|
||||
</VirtualHost>
|
||||
EoHTTPC
|
||||
|
||||
|
||||
else
|
||||
|
||||
########################
|
||||
#If there aren't any SSL certs then create a CA and then CA-signed certificate
|
||||
|
||||
if [ ! -f "${ssl_dir}/server.key" ] && [ ! -f "${ssl_dir}/server.crt" ]; then
|
||||
|
||||
mkdir -p $ssl_dir
|
||||
confout="${ssl_dir}/conf"
|
||||
keyout="${ssl_dir}/server.key"
|
||||
certout="${ssl_dir}/server.crt"
|
||||
cakey="${ssl_dir}/ca.key"
|
||||
cacert="${ssl_dir}/ca.crt"
|
||||
serialfile="${ssl_dir}/serial"
|
||||
|
||||
echo "Generating CA key"
|
||||
openssl genrsa -out $cakey 2048
|
||||
if [ $? -ne 0 ]; then exit 1 ; fi
|
||||
|
||||
echo "Generating CA certificate"
|
||||
openssl req \
|
||||
-x509 \
|
||||
-new \
|
||||
-nodes \
|
||||
-subj "/C=GB/ST=GB/L=GB/O=CA/OU=CA/CN=Wheelybird" \
|
||||
-key $cakey \
|
||||
-sha256 \
|
||||
-days 7300 \
|
||||
-out $cacert
|
||||
if [ $? -ne 0 ]; then exit 1 ; fi
|
||||
|
||||
echo "Generating openssl configuration"
|
||||
|
||||
cat <<EoCertConf>$confout
|
||||
subjectAltName = DNS:${SERVER_HOSTNAME},IP:127.0.0.1
|
||||
extendedKeyUsage = serverAuth
|
||||
EoCertConf
|
||||
|
||||
echo "Generating server key..."
|
||||
openssl genrsa -out $keyout 2048
|
||||
if [ $? -ne 0 ]; then exit 1 ; fi
|
||||
echo "Generating server key..."
|
||||
openssl genrsa -out $keyout 2048
|
||||
if [ $? -ne 0 ]; then exit 1 ; fi
|
||||
|
||||
echo "Generating server signing request..."
|
||||
openssl req \
|
||||
-subj "/CN=${SERVER_HOSTNAME}" \
|
||||
-sha256 \
|
||||
-new \
|
||||
-key $keyout \
|
||||
-out /tmp/server.csr
|
||||
if [ $? -ne 0 ]; then exit 1 ; fi
|
||||
echo "Generating server signing request..."
|
||||
openssl req \
|
||||
-subj "/CN=${SERVER_HOSTNAME}" \
|
||||
-sha256 \
|
||||
-new \
|
||||
-key $keyout \
|
||||
-out /tmp/server.csr
|
||||
if [ $? -ne 0 ]; then exit 1 ; fi
|
||||
|
||||
echo "Generating server cert..."
|
||||
openssl x509 \
|
||||
-req \
|
||||
-days 7300 \
|
||||
-sha256 \
|
||||
-in /tmp/server.csr \
|
||||
-CA $cacert \
|
||||
-CAkey $cakey \
|
||||
-CAcreateserial \
|
||||
-CAserial $serialfile \
|
||||
-out $certout \
|
||||
-extfile $confout
|
||||
if [ $? -ne 0 ]; then exit 1 ; fi
|
||||
echo "Generating server cert..."
|
||||
openssl x509 \
|
||||
-req \
|
||||
-days 7300 \
|
||||
-sha256 \
|
||||
-in /tmp/server.csr \
|
||||
-CA $cacert \
|
||||
-CAkey $cakey \
|
||||
-CAcreateserial \
|
||||
-CAserial $serialfile \
|
||||
-out $certout \
|
||||
-extfile $confout
|
||||
if [ $? -ne 0 ]; then exit 1 ; fi
|
||||
|
||||
fi
|
||||
fi
|
||||
|
||||
|
||||
########################
|
||||
#Create Apache config
|
||||
########################
|
||||
#Create Apache config
|
||||
|
||||
if [ -f "/opt/tls/chain.pem" ]; then $ssl_chain="SSLCertificateChainFile /opt/tls/chain.pem"; fi
|
||||
|
||||
if [ -f "/opt/tls/chain.pem" ]; then $ssl_chain="SSLCertificateChainFile /opt/tls/chain.pem"; fi
|
||||
|
||||
cat <<EoC >/etc/apache2/sites-enabled/lum.conf
|
||||
cat <<EoHTTPSC >/etc/apache2/sites-enabled/lum.conf
|
||||
|
||||
Listen 443
|
||||
|
||||
@ -114,11 +133,10 @@ Listen 443
|
||||
SSLCertificateKeyFile /opt/ssl/server.key
|
||||
$ssl_chain
|
||||
|
||||
php_value include_path "/opt/ldap_user_manager/includes"
|
||||
|
||||
</VirtualHost>
|
||||
EoC
|
||||
EoHTTPSC
|
||||
|
||||
fi
|
||||
|
||||
########################
|
||||
#Run Apache
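Review bot: The chain-file line `if [ -f "/opt/tls/chain.pem" ]; then $ssl_chain="SSLCertificateChainFile /opt/tls/chain.pem"; fi`, kept in the HTTPS branch, never assigns anything: with the leading `$` the shell expands the (empty) variable and then tries to run `=SSLCertificateChainFile /opt/tls/chain.pem` as a command, so the `$ssl_chain` placeholder in the lum.conf heredoc is always empty and a mounted chain file is silently ignored. The path also disagrees with `ssl_dir="/opt/ssl"` at the top of the file and with the README's `/opt/ssl/chain.pem`. I would change it to `if [ -f "${ssl_dir}/chain.pem" ]; then ssl_chain="SSLCertificateChainFile ${ssl_dir}/chain.pem"; fi` and quote `"$ssl_dir"` in the `mkdir -p` of the certificate-generation block. The CSR is written to the fixed path `/tmp/server.csr`; a `mktemp` name would avoid a predictable temp file, though inside the container this is low risk.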
|
||||
|
@ -1,8 +1,10 @@
|
||||
<?php
|
||||
|
||||
include_once __DIR__ . "/../includes/web_functions.inc.php";
|
||||
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
|
||||
include_once __DIR__ . "/../includes/module_functions.inc.php";
|
||||
set_include_path( ".:" . __DIR__ . "/../includes/");
|
||||
|
||||
include_once "web_functions.inc.php";
|
||||
include_once "ldap_functions.inc.php";
|
||||
include_once "module_functions.inc.php";
|
||||
set_page_access("admin");
|
||||
|
||||
render_header("LDAP manager");
|
||||
@ -11,7 +13,7 @@ render_submenu();
|
||||
$ldap_connection = open_ldap_connection();
|
||||
|
||||
if (isset($_POST['delete_group'])) {
|
||||
|
||||
|
||||
?>
|
||||
<script>
|
||||
window.setTimeout(function() {
|
||||
@ -19,12 +21,14 @@ if (isset($_POST['delete_group'])) {
|
||||
}, 4000);
|
||||
</script>
|
||||
<?php
|
||||
|
||||
|
||||
$this_group = $_POST['delete_group'];
|
||||
$this_group = urldecode($this_group);
|
||||
|
||||
if (preg_match("/$USERNAME_REGEX/",$this_group)) {
|
||||
|
||||
|
||||
$del_group = ldap_delete_group($ldap_connection,$this_group);
|
||||
|
||||
|
||||
if ($del_group) {
|
||||
?>
|
||||
<div class="alert alert-success" role="alert">
|
||||
@ -55,26 +59,26 @@ render_js_username_check();
|
||||
<script type="text/javascript">
|
||||
|
||||
function show_new_group_form() {
|
||||
|
||||
|
||||
group_form = document.getElementById('group_name');
|
||||
group_submit = document.getElementById('add_group');
|
||||
group_form.classList.replace('invisible','visible');
|
||||
group_submit.classList.replace('invisible','visible');
|
||||
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
||||
</script>
|
||||
<div class="container">
|
||||
|
||||
<div class="form-inline" id="new_group_div">
|
||||
<div class="form-inline" id="new_group_div">
|
||||
<form action="/<?php print $THIS_MODULE_PATH; ?>/show_group.php" method="post">
|
||||
<input type="hidden" name="new_group">
|
||||
<button id="show_new_group" class="form-control btn btn-default" type="button" onclick="show_new_group_form();">New group</button>
|
||||
<input type="text" class="form-control invisible" name="group_name" id="group_name" placeholder="Group name" onkeyup="check_entity_name_validity(document.getElementById('group_name').value,'new_group_div');"><button id="add_group" class="form-control btn btn-primary btn-sm invisible" type="submit">Add</button>
|
||||
</form>
|
||||
</div>
|
||||
|
||||
|
||||
<table class="table table-striped">
|
||||
<thead>
|
||||
<tr>
|
||||
@ -84,7 +88,7 @@ render_js_username_check();
|
||||
<tbody>
|
||||
<?php
|
||||
foreach ($groups as $group){
|
||||
print " <tr>\n <td><a href='/$THIS_MODULE_PATH/show_group.php?group_name=$group'>$group</a></td>\n </tr>\n";
|
||||
print " <tr>\n <td><a href='/$THIS_MODULE_PATH/show_group.php?group_name=" . urlencode($group) . "'>$group</a></td>\n </tr>\n";
|
||||
}
|
||||
?>
|
||||
</tbody>
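Review bot: The new group-list line encodes only the query parameter with `urlencode($group)`; the anchor text in `"'>$group</a>"` is still written into the HTML unescaped, and the same holds for `$username` and the givenname/sn/mail cells in the users index hunk further down. Those values come straight from the directory, so an entry that carries markup (written by another LDAP client, for instance) is rendered as HTML here — stored XSS rather than a display glitch. `htmlspecialchars($group, ENT_QUOTES, 'UTF-8')` for the text node (and likewise for the user columns) is the fix; `urlencode` is only right for the URL part. The `urldecode` applied to `$_POST['delete_group']` is a second decode on top of the one PHP already performs for form data; it pairs with the `urlencode` in the hidden field and the `$USERNAME_REGEX` check runs after it, so it is consistent, but a comment explaining the pairing would stop the next reader from removing it.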
|
||||
|
@ -1,8 +1,10 @@
|
||||
<?php
|
||||
|
||||
include_once __DIR__ . "/../includes/web_functions.inc.php";
|
||||
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
|
||||
include_once __DIR__ . "/../includes/module_functions.inc.php";
|
||||
set_include_path( ".:" . __DIR__ . "/../includes/");
|
||||
|
||||
include_once "web_functions.inc.php";
|
||||
include_once "ldap_functions.inc.php";
|
||||
include_once "module_functions.inc.php";
|
||||
set_page_access("admin");
|
||||
|
||||
render_header("LDAP manager");
|
||||
@ -11,7 +13,7 @@ render_submenu();
|
||||
$ldap_connection = open_ldap_connection();
|
||||
|
||||
if (isset($_POST['delete_user'])) {
|
||||
|
||||
|
||||
?>
|
||||
<script>
|
||||
window.setTimeout(function() {
|
||||
@ -19,12 +21,14 @@ if (isset($_POST['delete_user'])) {
|
||||
}, 4000);
|
||||
</script>
|
||||
<?php
|
||||
|
||||
|
||||
$this_user = $_POST['delete_user'];
|
||||
$this_user = urldecode($this_user);
|
||||
|
||||
if (preg_match("/$USERNAME_REGEX/",$this_user)) {
|
||||
|
||||
|
||||
$del_user = ldap_delete_account($ldap_connection,$this_user);
|
||||
|
||||
|
||||
if ($del_user) {
|
||||
?>
|
||||
<div class="alert alert-success" role="alert">
|
||||
@ -65,7 +69,7 @@ ldap_close($ldap_connection);
|
||||
<tbody>
|
||||
<?php
|
||||
foreach ($people as $username => $attribs){
|
||||
print " <tr>\n <td><a href='/$THIS_MODULE_PATH/show_user.php?username=$username'>$username</a></td>\n";
|
||||
print " <tr>\n <td><a href='/$THIS_MODULE_PATH/show_user.php?username=" . urlencode($username) . "'>$username</a></td>\n";
|
||||
print " <td>" . $people[$username]['givenname'] . "</td>\n";
|
||||
print " <td>" . $people[$username]['sn'] . "</td>\n";
|
||||
print " <td>" . $people[$username]['mail'] . "</td>\n";
|
||||
|
@ -1,8 +1,10 @@
|
||||
<?php
|
||||
|
||||
include_once __DIR__ . "/../includes/web_functions.inc.php";
|
||||
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
|
||||
include_once __DIR__ . "/../includes/module_functions.inc.php";
|
||||
set_include_path( ".:" . __DIR__ . "/../includes/");
|
||||
|
||||
include_once "web_functions.inc.php";
|
||||
include_once "ldap_functions.inc.php";
|
||||
include_once "module_functions.inc.php";
|
||||
|
||||
if ( $_POST['setup_admin_account'] ) {
|
||||
$admin_setup = TRUE;
|
||||
@ -180,7 +182,7 @@ render_js_email_generator('username','email');
|
||||
</script>
|
||||
|
||||
<div class="container">
|
||||
<div class="col-sm-7">
|
||||
<div class="col-sm-8">
|
||||
|
||||
<div class="panel panel-default">
|
||||
<div class="panel-heading text-center"><?php print $page_title; ?></div>
|
||||
@ -193,35 +195,35 @@ render_js_email_generator('username','email');
|
||||
<input type="hidden" id="pass_score" value="0" name="pass_score">
|
||||
|
||||
<div class="form-group">
|
||||
<label for="first_name" class="col-sm-2 control-label">First name</label>
|
||||
<label for="first_name" class="col-sm-3 control-label">First name</label>
|
||||
<div class="col-sm-6">
|
||||
<input type="text" class="form-control" id="first_name" name="first_name" <?php if (isset($first_name)){ print " value='$first_name'"; } ?> onkeyup="update_username(); update_email();">
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="form-group">
|
||||
<label for="last_name" class="col-sm-2 control-label">Last name</label>
|
||||
<label for="last_name" class="col-sm-3 control-label">Last name</label>
|
||||
<div class="col-sm-6">
|
||||
<input type="text" class="form-control" id="last_name" name="last_name" <?php if (isset($last_name)){ print " value='$last_name'"; } ?> onkeyup="update_username(); update_email();">
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="form-group" id="username_div">
|
||||
<label for="username" class="col-sm-2 control-label">Username</label>
|
||||
<label for="username" class="col-sm-3 control-label">Username</label>
|
||||
<div class="col-sm-6">
|
||||
<input type="text" class="form-control" id="username" name="username" <?php if (isset($username)){ print " value='$username'"; } ?> onkeyup="check_username_validity(document.getElementById('username').value); update_email();">
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="form-group" id="email_div">
|
||||
<label for="username" class="col-sm-2 control-label">Email</label>
|
||||
<label for="username" class="col-sm-3 control-label">Email</label>
|
||||
<div class="col-sm-6">
|
||||
<input type="text" class="form-control" id="email" name="email" <?php if (isset($email)){ print " value='$email'"; } ?> onkeyup="auto_email_update = false;">
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="form-group" id="password_div">
|
||||
<label for="password" class="col-sm-2 control-label">Password</label>
|
||||
<label for="password" class="col-sm-3 control-label">Password</label>
|
||||
<div class="col-sm-6">
|
||||
<input type="text" class="form-control" id="password" name="password" onkeyup="back_to_hidden('password','confirm');">
|
||||
</div>
|
||||
@ -231,7 +233,7 @@ render_js_email_generator('username','email');
|
||||
</div>
|
||||
|
||||
<div class="form-group" id="confirm_div">
|
||||
<label for="confirm" class="col-sm-2 control-label">Confirm</label>
|
||||
<label for="confirm" class="col-sm-3 control-label">Confirm</label>
|
||||
<div class="col-sm-6">
|
||||
<input type="password" class="form-control" id="confirm" name="password_match" onkeyup="check_passwords_match()">
|
||||
</div>
|
||||
|
@ -1,8 +1,10 @@
|
||||
<?php
|
||||
|
||||
include_once __DIR__ . "/../includes/web_functions.inc.php";
|
||||
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
|
||||
include_once __DIR__ . "/../includes/module_functions.inc.php";
|
||||
set_include_path( ".:" . __DIR__ . "/../includes/");
|
||||
|
||||
include_once "web_functions.inc.php";
|
||||
include_once "ldap_functions.inc.php";
|
||||
include_once "module_functions.inc.php";
|
||||
set_page_access("admin");
|
||||
|
||||
render_header("LDAP manager");
|
||||
@ -22,6 +24,7 @@ exit(0);
|
||||
}
|
||||
else {
|
||||
$group_cn = (isset($_POST['group_name']) ? $_POST['group_name'] : $_GET['group_name']);
|
||||
$group_cn = urldecode($group_cn);
|
||||
}
|
||||
|
||||
if (!preg_match("/$USERNAME_REGEX/",$group_cn)) {
|
||||
@ -41,8 +44,8 @@ if (isset($_POST['new_group'])) {
|
||||
|
||||
######################################################################################
|
||||
|
||||
|
||||
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", "cn=$group_cn");
|
||||
$ldap_search_query="cn=" . ldap_escape($group_cn, "", LDAP_ESCAPE_FILTER);
|
||||
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
|
||||
$result = ldap_get_entries($ldap_connection, $ldap_search);
|
||||
|
||||
$current_members = array();
|
||||
@ -260,7 +263,7 @@ ldap_close($ldap_connection);
|
||||
</button>
|
||||
<form id="group_members" action="<?php print $CURRENT_PAGE; ?>" method="post">
|
||||
<input type="hidden" name="update_members">
|
||||
<input type="hidden" name="group_name" value="<?php print $group_cn; ?>">
|
||||
<input type="hidden" name="group_name" value="<?php print urlencode($group_cn); ?>">
|
||||
</form>
|
||||
<button id="submit_members" class="btn btn-info" disabled type="submit" onclick="update_form_with_users()">Save</button>
|
||||
</div>
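Review bot: The hidden field `value="<?php print urlencode($group_cn); ?>"` uses `urlencode` where the context is an HTML attribute; it is safe only because urlencode's output alphabet happens to exclude `"`, `<`, `>` and `&`, and it forces the `urldecode` at the top of the file, which is a second decode on top of PHP's own form decoding. `htmlspecialchars($group_cn, ENT_QUOTES, 'UTF-8')` is the right primitive for the attribute, and once every form that posts to this page stops pre-encoding, the `urldecode` of `$group_cn` is no longer needed. In the lookup hunk, `$ldap_search_query="cn=" . ldap_escape($group_cn, "", LDAP_ESCAPE_FILTER);` builds the filter without enclosing parentheses while the other call sites in this commit write `(cn=...)`; presumably the server tolerates the bare form, but I would write `"(cn=" . ldap_escape($group_cn, "", LDAP_ESCAPE_FILTER) . ")"` for consistency. `$group_cn = (isset($_POST['group_name']) ? $_POST['group_name'] : $_GET['group_name']);` still reads `$_GET['group_name']` without `isset`, so a request carrying neither parameter raises a notice before the regex check rejects it.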
|
||||
|
@ -1,8 +1,10 @@
|
||||
<?php
|
||||
|
||||
include_once __DIR__ . "/../includes/web_functions.inc.php";
|
||||
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
|
||||
include_once __DIR__ . "/../includes/module_functions.inc.php";
|
||||
set_include_path( ".:" . __DIR__ . "/../includes/");
|
||||
|
||||
include_once "web_functions.inc.php";
|
||||
include_once "ldap_functions.inc.php";
|
||||
include_once "module_functions.inc.php";
|
||||
set_page_access("admin");
|
||||
|
||||
render_header();
|
||||
@ -37,20 +39,21 @@ exit(0);
|
||||
}
|
||||
else {
|
||||
$username = (isset($_POST['username']) ? $_POST['username'] : $_GET['username']);
|
||||
$username = urldecode($username);
|
||||
}
|
||||
|
||||
if (!preg_match("/$USERNAME_REGEX/",$username)) {
|
||||
?>
|
||||
<div class="alert alert-danger">
|
||||
<p class="text-center">The username is invalid.</p>
|
||||
<p class="text-center">The username <b><?php print "$username"; ?></b> is invalid.</p>
|
||||
</div>
|
||||
<?php
|
||||
render_footer();
|
||||
exit(0);
|
||||
}
|
||||
|
||||
|
||||
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], "(${LDAP['account_attribute']}=$username)" );
|
||||
$ldap_search_query="(${LDAP['account_attribute']}=". ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ")";
|
||||
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query);
|
||||
|
||||
|
||||
if ($ldap_search) {
|
||||
@ -325,7 +328,7 @@ if ($ldap_search) {
|
||||
<div class="panel-heading clearfix">
|
||||
<h3 class="panel-title pull-left" style="padding-top: 7.5px;"><?php print $user[0]['uid'][0]; ?></h3>
|
||||
<button class="btn btn-warning pull-right" onclick="show_delete_user_button();">Delete account</button>
|
||||
<form action="/<?php print $THIS_MODULE_PATH; ?>/index.php" method="post"><input type="hidden" name="delete_user" value="<?php print $username; ?>"><button class="btn btn-danger pull-right invisible" id="delete_user">Confirm deletion</button></form>
|
||||
<form action="/<?php print $THIS_MODULE_PATH; ?>/index.php" method="post"><input type="hidden" name="delete_user" value="<?php print urlencode($username); ?>"><button class="btn btn-danger pull-right invisible" id="delete_user">Confirm deletion</button></form>
|
||||
</div>
|
||||
<div class="panel-body">
|
||||
<form class="form-horizontal" action="" method="post">
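Review bot: `<p class="text-center">The username <b><?php print "$username"; ?></b> is invalid.</p>` prints a value that has just failed the `$USERNAME_REGEX` check — i.e. one that may contain any character the client chose — straight into the page, so the `username` parameter becomes a reflected XSS sink on the new side. It should be `<?php print htmlspecialchars($username, ENT_QUOTES, 'UTF-8'); ?>`, and the same treatment belongs on `$user[0]['uid'][0]` in the panel heading, which comes from the directory. As in show_group.php, `$_GET['username']` is read without `isset`, and the `urldecode` is a second decode that only makes sense because the delete form's hidden field pre-encodes with `urlencode`; a one-line comment on that pairing would help.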
|
||||
|
@ -1,7 +1,9 @@
|
||||
<?php
|
||||
|
||||
include_once __DIR__ . "/../includes/web_functions.inc.php";
|
||||
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
|
||||
set_include_path( ".:" . __DIR__ . "/../includes/");
|
||||
|
||||
include_once "web_functions.inc.php";
|
||||
include_once "ldap_functions.inc.php";
|
||||
|
||||
set_page_access("user");
|
||||
|
||||
|
@ -17,7 +17,7 @@
|
||||
$LDAP['group_membership_attribute'] = (getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') ? getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') : 'uniquemember');
|
||||
$LDAP['group_membership_uses_uid'] = ((strcmp(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID'),'TRUE') == 0) ? TRUE : FALSE);
|
||||
|
||||
$LDAP['account_attribute'] = (getenv('LDAP_ACCOUNT_ATTRIBUTE') ? getenv('LDAP_ACCOUNT_ATTRIBUTE') : 'uid');
|
||||
$LDAP['account_attribute'] = 'uid';
|
||||
$LDAP['require_starttls'] = ((strcmp(getenv('LDAP_REQUIRE_STARTTLS'),'TRUE') == 0) ? TRUE : FALSE);
|
||||
|
||||
$DEFAULT_USER_GROUP = (getenv('DEFAULT_USER_GROUP') ? getenv('DEFAULT_USER_GROUP') : 'everybody');
|
||||
|
@ -1,14 +1,15 @@
|
||||
<?php
|
||||
|
||||
$log_prefix = date('Y-m-d H:i:s') . " - LDAP manager - $USER_ID - ";
|
||||
$LDAP_CONNECTION_WARNING = FALSE;
|
||||
|
||||
###################################
|
||||
|
||||
function open_ldap_connection() {
|
||||
|
||||
global $log_prefix, $LDAP, $LDAP_CONNECTION_WARNING;
|
||||
global $log_prefix, $LDAP, $SENT_HEADERS;
|
||||
|
||||
$ldap_connection = ldap_connect($LDAP['uri']);
|
||||
$ldap_connection = @ ldap_connect($LDAP['uri']);
|
||||
|
||||
if (!$ldap_connection) {
|
||||
print "Problem: Can't connect to the LDAP server at ${LDAP['uri']}";
|
||||
@ -18,10 +19,9 @@ function open_ldap_connection() {
|
||||
|
||||
ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
|
||||
|
||||
|
||||
if (!preg_match("/^ldaps:/", $LDAP['uri'])) {
|
||||
|
||||
$tls_result = ldap_start_tls($ldap_connection);
|
||||
$tls_result = @ ldap_start_tls($ldap_connection);
|
||||
|
||||
if ($tls_result != TRUE) {
|
||||
|
||||
@ -32,16 +32,17 @@ function open_ldap_connection() {
|
||||
exit(0);
|
||||
}
|
||||
else {
|
||||
print "<div style='position: fixed;bottom: 0;width: 100%;' class='alert alert-warning'>WARNING: Insecure LDAP connection to ${LDAP['uri']}</div>";
|
||||
|
||||
if ($SENT_HEADERS == TRUE) {
|
||||
print "<div style='position: fixed;bottom: 0px;width: 100%;height: 20px;border-bottom:solid 20px yellow;'>WARNING: Insecure LDAP connection to ${LDAP['uri']}</div>";
|
||||
}
|
||||
ldap_close($ldap_connection);
|
||||
$ldap_connection = ldap_connect($LDAP['uri']);
|
||||
$ldap_connection = @ ldap_connect($LDAP['uri']);
|
||||
ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
$bind_result = ldap_bind( $ldap_connection, $LDAP['admin_bind_dn'], $LDAP['admin_bind_pwd']);
|
||||
$bind_result = @ ldap_bind( $ldap_connection, $LDAP['admin_bind_dn'], $LDAP['admin_bind_pwd']);
|
||||
|
||||
if ($bind_result != TRUE) {
|
||||
print "Problem: Failed to bind as ${LDAP['admin_bind_dn']}";
|
||||
@ -63,7 +64,8 @@ function ldap_auth_username($ldap_connection,$username, $password) {
|
||||
|
||||
global $log_prefix, $LDAP;
|
||||
|
||||
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], "${LDAP['account_attribute']}=${username}");
|
||||
$ldap_search_query="${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);
|
||||
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query );
|
||||
|
||||
if (!$ldap_search) {
|
||||
error_log("$log_prefix Couldn't search for $username",0);
|
||||
@ -127,7 +129,8 @@ function ldap_get_user_list($ldap_connection,$start=0,$entries=NULL,$sort="asc",
|
||||
|
||||
global $log_prefix, $LDAP;
|
||||
|
||||
if (!isset($fields)) { $fields = array("uid", "givenname", "sn", "mail"); }
|
||||
if (!isset($fields)) { $fields = array_unique( array("${LDAP['account_attribute']}", "givenname", "sn", "mail")); }
|
||||
|
||||
if (!isset($sort_key)) { $sort_key = $LDAP['account_attribute']; }
|
||||
|
||||
$ldap_search = ldap_search($ldap_connection, "${LDAP['user_dn']}", "(&(${LDAP['account_attribute']}=*)$filters)", $fields);
|
||||
@ -241,7 +244,8 @@ function ldap_get_group_members($ldap_connection,$group_name,$start=0,$entries=N
|
||||
|
||||
global $log_prefix, $LDAP;
|
||||
|
||||
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", "(cn=$group_name)", array($LDAP['group_membership_attribute']));
|
||||
$ldap_search_query = "(cn=". ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
|
||||
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query, array($LDAP['group_membership_attribute']));
|
||||
|
||||
$result = ldap_get_entries($ldap_connection, $ldap_search);
|
||||
|
||||
@ -267,7 +271,8 @@ function ldap_is_group_member($ldap_connection,$group_name,$username) {
|
||||
|
||||
global $log_prefix, $LDAP;
|
||||
|
||||
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", "(cn=$group_name)");
|
||||
$ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
|
||||
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
|
||||
$result = ldap_get_entries($ldap_connection, $ldap_search);
|
||||
|
||||
if ($LDAP['group_membership_uses_uid'] == FALSE) {
|
||||
@ -292,7 +297,8 @@ function ldap_new_group($ldap_connection,$group_name) {
|
||||
|
||||
if (isset($group_name)) {
|
||||
|
||||
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", "(cn=$group_name,${LDAP['group_dn']})");
|
||||
$ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']})";
|
||||
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
|
||||
$result = ldap_get_entries($ldap_connection, $ldap_search);
|
||||
|
||||
if ($result['count'] == 0) {
|
||||
@ -343,7 +349,8 @@ function ldap_delete_group($ldap_connection,$group_name) {
|
||||
|
||||
if (isset($group_name)) {
|
||||
|
||||
$delete = ldap_delete($ldap_connection, "cn=$group_name,${LDAP['group_dn']}");
|
||||
$delete_query = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
|
||||
$delete = ldap_delete($ldap_connection, $delete_query);
|
||||
|
||||
if ($delete) {
|
||||
error_log("$log_prefix Deleted group $group_name",0);
|
||||
@ -367,7 +374,8 @@ function ldap_get_gid_of_group($ldap_connection,$group_name) {
|
||||
|
||||
if (isset($group_name)) {
|
||||
|
||||
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", "(cn=$group_name)", array("gidNumber"));
|
||||
$ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
|
||||
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query , array("gidNumber"));
|
||||
$result = ldap_get_entries($ldap_connection, $ldap_search);
|
||||
|
||||
if (isset($result[0]['gidnumber'][0]) and is_numeric($result[0]['gidnumber'][0])) {
|
||||
@ -389,7 +397,8 @@ function ldap_new_account($ldap_connection,$first_name,$last_name,$username,$pas
|
||||
|
||||
if (isset($first_name) and isset($last_name) and isset($username) and isset($password)) {
|
||||
|
||||
$ldap_search = ldap_search($ldap_connection, "${LDAP['user_dn']}", "(${LDAP['account_attribute']}=$username,${LDAP['user_dn']})");
|
||||
$ldap_search_query = "(${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ",${LDAP['user_dn']})";
|
||||
$ldap_search = ldap_search($ldap_connection, "${LDAP['user_dn']}", $ldap_search_query);
|
||||
$result = ldap_get_entries($ldap_connection, $ldap_search);
|
||||
|
||||
if ($result['count'] == 0) {
|
||||
@ -425,7 +434,7 @@ function ldap_new_account($ldap_connection,$first_name,$last_name,$username,$pas
|
||||
'mail' => $email
|
||||
);
|
||||
|
||||
$add_account = ldap_add($ldap_connection,
|
||||
$add_account = ldap_add($ldap_connection,
|
||||
"${LDAP['account_attribute']}=$username,${LDAP['user_dn']}",
|
||||
$user_info
|
||||
);
|
||||
@ -471,7 +480,8 @@ function ldap_delete_account($ldap_connection,$username) {
|
||||
|
||||
if (isset($username)) {
|
||||
|
||||
$delete = ldap_delete($ldap_connection, "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}");
|
||||
$delete_query = "${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ",${LDAP['user_dn']}";
|
||||
$delete = ldap_delete($ldap_connection, $delete_query);
|
||||
|
||||
if ($delete) {
|
||||
error_log("$log_prefix Deleted account for $username",0);
|
||||
@ -493,7 +503,7 @@ function ldap_add_member_to_group($ldap_connection,$group_name,$username) {
|
||||
|
||||
global $log_prefix, $LDAP;
|
||||
|
||||
$group_dn = "cn=${group_name},${LDAP['group_dn']}";
|
||||
$group_dn = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
|
||||
|
||||
if ($LDAP['group_membership_uses_uid'] == FALSE) {
|
||||
$username = "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}";
|
||||
@ -520,7 +530,7 @@ function ldap_delete_member_from_group($ldap_connection,$group_name,$username) {
|
||||
|
||||
global $log_prefix, $LDAP;
|
||||
|
||||
$group_dn = "cn=${group_name},${LDAP['group_dn']}";
|
||||
$group_dn = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
|
||||
|
||||
if ($LDAP['group_membership_uses_uid'] == FALSE) {
|
||||
$username = "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}";
|
||||
@ -549,7 +559,8 @@ function ldap_change_password($ldap_connection,$username,$new_password) {
|
||||
|
||||
#Find DN of user
|
||||
|
||||
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], "${LDAP['account_attribute']}=${username}");
|
||||
$ldap_search_query = "${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);
|
||||
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query);
|
||||
if ($ldap_search) {
|
||||
$result = ldap_get_entries($ldap_connection, $ldap_search);
|
||||
if ($result["count"] == 1) {
|
||||
|
@ -8,6 +8,7 @@ $IS_SETUP_ADMIN = FALSE;
|
||||
$ACCESS_LEVEL_NAME = array('account','admin');
|
||||
unset($USER_ID);
|
||||
$CURRENT_PAGE=htmlentities($_SERVER['PHP_SELF']);
|
||||
$SENT_HEADERS = FALSE;
|
||||
|
||||
$paths=explode('/',getcwd());
|
||||
$THIS_MODULE_PATH=end($paths);
|
||||
@ -69,7 +70,7 @@ function validate_passkey_cookie() {
|
||||
|
||||
list($user_id,$c_passkey) = explode(":",$_COOKIE['orf_cookie']);
|
||||
$filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id);
|
||||
$session_file = file_get_contents("/tmp/$filename");
|
||||
$session_file = @ file_get_contents("/tmp/$filename");
|
||||
if (!$session_file) {
|
||||
$VALIDATED = FALSE;
|
||||
unset($USER_ID);
|
||||
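Review bot: The `@` added on line 2110 silences every warning from `file_get_contents`, not just the missing-file case, so a permission or I/O problem on `/tmp/$filename` now drops silently into the `!$session_file` branch below. Testing for the file explicitly gives the same outcome without blanket suppression: `$session_file = is_file("/tmp/$filename") ? file_get_contents("/tmp/$filename") : FALSE;`. validate_passkey_cookie's body begins and ends outside the hunk.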
@ -156,7 +157,7 @@ function log_out($method='normal') {
|
||||
|
||||
function render_header($title="",$menu=TRUE) {
|
||||
|
||||
global $SITE_NAME, $IS_ADMIN, $LDAP_CONNECTION_WARNING;
|
||||
global $SITE_NAME, $IS_ADMIN, $SENT_HEADERS;
|
||||
|
||||
if (empty($title)) { $title = $SITE_NAME; }
|
||||
|
||||
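Review bot: `$SENT_HEADERS` is declared global on line 2135 and set to TRUE on line 2156 (in the next hunk) after the page head and menu have been output, which appears to duplicate what PHP already tracks via `headers_sent()`; if the flag is only consulted to decide whether a `header()` call is still possible, the built-in is more reliable because it also covers output emitted outside render_header. If it is instead meant as "render_header has run", a comment next to the assignment would make that clear, e.g. `# set once the HTML head has been emitted; later code must not send HTTP headers`. The global declaration also drops `$LDAP_CONNECTION_WARNING`; confirm no remaining code in render_header still references it. render_header's body spans both hunks.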
@ -179,6 +180,8 @@ function render_header($title="",$menu=TRUE) {
|
||||
render_menu();
|
||||
}
|
||||
|
||||
$SENT_HEADERS = TRUE;
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
@ -1,6 +1,8 @@
|
||||
<?php
|
||||
|
||||
include_once __DIR__ . "/includes/web_functions.inc.php";
|
||||
set_include_path( __DIR__ . "/includes/");
|
||||
include_once "web_functions.inc.php";
|
||||
|
||||
render_header();
|
||||
|
||||
if (isset($_GET['logged_out'])) {
|
||||
|
@ -1,7 +1,9 @@
|
||||
<?php
|
||||
|
||||
include __DIR__ . "/../includes/web_functions.inc.php";
|
||||
include __DIR__ . "/../includes/ldap_functions.inc.php";
|
||||
set_include_path( ".:" . __DIR__ . "/../includes/");
|
||||
|
||||
include "web_functions.inc.php";
|
||||
include "ldap_functions.inc.php";
|
||||
|
||||
if (isset($_POST["user_id"]) and isset($_POST["password"])) {
|
||||
|
||||
|
@ -1,4 +1,5 @@
|
||||
<?php
|
||||
include __DIR__ . "/../includes/web_functions.inc.php";
|
||||
set_include_path( ".:" . __DIR__ . "/../includes/");
|
||||
include_once "web_functions.inc.php";
|
||||
log_out();
|
||||
?>
|
||||
|
@ -1,7 +1,9 @@
|
||||
<?php
|
||||
|
||||
include __DIR__ . "/../includes/web_functions.inc.php";
|
||||
include __DIR__ . "/../includes/ldap_functions.inc.php";
|
||||
set_include_path( ".:" . __DIR__ . "/../includes/");
|
||||
|
||||
include_once "web_functions.inc.php";
|
||||
include_once "ldap_functions.inc.php";
|
||||
|
||||
if (isset($_POST["admin_password"])) {
|
||||
|
||||
|
@ -1,8 +1,10 @@
|
||||
<?php
|
||||
|
||||
include_once __DIR__ . "/../includes/web_functions.inc.php";
|
||||
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
|
||||
include_once __DIR__ . "/../includes/module_functions.inc.php";
|
||||
set_include_path( ".:" . __DIR__ . "/../includes/");
|
||||
|
||||
include_once "web_functions.inc.php";
|
||||
include_once "ldap_functions.inc.php";
|
||||
include_once "module_functions.inc.php";
|
||||
|
||||
validate_setup_cookie();
|
||||
set_page_access("setup");
|
||||
|
@ -1,8 +1,10 @@
|
||||
<?php
|
||||
|
||||
include_once __DIR__ . "/../includes/web_functions.inc.php";
|
||||
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
|
||||
include_once __DIR__ . "/../includes/module_functions.inc.php";
|
||||
set_include_path( ".:" . __DIR__ . "/../includes/");
|
||||
|
||||
include_once "web_functions.inc.php";
|
||||
include_once "ldap_functions.inc.php";
|
||||
include_once "module_functions.inc.php";
|
||||
|
||||
validate_setup_cookie();
|
||||
set_page_access("setup");
|
||||
|