HomeLab/ldap-user-manager
2
0
Fork 0
mirror of https://github.com/wheelybird/ldap-user-manager.git synced 2025-01-18 15:32:54 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Added the ability to add/update the email address along with javascript to automatically generate it.

Browse Source
This commit is contained in:
Brian Lycett 2019-02-08 11:28:11 +00:00
parent e2f9636feb
commit 127511b65d
10 changed files with 123 additions and 254 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
README.md
View File

@ -13,13 +13,14 @@ docker run \
--name=lum \
-p 80:80 \
-p 443:443 \
-e SERVER_HOSTNAME=lum.example.com \
-e LDAP_URI=ldap://ldap.example.com \
-e LDAP_BASE_DN=dc=example,dc=com \
-e LDAP_STARTTLS=TRUE \
-e LDAP_ADMINS_GROUP=admins \
-e LDAP_ADMIN_BIND_DN="cn=admin,dc=example,dc=com" \
-e LDAP_ADMIN_BIND_PWD=secret\
-e "SERVER_HOSTNAME=lum.example.com" \
-e "LDAP_URI=ldap://ldap.example.com" \
-e "LDAP_BASE_DN=dc=example,dc=com" \
-e "LDAP_STARTTLS=TRUE" \
-e "LDAP_ADMINS_GROUP=admins" \
-e "LDAP_ADMIN_BIND_DN=cn=admin,dc=example,dc=com" \
-e "LDAP_ADMIN_BIND_PWD=secret"\
-e "EMAIL_DOMAIN=example.com"\
wheelybird/ldap-user-manager
```
Now go to https://lum.example.com/setup.
@ -68,7 +69,7 @@ Optional:
* `DEFAULT_USER_GROUP` (default: *everybody*): The group that new accounts are automatically added to when created. *NOTE*: If this group doesn't exist then a group is created with the same name as the username and the user is added to that group.
* `DEFAULT_USER_SHELL` (default: */bin/bash*): The shell that will be launched when the user logs into a server.
* `EMAIL_DOMAIN` (no default): The domain name to append to the email address when creating an account (username@email_domain). If unset then the mail attribute won't be set.
* `EMAIL_DOMAIN` (no default): If set then the email address field will be automatically populated in the form of `username@email_domain`).
* `USERNAME_FORMAT` (default: *{first_name}-{last_name}*): The template used to dynamically generate usernames. See the _Usernames_ section below.
* `USERNAME_REGEX` (default: *^[a-z][a-zA-Z0-9\._-]{3,32}$*): The regular expression used to ensure a username (and group name) is valid. See the _Usernames_ section below.
@ -119,6 +120,8 @@ Currently the available macros are:
Anything else in the `USERNAME_FORMAT` string is left as defined, but the username is also checked for validity against `USERNAME_REGEX`. This is to ensure that there aren't any characters forbidden by other systems (i.e. email or Linux/Unix accounts).
If `EMAIL_DOMAIN` is set then the email address field will be automatically updated in the form of `username@email_domain`. Entering anything manually in that field will stop the automatic update of the email field.
Details on accounts and groups
---

2
www/account_manager/index.php
View File

@ -59,6 +59,7 @@ ldap_close($ldap_connection);
<th>Username</th>
<th>First name</th>
<th>Last name</th>
<th>Email</th>
</tr>
</thead>
<tbody>
@ -67,6 +68,7 @@ foreach ($people as $username => $attribs){
print " <tr>\n <td><a href='/$THIS_MODULE_PATH/show_user.php?username=$username'>$username</a></td>\n";
print " <td>" . $people[$username]['givenname'] . "</td>\n";
print " <td>" . $people[$username]['sn'] . "</td>\n";
print " <td>" . $people[$username]['mail'] . "</td>\n";
print " </tr>\n";
}
?>

95
www/account_manager/new_user.php
View File

@ -3,15 +3,34 @@
include_once("web_functions.inc.php");
include_once("ldap_functions.inc.php");
include_once("module_functions.inc.php");
set_page_access("admin");
render_header();
render_submenu();
if ( $_POST['setup_admin_account'] ) {
$admin_setup = TRUE;
validate_setup_cookie();
set_page_access("setup");
$completed_action="/log_in";
$page_title="New administrator account";
render_header("Setup administrator account", FALSE);
}
else {
set_page_access("admin");
$completed_action="/$THIS_MODULE_PATH/";
$page_title="New account";
render_header();
render_submenu();
}
$invalid_password = FALSE;
$mismatched_passwords = FALSE;
$invalid_username = FALSE;
$weak_password = FALSE;
$invalid_email = FALSE;
if (isset($_POST['create_account'])) {
@ -21,8 +40,12 @@ if (isset($_POST['create_account'])) {
$last_name = stripslashes($_POST['last_name']);
$username = stripslashes($_POST['username']);
$password = $_POST['password'];
if ($_POST['email']) { $email = stripslashes($_POST['email']); }
if (!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) { $weak_password = TRUE; }
if (isset($email) and !is_valid_email($email)) { $invalid_email = TRUE; }
if (preg_match("/\"|'/",$password)) { $invalid_password = TRUE; }
if ($_POST['password'] != $_POST['password_match']) { $mismatched_passwords = TRUE; }
if (!preg_match("/$USERNAME_REGEX/",$username)) { $invalid_username = TRUE; }
@ -34,18 +57,30 @@ if (isset($_POST['create_account'])) {
and !$mismatched_passwords
and !$weak_password
and !$invalid_password
and !$invalid_username ) {
and !$invalid_username
and !$invalid_email) {
$ldap_connection = open_ldap_connection();
$new_account = ldap_new_account($ldap_connection, $first_name, $last_name, $username, $password);
$new_account = ldap_new_account($ldap_connection, $first_name, $last_name, $username, $password, $email);
if ($new_account) {
if ($admin_setup == TRUE) {
$member_add = ldap_add_member_to_group($ldap_connection, $LDAP['admins_group'], $username);
if (!$member_add) { ?>
<div class="alert alert-warning">
<p class="text-center">The account was created but adding it to the admin group failed.</p>
</div>
<?php
}
}
?>
<div class="alert alert-success">
<p class="text-center">Account created.</p>
</div>
<form action='/<?php print $THIS_MODULE_PATH; ?>/'>
<form action='<?php print $completed_action; ?>'>
<p align="center">
<input type='submit' class="btn btn-success" value='Finished'>
</p>
@ -57,9 +92,9 @@ if (isset($_POST['create_account'])) {
else {
if (!$new_account) { ?>
<div class="alert alert-warning">
<p class="text-center">Couldn't create the account.</p>
<p class="text-center">Failed to create the account.</p>
</div>
<?php
<?php
}
render_footer();
@ -73,7 +108,7 @@ if (isset($_POST['create_account'])) {
if ($weak_password) { ?>
<div class="alert alert-warning">
<p class="text-center">The password wasn't strong enough.</p>
<p class="text-center">The password is too weak.</p>
</div>
<?php }
@ -83,12 +118,17 @@ if ($invalid_password) { ?>
</div>
<?php }
if ($mismatched_passwords) { ?>
if ($invalid_email) { ?>
<div class="alert alert-warning">
<p class="text-center">The passwords didn't match.</p>
<p class="text-center">The email address is invalid.</p>
</div>
<?php }
if ($mismatched_passwords) { ?>
<div class="alert alert-warning">
<p class="text-center">The passwords are mismatched.</p>
</div>
<?php }
if ($invalid_username) { ?>
<div class="alert alert-warning">
@ -97,19 +137,20 @@ if ($invalid_username) { ?>
<?php }
render_js_username_generator('first_name','last_name','username','username_div');
render_js_email_generator('username','email');
?>
<script src="//cdnjs.cloudflare.com/ajax/libs/zxcvbn/1.0/zxcvbn.min.js"></script>
<script type="text/javascript" src="/js/zxcvbn-bootstrap-strength-meter.js"></script>
<script type="text/javascript">
$(document).ready(function(){
$(document).ready(function(){
$("#StrengthProgressBar").zxcvbnProgressBar({ passwordInput: "#password" });
});
</script>
<script type="text/javascript" src="/js/generate_passphrase.js"></script>
<script type="text/javascript" src="/js/wordlist.js"></script>
<script>
function check_passwords_match() {
if (document.getElementById('password').value != document.getElementById('confirm').value ) {
@ -123,11 +164,11 @@ render_js_username_generator('first_name','last_name','username','username_div')
}
function random_password() {
generatePassword(4,'-','password','confirm');
$("#StrengthProgressBar").zxcvbnProgressBar({ passwordInput: "#password" });
}
function back_to_hidden(passwordField,confirmField) {
var passwordField = document.getElementById(passwordField).type = 'password';
@ -135,46 +176,54 @@ render_js_username_generator('first_name','last_name','username','username_div')
}
</script>
<div class="container">
<div class="col-sm-7">
<div class="panel panel-default">
<div class="panel-heading text-center">New account</div>
<div class="panel-heading text-center"><?php print $page_title; ?></div>
<div class="panel-body text-center">
<form class="form-horizontal" action="" method="post">
<?php if ($admin_setup == TRUE) { ?><input type="hidden" name="setup_admin_account" value="true"><?php } ?>
<input type="hidden" name="create_account">
<input type="hidden" id="pass_score" value="0" name="pass_score">
<div class="form-group">
<label for="first_name" class="col-sm-2 control-label">First name</label>
<div class="col-sm-6">
<input type="text" class="form-control" id="first_name" name="first_name" <?php if (isset($first_name)){ print " value='$first_name'"; } ?> onkeyup="update_username()">
<input type="text" class="form-control" id="first_name" name="first_name" <?php if (isset($first_name)){ print " value='$first_name'"; } ?> onkeyup="update_username(); update_email();">
</div>
</div>
<div class="form-group">
<label for="last_name" class="col-sm-2 control-label">Last name</label>
<div class="col-sm-6">
<input type="text" class="form-control" id="last_name" name="last_name" <?php if (isset($last_name)){ print " value='$last_name'"; } ?> onkeyup="update_username()">
<input type="text" class="form-control" id="last_name" name="last_name" <?php if (isset($last_name)){ print " value='$last_name'"; } ?> onkeyup="update_username(); update_email();">
</div>
</div>
<div class="form-group" id="username_div">
<label for="username" class="col-sm-2 control-label">Username</label>
<div class="col-sm-6">
<input type="text" class="form-control" id="username" name="username" <?php if (isset($username)){ print " value='$username'"; } ?> onkeyup="check_username_validity(document.getElementById('username').value)">
<input type="text" class="form-control" id="username" name="username" <?php if (isset($username)){ print " value='$username'"; } ?> onkeyup="check_username_validity(document.getElementById('username').value); update_email();">
</div>
</div>
<div class="form-group" id="email_div">
<label for="username" class="col-sm-2 control-label">Email</label>
<div class="col-sm-6">
<input type="text" class="form-control" id="email" name="email" <?php if (isset($email)){ print " value='$email'"; } ?> onkeyup="auto_email_update = false;">
</div>
</div>
<div class="form-group" id="password_div">
<label for="password" class="col-sm-2 control-label">Password</label>
<div class="col-sm-6">
<input type="password" class="form-control" id="password" name="password" onkeyup="back_to_hidden('password','confirm');">
<input type="text" class="form-control" id="password" name="password" onkeyup="back_to_hidden('password','confirm');">
</div>
<div class="col-sm-1">
<input type="button" class="btn btn-sm" id="password_generator" onclick="random_password();" value="Generate password">

3
www/account_manager/show_user.php
View File

@ -18,7 +18,8 @@ $attribute_map = array( "givenname" => "First name",
"uidnumber" => "UID",
"gidnumber" => "GID",
"loginshell" => "Login shell",
"homedirectory" => "Home directory"
"homedirectory" => "Home directory",
"mail" => "Email"
);

8
www/includes/ldap_functions.inc.php
View File

@ -127,7 +127,7 @@ function ldap_get_user_list($ldap_connection,$start=0,$entries=NULL,$sort="asc",
global $log_prefix, $LDAP;
if (!isset($fields)) { $fields = array("uid", "givenname", "sn"); }
if (!isset($fields)) { $fields = array("uid", "givenname", "sn", "mail"); }
if (!isset($sort_key)) { $sort_key = $LDAP['account_attribute']; }
$ldap_search = ldap_search($ldap_connection, "${LDAP['user_dn']}", "(&(${LDAP['account_attribute']}=*)$filters)", $fields);
@ -383,7 +383,7 @@ function ldap_get_gid_of_group($ldap_connection,$group_name) {
##################################
function ldap_new_account($ldap_connection,$first_name,$last_name,$username,$password) {
function ldap_new_account($ldap_connection,$first_name,$last_name,$username,$password,$email) {
global $log_prefix, $LDAP, $DEFAULT_USER_SHELL, $DEFAULT_USER_GROUP, $EMAIL_DOMAIN;
@ -424,8 +424,8 @@ function ldap_new_account($ldap_connection,$first_name,$last_name,$username,$pas
'userPassword' => $hashed_pass
);
if (isset($EMAIL_DOMAIN)) {
array_push($user_info, ['mail' => "$username@$EMAIL_DOMAIN"]);
if (isset($email) and $email != "") {
array_push($user_info, ['mail' => $email]);
}
$add_account = ldap_add($ldap_connection,

8
www/includes/modules.inc.php
View File

@ -1,16 +1,16 @@
<?php
#Modules and how they can be accessed.
#access:
#user = need to be logged-in to see it
#hidden_on_login = only visible when not logged in
#admin = need to be logged in as an admin to see it
$MODULES = array(
$MODULES = array(
'log_in' => 'hidden_on_login',
'change_password' => 'auth',
'account_manager' => 'admin',
'account_manager' => 'admin',
'log_out' => 'auth'
);

30
www/includes/web_functions.inc.php
View File

@ -292,12 +292,7 @@ function set_page_access($level) {
function is_valid_email($email) {
if (ereg('^[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+'.'@'.'[-!#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+\.'.'[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$', $email)) {
return TRUE;
}
else {
return FALSE;
}
return (!preg_match("/^([a-z0-9\+_\-]+)(\.[a-z0-9\+_\-]+)*@([a-z0-9\-]+\.)+[a-z]{2,6}$/ix", $email)) ? FALSE : TRUE;
}
@ -367,4 +362,27 @@ EoRenderJS;
}
######################################################
function render_js_email_generator($username_field_id,$email_field_id) {
global $EMAIL_DOMAIN;
print <<<EoRenderEmailJS
<script>
var auto_email_update = true;
function update_email() {
if ( auto_email_update == true && "$EMAIL_DOMAIN" != "" ) {
var username = document.getElementById('$username_field_id').value;
document.getElementById('$email_field_id').value = username + '@' + "$EMAIL_DOMAIN";
}
}
</script>
EoRenderEmailJS;
}
?>

2
www/setup/run_checks.php
View File

@ -3,8 +3,8 @@
include_once("web_functions.inc.php");
include_once("ldap_functions.inc.php");
include_once("module_functions.inc.php");
validate_setup_cookie();
validate_setup_cookie();
set_page_access("setup");
render_header();

204
www/setup/setup_admin_account.php
View File

@ -1,204 +0,0 @@
<?php
include_once("web_functions.inc.php");
include_once("ldap_functions.inc.php");
include_once("module_functions.inc.php");
validate_setup_cookie();
set_page_access("setup");
render_header();
$invalid_password = FALSE;
$mismatched_passwords = FALSE;
$invalid_username = FALSE;
$weak_password = FALSE;
if (isset($_POST['create_account'])) {
$ldap_connection = open_ldap_connection();
$first_name = stripslashes($_POST['first_name']);
$last_name = stripslashes($_POST['last_name']);
$username = stripslashes($_POST['username']);
$password = $_POST['password'];
if (!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) { $weak_password = TRUE; }
if (preg_match("/\"|'/",$password)) { $invalid_password = TRUE; }
if ($_POST['password'] != $_POST['password_match']) { $mismatched_passwords = TRUE; }
if (!preg_match("/$USERNAME_REGEX/",$username)) { $invalid_username = TRUE; }
if ( isset($first_name)
and isset($last_name)
and isset($username)
and isset($password)
and !$mismatched_passwords
and !$weak_password
and !$invalid_password
and !$invalid_username ) {
$ldap_connection = open_ldap_connection();
$new_account = ldap_new_account($ldap_connection, $first_name, $last_name, $username, $password);
$member_add = ldap_add_member_to_group($ldap_connection, $LDAP['admins_group'], $username);
if ($new_account and $member_add) {
?>
<div class="alert alert-success">
<p class="text-center">Account created.</p>
</div>
<form action='/log_in'>
<p align="center">
<input type='submit' class="btn btn-success" value='Finished'>
</p>
</form>
<?php
render_footer();
exit(0);
}
else {
if (!$new_account) { ?>
<div class="alert alert-warning">
<p class="text-center">Couldn't create the account.</p>
</div>
<?php
}
if (!$member_add) { ?>
<div class="alert alert-warning">
<p class="text-center">Couldn't add the account to the admin group.</p>
</div>
<?php
}
?>
<form action='/setup/run_checks.php'>
<p align="center">
<input type='submit' class="btn btn-danger" value='Start again'>
</p>
</form>
<?php
render_footer();
exit(0);
}
}
}
if ($weak_password) { ?>
<div class="alert alert-warning">
<p class="text-center">The password wasn't strong enough.</p>
</div>
<?php }
if ($invalid_password) { ?>
<div class="alert alert-warning">
<p class="text-center">The password contained invalid characters.</p>
</div>
<?php }
if ($mismatched_passwords) { ?>
<div class="alert alert-warning">
<p class="text-center">The passwords didn't match.</p>
</div>
<?php }
if ($invalid_username) { ?>
<div class="alert alert-warning">
<p class="text-center">The username is invalid.</p>
</div>
<?php }
render_js_username_generator('first_name','last_name','username','username_div');
?>
<script src="//cdnjs.cloudflare.com/ajax/libs/zxcvbn/1.0/zxcvbn.min.js"></script>
<script type="text/javascript" src="/js/zxcvbn-bootstrap-strength-meter.js"></script>
<script type="text/javascript">$(document).ready(function(){ $("#StrengthProgressBar").zxcvbnProgressBar({ passwordInput: "#password" });});</script>
<script>
function check_passwords_match() {
if (document.getElementById('password').value != document.getElementById('confirm').value ) {
document.getElementById('password_div').classList.add("has-error");
document.getElementById('confirm_div').classList.add("has-error");
}
else {
document.getElementById('password_div').classList.remove("has-error");
document.getElementById('confirm_div').classList.remove("has-error");
}
}
</script>
<div class="container">
<div class="col-sm-8">
<div class="panel panel-default">
<div class="panel-heading text-center">New administrator account</div>
<div class="panel-body text-center">
<form class="form-horizontal" action="" method="post">
<input type="hidden" name="create_account">
<input type="hidden" id="pass_score" value="0" name="pass_score">
<div class="form-group">
<label for="first_name" class="col-sm-4 control-label">First name</label>
<div class="col-sm-6">
<input type="text" class="form-control" id="first_name" name="first_name" <?php if (isset($first_name)){ print " value='$first_name'"; } ?> onkeyup="update_username()">
</div>
</div>
<div class="form-group">
<label for="last_name" class="col-sm-4 control-label">Last name</label>
<div class="col-sm-6">
<input type="text" class="form-control" id="last_name" name="last_name" <?php if (isset($last_name)){ print " value='$last_name'"; } ?> onkeyup="update_username()">
</div>
</div>
<div class="form-group" id="username_div">
<label for="username" class="col-sm-4 control-label">Username</label>
<div class="col-sm-6">
<input type="text" class="form-control" id="username" name="username" <?php if (isset($username)){ print " value='$username'"; } ?> onkeyup="check_username_validity(document.getElementById('username').value)">
</div>
</div>
<div class="form-group" id="password_div">
<label for="password" class="col-sm-4 control-label">Password</label>
<div class="col-sm-6">
<input type="password" class="form-control" id="password" name="password">
</div>
</div>
<div class="col-sm-4 "></div>
<div class="col-sm-6 progress">
<div id="StrengthProgressBar" class="progress-bar"></div>
</div>
<div class="form-group" id="confirm_div">
<label for="password" class="col-sm-4 control-label">Confirm</label>
<div class="col-sm-6">
<input type="password" class="form-control" id="confirm" name="password_match" onkeyup="check_passwords_match()">
</div>
</div>
<div class="form-group">
<button type="submit" class="btn btn-warning">Create account</button>
</div>
</form>
</div>
</div>
</div>
</div>
<?php
render_footer();
?>

6
www/setup/setup_ldap.php
View File

@ -3,8 +3,8 @@
include_once("web_functions.inc.php");
include_once("ldap_functions.inc.php");
include_once("module_functions.inc.php");
validate_setup_cookie();
validate_setup_cookie();
set_page_access("setup");
render_header();
@ -134,8 +134,8 @@ if (isset($_POST['fix_problems'])) {
?>
<div class="form-group">
<form action="<?php print "/$THIS_MODULE_PATH/setup_admin_account.php"; ?>" method="post">
<input type="hidden" name="setup_account">
<form action="<?php print "/account_manager/new_user.php"; ?>" method="post">
<input type="hidden" name="setup_admin_account">
<?php
print "$li_fail The LDAP administration group is empty. ";
print "<a href='#' data-toggle='popover' title='LDAP account administrators' data-content='";