From 318091fc354454dee9ce09ddee9561f7a974f55e Mon Sep 17 00:00:00 2001 From: Brian Lycett Date: Mon, 10 Oct 2022 13:55:14 +0100 Subject: [PATCH] Bugfixes including SHOW_POSIX_ATTRIBUTES not working for new accounts. --- Dockerfile | 2 +- README.md | 2 +- www/account_manager/index.php | 34 ++++++++++++------------ www/account_manager/new_user.php | 8 +++--- www/includes/ldap_functions.inc.php | 41 ++++++++++++++++++++++++----- www/log_in/index.php | 2 +- 6 files changed, 58 insertions(+), 31 deletions(-) diff --git a/Dockerfile b/Dockerfile index 3090e11..7f49e3d 100644 --- a/Dockerfile +++ b/Dockerfile @@ -25,7 +25,7 @@ COPY www/ /opt/ldap_user_manager RUN tar -xzf /tmp/v6.3.0.tar.gz -C /opt && mv /opt/PHPMailer-6.3.0 /opt/PHPMailer COPY entrypoint /usr/local/bin/entrypoint -RUN chmod a+x /usr/local/bin/entrypoint +RUN chmod a+x /usr/local/bin/entrypoint && touch /etc/ldap/ldap.conf CMD ["apache2-foreground"] ENTRYPOINT ["/usr/local/bin/entrypoint"] diff --git a/README.md b/README.md index ed079ad..6dc9ea0 100644 --- a/README.md +++ b/README.md @@ -181,7 +181,7 @@ To send emails you'll need to use an existing SMTP server. Email sending will b * `SMTP_PASSWORD` (no default): The password to use when the SMTP server requires authentication. -* `SMTP_USE_TLS` (default: *FALSE*): Set to TRUE if the SMTP server requires TLS to be enabled. Overrides `SMTP_USE_TLS`. +* `SMTP_USE_TLS` (default: *FALSE*): Set to TRUE if the SMTP server requires TLS to be enabled. Overrides `SMTP_USE_SSL`. * `SMTP_USE_SSL` (default: *FALSE*): Set to TRUE if the SMTP server requires SSL to be enabled. This will be unset if `SMTP_USE_TLS` is `TRUE`. diff --git a/www/account_manager/index.php b/www/account_manager/index.php index ade7f0d..67dcd7a 100644 --- a/www/account_manager/index.php +++ b/www/account_manager/index.php 
@@ -14,17 +14,17 @@ $ldap_connection = open_ldap_connection(); if (isset($_POST['delete_user'])) { - $this_user = $_POST['delete_user']; - $this_user = urldecode($this_user); + $this_user = $_POST['delete_user']; + $this_user = urldecode($this_user); - $del_user = ldap_delete_account($ldap_connection,$this_user); + $del_user = ldap_delete_account($ldap_connection,$this_user); - if ($del_user) { - render_alert_banner("User $this_user was deleted."); - } - else { - render_alert_banner("User $this_user wasn't deleted. See the logs for more information.","danger",15000); - } + if ($del_user) { + render_alert_banner("User $this_user was deleted."); + } + else { + render_alert_banner("User $this_user wasn't deleted. See the logs for more information.","danger",15000); + } } @@ -61,15 +61,15 @@ $people = ldap_get_user_list($ldap_connection); $attribs){ - $group_membership = ldap_user_group_membership($ldap_connection,$account_identifier); - if (isset($people[$account_identifier]['mail'])) { $this_mail = $people[$account_identifier]['mail']; } else { $this_mail = ""; } + $group_membership = ldap_user_group_membership($ldap_connection,$account_identifier); + if (isset($people[$account_identifier]['mail'])) { $this_mail = $people[$account_identifier]['mail']; } else { $this_mail = ""; } + print " \n $account_identifier\n"; + print " " . $people[$account_identifier]['givenname'] . "\n"; + print " " . $people[$account_identifier]['sn'] . "\n"; + print " $this_mail\n"; + print " " . implode(", ", $group_membership) . "\n"; + print " \n"; - print " \n $account_identifier\n"; - print " " . $people[$account_identifier]['givenname'] . "\n"; - print " " . $people[$account_identifier]['sn'] . "\n"; - print " $this_mail\n"; - print " " . implode(", ", $group_membership) . "\n"; - print " \n"; } ?> diff --git a/www/account_manager/new_user.php b/www/account_manager/new_user.php index c029eed..9fcd7e2 100644 --- a/www/account_manager/new_user.php +++ b/www/account_manager/new_user.php 
@@ -8,8 +8,6 @@ include_once "module_functions.inc.php"; $attribute_map = $LDAP['default_attribute_map']; if (isset($LDAP['account_additional_attributes'])) { $attribute_map = ldap_complete_attribute_array($attribute_map,$LDAP['account_additional_attributes']); } -unset($attribute_map['uidnumber']); -unset($attribute_map['gidnumber']); if (! array_key_exists($LDAP['account_attribute'], $attribute_map)) { $attribute_r = array_merge($attribute_map, array($LDAP['account_attribute'] => array("label" => "Account UID"))); @@ -51,6 +49,10 @@ $account_attribute = $LDAP['account_attribute']; $new_account_r = array(); +if ($SHOW_POSIX_ATTRIBUTES == TRUE) { + +} + foreach ($attribute_map as $attribute => $attr_r) { if (isset($_FILES[$attribute]['size']) and $_FILES[$attribute]['size'] > 0) { @@ -103,11 +105,9 @@ if (isset($_GET['account_request'])) { $givenname[0]=filter_var($_GET['first_name'], FILTER_SANITIZE_FULL_SPECIAL_CHARS); $new_account_r['givenname'] = $givenname[0]; - unset($new_account_r['givenname']['count']); $sn[0]=filter_var($_GET['last_name'], FILTER_SANITIZE_FULL_SPECIAL_CHARS); $new_account_r['sn'] = $sn[0]; - unset($new_account_r['sn']['count']); $mail[0]=filter_var($_GET['email'], FILTER_SANITIZE_EMAIL); if ($mail[0] == "") { diff --git a/www/includes/ldap_functions.inc.php b/www/includes/ldap_functions.inc.php index c255929..6ec1e8d 100644 --- a/www/includes/ldap_functions.inc.php +++ b/www/includes/ldap_functions.inc.php @@ -174,7 +174,7 @@ function generate_salt($length) { $permitted_chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./'; - mt_srand((double)microtime() * 1000000); + mt_srand(intval(microtime()) * 1000000); $salt = ''; while (strlen($salt) < $length) { 
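Review bot: The added `if ($SHOW_POSIX_ATTRIBUTES == TRUE) { }` in new_user.php has an empty body, so it gates nothing, while the first hunk of this file drops `unset($attribute_map['uidnumber']);` and `unset($attribute_map['gidnumber']);` unconditionally. As written, both attributes stay in `$attribute_map` even when SHOW_POSIX_ATTRIBUTES is off, and the `foreach ($attribute_map as $attribute => $attr_r)` loop that follows (its body is outside the hunk) presumably copies whatever the request supplies for them into `$new_account_r`. If hiding the fields is also meant to stop them being submitted, restore the removal behind the flag where the deleted lines were: `if ($SHOW_POSIX_ATTRIBUTES != TRUE) { unset($attribute_map['uidnumber'], $attribute_map['gidnumber']); }`. Otherwise delete the empty block so it is not read as an implemented check.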
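Review bot: `mt_srand(intval(microtime()) * 1000000);` in generate_salt seeds the generator with 0 on every call, because `microtime()` without arguments returns a string of the form `"0.12345600 1665406514"` (constructed sample) and `intval()` of that string is 0. If the `while` loop below, whose body is outside the hunk, draws its characters from `mt_rand()`, every salt of a given length comes out identical, which removes the protection salting gives the stored password hashes. Drop the `mt_srand()` line and take the index from the CSPRNG instead, for example `$salt .= $permitted_chars[random_int(0, strlen($permitted_chars) - 1)];`.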
@@ -724,6 +724,29 @@ function ldap_get_gid_of_group($ldap_connection,$group_name) { } +################################## + +function ldap_get_group_name_from_gid($ldap_connection,$gid) { + + global $log_prefix, $LDAP, $LDAP_DEBUG; + + if (isset($gid)) { + + $ldap_search_query = "(gidnumber=" . ldap_escape($gid, "", LDAP_ESCAPE_FILTER) . ")"; + $ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query , array("cn")); + $result = @ ldap_get_entries($ldap_connection, $ldap_search); + + if (isset($result[0]['cn'][0])) { + return $result[0]['cn'][0]; + } + + } + + return FALSE; + +} + + ################################## function ldap_complete_attribute_array($default_attributes,$additional_attributes) { 
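Review bot: In ldap_get_group_name_from_gid the result of `ldap_search()` goes straight into `ldap_get_entries()` with both calls silenced by `@`, so a failed search is neither logged nor handled, and on PHP 8 passing `false` to `ldap_get_entries()` raises a TypeError that `@` does not suppress. Check the search result first, e.g. `if ($ldap_search === FALSE) { error_log("$log_prefix group lookup by gid failed: " . ldap_error($ldap_connection)); return FALSE; }`, which also gives the otherwise unused `$log_prefix` global a purpose. `isset($gid)` is true for any non-null argument, including an empty string, so a digit check such as `ctype_digit((string)$gid)` would be a stricter guard. The `ldap_escape($gid, "", LDAP_ESCAPE_FILTER)` on the filter value is correct and should stay; a short header comment stating that the function returns the group's `cn` or `FALSE` would help callers.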
@@ -812,22 +835,26 @@ function ldap_new_account($ldap_connection,$account_r) { $account_attributes = array_merge($account_r, $account_attributes); - if (!isset($account_attributes['uidnumber']) or !is_numeric($account_attributes['uidnumber'])) { + if (!isset($account_attributes['uidnumber'][0]) or !is_numeric($account_attributes['uidnumber'][0])) { $highest_uid = ldap_get_highest_id($ldap_connection,'uid'); - $account_attributes['uidnumber'] = $highest_uid + 1; + $account_attributes['uidnumber'][0] = $highest_uid + 1; } - if (!isset($account_attributes['gidnumber']) or !is_numeric($account_attributes['gidnumber'])) { + if (!isset($account_attributes['gidnumber'][0]) or !is_numeric($account_attributes['gidnumber'][0])) { $default_gid = ldap_get_gid_of_group($ldap_connection,$DEFAULT_USER_GROUP); if (!is_numeric($default_gid)) { $group_add = ldap_new_group($ldap_connection,$account_identifier,$account_identifier); - $account_attributes['gidnumber'] = ldap_get_gid_of_group($ldap_connection,$account_identifier); + $account_attributes['gidnumber'][0] = ldap_get_gid_of_group($ldap_connection,$account_identifier); } else { - $account_attributes['gidnumber'] = $default_gid; + $account_attributes['gidnumber'][0] = $default_gid; $add_to_group = $DEFAULT_USER_GROUP; } } + else { + $add_to_group = ldap_get_group_name_from_gid($ldap_connection,$account_attributes['gidnumber'][0]); + if (!$add_to_group) { $add_to_group = $DEFAULT_USER_GROUP; } + } if (empty($account_attributes['loginshell'])) { $account_attributes['loginshell'] = $DEFAULT_USER_SHELL; } if (empty($account_attributes['homedirectory'])) { $account_attributes['homedirectory'] = "/home/" . $account_r['uid'][0]; } 
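Review bot: The new `[0]` checks in ldap_new_account accept any caller-supplied `uidnumber` or `gidnumber` that passes `is_numeric()`, which also admits values such as `0`, `-1`, `1.5` or `1e3`, and nothing visible in this hunk checks that the number is not already assigned to another account. On hosts that resolve POSIX accounts from this directory a duplicate or zero uidNumber makes two accounts the same user, so I would require `ctype_digit((string)$account_attributes['uidnumber'][0])` together with a lower bound and a uniqueness lookup before the value is used. The same value is written to `cn=lastUID` in the following hunk (`$new_uid = $account_attributes['uidnumber'][0];`), so a supplied number below the stored counter would presumably rewind it and let later automatic allocations collide; guard that write with `if ($this_uid != FALSE and $new_uid > $this_uid) {`. In the added `else` branch, falling back to `$DEFAULT_USER_GROUP` when no group matches leaves the account with a primary `gidnumber` that belongs to no group, which probably deserves an error rather than a silent fallback. The function starts and ends outside this hunk.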
@@ -842,7 +869,7 @@ function ldap_new_account($ldap_connection,$account_r) { ldap_add_member_to_group($ldap_connection,$add_to_group,$account_identifier); $this_uid = fetch_id_stored_in_ldap($ldap_connection,"uid"); - $new_uid = $account_attributes['uidnumber']; + $new_uid = $account_attributes['uidnumber'][0]; if ($this_uid != FALSE) { $update_uid = @ ldap_mod_replace($ldap_connection, "cn=lastUID,${LDAP['base_dn']}", array( 'serialNumber' => $new_uid )); diff --git a/www/log_in/index.php b/www/log_in/index.php index e7e552c..ce6b843 100644 --- a/www/log_in/index.php +++ b/www/log_in/index.php @@ -75,7 +75,7 @@ else {
- +