From 495d31521a6b138a30d15b14a611ccab599b0ca6 Mon Sep 17 00:00:00 2001
From: Brian Lycett <brian@wheelybird.co.uk>
Date: Fri, 10 Jan 2020 12:01:31 +0000
Subject: [PATCH] Code tidy, encode URLs and add no-https option

---
 Dockerfile                          |   8 +-
 README.md                           |  12 +--
 entrypoint                          | 138 ++++++++++++++++------------
 www/account_manager/groups.php      |  30 +++---
 www/account_manager/index.php       |  20 ++--
 www/account_manager/new_user.php    |  22 +++--
 www/account_manager/show_group.php  |  15 +--
 www/account_manager/show_user.php   |  17 ++--
 www/change_password/index.php       |   6 +-
 www/includes/config.inc.php         |   2 +-
 www/includes/ldap_functions.inc.php |  53 ++++++-----
 www/includes/web_functions.inc.php  |   7 +-
 www/index.php                       |   4 +-
 www/log_in/index.php                |   6 +-
 www/log_out/index.php               |   3 +-
 www/setup/index.php                 |   6 +-
 www/setup/run_checks.php            |   8 +-
 www/setup/setup_ldap.php            |   8 +-
 18 files changed, 212 insertions(+), 153 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 8daf0c1..803eefb 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,18 +1,18 @@
 FROM php:7.0-apache
 
-COPY www/ /opt/ldap_user_manager
-COPY entrypoint /usr/local/bin/entrypoint
-
 RUN apt-get update && apt-get install -y --no-install-recommends libldb-dev libldap2-dev && rm -rf /var/lib/apt/lists/* && ln -s /usr/lib/x86_64-linux-gnu/libldap.so /usr/lib/libldap.so \
 && ln -s /usr/lib/x86_64-linux-gnu/liblber.so /usr/lib/liblber.so
 RUN docker-php-source extract && docker-php-ext-install -j$(nproc) ldap && docker-php-source delete
 
-RUN chmod a+x /usr/local/bin/entrypoint
 RUN a2enmod rewrite ssl
 RUN a2dissite 000-default default-ssl
 
 EXPOSE 80
 EXPOSE 443
 
+COPY www/ /opt/ldap_user_manager
+COPY entrypoint /usr/local/bin/entrypoint
+RUN chmod a+x /usr/local/bin/entrypoint
+
 CMD ["apache2-foreground"]
 ENTRYPOINT ["/usr/local/bin/entrypoint"]
diff --git a/README.md b/README.md
index 18f365d..e6f8ee9 100644
--- a/README.md
+++ b/README.md
@@ -47,7 +47,7 @@ docker run \
            -e "SERVER_HOSTNAME=lum.example.com" \
            -e "LDAP_URI=ldap://ldap.example.com" \
            -e "LDAP_BASE_DN=dc=example,dc=com" \
-           -e "LDAP_STARTTLS=TRUE" \
+           -e "LDAP_REQUIRE_STARTTLS=TRUE" \
            -e "LDAP_ADMINS_GROUP=admins" \
            -e "LDAP_ADMIN_BIND_DN=cn=admin,dc=example,dc=com" \
            -e "LDAP_ADMIN_BIND_PWD=secret"\
@@ -78,6 +78,7 @@ Optional:
 ----
 
 * `SERVER_HOSTNAME` (default: *example.com*):  The hostname that this interface will be served from.
+* `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption.  This is insecure and should only be used for testing.
    
 * `LDAP_USER_OU` (default: *people*):  The name of the OU used to store user accounts (without the base DN appended).
    
@@ -85,8 +86,6 @@ Optional:
 * `LDAP_GROUP_MEMBERSHIP_ATTRIBUTE` (default: *uniqueMember*):  The attribute used when adding a user to a group.
 * `LDAP_GROUP_MEMBERSHIP_USES_UID`(default: *FALSE*): If *TRUE* then the entry for a member of a group will be just the username.  Otherwise it's the member's full DN.
    
-* `LDAP_ACCOUNT_ATTRIBUTE` (default: *uid*):  The attribute used to identify account usernames.
-   
 * `LDAP_REQUIRE_STARTTLS` (default: *TRUE*):  If *TRUE* then a TLS connection is required for this interface to work.  If set to *FALSE* then the interface will work without STARTTLS, but a warning will be displayed on the page.
    
 * `LDAP_TLS_CACERT` (no default): If you need to use a specific CA certificate for TLS connections to the LDAP server (when `LDAP_REQUIRE_STARTTLS` is set) then assign the contents of the CA certificate to this variable.  e.g. `-e LDAP_TLS_CERT=$(</path/to/ca.crt)`
@@ -106,8 +105,7 @@ Optional:
 Webserver SSL setup
 ---
 
-The webserver (Apache HTTPD) expects to find `/opt/ssl/server.key` and `/opt/ssl/server.crt`, and these certificates should match `SERVER_HOSTNAME`.   
-If those files aren't found then the startup script will create self-signed certificates based on `SERVER_HOSTNAME`.  To use your own key and certificate then you need to bind-mount a directory containing them to `/opt/ssl`.  The script will also look for `/opt/ssl/chain.pem` if you need to add a certificate chain file (the Apache `SSLCertificateChainFile` option).
+When `NO_HTTPS` is set to **false** (the default), the webserver (Apache HTTPD) expects to find `/opt/ssl/server.key` and `/opt/ssl/server.crt`, and these certificates should match `SERVER_HOSTNAME`.  If these files aren't found then the startup script will create self-signed certificates based on `SERVER_HOSTNAME`.  To use your own key and certificate then you need to bind-mount a directory containing them to `/opt/ssl`.  The script will also look for `/opt/ssl/chain.pem` if you need to add a certificate chain file (the Apache `SSLCertificateChainFile` option).
    
 e.g.:
 ```
@@ -152,5 +150,5 @@ If `EMAIL_DOMAIN` is set then the email address field will be automatically upda
 Details on accounts and groups
 ---
 
-This interface will create POSIX user accounts and groups, which allows you to use your LDAP directory for Linux/Unix accounts.   
-Groups are also created as a `groupOfUniqueNames` type in case you want to use the `memberOf` LDAP module.
+This interface will create POSIX user accounts and groups, which allows you to use your LDAP directory for Linux/Unix accounts.   The accounts created use `person`, `inetOrgPerson` & `posixAccount` objectClasses.  Usernames are defined via the `uid` attribute and groups are created as with `posixGroup` and `groupOfUniqueNames` objectClasses (the latter in case you want to use the `memberOf` LDAP module).
+
diff --git a/entrypoint b/entrypoint
index 1d7529a..7d3ab94 100644
--- a/entrypoint
+++ b/entrypoint
@@ -5,7 +5,6 @@ ssl_dir="/opt/ssl"
 
 if [ ! "$SERVER_HOSTNAME" ]; then export SERVER_HOSTNAME=example.com; fi
 
-
 #If LDAP_TLS_CACERT is set then write it out as a file
 #and set up the LDAP client conf to use it.
 
@@ -15,79 +14,99 @@ if [ "$LDAP_TLS_CACERT" ]; then
 fi
 
 
-########################
-#If there aren't any SSL certs then create a CA and then CA-signed certificate
+if [ "$NO_HTTPS" = "TRUE" ]; then
 
-if [ ! -f "${ssl_dir}/server.key" ] && [ ! -f "${ssl_dir}/server.crt" ]; then
+  cat <<EoHTTPC >/etc/apache2/sites-enabled/lum.conf
 
-  mkdir -p $ssl_dir
-  confout="${ssl_dir}/conf"
-  keyout="${ssl_dir}/server.key"
-  certout="${ssl_dir}/server.crt"
-  cakey="${ssl_dir}/ca.key"
-  cacert="${ssl_dir}/ca.crt"
-  serialfile="${ssl_dir}/serial"
+<VirtualHost *:80>
 
-  echo "Generating CA key"
-  openssl genrsa -out $cakey 2048
-  if [ $? -ne 0 ]; then exit 1 ; fi
+ ServerName $SERVER_HOSTNAME
+ DocumentRoot /opt/ldap_user_manager
 
-  echo "Generating CA certificate"
-  openssl req \
-          -x509 \
-          -new \
-          -nodes \
-          -subj "/C=GB/ST=GB/L=GB/O=CA/OU=CA/CN=Wheelybird" \
-          -key $cakey \
-          -sha256 \
-          -days 7300 \
-          -out $cacert
-  if [ $? -ne 0 ]; then exit 1 ; fi
+ DirectoryIndex index.php index.html
 
-  echo "Generating openssl configuration"
+ <Directory /opt/ldap_user_manager>
+   Require all granted
+ </Directory>
 
-  cat <<EoCertConf>$confout
+</VirtualHost>
+EoHTTPC
+
+
+else
+
+  ########################
+  #If there aren't any SSL certs then create a CA and then CA-signed certificate
+
+  if [ ! -f "${ssl_dir}/server.key" ] && [ ! -f "${ssl_dir}/server.crt" ]; then
+
+    mkdir -p $ssl_dir
+    confout="${ssl_dir}/conf"
+    keyout="${ssl_dir}/server.key"
+    certout="${ssl_dir}/server.crt"
+    cakey="${ssl_dir}/ca.key"
+    cacert="${ssl_dir}/ca.crt"
+    serialfile="${ssl_dir}/serial"
+
+    echo "Generating CA key"
+    openssl genrsa -out $cakey 2048
+    if [ $? -ne 0 ]; then exit 1 ; fi
+
+    echo "Generating CA certificate"
+    openssl req \
+            -x509 \
+            -new \
+            -nodes \
+            -subj "/C=GB/ST=GB/L=GB/O=CA/OU=CA/CN=Wheelybird" \
+            -key $cakey \
+            -sha256 \
+            -days 7300 \
+            -out $cacert
+    if [ $? -ne 0 ]; then exit 1 ; fi
+
+    echo "Generating openssl configuration"
+
+    cat <<EoCertConf>$confout
 subjectAltName = DNS:${SERVER_HOSTNAME},IP:127.0.0.1
 extendedKeyUsage = serverAuth
 EoCertConf
 
-  echo "Generating server key..."
-  openssl genrsa -out $keyout 2048
-  if [ $? -ne 0 ]; then exit 1 ; fi
+    echo "Generating server key..."
+    openssl genrsa -out $keyout 2048
+    if [ $? -ne 0 ]; then exit 1 ; fi
 
-  echo "Generating server signing request..."
-  openssl req \
-               -subj "/CN=${SERVER_HOSTNAME}" \
-               -sha256 \
-               -new \
-               -key $keyout \
-               -out /tmp/server.csr
-  if [ $? -ne 0 ]; then exit 1 ; fi
+    echo "Generating server signing request..."
+    openssl req \
+                 -subj "/CN=${SERVER_HOSTNAME}" \
+                 -sha256 \
+                 -new \
+                 -key $keyout \
+                 -out /tmp/server.csr
+    if [ $? -ne 0 ]; then exit 1 ; fi
 
-  echo "Generating server cert..."
-  openssl x509 \
-                -req \
-                -days 7300 \
-                -sha256 \
-                -in /tmp/server.csr \
-                -CA $cacert \
-                -CAkey $cakey \
-                -CAcreateserial \
-                -CAserial $serialfile \
-                -out $certout \
-                -extfile $confout
-  if [ $? -ne 0 ]; then exit 1 ; fi
+    echo "Generating server cert..."
+    openssl x509 \
+                  -req \
+                  -days 7300 \
+                  -sha256 \
+                  -in /tmp/server.csr \
+                  -CA $cacert \
+                  -CAkey $cakey \
+                  -CAcreateserial \
+                  -CAserial $serialfile \
+                  -out $certout \
+                  -extfile $confout
+    if [ $? -ne 0 ]; then exit 1 ; fi
 
-fi
+  fi
 
 
-########################
-#Create Apache config
+  ########################
+  #Create Apache config
 
+  if [ -f "/opt/tls/chain.pem" ]; then $ssl_chain="SSLCertificateChainFile /opt/tls/chain.pem"; fi
 
-if [ -f "/opt/tls/chain.pem" ]; then $ssl_chain="SSLCertificateChainFile /opt/tls/chain.pem"; fi
-
-cat <<EoC >/etc/apache2/sites-enabled/lum.conf
+  cat <<EoHTTPSC >/etc/apache2/sites-enabled/lum.conf
 
 Listen 443
 
@@ -114,11 +133,10 @@ Listen 443
  SSLCertificateKeyFile /opt/ssl/server.key
  $ssl_chain
 
- php_value include_path "/opt/ldap_user_manager/includes"
-
 </VirtualHost>
-EoC
+EoHTTPSC
 
+fi
 
 ########################
 #Run Apache
diff --git a/www/account_manager/groups.php b/www/account_manager/groups.php
index 3d4671f..158c903 100644
--- a/www/account_manager/groups.php
+++ b/www/account_manager/groups.php
@@ -1,8 +1,10 @@
 <?php
 
-include_once __DIR__ . "/../includes/web_functions.inc.php";
-include_once __DIR__ . "/../includes/ldap_functions.inc.php";
-include_once __DIR__ . "/../includes/module_functions.inc.php";
+set_include_path( ".:" . __DIR__ . "/../includes/");
+
+include_once "web_functions.inc.php";
+include_once "ldap_functions.inc.php";
+include_once "module_functions.inc.php";
 set_page_access("admin");
 
 render_header("LDAP manager");
@@ -11,7 +13,7 @@ render_submenu();
 $ldap_connection = open_ldap_connection();
 
 if (isset($_POST['delete_group'])) {
- 
+
  ?>
  <script>
     window.setTimeout(function() {
@@ -19,12 +21,14 @@ if (isset($_POST['delete_group'])) {
                                  }, 4000);
  </script>
  <?php
- 
+
  $this_group = $_POST['delete_group'];
+ $this_group = urldecode($this_group);
+
  if (preg_match("/$USERNAME_REGEX/",$this_group)) {
- 
+
   $del_group = ldap_delete_group($ldap_connection,$this_group);
-  
+
   if ($del_group) {
   ?>
   <div class="alert alert-success" role="alert">
@@ -55,26 +59,26 @@ render_js_username_check();
 <script type="text/javascript">
 
  function show_new_group_form() {
- 
+
   group_form = document.getElementById('group_name');
   group_submit = document.getElementById('add_group');
   group_form.classList.replace('invisible','visible');
   group_submit.classList.replace('invisible','visible');
-  
-  
+
+
  }
 
 </script>
 <div class="container">
 
- <div class="form-inline" id="new_group_div"> 
+ <div class="form-inline" id="new_group_div">
   <form action="/<?php print $THIS_MODULE_PATH; ?>/show_group.php" method="post">
    <input type="hidden" name="new_group">
    <button id="show_new_group" class="form-control btn btn-default" type="button" onclick="show_new_group_form();">New group</button>
    <input type="text" class="form-control invisible" name="group_name" id="group_name" placeholder="Group name" onkeyup="check_entity_name_validity(document.getElementById('group_name').value,'new_group_div');"><button id="add_group" class="form-control btn btn-primary btn-sm invisible" type="submit">Add</button>
   </form>
  </div>
- 
+
  <table class="table table-striped">
   <thead>
    <tr>
@@ -84,7 +88,7 @@ render_js_username_check();
  <tbody>
 <?php
 foreach ($groups as $group){
- print " <tr>\n   <td><a href='/$THIS_MODULE_PATH/show_group.php?group_name=$group'>$group</a></td>\n </tr>\n";
+ print " <tr>\n   <td><a href='/$THIS_MODULE_PATH/show_group.php?group_name=" . urlencode($group) . "'>$group</a></td>\n </tr>\n";
 }
 ?>
   </tbody>
diff --git a/www/account_manager/index.php b/www/account_manager/index.php
index b1ccb04..e989755 100644
--- a/www/account_manager/index.php
+++ b/www/account_manager/index.php
@@ -1,8 +1,10 @@
 <?php
 
-include_once __DIR__ . "/../includes/web_functions.inc.php";
-include_once __DIR__ . "/../includes/ldap_functions.inc.php";
-include_once __DIR__ . "/../includes/module_functions.inc.php";
+set_include_path( ".:" . __DIR__ . "/../includes/");
+
+include_once "web_functions.inc.php";
+include_once "ldap_functions.inc.php";
+include_once "module_functions.inc.php";
 set_page_access("admin");
 
 render_header("LDAP manager");
@@ -11,7 +13,7 @@ render_submenu();
 $ldap_connection = open_ldap_connection();
 
 if (isset($_POST['delete_user'])) {
- 
+
  ?>
  <script>
     window.setTimeout(function() {
@@ -19,12 +21,14 @@ if (isset($_POST['delete_user'])) {
                                  }, 4000);
  </script>
  <?php
- 
+
  $this_user = $_POST['delete_user'];
+ $this_user = urldecode($this_user);
+
  if (preg_match("/$USERNAME_REGEX/",$this_user)) {
- 
+
   $del_user = ldap_delete_account($ldap_connection,$this_user);
-  
+
   if ($del_user) {
   ?>
   <div class="alert alert-success" role="alert">
@@ -65,7 +69,7 @@ ldap_close($ldap_connection);
  <tbody>
 <?php
 foreach ($people as $username => $attribs){
- print " <tr>\n   <td><a href='/$THIS_MODULE_PATH/show_user.php?username=$username'>$username</a></td>\n";
+ print " <tr>\n   <td><a href='/$THIS_MODULE_PATH/show_user.php?username=" . urlencode($username) . "'>$username</a></td>\n";
  print "   <td>" . $people[$username]['givenname'] . "</td>\n";
  print "   <td>" . $people[$username]['sn'] . "</td>\n";
  print "   <td>" . $people[$username]['mail'] . "</td>\n";
diff --git a/www/account_manager/new_user.php b/www/account_manager/new_user.php
index 3160132..bf92e94 100644
--- a/www/account_manager/new_user.php
+++ b/www/account_manager/new_user.php
@@ -1,8 +1,10 @@
 <?php
 
-include_once __DIR__ . "/../includes/web_functions.inc.php";
-include_once __DIR__ . "/../includes/ldap_functions.inc.php";
-include_once __DIR__ . "/../includes/module_functions.inc.php";
+set_include_path( ".:" . __DIR__ . "/../includes/");
+
+include_once "web_functions.inc.php";
+include_once "ldap_functions.inc.php";
+include_once "module_functions.inc.php";
 
 if ( $_POST['setup_admin_account'] ) {
  $admin_setup = TRUE;
@@ -180,7 +182,7 @@ render_js_email_generator('username','email');
 </script>
 
 <div class="container">
- <div class="col-sm-7">
+ <div class="col-sm-8">
 
   <div class="panel panel-default">
    <div class="panel-heading text-center"><?php print $page_title; ?></div>
@@ -193,35 +195,35 @@ render_js_email_generator('username','email');
      <input type="hidden" id="pass_score" value="0" name="pass_score">
 
      <div class="form-group">
-      <label for="first_name" class="col-sm-2 control-label">First name</label>
+      <label for="first_name" class="col-sm-3 control-label">First name</label>
       <div class="col-sm-6">
        <input type="text" class="form-control" id="first_name" name="first_name" <?php if (isset($first_name)){ print " value='$first_name'"; } ?> onkeyup="update_username(); update_email();">
       </div>
      </div>
 
      <div class="form-group">
-      <label for="last_name" class="col-sm-2 control-label">Last name</label>
+      <label for="last_name" class="col-sm-3 control-label">Last name</label>
       <div class="col-sm-6">
        <input type="text" class="form-control" id="last_name" name="last_name" <?php if (isset($last_name)){ print " value='$last_name'"; } ?> onkeyup="update_username(); update_email();">
       </div>
      </div>
 
      <div class="form-group" id="username_div">
-      <label for="username" class="col-sm-2 control-label">Username</label>
+      <label for="username" class="col-sm-3 control-label">Username</label>
       <div class="col-sm-6">
        <input type="text" class="form-control" id="username" name="username" <?php if (isset($username)){ print " value='$username'"; } ?> onkeyup="check_username_validity(document.getElementById('username').value); update_email();">
       </div>
      </div>
 
      <div class="form-group" id="email_div">
-      <label for="username" class="col-sm-2 control-label">Email</label>
+      <label for="username" class="col-sm-3 control-label">Email</label>
       <div class="col-sm-6">
        <input type="text" class="form-control" id="email" name="email" <?php if (isset($email)){ print " value='$email'"; } ?> onkeyup="auto_email_update = false;">
       </div>
      </div>
 
      <div class="form-group" id="password_div">
-      <label for="password" class="col-sm-2 control-label">Password</label>
+      <label for="password" class="col-sm-3 control-label">Password</label>
       <div class="col-sm-6">
        <input type="text" class="form-control" id="password" name="password" onkeyup="back_to_hidden('password','confirm');">
       </div>
@@ -231,7 +233,7 @@ render_js_email_generator('username','email');
      </div>
 
      <div class="form-group" id="confirm_div">
-      <label for="confirm" class="col-sm-2 control-label">Confirm</label>
+      <label for="confirm" class="col-sm-3 control-label">Confirm</label>
       <div class="col-sm-6">
        <input type="password" class="form-control" id="confirm" name="password_match" onkeyup="check_passwords_match()">
       </div>
diff --git a/www/account_manager/show_group.php b/www/account_manager/show_group.php
index 0a0266a..64a3276 100644
--- a/www/account_manager/show_group.php
+++ b/www/account_manager/show_group.php
@@ -1,8 +1,10 @@
 <?php
 
-include_once __DIR__ . "/../includes/web_functions.inc.php";
-include_once __DIR__ . "/../includes/ldap_functions.inc.php";
-include_once __DIR__ . "/../includes/module_functions.inc.php";
+set_include_path( ".:" . __DIR__ . "/../includes/");
+
+include_once "web_functions.inc.php";
+include_once "ldap_functions.inc.php";
+include_once "module_functions.inc.php";
 set_page_access("admin");
 
 render_header("LDAP manager");
@@ -22,6 +24,7 @@ exit(0);
 }
 else {
  $group_cn =  (isset($_POST['group_name']) ? $_POST['group_name'] : $_GET['group_name']);
+ $group_cn = urldecode($group_cn);
 }
 
 if (!preg_match("/$USERNAME_REGEX/",$group_cn)) {
@@ -41,8 +44,8 @@ if (isset($_POST['new_group'])) {
 
 ######################################################################################
 
-
-$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", "cn=$group_cn");
+$ldap_search_query="cn=" . ldap_escape($group_cn, "", LDAP_ESCAPE_FILTER);
+$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
 $result = ldap_get_entries($ldap_connection, $ldap_search);
 
 $current_members = array();
@@ -260,7 +263,7 @@ ldap_close($ldap_connection);
          </button>
          <form id="group_members" action="<?php print $CURRENT_PAGE; ?>" method="post">
           <input type="hidden" name="update_members">
-          <input type="hidden" name="group_name" value="<?php print $group_cn; ?>">
+          <input type="hidden" name="group_name" value="<?php print urlencode($group_cn); ?>">
          </form>
          <button id="submit_members" class="btn btn-info" disabled type="submit" onclick="update_form_with_users()">Save</button>
         </div>
diff --git a/www/account_manager/show_user.php b/www/account_manager/show_user.php
index 6d94850..7d55f25 100644
--- a/www/account_manager/show_user.php
+++ b/www/account_manager/show_user.php
@@ -1,8 +1,10 @@
 <?php
 
-include_once __DIR__ . "/../includes/web_functions.inc.php";
-include_once __DIR__ . "/../includes/ldap_functions.inc.php";
-include_once __DIR__ . "/../includes/module_functions.inc.php";
+set_include_path( ".:" . __DIR__ . "/../includes/");
+
+include_once "web_functions.inc.php";
+include_once "ldap_functions.inc.php";
+include_once "module_functions.inc.php";
 set_page_access("admin");
 
 render_header();
@@ -37,20 +39,21 @@ exit(0);
 }
 else {
  $username =  (isset($_POST['username']) ? $_POST['username'] : $_GET['username']);
+ $username = urldecode($username);
 }
 
 if (!preg_match("/$USERNAME_REGEX/",$username)) {
 ?>
  <div class="alert alert-danger">
-  <p class="text-center">The username is invalid.</p>
+  <p class="text-center">The username <b><?php print "$username"; ?></b> is invalid.</p>
  </div>
 <?php
 render_footer();
 exit(0);
 }
 
-
-$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], "(${LDAP['account_attribute']}=$username)" );
+$ldap_search_query="(${LDAP['account_attribute']}=". ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ")";
+$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query);
 
  
 if ($ldap_search) {
@@ -325,7 +328,7 @@ if ($ldap_search) {
     <div class="panel-heading clearfix">
      <h3 class="panel-title pull-left" style="padding-top: 7.5px;"><?php print $user[0]['uid'][0]; ?></h3>
      <button class="btn btn-warning pull-right" onclick="show_delete_user_button();">Delete account</button>
-     <form action="/<?php print $THIS_MODULE_PATH; ?>/index.php" method="post"><input type="hidden" name="delete_user" value="<?php print $username; ?>"><button class="btn btn-danger pull-right invisible" id="delete_user">Confirm deletion</button></form>
+     <form action="/<?php print $THIS_MODULE_PATH; ?>/index.php" method="post"><input type="hidden" name="delete_user" value="<?php print urlencode($username); ?>"><button class="btn btn-danger pull-right invisible" id="delete_user">Confirm deletion</button></form>
     </div>
     <div class="panel-body">
      <form class="form-horizontal" action="" method="post">
diff --git a/www/change_password/index.php b/www/change_password/index.php
index f41901e..475bb32 100644
--- a/www/change_password/index.php
+++ b/www/change_password/index.php
@@ -1,7 +1,9 @@
 <?php
 
-include_once __DIR__ . "/../includes/web_functions.inc.php";
-include_once __DIR__ . "/../includes/ldap_functions.inc.php";
+set_include_path( ".:" . __DIR__ . "/../includes/");
+
+include_once "web_functions.inc.php";
+include_once "ldap_functions.inc.php";
 
 set_page_access("user");
 
diff --git a/www/includes/config.inc.php b/www/includes/config.inc.php
index 5da515d..3bf2f06 100644
--- a/www/includes/config.inc.php
+++ b/www/includes/config.inc.php
@@ -17,7 +17,7 @@
  $LDAP['group_membership_attribute'] = (getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') ? getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') : 'uniquemember');
  $LDAP['group_membership_uses_uid'] = ((strcmp(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID'),'TRUE') == 0) ? TRUE : FALSE);
 
- $LDAP['account_attribute'] = (getenv('LDAP_ACCOUNT_ATTRIBUTE') ? getenv('LDAP_ACCOUNT_ATTRIBUTE') : 'uid');
+ $LDAP['account_attribute'] = 'uid';
  $LDAP['require_starttls'] = ((strcmp(getenv('LDAP_REQUIRE_STARTTLS'),'TRUE') == 0) ? TRUE : FALSE);
 
  $DEFAULT_USER_GROUP = (getenv('DEFAULT_USER_GROUP') ? getenv('DEFAULT_USER_GROUP') : 'everybody');
diff --git a/www/includes/ldap_functions.inc.php b/www/includes/ldap_functions.inc.php
index eee19be..40d1365 100644
--- a/www/includes/ldap_functions.inc.php
+++ b/www/includes/ldap_functions.inc.php
@@ -1,14 +1,15 @@
 <?php
 
 $log_prefix = date('Y-m-d H:i:s') . " - LDAP manager - $USER_ID - ";
+$LDAP_CONNECTION_WARNING = FALSE;
 
 ###################################
 
 function open_ldap_connection() {
 
- global $log_prefix, $LDAP, $LDAP_CONNECTION_WARNING;
+ global $log_prefix, $LDAP, $SENT_HEADERS;
 
- $ldap_connection = ldap_connect($LDAP['uri']);
+ $ldap_connection = @ ldap_connect($LDAP['uri']);
 
  if (!$ldap_connection) {
   print "Problem: Can't connect to the LDAP server at ${LDAP['uri']}";
@@ -18,10 +19,9 @@ function open_ldap_connection() {
 
  ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
 
- 
  if (!preg_match("/^ldaps:/", $LDAP['uri'])) {
 
-  $tls_result = ldap_start_tls($ldap_connection);
+  $tls_result = @ ldap_start_tls($ldap_connection);
 
   if ($tls_result != TRUE) {
 
@@ -32,16 +32,17 @@ function open_ldap_connection() {
     exit(0);
    }
    else {
-    print "<div style='position: fixed;bottom: 0;width: 100%;' class='alert alert-warning'>WARNING: Insecure LDAP connection to ${LDAP['uri']}</div>";
-
+    if ($SENT_HEADERS == TRUE) {
+      print "<div style='position: fixed;bottom: 0px;width: 100%;height: 20px;border-bottom:solid 20px yellow;'>WARNING: Insecure LDAP connection to ${LDAP['uri']}</div>";
+    }
     ldap_close($ldap_connection);
-    $ldap_connection = ldap_connect($LDAP['uri']);
+    $ldap_connection = @ ldap_connect($LDAP['uri']);
     ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
    }
   }
  }
 
- $bind_result = ldap_bind( $ldap_connection, $LDAP['admin_bind_dn'], $LDAP['admin_bind_pwd']);
+ $bind_result = @ ldap_bind( $ldap_connection, $LDAP['admin_bind_dn'], $LDAP['admin_bind_pwd']);
 
  if ($bind_result != TRUE) {
   print "Problem: Failed to bind as ${LDAP['admin_bind_dn']}";
@@ -63,7 +64,8 @@ function ldap_auth_username($ldap_connection,$username, $password) {
 
  global $log_prefix, $LDAP;
 
- $ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], "${LDAP['account_attribute']}=${username}");
+ $ldap_search_query="${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);
+ $ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query );
 
  if (!$ldap_search) {
   error_log("$log_prefix Couldn't search for $username",0);
@@ -127,7 +129,8 @@ function ldap_get_user_list($ldap_connection,$start=0,$entries=NULL,$sort="asc",
 
  global $log_prefix, $LDAP;
 
- if (!isset($fields)) { $fields = array("uid", "givenname", "sn", "mail"); }
+ if (!isset($fields)) { $fields = array_unique( array("${LDAP['account_attribute']}", "givenname", "sn", "mail")); }
+
  if (!isset($sort_key)) { $sort_key = $LDAP['account_attribute']; }
 
  $ldap_search = ldap_search($ldap_connection, "${LDAP['user_dn']}", "(&(${LDAP['account_attribute']}=*)$filters)", $fields);
@@ -241,7 +244,8 @@ function ldap_get_group_members($ldap_connection,$group_name,$start=0,$entries=N
 
  global $log_prefix, $LDAP;
 
- $ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", "(cn=$group_name)", array($LDAP['group_membership_attribute']));
+ $ldap_search_query = "(cn=". ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
+ $ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query, array($LDAP['group_membership_attribute']));
 
  $result = ldap_get_entries($ldap_connection, $ldap_search);
 
@@ -267,7 +271,8 @@ function ldap_is_group_member($ldap_connection,$group_name,$username) {
 
  global $log_prefix, $LDAP;
 
- $ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", "(cn=$group_name)");
+ $ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
+ $ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
  $result = ldap_get_entries($ldap_connection, $ldap_search);
 
  if ($LDAP['group_membership_uses_uid'] == FALSE) {
@@ -292,7 +297,8 @@ function ldap_new_group($ldap_connection,$group_name) {
 
  if (isset($group_name)) {
 
-  $ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", "(cn=$group_name,${LDAP['group_dn']})");
+  $ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']})";
+  $ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
   $result = ldap_get_entries($ldap_connection, $ldap_search);
 
   if ($result['count'] == 0) {
@@ -343,7 +349,8 @@ function ldap_delete_group($ldap_connection,$group_name) {
 
  if (isset($group_name)) {
 
-  $delete = ldap_delete($ldap_connection, "cn=$group_name,${LDAP['group_dn']}");
+  $delete_query = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
+  $delete = ldap_delete($ldap_connection, $delete_query);
 
   if ($delete) {
    error_log("$log_prefix Deleted group $group_name",0);
@@ -367,7 +374,8 @@ function ldap_get_gid_of_group($ldap_connection,$group_name) {
 
  if (isset($group_name)) {
 
-  $ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", "(cn=$group_name)", array("gidNumber"));
+  $ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
+  $ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query , array("gidNumber"));
   $result = ldap_get_entries($ldap_connection, $ldap_search);
 
   if (isset($result[0]['gidnumber'][0]) and is_numeric($result[0]['gidnumber'][0])) {
@@ -389,7 +397,8 @@ function ldap_new_account($ldap_connection,$first_name,$last_name,$username,$pas
 
  if (isset($first_name) and isset($last_name) and isset($username) and isset($password)) {
 
-  $ldap_search = ldap_search($ldap_connection, "${LDAP['user_dn']}", "(${LDAP['account_attribute']}=$username,${LDAP['user_dn']})");
+  $ldap_search_query = "(${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ",${LDAP['user_dn']})";
+  $ldap_search = ldap_search($ldap_connection, "${LDAP['user_dn']}", $ldap_search_query);
   $result = ldap_get_entries($ldap_connection, $ldap_search);
 
   if ($result['count'] == 0) {
@@ -425,7 +434,7 @@ function ldap_new_account($ldap_connection,$first_name,$last_name,$username,$pas
                          'mail' => $email
                       );
 
-    $add_account = ldap_add($ldap_connection,
+      $add_account = ldap_add($ldap_connection,
                           "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}",
                           $user_info
                          );
@@ -471,7 +480,8 @@ function ldap_delete_account($ldap_connection,$username) {
 
  if (isset($username)) {
 
-  $delete = ldap_delete($ldap_connection, "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}");
+  $delete_query = "${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ",${LDAP['user_dn']}";
+  $delete = ldap_delete($ldap_connection, $delete_query);
 
   if ($delete) {
    error_log("$log_prefix Deleted account for $username",0);
@@ -493,7 +503,7 @@ function ldap_add_member_to_group($ldap_connection,$group_name,$username) {
 
   global $log_prefix, $LDAP;
 
-  $group_dn = "cn=${group_name},${LDAP['group_dn']}";
+  $group_dn = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
 
   if ($LDAP['group_membership_uses_uid'] == FALSE) {
    $username = "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}";
@@ -520,7 +530,7 @@ function ldap_delete_member_from_group($ldap_connection,$group_name,$username) {
 
   global $log_prefix, $LDAP;
 
-  $group_dn = "cn=${group_name},${LDAP['group_dn']}";
+  $group_dn = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
 
   if ($LDAP['group_membership_uses_uid'] == FALSE) {
    $username = "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}";
@@ -549,7 +559,8 @@ function ldap_change_password($ldap_connection,$username,$new_password) {
 
  #Find DN of user
 
- $ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], "${LDAP['account_attribute']}=${username}");
+ $ldap_search_query = "${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);
+ $ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query);
  if ($ldap_search) {
   $result = ldap_get_entries($ldap_connection, $ldap_search);
   if ($result["count"] == 1) {
diff --git a/www/includes/web_functions.inc.php b/www/includes/web_functions.inc.php
index 81428b9..bb5b18c 100644
--- a/www/includes/web_functions.inc.php
+++ b/www/includes/web_functions.inc.php
@@ -8,6 +8,7 @@ $IS_SETUP_ADMIN = FALSE;
 $ACCESS_LEVEL_NAME = array('account','admin');
 unset($USER_ID);
 $CURRENT_PAGE=htmlentities($_SERVER['PHP_SELF']);
+$SENT_HEADERS = FALSE;
 
 $paths=explode('/',getcwd());
 $THIS_MODULE_PATH=end($paths);
@@ -69,7 +70,7 @@ function validate_passkey_cookie() {
 
   list($user_id,$c_passkey) = explode(":",$_COOKIE['orf_cookie']);
   $filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id);
-  $session_file = file_get_contents("/tmp/$filename");
+  $session_file = @ file_get_contents("/tmp/$filename");
   if (!$session_file) {
    $VALIDATED = FALSE;
    unset($USER_ID);
@@ -156,7 +157,7 @@ function log_out($method='normal') {
 
 function render_header($title="",$menu=TRUE) {
 
- global $SITE_NAME, $IS_ADMIN, $LDAP_CONNECTION_WARNING;
+ global $SITE_NAME, $IS_ADMIN, $SENT_HEADERS;
 
  if (empty($title)) { $title = $SITE_NAME; }
 
@@ -179,6 +180,8 @@ function render_header($title="",$menu=TRUE) {
   render_menu();
  }
 
+ $SENT_HEADERS = TRUE;
+
 }
 
 
diff --git a/www/index.php b/www/index.php
index bd8944b..51228ea 100644
--- a/www/index.php
+++ b/www/index.php
@@ -1,6 +1,8 @@
 <?php
 
-include_once __DIR__ . "/includes/web_functions.inc.php";
+set_include_path( __DIR__ . "/includes/");
+include_once "web_functions.inc.php";
+
 render_header();
 
  if (isset($_GET['logged_out'])) {
diff --git a/www/log_in/index.php b/www/log_in/index.php
index d1cb154..853c365 100644
--- a/www/log_in/index.php
+++ b/www/log_in/index.php
@@ -1,7 +1,9 @@
 <?php
 
-include __DIR__ . "/../includes/web_functions.inc.php";
-include __DIR__ . "/../includes/ldap_functions.inc.php";
+set_include_path( ".:" . __DIR__ . "/../includes/");
+
+include "web_functions.inc.php";
+include "ldap_functions.inc.php";
 
 if (isset($_POST["user_id"]) and isset($_POST["password"])) {
 
diff --git a/www/log_out/index.php b/www/log_out/index.php
index 8b9e839..e77dfd9 100644
--- a/www/log_out/index.php
+++ b/www/log_out/index.php
@@ -1,4 +1,5 @@
 <?php
-include __DIR__ . "/../includes/web_functions.inc.php";
+set_include_path( ".:" . __DIR__ . "/../includes/");
+include_once "web_functions.inc.php";
 log_out();
 ?>
diff --git a/www/setup/index.php b/www/setup/index.php
index ae115aa..c4d9a21 100644
--- a/www/setup/index.php
+++ b/www/setup/index.php
@@ -1,7 +1,9 @@
 <?php
 
-include __DIR__ . "/../includes/web_functions.inc.php";
-include __DIR__ . "/../includes/ldap_functions.inc.php";
+set_include_path( ".:" . __DIR__ . "/../includes/");
+
+include_once "web_functions.inc.php";
+include_once "ldap_functions.inc.php";
 
 if (isset($_POST["admin_password"])) {
 
diff --git a/www/setup/run_checks.php b/www/setup/run_checks.php
index 7ff8850..3de2817 100644
--- a/www/setup/run_checks.php
+++ b/www/setup/run_checks.php
@@ -1,8 +1,10 @@
 <?php 
 
-include_once __DIR__ . "/../includes/web_functions.inc.php";
-include_once __DIR__ . "/../includes/ldap_functions.inc.php";
-include_once __DIR__ . "/../includes/module_functions.inc.php";
+set_include_path( ".:" . __DIR__ . "/../includes/");
+
+include_once "web_functions.inc.php";
+include_once "ldap_functions.inc.php";
+include_once "module_functions.inc.php";
 
 validate_setup_cookie();
 set_page_access("setup");
diff --git a/www/setup/setup_ldap.php b/www/setup/setup_ldap.php
index 0bc38b5..63da182 100644
--- a/www/setup/setup_ldap.php
+++ b/www/setup/setup_ldap.php
@@ -1,8 +1,10 @@
 <?php
 
-include_once __DIR__ . "/../includes/web_functions.inc.php";
-include_once __DIR__ . "/../includes/ldap_functions.inc.php";
-include_once __DIR__ . "/../includes/module_functions.inc.php";
+set_include_path( ".:" . __DIR__ . "/../includes/");
+
+include_once "web_functions.inc.php";
+include_once "ldap_functions.inc.php";
+include_once "module_functions.inc.php";
 
 validate_setup_cookie();
 set_page_access("setup");