Code tidy, encode URLs and add no-https option

Brian Lycett 2020-01-10 12:01:31 +00:00
parent c3244bdd7f
commit 495d31521a
18 changed files with 212 additions and 153 deletions


@ -1,18 +1,18 @@
FROM php:7.0-apache FROM php:7.0-apache
COPY www/ /opt/ldap_user_manager
COPY entrypoint /usr/local/bin/entrypoint
RUN apt-get update && apt-get install -y --no-install-recommends libldb-dev libldap2-dev && rm -rf /var/lib/apt/lists/* && ln -s /usr/lib/x86_64-linux-gnu/libldap.so /usr/lib/libldap.so \ RUN apt-get update && apt-get install -y --no-install-recommends libldb-dev libldap2-dev && rm -rf /var/lib/apt/lists/* && ln -s /usr/lib/x86_64-linux-gnu/libldap.so /usr/lib/libldap.so \
&& ln -s /usr/lib/x86_64-linux-gnu/liblber.so /usr/lib/liblber.so && ln -s /usr/lib/x86_64-linux-gnu/liblber.so /usr/lib/liblber.so
RUN docker-php-source extract && docker-php-ext-install -j$(nproc) ldap && docker-php-source delete RUN docker-php-source extract && docker-php-ext-install -j$(nproc) ldap && docker-php-source delete
RUN chmod a+x /usr/local/bin/entrypoint
RUN a2enmod rewrite ssl RUN a2enmod rewrite ssl
RUN a2dissite 000-default default-ssl RUN a2dissite 000-default default-ssl
EXPOSE 80 EXPOSE 80
EXPOSE 443 EXPOSE 443
COPY www/ /opt/ldap_user_manager
COPY entrypoint /usr/local/bin/entrypoint
RUN chmod a+x /usr/local/bin/entrypoint
CMD ["apache2-foreground"] CMD ["apache2-foreground"]
ENTRYPOINT ["/usr/local/bin/entrypoint"] ENTRYPOINT ["/usr/local/bin/entrypoint"]


@ -47,7 +47,7 @@ docker run \
-e "SERVER_HOSTNAME=lum.example.com" \ -e "SERVER_HOSTNAME=lum.example.com" \
-e "LDAP_URI=ldap://ldap.example.com" \ -e "LDAP_URI=ldap://ldap.example.com" \
-e "LDAP_BASE_DN=dc=example,dc=com" \ -e "LDAP_BASE_DN=dc=example,dc=com" \
-e "LDAP_STARTTLS=TRUE" \ -e "LDAP_REQUIRE_STARTTLS=TRUE" \
-e "LDAP_ADMINS_GROUP=admins" \ -e "LDAP_ADMINS_GROUP=admins" \
-e "LDAP_ADMIN_BIND_DN=cn=admin,dc=example,dc=com" \ -e "LDAP_ADMIN_BIND_DN=cn=admin,dc=example,dc=com" \
-e "LDAP_ADMIN_BIND_PWD=secret"\ -e "LDAP_ADMIN_BIND_PWD=secret"\
@ -78,6 +78,7 @@ Optional:
---- ----
* `SERVER_HOSTNAME` (default: *example.com*): The hostname that this interface will be served from. * `SERVER_HOSTNAME` (default: *example.com*): The hostname that this interface will be served from.
* `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption. This is insecure and should only be used for testing.
* `LDAP_USER_OU` (default: *people*): The name of the OU used to store user accounts (without the base DN appended). * `LDAP_USER_OU` (default: *people*): The name of the OU used to store user accounts (without the base DN appended).
@ -85,8 +86,6 @@ Optional:
* `LDAP_GROUP_MEMBERSHIP_ATTRIBUTE` (default: *uniqueMember*): The attribute used when adding a user to a group. * `LDAP_GROUP_MEMBERSHIP_ATTRIBUTE` (default: *uniqueMember*): The attribute used when adding a user to a group.
* `LDAP_GROUP_MEMBERSHIP_USES_UID`(default: *FALSE*): If *TRUE* then the entry for a member of a group will be just the username. Otherwise it's the member's full DN. * `LDAP_GROUP_MEMBERSHIP_USES_UID`(default: *FALSE*): If *TRUE* then the entry for a member of a group will be just the username. Otherwise it's the member's full DN.
* `LDAP_ACCOUNT_ATTRIBUTE` (default: *uid*): The attribute used to identify account usernames.
* `LDAP_REQUIRE_STARTTLS` (default: *TRUE*): If *TRUE* then a TLS connection is required for this interface to work. If set to *FALSE* then the interface will work without STARTTLS, but a warning will be displayed on the page. * `LDAP_REQUIRE_STARTTLS` (default: *TRUE*): If *TRUE* then a TLS connection is required for this interface to work. If set to *FALSE* then the interface will work without STARTTLS, but a warning will be displayed on the page.
* `LDAP_TLS_CACERT` (no default): If you need to use a specific CA certificate for TLS connections to the LDAP server (when `LDAP_REQUIRE_STARTTLS` is set) then assign the contents of the CA certificate to this variable. e.g. `-e LDAP_TLS_CERT=$(</path/to/ca.crt)` * `LDAP_TLS_CACERT` (no default): If you need to use a specific CA certificate for TLS connections to the LDAP server (when `LDAP_REQUIRE_STARTTLS` is set) then assign the contents of the CA certificate to this variable. e.g. `-e LDAP_TLS_CERT=$(</path/to/ca.crt)`
@ -106,8 +105,7 @@ Optional:
Webserver SSL setup Webserver SSL setup
--- ---
The webserver (Apache HTTPD) expects to find `/opt/ssl/server.key` and `/opt/ssl/server.crt`, and these certificates should match `SERVER_HOSTNAME`. When `NO_HTTPS` is set to **false** (the default), the webserver (Apache HTTPD) expects to find `/opt/ssl/server.key` and `/opt/ssl/server.crt`, and these certificates should match `SERVER_HOSTNAME`. If these files aren't found then the startup script will create self-signed certificates based on `SERVER_HOSTNAME`. To use your own key and certificate then you need to bind-mount a directory containing them to `/opt/ssl`. The script will also look for `/opt/ssl/chain.pem` if you need to add a certificate chain file (the Apache `SSLCertificateChainFile` option).
If those files aren't found then the startup script will create self-signed certificates based on `SERVER_HOSTNAME`. To use your own key and certificate then you need to bind-mount a directory containing them to `/opt/ssl`. The script will also look for `/opt/ssl/chain.pem` if you need to add a certificate chain file (the Apache `SSLCertificateChainFile` option).
e.g.: e.g.:
``` ```
@ -152,5 +150,5 @@ If `EMAIL_DOMAIN` is set then the email address field will be automatically upda
Details on accounts and groups Details on accounts and groups
--- ---
This interface will create POSIX user accounts and groups, which allows you to use your LDAP directory for Linux/Unix accounts. This interface will create POSIX user accounts and groups, which allows you to use your LDAP directory for Linux/Unix accounts. The accounts created use `person`, `inetOrgPerson` & `posixAccount` objectClasses. Usernames are defined via the `uid` attribute and groups are created as with `posixGroup` and `groupOfUniqueNames` objectClasses (the latter in case you want to use the `memberOf` LDAP module).
Groups are also created as a `groupOfUniqueNames` type in case you want to use the `memberOf` LDAP module.


@ -5,7 +5,6 @@ ssl_dir="/opt/ssl"
if [ ! "$SERVER_HOSTNAME" ]; then export SERVER_HOSTNAME=example.com; fi if [ ! "$SERVER_HOSTNAME" ]; then export SERVER_HOSTNAME=example.com; fi
#If LDAP_TLS_CACERT is set then write it out as a file #If LDAP_TLS_CACERT is set then write it out as a file
#and set up the LDAP client conf to use it. #and set up the LDAP client conf to use it.
@ -15,79 +14,99 @@ if [ "$LDAP_TLS_CACERT" ]; then
fi fi
######################## if [ "$NO_HTTPS" = "TRUE" ]; then
#If there aren't any SSL certs then create a CA and then CA-signed certificate
if [ ! -f "${ssl_dir}/server.key" ] && [ ! -f "${ssl_dir}/server.crt" ]; then cat <<EoHTTPC >/etc/apache2/sites-enabled/lum.conf
mkdir -p $ssl_dir <VirtualHost *:80>
confout="${ssl_dir}/conf"
keyout="${ssl_dir}/server.key"
certout="${ssl_dir}/server.crt"
cakey="${ssl_dir}/ca.key"
cacert="${ssl_dir}/ca.crt"
serialfile="${ssl_dir}/serial"
echo "Generating CA key" ServerName $SERVER_HOSTNAME
openssl genrsa -out $cakey 2048 DocumentRoot /opt/ldap_user_manager
if [ $? -ne 0 ]; then exit 1 ; fi
echo "Generating CA certificate" DirectoryIndex index.php index.html
openssl req \
-x509 \
-new \
-nodes \
-subj "/C=GB/ST=GB/L=GB/O=CA/OU=CA/CN=Wheelybird" \
-key $cakey \
-sha256 \
-days 7300 \
-out $cacert
if [ $? -ne 0 ]; then exit 1 ; fi
echo "Generating openssl configuration" <Directory /opt/ldap_user_manager>
Require all granted
</Directory>
cat <<EoCertConf>$confout </VirtualHost>
EoHTTPC
else
########################
#If there aren't any SSL certs then create a CA and then CA-signed certificate
if [ ! -f "${ssl_dir}/server.key" ] && [ ! -f "${ssl_dir}/server.crt" ]; then
mkdir -p $ssl_dir
confout="${ssl_dir}/conf"
keyout="${ssl_dir}/server.key"
certout="${ssl_dir}/server.crt"
cakey="${ssl_dir}/ca.key"
cacert="${ssl_dir}/ca.crt"
serialfile="${ssl_dir}/serial"
echo "Generating CA key"
openssl genrsa -out $cakey 2048
if [ $? -ne 0 ]; then exit 1 ; fi
echo "Generating CA certificate"
openssl req \
-x509 \
-new \
-nodes \
-subj "/C=GB/ST=GB/L=GB/O=CA/OU=CA/CN=Wheelybird" \
-key $cakey \
-sha256 \
-days 7300 \
-out $cacert
if [ $? -ne 0 ]; then exit 1 ; fi
echo "Generating openssl configuration"
cat <<EoCertConf>$confout
subjectAltName = DNS:${SERVER_HOSTNAME},IP:127.0.0.1 subjectAltName = DNS:${SERVER_HOSTNAME},IP:127.0.0.1
extendedKeyUsage = serverAuth extendedKeyUsage = serverAuth
EoCertConf EoCertConf
echo "Generating server key..." echo "Generating server key..."
openssl genrsa -out $keyout 2048 openssl genrsa -out $keyout 2048
if [ $? -ne 0 ]; then exit 1 ; fi if [ $? -ne 0 ]; then exit 1 ; fi
echo "Generating server signing request..." echo "Generating server signing request..."
openssl req \ openssl req \
-subj "/CN=${SERVER_HOSTNAME}" \ -subj "/CN=${SERVER_HOSTNAME}" \
-sha256 \ -sha256 \
-new \ -new \
-key $keyout \ -key $keyout \
-out /tmp/server.csr -out /tmp/server.csr
if [ $? -ne 0 ]; then exit 1 ; fi if [ $? -ne 0 ]; then exit 1 ; fi
echo "Generating server cert..." echo "Generating server cert..."
openssl x509 \ openssl x509 \
-req \ -req \
-days 7300 \ -days 7300 \
-sha256 \ -sha256 \
-in /tmp/server.csr \ -in /tmp/server.csr \
-CA $cacert \ -CA $cacert \
-CAkey $cakey \ -CAkey $cakey \
-CAcreateserial \ -CAcreateserial \
-CAserial $serialfile \ -CAserial $serialfile \
-out $certout \ -out $certout \
-extfile $confout -extfile $confout
if [ $? -ne 0 ]; then exit 1 ; fi if [ $? -ne 0 ]; then exit 1 ; fi
fi fi
######################## ########################
#Create Apache config #Create Apache config
if [ -f "/opt/tls/chain.pem" ]; then $ssl_chain="SSLCertificateChainFile /opt/tls/chain.pem"; fi
if [ -f "/opt/tls/chain.pem" ]; then $ssl_chain="SSLCertificateChainFile /opt/tls/chain.pem"; fi cat <<EoHTTPSC >/etc/apache2/sites-enabled/lum.conf
cat <<EoC >/etc/apache2/sites-enabled/lum.conf
Listen 443 Listen 443
@ -114,11 +133,10 @@ Listen 443
SSLCertificateKeyFile /opt/ssl/server.key SSLCertificateKeyFile /opt/ssl/server.key
$ssl_chain $ssl_chain
php_value include_path "/opt/ldap_user_manager/includes"
</VirtualHost> </VirtualHost>
EoC EoHTTPSC
fi
######################## ########################
#Run Apache #Run Apache
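Review bot: The chain-file test that now precedes `cat <<EoHTTPSC` still reads `$ssl_chain="SSLCertificateChainFile /opt/tls/chain.pem"`; with the leading `$` the shell expands the (empty) variable and tries to execute the resulting word rather than assigning, so `$ssl_chain` inside the HTTPS vhost heredoc is always empty and a chain file is never configured. It also looks under `/opt/tls`, while `ssl_dir` is `/opt/ssl` and the README hunk in this same commit documents `/opt/ssl/chain.pem`. Suggest `if [ -f "${ssl_dir}/chain.pem" ]; then ssl_chain="SSLCertificateChainFile ${ssl_dir}/chain.pem"; fi`; the bare `mkdir -p $ssl_dir` a few lines above would also be safer quoted. The `NO_HTTPS` `if`/`else` opened at the top of this hunk is closed by the `fi` in the next hunk, so the HTTP-only branch and the cert-generation branch are the two arms of that one conditional.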


@ -1,8 +1,10 @@
<?php <?php
include_once __DIR__ . "/../includes/web_functions.inc.php"; set_include_path( ".:" . __DIR__ . "/../includes/");
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
include_once __DIR__ . "/../includes/module_functions.inc.php"; include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
include_once "module_functions.inc.php";
set_page_access("admin"); set_page_access("admin");
render_header("LDAP manager"); render_header("LDAP manager");
@ -21,6 +23,8 @@ if (isset($_POST['delete_group'])) {
<?php <?php
$this_group = $_POST['delete_group']; $this_group = $_POST['delete_group'];
$this_group = urldecode($this_group);
if (preg_match("/$USERNAME_REGEX/",$this_group)) { if (preg_match("/$USERNAME_REGEX/",$this_group)) {
$del_group = ldap_delete_group($ldap_connection,$this_group); $del_group = ldap_delete_group($ldap_connection,$this_group);
@ -84,7 +88,7 @@ render_js_username_check();
<tbody> <tbody>
<?php <?php
foreach ($groups as $group){ foreach ($groups as $group){
print " <tr>\n <td><a href='/$THIS_MODULE_PATH/show_group.php?group_name=$group'>$group</a></td>\n </tr>\n"; print " <tr>\n <td><a href='/$THIS_MODULE_PATH/show_group.php?group_name=" . urlencode($group) . "'>$group</a></td>\n </tr>\n";
} }
?> ?>
</tbody> </tbody>
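Review bot: In the new `print` inside the `foreach`, only the query string is `urlencode()`d — the link text `$group` is still interpolated into the HTML unescaped, so the line wants `"'>" . htmlspecialchars($group) . "</a></td>\n </tr>\n"` rather than `'>$group</a>`. The `urldecode($this_group)` added after `$this_group = $_POST['delete_group']` decodes a value PHP has already decoded when populating `$_POST`; it only round-trips because the hidden `delete_group` form field elsewhere is written with `urlencode()` instead of the attribute-level `htmlspecialchars()`, and the `$USERNAME_REGEX` check that follows is what actually limits what reaches `ldap_delete_group()`. The same two patterns appear in the user-list section below (`urldecode($this_user)` and the `show_user.php` link text), in the `group_name` section (`urldecode($group_cn)` and the hidden `group_name` value) and in the `show_user.php` section (`urldecode($username)` and the hidden `delete_user` value).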


@ -1,8 +1,10 @@
<?php <?php
include_once __DIR__ . "/../includes/web_functions.inc.php"; set_include_path( ".:" . __DIR__ . "/../includes/");
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
include_once __DIR__ . "/../includes/module_functions.inc.php"; include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
include_once "module_functions.inc.php";
set_page_access("admin"); set_page_access("admin");
render_header("LDAP manager"); render_header("LDAP manager");
@ -21,6 +23,8 @@ if (isset($_POST['delete_user'])) {
<?php <?php
$this_user = $_POST['delete_user']; $this_user = $_POST['delete_user'];
$this_user = urldecode($this_user);
if (preg_match("/$USERNAME_REGEX/",$this_user)) { if (preg_match("/$USERNAME_REGEX/",$this_user)) {
$del_user = ldap_delete_account($ldap_connection,$this_user); $del_user = ldap_delete_account($ldap_connection,$this_user);
@ -65,7 +69,7 @@ ldap_close($ldap_connection);
<tbody> <tbody>
<?php <?php
foreach ($people as $username => $attribs){ foreach ($people as $username => $attribs){
print " <tr>\n <td><a href='/$THIS_MODULE_PATH/show_user.php?username=$username'>$username</a></td>\n"; print " <tr>\n <td><a href='/$THIS_MODULE_PATH/show_user.php?username=" . urlencode($username) . "'>$username</a></td>\n";
print " <td>" . $people[$username]['givenname'] . "</td>\n"; print " <td>" . $people[$username]['givenname'] . "</td>\n";
print " <td>" . $people[$username]['sn'] . "</td>\n"; print " <td>" . $people[$username]['sn'] . "</td>\n";
print " <td>" . $people[$username]['mail'] . "</td>\n"; print " <td>" . $people[$username]['mail'] . "</td>\n";


@ -1,8 +1,10 @@
<?php <?php
include_once __DIR__ . "/../includes/web_functions.inc.php"; set_include_path( ".:" . __DIR__ . "/../includes/");
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
include_once __DIR__ . "/../includes/module_functions.inc.php"; include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
include_once "module_functions.inc.php";
if ( $_POST['setup_admin_account'] ) { if ( $_POST['setup_admin_account'] ) {
$admin_setup = TRUE; $admin_setup = TRUE;
@ -180,7 +182,7 @@ render_js_email_generator('username','email');
</script> </script>
<div class="container"> <div class="container">
<div class="col-sm-7"> <div class="col-sm-8">
<div class="panel panel-default"> <div class="panel panel-default">
<div class="panel-heading text-center"><?php print $page_title; ?></div> <div class="panel-heading text-center"><?php print $page_title; ?></div>
@ -193,35 +195,35 @@ render_js_email_generator('username','email');
<input type="hidden" id="pass_score" value="0" name="pass_score"> <input type="hidden" id="pass_score" value="0" name="pass_score">
<div class="form-group"> <div class="form-group">
<label for="first_name" class="col-sm-2 control-label">First name</label> <label for="first_name" class="col-sm-3 control-label">First name</label>
<div class="col-sm-6"> <div class="col-sm-6">
<input type="text" class="form-control" id="first_name" name="first_name" <?php if (isset($first_name)){ print " value='$first_name'"; } ?> onkeyup="update_username(); update_email();"> <input type="text" class="form-control" id="first_name" name="first_name" <?php if (isset($first_name)){ print " value='$first_name'"; } ?> onkeyup="update_username(); update_email();">
</div> </div>
</div> </div>
<div class="form-group"> <div class="form-group">
<label for="last_name" class="col-sm-2 control-label">Last name</label> <label for="last_name" class="col-sm-3 control-label">Last name</label>
<div class="col-sm-6"> <div class="col-sm-6">
<input type="text" class="form-control" id="last_name" name="last_name" <?php if (isset($last_name)){ print " value='$last_name'"; } ?> onkeyup="update_username(); update_email();"> <input type="text" class="form-control" id="last_name" name="last_name" <?php if (isset($last_name)){ print " value='$last_name'"; } ?> onkeyup="update_username(); update_email();">
</div> </div>
</div> </div>
<div class="form-group" id="username_div"> <div class="form-group" id="username_div">
<label for="username" class="col-sm-2 control-label">Username</label> <label for="username" class="col-sm-3 control-label">Username</label>
<div class="col-sm-6"> <div class="col-sm-6">
<input type="text" class="form-control" id="username" name="username" <?php if (isset($username)){ print " value='$username'"; } ?> onkeyup="check_username_validity(document.getElementById('username').value); update_email();"> <input type="text" class="form-control" id="username" name="username" <?php if (isset($username)){ print " value='$username'"; } ?> onkeyup="check_username_validity(document.getElementById('username').value); update_email();">
</div> </div>
</div> </div>
<div class="form-group" id="email_div"> <div class="form-group" id="email_div">
<label for="username" class="col-sm-2 control-label">Email</label> <label for="username" class="col-sm-3 control-label">Email</label>
<div class="col-sm-6"> <div class="col-sm-6">
<input type="text" class="form-control" id="email" name="email" <?php if (isset($email)){ print " value='$email'"; } ?> onkeyup="auto_email_update = false;"> <input type="text" class="form-control" id="email" name="email" <?php if (isset($email)){ print " value='$email'"; } ?> onkeyup="auto_email_update = false;">
</div> </div>
</div> </div>
<div class="form-group" id="password_div"> <div class="form-group" id="password_div">
<label for="password" class="col-sm-2 control-label">Password</label> <label for="password" class="col-sm-3 control-label">Password</label>
<div class="col-sm-6"> <div class="col-sm-6">
<input type="text" class="form-control" id="password" name="password" onkeyup="back_to_hidden('password','confirm');"> <input type="text" class="form-control" id="password" name="password" onkeyup="back_to_hidden('password','confirm');">
</div> </div>
@ -231,7 +233,7 @@ render_js_email_generator('username','email');
</div> </div>
<div class="form-group" id="confirm_div"> <div class="form-group" id="confirm_div">
<label for="confirm" class="col-sm-2 control-label">Confirm</label> <label for="confirm" class="col-sm-3 control-label">Confirm</label>
<div class="col-sm-6"> <div class="col-sm-6">
<input type="password" class="form-control" id="confirm" name="password_match" onkeyup="check_passwords_match()"> <input type="password" class="form-control" id="confirm" name="password_match" onkeyup="check_passwords_match()">
</div> </div>


@ -1,8 +1,10 @@
<?php <?php
include_once __DIR__ . "/../includes/web_functions.inc.php"; set_include_path( ".:" . __DIR__ . "/../includes/");
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
include_once __DIR__ . "/../includes/module_functions.inc.php"; include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
include_once "module_functions.inc.php";
set_page_access("admin"); set_page_access("admin");
render_header("LDAP manager"); render_header("LDAP manager");
@ -22,6 +24,7 @@ exit(0);
} }
else { else {
$group_cn = (isset($_POST['group_name']) ? $_POST['group_name'] : $_GET['group_name']); $group_cn = (isset($_POST['group_name']) ? $_POST['group_name'] : $_GET['group_name']);
$group_cn = urldecode($group_cn);
} }
if (!preg_match("/$USERNAME_REGEX/",$group_cn)) { if (!preg_match("/$USERNAME_REGEX/",$group_cn)) {
@ -41,8 +44,8 @@ if (isset($_POST['new_group'])) {
###################################################################################### ######################################################################################
$ldap_search_query="cn=" . ldap_escape($group_cn, "", LDAP_ESCAPE_FILTER);
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", "cn=$group_cn"); $ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
$result = ldap_get_entries($ldap_connection, $ldap_search); $result = ldap_get_entries($ldap_connection, $ldap_search);
$current_members = array(); $current_members = array();
@ -260,7 +263,7 @@ ldap_close($ldap_connection);
</button> </button>
<form id="group_members" action="<?php print $CURRENT_PAGE; ?>" method="post"> <form id="group_members" action="<?php print $CURRENT_PAGE; ?>" method="post">
<input type="hidden" name="update_members"> <input type="hidden" name="update_members">
<input type="hidden" name="group_name" value="<?php print $group_cn; ?>"> <input type="hidden" name="group_name" value="<?php print urlencode($group_cn); ?>">
</form> </form>
<button id="submit_members" class="btn btn-info" disabled type="submit" onclick="update_form_with_users()">Save</button> <button id="submit_members" class="btn btn-info" disabled type="submit" onclick="update_form_with_users()">Save</button>
</div> </div>


@ -1,8 +1,10 @@
<?php <?php
include_once __DIR__ . "/../includes/web_functions.inc.php"; set_include_path( ".:" . __DIR__ . "/../includes/");
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
include_once __DIR__ . "/../includes/module_functions.inc.php"; include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
include_once "module_functions.inc.php";
set_page_access("admin"); set_page_access("admin");
render_header(); render_header();
@ -37,20 +39,21 @@ exit(0);
} }
else { else {
$username = (isset($_POST['username']) ? $_POST['username'] : $_GET['username']); $username = (isset($_POST['username']) ? $_POST['username'] : $_GET['username']);
$username = urldecode($username);
} }
if (!preg_match("/$USERNAME_REGEX/",$username)) { if (!preg_match("/$USERNAME_REGEX/",$username)) {
?> ?>
<div class="alert alert-danger"> <div class="alert alert-danger">
<p class="text-center">The username is invalid.</p> <p class="text-center">The username <b><?php print "$username"; ?></b> is invalid.</p>
</div> </div>
<?php <?php
render_footer(); render_footer();
exit(0); exit(0);
} }
$ldap_search_query="(${LDAP['account_attribute']}=". ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], "(${LDAP['account_attribute']}=$username)" ); $ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query);
if ($ldap_search) { if ($ldap_search) {
@ -325,7 +328,7 @@ if ($ldap_search) {
<div class="panel-heading clearfix"> <div class="panel-heading clearfix">
<h3 class="panel-title pull-left" style="padding-top: 7.5px;"><?php print $user[0]['uid'][0]; ?></h3> <h3 class="panel-title pull-left" style="padding-top: 7.5px;"><?php print $user[0]['uid'][0]; ?></h3>
<button class="btn btn-warning pull-right" onclick="show_delete_user_button();">Delete account</button> <button class="btn btn-warning pull-right" onclick="show_delete_user_button();">Delete account</button>
<form action="/<?php print $THIS_MODULE_PATH; ?>/index.php" method="post"><input type="hidden" name="delete_user" value="<?php print $username; ?>"><button class="btn btn-danger pull-right invisible" id="delete_user">Confirm deletion</button></form> <form action="/<?php print $THIS_MODULE_PATH; ?>/index.php" method="post"><input type="hidden" name="delete_user" value="<?php print urlencode($username); ?>"><button class="btn btn-danger pull-right invisible" id="delete_user">Confirm deletion</button></form>
</div> </div>
<div class="panel-body"> <div class="panel-body">
<form class="form-horizontal" action="" method="post"> <form class="form-horizontal" action="" method="post">
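Review bot: The new error markup `<b><?php print "$username"; ?></b>` prints the value exactly when it has just failed the `$USERNAME_REGEX` check — that is, when it may contain arbitrary characters from `$_GET['username']` or `$_POST['username']` — and writes it into the page without HTML escaping, so this hunk introduces a reflected-output point in the invalid-username branch. Use `<?php print htmlspecialchars($username); ?>` there (the `"$username"` quoting is redundant as well). The `urldecode($username)` added above it decodes request data that PHP has already decoded once, and the hidden `delete_user` value in the later hunk should be `htmlspecialchars()` rather than `urlencode()`. The `$ldap_search_query` line in this hunk correctly uses `LDAP_ESCAPE_FILTER`, since that string is a search filter rather than a DN.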


@ -1,7 +1,9 @@
<?php <?php
include_once __DIR__ . "/../includes/web_functions.inc.php"; set_include_path( ".:" . __DIR__ . "/../includes/");
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
set_page_access("user"); set_page_access("user");


@ -17,7 +17,7 @@
$LDAP['group_membership_attribute'] = (getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') ? getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') : 'uniquemember'); $LDAP['group_membership_attribute'] = (getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') ? getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') : 'uniquemember');
$LDAP['group_membership_uses_uid'] = ((strcmp(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID'),'TRUE') == 0) ? TRUE : FALSE); $LDAP['group_membership_uses_uid'] = ((strcmp(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID'),'TRUE') == 0) ? TRUE : FALSE);
$LDAP['account_attribute'] = (getenv('LDAP_ACCOUNT_ATTRIBUTE') ? getenv('LDAP_ACCOUNT_ATTRIBUTE') : 'uid'); $LDAP['account_attribute'] = 'uid';
$LDAP['require_starttls'] = ((strcmp(getenv('LDAP_REQUIRE_STARTTLS'),'TRUE') == 0) ? TRUE : FALSE); $LDAP['require_starttls'] = ((strcmp(getenv('LDAP_REQUIRE_STARTTLS'),'TRUE') == 0) ? TRUE : FALSE);
$DEFAULT_USER_GROUP = (getenv('DEFAULT_USER_GROUP') ? getenv('DEFAULT_USER_GROUP') : 'everybody'); $DEFAULT_USER_GROUP = (getenv('DEFAULT_USER_GROUP') ? getenv('DEFAULT_USER_GROUP') : 'everybody');
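Review bot: The `require_starttls` line directly below the changed `account_attribute` assignment evaluates to FALSE when `LDAP_REQUIRE_STARTTLS` is unset, because `getenv()` returns false and `strcmp(false, 'TRUE')` is non-zero, whereas the README hunk in this commit documents the default as *TRUE*; unless the entrypoint (whose first lines are outside this view) exports a default, an unconfigured deployment takes the warning-and-reconnect branch in `open_ldap_connection()` instead of refusing the plaintext connection. Suggest `$LDAP['require_starttls'] = ((getenv('LDAP_REQUIRE_STARTTLS') === FALSE || strcmp(getenv('LDAP_REQUIRE_STARTTLS'),'TRUE') == 0) ? TRUE : FALSE);` so that only an explicit non-TRUE value disables the requirement. Hard-coding `account_attribute` to `'uid'` is consistent with the README hunk that drops `LDAP_ACCOUNT_ATTRIBUTE`, but a one-line comment saying the attribute is fixed because the account-list code assumes `uid` would help the next reader.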


@ -1,14 +1,15 @@
<?php <?php
$log_prefix = date('Y-m-d H:i:s') . " - LDAP manager - $USER_ID - "; $log_prefix = date('Y-m-d H:i:s') . " - LDAP manager - $USER_ID - ";
$LDAP_CONNECTION_WARNING = FALSE;
################################### ###################################
function open_ldap_connection() { function open_ldap_connection() {
global $log_prefix, $LDAP, $LDAP_CONNECTION_WARNING; global $log_prefix, $LDAP, $SENT_HEADERS;
$ldap_connection = ldap_connect($LDAP['uri']); $ldap_connection = @ ldap_connect($LDAP['uri']);
if (!$ldap_connection) { if (!$ldap_connection) {
print "Problem: Can't connect to the LDAP server at ${LDAP['uri']}"; print "Problem: Can't connect to the LDAP server at ${LDAP['uri']}";
@ -18,10 +19,9 @@ function open_ldap_connection() {
ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3); ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
if (!preg_match("/^ldaps:/", $LDAP['uri'])) { if (!preg_match("/^ldaps:/", $LDAP['uri'])) {
$tls_result = ldap_start_tls($ldap_connection); $tls_result = @ ldap_start_tls($ldap_connection);
if ($tls_result != TRUE) { if ($tls_result != TRUE) {
@ -32,16 +32,17 @@ function open_ldap_connection() {
exit(0); exit(0);
} }
else { else {
print "<div style='position: fixed;bottom: 0;width: 100%;' class='alert alert-warning'>WARNING: Insecure LDAP connection to ${LDAP['uri']}</div>"; if ($SENT_HEADERS == TRUE) {
print "<div style='position: fixed;bottom: 0px;width: 100%;height: 20px;border-bottom:solid 20px yellow;'>WARNING: Insecure LDAP connection to ${LDAP['uri']}</div>";
}
ldap_close($ldap_connection); ldap_close($ldap_connection);
$ldap_connection = ldap_connect($LDAP['uri']); $ldap_connection = @ ldap_connect($LDAP['uri']);
ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3); ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
} }
} }
} }
$bind_result = ldap_bind( $ldap_connection, $LDAP['admin_bind_dn'], $LDAP['admin_bind_pwd']); $bind_result = @ ldap_bind( $ldap_connection, $LDAP['admin_bind_dn'], $LDAP['admin_bind_pwd']);
if ($bind_result != TRUE) { if ($bind_result != TRUE) {
print "Problem: Failed to bind as ${LDAP['admin_bind_dn']}"; print "Problem: Failed to bind as ${LDAP['admin_bind_dn']}";
@ -63,7 +64,8 @@ function ldap_auth_username($ldap_connection,$username, $password) {
global $log_prefix, $LDAP; global $log_prefix, $LDAP;
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], "${LDAP['account_attribute']}=${username}"); $ldap_search_query="${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query );
if (!$ldap_search) { if (!$ldap_search) {
error_log("$log_prefix Couldn't search for $username",0); error_log("$log_prefix Couldn't search for $username",0);
@ -127,7 +129,8 @@ function ldap_get_user_list($ldap_connection,$start=0,$entries=NULL,$sort="asc",
global $log_prefix, $LDAP; global $log_prefix, $LDAP;
if (!isset($fields)) { $fields = array("uid", "givenname", "sn", "mail"); } if (!isset($fields)) { $fields = array_unique( array("${LDAP['account_attribute']}", "givenname", "sn", "mail")); }
if (!isset($sort_key)) { $sort_key = $LDAP['account_attribute']; } if (!isset($sort_key)) { $sort_key = $LDAP['account_attribute']; }
$ldap_search = ldap_search($ldap_connection, "${LDAP['user_dn']}", "(&(${LDAP['account_attribute']}=*)$filters)", $fields); $ldap_search = ldap_search($ldap_connection, "${LDAP['user_dn']}", "(&(${LDAP['account_attribute']}=*)$filters)", $fields);
@ -241,7 +244,8 @@ function ldap_get_group_members($ldap_connection,$group_name,$start=0,$entries=N
global $log_prefix, $LDAP; global $log_prefix, $LDAP;
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", "(cn=$group_name)", array($LDAP['group_membership_attribute'])); $ldap_search_query = "(cn=". ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query, array($LDAP['group_membership_attribute']));
$result = ldap_get_entries($ldap_connection, $ldap_search); $result = ldap_get_entries($ldap_connection, $ldap_search);
@ -267,7 +271,8 @@ function ldap_is_group_member($ldap_connection,$group_name,$username) {
global $log_prefix, $LDAP; global $log_prefix, $LDAP;
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", "(cn=$group_name)"); $ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
$result = ldap_get_entries($ldap_connection, $ldap_search); $result = ldap_get_entries($ldap_connection, $ldap_search);
if ($LDAP['group_membership_uses_uid'] == FALSE) { if ($LDAP['group_membership_uses_uid'] == FALSE) {
@ -292,7 +297,8 @@ function ldap_new_group($ldap_connection,$group_name) {
if (isset($group_name)) { if (isset($group_name)) {
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", "(cn=$group_name,${LDAP['group_dn']})"); $ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']})";
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
$result = ldap_get_entries($ldap_connection, $ldap_search); $result = ldap_get_entries($ldap_connection, $ldap_search);
if ($result['count'] == 0) { if ($result['count'] == 0) {
@ -343,7 +349,8 @@ function ldap_delete_group($ldap_connection,$group_name) {
if (isset($group_name)) { if (isset($group_name)) {
$delete = ldap_delete($ldap_connection, "cn=$group_name,${LDAP['group_dn']}"); $delete_query = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
$delete = ldap_delete($ldap_connection, $delete_query);
if ($delete) { if ($delete) {
error_log("$log_prefix Deleted group $group_name",0); error_log("$log_prefix Deleted group $group_name",0);
@ -367,7 +374,8 @@ function ldap_get_gid_of_group($ldap_connection,$group_name) {
if (isset($group_name)) { if (isset($group_name)) {
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", "(cn=$group_name)", array("gidNumber")); $ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query , array("gidNumber"));
$result = ldap_get_entries($ldap_connection, $ldap_search); $result = ldap_get_entries($ldap_connection, $ldap_search);
if (isset($result[0]['gidnumber'][0]) and is_numeric($result[0]['gidnumber'][0])) { if (isset($result[0]['gidnumber'][0]) and is_numeric($result[0]['gidnumber'][0])) {
@ -389,7 +397,8 @@ function ldap_new_account($ldap_connection,$first_name,$last_name,$username,$pas
if (isset($first_name) and isset($last_name) and isset($username) and isset($password)) { if (isset($first_name) and isset($last_name) and isset($username) and isset($password)) {
$ldap_search = ldap_search($ldap_connection, "${LDAP['user_dn']}", "(${LDAP['account_attribute']}=$username,${LDAP['user_dn']})"); $ldap_search_query = "(${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ",${LDAP['user_dn']})";
$ldap_search = ldap_search($ldap_connection, "${LDAP['user_dn']}", $ldap_search_query);
$result = ldap_get_entries($ldap_connection, $ldap_search); $result = ldap_get_entries($ldap_connection, $ldap_search);
if ($result['count'] == 0) { if ($result['count'] == 0) {
@ -425,7 +434,7 @@ function ldap_new_account($ldap_connection,$first_name,$last_name,$username,$pas
'mail' => $email 'mail' => $email
); );
$add_account = ldap_add($ldap_connection, $add_account = ldap_add($ldap_connection,
"${LDAP['account_attribute']}=$username,${LDAP['user_dn']}", "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}",
$user_info $user_info
); );
@ -471,7 +480,8 @@ function ldap_delete_account($ldap_connection,$username) {
if (isset($username)) { if (isset($username)) {
$delete = ldap_delete($ldap_connection, "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}"); $delete_query = "${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ",${LDAP['user_dn']}";
$delete = ldap_delete($ldap_connection, $delete_query);
if ($delete) { if ($delete) {
error_log("$log_prefix Deleted account for $username",0); error_log("$log_prefix Deleted account for $username",0);
@ -493,7 +503,7 @@ function ldap_add_member_to_group($ldap_connection,$group_name,$username) {
global $log_prefix, $LDAP; global $log_prefix, $LDAP;
$group_dn = "cn=${group_name},${LDAP['group_dn']}"; $group_dn = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
if ($LDAP['group_membership_uses_uid'] == FALSE) { if ($LDAP['group_membership_uses_uid'] == FALSE) {
$username = "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}"; $username = "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}";
@ -520,7 +530,7 @@ function ldap_delete_member_from_group($ldap_connection,$group_name,$username) {
global $log_prefix, $LDAP; global $log_prefix, $LDAP;
$group_dn = "cn=${group_name},${LDAP['group_dn']}"; $group_dn = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
if ($LDAP['group_membership_uses_uid'] == FALSE) { if ($LDAP['group_membership_uses_uid'] == FALSE) {
$username = "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}"; $username = "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}";
@ -549,7 +559,8 @@ function ldap_change_password($ldap_connection,$username,$new_password) {
#Find DN of user #Find DN of user
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], "${LDAP['account_attribute']}=${username}"); $ldap_search_query = "${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query);
if ($ldap_search) { if ($ldap_search) {
$result = ldap_get_entries($ldap_connection, $ldap_search); $result = ldap_get_entries($ldap_connection, $ldap_search);
if ($result["count"] == 1) { if ($result["count"] == 1) {


@ -8,6 +8,7 @@ $IS_SETUP_ADMIN = FALSE;
$ACCESS_LEVEL_NAME = array('account','admin'); $ACCESS_LEVEL_NAME = array('account','admin');
unset($USER_ID); unset($USER_ID);
$CURRENT_PAGE=htmlentities($_SERVER['PHP_SELF']); $CURRENT_PAGE=htmlentities($_SERVER['PHP_SELF']);
$SENT_HEADERS = FALSE;
$paths=explode('/',getcwd()); $paths=explode('/',getcwd());
$THIS_MODULE_PATH=end($paths); $THIS_MODULE_PATH=end($paths);
@ -69,7 +70,7 @@ function validate_passkey_cookie() {
list($user_id,$c_passkey) = explode(":",$_COOKIE['orf_cookie']); list($user_id,$c_passkey) = explode(":",$_COOKIE['orf_cookie']);
$filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id); $filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id);
$session_file = file_get_contents("/tmp/$filename"); $session_file = @ file_get_contents("/tmp/$filename");
if (!$session_file) { if (!$session_file) {
$VALIDATED = FALSE; $VALIDATED = FALSE;
unset($USER_ID); unset($USER_ID);
@ -156,7 +157,7 @@ function log_out($method='normal') {
function render_header($title="",$menu=TRUE) { function render_header($title="",$menu=TRUE) {
global $SITE_NAME, $IS_ADMIN, $LDAP_CONNECTION_WARNING; global $SITE_NAME, $IS_ADMIN, $SENT_HEADERS;
if (empty($title)) { $title = $SITE_NAME; } if (empty($title)) { $title = $SITE_NAME; }
@ -179,6 +180,8 @@ function render_header($title="",$menu=TRUE) {
render_menu(); render_menu();
} }
$SENT_HEADERS = TRUE;
} }
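Review bot: The `@` added in front of `file_get_contents("/tmp/$filename")` in validate_passkey_cookie silences every failure mode of that read (missing file, permission denied, open_basedir restriction), not only the expected missing-session case, so a misconfigured session directory would present as an ordinary logged-out state with nothing in the error log. An explicit guard keeps the intent visible without the suppression operator: `$session_file = is_readable("/tmp/$filename") ? file_get_contents("/tmp/$filename") : FALSE;`. Separately, the `global` line in render_header now lists `$SENT_HEADERS` in place of `$LDAP_CONNECTION_WARNING`; the rest of render_header's body is outside this hunk, and if it still references `$LDAP_CONNECTION_WARNING` it will read an undefined local from now on. A one-line comment on the new `$SENT_HEADERS = TRUE;` stating what it guards against (presumably a second header render) would help the next reader.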


@ -1,6 +1,8 @@
<?php <?php
include_once __DIR__ . "/includes/web_functions.inc.php"; set_include_path( __DIR__ . "/includes/");
include_once "web_functions.inc.php";
render_header(); render_header();
if (isset($_GET['logged_out'])) { if (isset($_GET['logged_out'])) {
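Review bot: `set_include_path( __DIR__ . "/includes/")` replaces the whole include path rather than extending it, so anything PHP's configured include_path previously provided is no longer resolvable from index.php; that looks intentional (only the bundled includes are used here) but deserves a comment such as `// Includes resolve only from the bundled includes/ directory`. This is also the only page in the commit that omits a leading `.:` entry, which is the form to prefer, since the current-directory entry would let a same-named file in the working directory shadow the bundled one.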


@ -1,7 +1,9 @@
<?php <?php
include __DIR__ . "/../includes/web_functions.inc.php"; set_include_path( ".:" . __DIR__ . "/../includes/");
include __DIR__ . "/../includes/ldap_functions.inc.php";
include "web_functions.inc.php";
include "ldap_functions.inc.php";
if (isset($_POST["user_id"]) and isset($_POST["password"])) { if (isset($_POST["user_id"]) and isset($_POST["password"])) {
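Review bot: The include path set on the login page is prefixed with `.:`, so a file named `web_functions.inc.php` or `ldap_functions.inc.php` in the web server's working directory is picked up before the bundled one; nothing on this page needs the current-directory entry, and index.php in the same commit uses the absolute directory alone. Dropping the prefix, `set_include_path(__DIR__ . "/../includes/");`, gives every page the same resolution order. The same `.:` prefix appears in the logout page, the setup page and the two setup module pages below. This page also uses `include` where the other pages use `include_once`; since both included files define functions, a second inclusion would be fatal, so `include_once` is the consistent choice.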


@ -1,4 +1,5 @@
<?php <?php
include __DIR__ . "/../includes/web_functions.inc.php"; set_include_path( ".:" . __DIR__ . "/../includes/");
include_once "web_functions.inc.php";
log_out(); log_out();
?> ?>


@ -1,7 +1,9 @@
<?php <?php
include __DIR__ . "/../includes/web_functions.inc.php"; set_include_path( ".:" . __DIR__ . "/../includes/");
include __DIR__ . "/../includes/ldap_functions.inc.php";
include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
if (isset($_POST["admin_password"])) { if (isset($_POST["admin_password"])) {


@ -1,8 +1,10 @@
<?php <?php
include_once __DIR__ . "/../includes/web_functions.inc.php"; set_include_path( ".:" . __DIR__ . "/../includes/");
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
include_once __DIR__ . "/../includes/module_functions.inc.php"; include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
include_once "module_functions.inc.php";
validate_setup_cookie(); validate_setup_cookie();
set_page_access("setup"); set_page_access("setup");


@ -1,8 +1,10 @@
<?php <?php
include_once __DIR__ . "/../includes/web_functions.inc.php"; set_include_path( ".:" . __DIR__ . "/../includes/");
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
include_once __DIR__ . "/../includes/module_functions.inc.php"; include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
include_once "module_functions.inc.php";
validate_setup_cookie(); validate_setup_cookie();
set_page_access("setup"); set_page_access("setup");