Code tidy, encode URLs and add no-https option

Brian Lycett 2020-01-10 12:01:31 +00:00
parent c3244bdd7f
commit 495d31521a
18 changed files with 212 additions and 153 deletions


@ -1,18 +1,18 @@
FROM php:7.0-apache
COPY www/ /opt/ldap_user_manager
COPY entrypoint /usr/local/bin/entrypoint
RUN apt-get update && apt-get install -y --no-install-recommends libldb-dev libldap2-dev && rm -rf /var/lib/apt/lists/* && ln -s /usr/lib/x86_64-linux-gnu/libldap.so /usr/lib/libldap.so \
&& ln -s /usr/lib/x86_64-linux-gnu/liblber.so /usr/lib/liblber.so
RUN docker-php-source extract && docker-php-ext-install -j$(nproc) ldap && docker-php-source delete
RUN chmod a+x /usr/local/bin/entrypoint
RUN a2enmod rewrite ssl
RUN a2dissite 000-default default-ssl
EXPOSE 80
EXPOSE 443
COPY www/ /opt/ldap_user_manager
COPY entrypoint /usr/local/bin/entrypoint
RUN chmod a+x /usr/local/bin/entrypoint
CMD ["apache2-foreground"]
ENTRYPOINT ["/usr/local/bin/entrypoint"]
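Review bot: The image still builds from `php:7.0-apache` (first line of the file), a PHP branch whose security support ended in December 2018, so this tool ships a web runtime with unpatched CVEs regardless of the TLS handling the entrypoint adds. Moving the `COPY` lines below the `RUN` layers is a sensible cache fix, but the base tag should be raised to a supported `php:7.x-apache` at the same time; nothing in the PHP changed by this commit (`ldap_escape`, `LDAP_ESCAPE_FILTER`) needs 7.0 specifically. A one-line comment above `FROM` recording why a given tag was chosen would also stop it silently aging in place.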


@ -47,7 +47,7 @@ docker run \
-e "SERVER_HOSTNAME=lum.example.com" \
-e "LDAP_URI=ldap://ldap.example.com" \
-e "LDAP_BASE_DN=dc=example,dc=com" \
-e "LDAP_STARTTLS=TRUE" \
-e "LDAP_REQUIRE_STARTTLS=TRUE" \
-e "LDAP_ADMINS_GROUP=admins" \
-e "LDAP_ADMIN_BIND_DN=cn=admin,dc=example,dc=com" \
-e "LDAP_ADMIN_BIND_PWD=secret"\
@ -78,6 +78,7 @@ Optional:
----
* `SERVER_HOSTNAME` (default: *example.com*): The hostname that this interface will be served from.
* `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption. This is insecure and should only be used for testing.
* `LDAP_USER_OU` (default: *people*): The name of the OU used to store user accounts (without the base DN appended).
@ -85,8 +86,6 @@ Optional:
* `LDAP_GROUP_MEMBERSHIP_ATTRIBUTE` (default: *uniqueMember*): The attribute used when adding a user to a group.
* `LDAP_GROUP_MEMBERSHIP_USES_UID`(default: *FALSE*): If *TRUE* then the entry for a member of a group will be just the username. Otherwise it's the member's full DN.
* `LDAP_ACCOUNT_ATTRIBUTE` (default: *uid*): The attribute used to identify account usernames.
* `LDAP_REQUIRE_STARTTLS` (default: *TRUE*): If *TRUE* then a TLS connection is required for this interface to work. If set to *FALSE* then the interface will work without STARTTLS, but a warning will be displayed on the page.
* `LDAP_TLS_CACERT` (no default): If you need to use a specific CA certificate for TLS connections to the LDAP server (when `LDAP_REQUIRE_STARTTLS` is set) then assign the contents of the CA certificate to this variable. e.g. `-e LDAP_TLS_CERT=$(</path/to/ca.crt)`
@ -106,8 +105,7 @@ Optional:
Webserver SSL setup
---
The webserver (Apache HTTPD) expects to find `/opt/ssl/server.key` and `/opt/ssl/server.crt`, and these certificates should match `SERVER_HOSTNAME`.
If those files aren't found then the startup script will create self-signed certificates based on `SERVER_HOSTNAME`. To use your own key and certificate then you need to bind-mount a directory containing them to `/opt/ssl`. The script will also look for `/opt/ssl/chain.pem` if you need to add a certificate chain file (the Apache `SSLCertificateChainFile` option).
When `NO_HTTPS` is set to **false** (the default), the webserver (Apache HTTPD) expects to find `/opt/ssl/server.key` and `/opt/ssl/server.crt`, and these certificates should match `SERVER_HOSTNAME`. If these files aren't found then the startup script will create self-signed certificates based on `SERVER_HOSTNAME`. To use your own key and certificate then you need to bind-mount a directory containing them to `/opt/ssl`. The script will also look for `/opt/ssl/chain.pem` if you need to add a certificate chain file (the Apache `SSLCertificateChainFile` option).
e.g.:
```
@ -152,5 +150,5 @@ If `EMAIL_DOMAIN` is set then the email address field will be automatically upda
Details on accounts and groups
---
This interface will create POSIX user accounts and groups, which allows you to use your LDAP directory for Linux/Unix accounts.
Groups are also created as a `groupOfUniqueNames` type in case you want to use the `memberOf` LDAP module.
This interface will create POSIX user accounts and groups, which allows you to use your LDAP directory for Linux/Unix accounts. The accounts created use `person`, `inetOrgPerson` & `posixAccount` objectClasses. Usernames are defined via the `uid` attribute and groups are created as with `posixGroup` and `groupOfUniqueNames` objectClasses (the latter in case you want to use the `memberOf` LDAP module).


@ -5,7 +5,6 @@ ssl_dir="/opt/ssl"
if [ ! "$SERVER_HOSTNAME" ]; then export SERVER_HOSTNAME=example.com; fi
#If LDAP_TLS_CACERT is set then write it out as a file
#and set up the LDAP client conf to use it.
@ -15,79 +14,99 @@ if [ "$LDAP_TLS_CACERT" ]; then
fi
########################
#If there aren't any SSL certs then create a CA and then CA-signed certificate
if [ "$NO_HTTPS" = "TRUE" ]; then
if [ ! -f "${ssl_dir}/server.key" ] && [ ! -f "${ssl_dir}/server.crt" ]; then
cat <<EoHTTPC >/etc/apache2/sites-enabled/lum.conf
mkdir -p $ssl_dir
confout="${ssl_dir}/conf"
keyout="${ssl_dir}/server.key"
certout="${ssl_dir}/server.crt"
cakey="${ssl_dir}/ca.key"
cacert="${ssl_dir}/ca.crt"
serialfile="${ssl_dir}/serial"
<VirtualHost *:80>
echo "Generating CA key"
openssl genrsa -out $cakey 2048
if [ $? -ne 0 ]; then exit 1 ; fi
ServerName $SERVER_HOSTNAME
DocumentRoot /opt/ldap_user_manager
echo "Generating CA certificate"
openssl req \
-x509 \
-new \
-nodes \
-subj "/C=GB/ST=GB/L=GB/O=CA/OU=CA/CN=Wheelybird" \
-key $cakey \
-sha256 \
-days 7300 \
-out $cacert
if [ $? -ne 0 ]; then exit 1 ; fi
DirectoryIndex index.php index.html
echo "Generating openssl configuration"
<Directory /opt/ldap_user_manager>
Require all granted
</Directory>
cat <<EoCertConf>$confout
</VirtualHost>
EoHTTPC
else
########################
#If there aren't any SSL certs then create a CA and then CA-signed certificate
if [ ! -f "${ssl_dir}/server.key" ] && [ ! -f "${ssl_dir}/server.crt" ]; then
mkdir -p $ssl_dir
confout="${ssl_dir}/conf"
keyout="${ssl_dir}/server.key"
certout="${ssl_dir}/server.crt"
cakey="${ssl_dir}/ca.key"
cacert="${ssl_dir}/ca.crt"
serialfile="${ssl_dir}/serial"
echo "Generating CA key"
openssl genrsa -out $cakey 2048
if [ $? -ne 0 ]; then exit 1 ; fi
echo "Generating CA certificate"
openssl req \
-x509 \
-new \
-nodes \
-subj "/C=GB/ST=GB/L=GB/O=CA/OU=CA/CN=Wheelybird" \
-key $cakey \
-sha256 \
-days 7300 \
-out $cacert
if [ $? -ne 0 ]; then exit 1 ; fi
echo "Generating openssl configuration"
cat <<EoCertConf>$confout
subjectAltName = DNS:${SERVER_HOSTNAME},IP:127.0.0.1
extendedKeyUsage = serverAuth
EoCertConf
echo "Generating server key..."
openssl genrsa -out $keyout 2048
if [ $? -ne 0 ]; then exit 1 ; fi
echo "Generating server key..."
openssl genrsa -out $keyout 2048
if [ $? -ne 0 ]; then exit 1 ; fi
echo "Generating server signing request..."
openssl req \
-subj "/CN=${SERVER_HOSTNAME}" \
-sha256 \
-new \
-key $keyout \
-out /tmp/server.csr
if [ $? -ne 0 ]; then exit 1 ; fi
echo "Generating server signing request..."
openssl req \
-subj "/CN=${SERVER_HOSTNAME}" \
-sha256 \
-new \
-key $keyout \
-out /tmp/server.csr
if [ $? -ne 0 ]; then exit 1 ; fi
echo "Generating server cert..."
openssl x509 \
-req \
-days 7300 \
-sha256 \
-in /tmp/server.csr \
-CA $cacert \
-CAkey $cakey \
-CAcreateserial \
-CAserial $serialfile \
-out $certout \
-extfile $confout
if [ $? -ne 0 ]; then exit 1 ; fi
echo "Generating server cert..."
openssl x509 \
-req \
-days 7300 \
-sha256 \
-in /tmp/server.csr \
-CA $cacert \
-CAkey $cakey \
-CAcreateserial \
-CAserial $serialfile \
-out $certout \
-extfile $confout
if [ $? -ne 0 ]; then exit 1 ; fi
fi
fi
########################
#Create Apache config
########################
#Create Apache config
if [ -f "/opt/tls/chain.pem" ]; then $ssl_chain="SSLCertificateChainFile /opt/tls/chain.pem"; fi
if [ -f "/opt/tls/chain.pem" ]; then $ssl_chain="SSLCertificateChainFile /opt/tls/chain.pem"; fi
cat <<EoC >/etc/apache2/sites-enabled/lum.conf
cat <<EoHTTPSC >/etc/apache2/sites-enabled/lum.conf
Listen 443
@ -114,11 +133,10 @@ Listen 443
SSLCertificateKeyFile /opt/ssl/server.key
$ssl_chain
php_value include_path "/opt/ldap_user_manager/includes"
</VirtualHost>
EoC
EoHTTPSC
fi
########################
#Run Apache
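Review bot: The chain-file line kept on both sides of the new `if`, `if [ -f "/opt/tls/chain.pem" ]; then $ssl_chain="SSLCertificateChainFile /opt/tls/chain.pem"; fi`, never assigns anything: with `ssl_chain` unset the leading `$ssl_chain` expands to nothing and the shell tries to run a command literally named `=SSLCertificateChainFile /opt/tls/chain.pem`, so `$ssl_chain` in the heredoc is always empty and an operator-supplied chain is silently dropped from the served certificate. It also tests `/opt/tls/` while the README and the `ssl_dir="/opt/ssl"` at the top of this script use `/opt/ssl/`, so the file would not be found even if the assignment worked; the line should read `if [ -f "${ssl_dir}/chain.pem" ]; then ssl_chain="SSLCertificateChainFile ${ssl_dir}/chain.pem"; fi`. Since `NO_HTTPS=TRUE` puts the LDAP admin-bind and user passwords on the wire in clear, the new HTTP branch should also announce itself in the container log, e.g. `echo "WARNING: NO_HTTPS is set; serving unencrypted HTTP on port 80" >&2` before the heredoc, rather than relying on the README alone. The heredoc body between `Listen 443` and `SSLCertificateKeyFile` is outside this page, so I have assumed it is unchanged.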


@ -1,8 +1,10 @@
<?php
include_once __DIR__ . "/../includes/web_functions.inc.php";
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
include_once __DIR__ . "/../includes/module_functions.inc.php";
set_include_path( ".:" . __DIR__ . "/../includes/");
include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
include_once "module_functions.inc.php";
set_page_access("admin");
render_header("LDAP manager");
@ -11,7 +13,7 @@ render_submenu();
$ldap_connection = open_ldap_connection();
if (isset($_POST['delete_group'])) {
?>
<script>
window.setTimeout(function() {
@ -19,12 +21,14 @@ if (isset($_POST['delete_group'])) {
}, 4000);
</script>
<?php
$this_group = $_POST['delete_group'];
$this_group = urldecode($this_group);
if (preg_match("/$USERNAME_REGEX/",$this_group)) {
$del_group = ldap_delete_group($ldap_connection,$this_group);
if ($del_group) {
?>
<div class="alert alert-success" role="alert">
@ -55,26 +59,26 @@ render_js_username_check();
<script type="text/javascript">
function show_new_group_form() {
group_form = document.getElementById('group_name');
group_submit = document.getElementById('add_group');
group_form.classList.replace('invisible','visible');
group_submit.classList.replace('invisible','visible');
}
</script>
<div class="container">
<div class="form-inline" id="new_group_div">
<div class="form-inline" id="new_group_div">
<form action="/<?php print $THIS_MODULE_PATH; ?>/show_group.php" method="post">
<input type="hidden" name="new_group">
<button id="show_new_group" class="form-control btn btn-default" type="button" onclick="show_new_group_form();">New group</button>
<input type="text" class="form-control invisible" name="group_name" id="group_name" placeholder="Group name" onkeyup="check_entity_name_validity(document.getElementById('group_name').value,'new_group_div');"><button id="add_group" class="form-control btn btn-primary btn-sm invisible" type="submit">Add</button>
</form>
</div>
<table class="table table-striped">
<thead>
<tr>
@ -84,7 +88,7 @@ render_js_username_check();
<tbody>
<?php
foreach ($groups as $group){
print " <tr>\n <td><a href='/$THIS_MODULE_PATH/show_group.php?group_name=$group'>$group</a></td>\n </tr>\n";
print " <tr>\n <td><a href='/$THIS_MODULE_PATH/show_group.php?group_name=" . urlencode($group) . "'>$group</a></td>\n </tr>\n";
}
?>
</tbody>
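Review bot: The rewritten row line encodes only the href: `urlencode($group)` protects the query string, but the same `$group` is then printed raw as the link text, so a group name containing `<` or `&` breaks or injects markup and should be emitted as `htmlspecialchars($group, ENT_QUOTES, 'UTF-8')` in the text position. Whether such names can exist depends on `$USERNAME_REGEX`, which is defined outside this page and whose anchoring I cannot see, so treat the escape as cheap insurance rather than a confirmed hole. The added `$this_group = urldecode($this_group);` is a double decode: PHP has already URL-decoded the form body when populating `$_POST`, so a name containing a literal `%xx` or `+` is altered before the regex check; the raw `$_POST['delete_group']` is correct on its own, and the matching `urlencode()` on the hidden input elsewhere in this commit is harmless but unnecessary. Finally, the delete handler fires on any POST carrying `delete_group` and nothing in view binds it to a per-session token, so an authenticated admin can be made to delete a group by a cross-site form post — a CSRF token check belongs before `ldap_delete_group()`.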


@ -1,8 +1,10 @@
<?php
include_once __DIR__ . "/../includes/web_functions.inc.php";
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
include_once __DIR__ . "/../includes/module_functions.inc.php";
set_include_path( ".:" . __DIR__ . "/../includes/");
include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
include_once "module_functions.inc.php";
set_page_access("admin");
render_header("LDAP manager");
@ -11,7 +13,7 @@ render_submenu();
$ldap_connection = open_ldap_connection();
if (isset($_POST['delete_user'])) {
?>
<script>
window.setTimeout(function() {
@ -19,12 +21,14 @@ if (isset($_POST['delete_user'])) {
}, 4000);
</script>
<?php
$this_user = $_POST['delete_user'];
$this_user = urldecode($this_user);
if (preg_match("/$USERNAME_REGEX/",$this_user)) {
$del_user = ldap_delete_account($ldap_connection,$this_user);
if ($del_user) {
?>
<div class="alert alert-success" role="alert">
@ -65,7 +69,7 @@ ldap_close($ldap_connection);
<tbody>
<?php
foreach ($people as $username => $attribs){
print " <tr>\n <td><a href='/$THIS_MODULE_PATH/show_user.php?username=$username'>$username</a></td>\n";
print " <tr>\n <td><a href='/$THIS_MODULE_PATH/show_user.php?username=" . urlencode($username) . "'>$username</a></td>\n";
print " <td>" . $people[$username]['givenname'] . "</td>\n";
print " <td>" . $people[$username]['sn'] . "</td>\n";
print " <td>" . $people[$username]['mail'] . "</td>\n";
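Review bot: Only the href is encoded on the rewritten row line; the link text `$username` and the `givenname`, `sn` and `mail` cells on the three lines below it go into the table straight from the LDAP entries with no `htmlspecialchars()`. Usernames at least pass `$USERNAME_REGEX` on creation (the regex itself is outside this page), but given name, surname and mail are free-form attributes that this tool or any other LDAP client can write, so a value such as `<script>` in `sn` renders on every admin's user list. Wrap each cell, e.g. `print " <td>" . htmlspecialchars($people[$username]['sn'], ENT_QUOTES, 'UTF-8') . "</td>\n";`. The added `urldecode()` on `$_POST['delete_user']` is redundant with PHP's own decoding of the form body and will mangle a literal `%` or `+` before the regex check; the value can be used directly.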


@ -1,8 +1,10 @@
<?php
include_once __DIR__ . "/../includes/web_functions.inc.php";
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
include_once __DIR__ . "/../includes/module_functions.inc.php";
set_include_path( ".:" . __DIR__ . "/../includes/");
include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
include_once "module_functions.inc.php";
if ( $_POST['setup_admin_account'] ) {
$admin_setup = TRUE;
@ -180,7 +182,7 @@ render_js_email_generator('username','email');
</script>
<div class="container">
<div class="col-sm-7">
<div class="col-sm-8">
<div class="panel panel-default">
<div class="panel-heading text-center"><?php print $page_title; ?></div>
@ -193,35 +195,35 @@ render_js_email_generator('username','email');
<input type="hidden" id="pass_score" value="0" name="pass_score">
<div class="form-group">
<label for="first_name" class="col-sm-2 control-label">First name</label>
<label for="first_name" class="col-sm-3 control-label">First name</label>
<div class="col-sm-6">
<input type="text" class="form-control" id="first_name" name="first_name" <?php if (isset($first_name)){ print " value='$first_name'"; } ?> onkeyup="update_username(); update_email();">
</div>
</div>
<div class="form-group">
<label for="last_name" class="col-sm-2 control-label">Last name</label>
<label for="last_name" class="col-sm-3 control-label">Last name</label>
<div class="col-sm-6">
<input type="text" class="form-control" id="last_name" name="last_name" <?php if (isset($last_name)){ print " value='$last_name'"; } ?> onkeyup="update_username(); update_email();">
</div>
</div>
<div class="form-group" id="username_div">
<label for="username" class="col-sm-2 control-label">Username</label>
<label for="username" class="col-sm-3 control-label">Username</label>
<div class="col-sm-6">
<input type="text" class="form-control" id="username" name="username" <?php if (isset($username)){ print " value='$username'"; } ?> onkeyup="check_username_validity(document.getElementById('username').value); update_email();">
</div>
</div>
<div class="form-group" id="email_div">
<label for="username" class="col-sm-2 control-label">Email</label>
<label for="username" class="col-sm-3 control-label">Email</label>
<div class="col-sm-6">
<input type="text" class="form-control" id="email" name="email" <?php if (isset($email)){ print " value='$email'"; } ?> onkeyup="auto_email_update = false;">
</div>
</div>
<div class="form-group" id="password_div">
<label for="password" class="col-sm-2 control-label">Password</label>
<label for="password" class="col-sm-3 control-label">Password</label>
<div class="col-sm-6">
<input type="text" class="form-control" id="password" name="password" onkeyup="back_to_hidden('password','confirm');">
</div>
@ -231,7 +233,7 @@ render_js_email_generator('username','email');
</div>
<div class="form-group" id="confirm_div">
<label for="confirm" class="col-sm-2 control-label">Confirm</label>
<label for="confirm" class="col-sm-3 control-label">Confirm</label>
<div class="col-sm-6">
<input type="password" class="form-control" id="confirm" name="password_match" onkeyup="check_passwords_match()">
</div>
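Review bot: The four input lines in this hunk write submitted values back into single-quoted attributes unescaped — `print " value='$first_name'"` and the same for `$last_name`, `$username` and `$email`. These variables are presumably populated from `$_POST` earlier in the file (not visible here), so a value containing `'` closes the attribute and injects an event handler into the admin's own page when the form re-renders after a validation error; use `print " value='" . htmlspecialchars($first_name, ENT_QUOTES, 'UTF-8') . "'";` in each. The `if ( $_POST['setup_admin_account'] )` test near the top also reads the key without `isset()` and raises a notice on every ordinary request; `if (isset($_POST['setup_admin_account']))` is the form the comparable handlers in this commit use. The column-width changes are cosmetic and fine.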


@ -1,8 +1,10 @@
<?php
include_once __DIR__ . "/../includes/web_functions.inc.php";
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
include_once __DIR__ . "/../includes/module_functions.inc.php";
set_include_path( ".:" . __DIR__ . "/../includes/");
include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
include_once "module_functions.inc.php";
set_page_access("admin");
render_header("LDAP manager");
@ -22,6 +24,7 @@ exit(0);
}
else {
$group_cn = (isset($_POST['group_name']) ? $_POST['group_name'] : $_GET['group_name']);
$group_cn = urldecode($group_cn);
}
if (!preg_match("/$USERNAME_REGEX/",$group_cn)) {
@ -41,8 +44,8 @@ if (isset($_POST['new_group'])) {
######################################################################################
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", "cn=$group_cn");
$ldap_search_query="cn=" . ldap_escape($group_cn, "", LDAP_ESCAPE_FILTER);
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
$result = ldap_get_entries($ldap_connection, $ldap_search);
$current_members = array();
@ -260,7 +263,7 @@ ldap_close($ldap_connection);
</button>
<form id="group_members" action="<?php print $CURRENT_PAGE; ?>" method="post">
<input type="hidden" name="update_members">
<input type="hidden" name="group_name" value="<?php print $group_cn; ?>">
<input type="hidden" name="group_name" value="<?php print urlencode($group_cn); ?>">
</form>
<button id="submit_members" class="btn btn-info" disabled type="submit" onclick="update_form_with_users()">Save</button>
</div>
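Review bot: The added `$group_cn = urldecode($group_cn);` double-decodes: `$_GET` and `$_POST` are already URL-decoded by PHP, so a name submitted with a literal `%` or `+` is changed before it reaches the `$USERNAME_REGEX` check, and the matching `urlencode($group_cn)` in the hidden `group_name` input further down exists only to survive that extra decode. Both can go: the raw parameter is what the regex should see, and `urlencode()`'s output is attribute-safe anyway so nothing is lost by keeping it. The `ldap_escape(..., LDAP_ESCAPE_FILTER)` on the rebuilt search line is the right fix regardless, because it does not depend on how strict the regex is; that regex lives outside this page, and if it is not anchored with `^...$` then `preg_match` only needs a substring match, which is worth confirming.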


@ -1,8 +1,10 @@
<?php
include_once __DIR__ . "/../includes/web_functions.inc.php";
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
include_once __DIR__ . "/../includes/module_functions.inc.php";
set_include_path( ".:" . __DIR__ . "/../includes/");
include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
include_once "module_functions.inc.php";
set_page_access("admin");
render_header();
@ -37,20 +39,21 @@ exit(0);
}
else {
$username = (isset($_POST['username']) ? $_POST['username'] : $_GET['username']);
$username = urldecode($username);
}
if (!preg_match("/$USERNAME_REGEX/",$username)) {
?>
<div class="alert alert-danger">
<p class="text-center">The username is invalid.</p>
<p class="text-center">The username <b><?php print "$username"; ?></b> is invalid.</p>
</div>
<?php
render_footer();
exit(0);
}
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], "(${LDAP['account_attribute']}=$username)" );
$ldap_search_query="(${LDAP['account_attribute']}=". ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query);
if ($ldap_search) {
@ -325,7 +328,7 @@ if ($ldap_search) {
<div class="panel-heading clearfix">
<h3 class="panel-title pull-left" style="padding-top: 7.5px;"><?php print $user[0]['uid'][0]; ?></h3>
<button class="btn btn-warning pull-right" onclick="show_delete_user_button();">Delete account</button>
<form action="/<?php print $THIS_MODULE_PATH; ?>/index.php" method="post"><input type="hidden" name="delete_user" value="<?php print $username; ?>"><button class="btn btn-danger pull-right invisible" id="delete_user">Confirm deletion</button></form>
<form action="/<?php print $THIS_MODULE_PATH; ?>/index.php" method="post"><input type="hidden" name="delete_user" value="<?php print urlencode($username); ?>"><button class="btn btn-danger pull-right invisible" id="delete_user">Confirm deletion</button></form>
</div>
<div class="panel-body">
<form class="form-horizontal" action="" method="post">
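Review bot: The new error line `The username <b><?php print "$username"; ?></b> is invalid.` echoes the value that has just failed `$USERNAME_REGEX` straight into the page, and `$username` comes from `$_GET['username']` a few lines above, so this is a reflected XSS against whoever opens the link — and `set_page_access("admin")` makes that an administrator. The branch exists precisely for input the regex rejected, so escaping is mandatory here: `<?php print htmlspecialchars($username, ENT_QUOTES, 'UTF-8'); ?>`, or revert to the previous generic wording. The preceding `urldecode($username)` is redundant with PHP's own decoding of `$_GET`/`$_POST` and can alter a literal `%` or `+` before validation. The `ldap_escape` on the rebuilt filter is correct, and `urlencode()` on the hidden `delete_user` value is fine since its output is attribute-safe.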


@ -1,7 +1,9 @@
<?php
include_once __DIR__ . "/../includes/web_functions.inc.php";
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
set_include_path( ".:" . __DIR__ . "/../includes/");
include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
set_page_access("user");


@ -17,7 +17,7 @@
$LDAP['group_membership_attribute'] = (getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') ? getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') : 'uniquemember');
$LDAP['group_membership_uses_uid'] = ((strcmp(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID'),'TRUE') == 0) ? TRUE : FALSE);
$LDAP['account_attribute'] = (getenv('LDAP_ACCOUNT_ATTRIBUTE') ? getenv('LDAP_ACCOUNT_ATTRIBUTE') : 'uid');
$LDAP['account_attribute'] = 'uid';
$LDAP['require_starttls'] = ((strcmp(getenv('LDAP_REQUIRE_STARTTLS'),'TRUE') == 0) ? TRUE : FALSE);
$DEFAULT_USER_GROUP = (getenv('DEFAULT_USER_GROUP') ? getenv('DEFAULT_USER_GROUP') : 'everybody');
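Review bot: `$LDAP['require_starttls'] = ((strcmp(getenv('LDAP_REQUIRE_STARTTLS'),'TRUE') == 0) ? TRUE : FALSE);` evaluates to FALSE whenever the variable is unset, because `getenv()` returns `false`, which `strcmp` treats as `""`; the README in this same commit documents the default as *TRUE*, so a deployment that omits the variable silently accepts a plaintext LDAP bind carrying the admin password while the documentation says it would refuse. Make the code match the documented secure default: `$LDAP['require_starttls'] = (strcasecmp((string) getenv('LDAP_REQUIRE_STARTTLS'), 'FALSE') != 0);`, which requires STARTTLS unless the operator explicitly opts out. The same pattern on `group_membership_uses_uid` is fine because its documented default is FALSE. Hard-coding `$LDAP['account_attribute'] = 'uid'` removes a previously documented option; if `LDAP_ACCOUNT_ATTRIBUTE` is still listed in the README after this commit, that entry should be dropped too.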


@ -1,14 +1,15 @@
<?php
$log_prefix = date('Y-m-d H:i:s') . " - LDAP manager - $USER_ID - ";
$LDAP_CONNECTION_WARNING = FALSE;
###################################
function open_ldap_connection() {
global $log_prefix, $LDAP, $LDAP_CONNECTION_WARNING;
global $log_prefix, $LDAP, $SENT_HEADERS;
$ldap_connection = ldap_connect($LDAP['uri']);
$ldap_connection = @ ldap_connect($LDAP['uri']);
if (!$ldap_connection) {
print "Problem: Can't connect to the LDAP server at ${LDAP['uri']}";
@ -18,10 +19,9 @@ function open_ldap_connection() {
ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
if (!preg_match("/^ldaps:/", $LDAP['uri'])) {
$tls_result = ldap_start_tls($ldap_connection);
$tls_result = @ ldap_start_tls($ldap_connection);
if ($tls_result != TRUE) {
@ -32,16 +32,17 @@ function open_ldap_connection() {
exit(0);
}
else {
print "<div style='position: fixed;bottom: 0;width: 100%;' class='alert alert-warning'>WARNING: Insecure LDAP connection to ${LDAP['uri']}</div>";
if ($SENT_HEADERS == TRUE) {
print "<div style='position: fixed;bottom: 0px;width: 100%;height: 20px;border-bottom:solid 20px yellow;'>WARNING: Insecure LDAP connection to ${LDAP['uri']}</div>";
}
ldap_close($ldap_connection);
$ldap_connection = ldap_connect($LDAP['uri']);
$ldap_connection = @ ldap_connect($LDAP['uri']);
ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
}
}
}
$bind_result = ldap_bind( $ldap_connection, $LDAP['admin_bind_dn'], $LDAP['admin_bind_pwd']);
$bind_result = @ ldap_bind( $ldap_connection, $LDAP['admin_bind_dn'], $LDAP['admin_bind_pwd']);
if ($bind_result != TRUE) {
print "Problem: Failed to bind as ${LDAP['admin_bind_dn']}";
@ -63,7 +64,8 @@ function ldap_auth_username($ldap_connection,$username, $password) {
global $log_prefix, $LDAP;
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], "${LDAP['account_attribute']}=${username}");
$ldap_search_query="${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query );
if (!$ldap_search) {
error_log("$log_prefix Couldn't search for $username",0);
@ -127,7 +129,8 @@ function ldap_get_user_list($ldap_connection,$start=0,$entries=NULL,$sort="asc",
global $log_prefix, $LDAP;
if (!isset($fields)) { $fields = array("uid", "givenname", "sn", "mail"); }
if (!isset($fields)) { $fields = array_unique( array("${LDAP['account_attribute']}", "givenname", "sn", "mail")); }
if (!isset($sort_key)) { $sort_key = $LDAP['account_attribute']; }
$ldap_search = ldap_search($ldap_connection, "${LDAP['user_dn']}", "(&(${LDAP['account_attribute']}=*)$filters)", $fields);
@ -241,7 +244,8 @@ function ldap_get_group_members($ldap_connection,$group_name,$start=0,$entries=N
global $log_prefix, $LDAP;
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", "(cn=$group_name)", array($LDAP['group_membership_attribute']));
$ldap_search_query = "(cn=". ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query, array($LDAP['group_membership_attribute']));
$result = ldap_get_entries($ldap_connection, $ldap_search);
@ -267,7 +271,8 @@ function ldap_is_group_member($ldap_connection,$group_name,$username) {
global $log_prefix, $LDAP;
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", "(cn=$group_name)");
$ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
$result = ldap_get_entries($ldap_connection, $ldap_search);
if ($LDAP['group_membership_uses_uid'] == FALSE) {
@ -292,7 +297,8 @@ function ldap_new_group($ldap_connection,$group_name) {
if (isset($group_name)) {
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", "(cn=$group_name,${LDAP['group_dn']})");
$ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']})";
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
$result = ldap_get_entries($ldap_connection, $ldap_search);
if ($result['count'] == 0) {
@ -343,7 +349,8 @@ function ldap_delete_group($ldap_connection,$group_name) {
if (isset($group_name)) {
$delete = ldap_delete($ldap_connection, "cn=$group_name,${LDAP['group_dn']}");
$delete_query = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
$delete = ldap_delete($ldap_connection, $delete_query);
if ($delete) {
error_log("$log_prefix Deleted group $group_name",0);
@ -367,7 +374,8 @@ function ldap_get_gid_of_group($ldap_connection,$group_name) {
if (isset($group_name)) {
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", "(cn=$group_name)", array("gidNumber"));
$ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query , array("gidNumber"));
$result = ldap_get_entries($ldap_connection, $ldap_search);
if (isset($result[0]['gidnumber'][0]) and is_numeric($result[0]['gidnumber'][0])) {
@ -389,7 +397,8 @@ function ldap_new_account($ldap_connection,$first_name,$last_name,$username,$pas
if (isset($first_name) and isset($last_name) and isset($username) and isset($password)) {
$ldap_search = ldap_search($ldap_connection, "${LDAP['user_dn']}", "(${LDAP['account_attribute']}=$username,${LDAP['user_dn']})");
$ldap_search_query = "(${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ",${LDAP['user_dn']})";
$ldap_search = ldap_search($ldap_connection, "${LDAP['user_dn']}", $ldap_search_query);
$result = ldap_get_entries($ldap_connection, $ldap_search);
if ($result['count'] == 0) {
@ -425,7 +434,7 @@ function ldap_new_account($ldap_connection,$first_name,$last_name,$username,$pas
'mail' => $email
);
$add_account = ldap_add($ldap_connection,
$add_account = ldap_add($ldap_connection,
"${LDAP['account_attribute']}=$username,${LDAP['user_dn']}",
$user_info
);
@ -471,7 +480,8 @@ function ldap_delete_account($ldap_connection,$username) {
if (isset($username)) {
$delete = ldap_delete($ldap_connection, "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}");
$delete_query = "${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ",${LDAP['user_dn']}";
$delete = ldap_delete($ldap_connection, $delete_query);
if ($delete) {
error_log("$log_prefix Deleted account for $username",0);
@ -493,7 +503,7 @@ function ldap_add_member_to_group($ldap_connection,$group_name,$username) {
global $log_prefix, $LDAP;
$group_dn = "cn=${group_name},${LDAP['group_dn']}";
$group_dn = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
if ($LDAP['group_membership_uses_uid'] == FALSE) {
$username = "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}";
@ -520,7 +530,7 @@ function ldap_delete_member_from_group($ldap_connection,$group_name,$username) {
global $log_prefix, $LDAP;
$group_dn = "cn=${group_name},${LDAP['group_dn']}";
$group_dn = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
if ($LDAP['group_membership_uses_uid'] == FALSE) {
$username = "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}";
@ -549,7 +559,8 @@ function ldap_change_password($ldap_connection,$username,$new_password) {
#Find DN of user
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], "${LDAP['account_attribute']}=${username}");
$ldap_search_query = "${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query);
if ($ldap_search) {
$result = ldap_get_entries($ldap_connection, $ldap_search);
if ($result["count"] == 1) {
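Review bot: The new DN-building lines use the wrong escape mode: `ldap_escape($group_name, "", LDAP_ESCAPE_FILTER)` in `ldap_delete_group`, `ldap_add_member_to_group` and `ldap_delete_member_from_group`, and on `$username` in `ldap_delete_account`, escapes `( ) * \` and NUL — the filter metacharacters — but leaves `,` `+` `=` `"` `<` `>` `;` and a leading `#` or space untouched, which are exactly the characters that let a value break out of a DN component; `LDAP_ESCAPE_DN` is the mode for a distinguished name, e.g. `$delete_query = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_DN) . ",${LDAP['group_dn']}";`. Today the callers run `$USERNAME_REGEX` first, so this is defence in depth rather than a live hole, but that regex is not visible here and this file is the layer that should be safe on its own; the member DNs built from `$username` in the two group-membership functions and the `ldap_add` DN in `ldap_new_account` still interpolate the value with no escaping at all. Two rebuilt filters also look wrong on their own terms: `(cn=" . ldap_escape(...) . ",${LDAP['group_dn']})` in `ldap_new_group` and its twin in `ldap_new_account` match an attribute value that includes the parent DN, which no real `cn` or `uid` equals, so the duplicate pre-check appears to always return 0 and only the later `ldap_add` rejects a duplicate; `"(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")"` is the intended test.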


@ -8,6 +8,7 @@ $IS_SETUP_ADMIN = FALSE;
$ACCESS_LEVEL_NAME = array('account','admin');
unset($USER_ID);
$CURRENT_PAGE=htmlentities($_SERVER['PHP_SELF']);
$SENT_HEADERS = FALSE;
$paths=explode('/',getcwd());
$THIS_MODULE_PATH=end($paths);
@ -69,7 +70,7 @@ function validate_passkey_cookie() {
list($user_id,$c_passkey) = explode(":",$_COOKIE['orf_cookie']);
$filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id);
$session_file = file_get_contents("/tmp/$filename");
$session_file = @ file_get_contents("/tmp/$filename");
if (!$session_file) {
$VALIDATED = FALSE;
unset($USER_ID);
@ -156,7 +157,7 @@ function log_out($method='normal') {
function render_header($title="",$menu=TRUE) {
global $SITE_NAME, $IS_ADMIN, $LDAP_CONNECTION_WARNING;
global $SITE_NAME, $IS_ADMIN, $SENT_HEADERS;
if (empty($title)) { $title = $SITE_NAME; }
@ -179,6 +180,8 @@ function render_header($title="",$menu=TRUE) {
render_menu();
}
$SENT_HEADERS = TRUE;
}
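Review bot: `$SENT_HEADERS` is set TRUE only at the very end of `render_header()`, and `open_ldap_connection()` in this commit now prints the insecure-STARTTLS banner only `if ($SENT_HEADERS == TRUE)`, so on any page that opens the LDAP connection before rendering the header the warning is dropped rather than deferred — a regression against the README's promise that "a warning will be displayed on the page" when `LDAP_REQUIRE_STARTTLS` is FALSE. The removed `$LDAP_CONNECTION_WARNING` global was the right shape for this: have `open_ldap_connection()` set a flag and `error_log()` the condition, and have `render_header()` print the banner when the flag is set, so the warning appears regardless of call order. A comment such as `// set only after the HTML head and menu have been emitted; used by open_ldap_connection() to decide whether it may print markup` on the `$SENT_HEADERS = TRUE;` line would also explain the coupling to the next reader. The body of `render_header()` between the title handling and `render_menu()` is outside this page.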


@ -1,6 +1,8 @@
<?php
include_once __DIR__ . "/includes/web_functions.inc.php";
set_include_path( __DIR__ . "/includes/");
include_once "web_functions.inc.php";
render_header();
if (isset($_GET['logged_out'])) {


@ -1,7 +1,9 @@
<?php
include __DIR__ . "/../includes/web_functions.inc.php";
include __DIR__ . "/../includes/ldap_functions.inc.php";
set_include_path( ".:" . __DIR__ . "/../includes/");
include "web_functions.inc.php";
include "ldap_functions.inc.php";
if (isset($_POST["user_id"]) and isset($_POST["password"])) {
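Review bot: The two rewritten include lines here keep `include` while every other file touched by this commit — including `log_out.php`, where the same edit switched to `include_once` — uses `include_once`. With `set_include_path` now pointing every module at one shared `includes/` directory, a second `include` of `web_functions.inc.php` would redeclare its functions and fatal the request, so `include_once "web_functions.inc.php"; include_once "ldap_functions.inc.php";` is both the consistent and the safer form. The `if (isset($_POST["user_id"]) and isset($_POST["password"]))` handler that follows begins in the hunk but its body is outside this page.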


@ -1,4 +1,5 @@
<?php
include __DIR__ . "/../includes/web_functions.inc.php";
set_include_path( ".:" . __DIR__ . "/../includes/");
include_once "web_functions.inc.php";
log_out();
?>


@ -1,7 +1,9 @@
<?php
include __DIR__ . "/../includes/web_functions.inc.php";
include __DIR__ . "/../includes/ldap_functions.inc.php";
set_include_path( ".:" . __DIR__ . "/../includes/");
include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
if (isset($_POST["admin_password"])) {


@ -1,8 +1,10 @@
<?php
include_once __DIR__ . "/../includes/web_functions.inc.php";
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
include_once __DIR__ . "/../includes/module_functions.inc.php";
set_include_path( ".:" . __DIR__ . "/../includes/");
include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
include_once "module_functions.inc.php";
validate_setup_cookie();
set_page_access("setup");


@ -1,8 +1,10 @@
<?php
include_once __DIR__ . "/../includes/web_functions.inc.php";
include_once __DIR__ . "/../includes/ldap_functions.inc.php";
include_once __DIR__ . "/../includes/module_functions.inc.php";
set_include_path( ".:" . __DIR__ . "/../includes/");
include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
include_once "module_functions.inc.php";
validate_setup_cookie();
set_page_access("setup");