Add Docker components and setup instructions. Warn on insecure LDAP connections

2025-01-18 15:32:54 +01:00 · 2018-06-04 15:20:53 +01:00 · 2018-06-04 15:20:53 +01:00 · 5ec202185c
commit 5ec202185c
parent 797ba68bc1
26 changed files with 366 additions and 163 deletions
--- a/18
+++ b/18
@ -0,0 +1,18 @@
 FROM php:7.0-apache
 COPY www/ /opt/ldap_user_manager
 COPY entrypoint /usr/local/bin/entrypoint
 RUN apt-get update && apt-get install -y --no-install-recommends libldb-dev libldap2-dev && rm -rf /var/lib/apt/lists/* && ln -s /usr/lib/x86_64-linux-gnu/libldap.so /usr/lib/libldap.so \
 && ln -s /usr/lib/x86_64-linux-gnu/liblber.so /usr/lib/liblber.so
 RUN docker-php-source extract && docker-php-ext-install -j$(nproc) ldap && docker-php-source delete
 RUN chmod a+x /usr/local/bin/entrypoint
 RUN a2enmod rewrite ssl
 RUN a2dissite 000-default default-ssl
 EXPOSE 80
 EXPOSE 443
 CMD ["apache2-foreground"]
 ENTRYPOINT ["/usr/local/bin/entrypoint"]
--- a/README.md
+++ b/README.md
@ -1 +1,103 @@
-A PHP GUI admin interface for LDAP account management, designed to be run in a container.
+LDAP User Manager
 --
 A PHP web-based interface for LDAP user account management and self-service password change.
 Quick start
 ---
 ```
 docker run \
           --detach \
           --name=lum \
           -p 80:80 \
           -p 443:443 \
           -e SERVER_HOSTNAME=lum.example.com \
           -e LDAP_URI=ldap://ldap.example.com \
           -e LDAP_BASE_DN=dc=example,dc=com \
           -e LDAP_STARTTLS=TRUE \
           -e LDAP_ADMINS_GROUP=admins \
           -e LDAP_ADMIN_BIND_DN="cn=admin,dc=example,dc=com" \
           -e LDAP_ADMIN_BIND_PWD=secret\
           otrl/ldap-user-manager
 ```
 Now go to https://lum.example.com/setup.
 Purpose
 ---
 This presents a simple-to-use interface for setting up a new LDAP directory and managing user accounts and groups, as well as providing a way for users to change their own password.  It's designed to complement OpenLDAP servers such as *osixia/openldap* (https://hub.docker.com/r/osixia/openldap/).   
 *WARNING*: This interface should be used with populated LDAP directories with caution and at your own risk.   
 This tool needs to bind to LDAP as a user with permissions to modify everything under the base DN.  However, only members of a specific LDAP group will be able to access the management module.  Other users will be able to change their LDAP password.
 Configuration
 ---
 Configuration is via environmental variables.
 Mandatory:
 ----
 * `LDAP_URI`:  The URI of the LDAP server.  e.g. *ldap://ldap.example.com* or *ldaps://ldap.example.com*
 * `LDAP_BASE_DN`:  The base DN for your organisation.  e.g. *dc=example,dc=com`
 * `LDAP_ADMIN_BIND_DN`: The DN for the user with permission to modify all records under `LDAP_BASE_DN`. e.g. `cn=admin,dc=example,dc=com`
 * `LDAPADMIN_BIND_PWD`: The password for `LDAP_ADMIN_BIND_DN`
 * `LDAP_ADMINS_GROUP`: The name of the group used to define accounts that can use this tool to manage LDAP accounts.  e.g. `admins`
 Optional:
 ----
 * `LDAP_USER_OU` (default: *people*):  The name of the OU used to store user accounts (without the base DN appended).
 * `LDAP_GROUP_OU` (default: *groups*):  The name of the OU used to store groups (without the base DN appended).
 * `LDAP_GROUP_MEMBERSHIP_ATTRIBUTE` (default: *uniqueMember*):  The attribute used when adding a user to a group.
 * `LDAP_GROUP_MEMBERSHIP_USES_UID`(default: *FALSE*): If *TRUE* then the entry for a member of a group will be just the username.  Otherwise it's the member's full DN.
 * `LDAP_ACCOUNT_ATTRIBUTE` (default: *uid*):  The attribute used to identify account usernames.
 * `LDAP_REQUIRE_STARTTLS` (default: *TRUE*):  If *TRUE* then a TLS connection is required for this interface to work.  If set to *FALSE* then the interface will work without STARTTLS, but a warning will be displayed on the page.
 * `DEFAULT_USER_GROUP` (default: *everybody*):  The group that new accounts are automatically added to when created.  *NOTE*: If this group doesn't exist then a group is created with the same name as the username and the user is added to that group.
 * `DEFAULT_USER_SHELL` (default: */bin/bash*):  The shell that will be launched when the user logs into a server.
 * `EMAIL_DOMAIN` (no default):  The domain name to append to the email address when creating an account (username@email_domain).  If unset then the mail attribute won't be set.
 * `USERNAME_FORMAT` (default: *{first_name}.{last_name}*):  The template used to dynamically generate usernames.  See the _Usernames_ section below.
 * `USERNAME_REGEX` (default: *^[a-z][a-zA-Z0-9\._-]{3,32}$*): The regular expression used to ensure a username (and group name) is valid.  See the _Usernames_ section below.
 * `LOGIN_TIMEOUT_MINS` (default: 10 minutes):  How long before an idle session will be timed out.
 * `SITE_NAME` (default: *LDAP user manager*):  Change this to replace the title in the menu.  e.g. "My Company"
 Initial setup
 ---
 Ideally you'll be using this against an empty LDAP directory.  You can use the setup utility to create the LDAP structures that this tool needs in order to create accounts and groups.   Go to https://_website-hostname_/setup to get started.   You need to log in with the password for the admin user as set by `LDAP_ADMIN_BIND_DN`.   
 The setup utility will create the user and account trees, records that store the last UID and GID used when creating a user account or group, a group for admins and the initial admin account.
 Username format
 ---
 When entering the user's first and last names a bit of JavaScript automatically generates the username.  The way it generates is it based on a template format defined by `USERNAME_FORMAT`.  This is basically a string in which predefined macros are replaced by the formatted first and/or last name.   
 The default is `{first_name}-{last_name}` with which *Jonathan Testperson*'s username would be *jonathan-testperson*.   
 Currently the available macros are:
 * `{first_name}` : the first name in lowercase
 * `{first_name_initial}` : the first letter of the first name in lowercase
 * `{last_name}`: the last name in lowercase
 * '{last_name_initial}`: the first initial of the last name in lowercase
 Anything else in the `USERNAME_FORMAT` string is left as defined, but the username is also checked for validity against `USERNAME_REGEX`.  This is to ensure that there aren't any characters forbidden by other systems (i.e. email or Linux/Unix accounts).
 Details on accounts and groups
 ---
 This interface will create POSIX user accounts and groups, which allows you to use your LDAP directory for Linux/Unix accounts.   
 Groups are also created as a `groupOfUniqueNames` type in case you want to use the `memberOf` LDAP module.
--- a/88
+++ b/88
@ -0,0 +1,88 @@
 #!/bin/sh
 set -e
 if [ ! "$SERVER_HOSTNAME" ]; then export SERVER_HOSTNAME=example.com; fi
 ########################
 #If there aren't any SSL certs then create a self-signed certificate.
 if [ ! -f "/opt/ssl/server.key" ] && [ ! -f "/opt/ssl/server.crt" ]; then
 ########################
 #Create self-signed cert
 mkdir -p /opt/ssl
 cat <<EoS >/opt/ssl/config
 [req]
 distinguished_name = req_distinguished_name
 x509_extensions = v3_req
 prompt = no
 [req_distinguished_name]
 C = GB
 ST = London
 L = London
 O = LUM
 OU = LUM
 CN = $SERVER_HOSTNAME
 [v3_req]
 keyUsage = critical, digitalSignature, keyAgreement
 extendedKeyUsage = serverAuth
 subjectAltName = @alt_names
 [alt_names]
 DNS.1 = $SERVER_HOSTNAME
 EoS
 /usr/bin/openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /opt/ssl/server.key -out /opt/ssl/server.crt -config /opt/ssl/config -sha256
 fi
 ########################
 #Create Apache config
 if [ -f "/opt/tls/chain.pem" ]; then $ssl_chain="SSLCertificateChainFile /opt/tls/chain.pem"; fi
 cat <<EoC >/etc/apache2/sites-enabled/lum.conf
 Listen 443
 <VirtualHost *:80> 
 RewriteEngine On 
 RewriteRule ^/?(.*) https://%{SERVER_NAME}/\$1 [R,L]
 </VirtualHost>
 <VirtualHost _default_:443>
 ServerName $SERVER_HOSTNAME
 DocumentRoot /opt/ldap_user_manager
 DirectoryIndex index.php index.html
 <Directory /opt/ldap_user_manager>
   Require all granted
 </Directory>
 SSLEngine On
 SSLCertificateFile /opt/ssl/server.crt
 SSLCertificateKeyFile /opt/ssl/server.key
 $ssl_chain
 php_value include_path "/opt/ldap_user_manager/includes"
 </VirtualHost>
 EoC
 ########################
 #Run Apache
 # first arg is `-f` or `--some-option`
 if [ "${1#-}" != "$1" ]; then
 	set -- apache2-foreground "$@"
 fi
 exec "$@"
--- a/www/account_manager/groups.php
+++ b/www/account_manager/groups.php
@ -1,10 +1,9 @@
 <?php
 include_once("web_functions.inc.php");
 set_page_access("admin");
 include_once("ldap_functions.inc.php");
 include_once("module_functions.inc.php");
 set_page_access("admin");
 render_header("LDAP manager");
 render_submenu();
@ -29,7 +28,7 @@ if (isset($_POST['delete_group'])) {
  if ($del_group) {
  ?>
  <div class="alert alert-success" role="alert">
-   <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
+   <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
   <strong>Success!</strong> Group <strong><?php print $this_group; ?> was deleted.
  </div>
  <?php
@ -37,7 +36,7 @@ if (isset($_POST['delete_group'])) {
  else {
  ?>
  <div class="alert alert-danger" role="alert">
-   <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
+   <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
   <strong>Problem!</strong> Group <strong><?php print $this_group; ?></strong> wasn't deleted.
  </div>
  <?php
--- a/www/account_manager/index.php
+++ b/www/account_manager/index.php
@ -3,7 +3,6 @@
 include_once("web_functions.inc.php");
 include_once("ldap_functions.inc.php");
 include_once("module_functions.inc.php");
 set_page_access("admin");
 render_header("LDAP manager");
@ -29,7 +28,7 @@ if (isset($_POST['delete_user'])) {
  if ($del_user) {
  ?>
  <div class="alert alert-success" role="alert">
-   <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
+   <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
   <strong>Success!</strong> User <strong><?php print $this_user; ?> was deleted.
  </div>
  <?php
@ -37,7 +36,7 @@ if (isset($_POST['delete_user'])) {
  else {
  ?>
  <div class="alert alert-danger" role="alert">
-   <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
+   <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
   <strong>Problem!</strong> User <strong><?php print $this_user; ?></strong> wasn't deleted.
  </div>
  <?php
--- a/www/account_manager/module_functions.inc.php
+++ b/www/account_manager/module_functions.inc.php
--- a/www/account_manager/new_user.php
+++ b/www/account_manager/new_user.php
@ -3,15 +3,15 @@
 include_once("web_functions.inc.php");
 include_once("ldap_functions.inc.php");
 include_once("module_functions.inc.php");
 set_page_access("admin");
-render_header($WEBSITE_NAME);
+render_header();
 render_submenu();
-$invalid_password = False;
+$invalid_password = FALSE;
-$mismatched_passwords = False;
+$mismatched_passwords = FALSE;
-$invalid_username = False;
+$invalid_username = FALSE;
-$weak_password = False;
+$weak_password = FALSE;
 if (isset($_POST['create_account'])) {
@ -22,10 +22,10 @@ if (isset($_POST['create_account'])) {
 $username = stripslashes($_POST['username']);
 $password = $_POST['password'];
- if (!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) { $weak_password = True; }
+ if (!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) { $weak_password = TRUE; }
- if (preg_match("/\"|'/",$password)) { $invalid_password = True; }
+ if (preg_match("/\"|'/",$password)) { $invalid_password = TRUE; }
- if ($_POST['password'] != $_POST['password_match']) { $mismatched_passwords = True; }
+ if ($_POST['password'] != $_POST['password_match']) { $mismatched_passwords = TRUE; }
- if (!preg_match("/$USERNAME_REGEX/",$username)) { $invalid_username = True; }
+ if (!preg_match("/$USERNAME_REGEX/",$username)) { $invalid_username = TRUE; }
 if (     isset($first_name)
      and isset($last_name)
--- a/www/account_manager/show_group.php
+++ b/www/account_manager/show_group.php
@ -1,10 +1,9 @@
 <?php
 include_once("web_functions.inc.php");
 set_page_access("admin");
 include_once("ldap_functions.inc.php");
 include_once("module_functions.inc.php");
 set_page_access("admin");
 render_header("LDAP manager");
 render_submenu();
@ -97,7 +96,7 @@ if (isset($_POST["update_members"])) {
                                 }, 4000);
  </script>
  <div class="alert alert-success" role="alert">
-   <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
+   <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
   <strong>Success!</strong> The group has been updated.
  </div>
@ -161,7 +160,7 @@ ldap_close($ldap_connection);
            $('.list-right ul li.active').removeClass('active');
            actives.remove();
        }
-        $("#submit_members").prop("disabled", false);
+        $("#submit_members").prop("disabled", FALSE);
    });
    $('.dual-list .selector').click(function () {
        var $checkBox = $(this);
--- a/www/account_manager/show_user.php
+++ b/www/account_manager/show_user.php
@ -3,15 +3,15 @@
 include_once("web_functions.inc.php");
 include_once("ldap_functions.inc.php");
 include_once("module_functions.inc.php");
 set_page_access("admin");
-render_header($WEBSITE_NAME);
+render_header();
 render_submenu();
-$invalid_password = False;
+$invalid_password = FALSE;
-$mismatched_passwords = False;
+$mismatched_passwords = FALSE;
-$invalid_username = False;
+$invalid_username = FALSE;
-$weak_password = False;
+$weak_password = FALSE;
 $attribute_map = array( "givenname"      => "First name",
                        "sn"             => "Last name",
@ -78,10 +78,10 @@ if ($ldap_search) {
    $password = $_POST['password'];
-    if (!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) { $weak_password = True; }
+    if (!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) { $weak_password = TRUE; }
-    if (preg_match("/\"|'/",$password)) { $invalid_password = True; }
+    if (preg_match("/\"|'/",$password)) { $invalid_password = TRUE; }
-    if ($_POST['password'] != $_POST['password_match']) { $mismatched_passwords = True; }
+    if ($_POST['password'] != $_POST['password_match']) { $mismatched_passwords = TRUE; }
-    if (!preg_match("/$USERNAME_REGEX/",$username)) { $invalid_username = True; }
+    if (!preg_match("/$USERNAME_REGEX/",$username)) { $invalid_username = TRUE; }
   if ( !$mismatched_passwords
       and !$weak_password
@ -102,7 +102,7 @@ if ($ldap_search) {
                                  }, 4000);
   </script>
   <div class="alert alert-success" role="alert">
-    <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
+    <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
    <strong>Success!</strong> The group has been updated.
   </div>
  <?php
@ -115,7 +115,7 @@ if ($ldap_search) {
                                  }, 4000);
   </script>
   <div class="alert alert-success" role="alert">
-    <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
+    <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
    <strong>Success!</strong> The group has been updated.
   </div>
  <?php
@ -191,7 +191,7 @@ if ($ldap_search) {
                                  }, 4000);
   </script>
   <div class="alert alert-success" role="alert">
-    <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
+    <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
    <strong>Success!</strong> The group has been updated.
   </div>
@ -288,7 +288,7 @@ if ($ldap_search) {
            $('.list-right ul li.active').removeClass('active');
            actives.remove();
        }
-        $("#submit_members").prop("disabled", false);
+        $("#submit_members").prop("disabled", FALSE);
    });
    $('.dual-list .selector').click(function () {
        var $checkBox = $(this);
--- a/www/change_password/README.md
+++ b/www/change_password/README.md
--- a/www/change_password/index.php
+++ b/www/change_password/index.php
--- a/www/includes/config.inc.php
+++ b/www/includes/config.inc.php
@ -15,19 +15,19 @@
 $LDAP['user_ou'] = (getenv('LDAP_USER_OU') ? getenv('LDAP_USER_OU') : 'people');
 $LDAP['group_membership_attribute'] = (getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') ? getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') : 'uniquemember');
- $LDAP['group_membership_uses_uid'] = (getenv('LDAP_GROUP_MEMBERSHIP_USES_UID') ? TRUE : FALSE);
+ $LDAP['group_membership_uses_uid'] = ((strcmp(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID'),'TRUE') == 0) ? TRUE : FALSE);
 $LDAP['account_attribute'] = (getenv('LDAP_ACCOUNT_ATTRIBUTE') ? getenv('LDAP_ACCOUNT_ATTRIBUTE') : 'uid');
- $LDAP['starttls'] = (getenv('LDAP_STARTTLS') ? TRUE : FALSE);
+ $LDAP['require_starttls'] = ((strcmp(getenv('LDAP_REQUIRE_STARTTLS'),'TRUE') == 0) ? TRUE : FALSE);
 $DEFAULT_USER_GROUP = (getenv('DEFAULT_USER_GROUP') ? getenv('DEFAULT_USER_GROUP') : 'everybody');
 $DEFAULT_USER_SHELL = (getenv('DEFAULT_USER_SHELL') ? getenv('DEFAULT_SHELL') : '/bin/bash');
 $EMAIL_DOMAIN = (getenv('EMAIL_DOMAIN') ? getenv('EMAIL_DOMAIN') : Null);
 $LOGIN_TIMEOUT_MINS = (getenv('SESSION_TIMEOUT') ? getenv('SESSION_TIMEOUT') : 10);
- $WEBSITE_NAME = (getenv('SITE_NAME') ? getenv('SITE_NAME') : 'LDAP user manager');
+ $SITE_NAME = (getenv('SITE_NAME') ? getenv('SITE_NAME') : 'LDAP user manager');
- $USERNAME_FORMAT = (getenv('USERNAME_SEPARATOR') ? getenv('USERNAME_SEPARATOR') : '{first_name}.{last_name}');
+ $USERNAME_FORMAT = (getenv('USERNAME+FORMAT') ? getenv('USERNAME_FORMAT') : '{first_name}-{last_name}');
 $USERNAME_REGEX = '^[a-z][a-zA-Z0-9\._-]{3,32}$';
 #We'll use the username regex for groups too.
--- a/www/includes/ldap_functions.inc.php
+++ b/www/includes/ldap_functions.inc.php
@ -6,7 +6,7 @@ $log_prefix = date('Y-m-d H:i:s') . " - LDAP manager - $USER_ID - ";
 function open_ldap_connection() {
- global $log_prefix, $LDAP, $ENCRYPTED;
+ global $log_prefix, $LDAP, $LDAP_CONNECTION_WARNING;
 $ldap_connection = ldap_connect($LDAP['uri']);
@ -18,6 +18,29 @@ function open_ldap_connection() {
 ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
 if (!preg_match("/^ldaps:/", $LDAP['uri'])) {
  $tls_result = ldap_start_tls($ldap_connection);
  if ($tls_result != TRUE) {
   error_log("$log_prefix Failed to start STARTTLS connection to ${LDAP['uri']}",0);
   if ($LDAP["require_starttls"] == TRUE) {
    print "<div style='position: fixed;bottom: 0;width: 100%;' class='alert alert-danger'>Fatal:  Couldn't create a secure connection to ${LDAP['uri']} and LDAP_REQUIRE_STARTTLS is TRUE.</div>";
    exit(0);
   }
   else {
    print "<div style='position: fixed;bottom: 0;width: 100%;' class='alert alert-warning'>WARNING: Insecure LDAP connection to ${LDAP['uri']}</div>";
    ldap_close($ldap_connection);
    $ldap_connection = ldap_connect($LDAP['uri']);
    ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
   }
  }
 }
 $bind_result = ldap_bind( $ldap_connection, $LDAP['admin_bind_dn'], $LDAP['admin_bind_pwd']);
 if ($bind_result != TRUE) {
@ -26,16 +49,6 @@ function open_ldap_connection() {
  exit(1);
 }
 if ($LDAP["starttls"]) {
  $tls_result = ldap_start_tls($ldap_connection);
  if ($tls_result != TRUE) {
   error_log("$log_prefix Failed to start STARTTLS connection to ${LDAP['uri']}",0);
  }
  else {
   $ENCRYPTED=TRUE;
  }
 }
 return $ldap_connection;
 }
@ -96,30 +109,6 @@ function ldap_setup_auth($ldap_connection, $password) {
 }
 ###################################
 function ldap_check_is_admin($username, $ldap_connection) {
 #Checks to see if $username is in the group defined by $LDAP['admins_group']
 global $log_prefix, $LDAP;
 ##Check via memberOf.
 ##TODO: check via parsing group membership otherwise.
 $this_filter="(&(${LDAP['account_attribute']}=${username})(memberOf=cn=${LDAP['admins_group']},${LDAP['group_dn']}))";
 $ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], $this_filter);
 $no_results = ldap_count_entries($ldap_connection,$ldap_search);
 if ($no_results == 1) {
  return TRUE;
 }
 else {
  return FALSE;
 }
 }
 ##################################
--- a/www/includes/modules.inc.php
+++ b/www/includes/modules.inc.php
@ -10,7 +10,7 @@
 $MODULES = array(  
                    'log_in'          => 'hidden_on_login',
                    'change_password' => 'auth',
-                    'ldap_manager'    => 'admin',
+                    'account_manager'    => 'admin',
                    'log_out'         => 'auth'
                  );
--- a/www/includes/web_functions.inc.php
+++ b/www/includes/web_functions.inc.php
@ -2,10 +2,9 @@
 #Security level vars
-$VALIDATED = False;
+$VALIDATED = FALSE;
-$IS_ADMIN = False;
+$IS_ADMIN = FALSE;
-$IS_SETUP_ADMIN = False;
+$IS_SETUP_ADMIN = FALSE;
 $ENCRYPTED = False;
 $ACCESS_LEVEL_NAME = array('account','admin');
 unset($USER_ID);
 $CURRENT_PAGE=htmlentities($_SERVER['PHP_SELF']);
@ -30,7 +29,7 @@ function generate_passkey() {
 $rnd2 = rand(10000000,100000000000);
 $rnd3 = rand(10000000,100000000000);
 return sprintf("%0x",$rnd1) . sprintf("%0x",$rnd2) . sprintf("%0x",$rnd3);
- 
+
 }
@ -42,20 +41,20 @@ function set_passkey_cookie($user_id,$is_admin) {
 global $LOGIN_TIMEOUT_MINS, $VALIDATED, $USER_ID, $IS_ADMIN;
- 
+
 $passkey = generate_passkey();
 $this_time=time();
 $admin_val = 0;
- if ($is_admin == True ) {
+ if ($is_admin == TRUE ) {
  $admin_val = 1;
-  $IS_ADMIN = True;
+  $IS_ADMIN = TRUE;
 }
 $filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id);
 file_put_contents("/tmp/$filename","$passkey:$admin_val:$this_time");
 setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', $_SERVER["HTTP_HOST"]);
- $VALIDATED = True;
+ $VALIDATED = TRUE;
 }
@ -71,15 +70,21 @@ function validate_passkey_cookie() {
  list($user_id,$c_passkey) = explode(":",$_COOKIE['orf_cookie']);
  $filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id);
  $session_file = file_get_contents("/tmp/$filename");
-  list($f_passkey,$f_is_admin,$f_time) = explode(":",$session_file);
+  if (!$session_file) {
-  $this_time=time();
+   $VALIDATED = FALSE;
-  if (!empty($c_passkey) and $f_passkey == $c_passkey and $this_time < $f_time+(60 * $LOGIN_TIMEOUT_MINS)) {
+   unset($USER_ID);
-   if ($f_is_admin == 1) { $IS_ADMIN = True; }
+   $IS_ADMIN = FALSE;
-   $VALIDATED = True;
+  }
-   $USER_ID=$user_id;
+  else {
-   set_passkey_cookie($USER_ID,$IS_ADMIN);
+   list($f_passkey,$f_is_admin,$f_time) = explode(":",$session_file);
   $this_time=time();
   if (!empty($c_passkey) and $f_passkey == $c_passkey and $this_time < $f_time+(60 * $LOGIN_TIMEOUT_MINS)) {
    if ($f_is_admin == 1) { $IS_ADMIN = TRUE; }
    $VALIDATED = TRUE;
    $USER_ID=$user_id;
    set_passkey_cookie($USER_ID,$IS_ADMIN);
   }
  }
 }
 }
@ -95,7 +100,7 @@ function set_setup_cookie() {
 $passkey = generate_passkey();
 $this_time=time();
- $IS_SETUP_ADMIN = True;
+ $IS_SETUP_ADMIN = TRUE;
 file_put_contents("/tmp/ldap_setup","$passkey:$this_time");
 setcookie('setup_cookie', "$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', $_SERVER["HTTP_HOST"]);
@ -113,10 +118,13 @@ function validate_setup_cookie() {
  $c_passkey = $_COOKIE['setup_cookie'];
  $session_file = file_get_contents("/tmp/ldap_setup");
  if (!$session_file) {
   $IS_SETUP_ADMIN = FALSE;
  }
  list($f_passkey,$f_time) = explode(":",$session_file);
  $this_time=time();
  if (!empty($c_passkey) and $f_passkey == $c_passkey and $this_time < $f_time+(60 * $LOGIN_TIMEOUT_MINS)) {
-   $IS_SETUP_ADMIN = True;
+   $IS_SETUP_ADMIN = TRUE;
   set_setup_cookie();
  }
@ -148,9 +156,9 @@ function log_out($method='normal') {
 function render_header($title="",$menu=TRUE) {
- global $WEBSITE_NAME, $IS_ADMIN;
+ global $SITE_NAME, $IS_ADMIN, $LDAP_CONNECTION_WARNING;
- if (empty($title)) { $title = $WEBSITE_NAME; }
+ if (empty($title)) { $title = $SITE_NAME; }
 #Initialise the HTML output for the page.
@ -167,7 +175,7 @@ function render_header($title="",$menu=TRUE) {
 <BODY>
 <?php
- if ($menu == True) {
+ if ($menu == TRUE) {
  render_menu();
 }
@ -181,13 +189,13 @@ function render_menu() {
 #Render the navigation menu.
 #The menu is dynamically rendered the $MODULES hash
- global $WEBSITE_NAME, $MODULES, $THIS_MODULE_PATH, $VALIDATED, $IS_ADMIN;
+ global $SITE_NAME, $MODULES, $THIS_MODULE_PATH, $VALIDATED, $IS_ADMIN;
 ?>
  <nav class="navbar navbar-default">
   <div class="container-fluid">
   <div class="navbar-header">
-     <a class="navbar-brand" href="#"><?php print $WEBSITE_NAME ?></a>
+     <a class="navbar-brand" href="#"><?php print $SITE_NAME ?></a>
   </div>
     <ul class="nav navbar-nav">
     <?php
@ -195,16 +203,16 @@ function render_menu() {
      $this_module_name=stripslashes(ucwords(preg_replace('/_/',' ',$module)));
-      $show_this_module = True;
+      $show_this_module = TRUE;
-      if ($VALIDATED == True) {
+      if ($VALIDATED == TRUE) {
-       if ($access == 'hidden_on_login') { $show_this_module = False; }
+       if ($access == 'hidden_on_login') { $show_this_module = FALSE; }
-       if ($IS_ADMIN == False and $access == 'admin' ){ $show_this_module = False; }
+       if ($IS_ADMIN == FALSE and $access == 'admin' ){ $show_this_module = FALSE; }
      }
      else {
-       if ($access != 'hidden_on_login') { $show_this_module = False; }
+       if ($access != 'hidden_on_login') { $show_this_module = FALSE; }
      }
      #print "<p>$module - access is $access & show is $show_this_module</p>";
-      if ($show_this_module == True ) {
+      if ($show_this_module == TRUE ) {
       if ($module == $THIS_MODULE_PATH) {
        print "<li class='active'>";
       }
@ -248,7 +256,7 @@ function set_page_access($level) {
 #Either 'setup', 'admin' or 'user'.
 if ($level == "setup") {
-  if ($IS_SETUP_ADMIN == True) {
+  if ($IS_SETUP_ADMIN == TRUE) {
   return;
  }
  else {
@ -256,9 +264,9 @@ function set_page_access($level) {
   exit(0);
  }
 }
- 
+
 if ($level == "admin") {
-  if ($IS_ADMIN == True and $VALIDATED == True) {
+  if ($IS_ADMIN == TRUE and $VALIDATED == TRUE) {
   return;
  }
  else {
@ -266,9 +274,9 @@ function set_page_access($level) {
   exit(0);
  }
 }
- 
+
 if ($level == "user") {
-  if ($VALIDATED == True){
+  if ($VALIDATED == TRUE){
   return;
  }
  else {
@ -276,7 +284,7 @@ function set_page_access($level) {
   exit(0);
  }
 }
- 
+
 }
@ -285,10 +293,10 @@ function set_page_access($level) {
 function is_valid_email($email) {
 if (ereg('^[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+'.'@'.'[-!#$%&\'*+\\/0-9=?A-Z^_`a-z{|}~]+\.'.'[-!#$%&\'*+\\./0-9=?A-Z^_`a-z{|}~]+$', $email)) {
-   return true;
+   return TRUE;
  }
  else {
-   return false;
+   return FALSE;
  }
 }
@ -301,7 +309,7 @@ function render_js_username_check(){
 print <<<EoCheckJS
 <script>
- 
+
 function check_entity_name_validity(name,div_id) {
  var check_regex = /$USERNAME_REGEX/;
@ -331,7 +339,7 @@ function render_js_username_generator($firstname_field_id,$lastname_field_id,$us
 global $USERNAME_FORMAT, $USERNAME_REGEX;
  render_js_username_check();
-  
+
  print <<<EoRenderJS
 <script>
@ -340,16 +348,16 @@ function render_js_username_generator($firstname_field_id,$lastname_field_id,$us
  var first_name = document.getElementById('$firstname_field_id').value;
  var last_name  = document.getElementById('$lastname_field_id').value;
  var template = '$USERNAME_FORMAT';
-    
+
  var actual_username = template;
  actual_username = actual_username.replace('{first_name}', first_name.toLowerCase() );
-  actual_username = actual_username.replace('{first_initial}', first_name.charAt(0).toLowerCase() );
+  actual_username = actual_username.replace('{first_name_initial}', first_name.charAt(0).toLowerCase() );
  actual_username = actual_username.replace('{last_name}', last_name.toLowerCase() );
-  actual_username = actual_username.replace('{last_initial}', last_name.charAt(0).toLowerCase() );
+  actual_username = actual_username.replace('{last_name_initial}', last_name.charAt(0).toLowerCase() );
-  
+
  check_entity_name_validity(actual_username,'$username_div_id');
-  
+
  document.getElementById('$username_field_id').value = actual_username;
 }
--- a/www/index.php
+++ b/www/index.php
@ -1,7 +1,7 @@
 <?php
 include_once("web_functions.inc.php");
-render_header($WEBSITE_NAME);
+render_header();
 if (isset($_GET['logged_out'])) {
 ?>
--- a/www/js/generate_passphrase.js
+++ b/www/js/generate_passphrase.js
--- a/www/js/wordlist.js
+++ b/www/js/wordlist.js
--- a/www/js/zxcvbn-bootstrap-strength-meter.js
+++ b/www/js/zxcvbn-bootstrap-strength-meter.js
--- a/www/log_in/index.php
+++ b/www/log_in/index.php
@ -7,10 +7,11 @@ if (isset($_POST["user_id"]) and isset($_POST["password"])) {
 $ldap_connection = open_ldap_connection();
 $user_auth = ldap_auth_username($ldap_connection,$_POST["user_id"],$_POST["password"]);
- $is_admin = ldap_check_is_admin($_POST["user_id"],$ldap_connection);
+ $is_admin = ldap_is_group_member($ldap_connection,$LDAP['admins_group'],$_POST["user_id"]);
 ldap_close($ldap_connection);
- if ($user_auth != False) {
+ if ($user_auth != FALSE) {
  set_passkey_cookie($user_auth,$is_admin);
  if (isset($_POST["sendto"])) {
--- a/www/log_out/index.php
+++ b/www/log_out/index.php
--- a/www/setup/index.php
+++ b/www/setup/index.php
@ -9,7 +9,7 @@ if (isset($_POST["admin_password"])) {
 $user_auth = ldap_setup_auth($ldap_connection,$_POST["admin_password"]);
 ldap_close($ldap_connection);
- if ($user_auth != False) {
+ if ($user_auth != FALSE) {
  set_setup_cookie($user_auth);
  header("Location: //${_SERVER["HTTP_HOST"]}/${THIS_MODULE_PATH}/run_checks.php\n\n");
 }
--- a/www/setup/module_functions.inc.php
+++ b/www/setup/module_functions.inc.php
--- a/www/setup/run_checks.php
+++ b/www/setup/run_checks.php
@ -7,9 +7,9 @@ validate_setup_cookie();
 set_page_access("setup");
-render_header($WEBSITE_NAME);
+render_header();
-$show_finish_button = True;
+$show_finish_button = TRUE;
 $ldap_connection = open_ldap_connection();
@ -36,7 +36,7 @@ $ldap_connection = open_ldap_connection();
 print "$li_good Connected to ${LDAP['uri']}</li>\n";
 #TLS?
-if ($LDAP['starttls'] && $ENCRYPTED == True) {
+if ($LDAP['starttls'] && $ENCRYPTED == TRUE) {
 print "$li_good Encrypted connection to ${LDAP['uri']} via STARTTLS</li>\n";
 }
 else {
@ -70,7 +70,7 @@ if ($group_result['count'] != 1) {
 print "'>What's this?</a>";
 print "<label class='pull-right'><input type='checkbox' name='setup_group_ou' class='pull-right' checked>Create?&nbsp;</label>";
 print "</li>\n";
- $show_finish_button = False;
+ $show_finish_button = FALSE;
 }
 else {
@ -89,7 +89,7 @@ if ($user_result['count'] != 1) {
 print "'>What's this?</a>";
 print "<label class='pull-right'><input type='checkbox' name='setup_user_ou' class='pull-right' checked>Create?&nbsp;</label>";
 print "</li>\n";
- $show_finish_button = False;
+ $show_finish_button = FALSE;
 }
 else {
@ -119,7 +119,7 @@ if ($gid_result['count'] != 1) {
 print "'>What's this?</a>";
 print "<label class='pull-right'><input type='checkbox' name='setup_last_gid' class='pull-right' checked>Create?&nbsp;</label>";
 print "</li>\n";
- $show_finish_button = False;
+ $show_finish_button = FALSE;
 }
 else {
@ -139,7 +139,7 @@ if ($uid_result['count'] != 1) {
 print "'>What's this?</a>";
 print "<label class='pull-right'><input type='checkbox' name='setup_last_uid' class='pull-right' checked>Create?&nbsp;</label>";
 print "</li>\n";
- $show_finish_button = False;
+ $show_finish_button = FALSE;
 }
 else {
@ -159,7 +159,7 @@ if ($defgroup_result['count'] != 1) {
 print "'>What's this?</a>";
 print "<label class='pull-right'><input type='checkbox' name='setup_default_group' class='pull-right' checked>Create?&nbsp;</label>";
 print "</li>\n";
- $show_finish_button = False;
+ $show_finish_button = FALSE;
 }
 else {
@ -179,7 +179,7 @@ if ($adminsgroup_result['count'] != 1) {
 print "'>What's this?</a>";
 print "<label class='pull-right'><input type='checkbox' name='setup_admins_group' class='pull-right' checked>Create?&nbsp;</label>";
 print "</li>\n";
- $show_finish_button = False;
+ $show_finish_button = FALSE;
 }
 else {
@ -189,7 +189,7 @@ else {
 if (count($admins) < 1) {
  print "$li_fail The LDAP administration group is empty. You can add an admin account in the next section.</li>";
-  $show_finish_button = False;
+  $show_finish_button = FALSE;
 }
 }
@ -205,7 +205,7 @@ else {
 ##############
-if ($show_finish_button == True) {
+if ($show_finish_button == TRUE) {
 ?>
     </form>
     <div class='well'>
--- a/www/setup/setup_admin_account.php
+++ b/www/setup/setup_admin_account.php
@ -7,12 +7,12 @@ validate_setup_cookie();
 set_page_access("setup");
-render_header($WEBSITE_NAME);
+render_header();
-$invalid_password = False;
+$invalid_password = FALSE;
-$mismatched_passwords = False;
+$mismatched_passwords = FALSE;
-$invalid_username = False;
+$invalid_username = FALSE;
-$weak_password = False;
+$weak_password = FALSE;
 if (isset($_POST['create_account'])) {
@ -23,10 +23,10 @@ if (isset($_POST['create_account'])) {
 $username = stripslashes($_POST['username']);
 $password = $_POST['password'];
- if (!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) { $weak_password = True; }
+ if (!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) { $weak_password = TRUE; }
- if (preg_match("/\"|'/",$password)) { $invalid_password = True; }
+ if (preg_match("/\"|'/",$password)) { $invalid_password = TRUE; }
- if ($_POST['password'] != $_POST['password_match']) { $mismatched_passwords = True; }
+ if ($_POST['password'] != $_POST['password_match']) { $mismatched_passwords = TRUE; }
- if (!preg_match("/$USERNAME_REGEX/",$username)) { $invalid_username = True; }
+ if (!preg_match("/$USERNAME_REGEX/",$username)) { $invalid_username = TRUE; }
 if (     isset($first_name)
      and isset($last_name)
--- a/www/setup/setup_ldap.php
+++ b/www/setup/setup_ldap.php
@ -7,12 +7,12 @@ validate_setup_cookie();
 set_page_access("setup");
-render_header($WEBSITE_NAME);
+render_header();
 $ldap_connection = open_ldap_connection();
-$no_errors = True;
+$no_errors = TRUE;
-$show_create_admin_button = False;
+$show_create_admin_button = FALSE;
 # Set up missing stuff
@ -34,26 +34,26 @@ if (isset($_POST['fix_problems'])) {
 if (isset($_POST['setup_group_ou'])) {
  $ou_add = ldap_add($ldap_connection, $LDAP['group_dn'], array( 'objectClass' => 'organizationalUnit', 'ou' => $LDAP['group_ou'] ));
-  if ($ou_add == True) {
+  if ($ou_add == TRUE) {
   print "$li_good Created OU <strong>${LDAP['group_dn']}</strong></li>\n";
  }
  else {
   $error = ldap_error($ldap_connection);
   print "$li_fail Couldn't create ${LDAP['group_dn']}: <pre>$error</pre></li>\n";
-   $no_errors = False;
+   $no_errors = FALSE;
  }
 }
 if (isset($_POST['setup_user_ou'])) {
  $ou_add = ldap_add($ldap_connection, $LDAP['user_dn'], array( 'objectClass' => 'organizationalUnit', 'ou' => $LDAP['user_ou'] ));
-  if ($ou_add == True) {
+  if ($ou_add == TRUE) {
   print "$li_good Created OU <strong>${LDAP['user_dn']}</strong></li>\n";
  }
  else {
   $error = ldap_error($ldap_connection);
   print "$li_fail Couldn't create ${LDAP['user_dn']}: <pre>$error</pre></li>\n";
-   $no_errors = False;
+   $no_errors = FALSE;
  }
 }
@ -68,13 +68,13 @@ if (isset($_POST['fix_problems'])) {
                                                                                'description' => $description )
                     );
-  if ($gid_add == True) {
+  if ($gid_add == TRUE) {
   print "$li_good Created <strong>cn=lastGID,${LDAP['base_dn']}</strong></li>\n";
  }
  else {
   $error = ldap_error($ldap_connection);
   print "$li_fail Couldn't create cn=lastGID,${LDAP['base_dn']}: <pre>$error</pre></li>\n";
-   $no_errors = False;
+   $no_errors = FALSE;
  }
 }
@ -89,13 +89,13 @@ if (isset($_POST['fix_problems'])) {
                                                                                'description' => $description )
                    );
-  if ($uid_add == True) {
+  if ($uid_add == TRUE) {
   print "$li_good Created <strong>cn=lastUID,${LDAP['base_dn']}</strong></li>\n";
  }
  else {
   $error = ldap_error($ldap_connection);
   print "$li_fail Couldn't create cn=lastUID,${LDAP['base_dn']}: <pre>$error</pre></li>\n";
-   $no_errors = False;
+   $no_errors = FALSE;
  }
 }
@ -104,13 +104,13 @@ if (isset($_POST['fix_problems'])) {
  $group_add = ldap_new_group($ldap_connection,$DEFAULT_USER_GROUP);
-  if ($group_add == True) {
+  if ($group_add == TRUE) {
   print "$li_good Created default group: <strong>$DEFAULT_USER_GROUP</strong></li>\n";
  }
  else {
   $error = ldap_error($ldap_connection);
   print "$li_fail Couldn't create default group: <pre>$error</pre></li>\n";
-   $no_errors = False;
+   $no_errors = FALSE;
  }
 }
@ -118,13 +118,13 @@ if (isset($_POST['fix_problems'])) {
  $group_add = ldap_new_group($ldap_connection,$LDAP['admins_group']);
-  if ($group_add == True) {
+  if ($group_add == TRUE) {
   print "$li_good Created LDAP administrators group: <strong>${LDAP['admins_group']}</strong></li>\n";
  }
  else {
   $error = ldap_error($ldap_connection);
   print "$li_fail Couldn't create LDAP administrators group: <pre>$error</pre></li>\n";
-   $no_errors = False;
+   $no_errors = FALSE;
  }
 }
@ -143,7 +143,7 @@ if (isset($_POST['fix_problems'])) {
  print "'>What's this?</a>";
  print "<label class='pull-right'><input type='checkbox' name='setup_admin_account' class='pull-right' checked>Create a new account and add it to the admin group?&nbsp;</label>";
  print "</li>\n";
-  $show_create_admin_button = True;
+  $show_create_admin_button = TRUE;
 }
 else {
@ -159,8 +159,8 @@ if (isset($_POST['fix_problems'])) {
 ##############
- if ($no_errors == True) {
+ if ($no_errors == TRUE) {
-  if ($show_create_admin_button == False) {
+  if ($show_create_admin_button == FALSE) {
 ?>
 <div class='well'>
  <form action="/">