diff --git a/README.md b/README.md
index 2689181..787da2c 100644
--- a/README.md
+++ b/README.md
@@ -112,7 +112,7 @@ For example, if you're using Docker Swarm and you've set the LDAP bind password
 * `SITE_NAME` (default: *`ORGANISATION_NAME` user manager*): Change this to replace the title in the menu, e.g. "My Company Account Management".
-* `SIMPLE_INTERFACE` (default: *FALSE*): If set to `TRUE` this will hide most **posixAccount** and **posixGroup** attributes from the account and group forms. This is useful if you won't use the LDAP accounts for server accounts. The Posix values are still set in the background using the default values. Enabling this won't prevent any `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` or `LDAP_GROUP_ADDITIONAL_ATTRIBUTES` from being displayed.
+* `SHOW_POSIX_ATTRIBUTES` (default: *FALSE*): If set to `TRUE` this show extra attributes for **posixAccount** and **posixGroup** in the account and group forms. Leave this set to `FALSE` if you don't use LDAP accounts to log into servers etc., as it makes the interface much simpler. The Posix values are still set in the background using the default values. This setting doesn't hide any Posix attributes set via `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` or `LDAP_GROUP_ADDITIONAL_ATTRIBUTES`.
 #### LDAP settings
diff --git a/entrypoint b/entrypoint
index 8f21b43..767e012 100644
--- a/entrypoint
+++ b/entrypoint
@@ -58,7 +58,7 @@ else
 ########################
 #If there aren't any SSL certs then create a CA and then CA-signed certificate
- if [ ! -f "${ssl_dir}/{$SERVER_CERT_FILENAME:-server.crt}" ] && [ ! -f "${ssl_dir}/{$SERVER_KEY_FILENAME:-server.key}" ]; then
+ if [ ! -f "${ssl_dir}/${SERVER_CERT_FILENAME:-server.crt}" ] && [ ! -f "${ssl_dir}/${SERVER_KEY_FILENAME:-server.key}" ]; then
 mkdir -p $ssl_dir
 confout="${ssl_dir}/conf"
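Review bot: The corrected test on the `if` line still generates certificates only when both the cert and the key are absent, so a volume that holds just one of the pair skips generation and the SSLCertificateFile/SSLCertificateKeyFile lines written further down reference a file that does not exist. Either generate when either file is missing, `if [ ! -f "${ssl_dir}/${SERVER_CERT_FILENAME:-server.crt}" ] || [ ! -f "${ssl_dir}/${SERVER_KEY_FILENAME:-server.key}" ]; then`, or fail fast with a clear message in the half-present case, since what the generation step then overwrites is not visible in this hunk. Note that before the fix the `{$VAR` typo made both `! -f` tests true on every start, so existing deployments appear to have been regenerating a fresh CA each time; a changelog line telling operators why their trusted CA changed would help. The `else` block this sits in starts before the hunk.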
@@ -124,7 +124,7 @@ EoCertConf
 ########################
 #Create Apache config
- if [ -f "${ssl_dir}/{$CA_CERT_FILENAME}" ]; then ssl_chain="SSLCertificateChainFile ${ssl_dir}/{$CA_CERT_FILENAME}"; fi
+ if [ -f "${ssl_dir}/${CA_CERT_FILENAME}" ]; then ssl_chain="SSLCertificateChainFile ${ssl_dir}/${CA_CERT_FILENAME}"; fi
 echo > /etc/apache2/sites-enabled/lum.conf
 echo > /etc/apache2/ports.conf
@@ -163,8 +163,8 @@ EoHTTPrd
 SSLEngine On
- SSLCertificateFile ${ssl_dir}/{$SERVER_CERT_FILENAME:-server.crt}
- SSLCertificateKeyFile ${ssl_dir}/{$SERVER_KEY_FILENAME:-server.key}
+ SSLCertificateFile ${ssl_dir}/${SERVER_CERT_FILENAME:-server.crt}
+ SSLCertificateKeyFile ${ssl_dir}/${SERVER_KEY_FILENAME:-server.key}
 $ssl_chain
diff --git a/www/account_manager/new_user.php b/www/account_manager/new_user.php
index 6ea5502..7a8e4eb 100644
--- a/www/account_manager/new_user.php
+++ b/www/account_manager/new_user.php
@@ -8,6 +8,9 @@ include_once "module_functions.inc.php";
 $attribute_map = $LDAP['default_attribute_map'];
 if (isset($LDAP['account_additional_attributes'])) { $attribute_map = ldap_complete_attribute_array($attribute_map,$LDAP['account_additional_attributes']); }
+unset($attribute_map['uidnumber']);
+unset($attribute_map['gidnumber']);
+
 if (! array_key_exists($LDAP['account_attribute'], $attribute_map)) { $attribute_r = array_merge($attribute_map, array($LDAP['account_attribute'] => array("label" => "Account UID"))); }
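Review bot: `${CA_CERT_FILENAME}` on the fixed line has no `:-` default, unlike the server cert and key variables in the other hunks, so with the variable unset the `-f` test runs against the bare directory `${ssl_dir}/`, `$ssl_chain` silently stays empty, and a CA produced by the generation branch above is never served as the chain. Give it a default that matches the file name the CA branch actually writes (not visible in this hunk), in the same `${CA_CERT_FILENAME:-…}` form used for the server files, so that a self-generated CA and an operator-supplied one take the same path. Under `set -u` the unset reference would abort the script outright.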
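Review bot: `SSLCertificateChainFile`, which reaches this block through `$ssl_chain` on the last line, has been deprecated since Apache httpd 2.4.8; since that release the intermediate and CA certificates are expected to be concatenated after the leaf in the file named by `SSLCertificateFile`, and newer builds log a warning for the old directive. If the base image ships 2.4.8 or later, append the CA cert to the server cert when the chain is built instead of emitting the separate directive. The heredoc these lines belong to starts before the hunk.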
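Review bot: The two `unset()` lines remove `uidnumber` and `gidnumber` from the map unconditionally, so even with `SHOW_POSIX_ATTRIBUTES=TRUE` (which the README hunk documents as exposing the posix attributes) these two can never be entered on this form, and an admin who lists them in `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` will see them silently vanish. If the intent is that the numeric ids are always assigned server-side, say so where they are removed: `// uidNumber/gidNumber are never accepted from the form; they are assigned when the account is created.` — assuming that is where they come from, which this hunk does not show. Otherwise the unset should be gated on the setting.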
@@ -65,19 +68,21 @@ foreach ($attribute_map as $attribute => $attr_r) {
 $this_attribute = array();
- if (is_array($_POST[$attribute])) {
- $this_attribute['count'] = count($_POST[$attribute]);
+ if (is_array($_POST[$attribute]) and count($_POST[$attribute]) > 0) {
 foreach($_POST[$attribute] as $key => $value) {
- $this_attribute[$key] = filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+ if ($value != "") { $this_attribute[$key] = filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS); }
+ }
+ if (count($this_attribute) > 0) {
+ $this_attribute['count'] = count($this_attribute);
+ $$attribute = $this_attribute;
 }
 }
- else {
+ elseif ($_POST[$attribute] != "") {
 $this_attribute['count'] = 1;
 $this_attribute[0] = filter_var($_POST[$attribute], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+ $$attribute = $this_attribute;
 }
- $$attribute = $this_attribute;
- }
 if (!isset($$attribute) and isset($attr_r['default'])) {
@@ -119,7 +124,8 @@ if (isset($_GET['account_request'])) {
 }
-if (isset($_POST['create_account'])) {
+
+if (isset($_GET['account_request']) or isset($_POST['create_account'])) {
 if (!isset($uid[0])) {
 $uid[0] = generate_username($givenname[0],$sn[0]);
@@ -138,6 +144,11 @@ if (isset($_POST['create_account'])) {
 unset($new_account_r['cn']['count']);
 }
+}
+
+
+if (isset($_POST['create_account'])) {
+
 $password = $_POST['password'];
 $new_account_r['password'][0] = $password;
 $account_identifier = $new_account_r[$account_attribute][0];
@@ -265,6 +276,7 @@ render_js_username_check();
 render_js_username_generator('givenname','sn','uid','uid_div');
 render_js_cn_generator('givenname','sn','cn','cn_div');
 render_js_email_generator('uid','mail');
+render_js_homedir_generator('uid','homedirectory');
 $tabindex=1;
diff --git a/www/account_manager/show_group.php b/www/account_manager/show_group.php
index 3bf63d1..08a05f4 100644
--- a/www/account_manager/show_group.php
+++ b/www/account_manager/show_group.php
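Review bot: Both new conditions, `is_array($_POST[$attribute]) and count($_POST[$attribute]) > 0` and `elseif ($_POST[$attribute] != "")`, index `$_POST` without checking the key exists, and the `@@ -119` hunk below now drives the same preparation from the GET-only `account_request` path where nothing was posted, so every mapped attribute raises an undefined-index notice (a warning on PHP 8). Guard both branches: `if (isset($_POST[$attribute]) and is_array($_POST[$attribute]) and count($_POST[$attribute]) > 0) {` and `elseif (isset($_POST[$attribute]) and $_POST[$attribute] != "") {`. Separately, `FILTER_SANITIZE_FULL_SPECIAL_CHARS` HTML-entity-encodes values before they are stored, which is the wrong boundary for data headed into a directory: a surname like O'Brien would be written as `O&#39;Brien`; escape for HTML at render time and use `ldap_escape()` where a value enters a filter or DN — assuming `$$attribute` is what gets written, which this hunk does not show. The enclosing `foreach` starts before the hunk.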
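Review bot: `render_js_homedir_generator('uid','homedirectory');` is emitted unconditionally, yet with `SHOW_POSIX_ATTRIBUTES` at its documented default of FALSE the `homedirectory` input is presumably not rendered, so the generated script may bind to an element that is absent; either emit the call only when the field is shown or have the generator no-op when its target is missing. The generator's body is not visible here, so treat this as a check to run rather than a confirmed defect.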
@@ -40,7 +40,13 @@ if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE and !preg_match("/$USERNAME_REGEX/",$grou
 ######################################################################################
 $initialise_group = FALSE;
+$new_group = FALSE;
+$group_exists = FALSE;
+
 $create_group_message = "Add members to create the new group";
+$current_members = array();
+$full_dn = $create_group_message;
+$has_been = "";
 $attribute_map = $LDAP['default_group_attribute_map'];
 if (isset($LDAP['group_additional_attributes'])) {
@@ -52,23 +58,22 @@ $this_group = array();
 if (isset($_POST['new_group'])) {
 $new_group = TRUE;
- $current_members = array();
- $full_dn = $create_group_message;
- $has_been = "";
 }
 elseif (isset($_POST['initialise_group'])) {
- $new_group = FALSE;
 $initialise_group = TRUE;
- $current_members = array();
 $full_dn = "${LDAP['group_attribute']}=$group_cn,${LDAP['group_dn']}";
 $has_been = "created";
 }
 else {
- $new_group = FALSE;
- $current_members = ldap_get_group_members($ldap_connection,$group_cn);
 $this_group = ldap_get_group_entry($ldap_connection,$group_cn);
- $full_dn = $this_group[0]['dn'];
- $has_been = "updated";
+ if ($this_group) {
+ $current_members = ldap_get_group_members($ldap_connection,$group_cn);
+ $full_dn = $this_group[0]['dn'];
+ $has_been = "updated";
+ }
+ else {
+ $new_group = TRUE;
+ }
 }
 foreach ($attribute_map as $attribute => $attr_r) {
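Review bot: The new `if ($this_group) {` branch loads an existing group but never sets `$group_exists = TRUE`, while the `update_members` block further down this diff performs the attribute update and member add/remove only under `if ($group_exists == TRUE)`; unless unchanged code between the two hunks sets it, saving an existing group appears to do nothing and then reports an empty member list. Add `$group_exists = TRUE;` next to `$has_been = "updated";`. Also, `else { $new_group = TRUE; }` treats any falsy return from `ldap_get_group_entry()` — a failed search as much as a missing entry — as "create a new group named `$group_cn`", so a transient LDAP error would present a creation form for a group that exists; if the helper can distinguish the two cases, fall through to new-group mode only on "not found".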
@@ -96,12 +101,12 @@ foreach ($attribute_map as $attribute => $attr_r) {
 $this_attribute = array();
 if (is_array($_POST[$attribute])) {
- $this_attribute['count'] = count($_POST[$attribute]);
 foreach($_POST[$attribute] as $key => $value) {
- $this_attribute[$key] = filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
+ if ($value != "") { $this_attribute[$key] = filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS); }
 }
+ $this_attribute['count'] = count($this_attribute);
 }
- else {
+ elseif ($_POST[$attribute] != "") {
 $this_attribute['count'] = 1;
 $this_attribute[0] = filter_var($_POST[$attribute], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
 }
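Review bot: The new `$this_attribute['count'] = count($this_attribute);` runs even when every submitted value was empty, leaving `$this_attribute` as `array('count' => 0)`, which is a truthy, non-empty array and will look like a present attribute to whatever consumes it (not visible here); the equivalent hunk in new_user.php only records the count when it is non-zero, so match it: `if (count($this_attribute) > 0) { $this_attribute['count'] = count($this_attribute); }`. Both conditions also read `$_POST[$attribute]` without an `isset()` guard, which emits an undefined-index warning on PHP 8 for any mapped attribute the form did not submit. The enclosing `foreach` starts before the hunk.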
@@ -155,52 +160,77 @@ if (isset($_POST["update_members"])) { $members_to_add = array_diff($updated_membership,$current_members); if ($initialise_group == TRUE) { + $initial_member = array_shift($members_to_add); $group_add = ldap_new_group($ldap_connection,$group_cn,$initial_member,$to_update); - } - elseif(count($to_update) > 0) { - - if (isset($this_group[0]['objectclass'])) { - $existing_objectclasses = $this_group[0]['objectclass']; - unset($existing_objectclasses['count']); - if ($existing_objectclasses != $LDAP['group_objectclasses']) { $to_update['objectclass'] = $LDAP['group_objectclasses']; } - } - - $updated_attr = ldap_update_group_attributes($ldap_connection,$group_cn,$to_update); - - if ($updated_attr) { - render_alert_banner("The group attributes have been updated."); + if (!$group_add) { + render_alert_banner("There was a problem creating the group. See the logs for more information.","danger",10000); + $group_exists = FALSE; + $new_group = TRUE; } else { - render_alert_banner("There was a problem updating the group attributes. 
See the logs for more information.","danger",15000); + $group_exists = TRUE; + $new_group = FALSE; } + } - foreach ($members_to_add as $this_member) { - ldap_add_member_to_group($ldap_connection,$group_cn,$this_member); - } + if ($group_exists == TRUE) { - foreach ($members_to_del as $this_member) { - ldap_delete_member_from_group($ldap_connection,$group_cn,$this_member); - } + if ($initialise_group != TRUE and count($to_update) > 0) { - $non_members = array_diff($all_people,$updated_membership); - $group_members = $updated_membership; + if (isset($this_group[0]['objectclass'])) { + $existing_objectclasses = $this_group[0]['objectclass']; + unset($existing_objectclasses['count']); + if ($existing_objectclasses != $LDAP['group_objectclasses']) { $to_update['objectclass'] = $LDAP['group_objectclasses']; } + } - $rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection); - if ($rfc2307bis_available == TRUE and count($group_members) == 0) { + $updated_attr = ldap_update_group_attributes($ldap_connection,$group_cn,$to_update); + + if ($updated_attr) { + render_alert_banner("The group attributes have been updated."); + } + else { + render_alert_banner("There was a problem updating the group attributes. See the logs for more information.","danger",15000); + } + + } + + foreach ($members_to_add as $this_member) { + ldap_add_member_to_group($ldap_connection,$group_cn,$this_member); + } + + foreach ($members_to_del as $this_member) { + ldap_delete_member_from_group($ldap_connection,$group_cn,$this_member); + } + + $non_members = array_diff($all_people,$updated_membership); + $group_members = $updated_membership; + + $rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection); + if ($rfc2307bis_available == TRUE and count($group_members) == 0) { + + $group_members = ldap_get_group_members($ldap_connection,$group_cn); + $non_members = array_diff($all_people,$group_members); + render_alert_banner("Groups can't be empty, so the final member hasn't been removed. 
You could try deleting the group","danger",15000); + } + else { + render_alert_banner("The group has been ${has_been}."); + } - $group_members = ldap_get_group_members($ldap_connection,$group_cn); - $non_members = array_diff($all_people,$group_members); - render_alert_banner("Groups can't be empty, so the final member hasn't been removed. You could try deleting the group","danger",15000); } else { - render_alert_banner("The group has been ${has_been}."); + + $group_members = array(); + $non_members = $all_people; + } } else { + $group_members = $current_members; + } ldap_close($ldap_connection); @@ -401,10 +431,6 @@ ldap_close($ldap_connection); 0) { ?>
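Review bot: `$initial_member = array_shift($members_to_add);` yields `null` when a new group is submitted with no members selected, and that `null` goes straight into `ldap_new_group()`; unless that helper rejects it, the failure surfaces only as the generic "problem creating the group" banner. Check before shifting, `if (count($members_to_add) == 0) { render_alert_banner("Select at least one member to create the group.","danger",10000); }` and skip the create call in that case. The return values of `ldap_add_member_to_group()` and `ldap_delete_member_from_group()` in the two loops are still discarded, so a partial failure is reported as "The group has been created/updated"; collect the failures and report them instead. This hunk sits inside the `if (isset($_POST["update_members"]))` block, which starts before it, and this rendering splits two of the banner strings across lines.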