Bugfixes for compatibility with older osixia/openldap versions. Change SIMPLE_INTERFACE to SHOW_POSIX_ATTRIBUTES.

Brian Lycett 2022-04-12 15:39:40 +01:00
parent 529303f22c
commit 624cd497e1
8 changed files with 163 additions and 94 deletions


@ -112,7 +112,7 @@ For example, if you're using Docker Swarm and you've set the LDAP bind password
* `SITE_NAME` (default: *`ORGANISATION_NAME` user manager*): Change this to replace the title in the menu, e.g. "My Company Account Management".
* `SIMPLE_INTERFACE` (default: *FALSE*): If set to `TRUE` this will hide most **posixAccount** and **posixGroup** attributes from the account and group forms. This is useful if you won't use the LDAP accounts for server accounts. The Posix values are still set in the background using the default values. Enabling this won't prevent any `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` or `LDAP_GROUP_ADDITIONAL_ATTRIBUTES` from being displayed.
* `SHOW_POSIX_ATTRIBUTES` (default: *FALSE*): If set to `TRUE` this show extra attributes for **posixAccount** and **posixGroup** in the account and group forms. Leave this set to `FALSE` if you don't use LDAP accounts to log into servers etc., as it makes the interface much simpler. The Posix values are still set in the background using the default values. This setting doesn't hide any Posix attributes set via `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` or `LDAP_GROUP_ADDITIONAL_ATTRIBUTES`.
#### LDAP settings


@ -58,7 +58,7 @@ else
########################
#If there aren't any SSL certs then create a CA and then CA-signed certificate
if [ ! -f "${ssl_dir}/{$SERVER_CERT_FILENAME:-server.crt}" ] && [ ! -f "${ssl_dir}/{$SERVER_KEY_FILENAME:-server.key}" ]; then
if [ ! -f "${ssl_dir}/${SERVER_CERT_FILENAME:-server.crt}" ] && [ ! -f "${ssl_dir}/${SERVER_KEY_FILENAME:-server.key}" ]; then
mkdir -p $ssl_dir
confout="${ssl_dir}/conf"
@ -124,7 +124,7 @@ EoCertConf
########################
#Create Apache config
if [ -f "${ssl_dir}/{$CA_CERT_FILENAME}" ]; then ssl_chain="SSLCertificateChainFile ${ssl_dir}/{$CA_CERT_FILENAME}"; fi
if [ -f "${ssl_dir}/${CA_CERT_FILENAME}" ]; then ssl_chain="SSLCertificateChainFile ${ssl_dir}/${CA_CERT_FILENAME}"; fi
echo > /etc/apache2/sites-enabled/lum.conf
echo > /etc/apache2/ports.conf
@ -163,8 +163,8 @@ EoHTTPrd
</Directory>
SSLEngine On
SSLCertificateFile ${ssl_dir}/{$SERVER_CERT_FILENAME:-server.crt}
SSLCertificateKeyFile ${ssl_dir}/{$SERVER_KEY_FILENAME:-server.key}
SSLCertificateFile ${ssl_dir}/${SERVER_CERT_FILENAME:-server.crt}
SSLCertificateKeyFile ${ssl_dir}/${SERVER_KEY_FILENAME:-server.key}
$ssl_chain
</VirtualHost>
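Review bot: The corrected condition `[ ! -f "${ssl_dir}/${SERVER_CERT_FILENAME:-server.crt}" ] && [ ! -f "${ssl_dir}/${SERVER_KEY_FILENAME:-server.key}" ]` only generates a certificate when both files are absent, so a mounted certificate without its key (or the reverse) skips generation and the `SSLCertificateFile`/`SSLCertificateKeyFile` lines in the Apache config then name a file that does not exist, which only surfaces when Apache fails to start. A guard placed before this block that prints which of the two files is missing and exits non-zero when exactly one of them exists would make that misconfiguration visible at container start instead. Note also that `CA_CERT_FILENAME` has no `:-` default unlike the other two variables, so when it is unset the test becomes `-f "${ssl_dir}/"` and the chain directive is silently omitted; a comment saying that the chain file is optional would document that. The heredoc that contains the `SSLCertificateFile` lines starts outside the hunk.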


@ -8,6 +8,9 @@ include_once "module_functions.inc.php";
$attribute_map = $LDAP['default_attribute_map'];
if (isset($LDAP['account_additional_attributes'])) { $attribute_map = ldap_complete_attribute_array($attribute_map,$LDAP['account_additional_attributes']); }
unset($attribute_map['uidnumber']);
unset($attribute_map['gidnumber']);
if (! array_key_exists($LDAP['account_attribute'], $attribute_map)) {
$attribute_r = array_merge($attribute_map, array($LDAP['account_attribute'] => array("label" => "Account UID")));
}
@ -65,18 +68,20 @@ foreach ($attribute_map as $attribute => $attr_r) {
$this_attribute = array();
if (is_array($_POST[$attribute])) {
$this_attribute['count'] = count($_POST[$attribute]);
if (is_array($_POST[$attribute]) and count($_POST[$attribute]) > 0) {
foreach($_POST[$attribute] as $key => $value) {
$this_attribute[$key] = filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
if ($value != "") { $this_attribute[$key] = filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS); }
}
if (count($this_attribute) > 0) {
$this_attribute['count'] = count($this_attribute);
$$attribute = $this_attribute;
}
}
else {
elseif ($_POST[$attribute] != "") {
$this_attribute['count'] = 1;
$this_attribute[0] = filter_var($_POST[$attribute], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}
$$attribute = $this_attribute;
}
}
@ -119,7 +124,8 @@ if (isset($_GET['account_request'])) {
}
if (isset($_POST['create_account'])) {
if (isset($_GET['account_request']) or isset($_POST['create_account'])) {
if (!isset($uid[0])) {
$uid[0] = generate_username($givenname[0],$sn[0]);
@ -138,6 +144,11 @@ if (isset($_POST['create_account'])) {
unset($new_account_r['cn']['count']);
}
}
if (isset($_POST['create_account'])) {
$password = $_POST['password'];
$new_account_r['password'][0] = $password;
$account_identifier = $new_account_r[$account_attribute][0];
@ -265,6 +276,7 @@ render_js_username_check();
render_js_username_generator('givenname','sn','uid','uid_div');
render_js_cn_generator('givenname','sn','cn','cn_div');
render_js_email_generator('uid','mail');
render_js_homedir_generator('uid','homedirectory');
$tabindex=1;
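Review bot: The new guard `if ($value != "") { $this_attribute[$key] = filter_var(...); }` keeps the original POST key, so when the first submitted value is blank and a later one is not, `$this_attribute` gets a `count` entry but no index 0, and consumers such as `$uid[0]` and `$new_account_r[$account_attribute][0]` further down read a missing index. Appending instead, `$this_attribute[] = filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS);`, keeps the values contiguous and makes `count` consistent with the indexes. The same pattern is introduced in the show_group.php and show_user.php hunks of this commit. The guard also assumes `$value` is a string: a nested array submitted as `attr[][]` passes `!= ""` and `filter_var` returns `false` for it, so `is_string($value) && $value !== ''` would be the stricter check. The enclosing `foreach ($attribute_map ...)` loop starts before the hunk.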


@ -40,7 +40,13 @@ if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE and !preg_match("/$USERNAME_REGEX/",$grou
######################################################################################
$initialise_group = FALSE;
$new_group = FALSE;
$group_exists = FALSE;
$create_group_message = "Add members to create the new group";
$current_members = array();
$full_dn = $create_group_message;
$has_been = "";
$attribute_map = $LDAP['default_group_attribute_map'];
if (isset($LDAP['group_additional_attributes'])) {
@ -52,24 +58,23 @@ $this_group = array();
if (isset($_POST['new_group'])) {
$new_group = TRUE;
$current_members = array();
$full_dn = $create_group_message;
$has_been = "";
}
elseif (isset($_POST['initialise_group'])) {
$new_group = FALSE;
$initialise_group = TRUE;
$current_members = array();
$full_dn = "${LDAP['group_attribute']}=$group_cn,${LDAP['group_dn']}";
$has_been = "created";
}
else {
$new_group = FALSE;
$current_members = ldap_get_group_members($ldap_connection,$group_cn);
$this_group = ldap_get_group_entry($ldap_connection,$group_cn);
if ($this_group) {
$current_members = ldap_get_group_members($ldap_connection,$group_cn);
$full_dn = $this_group[0]['dn'];
$has_been = "updated";
}
else {
$new_group = TRUE;
}
}
foreach ($attribute_map as $attribute => $attr_r) {
@ -96,12 +101,12 @@ foreach ($attribute_map as $attribute => $attr_r) {
$this_attribute = array();
if (is_array($_POST[$attribute])) {
$this_attribute['count'] = count($_POST[$attribute]);
foreach($_POST[$attribute] as $key => $value) {
$this_attribute[$key] = filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
if ($value != "") { $this_attribute[$key] = filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS); }
}
$this_attribute['count'] = count($this_attribute);
}
else {
elseif ($_POST[$attribute] != "") {
$this_attribute['count'] = 1;
$this_attribute[0] = filter_var($_POST[$attribute], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}
@ -155,10 +160,24 @@ if (isset($_POST["update_members"])) {
$members_to_add = array_diff($updated_membership,$current_members);
if ($initialise_group == TRUE) {
$initial_member = array_shift($members_to_add);
$group_add = ldap_new_group($ldap_connection,$group_cn,$initial_member,$to_update);
if (!$group_add) {
render_alert_banner("There was a problem creating the group. See the logs for more information.","danger",10000);
$group_exists = FALSE;
$new_group = TRUE;
}
elseif(count($to_update) > 0) {
else {
$group_exists = TRUE;
$new_group = FALSE;
}
}
if ($group_exists == TRUE) {
if ($initialise_group != TRUE and count($to_update) > 0) {
if (isset($this_group[0]['objectclass'])) {
$existing_objectclasses = $this_group[0]['objectclass'];
@ -174,6 +193,7 @@ if (isset($_POST["update_members"])) {
else {
render_alert_banner("There was a problem updating the group attributes. See the logs for more information.","danger",15000);
}
}
foreach ($members_to_add as $this_member) {
@ -200,7 +220,17 @@ if (isset($_POST["update_members"])) {
}
else {
$group_members = array();
$non_members = $all_people;
}
}
else {
$group_members = $current_members;
}
ldap_close($ldap_connection);
@ -401,10 +431,6 @@ ldap_close($ldap_connection);
</div>
<?php
if ($SIMPLE_INTERFACE == TRUE) {
unset($attribute_map['gidnumber']);
}
if (count($attribute_map) > 0) { ?>
<div class="panel panel-default">
<div class="panel-heading clearfix">
@ -419,7 +445,8 @@ if (count($attribute_map) > 0) { ?>
if (isset($$attribute)) { $these_values=$$attribute; } else { $these_values = array(); }
print "<div class='row'>";
$dl_identifider = ($full_dn != $create_group_message) ? $full_dn : "";
render_attribute_fields($attribute,$label,$these_values,$dl_identifider,"",$attr_r['inputtype'],$tabindex);
if (isset($attr_r['inputtype'])) { $inputtype = $attr_r['inputtype']; } else { $inputtype=""; }
render_attribute_fields($attribute,$label,$these_values,$dl_identifider,"",$inputtype,$tabindex);
print "</div>";
$tabindex++;
}
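Review bot: `$group_exists` is initialised to `FALSE` and, within the visible lines, becomes `TRUE` only after a successful `ldap_new_group`; the branch that loads an existing group (`if ($this_group) {`) sets `$current_members`, `$full_dn` and `$has_been` but not `$group_exists`, so unless it is assigned somewhere outside the hunk the `if ($group_exists == TRUE)` block would skip the attribute update guarded by `$initialise_group != TRUE and count($to_update) > 0` for every existing group. If that is the case, adding `$group_exists = TRUE;` next to `$has_been = "updated";` closes the gap. The surrounding `if (isset($_POST["update_members"]))` block starts and ends outside the hunk, so I may be missing that assignment.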


@ -18,10 +18,6 @@ $to_update = array();
if ($SMTP['host'] != "") { $can_send_email = TRUE; } else { $can_send_email = FALSE; }
if ($SIMPLE_INTERFACE == FALSE) {
$LDAP['default_attribute_map']["uidnumber"] = array("label" => "UID");
$LDAP['default_attribute_map']["gidnumber"] = array("label" => "GID");
}
$LDAP['default_attribute_map']["mail"] = array("label" => "Email", "onkeyup" => "check_if_we_should_enable_sending_email();");
$attribute_map = $LDAP['default_attribute_map'];
@ -82,12 +78,12 @@ if ($ldap_search) {
$this_attribute = array();
if (is_array($_POST[$attribute])) {
$this_attribute['count'] = count($_POST[$attribute]);
foreach($_POST[$attribute] as $key => $value) {
$this_attribute[$key] = filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS);
if ($value != "") { $this_attribute[$key] = filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS); }
}
$this_attribute['count'] = count($this_attribute);
}
else {
elseif ($_POST[$attribute] != "") {
$this_attribute['count'] = 1;
$this_attribute[0] = filter_var($_POST[$attribute], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}


@ -2,25 +2,40 @@
$log_prefix="";
# User account defaults
$DEFAULT_USER_GROUP = (getenv('DEFAULT_USER_GROUP') ? getenv('DEFAULT_USER_GROUP') : 'everybody');
$DEFAULT_USER_SHELL = (getenv('DEFAULT_USER_SHELL') ? getenv('DEFAULT_USER_SHELL') : '/bin/bash');
$ENFORCE_SAFE_SYSTEM_NAMES = ((strcasecmp(getenv('ENFORCE_SAFE_SYSTEM_NAMES'),'FALSE') == 0) ? FALSE : TRUE);
$USERNAME_FORMAT = (getenv('USERNAME_FORMAT') ? getenv('USERNAME_FORMAT') : '{first_name}-{last_name}');
$USERNAME_REGEX = (getenv('USERNAME_REGEX') ? getenv('USERNAME_REGEX') : '^[a-z][a-zA-Z0-9\._-]{3,32}$'); #We use the username regex for groups too.
if (getenv('PASSWORD_HASH')) { $PASSWORD_HASH = strtoupper(getenv('PASSWORD_HASH')); }
$ACCEPT_WEAK_PASSWORDS = ((strcasecmp(getenv('ACCEPT_WEAK_PASSWORDS'),'TRUE') == 0) ? TRUE : FALSE);
$min_uid = 2000;
$min_gid = 2000;
#Default attributes and objectclasses
$LDAP['account_attribute'] = (getenv('LDAP_ACCOUNT_ATTRIBUTE') ? getenv('LDAP_ACCOUNT_ATTRIBUTE') : 'uid');
$LDAP['account_objectclasses'] = array( 'person', 'inetOrgPerson', 'posixAccount' );
$LDAP['default_attribute_map'] = array( "givenname" => array("label" => "First name", "onkeyup" => "update_username(); update_email(); update_cn(); check_email_validity(document.getElementById('mail').value);"),
"sn" => array("label" => "Last name", "onkeyup" => "update_username(); update_email(); update_cn(); check_email_validity(document.getElementById('mail').value);"),
"uid" => array("label" => "System username", "onkeyup" => "check_entity_name_validity(document.getElementById('uid').value,'uid_div'); update_email(); check_email_validity(document.getElementById('mail').value);"),
$LDAP['default_attribute_map'] = array( "givenname" => array("label" => "First name", "onkeyup" => "update_username(); update_email(); update_cn(); update_homedir(); check_email_validity(document.getElementById('mail').value);"),
"sn" => array("label" => "Last name", "onkeyup" => "update_username(); update_email(); update_cn(); update_homedir(); check_email_validity(document.getElementById('mail').value);"),
"uid" => array("label" => "System username", "onkeyup" => "check_entity_name_validity(document.getElementById('uid').value,'uid_div'); update_email(); update_homedir(); check_email_validity(document.getElementById('mail').value);"),
"cn" => array("label" => "Common name", "onkeyup" => "auto_cn_update = false;"),
"mail" => array("label" => "Email", "onkeyup" => "auto_email_update = false; check_email_validity(document.getElementById('mail').value);")
);
$LDAP['group_attribute'] = (getenv('LDAP_GROUP_ATTRIBUTE') ? getenv('LDAP_GROUP_ATTRIBUTE') : 'cn');
$LDAP['group_objectclasses'] = array( 'top', 'posixGroup' ); #groupOfUniqueNames is added automatically if rfc2307bis is available.
$LDAP['default_group_attribute_map'] = array( "gidnumber" => array("label" => "Group ID number")
);
$SIMPLE_INTERFACE = ((strcasecmp(getenv('SIMPLE_INTERFACE'),'TRUE') == 0) ? TRUE : FALSE);
$LDAP['default_group_attribute_map'] = array( "description" => array("label" => "Description"));
if ($SIMPLE_INTERFACE == TRUE) {
$SHOW_POSIX_ATTRIBUTES = ((strcasecmp(getenv('SHOW_POSIX_ATTRIBUTES'),'TRUE') == 0) ? TRUE : FALSE);
if ($SHOW_POSIX_ATTRIBUTES != TRUE) {
if ($LDAP['account_attribute'] == "uid") {
unset($LDAP['default_attribute_map']['cn']);
}
@ -28,6 +43,13 @@
unset($LDAP['default_attribute_map']['uid']);
}
}
else {
$LDAP['default_attribute_map']["uidnumber"] = array("label" => "UID");
$LDAP['default_attribute_map']["gidnumber"] = array("label" => "GID");
$LDAP['default_attribute_map']["homedirectory"] = array("label" => "Home directory", "onkeyup" => "auto_homedir_update = false;");
$LDAP['default_attribute_map']["loginshell"] = array("label" => "Shell", "default" => $DEFAULT_USER_SHELL);
$LDAP['default_group_attribute_map']["gidnumber"] = array("label" => "Group ID number");
}
## LDAP server
@ -85,21 +107,6 @@
$REMOTE_HTTP_HEADERS_LOGIN = ((strcasecmp(getenv('REMOTE_HTTP_HEADERS_LOGIN'),'TRUE') == 0) ? TRUE : FALSE);
# User account defaults
$DEFAULT_USER_GROUP = (getenv('DEFAULT_USER_GROUP') ? getenv('DEFAULT_USER_GROUP') : 'everybody');
$DEFAULT_USER_SHELL = (getenv('DEFAULT_USER_SHELL') ? getenv('DEFAULT_USER_SHELL') : '/bin/bash');
$ENFORCE_SAFE_SYSTEM_NAMES = ((strcasecmp(getenv('ENFORCE_SAFE_SYSTEM_NAMES'),'FALSE') == 0) ? FALSE : TRUE);
$USERNAME_FORMAT = (getenv('USERNAME_FORMAT') ? getenv('USERNAME_FORMAT') : '{first_name}-{last_name}');
$USERNAME_REGEX = (getenv('USERNAME_REGEX') ? getenv('USERNAME_REGEX') : '^[a-z][a-zA-Z0-9\._-]{3,32}$'); #We use the username regex for groups too.
if (getenv('PASSWORD_HASH')) { $PASSWORD_HASH = strtoupper(getenv('PASSWORD_HASH')); }
$ACCEPT_WEAK_PASSWORDS = ((strcasecmp(getenv('ACCEPT_WEAK_PASSWORDS'),'TRUE') == 0) ? TRUE : FALSE);
$min_uid = 2000;
$min_gid = 2000;
# Sending email
$SMTP['host'] = getenv('SMTP_HOSTNAME');
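Review bot: `SIMPLE_INTERFACE` is replaced by `SHOW_POSIX_ATTRIBUTES` with no fallback, so a deployment that still sets `SIMPLE_INTERFACE`, or that relied on the previous default of showing the Posix fields, changes behaviour on upgrade without any notice. A one-line hint next to the new setting would surface that in the logs: `if (getenv('SIMPLE_INTERFACE') !== false) { error_log("$log_prefix SIMPLE_INTERFACE is no longer used; set SHOW_POSIX_ATTRIBUTES instead.",0); }`. Separately, the moved `$USERNAME_REGEX` default ends in `$`, which in PCRE also matches before a trailing newline, so a name ending in "\n" passes the `ENFORCE_SAFE_SYSTEM_NAMES` check done with `preg_match("/$USERNAME_REGEX/", ...)` in show_group.php and reaches the DN built from `$group_cn`; ending the default with `\z` instead of `$` (or adding the `D` modifier at the call site) removes that case.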


@ -448,7 +448,12 @@ function ldap_get_group_entry($ldap_connection,$group_name) {
$ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
if ($result['count'] > 0) {
return $result;
}
else {
return FALSE;
}
}
@ -468,7 +473,7 @@ function ldap_get_group_members($ldap_connection,$group_name,$start=0,$entries=N
$ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query, array($LDAP['group_membership_attribute']));
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
$result_count = $result[0]['count'];
if ($result) { $result_count = $result['count']; } else { $result_count = 0; }
$records = array();
@ -605,7 +610,7 @@ function ldap_new_group($ldap_connection,$group_name,$initial_member="",$extra_a
if (! $add_group ) {
$this_error="$log_prefix LDAP: unable to add new group (${group_dn}): " . ldap_error($ldap_connection);
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix DEBUG add_group array: ". print_r($new_group_array,true),0); }
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix DEBUG add_group array: ". strip_tags(print_r($new_group_array,true)),0); }
error_log($this_error,0);
}
else {
@ -622,8 +627,8 @@ function ldap_new_group($ldap_connection,$group_name,$initial_member="",$extra_a
error_log("$log_prefix Unable to update cn=lastGID to $new_gid - this could cause groups to share the same GID.",0);
}
}
return TRUE;
}
return TRUE;
}
}
@ -824,9 +829,8 @@ function ldap_new_account($ldap_connection,$account_r) {
}
}
if (empty($account_attributes['loginshell'])) { $account_attributes['loginshell'] = $DEFAULT_USER_SHELL; }
if (empty($account_attributes['homedirectory'])) { $account_attributes['homedirectory'] = "/home/${account_identifier}"; }
if (empty($account_attributes['homedirectory'])) { $account_attributes['homedirectory'] = "/home/" . $account_r['uid'][0]; }
$add_account = @ ldap_add($ldap_connection,
"${LDAP['account_attribute']}=$account_identifier,${LDAP['user_dn']}",
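Review bot: The new home-directory fallback `"/home/" . $account_r['uid'][0]` assumes a `uid` value is always present, but the config hunk in this commit appears to remove `uid` from the default form fields when `LDAP_ACCOUNT_ATTRIBUTE` is not `uid`, in which case `$account_r['uid']` can be absent and the account is created with a `homedirectory` of `/home/` plus an undefined-index warning. `$account_r['uid'][0] ?? $account_identifier` keeps the previous behaviour as the fallback. Separately, `strip_tags()` on the debug `print_r` output does not neutralise newlines in attribute values, so if the intent is to keep each log record on one line, stripping `"\r"`/`"\n"` or `json_encode`-ing the array is the more reliable choice. ldap_new_account continues outside the hunk.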


@ -113,7 +113,6 @@ function validate_passkey_cookie() {
$this_time=time();
$VALIDATED = FALSE;
unset($USER_ID);
$IS_ADMIN = FALSE;
if (isset($_COOKIE['orf_cookie'])) {
@ -569,6 +568,29 @@ EoRenderEmailJS;
}
######################################################
function render_js_homedir_generator($username_field_id,$homedir_field_id) {
print <<<EoRenderHomedirJS
<script>
var auto_homedir_update = true;
function update_homedir() {
if ( auto_homedir_update == true ) {
var username = document.getElementById('$username_field_id').value;
document.getElementById('$homedir_field_id').value = "/home/" + username;
}
}
</script>
EoRenderHomedirJS;
}
######################################################
function render_dynamic_field_js() {
@ -637,7 +659,8 @@ function render_attribute_fields($attribute,$label,$values_r,$resource_identifie
</div>
<?php
if (isset($values_r['count']) and $values_r['count'] > 0) {
$remaining_values = array_slice($values_r, 2);
unset($values_r['count']);
$remaining_values = array_slice($values_r, 1);
print "<script>";
foreach($remaining_values as $this_value) { print "add_field_to('$attribute','$this_value');"; }
print "</script>";
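Review bot: Dropping `unset($USER_ID);` at the top of `validate_passkey_cookie()` means a `$USER_ID` set before the call is no longer cleared while `$VALIDATED` and `$IS_ADMIN` still are; if any caller reads `$USER_ID` without first checking `$VALIDATED`, a stale identity could survive a failed cookie check. If the removal is deliberate (for example to preserve an identity set by the header-based login path), a comment such as `# $USER_ID is only meaningful when $VALIDATED is TRUE; it is intentionally not reset here` would stop the next reader from either reintroducing the unset or relying on the variable alone. The function continues outside the hunk, so the later validation paths are not visible here.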