Changes to allow this to work with both NIS and BIS schemas.

This commit is contained in:
Brian Lycett 2020-05-06 17:19:20 +01:00
parent f9edeb39b0
commit 73b3797b30
7 changed files with 150 additions and 111 deletions

View File

@ -60,10 +60,19 @@ Now go to https://lum.example.com/setup.
Configuration Configuration
--- ---
Configuration is via environmental variables. Configuration is via environmental variables. Please bear the following in mind:
* This tool needs to bind to LDAP as a user with permissions to modify everything under the base DN.
* This interface is designed to work with a fresh LDAP server and should be used with populated LDAP directories with caution and at your own risk.
###When using **osixia/openldap**
By default the user manager will expect that the LDAP server is using the **RFC2307BIS** schema. Unfortunately by default the **osixia/openldap** image uses the old NIS schema. The user manager will work with either, but RFC2307BIS is recommended as it allows you to use **memberOf** searches. You can enable RFC2307BIS in **osixia/openldap** by setting `LDAP_RFC2307BIS_SCHEMA` to `true` during the initial setup.
If you prefer not to use RFC2307BIS then set `LDAP_USES_NIS_SCHEMA` to `TRUE`. This will create groups solely as the **posixGroup** objectclass, and the default for `LDAP_GROUP_MEMBERSHIP_USES_UID` will `TRUE`.
**Note**: This tool needs to bind to LDAP as a user with permissions to modify everything under the base DN.
**WARNING**: This interface is designed to work with a fresh LDAP server and should be used with populated LDAP directories with caution and at your own risk.
Mandatory: Mandatory:
---- ----
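Review bot: the new heading `###When using **osixia/openldap**` is missing the space after `###`, so Markdown renders it as a literal paragraph instead of a level-3 heading; write `### When using **osixia/openldap**`. In the paragraph under it, "the default for `LDAP_GROUP_MEMBERSHIP_USES_UID` will `TRUE`" is missing the word "be".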
@ -82,9 +91,11 @@ Optional:
* `LDAP_USER_OU` (default: *people*): The name of the OU used to store user accounts (without the base DN appended). * `LDAP_USER_OU` (default: *people*): The name of the OU used to store user accounts (without the base DN appended).
* `LDAP_USES_NIS_SCHEMA` (default: *FALSE*): If you use the NIS schema instead of the (preferable) RFC2307BIS schema, set this to `TRUE`. See [When using **osixia/openldap**](#When using **osixia/openldap**) for more information.
* `LDAP_GROUP_OU` (default: *groups*): The name of the OU used to store groups (without the base DN appended). * `LDAP_GROUP_OU` (default: *groups*): The name of the OU used to store groups (without the base DN appended).
* `LDAP_GROUP_MEMBERSHIP_ATTRIBUTE` (default: *uniqueMember*): The attribute used when adding a user to a group. * `LDAP_GROUP_MEMBERSHIP_ATTRIBUTE` (default: *memberUID* or *uniqueMember*): The attribute used when adding a user to a group. If `LDAP_USES_NIS_SCHEMA` is `TRUE` the default is `memberUID', otherwise it's `uniqueMember`. Explicitly setting this variable will override the default.
* `LDAP_GROUP_MEMBERSHIP_USES_UID`(default: *FALSE*): If *TRUE* then the entry for a member of a group will be just the username. Otherwise it's the member's full DN. * `LDAP_GROUP_MEMBERSHIP_USES_UID`(default: *TRUE* or *FALSE*): If *TRUE* then the entry for a member of a group will be just the username. Otherwise it's the member's full DN. If `LDAP_USES_NIS_SCHEMA` is `TRUE` the default is `TRUE', otherwise it's `FALSE`. Explicitly setting this variable will override the default.
* `LDAP_REQUIRE_STARTTLS` (default: *TRUE*): If *TRUE* then a TLS connection is required for this interface to work. If set to *FALSE* then the interface will work without STARTTLS, but a warning will be displayed on the page. * `LDAP_REQUIRE_STARTTLS` (default: *TRUE*): If *TRUE* then a TLS connection is required for this interface to work. If set to *FALSE* then the interface will work without STARTTLS, but a warning will be displayed on the page.
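Review bot: the link `[When using **osixia/openldap**](#When using **osixia/openldap**)` in the `LDAP_USES_NIS_SCHEMA` entry is not a valid fragment (spaces and asterisks are not allowed); the slug generated for that heading would be `#when-using-osixiaopenldap`. The `LDAP_GROUP_MEMBERSHIP_ATTRIBUTE` and `LDAP_GROUP_MEMBERSHIP_USES_UID` entries also have mismatched quoting, opening with a backtick and closing with an apostrophe (`memberUID'` and `TRUE'`). Finally, the NIS schema spells the attribute `memberUid`; attribute names are case-insensitive so the code works either way, but the documentation should use the schema's spelling.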
@ -148,9 +159,3 @@ Anything else in the `USERNAME_FORMAT` string is left as defined, but the userna
If `EMAIL_DOMAIN` is set then the email address field will be automatically updated in the form of `username@email_domain`. Entering anything manually in that field will stop the automatic update of the email field. If `EMAIL_DOMAIN` is set then the email address field will be automatically updated in the form of `username@email_domain`. Entering anything manually in that field will stop the automatic update of the email field.
Details on accounts and groups
---
This interface will create POSIX user accounts and groups, which allows you to use your LDAP directory for Linux/Unix accounts. The accounts created use `person`, `inetOrgPerson` & `posixAccount` objectClasses. Usernames are defined via the `uid` attribute and groups are created as with `posixGroup` and `groupOfUniqueNames` objectClasses (the latter in case you want to use the `memberOf` LDAP module).
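Review bot: the "Details on accounts and groups" paragraph still states that groups are created with both `posixGroup` and `groupOfUniqueNames`, which is no longer true when `LDAP_USES_NIS_SCHEMA` is `TRUE` (the new branch in `ldap_new_group` creates `posixGroup` only). Add a sentence saying that under the NIS schema groups are `posixGroup` only and that `memberOf` searches are therefore unavailable, matching the configuration section above.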

View File

@ -197,50 +197,50 @@ render_js_email_generator('username','email');
<div class="form-group"> <div class="form-group">
<label for="first_name" class="col-sm-3 control-label">First name</label> <label for="first_name" class="col-sm-3 control-label">First name</label>
<div class="col-sm-6"> <div class="col-sm-6">
<input type="text" class="form-control" id="first_name" name="first_name" <?php if (isset($first_name)){ print " value='$first_name'"; } ?> onkeyup="update_username(); update_email();"> <input tabindex="1" type="text" class="form-control" id="first_name" name="first_name" <?php if (isset($first_name)){ print " value='$first_name'"; } ?> onkeyup="update_username(); update_email();">
</div> </div>
</div> </div>
<div class="form-group"> <div class="form-group">
<label for="last_name" class="col-sm-3 control-label">Last name</label> <label for="last_name" class="col-sm-3 control-label">Last name</label>
<div class="col-sm-6"> <div class="col-sm-6">
<input type="text" class="form-control" id="last_name" name="last_name" <?php if (isset($last_name)){ print " value='$last_name'"; } ?> onkeyup="update_username(); update_email();"> <input tabindex="3" type="text" class="form-control" id="last_name" name="last_name" <?php if (isset($last_name)){ print " value='$last_name'"; } ?> onkeyup="update_username(); update_email();">
</div> </div>
</div> </div>
<div class="form-group" id="username_div"> <div class="form-group" id="username_div">
<label for="username" class="col-sm-3 control-label">Username</label> <label for="username" class="col-sm-3 control-label">Username</label>
<div class="col-sm-6"> <div class="col-sm-6">
<input type="text" class="form-control" id="username" name="username" <?php if (isset($username)){ print " value='$username'"; } ?> onkeyup="check_username_validity(document.getElementById('username').value); update_email();"> <input tabindex="3" type="text" class="form-control" id="username" name="username" <?php if (isset($username)){ print " value='$username'"; } ?> onkeyup="check_username_validity(document.getElementById('username').value); update_email();">
</div> </div>
</div> </div>
<div class="form-group" id="email_div"> <div class="form-group" id="email_div">
<label for="username" class="col-sm-3 control-label">Email</label> <label for="username" class="col-sm-3 control-label">Email</label>
<div class="col-sm-6"> <div class="col-sm-6">
<input type="text" class="form-control" id="email" name="email" <?php if (isset($email)){ print " value='$email'"; } ?> onkeyup="auto_email_update = false;"> <input tabindex="4" type="text" class="form-control" id="email" name="email" <?php if (isset($email)){ print " value='$email'"; } ?> onkeyup="auto_email_update = false;">
</div> </div>
</div> </div>
<div class="form-group" id="password_div"> <div class="form-group" id="password_div">
<label for="password" class="col-sm-3 control-label">Password</label> <label for="password" class="col-sm-3 control-label">Password</label>
<div class="col-sm-6"> <div class="col-sm-6">
<input type="text" class="form-control" id="password" name="password" onkeyup="back_to_hidden('password','confirm');"> <input tabindex="5" type="text" class="form-control" id="password" name="password" onkeyup="back_to_hidden('password','confirm');">
</div> </div>
<div class="col-sm-1"> <div class="col-sm-1">
<input type="button" class="btn btn-sm" id="password_generator" onclick="random_password();" value="Generate password"> <input tabindex="7" type="button" class="btn btn-sm" id="password_generator" onclick="random_password();" value="Generate password">
</div> </div>
</div> </div>
<div class="form-group" id="confirm_div"> <div class="form-group" id="confirm_div">
<label for="confirm" class="col-sm-3 control-label">Confirm</label> <label for="confirm" class="col-sm-3 control-label">Confirm</label>
<div class="col-sm-6"> <div class="col-sm-6">
<input type="password" class="form-control" id="confirm" name="password_match" onkeyup="check_passwords_match()"> <input tabindex="6" type="password" class="form-control" id="confirm" name="password_match" onkeyup="check_passwords_match()">
</div> </div>
</div> </div>
<div class="form-group"> <div class="form-group">
<button type="submit" class="btn btn-warning">Create account</button> <button tabindex="8" type="submit" class="btn btn-warning">Create account</button>
</div> </div>
</form> </form>
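Review bot: the `last_name` and `username` inputs are both given `tabindex="3"`, so the keyboard order after First name is ambiguous; Last name should be `tabindex="2"`. While touching these inputs, the Email label still has `for="username"` and should be `for="email"` so the label activates the right field.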

View File

@ -44,24 +44,11 @@ if (isset($_POST['new_group'])) {
###################################################################################### ######################################################################################
$ldap_search_query="cn=" . ldap_escape($group_cn, "", LDAP_ESCAPE_FILTER);
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
$result = ldap_get_entries($ldap_connection, $ldap_search);
$current_members = array();
if ($result["count"] == 1) {
foreach ($result[0][$LDAP['group_membership_attribute']] as $key => $value) {
if ($key != 'count') {
$this_member = preg_replace("/^.*?=(.*?),.*/", "$1", $value);
array_push($current_members, $this_member);
}
}
}
$current_members = ldap_get_group_members($ldap_connection,$group_cn);
$all_accounts = ldap_get_user_list($ldap_connection); $all_accounts = ldap_get_user_list($ldap_connection);
$all_people = array(); $all_people = array();
foreach ($all_accounts as $this_person => $attrs) { foreach ($all_accounts as $this_person => $attrs) {
array_push($all_people, $this_person); array_push($all_people, $this_person);
} }
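Review bot: replacing the inline lookup with `ldap_get_group_members($ldap_connection,$group_cn)` drops the `$result["count"] == 1` check that lived here. The new function returns an empty array both when the group does not exist and when it exists with no members, so this page can no longer distinguish a missing group from an empty one. If the membership form relies on that distinction, verify the group separately (for example via `ldap_get_gid_of_group`) before rendering.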

View File

@ -14,8 +14,19 @@
$LDAP['group_ou'] = (getenv('LDAP_GROUP_OU') ? getenv('LDAP_GROUP_OU') : 'groups'); $LDAP['group_ou'] = (getenv('LDAP_GROUP_OU') ? getenv('LDAP_GROUP_OU') : 'groups');
$LDAP['user_ou'] = (getenv('LDAP_USER_OU') ? getenv('LDAP_USER_OU') : 'people'); $LDAP['user_ou'] = (getenv('LDAP_USER_OU') ? getenv('LDAP_USER_OU') : 'people');
$LDAP['group_membership_attribute'] = (getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') ? getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') : 'uniquemember'); $LDAP['nis_schema'] = ((strcasecmp(getenv('LDAP_USES_NIS_SCHEMA'),'TRUE') == 0) ? TRUE : FALSE);
$LDAP['group_membership_uses_uid'] = ((strcasecmp(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID'),'TRUE') == 0) ? TRUE : FALSE);
if ($LDAP['nis_schema'] == TRUE) {
$default_membership_attribute = 'memberuid';
$default_group_membership_uses_uid = TRUE;
}
else {
$default_membership_attribute = 'uniquemember';
$default_group_membership_uses_uid = FALSE;
}
$LDAP['group_membership_attribute'] = (getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') ? getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') : $default_membership_attribute);
$LDAP['group_membership_uses_uid'] = ((strcasecmp(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID'),'TRUE') == 0) ? TRUE : $default_group_membership_uses_uid);
$LDAP['account_attribute'] = 'uid'; $LDAP['account_attribute'] = 'uid';
$LDAP['require_starttls'] = ((strcasecmp(getenv('LDAP_REQUIRE_STARTTLS'),'TRUE') == 0) ? TRUE : FALSE); $LDAP['require_starttls'] = ((strcasecmp(getenv('LDAP_REQUIRE_STARTTLS'),'TRUE') == 0) ? TRUE : FALSE);
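Review bot: `$LDAP['group_membership_uses_uid']` is assigned twice; the first assignment, before the `if ($LDAP['nis_schema'] == TRUE)` block, is dead code overwritten by the one after it. More importantly, the surviving assignment does not let an explicit `FALSE` override the NIS default: `strcasecmp(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID'),'TRUE') == 0` is false both when the variable is unset and when it is `FALSE`, and both cases fall through to `$default_group_membership_uses_uid`, which is `TRUE` under NIS. That contradicts the README's "Explicitly setting this variable will override the default". Read the variable once and apply the default only when it is unset, e.g.
`$env = getenv('LDAP_GROUP_MEMBERSHIP_USES_UID');`
`$LDAP['group_membership_uses_uid'] = ($env === FALSE || $env === '') ? $default_group_membership_uses_uid : (strcasecmp($env,'TRUE') == 0);`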
@ -41,6 +52,8 @@
### ###
$log_prefix = date('Y-m-d H:i:s') . " - LDAP manager - $USER_ID - ";
$errors = ""; $errors = "";
if (empty($LDAP['uri'])) { if (empty($LDAP['uri'])) {
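Review bot: `$log_prefix` is now built in the config file and interpolates `$USER_ID`. Unless `$USER_ID` is already set when this file is included, every log line carries an empty user field and PHP emits an undefined-variable notice (the original definition in `ldap_functions` had the same dependency, so moving it earlier makes this more likely, not less). Guard it with `isset($USER_ID) ? $USER_ID : '-'`, or compute the prefix at log time once the session is known.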
@ -70,5 +83,4 @@
$min_uid = 2000; $min_uid = 2000;
$min_gid = 2000; $min_gid = 2000;
?> ?>

View File

@ -1,6 +1,5 @@
<?php <?php
$log_prefix = date('Y-m-d H:i:s') . " - LDAP manager - $USER_ID - ";
$LDAP_CONNECTION_WARNING = FALSE; $LDAP_CONNECTION_WARNING = FALSE;
################################### ###################################
@ -25,7 +24,7 @@ function open_ldap_connection() {
if ($tls_result != TRUE) { if ($tls_result != TRUE) {
error_log("$log_prefix Failed to start STARTTLS connection to ${LDAP['uri']}",0); error_log("$log_prefix Failed to start STARTTLS connection to ${LDAP['uri']}: " . ldap_error($ldap_connection),0);
if ($LDAP["require_starttls"] == TRUE) { if ($LDAP["require_starttls"] == TRUE) {
print "<div style='position: fixed;bottom: 0;width: 100%;' class='alert alert-danger'>Fatal: Couldn't create a secure connection to ${LDAP['uri']} and LDAP_REQUIRE_STARTTLS is TRUE.</div>"; print "<div style='position: fixed;bottom: 0;width: 100%;' class='alert alert-danger'>Fatal: Couldn't create a secure connection to ${LDAP['uri']} and LDAP_REQUIRE_STARTTLS is TRUE.</div>";
@ -50,9 +49,11 @@ function open_ldap_connection() {
if ($bind_result != TRUE) { if ($bind_result != TRUE) {
$this_error = "Failed to bind to ${LDAP['uri']} as ${LDAP['admin_bind_dn']}"; $this_error = "Failed to bind to ${LDAP['uri']} as ${LDAP['admin_bind_dn']}";
print "Problem: Failed to bind as ${LDAP['admin_bind_dn']}";
if ($LDAP_DEBUG == TRUE) { $this_error .= " with password ${LDAP['admin_bind_pwd']}"; } if ($LDAP_DEBUG == TRUE) { $this_error .= " with password ${LDAP['admin_bind_pwd']}"; }
$this_error .= ": " . ldap_error($ldap_connection);
print "Problem: Failed to bind as ${LDAP['admin_bind_dn']}";
error_log("$log_prefix $this_error",0); error_log("$log_prefix $this_error",0);
exit(1); exit(1);
} }
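Review bot: the bind-failure branch appends the admin bind password to `$this_error` when `$LDAP_DEBUG` is on, and the new `": " . ldap_error($ldap_connection)` is concatenated onto the same string before it is written with `error_log()`. That places the admin credential in the web server's error log whenever debugging is enabled; remove the password from the message and log only the bind DN and the `ldap_error()` text.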
@ -75,12 +76,12 @@ function ldap_auth_username($ldap_connection,$username, $password) {
global $log_prefix, $LDAP, $LDAP_DEBUG; global $log_prefix, $LDAP, $LDAP_DEBUG;
$ldap_search_query="${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER); $ldap_search_query="${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query ); $ldap_search = @ ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query );
if ($LDAP_DEBUG == TRUE) { "$log_prefix Running LDAP search: $ldap_search_query"; } if ($LDAP_DEBUG == TRUE) { "$log_prefix Running LDAP search: $ldap_search_query"; }
if (!$ldap_search) { if (!$ldap_search) {
error_log("$log_prefix Couldn't search for $username",0); error_log("$log_prefix Couldn't search for ${username}: " . ldap_error($ldap_connection),0);
return FALSE; return FALSE;
} }
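Review bot: `if ($LDAP_DEBUG == TRUE) { "$log_prefix Running LDAP search: $ldap_search_query"; }` is a bare string expression with no effect; wrap it in `error_log(...)`. Separately, the added `@` on `ldap_search` only silences the warning; the `if (!$ldap_search)` test below is what actually handles the failure, and that pattern should accompany every call where `@` was added in this commit.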
@ -100,7 +101,7 @@ function ldap_auth_username($ldap_connection,$username, $password) {
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Able to bind as $username",0); } if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Able to bind as $username",0); }
} }
else { else {
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Unable to bind as $username",0); } if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Unable to bind as ${username}: " . ldap_error($ldap_connection),0); }
return FALSE; return FALSE;
} }
@ -129,7 +130,8 @@ function ldap_setup_auth($ldap_connection, $password) {
else { else {
$this_error="Initial setup: Unable to authenticate as ${LDAP['admin_bind_dn']}"; $this_error="Initial setup: Unable to authenticate as ${LDAP['admin_bind_dn']}";
if ($LDAP_DEBUG == TRUE) { $this_error .= " with password $password"; } if ($LDAP_DEBUG == TRUE) { $this_error .= " with password $password"; }
$this_error .= ". The password used to authenticate for /setup should be the same as set by LDAP_ADMIN_BIND_PWD."; $this_error .= ". The password used to authenticate for /setup should be the same as set by LDAP_ADMIN_BIND_PWD. ";
$this_error .= ldap_error($ldap_connection);
error_log("$log_prefix $this_error",0); error_log("$log_prefix $this_error",0);
return FALSE; return FALSE;
} }
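Review bot: as in the admin bind branch, `$this_error .= " with password $password"` writes the setup password to the error log under `$LDAP_DEBUG`, and this hunk now appends `ldap_error()` to the same line. Remove the password from the message; the appended `ldap_error()` text is sufficient for diagnosing the failure.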
@ -162,8 +164,8 @@ function ldap_get_user_list($ldap_connection,$start=0,$entries=NULL,$sort="asc",
$this_filter = "(&(${LDAP['account_attribute']}=*)$filters)"; $this_filter = "(&(${LDAP['account_attribute']}=*)$filters)";
$ldap_search = ldap_search($ldap_connection, "${LDAP['user_dn']}", $this_filter, $fields); $ldap_search = @ ldap_search($ldap_connection, "${LDAP['user_dn']}", $this_filter, $fields);
$result = ldap_get_entries($ldap_connection, $ldap_search); $result = @ ldap_get_entries($ldap_connection, $ldap_search);
if ($LDAP_DEBUG == TRUE) { error_log("LDAP returned ${result['count']} users for ${LDAP['user_dn']} when using this filter: $this_filter",0); } if ($LDAP_DEBUG == TRUE) { error_log("LDAP returned ${result['count']} users for ${LDAP['user_dn']} when using this filter: $this_filter",0); }
$records = array(); $records = array();
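Review bot: `@ ldap_get_entries($ldap_connection, $ldap_search)` is called without checking `$ldap_search`. When the search fails, `ldap_search` returns `FALSE`, and passing that to `ldap_get_entries` raises a TypeError on PHP 8 that `@` does not suppress (on PHP 7 it returns `FALSE` and `${result['count']}` then reads a null). Test `$ldap_search` first, as `ldap_change_password` already does, log `ldap_error()`, and return an empty array.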
@ -173,7 +175,7 @@ function ldap_get_user_list($ldap_connection,$start=0,$entries=NULL,$sort="asc",
$add_these = array(); $add_these = array();
foreach($fields as $this_attr) { foreach($fields as $this_attr) {
if ($this_attr != $sort_key) { $add_these[$this_attr] = $record[$this_attr][0]; } if ($this_attr !== $sort_key) { $add_these[$this_attr] = $record[$this_attr][0]; }
} }
$records[$record[$sort_key][0]] = $add_these; $records[$record[$sort_key][0]] = $add_these;
@ -248,7 +250,7 @@ function ldap_get_group_list($ldap_connection,$start=0,$entries=NULL,$sort="asc"
$this_filter = "(&(objectclass=*)$filters)"; $this_filter = "(&(objectclass=*)$filters)";
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $this_filter); $ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $this_filter);
$result = ldap_get_entries($ldap_connection, $ldap_search); $result = @ ldap_get_entries($ldap_connection, $ldap_search);
if ($LDAP_DEBUG == TRUE) { error_log("LDAP returned ${result['count']} groups for ${LDAP['group_dn']} when using this filter: $this_filter",0); } if ($LDAP_DEBUG == TRUE) { error_log("LDAP returned ${result['count']} groups for ${LDAP['group_dn']} when using this filter: $this_filter",0); }
$records = array(); $records = array();
@ -276,23 +278,40 @@ function ldap_get_group_members($ldap_connection,$group_name,$start=0,$entries=N
global $log_prefix, $LDAP, $LDAP_DEBUG; global $log_prefix, $LDAP, $LDAP_DEBUG;
$ldap_search_query = "(cn=". ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")"; $ldap_search_query = "(cn=". ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query, array($LDAP['group_membership_attribute'])); $ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query, array($LDAP['group_membership_attribute']));
$result = ldap_get_entries($ldap_connection, $ldap_search); $result = @ ldap_get_entries($ldap_connection, $ldap_search);
if ($LDAP_DEBUG == TRUE) { error_log("LDAP returned ${result['count']} members of ${group_name} when using this search: $ldap_search_query",0); } $result_count = $result[0]['count'];
$records = array(); $records = array();
foreach ($result[0][$LDAP['group_membership_attribute']] as $record => $value) {
if ($record != 'count' and isset($value)) { if ($result_count > 0) {
array_push($records, $value);
foreach ($result[0][$LDAP['group_membership_attribute']] as $key => $value) {
if ($key !== 'count' and !empty($value)) {
$this_member = preg_replace("/^.*?=(.*?),.*/", "$1", $value);
array_push($records, $this_member);
if ($LDAP_DEBUG == TRUE) { error_log("${value} is a member",0); }
}
} }
$actual_result_count = count($records);
if ($LDAP_DEBUG == TRUE) { error_log("LDAP returned $actual_result_count members of ${group_name} when using this search: $ldap_search_query and this filter: ${LDAP['group_membership_attribute']}",0); }
if ($actual_result_count > 0) {
if ($sort == "asc") { sort($records); } else { rsort($records); }
return(array_slice($records,$start,$entries));
}
else {
return array();
}
}
else {
return array();
} }
if ($sort == "asc") { sort($records); } else { rsort($records); }
return(array_slice($records,$start,$entries));
} }
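Review bot: `$result_count = $result[0]['count'];` reads the attribute count of the first entry, not the number of members, and `$result[0]` is undefined when no group matched (that case has `$result['count'] == 0`). Check `$result['count'] > 0` before touching `$result[0]`, and use `$result[0][$LDAP['group_membership_attribute']]['count']` if a member count is wanted. The `preg_replace("/^.*?=(.*?),.*/", "$1", $value)` extraction also assumes each value is a DN with at least one comma; a bare `memberUid` username contains no `=` so the pattern leaves it unchanged, which is the intended NIS behaviour, but a DN whose RDN value contains an escaped comma would be truncated. Consider `ldap_explode_dn($value, 1)[0]` for values that contain `=`.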
@ -330,32 +349,46 @@ function ldap_new_group($ldap_connection,$group_name) {
if (isset($group_name)) { if (isset($group_name)) {
$ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']})"; $ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']})";
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query); $ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
$result = ldap_get_entries($ldap_connection, $ldap_search); $result = @ ldap_get_entries($ldap_connection, $ldap_search);
if ($result['count'] == 0) { if ($result['count'] == 0) {
$highest_gid = ldap_get_highest_id($ldap_connection,'gid'); $highest_gid = ldap_get_highest_id($ldap_connection,'gid');
$new_gid = $highest_gid + 1; $new_gid = $highest_gid + 1;
$add_group = ldap_add($ldap_connection, if ($LDAP['nis_schema'] == TRUE) {
"cn=$group_name,${LDAP['group_dn']}", $new_group_array=array( 'objectClass' => array('top','posixGroup'),
array( 'objectClass' => array( 'top', 'groupOfUniqueNames', 'posixGroup' ), 'cn' => $group_name,
'cn' => $group_name, 'gidNumber' => $new_gid
'gidNumber' => $new_gid, );
$LDAP['group_membership_attribute'] => '' }
) else {
); $new_group_array=array( 'objectClass' => array('top','groupOfUniqueNames','posixGroup'),
'cn' => $group_name,
'gidNumber' => $new_gid,
$LDAP['group_membership_attribute'] => ''
);
}
if ($add_group) { $group_dn="cn=$group_name,${LDAP['group_dn']}";
$add_group = @ ldap_add($ldap_connection, $group_dn, $new_group_array);
if (! $add_group ) {
$this_error="$log_prefix LDAP: unable to add new group (${group_dn}): " . ldap_error($ldap_connection);
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix: DEBUG add_group array: ". print_r($new_group_array,true)); }
error_log($this_error,0);
}
else {
error_log("$log_prefix Added new group $group_name",0); error_log("$log_prefix Added new group $group_name",0);
$update_gid = ldap_mod_replace($ldap_connection, "cn=lastGID,${LDAP['base_dn']}", array( 'serialNumber' => $new_gid )); $update_gid = @ ldap_mod_replace($ldap_connection, "cn=lastGID,${LDAP['base_dn']}", array( 'serialNumber' => $new_gid ));
if ($update_gid) { if ($update_gid) {
error_log("$log_prefix Updated cn=lastGID with $new_gid",0); error_log("$log_prefix Updated cn=lastGID with $new_gid",0);
return TRUE; return TRUE;
} }
else { else {
error_log("$log_prefix Failed to update cn=lastGID",0); error_log("$log_prefix Failed to update cn=lastGID: " . ldap_error($ldap_connection) ,0);
} }
} }
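Review bot: the existence check at the top of this hunk builds the filter `(cn=<name>,<group_dn>)`, i.e. the group's DN inside a filter, which never matches a `cn` attribute, so `$result['count'] == 0` is always true and every call proceeds to `ldap_add`. A duplicate now surfaces only as the `ldap_error()` text logged by the new `if (! $add_group )` branch. The filter should be `(cn=<escaped name>)` searched under `${LDAP['group_dn']}`, as `ldap_get_gid_of_group` does. Also worth checking in the RFC2307BIS branch: the placeholder `$LDAP['group_membership_attribute'] => ''` satisfies the `uniqueMember` requirement of `groupOfUniqueNames` only when the attribute is left at its default; an administrator who overrides `LDAP_GROUP_MEMBERSHIP_ATTRIBUTE` would produce an object-class violation on add.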
@ -382,14 +415,14 @@ function ldap_delete_group($ldap_connection,$group_name) {
if (isset($group_name)) { if (isset($group_name)) {
$delete_query = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}"; $delete_query = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
$delete = ldap_delete($ldap_connection, $delete_query); $delete = @ ldap_delete($ldap_connection, $delete_query);
if ($delete) { if ($delete) {
error_log("$log_prefix Deleted group $group_name",0); error_log("$log_prefix Deleted group $group_name",0);
return TRUE; return TRUE;
} }
else { else {
error_log("$log_prefix Couldn't delete group $group_name",0); error_log("$log_prefix Couldn't delete group $group_name" . ldap_error($ldap_connection) ,0);
return FALSE; return FALSE;
} }
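Review bot: the failure log `"Couldn't delete group $group_name" . ldap_error($ldap_connection)` has no separator, so the message reads as the group name run into the LDAP error text; add `": "` as the other hunks in this commit do. Also, `$delete_query` is a DN, but the name is escaped with `LDAP_ESCAPE_FILTER`; DN construction should use `LDAP_ESCAPE_DN`, since a group name containing a comma or plus sign would otherwise yield a malformed DN.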
@ -407,8 +440,8 @@ function ldap_get_gid_of_group($ldap_connection,$group_name) {
if (isset($group_name)) { if (isset($group_name)) {
$ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")"; $ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query , array("gidNumber")); $ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query , array("gidNumber"));
$result = ldap_get_entries($ldap_connection, $ldap_search); $result = @ ldap_get_entries($ldap_connection, $ldap_search);
if (isset($result[0]['gidnumber'][0]) and is_numeric($result[0]['gidnumber'][0])) { if (isset($result[0]['gidnumber'][0]) and is_numeric($result[0]['gidnumber'][0])) {
return $result[0]['gidnumber'][0]; return $result[0]['gidnumber'][0];
@ -430,8 +463,8 @@ function ldap_new_account($ldap_connection,$first_name,$last_name,$username,$pas
if (isset($first_name) and isset($last_name) and isset($username) and isset($password)) { if (isset($first_name) and isset($last_name) and isset($username) and isset($password)) {
$ldap_search_query = "(${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ",${LDAP['user_dn']})"; $ldap_search_query = "(${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ",${LDAP['user_dn']})";
$ldap_search = ldap_search($ldap_connection, "${LDAP['user_dn']}", $ldap_search_query); $ldap_search = @ ldap_search($ldap_connection, "${LDAP['user_dn']}", $ldap_search_query);
$result = ldap_get_entries($ldap_connection, $ldap_search); $result = @ ldap_get_entries($ldap_connection, $ldap_search);
if ($result['count'] == 0) { if ($result['count'] == 0) {
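Review bot: same problem as in `ldap_new_group`: the filter `(<account_attribute>=<name>,<user_dn>)` embeds the user DN in the filter and never matches, so the duplicate-account check is ineffective and a duplicate is only caught when `ldap_add` fails later. Use `(${LDAP['account_attribute']}=<escaped username>)` searched under `${LDAP['user_dn']}`.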
@ -466,7 +499,7 @@ function ldap_new_account($ldap_connection,$first_name,$last_name,$username,$pas
'mail' => $email 'mail' => $email
); );
$add_account = ldap_add($ldap_connection, $add_account = @ ldap_add($ldap_connection,
"${LDAP['account_attribute']}=$username,${LDAP['user_dn']}", "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}",
$user_info $user_info
); );
@ -474,18 +507,18 @@ function ldap_new_account($ldap_connection,$first_name,$last_name,$username,$pas
if ($add_account) { if ($add_account) {
error_log("$log_prefix Created new account: $username",0); error_log("$log_prefix Created new account: $username",0);
ldap_add_member_to_group($ldap_connection,$add_to_group,$username); ldap_add_member_to_group($ldap_connection,$add_to_group,$username);
$update_uid = ldap_mod_replace($ldap_connection, "cn=lastUID,${LDAP['base_dn']}", array( 'serialNumber' => $new_uid )); $update_uid = @ ldap_mod_replace($ldap_connection, "cn=lastUID,${LDAP['base_dn']}", array( 'serialNumber' => $new_uid ));
if ($update_uid) { if ($update_uid) {
error_log("$log_prefix Create account; Updated cn=lastUID with $new_uid",0); error_log("$log_prefix Create account; Updated cn=lastUID with $new_uid",0);
return TRUE; return TRUE;
} }
else { else {
error_log("$log_prefix Create account; Failed to update cn=lastUID",0); error_log("$log_prefix Create account; Failed to update cn=lastUID: " . ldap_error($ldap_connection),0);
} }
} }
else { else {
error_log("$log_prefix Create account; couldn't create the account for $username",0); error_log("$log_prefix Create account; couldn't create the account for ${username}: " . ldap_error($ldap_connection),0);
} }
} }
@ -513,14 +546,14 @@ function ldap_delete_account($ldap_connection,$username) {
if (isset($username)) { if (isset($username)) {
$delete_query = "${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ",${LDAP['user_dn']}"; $delete_query = "${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ",${LDAP['user_dn']}";
$delete = ldap_delete($ldap_connection, $delete_query); $delete = @ ldap_delete($ldap_connection, $delete_query);
if ($delete) { if ($delete) {
error_log("$log_prefix Deleted account for $username",0); error_log("$log_prefix Deleted account for $username",0);
return TRUE; return TRUE;
} }
else { else {
error_log("$log_prefix Couldn't delete account for $username",0); error_log("$log_prefix Couldn't delete account for ${username}: " . ldap_error($ldap_connection),0);
return FALSE; return FALSE;
} }
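Review bot: `$delete_query` is a DN, so `ldap_escape($username, "", LDAP_ESCAPE_FILTER)` applies the wrong escaping mode; use `LDAP_ESCAPE_DN` here, as for the group delete.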
@ -542,14 +575,14 @@ function ldap_add_member_to_group($ldap_connection,$group_name,$username) {
} }
$group_update = array($LDAP['group_membership_attribute'] => $username); $group_update = array($LDAP['group_membership_attribute'] => $username);
$update = ldap_mod_add($ldap_connection,$group_dn,$group_update); $update = @ ldap_mod_add($ldap_connection,$group_dn,$group_update);
if ($update) { if ($update) {
error_log("$log_prefix Added $username to $group_name",0); error_log("$log_prefix Added $username to $group_name",0);
return TRUE; return TRUE;
} }
else { else {
error_log("$log_prefix Couldn't add $username to $group_name",0); error_log("$log_prefix Couldn't add $username to ${group_name}: " . ldap_error($ldap_connection),0);
return FALSE; return FALSE;
} }
@ -569,14 +602,14 @@ function ldap_delete_member_from_group($ldap_connection,$group_name,$username) {
} }
$group_update = array($LDAP['group_membership_attribute'] => $username); $group_update = array($LDAP['group_membership_attribute'] => $username);
$update = ldap_mod_del($ldap_connection,$group_dn,$group_update); $update = @ ldap_mod_del($ldap_connection,$group_dn,$group_update);
if ($update) { if ($update) {
error_log("$log_prefix Removed $username from $group_name",0); error_log("$log_prefix Removed $username from $group_name",0);
return TRUE; return TRUE;
} }
else { else {
error_log("$log_prefix Couldn't remove $username from $group_name",0); error_log("$log_prefix Couldn't remove $username from ${group_name}: " . ldap_error($ldap_connection),0);
return FALSE; return FALSE;
} }
@ -592,9 +625,9 @@ function ldap_change_password($ldap_connection,$username,$new_password) {
#Find DN of user #Find DN of user
$ldap_search_query = "${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER); $ldap_search_query = "${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query); $ldap_search = @ ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query);
if ($ldap_search) { if ($ldap_search) {
$result = ldap_get_entries($ldap_connection, $ldap_search); $result = @ ldap_get_entries($ldap_connection, $ldap_search);
if ($result["count"] == 1) { if ($result["count"] == 1) {
$this_dn=$result[0]['dn']; $this_dn=$result[0]['dn'];
} }
@ -604,7 +637,7 @@ function ldap_change_password($ldap_connection,$username,$new_password) {
} }
} }
else { else {
error_log("$log_prefix Couldn't perform an LDAP search for ${LDAP['account_attribute']}=${username}",0); error_log("$log_prefix Couldn't perform an LDAP search for ${LDAP['account_attribute']}=${username}: " . ldap_error($ldap_connection),0);
return FALSE; return FALSE;
} }
@ -613,14 +646,14 @@ function ldap_change_password($ldap_connection,$username,$new_password) {
$hashed_pass = ldap_hashed_password($new_password); $hashed_pass = ldap_hashed_password($new_password);
$entries["userPassword"] = $new_password; $entries["userPassword"] = $new_password;
$update = ldap_mod_replace($ldap_connection, $this_dn, $entries); $update = @ ldap_mod_replace($ldap_connection, $this_dn, $entries);
if ($update) { if ($update) {
error_log("$log_prefix Updated the password for $username"); error_log("$log_prefix Updated the password for $username",0);
return TRUE; return TRUE;
} }
else { else {
error_log("$log_prefix Couldn't update the password for $username"); error_log("$log_prefix Couldn't update the password for ${username}: " . ldap_error($ldap_connection),0);
return TRUE; return TRUE;
} }
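Review bot: `$hashed_pass = ldap_hashed_password($new_password)` is computed and then discarded; the next line sets `$entries["userPassword"] = $new_password`, so the password is written in clear text unless the server hashes it via an overlay. Use `$hashed_pass` in the modify. The failure branch also returns `TRUE` after logging the `ldap_error()`, so callers report success on a failed update; it should `return FALSE`.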

View File

@ -53,7 +53,8 @@ function set_passkey_cookie($user_id,$is_admin) {
} }
$filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id); $filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id);
file_put_contents("/tmp/$filename","$passkey:$admin_val:$this_time"); file_put_contents("/tmp/$filename","$passkey:$admin_val:$this_time");
setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', $_SERVER["HTTP_HOST"]); # setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', $_SERVER["HTTP_HOST"]);
setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', '', '', TRUE);
if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: user $user_id validated (IS_ADMIN=${IS_ADMIN}), sent orf_cookie to the browser.",0); } if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: user $user_id validated (IS_ADMIN=${IS_ADMIN}), sent orf_cookie to the browser.",0); }
$VALIDATED = TRUE; $VALIDATED = TRUE;
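Review bot: adding the `secure` flag (7th argument `TRUE`) is the right direction, but the `httponly` argument is still omitted; pass `TRUE` as the 8th argument as well, or use the PHP 7.3+ options-array form so `samesite` can be set too, so the `user_id:passkey` value is not readable by script. Note that with `secure` set the login will silently fail over plain HTTP because the browser never returns the cookie, so the README should state that HTTPS is required. Replacing `$_SERVER["HTTP_HOST"]` with `''` for the domain is good, as it removes a Host-header-controlled cookie domain; the commented-out old `setcookie` line can be deleted rather than kept.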
@ -118,7 +119,8 @@ function set_setup_cookie() {
$IS_SETUP_ADMIN = TRUE; $IS_SETUP_ADMIN = TRUE;
file_put_contents("/tmp/ldap_setup","$passkey:$this_time"); file_put_contents("/tmp/ldap_setup","$passkey:$this_time");
setcookie('setup_cookie', "$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', $_SERVER["HTTP_HOST"]); # setcookie('setup_cookie', "$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', $_SERVER["HTTP_HOST"]);
setcookie('setup_cookie', "$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', '', '', TRUE);
if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Setup session: sent setup_cookie to the client.",0); } if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Setup session: sent setup_cookie to the client.",0); }
} }
@ -169,7 +171,8 @@ function log_out($method='normal') {
global $USER_ID; global $USER_ID;
setcookie('orf_cookie', "", time()-20000 , "/", $_SERVER["HTTP_HOST"], 0); #setcookie('orf_cookie', "", time()-20000 , "/", $_SERVER["HTTP_HOST"], 0);
setcookie('orf_cookie', "", time()-20000, '/', '', '', TRUE);
$filename = preg_replace('/[^a-zA-Z0-9]/','_', $USER_ID); $filename = preg_replace('/[^a-zA-Z0-9]/','_', $USER_ID);
unlink("/tmp/$filename"); unlink("/tmp/$filename");

View File

@ -10,7 +10,7 @@ if (isset($_POST["admin_password"])) {
$ldap_connection = open_ldap_connection(); $ldap_connection = open_ldap_connection();
$user_auth = ldap_setup_auth($ldap_connection,$_POST["admin_password"]); $user_auth = ldap_setup_auth($ldap_connection,$_POST["admin_password"]);
ldap_close($ldap_connection); ldap_close($ldap_connection);
if ($user_auth != FALSE) { if ($user_auth != FALSE) {
set_setup_cookie($user_auth); set_setup_cookie($user_auth);
header("Location: //${_SERVER["HTTP_HOST"]}/${THIS_MODULE_PATH}/run_checks.php\n\n"); header("Location: //${_SERVER["HTTP_HOST"]}/${THIS_MODULE_PATH}/run_checks.php\n\n");
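Review bot: the redirect `Location: //${_SERVER["HTTP_HOST"]}/${THIS_MODULE_PATH}/run_checks.php` is built from the client-supplied Host header, so a request carrying a forged Host is sent to an attacker-chosen origin after a successful setup login (an open redirect). Use a relative `Location: /${THIS_MODULE_PATH}/run_checks.php` or a configured hostname, and drop the trailing `\n\n` from the header value.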
@ -33,18 +33,17 @@ else {
} }
?> ?>
<div class="container"> <div class="container">
<div class="panel panel-default"> <div class="panel panel-default">
<div class="panel-heading text-center">Password for <?php print $LDAP['admin_bind_dn']; ?></div> <div class="panel-heading text-center">Password for <?php print $LDAP['admin_bind_dn']; ?></div>
<div class="panel-body text-center"> <div class="panel-body text-center">
<form class="form-inline" action='' method='post'> <form class="form-inline" action='' method='post'>
<div class="form-group"> <div class="form-group">
<input type='password' class="form-control" name='admin_password'> <input type='password' class="form-control" name='admin_password'>
</div> </div>
<div class="form-group"> <div class="form-group">
<input type='submit' class="btn btn-default" value='Log in'> <input type='submit' class="btn btn-default" value='Log in'>
</div> </div>
</form> </form>
</div>
</div> </div>
</div> </div>
</div> </div>