From 769ff0f1b0f6dc65e740da47fd3ad4e4a3a1f862 Mon Sep 17 00:00:00 2001 From: Brian Lycett Date: Thu, 15 Apr 2021 15:43:53 +0100 Subject: [PATCH] Add the ability to set the server path. Get directed to the appropriate module when you log in. --- Dockerfile | 8 +--- README.md | 2 + entrypoint | 24 ++++++---- www/account_manager/groups.php | 6 +-- www/account_manager/index.php | 6 +-- www/account_manager/module_functions.inc.php | 2 +- www/account_manager/new_user.php | 21 ++++----- www/account_manager/show_group.php | 4 +- www/account_manager/show_user.php | 10 ++--- www/change_password/index.php | 17 ++++++-- www/includes/config.inc.php | 2 + www/includes/ldap_functions.inc.php | 46 +++++++++++--------- www/includes/mail_functions.inc.php | 2 +- www/includes/web_functions.inc.php | 36 ++++++++++----- www/log_in/index.php | 8 ++-- www/request_account/index.php | 10 ++--- www/setup/index.php | 6 +-- www/setup/run_checks.php | 6 +-- www/setup/setup_ldap.php | 8 ++-- 19 files changed, 132 insertions(+), 92 deletions(-) diff --git a/Dockerfile b/Dockerfile index 2774364..0bae810 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM php:7.0-apache +FROM php:8-apache RUN apt-get update && \ apt-get install -y --no-install-recommends \ @@ -8,11 +8,7 @@ RUN apt-get update && \ libpng-dev && \ rm -rf /var/lib/apt/lists/* -RUN docker-php-ext-configure gd \ - --enable-gd-native-ttf \ - --with-freetype-dir=/usr/include/freetype2 \ - --with-png-dir=/usr/include \ - --with-jpeg-dir=/usr/include && \ +RUN docker-php-ext-configure gd --with-freetype && \ docker-php-ext-install -j$(nproc) gd && \ libdir=$(find /usr -name "libldap.so*" | sed -e 's/\/usr\///' -e 's/\/libldap.so//') && \ docker-php-ext-configure ldap --with-libdir=$libdir && \ diff --git a/README.md b/README.md index 75a6828..b0faeb6 100644 --- a/README.md +++ b/README.md 
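Review bot: `FROM php:8-apache` tracks the whole PHP 8 major, so every rebuild silently moves to the newest 8.x, and `FILTER_SANITIZE_STRING`, which this commit still uses in www/account_manager/new_user.php, is deprecated from PHP 8.1 and emits deprecation notices there. Pin the tag that was actually tested, e.g. `FROM php:8.0-apache`, and move the pin deliberately once the sanitising calls have been replaced. A floating major tag also makes the image non-reproducible for anyone diagnosing a later regression.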
@@ -85,6 +85,8 @@ Configuration is via environmental variables. Please bear the following in mind * `SERVER_HOSTNAME` (default: *ldapusername.org*): The hostname that this interface will be served from. +* `SERVER_PATH` (default: */*): The path to the user manager on the webserver. Useful if running this behind a reverse proxy. + * `ORGANISATION_NAME`: (default: *LDAP*): Your organisation's name. * `SITE_NAME` (default: *{ORGANISATION_NAME} user manager*): Change this to replace the title in the menu, e.g. "My Company Account Management". diff --git a/entrypoint b/entrypoint index 6ad7bf7..640424c 100644 --- a/entrypoint +++ b/entrypoint @@ -2,8 +2,15 @@ set -e ssl_dir="/opt/ssl" +php_dir="/opt/ldap_user_manager" -if [ ! "$SERVER_HOSTNAME" ]; then export SERVER_HOSTNAME=ldapusermanager.org; fi +if [ ! "$SERVER_HOSTNAME" ]; then export SERVER_HOSTNAME="ldapusermanager.org"; fi +if [ ! "$SERVER_PATH" ]; then + export SERVER_PATH="/"; + apache_alias="" +else + apache_alias="Alias $SERVER_PATH $php_dir" +fi #If LDAP_TLS_CACERT is set then write it out as a file #and set up the LDAP client conf to use it. @@ -20,11 +27,11 @@ if [ "${NO_HTTPS,,}" == "true" ]; then ServerName $SERVER_HOSTNAME - DocumentRoot /opt/ldap_user_manager - + DocumentRoot $php_dir + $apache_alias DirectoryIndex index.php index.html - + Require all granted @@ -107,8 +114,6 @@ EoCertConf cat </etc/apache2/sites-enabled/lum.conf -Listen 443 - RewriteEngine On @@ -119,11 +124,12 @@ Listen 443 ServerName $SERVER_HOSTNAME - DocumentRoot /opt/ldap_user_manager + DocumentRoot $php_dir + $apache_alias DirectoryIndex index.php index.html - + Require all granted @@ -137,6 +143,8 @@ EoHTTPSC fi +cat /etc/apache2/sites-enabled/lum.conf + ######################## #Run Apache diff --git a/www/account_manager/groups.php b/www/account_manager/groups.php index 6e74254..1b0f23e 100644 --- a/www/account_manager/groups.php +++ b/www/account_manager/groups.php 
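Review bot: `SERVER_PATH` is interpolated unvalidated into the Apache vhost through `apache_alias="Alias $SERVER_PATH $php_dir"` and the heredocs in the two vhost hunks, so a value that does not start with `/` or that contains whitespace yields a broken or unintended configuration instead of a clear error at start-up. Validate it before use, e.g. `case "$SERVER_PATH" in /*) ;; *) echo "SERVER_PATH must start with /" >&2; exit 1;; esac`, and reject embedded whitespace the same way. Note also that `DocumentRoot $php_dir` is kept, so the application presumably stays reachable at `/` as well as at the alias; if only the aliased path is meant to be exposed behind the reverse proxy, that is worth stating in the README entry.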
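Review bot: `cat /etc/apache2/sites-enabled/lum.conf` dumps the generated vhost configuration to the container's stdout on every start, which reads like a debugging leftover. If it is meant to stay, gate it on an opt-in environment variable and say so in a comment above the line; otherwise drop it before merging so the startup log stays readable.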
@@ -7,7 +7,7 @@ include_once "ldap_functions.inc.php"; include_once "module_functions.inc.php"; set_page_access("admin"); -render_header("LDAP manager"); +render_header("$ORGANISATION_NAME account manager"); render_submenu(); $ldap_connection = open_ldap_connection(); @@ -70,7 +70,7 @@ render_js_username_check();
-
+ /show_group.php" method="post"> @@ -86,7 +86,7 @@ render_js_username_check(); \n $group\n \n"; + print " \n $group\n \n"; } ?> diff --git a/www/account_manager/index.php b/www/account_manager/index.php index d6a3fcb..2b010ce 100644 --- a/www/account_manager/index.php +++ b/www/account_manager/index.php @@ -7,7 +7,7 @@ include_once "ldap_functions.inc.php"; include_once "module_functions.inc.php"; set_page_access("admin"); -render_header("LDAP manager"); +render_header("$ORGANISATION_NAME account manager"); render_submenu(); $ldap_connection = open_ldap_connection(); @@ -51,7 +51,7 @@ $people = ldap_get_user_list($ldap_connection); ?>
- + /new_user.php" method="post"> @@ -70,7 +70,7 @@ foreach ($people as $account_identifier => $attribs){ $group_membership = ldap_user_group_membership($ldap_connection,$account_identifier); - print " \n \n"; + print " \n \n"; print " \n"; print " \n"; print " \n"; diff --git a/www/account_manager/module_functions.inc.php b/www/account_manager/module_functions.inc.php index 8bda566..0eef4c6 100644 --- a/www/account_manager/module_functions.inc.php +++ b/www/account_manager/module_functions.inc.php @@ -24,7 +24,7 @@ function render_submenu() { else { print '
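Review bot: The rewritten `print` of the user row appears to interpolate LDAP attribute values straight into the markup; the HTML of this hunk has been lost in rendering, but the residue at the foot of the page shows `$people[$account_identifier]['givenname']`, `['sn']` and `['mail']` concatenated into the row without escaping, and `$account_identifier` placed into an `href`. Since first and last name can arrive through the account request flow that new_user.php reads from `$_GET`, wrap each value in `htmlspecialchars(..., ENT_QUOTES)` and the identifier in `urlencode()` for the link, here and in the parallel group row in www/account_manager/groups.php. If the values are already escaped upstream, that is not visible from this page.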
  • '; } - print "" . ucwords($submodule) . "
  • \n"; + print "" . ucwords($submodule) . "\n"; } ?> diff --git a/www/account_manager/new_user.php b/www/account_manager/new_user.php index b9694d9..11f214a 100644 --- a/www/account_manager/new_user.php +++ b/www/account_manager/new_user.php @@ -8,25 +8,26 @@ include_once "module_functions.inc.php"; $attribute_map = ldap_complete_account_attribute_array(); -if ( $_POST['setup_admin_account'] ) { +if ( isset($_POST['setup_admin_account']) ) { $admin_setup = TRUE; validate_setup_cookie(); set_page_access("setup"); - $completed_action="/log_in"; + $completed_action="${SERVER_PATH}/log_in"; $page_title="New administrator account"; - render_header("Setup administrator account", FALSE); + render_header("$ORGANISATION_NAME account manager - setup administrator account", FALSE); } else { set_page_access("admin"); - $completed_action="/$THIS_MODULE_PATH/"; + $completed_action="${THIS_MODULE_PATH}/"; $page_title="New account"; + $admin_setup = FALSE; - render_header(); + render_header("$ORGANISATION_NAME account manager"); render_submenu(); } @@ -37,7 +38,7 @@ $weak_password = FALSE; $invalid_email = FALSE; $disabled_email_tickbox = TRUE; $invalid_cn = FALSE; -$invalid_account_attribute = FALSE; +$invalid_account_identifier = FALSE; $new_account_r = array(); @@ -48,7 +49,7 @@ foreach ($attribute_map as $attribute => $attr_r) { elseif (isset($attr_r['default'])) { $$attribute = $attr_r['default']; } - $new_account_r[$attribute] = $$attribute; + if (isset($$attribute)) { $new_account_r[$attribute] = $$attribute; } } ## @@ -61,7 +62,7 @@ if (isset($_GET['account_request'])) { $sn=filter_var($_GET['last_name'], FILTER_SANITIZE_STRING); $new_account_r['sn'] = $sn; - $uid = generate_username($first_name,$last_name); + $uid = generate_username($givenname,$sn); $new_account_r['uid'] = $uid; if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE) { 
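Review bot: `$completed_action="${SERVER_PATH}/log_in";` produces a double slash once web_functions.inc.php has appended the trailing `/` to `$SERVER_PATH` (the same commit adds that normalisation), so with the default `SERVER_PATH=/` the value becomes `//log_in`, which a browser or a `Location:` header treats as a scheme-relative URL pointing at a host named `log_in`. The admin branch and the mail text in this file use `${THIS_MODULE_PATH}/` and `${SERVER_PATH}change_password` without the extra slash; make this line match: `$completed_action="${SERVER_PATH}log_in";`. How `$completed_action` is consumed is outside the hunk, so confirm nothing else strips or adds a slash before it is emitted.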
@@ -92,7 +93,7 @@ if (isset($_POST['create_account'])) { $password = $_POST['password']; $new_account_r['password'] = $password; $account_identifier = $new_account_r[$LDAP["account_attribute"]]; - + if (!isset($cn) or $cn == "") { $invalid_cn = TRUE; } if ((!isset($account_identifier) or $account_identifier == "") and $invalid_cn != TRUE) { $invalid_account_identifier = TRUE; } if ((!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) and $ACCEPT_WEAK_PASSWORDS != TRUE) { $weak_password = TRUE; } @@ -129,7 +130,7 @@ You've been set up with an account for $ORGANISATION_NAME. Your credentials are Username: $account_identifier Password: $password -You should change your password as soon as possible. Go to ${SITE_PROTOCOL}${SERVER_HOSTNAME}/change_password and log in using your new credentials. This will take you to a page where you can change your password. +You should change your password as soon as possible. Go to ${SITE_PROTOCOL}${SERVER_HOSTNAME}${SERVER_PATH}change_password and log in using your new credentials. This will take you to a page where you can change your password. EoT; include_once "mail_functions.inc.php"; diff --git a/www/account_manager/show_group.php b/www/account_manager/show_group.php index 2b6fa15..c391b20 100644 --- a/www/account_manager/show_group.php +++ b/www/account_manager/show_group.php @@ -7,7 +7,7 @@ include_once "ldap_functions.inc.php"; include_once "module_functions.inc.php"; set_page_access("admin"); -render_header("LDAP manager"); +render_header("$ORGANISATION_NAME account manager"); render_submenu(); $ldap_connection = open_ldap_connection(); @@ -213,7 +213,7 @@ ldap_close($ldap_connection);

    (admin group)" ; } ?>

    -
    +
    /groups.php" method="post">
    • diff --git a/www/account_manager/show_user.php b/www/account_manager/show_user.php index 2cec14f..73a3bed 100644 --- a/www/account_manager/show_user.php +++ b/www/account_manager/show_user.php @@ -7,7 +7,7 @@ include_once "ldap_functions.inc.php"; include_once "module_functions.inc.php"; set_page_access("admin"); -render_header(); +render_header("$ORGANISATION_NAME account manager"); render_submenu(); $invalid_password = FALSE; @@ -115,7 +115,7 @@ Your password for $ORGANISATION_NAME has been reset. Your new credentials are: Username: $account_identifier Password: $password -You should change your password as soon as possible. Go to ${SITE_PROTOCOL}${SERVER_HOSTNAME}/change_password and log in using your new credentials. This will take you to a page where you can change your password. +You should change your password as soon as possible. Go to ${SITE_PROTOCOL}${SERVER_HOSTNAME}${SERVER_PATH}change_password and log in using your new credentials. This will take you to a page where you can change your password. EoT; include_once "mail_functions.inc.php"; @@ -381,7 +381,7 @@ EoT;

      -
      +
      /index.php" method="post">
      • @@ -397,8 +397,8 @@ EoT; $attr_r) { - $label = $attr_r['label']; - $onkeyup = $attr_r['onkeyup']; + if (isset($attr_r['label'])) { $label = $attr_r['label']; } else { $label = ""; } + if (isset($attr_r['onkeyup'])) { $onkeyup = $attr_r['onkeyup']; } else { $label = ""; } if ($attribute == $LDAP['account_attribute']) { $label = "$label*"; } ?>
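Review bot: The second added line sets the wrong variable in its else branch: `if (isset($attr_r['onkeyup'])) { $onkeyup = $attr_r['onkeyup']; } else { $label = ""; }` clears `$label` (undoing the line above it) and leaves `$onkeyup` holding the previous iteration's value, so an attribute without an `onkeyup` entry inherits the JavaScript handler of the attribute before it. It should read `if (isset($attr_r['onkeyup'])) { $onkeyup = $attr_r['onkeyup']; } else { $onkeyup = ""; }`; the form `$onkeyup = $attr_r['onkeyup'] ?? "";` is shorter and harder to mistype. The loop body continues past the hunk.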
        diff --git a/www/change_password/index.php b/www/change_password/index.php index 5d44493..9ad655a 100644 --- a/www/change_password/index.php +++ b/www/change_password/index.php @@ -18,7 +18,7 @@ if (isset($_POST['change_password'])) { $ldap_connection = open_ldap_connection(); ldap_change_password($ldap_connection,$USER_ID,$_POST['password']) or die("change_ldap_password() failed."); - render_header("Password changed"); + render_header("$ORGANISATION_NAME account manager - password changed"); ?>

        Your password has been changed.

        @@ -30,7 +30,7 @@ if (isset($_POST['change_password'])) { } -render_header('Change your LDAP password'); +render_header("Change your $ORGANISATION_NAME password"); if (isset($not_strong_enough)) { ?>
        @@ -58,9 +58,18 @@ if (isset($mismatched)) { ?>
        +
        +

        Use this form to change your password. When you start typing your new password the gauge at the bottom will show its security strength. +
        Enter your password again in the confirm field. If the passwords don't match then both fields will be bordered with red.

        +
        +
        +
        -
        -
        Change password
        +
        +
        + +
        +
        Change your password
        diff --git a/www/includes/config.inc.php b/www/includes/config.inc.php index 942e22b..ae04fd8 100644 --- a/www/includes/config.inc.php +++ b/www/includes/config.inc.php @@ -44,7 +44,9 @@ $ORGANISATION_NAME = (getenv('ORGANISATION_NAME') ? getenv('ORGANISATION_NAME') : 'LDAP'); $SITE_NAME = (getenv('SITE_NAME') ? getenv('SITE_NAME') : "$ORGANISATION_NAME user manager"); + $SERVER_HOSTNAME = (getenv('SERVER_HOSTNAME') ? getenv('SERVER_HOSTNAME') : "ldapusermanager.org"); + $SERVER_PATH = (getenv('SERVER_PATH') ? getenv('SERVER_PATH') : "/"); $ENFORCE_SAFE_SYSTEM_NAMES = ((strcasecmp(getenv('ENFORCE_SAFE_SYSTEM_NAMES'),'FALSE') == 0) ? FALSE : TRUE); $POSIX_USERNAME_FORMAT = (getenv('USERNAME_FORMAT') ? getenv('USERNAME_FORMAT') : '{first_name}-{last_name}'); diff --git a/www/includes/ldap_functions.inc.php b/www/includes/ldap_functions.inc.php index 4de172a..0065382 100644 --- a/www/includes/ldap_functions.inc.php +++ b/www/includes/ldap_functions.inc.php @@ -216,7 +216,7 @@ function ldap_hashed_password($password) { array_push($available_algos, $algo_name); } else { - error_log("$log_prefix password hashing - the system doesn't support ${algo_name}"); + error_log("$log_prefix password hashing - the system doesn't support ${algo_name}",0); } } $available_algos = array_merge($available_algos, $remaining_algos); @@ -224,7 +224,7 @@ function ldap_hashed_password($password) { if (isset($PASSWORD_HASH)) { if (!in_array($PASSWORD_HASH, $available_algos)) { $hash_algo = $available_algos[0]; - error_log("$log_prefix LDAP password: the chosen hash method ($PASSWORD_HASH) wasn't available"); + error_log("$log_prefix LDAP password: the chosen hash method ($PASSWORD_HASH) wasn't available",0); } else { $hash_algo = $PASSWORD_HASH; 
@@ -233,7 +233,7 @@ function ldap_hashed_password($password) { else { $hash_algo = $available_algos[0]; } - error_log("$log_prefix LDAP password: using '${hash_algo}' as the hashing method"); + error_log("$log_prefix LDAP password: using '${hash_algo}' as the hashing method",0); switch ($hash_algo) { @@ -282,14 +282,14 @@ function ldap_hashed_password($password) { break; case 'CLEAR': - error_log("$log_prefix password hashing - WARNING - Saving password in cleartext. This is extremely bad practice and should never ever be done in a production environment."); + error_log("$log_prefix password hashing - WARNING - Saving password in cleartext. This is extremely bad practice and should never ever be done in a production environment.",0); $hashed_pwd = $password; break; } - error_log("$log_prefix password update - algo $hash_algo | pwd $hashed_pwd"); + error_log("$log_prefix password update - algo $hash_algo | pwd $hashed_pwd",0); return $hashed_pwd; @@ -346,10 +346,8 @@ function fetch_id_stored_in_ldap($ldap_connection,$type="uid") { $ldap_search = @ ldap_search($ldap_connection, "${LDAP['base_dn']}", $filter, array('serialNumber')); $result = ldap_get_entries($ldap_connection, $ldap_search); - $fetched_id = $result[0]['serialnumber'][0]; - - if (isset($fetched_id) and is_numeric($fetched_id)){ - return $fetched_id; + if (isset($result[0]['serialnumber'][0]) and is_numeric($result[0]['serialnumber'][0])){ + return $result[0]['serialnumber'][0]; } else { return FALSE; 
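Review bot: `error_log("$log_prefix password update - algo $hash_algo | pwd $hashed_pwd",0);` writes credential material to the web server's error log, and in the `CLEAR` case a few lines above `$hashed_pwd` is the plaintext password itself; the commit only adds the message type, so this is the moment to drop the value. Log the algorithm alone: `error_log("$log_prefix password update - algo $hash_algo",0);`. Even salted hashes do not belong in logs that are routinely forwarded to shared collectors.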
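Review bot: `$ldap_search` is still handed to `ldap_get_entries()` unchecked even though `@ ldap_search(...)` on the line above can return `false`; on the `php:8-apache` image this commit moves to, passing `false` there is a `TypeError` rather than the warning PHP 7 produced, so a failed search now aborts the request instead of returning `FALSE`. Guard it the way the `ldap_is_group_member` hunk in this file now does, with `if (!$ldap_search) { return FALSE; }` before the `ldap_get_entries` call. The start of fetch_id_stored_in_ldap is outside the hunk.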
@@ -517,17 +515,23 @@ function ldap_is_group_member($ldap_connection,$group_name,$username) { $ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")"; $ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query); - $result = ldap_get_entries($ldap_connection, $ldap_search); - if ($LDAP['group_membership_uses_uid'] == FALSE) { - $username = "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}"; - } + if ($ldap_search) { + $result = ldap_get_entries($ldap_connection, $ldap_search); - if (preg_grep ("/^${username}$/i", $result[0][$LDAP['group_membership_attribute']])) { - return TRUE; + if ($LDAP['group_membership_uses_uid'] == FALSE) { + $username = "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}"; + } + + if (preg_grep ("/^${username}$/i", $result[0][$LDAP['group_membership_attribute']])) { + return TRUE; + } + else { + return FALSE; + } } else { - return FALSE; + return FALSE; } } @@ -600,7 +604,7 @@ function ldap_new_group($ldap_connection,$group_name) { if (! $add_group ) { $this_error="$log_prefix LDAP: unable to add new group (${group_dn}): " . ldap_error($ldap_connection); - if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix: DEBUG add_group array: ". print_r($new_group_array,true)); } + if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix: DEBUG add_group array: ". print_r($new_group_array,true),0); } error_log($this_error,0); } else { @@ -965,7 +969,7 @@ function ldap_detect_rfc2307bis($ldap_connection) { $bis_available = FALSE; if ($LDAP['forced_rfc2307bis'] == TRUE) { - if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP RFC2307BIS detection - skipping autodetection because FORCE_RFC2307BIS is TRUE"); } + if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP RFC2307BIS detection - skipping autodetection because FORCE_RFC2307BIS is TRUE",0); } $bis_available = TRUE; } else { 
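Review bot: The re-indented membership test `preg_grep ("/^${username}$/i", $result[0][$LDAP['group_membership_attribute']])` still interpolates `$username` (or the DN built from it) into a regular expression without `preg_quote()`, so metacharacters in the value alter the match and a DN's `.` and `+` are matched loosely rather than literally. Use `preg_grep("/^" . preg_quote($username, "/") . "$/i", ...)`, or replace the regex with a case-insensitive comparison over the attribute values. Separately, the new `if ($ldap_search)` guard does not cover a successful search with no entries, where `$result[0]` is undefined; check `$result['count'] > 0` before indexing.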
@@ -973,8 +977,8 @@ function ldap_detect_rfc2307bis($ldap_connection) { $schema_base_query = @ ldap_read($ldap_connection,"","subschemaSubentry=*",array('subschemaSubentry')); if (!$schema_base_query) { - error_log("$log_prefix LDAP RFC2307BIS detection - unable to query LDAP for objectClasses under ${schema_base_dn}:" . ldap_error($ldap_connection)); - error_log("$log_prefix LDAP RFC2307BIS detection - we'll assume that the RFC2307BIS schema isn't available. Set FORCE_RFC2307BIS to TRUE if you DO use RFC2307BIS."); + error_log("$log_prefix LDAP RFC2307BIS detection - unable to query LDAP for objectClasses under ${schema_base_dn}:" . ldap_error($ldap_connection),0); + error_log("$log_prefix LDAP RFC2307BIS detection - we'll assume that the RFC2307BIS schema isn't available. Set FORCE_RFC2307BIS to TRUE if you DO use RFC2307BIS.",0); } else { $schema_base_results = @ ldap_get_entries($ldap_connection, $schema_base_query); @@ -986,7 +990,7 @@ function ldap_detect_rfc2307bis($ldap_connection) { $objclass_query = @ ldap_read($ldap_connection,$schema_base_dn,"(objectClasses=*)",array('objectClasses')); if (!$objclass_query) { - error_log("$log_prefix LDAP RFC2307BIS detection - unable to query LDAP for objectClasses under ${schema_base_dn}:" . ldap_error($ldap_connection)); + error_log("$log_prefix LDAP RFC2307BIS detection - unable to query LDAP for objectClasses under ${schema_base_dn}:" . ldap_error($ldap_connection),0); } else { $objclass_results = @ ldap_get_entries($ldap_connection, $objclass_query); diff --git a/www/includes/mail_functions.inc.php b/www/includes/mail_functions.inc.php index 312f422..ea8ac22 100644 --- a/www/includes/mail_functions.inc.php +++ b/www/includes/mail_functions.inc.php 
@@ -23,7 +23,7 @@ function send_email($recipient_email,$recipient_name,$subject,$body) { $mail->Password = $SMTP['pass']; } - if ($MAIL['tls'] == TRUE) { $mail->SMTPSecure = "tls"; } + if ($EMAIL['tls'] == TRUE) { $mail->SMTPSecure = "tls"; } $mail->setFrom($EMAIL['from_address'], $EMAIL['from_name']); $mail->addAddress($recipient_email, $recipient_name); diff --git a/www/includes/web_functions.inc.php b/www/includes/web_functions.inc.php index 1cdda64..92117b7 100644 --- a/www/includes/web_functions.inc.php +++ b/www/includes/web_functions.inc.php @@ -12,7 +12,7 @@ $SENT_HEADERS = FALSE; $SESSION_TIMED_OUT = FALSE; $paths=explode('/',getcwd()); -$THIS_MODULE_PATH=end($paths); +$THIS_MODULE=end($paths); $GOOD_ICON = "☑"; $WARN_ICON = "⚠"; @@ -33,6 +33,9 @@ else { include ("config.inc.php"); # get local settings include ("modules.inc.php"); # module definitions +if (substr($SERVER_PATH, -1) != "/") { $SERVER_PATH .= "/"; } +$THIS_MODULE_PATH="${SERVER_PATH}${THIS_MODULE}"; + validate_passkey_cookie(); ###################################################### @@ -191,7 +194,7 @@ function log_out($method='normal') { # Delete the passkey from the database and the passkey cookie - global $USER_ID; + global $USER_ID, $SERVER_PATH; setcookie('orf_cookie', "", time()-20000, '/', '', '', TRUE); setcookie('sessto_cookie', "", time()-20000, '/', '', '', TRUE); @@ -200,7 +203,7 @@ function log_out($method='normal') { @ unlink("/tmp/$filename"); if ($method == 'auto') { $options = "?logged_out"; } else { $options = ""; } - header("Location: //${_SERVER["HTTP_HOST"]}/index.php$options\n\n"); + header("Location: //${_SERVER["HTTP_HOST"]}${SERVER_PATH}index.php$options\n\n"); } @@ -232,6 +235,19 @@ function render_header($title="",$menu=TRUE) { render_menu(); } + if (isset($_GET['logged_in'])) { + + ?> + +
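Review bot: The normalisation only fixes the trailing slash: `if (substr($SERVER_PATH, -1) != "/") { $SERVER_PATH .= "/"; }` accepts a value such as `lum` unchanged, and `$THIS_MODULE_PATH` and the `Location: //${_SERVER["HTTP_HOST"]}${SERVER_PATH}index.php` header in `log_out()` then build `//hostlum/...`, which redirects to a different host. Add the leading slash as well: `if ($SERVER_PATH === "" || $SERVER_PATH[0] !== "/") { $SERVER_PATH = "/" . $SERVER_PATH; }`. The default in www/includes/config.inc.php is `/`, so this only matters for explicitly set values, but the entrypoint passes the same variable to Apache unvalidated, so a single sanity check here is cheap insurance.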
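Review bot: The rewritten redirect `header("Location: //${_SERVER["HTTP_HOST"]}${SERVER_PATH}index.php$options\n\n");` still takes its target host from the client-supplied Host header rather than the configured `$SERVER_HOSTNAME`, so the post-logout destination is whatever host the request claimed, and behind the reverse proxy that motivates `SERVER_PATH` it is often the internal name rather than the public one. A path-relative target avoids both problems: `header("Location: ${SERVER_PATH}index.php$options");`. The trailing `\n\n` does nothing useful, since PHP discards trailing CR/LF from header values, and dropping it makes the intent clearer. The rest of log_out() lies outside the hunk.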
        + +

        You've logged in successfully.

        +
        +
    $account_identifier
    $account_identifier" . $people[$account_identifier]['givenname'] . "" . $people[$account_identifier]['sn'] . "" . $people[$account_identifier]['mail'] . "