diff --git a/Dockerfile b/Dockerfile
index 803eefb..0326936 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,6 +4,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends libldb-dev libl
 && ln -s /usr/lib/x86_64-linux-gnu/liblber.so /usr/lib/liblber.so
 RUN docker-php-source extract && docker-php-ext-install -j$(nproc) ldap && docker-php-source delete
+ADD https://github.com/PHPMailer/PHPMailer/archive/v6.2.0.tar.gz /tmp
+
 RUN a2enmod rewrite ssl
 RUN a2dissite 000-default default-ssl
@@ -11,6 +13,8 @@ EXPOSE 80
 EXPOSE 443
 COPY www/ /opt/ldap_user_manager
+RUN tar -xzf /tmp/v6.2.0.tar.gz -C /opt && mv /opt/PHPMailer-6.2.0 /opt/PHPMailer
+
 COPY entrypoint /usr/local/bin/entrypoint
 RUN chmod a+x /usr/local/bin/entrypoint
diff --git a/README.md b/README.md
index 083e665..2bbab30 100644
--- a/README.md
+++ b/README.md
@@ -12,6 +12,7 @@ Features
 * Setup wizard: this will create the necessary structure to allow you to add users and groups and will set up an initial admin user that can log into the user manager.
 * Group creation and management.
 * User account creation and management.
+ * Optionally send an email to the new user with their account credentials.
 * Secure password auto-generator: click the button to generate a secure password.
 * Password strength indicator.
 * Self-service password change: non-admin users can log in to change their password.
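Review bot: The added `ADD https://github.com/PHPMailer/PHPMailer/archive/v6.2.0.tar.gz /tmp` pulls third-party code into the image with no integrity check, so a changed or substituted tarball (GitHub archive tarballs are generated on the fly, not immutable release assets) would be extracted into /opt/PHPMailer without complaint by the second hunk's `RUN tar -xzf /tmp/v6.2.0.tar.gz ...`. Pin the expected SHA-256 of the archive and fail the build on mismatch; doing the download, verification and extraction in one RUN also drops the tarball, which the separate ADD layer otherwise keeps inside the image forever. The `<sha256>` below stands for the digest you compute from the v6.2.0 archive, and `curl`/`ca-certificates` may need adding to the apt-get line in the first hunk if the base image does not ship them. With BuildKit, `ADD --checksum=sha256:<digest> <url> /tmp/phpmailer.tar.gz` is a one-line alternative for the download step.
```dockerfile
COPY www/ /opt/ldap_user_manager
RUN curl -fsSL -o /tmp/phpmailer.tar.gz https://github.com/PHPMailer/PHPMailer/archive/v6.2.0.tar.gz \
 && echo "<sha256>  /tmp/phpmailer.tar.gz" | sha256sum -c - \
 && tar -xzf /tmp/phpmailer.tar.gz -C /opt \
 && mv /opt/PHPMailer-6.2.0 /opt/PHPMailer \
 && rm /tmp/phpmailer.tar.gz
```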
@@ -35,12 +36,24 @@ Screenshots ![self_service_password_change](https://user-images.githubusercontent.com/17613683/59344258-9ffcab80-8d05-11e9-9dc2-27dfd373fcc8.png) -A note on your LDAP schema +A note on your LDAP schema - please read this! --- -By default this application will expect the LDAP server to be using the **RFC2307BIS** schema. OpenLDAP (including the **osixia/openldap** image) uses the old NIS schema as its default schema. The user manager will work with either, but RFC2307BIS is recommended as it allows you to use **memberOf** searches. You can enable RFC2307BIS in **osixia/openldap** by setting `LDAP_RFC2307BIS_SCHEMA` to `true` during the initial setup. The application is set to expect BIS by default for backwards-compatibility with older versions. +By default this application will expect the LDAP server to be using the **RFC2307BIS** schema. OpenLDAP (including the **osixia/openldap** image) uses the older NIS schema as its default schema. -If you prefer not to use RFC2307BIS then set `LDAP_USES_NIS_SCHEMA` to `TRUE`. This will create groups solely as the **posixGroup** objectclass, and the default for `LDAP_GROUP_MEMBERSHIP_USES_UID` will `TRUE`. +> :warning: If you haven't explicitly set up the **RFC2307BIS** schema on your LDAP server then you need to set `LDAP_USES_NIS_SCHEMA` to `TRUE` as shown in the Quick start example below. + +**Why should I use RFC2307BIS?** + +The user manager will work with either NIS or BIS, but BIS is recommended as it allows you to use **memberOf** searches. You can enable BIS in **osixia/openldap** by setting `LDAP_RFC2307BIS_SCHEMA` to `true` during the initial setup. + +**Why not make NIS the default?** + +The original versions of this application were set to expect BIS by default. This was before we used specific release versions, so we're expecting the BIS schemas as the default to keep backwards-compatibility for anyone using the `latest` tag. 
+ +**I'm unable to use the BIS schema!** + +If you can't or prefer not to use RFC2307BIS then set `LDAP_USES_NIS_SCHEMA` to `TRUE`. This will create groups solely as the **posixGroup** objectclass, and the default for `LDAP_GROUP_MEMBERSHIP_USES_UID` will `TRUE`. Quick start @@ -60,8 +73,8 @@ docker run \ -e "LDAP_ADMIN_BIND_DN=cn=admin,dc=example,dc=com" \ -e "LDAP_ADMIN_BIND_PWD=secret"\ -e "LDAP_USES_NIS_SCHEMA=true" \ - -e "EMAIL_DOMAIN=example.com"\ - wheelybird/ldap-user-manager:v1.2 + -e "EMAIL_DOMAIN=ldapusermanager.org"\ + wheelybird/ldap-user-manager:v1.3 ``` Change the variable values to suit your environment. You might need to change `LDAP_USES_NIS_SCHEMA` if you're using the BIS schema. Now go to https://lum.example.com/setup. 
@@ -77,47 +90,93 @@ Configuration is via environmental variables. Please bear the following in mind Mandatory: ---- -* `LDAP_URI`: The URI of the LDAP server. e.g. ldap://ldap.example.com or ldaps://ldap.example.com -* `LDAP_BASE_DN`: The base DN for your organisation. e.g. `dc=example,dc=com` -* `LDAP_ADMIN_BIND_DN`: The DN for the user with permission to modify all records under `LDAP_BASE_DN`. e.g. `cn=admin,dc=example,dc=com` +* `LDAP_URI`: The URI of the LDAP server, e.g. `ldap://ldap.example.com` or `ldaps://ldap.example.com` + +* `LDAP_BASE_DN`: The base DN for your organisation, e.g. `dc=example,dc=com` + +* `LDAP_ADMIN_BIND_DN`: The DN for the user with permission to modify all records under `LDAP_BASE_DN`, e.g. `cn=admin,dc=example,dc=com` + * `LDAP_ADMIN_BIND_PWD`: The password for `LDAP_ADMIN_BIND_DN` + * `LDAP_ADMINS_GROUP`: The name of the group used to define accounts that can use this tool to manage LDAP accounts. e.g. `admins` Optional: ---- -* `SERVER_HOSTNAME` (default: *example.com*): The hostname that this interface will be served from. -* `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption. This is insecure and should only be used for testing. +**Organisation settings** + +* `SERVER_HOSTNAME` (default: *ldapusername.org*): The hostname that this interface will be served from. +* `ORGANISATION_NAME`: (default: *LDAP*): Your organisation's name. + +* `SITE_NAME` (default: *{ORGANISATION_NAME} user manager*): Change this to replace the title in the menu, e.g. "My Company Account Management". + + +**LDAP settings** + * `LDAP_USER_OU` (default: *people*): The name of the OU used to store user accounts (without the base DN appended). * `LDAP_USES_NIS_SCHEMA` (default: *FALSE*): If you use the NIS schema instead of the (preferable) RFC2307BIS schema, set this to `TRUE`. See [A note on your LDAP schema](#a-note-on-your-ldap-schema) for more information. 
* `LDAP_GROUP_OU` (default: *groups*): The name of the OU used to store groups (without the base DN appended). * `LDAP_GROUP_MEMBERSHIP_ATTRIBUTE` (default: *memberUID* or *uniqueMember*): The attribute used when adding a user to a group. If `LDAP_USES_NIS_SCHEMA` is `TRUE` the default is `memberUID`, otherwise it's `uniqueMember`. Explicitly setting this variable will override the default. -* `LDAP_GROUP_MEMBERSHIP_USES_UID`(default: *TRUE* or *FALSE*): If *TRUE* then the entry for a member of a group will be just the username. Otherwise it's the member's full DN. If `LDAP_USES_NIS_SCHEMA` is `TRUE` the default is `TRUE`, otherwise it's `FALSE`. Explicitly setting this variable will override the default. +* `LDAP_GROUP_MEMBERSHIP_USES_UID` (default: *TRUE* or *FALSE*): If *TRUE* then the entry for a member of a group will be just the username. Otherwise it's the member's full DN. If `LDAP_USES_NIS_SCHEMA` is `TRUE` the default is `TRUE`, otherwise it's `FALSE`. Explicitly setting this variable will override the default. * `LDAP_REQUIRE_STARTTLS` (default: *TRUE*): If *TRUE* then a TLS connection is required for this interface to work. If set to *FALSE* then the interface will work without STARTTLS, but a warning will be displayed on the page. -* `LDAP_TLS_CACERT` (no default): If you need to use a specific CA certificate for TLS connections to the LDAP server (when `LDAP_REQUIRE_STARTTLS` is set) then assign the contents of the CA certificate to this variable. e.g. `-e LDAP_TLS_CACERT=$(
-

The account was created but adding it to the admin group failed.

+

. Unfortunately adding it to the admin group failed.

-

Account created.

+

@@ -181,6 +209,25 @@ render_js_email_generator('username','email'); + +

@@ -197,28 +244,28 @@ render_js_email_generator('username','email');
- onkeyup="update_username(); update_email();"> + onkeyup="update_username(); update_email(); check_email_validity(document.getElementById('email').value)">
- onkeyup="update_username(); update_email();"> + onkeyup="update_username(); update_email(); check_email_validity(document.getElementById('email').value)">
- onkeyup="check_entity_name_validity(document.getElementById('username').value,'username_div'); update_email();"> + onkeyup="check_entity_name_validity(document.getElementById('username').value,'username_div'); update_email(); check_email_validity(document.getElementById('email').value)">
- onkeyup="auto_email_update = false;"> + onkeyup="auto_email_update = false; check_email_validity(document.getElementById('email').value)">
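Review bot: The `check_email_validity(document.getElementById('email').value)` call added to each of the four `onkeyup` handlers is browser-side only, so it gives no guarantee to the server-side code that will later hand `email` to PHPMailer as a recipient; that handler is outside this hunk, and if it does not already validate the submitted address (for instance with `filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)` before use) it should, since anything can be POSTed regardless of what the form does. As a style point, the same `document.getElementById('email').value` expression is now repeated in every handler; letting `check_email_validity()` read the field itself would shorten these attributes and keep the element id in one place.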
@@ -239,8 +286,17 @@ render_js_email_generator('username','email');
+ +
+ +
+ Email these credentials to the user? +
+
+ +
- +
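Review bot: The new `Email these credentials to the user?` option means the account's initial password leaves the system in an email, which is cleartext in transit unless every hop negotiates TLS and is then retained indefinitely in the recipient's mailbox; the form handler that acts on the checkbox is outside this hunk, so this is a caveat for it rather than a defect in the markup. At minimum the label should say so, e.g. `Email these credentials to the user? (the password is sent in clear text; ask the user to change it after first login)`, and the README feature bullet should carry the same warning. If that handler logs outgoing mail for debugging, check that the password is not written to the log as well.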
diff --git a/www/account_manager/show_group.php b/www/account_manager/show_group.php index 7ce751c..fd800e1 100644 --- a/www/account_manager/show_group.php +++ b/www/account_manager/show_group.php @@ -46,6 +46,7 @@ if (isset($_POST['new_group'])) { $current_members = ldap_get_group_members($ldap_connection,$group_cn); +$full_dn = ldap_get_dn_of_group($ldap_connection,$group_cn); $all_accounts = ldap_get_user_list($ldap_connection); $all_people = array(); @@ -210,8 +211,10 @@ ldap_close($ldap_connection);
+