HomeLab/ldap-user-manager
2
0
Fork 0
mirror of https://github.com/wheelybird/ldap-user-manager.git synced 2025-01-18 15:32:54 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add send email, show full DN, fix TLS check at setup and add verbose LDAP debugging

Browse Source
This commit is contained in:
Brian Lycett 2020-11-28 18:00:01 +00:00
parent 7d5d6b89ad
commit 8dacee9c4e
11 changed files with 272 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
Dockerfile
View File

@ -4,6 +4,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends libldb-dev libl
&& ln -s /usr/lib/x86_64-linux-gnu/liblber.so /usr/lib/liblber.so
RUN docker-php-source extract && docker-php-ext-install -j$(nproc) ldap && docker-php-source delete
ADD https://github.com/PHPMailer/PHPMailer/archive/v6.2.0.tar.gz /tmp
RUN a2enmod rewrite ssl
RUN a2dissite 000-default default-ssl
@ -11,6 +13,8 @@ EXPOSE 80
EXPOSE 443
COPY www/ /opt/ldap_user_manager
RUN tar -xzf /tmp/v6.2.0.tar.gz -C /opt && mv /opt/PHPMailer-6.2.0 /opt/PHPMailer
COPY entrypoint /usr/local/bin/entrypoint
RUN chmod a+x /usr/local/bin/entrypoint

97
README.md
View File

@ -12,6 +12,7 @@ Features
* Setup wizard: this will create the necessary structure to allow you to add users and groups and will set up an initial admin user that can log into the user manager.
* Group creation and management.
* User account creation and management.
* Optionally send an email to the new user with their account credentials.
* Secure password auto-generator: click the button to generate a secure password.
* Password strength indicator.
* Self-service password change: non-admin users can log in to change their password.
@ -35,12 +36,24 @@ Screenshots
![self_service_password_change](https://user-images.githubusercontent.com/17613683/59344258-9ffcab80-8d05-11e9-9dc2-27dfd373fcc8.png)
A note on your LDAP schema
A note on your LDAP schema - please read this!
---
By default this application will expect the LDAP server to be using the **RFC2307BIS** schema. OpenLDAP (including the **osixia/openldap** image) uses the old NIS schema as its default schema. The user manager will work with either, but RFC2307BIS is recommended as it allows you to use **memberOf** searches. You can enable RFC2307BIS in **osixia/openldap** by setting `LDAP_RFC2307BIS_SCHEMA` to `true` during the initial setup. The application is set to expect BIS by default for backwards-compatibility with older versions.
By default this application will expect the LDAP server to be using the **RFC2307BIS** schema. OpenLDAP (including the **osixia/openldap** image) uses the older NIS schema as its default schema.
If you prefer not to use RFC2307BIS then set `LDAP_USES_NIS_SCHEMA` to `TRUE`. This will create groups solely as the **posixGroup** objectclass, and the default for `LDAP_GROUP_MEMBERSHIP_USES_UID` will `TRUE`.
> :warning: If you haven't explicitly set up the **RFC2307BIS** schema on your LDAP server then you need to set `LDAP_USES_NIS_SCHEMA` to `TRUE` as shown in the Quick start example below.
**Why should I use RFC2307BIS?**
The user manager will work with either NIS or BIS, but BIS is recommended as it allows you to use **memberOf** searches. You can enable BIS in **osixia/openldap** by setting `LDAP_RFC2307BIS_SCHEMA` to `true` during the initial setup.
**Why not make NIS the default?**
The original versions of this application were set to expect BIS by default. This was before we used specific release versions, so we're expecting the BIS schemas as the default to keep backwards-compatibility for anyone using the `latest` tag.
**I'm unable to use the BIS schema!**
If you can't or prefer not to use RFC2307BIS then set `LDAP_USES_NIS_SCHEMA` to `TRUE`. This will create groups solely as the **posixGroup** objectclass, and the default for `LDAP_GROUP_MEMBERSHIP_USES_UID` will `TRUE`.
Quick start
@ -60,8 +73,8 @@ docker run \
-e "LDAP_ADMIN_BIND_DN=cn=admin,dc=example,dc=com" \
-e "LDAP_ADMIN_BIND_PWD=secret"\
-e "LDAP_USES_NIS_SCHEMA=true" \
-e "EMAIL_DOMAIN=example.com"\
wheelybird/ldap-user-manager:v1.2
-e "EMAIL_DOMAIN=ldapusermanager.org"\
wheelybird/ldap-user-manager:v1.3
```
Change the variable values to suit your environment. You might need to change `LDAP_USES_NIS_SCHEMA` if you're using the BIS schema. Now go to https://lum.example.com/setup.
@ -77,17 +90,29 @@ Configuration is via environmental variables. Please bear the following in mind
Mandatory:
----
* `LDAP_URI`: The URI of the LDAP server. e.g. ldap://ldap.example.com or ldaps://ldap.example.com
* `LDAP_BASE_DN`: The base DN for your organisation. e.g. `dc=example,dc=com`
* `LDAP_ADMIN_BIND_DN`: The DN for the user with permission to modify all records under `LDAP_BASE_DN`. e.g. `cn=admin,dc=example,dc=com`
* `LDAP_URI`: The URI of the LDAP server, e.g. `ldap://ldap.example.com` or `ldaps://ldap.example.com`
* `LDAP_BASE_DN`: The base DN for your organisation, e.g. `dc=example,dc=com`
* `LDAP_ADMIN_BIND_DN`: The DN for the user with permission to modify all records under `LDAP_BASE_DN`, e.g. `cn=admin,dc=example,dc=com`
* `LDAP_ADMIN_BIND_PWD`: The password for `LDAP_ADMIN_BIND_DN`
* `LDAP_ADMINS_GROUP`: The name of the group used to define accounts that can use this tool to manage LDAP accounts. e.g. `admins`
Optional:
----
* `SERVER_HOSTNAME` (default: *example.com*): The hostname that this interface will be served from.
* `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption. This is insecure and should only be used for testing.
**Organisation settings**
* `SERVER_HOSTNAME` (default: *ldapusername.org*): The hostname that this interface will be served from.
* `ORGANISATION_NAME`: (default: *LDAP*): Your organisation's name.
* `SITE_NAME` (default: *{ORGANISATION_NAME} user manager*): Change this to replace the title in the menu, e.g. "My Company Account Management".
**LDAP settings**
* `LDAP_USER_OU` (default: *people*): The name of the OU used to store user accounts (without the base DN appended).
@ -99,25 +124,59 @@ Optional:
* `LDAP_REQUIRE_STARTTLS` (default: *TRUE*): If *TRUE* then a TLS connection is required for this interface to work. If set to *FALSE* then the interface will work without STARTTLS, but a warning will be displayed on the page.
* `LDAP_IGNORE_CERT_ERRORS` (default: *FALSE*): If *TRUE* then problems with the certificate presented by the LDAP server will be ignored (for example FQDN mismatches). Use this if your LDAP server is using a self-signed certificate and you don't have a CA certificate for it or you're connecting to a pool of different servers via round-robin DNS.
* `LDAP_TLS_CACERT` (no default): If you need to use a specific CA certificate for TLS connections to the LDAP server (when `LDAP_REQUIRE_STARTTLS` is set) then assign the contents of the CA certificate to this variable. e.g. `-e LDAP_TLS_CACERT=$(</path/to/ca.crt)`
**User account settings**
* `DEFAULT_USER_GROUP` (default: *everybody*): The group that new accounts are automatically added to when created. *NOTE*: If this group doesn't exist then a group is created with the same name as the username and the user is added to that group.
* `DEFAULT_USER_SHELL` (default: */bin/bash*): The shell that will be launched when the user logs into a server.
* `EMAIL_DOMAIN` (no default): If set then the email address field will be automatically populated in the form of `username@email_domain`.
* `USERNAME_FORMAT` (default: *{first_name}-{last_name}*): The template used to dynamically generate usernames. See [Username format](#username-format).
* `USERNAME_REGEX` (default: *^[a-z][a-zA-Z0-9\._-]{3,32}$*): The regular expression used to ensure a username (and group name) is valid. See [Username format](#username-format).
* `PASSWORD_HASH` (no default): Select which hashing method which will be used to store passwords in LDAP. Options are (in order of precedence) `SHA512CRYPT`, `SHA256CRYPT`, `MD5CRYPT`, `SSHA`, `SHA`, `SMD5`, `MD5`, `CRYPT` & `CLEAR`. If your chosen method isn't available on your system then the strongest available method will be automatically selected - `SSHA` is the strongest method guaranteed to be available. Cleartext passwords should NEVER be used in any situation outside of a test.
* `ACCEPT_WEAK_PASSWORDS` (default: *FALSE*): Set this to *TRUE* to prevent a password being rejected for being too weak. The password strength indicators will still gauge the strength of the password. Don't enable this in a production environment.
* `LOGIN_TIMEOUT_MINS` (default: 10 minutes): How long before an idle session will be timed out.
* `SITE_NAME` (default: *LDAP user manager*): Change this to replace the title in the menu. e.g. "My Company"
**Email settings**
* `SMTP_HOSTNAME` (no default): The hostname of an SMTP server - used to send emails when creating new accounts.
* `SMTP_HOST_PORT` (default: *25*): The SMTP port on the SMTP server.
* `SMTP_USERNAME` (no default): The username to use when the SMTP server requires authentication.
* `SMTP_PASSWORD` (no default): The password to use when the SMTP server requires authentication.
* `SMTP_USE_TLS` (default: *FALSE*): Set to TRUE if the SMTP server requires TLS to be enabled.
* `EMAIL_FROM_ADDRESS` (default: *admin@{EMAIL_DOMAIN}*): The FROM email address used when sending out emails. The default domain is taken from `EMAIL_DOMAIN` under **User account settings**.
* `EMAIL_FROM_NAME` (default: *{SITE_NAME}*): The FROM name used when sending out emails. The default name is taken from `SITE_NAME` under **Organisation settings**.
**Site security settings**
* `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption. This is insecure and should only be used for testing.
* `LOGIN_TIMEOUT_MINS` (default: *10 minutes*): How long before an idle session will be timed out.
**Debug settings**
* `LDAP_DEBUG` (default: *FALSE*): Set to TRUE to increase the logging level for LDAP requests. This will output passwords to the error log - don't enable this in a production environment. This is for information on problems updating LDAP records and such. To debug problems connecting to the LDAP server in the first place use `LDAP_VERBOSE_CONNECTION_LOGS`.
* `LDAP_VERBOSE_CONNECTION_LOGS` (default: *FALSE*): Set to TRUE to enable detailed LDAP connection logs (PHP's LDAP_OPT_DEBUG_LEVEL 7). This will flood the logs with detailled LDAP connection information so disable this for production environments.
* `LDAP_DEBUG` (default: *FALSE*): Set to TRUE to increase the logging level for LDAP connections. This will output passwords to the error log - don't enable this in a production environment.
* `SESSION_DEBUG` (default: *FALSE*): Set to TRUE to increase the logging level for sessions and user authorisation. This will output cookie passkeys to the error log - don't enable this in a production environment.
* `SMTP_LOG_LEVEL` (default: *1*): Set to between 1-4 to get SMTP logging information (0 disables SMTP logs). See https://github.com/PHPMailer/PHPMailer/wiki/SMTP-Debugging for details of the levels.
Webserver SSL setup
---
@ -130,7 +189,7 @@ docker run \
--name=lum \
-p 80:80 \
-p 443:443 \
-e SERVER_HOSTNAME=lum.example.com \
-e SERVER_HOSTNAME=lum.ldapusermanager.org \
-v /your/ssl/cert/dir:/opt/ssl \
...
...
@ -146,6 +205,16 @@ The setup utility will create the user and account trees, records that store the
![initial_setup](https://user-images.githubusercontent.com/17613683/59344213-865b6400-8d05-11e9-9d86-381d59671530.png)
Sending emails
---
When you create an account you'll have an option to send an email to the person you created the account for. The email will give them their new username, password and a link to the self-service password change utility.
Emails are sent via SMTP, so you'll need to be able to connect to an SMTP server and pass in the settings for that server via environmental variables - see **Email settings** above.
If you haven't passed in those settings or if the account you've created has no (valid) email address then the option to send an email will be disabled.
Note that failures to deliver are silent. If people aren't receiving the emails then check the logs to see why not. You can increase the log level (`SMTP_LOG_LEVEL`) for more detailed logs.
Username format
---

2
entrypoint
View File

@ -3,7 +3,7 @@ set -e
ssl_dir="/opt/ssl"
if [ ! "$SERVER_HOSTNAME" ]; then export SERVER_HOSTNAME=example.com; fi
if [ ! "$SERVER_HOSTNAME" ]; then export SERVER_HOSTNAME=ldapusermanager.org; fi
#If LDAP_TLS_CACERT is set then write it out as a file
#and set up the LDAP client conf to use it.

72
www/account_manager/new_user.php
View File

@ -34,6 +34,9 @@ $invalid_username = FALSE;
$weak_password = FALSE;
$invalid_email = FALSE;
if ($SMTP['host'] != "") { $can_send_email = TRUE; } else { $can_send_email = FALSE; }
if (isset($_POST['create_account'])) {
$ldap_connection = open_ldap_connection();
@ -45,12 +48,13 @@ if (isset($_POST['create_account'])) {
if ($_POST['email']) { $email = stripslashes($_POST['email']); }
if ((!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) and $ACCEPT_WEAK_PASSWORDS != TRUE) { $weak_password = TRUE; }
if (isset($email) and !is_valid_email($email)) { $invalid_email = TRUE; }
if (preg_match("/\"|'/",$password)) { $invalid_password = TRUE; }
if ($_POST['password'] != $_POST['password_match']) { $mismatched_passwords = TRUE; }
if (!preg_match("/$USERNAME_REGEX/",$username)) { $invalid_username = TRUE; }
if (isset($_POST['send_email']) and isset($email) and $can_send_email == TRUE) { $send_user_email = TRUE; }
if ( isset($first_name)
and isset($last_name)
@ -68,11 +72,35 @@ if (isset($_POST['create_account'])) {
if ($new_account) {
$creation_message = "The account was created.";
if (isset($send_user_email) and $send_user_email == TRUE) {
if ($NO_HTTPS == TRUE) { $protocol = 'http://'; } else { $protocol = 'https://'; }
if (in_array(strtolower($ORGANISATION_NAME[0]),array('a','e','i','o','u'))) { $org_prefix = "An "; } else { $org_prefix = "A "; }
$mail_subject = "$org_prefix $ORGANISATION_NAME account has been created for you.";
$mail_body = <<<EoT
You've been set up with an account for $ORGANISATION_NAME. Your credentials are:
Username: $username
Password: $password
You should change your password as soon as possible. Log into the account manager at ${protocol}${SITE_URL}/log_in using your credentials.
Once logged in you can change your password at ${protocol}${SITE_URL}/change_password/
EoT;
include_once "mail_functions.inc.php";
send_email($email,"$first_name $last_name",$mail_subject,$mail_body);
$creation_message = "The account was created and an email sent to $email.";
}
if ($admin_setup == TRUE) {
$member_add = ldap_add_member_to_group($ldap_connection, $LDAP['admins_group'], $username);
if (!$member_add) { ?>
<div class="alert alert-warning">
<p class="text-center">The account was created but adding it to the admin group failed.</p>
<p class="text-center"><?php print $creation_message; ?>. Unfortunately adding it to the admin group failed.</p>
</div>
<?php
}
@ -80,7 +108,7 @@ if (isset($_POST['create_account'])) {
?>
<div class="alert alert-success">
<p class="text-center">Account created.</p>
<p class="text-center"><?php print $creation_message; ?></p>
</div>
<form action='<?php print $completed_action; ?>'>
<p align="center">
@ -181,6 +209,25 @@ render_js_email_generator('username','email');
</script>
<script>
function check_email_validity(email) {
var check_regex = /^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/;
if (! check_regex.test(email) ) {
document.getElementById("email_div").classList.add("has-error");
<?php if ($can_send_email == TRUE) { ?>document.getElementById("send_email_checkbox").disabled = true;<?php } ?>
}
else {
document.getElementById("email_div").classList.remove("has-error");
<?php if ($can_send_email == TRUE) { ?>document.getElementById("send_email_checkbox").disabled = false;<?php } ?>
}
}
</script>
<div class="container">
<div class="col-sm-8">
@ -197,28 +244,28 @@ render_js_email_generator('username','email');
<div class="form-group">
<label for="first_name" class="col-sm-3 control-label">First name</label>
<div class="col-sm-6">
<input tabindex="1" type="text" class="form-control" id="first_name" name="first_name" <?php if (isset($first_name)){ print " value='$first_name'"; } ?> onkeyup="update_username(); update_email();">
<input tabindex="1" type="text" class="form-control" id="first_name" name="first_name" <?php if (isset($first_name)){ print " value='$first_name'"; } ?> onkeyup="update_username(); update_email(); check_email_validity(document.getElementById('email').value)">
</div>
</div>
<div class="form-group">
<label for="last_name" class="col-sm-3 control-label">Last name</label>
<div class="col-sm-6">
<input tabindex="3" type="text" class="form-control" id="last_name" name="last_name" <?php if (isset($last_name)){ print " value='$last_name'"; } ?> onkeyup="update_username(); update_email();">
<input tabindex="3" type="text" class="form-control" id="last_name" name="last_name" <?php if (isset($last_name)){ print " value='$last_name'"; } ?> onkeyup="update_username(); update_email(); check_email_validity(document.getElementById('email').value)">
</div>
</div>
<div class="form-group" id="username_div">
<label for="username" class="col-sm-3 control-label">Username</label>
<div class="col-sm-6">
<input tabindex="3" type="text" class="form-control" id="username" name="username" <?php if (isset($username)){ print " value='$username'"; } ?> onkeyup="check_entity_name_validity(document.getElementById('username').value,'username_div'); update_email();">
<input tabindex="3" type="text" class="form-control" id="username" name="username" <?php if (isset($username)){ print " value='$username'"; } ?> onkeyup="check_entity_name_validity(document.getElementById('username').value,'username_div'); update_email(); check_email_validity(document.getElementById('email').value)">
</div>
</div>
<div class="form-group" id="email_div">
<label for="username" class="col-sm-3 control-label">Email</label>
<div class="col-sm-6">
<input tabindex="4" type="text" class="form-control" id="email" name="email" <?php if (isset($email)){ print " value='$email'"; } ?> onkeyup="auto_email_update = false;">
<input tabindex="4" type="text" class="form-control" id="email" name="email" <?php if (isset($email)){ print " value='$email'"; } ?> onkeyup="auto_email_update = false; check_email_validity(document.getElementById('email').value)">
</div>
</div>
@ -239,8 +286,17 @@ render_js_email_generator('username','email');
</div>
</div>
<?php if ($can_send_email == TRUE and $admin_setup != TRUE) { ?>
<div class="form-group" id="send_email_div">
<label for="send_email" class="col-sm-3 control-label"> </label>
<div class="col-sm-6">
<input tabindex="8" type="checkbox" class="form-check-input" id="send_email_checkbox" name="send_email" disabled> Email these credentials to the user?
</div>
</div>
<?php } ?>
<div class="form-group">
<button tabindex="8" type="submit" class="btn btn-warning">Create account</button>
<button tabindex="9" type="submit" class="btn btn-warning">Create account</button>
</div>
</form>

5
www/account_manager/show_group.php
View File

@ -46,6 +46,7 @@ if (isset($_POST['new_group'])) {
$current_members = ldap_get_group_members($ldap_connection,$group_cn);
$full_dn = ldap_get_dn_of_group($ldap_connection,$group_cn);
$all_accounts = ldap_get_user_list($ldap_connection);
$all_people = array();
@ -210,9 +211,11 @@ ldap_close($ldap_connection);
<button class="btn btn-warning pull-right" onclick="show_delete_group_button();">Delete group</button>
<form action="/<?php print $THIS_MODULE_PATH; ?>/groups.php" method="post"><input type="hidden" name="delete_group" value="<?php print $group_cn; ?>"><button class="btn btn-danger pull-right invisible" id="delete_group">Confirm deletion</button></form>
</div>
<ul class="list-group">
<li class="list-group-item"><?php print $full_dn; ?></li>
</li>
<div class="panel-body">
<div class="row">
<div class="dual-list list-left col-md-5">

11
www/account_manager/show_user.php
View File

@ -206,6 +206,9 @@ if ($ldap_search) {
$member_of = $currently_member_of;
}
$account_name = $user[0]['uid'][0];
$full_dn = $user[0]['dn'];
################
@ -320,16 +323,18 @@ if ($ldap_search) {
</script>
<div class="container">
<div class="col-sm-7">
<div class="panel panel-default">
<div class="panel-heading clearfix">
<h3 class="panel-title pull-left" style="padding-top: 7.5px;"><?php print $user[0]['uid'][0]; ?></h3>
<button class="btn btn-warning pull-right" onclick="show_delete_user_button();">Delete account</button>
<span class="panel-title pull-left"><h3><?php print $account_name; ?></h3></span>
<button class="btn btn-warning pull-right align-self-end" style="margin-top: auto;" onclick="show_delete_user_button();">Delete account</button>
<form action="/<?php print $THIS_MODULE_PATH; ?>/index.php" method="post"><input type="hidden" name="delete_user" value="<?php print urlencode($username); ?>"><button class="btn btn-danger pull-right invisible" id="delete_user">Confirm deletion</button></form>
</div>
<ul class="list-group">
<li class="list-group-item"><?php print $full_dn; ?></li>
</li>
<div class="panel-body">
<form class="form-horizontal" action="" method="post">

34
www/includes/config.inc.php
View File

@ -30,14 +30,13 @@
$LDAP['account_attribute'] = 'uid';
$LDAP['require_starttls'] = ((strcasecmp(getenv('LDAP_REQUIRE_STARTTLS'),'TRUE') == 0) ? TRUE : FALSE);
$LDAP['ignore_cert_errors'] = ((strcasecmp(getenv('LDAP_IGNORE_CERT_ERRORS'),'TRUE') == 0) ? TRUE : FALSE);
$DEFAULT_USER_GROUP = (getenv('DEFAULT_USER_GROUP') ? getenv('DEFAULT_USER_GROUP') : 'everybody');
$DEFAULT_USER_SHELL = (getenv('DEFAULT_USER_SHELL') ? getenv('DEFAULT_USER_SHELL') : '/bin/bash');
$EMAIL_DOMAIN = (getenv('EMAIL_DOMAIN') ? getenv('EMAIL_DOMAIN') : Null);
$LOGIN_TIMEOUT_MINS = (getenv('SESSION_TIMEOUT') ? getenv('SESSION_TIMEOUT') : 10);
$SITE_NAME = (getenv('SITE_NAME') ? getenv('SITE_NAME') : 'LDAP user manager');
$ORGANISATION_NAME = (getenv('ORGANISATION_NAME') ? getenv('ORGANISATION_NAME') : 'LDAP');
$SITE_NAME = (getenv('SITE_NAME') ? getenv('SITE_NAME') : "$ORGANISATION_NAME user manager");
$USERNAME_FORMAT = (getenv('USERNAME_FORMAT') ? getenv('USERNAME_FORMAT') : '{first_name}-{last_name}');
$USERNAME_REGEX = (getenv('USERNAME_REGEX') ? getenv('USERNAME_REGEX') : '^[a-z][a-zA-Z0-9\._-]{3,32}$');
@ -46,8 +45,11 @@
if (getenv('PASSWORD_HASH')) { $PASSWORD_HASH = strtoupper(getenv('PASSWORD_HASH')); }
$ACCEPT_WEAK_PASSWORDS = ((strcasecmp(getenv('ACCEPT_WEAK_PASSWORDS'),'TRUE') == 0) ? TRUE : FALSE);
$LOGIN_TIMEOUT_MINS = (getenv('SESSION_TIMEOUT') ? getenv('SESSION_TIMEOUT') : 10);
$LDAP_DEBUG = ((strcasecmp(getenv('LDAP_DEBUG'),'TRUE') == 0) ? TRUE : FALSE);
$LDAP_VERBOSE_CONNECTION_LOGS = ((strcasecmp(getenv('LDAP_VERBOSE_CONNECTION_LOGS'),'TRUE') == 0) ? TRUE : FALSE);
$SESSION_DEBUG = ((strcasecmp(getenv('SESSION_DEBUG'),'TRUE') == 0) ? TRUE : FALSE);
###
@ -57,7 +59,29 @@
###
$log_prefix = date('Y-m-d H:i:s') . " - LDAP manager - $USER_ID - ";
$SMTP['host'] = getenv('SMTP_HOSTNAME');
$SMTP['user'] = getenv('SMTP_USERNAME');
$SMTP['pass'] = getenv('SMTP_PASSWORD');
$SMTP['port'] = (getenv('SMTP_HOST_PORT') ? getenv('SMTP_HOST_PORT') : 25);
$SMTP['tls'] = ((strcasecmp(getenv('SMTP_USE_TLS'),'TRUE') == 0) ? TRUE : FALSE);
$SMTP['debug_level'] = getenv('SMTP_LOG_LEVEL');
if (!is_numeric($SMTP['debug_level']) or $SMTP['debug_level'] >4 or $SMTP['debug_level'] <0) { $SMTP['debug_level'] = 1; }
$EMAIL_DOMAIN = (getenv('EMAIL_DOMAIN') ? getenv('EMAIL_DOMAIN') : Null);
$default_email_from_domain = ($EMAIL_DOMAIN ? $EMAIL_DOMAIN : 'ldapusermanger.org');
$EMAIL['from_address'] = (getenv('EMAIL_FROM_ADDRESS') ? getenv('EMAIL_FROM_ADDRESS') : "admin@" . $default_email_from_domain );
$EMAIL['from_name'] = (getenv('EMAIL_FROM_NAME') ? getenv('EMAIL_FROM_NAME') : $SITE_NAME );
$NO_HTTPS = ((strcasecmp(getenv('NO_HTTPS'),'TRUE') == 0) ? TRUE : FALSE);
###
$log_prefix = "";
###
$errors = "";

35
www/includes/ldap_functions.inc.php
View File

@ -1,13 +1,14 @@
<?php
$LDAP_CONNECTION_WARNING = FALSE;
$LDAP_IS_SECURE = FALSE;
###################################
function open_ldap_connection() {
global $log_prefix, $LDAP, $SENT_HEADERS, $LDAP_DEBUG;
global $log_prefix, $LDAP, $SENT_HEADERS, $LDAP_DEBUG, $LDAP_IS_SECURE;
if ($LDAP['ignore_cert_errors'] == TRUE) { putenv('LDAPTLS_REQCERT=never'); }
$ldap_connection = @ ldap_connect($LDAP['uri']);
if (!$ldap_connection) {
@ -17,6 +18,7 @@ function open_ldap_connection() {
}
ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
if ($LDAP_VERBOSE_CONNECTION_LOGS == TRUE) { ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7); }
if (!preg_match("/^ldaps:/", $LDAP['uri'])) {
@ -39,9 +41,13 @@ function open_ldap_connection() {
ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
}
}
elseif ($LDAP_DEBUG == TRUE) {
else {
if ($LDAP_DEBUG == TRUE) {
error_log("$log_prefix Start STARTTLS connection to ${LDAP['uri']}",0);
}
$LDAP_IS_SECURE = TRUE;
}
}
$bind_result = @ ldap_bind( $ldap_connection, $LDAP['admin_bind_dn'], $LDAP['admin_bind_pwd']);
@ -388,6 +394,29 @@ function ldap_get_group_list($ldap_connection,$start=0,$entries=NULL,$sort="asc"
}
##################################
function ldap_get_dn_of_group($ldap_connection,$group_name) {
global $log_prefix, $LDAP, $LDAP_DEBUG;
if (isset($group_name)) {
$ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query , array("dn"));
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
if (isset($result[0]['dn'])) {
return $result[0]['dn'];
}
}
return FALSE;
}
##################################
function ldap_get_group_members($ldap_connection,$group_name,$start=0,$entries=NULL,$sort="asc") {

36
www/includes/mail_functions.inc.php Normal file
View File

@ -0,0 +1,36 @@
<?php
require_once "/opt/PHPMailer/src/PHPMailer.php";
require_once "/opt/PHPMailer/src/SMTP.php";
require_once "/opt/PHPMailer/src/Exception.php";
function send_email($recipient_email,$recipient_name,$subject,$body) {
global $EMAIL, $SMTP, $SITE_URL, $log_prefix;
$mail = new PHPMailer\PHPMailer\PHPMailer();
$mail->isSMTP();
$mail->SMTPDebug = $SMTP['debug_level'];
$mail->Debugoutput = function($message, $level) { error_log("$log_prefix SMTP (level $level): $message"); };
$mail->Host = $SMTP['host'];
$mail->Port = $SMTP['port'];
if (isset($MAIL['username'])) {
$mail->SMTPAuth = true;
$mail->Username = $SMTP['user'];
$mail->Password = $SMTP['pass'];
}
if ($MAIL['tls'] == TRUE) { $mail->SMTPSecure = "tls"; }
$mail->setFrom($EMAIL['from_address'], $EMAIL['from_name']);
$mail->addAddress($recipient_email, $recipient_name);
$mail->Subject = $subject;
$mail->Body = $body;
$mail->send();
}
?>

2
www/includes/web_functions.inc.php
View File

@ -331,6 +331,8 @@ function is_valid_email($email) {
}
######################################################
function render_js_username_check(){
global $USERNAME_REGEX;

2
www/setup/run_checks.php
View File

@ -38,7 +38,7 @@ $ldap_connection = open_ldap_connection();
print "$li_good Connected to ${LDAP['uri']}</li>\n";
#TLS?
if ($LDAP['starttls'] && $ENCRYPTED == TRUE) {
if ($LDAP_IS_SECURE == TRUE) {
print "$li_good Encrypted connection to ${LDAP['uri']} via STARTTLS</li>\n";
}
else {