mirror of
https://github.com/wheelybird/ldap-user-manager.git
synced 2025-01-18 23:42:54 +01:00
Change username regex variables
This commit is contained in:
parent
b3b372d189
commit
9bbe0db8d5
29
README.md
@ -64,7 +64,7 @@ Change the variable values to suit your environment. Now go to https://lum.exam
|
|||||||
Configuration is via environmental variables. Please bear the following in mind:
|
Configuration is via environmental variables. Please bear the following in mind:
|
||||||
|
|
||||||
* This tool needs to bind to LDAP as a user that has the permissions to modify everything under the base DN.
|
* This tool needs to bind to LDAP as a user that has the permissions to modify everything under the base DN.
|
||||||
* This interface is designed to work with a fresh LDAP server and should only be used against existing populated LDAP directories with caution and at your own risk.
|
* This interface is designed to work with a fresh LDAP server and should only be against existing, populated LDAP directories with caution and at your own risk.
|
||||||
|
|
||||||
### Mandatory:
|
### Mandatory:
|
||||||
|
|
||||||
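Review bot: the rewritten caution sentence in this hunk has lost its verb: `should only be against existing, populated LDAP directories` needs to read `should only be used against existing, populated LDAP directories`. The added comma after "existing" is an improvement; keep it and restore "used".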
@ -92,6 +92,12 @@ Configuration is via environmental variables. Please bear the following in mind
|
|||||||
|
|
||||||
* `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption. This is insecure and should only be used for testing. See [HTTPS certificates](#https-certificates)
|
* `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption. This is insecure and should only be used for testing. See [HTTPS certificates](#https-certificates)
|
||||||
|
|
||||||
|
* `SERVER_KEY_FILENAME`: (default *server.key*): The filename of the HTTPS server key file. See [HTTPS certificates](#https-certificates)
|
||||||
|
|
||||||
|
* `SERVER_CERT_FILENAME`: (default *server.crt*): The filename of the HTTPS certficate file. See [HTTPS certificates](#https-certificates)
|
||||||
|
|
||||||
|
* `CA_CERT_FILENAME`: (default *ca.crt*): The filename of the HTTPS server key file. See [HTTPS certificates](#https-certificates)
|
||||||
|
|
||||||
* `SESSION_TIMEOUT` (default: *10 minutes*): How long before an idle session will be timed out.
|
* `SESSION_TIMEOUT` (default: *10 minutes*): How long before an idle session will be timed out.
|
||||||
|
|
||||||
|
|
||||||
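Review bot: the description of `CA_CERT_FILENAME` is a copy of the `SERVER_KEY_FILENAME` text ("The filename of the HTTPS server key file") and so documents the wrong file; it should describe the CA / intermediate chain file that is handed to Apache's `SSLCertificateChainFile`, matching the rewritten HTTPS certificates section later in this patch. Also fix `certficate` in the `SERVER_CERT_FILENAME` entry, and state that all three values are filenames resolved under `/opt/ssl`, since nothing in these three entries says where the files are expected to live.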
@ -118,7 +124,9 @@ Configuration is via environmental variables. Please bear the following in mind
|
|||||||
|
|
||||||
These settings should only be changed if you're trying to make the user manager work with an LDAP directory that's already populated and the defaults don't work.
|
These settings should only be changed if you're trying to make the user manager work with an LDAP directory that's already populated and the defaults don't work.
|
||||||
|
|
||||||
* `LDAP_ACCOUNT_ATTRIBUTE` (default: *uid*): The account attribute used as the account identifier. See [Account names](#account-names) for more information.
|
* `LDAP_ACCOUNT_ATTRIBUTE` (default: *uid*): The attribute used as the account identifier. See [Account names](#account-names) for more information.
|
||||||
|
|
||||||
|
* `LDAP_GROUP_ATTRIBUTE` (default: *cn*): The attribute used as the group identifier.
|
||||||
|
|
||||||
* `LDAP_GROUP_MEMBERSHIP_ATTRIBUTE` (default: *memberUID* or *uniqueMember*): The attribute used when adding a user's account to a group. When the `groupOfMembers` objectClass is detected `FORCE_RFC2307BIS` is `TRUE` it defaults to `uniqueMember`, otherwise it'll default to `memberUID`. Explicitly setting this variable will override any default.
|
* `LDAP_GROUP_MEMBERSHIP_ATTRIBUTE` (default: *memberUID* or *uniqueMember*): The attribute used when adding a user's account to a group. When the `groupOfMembers` objectClass is detected `FORCE_RFC2307BIS` is `TRUE` it defaults to `uniqueMember`, otherwise it'll default to `memberUID`. Explicitly setting this variable will override any default.
|
||||||
|
|
||||||
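Review bot: the new `LDAP_GROUP_ATTRIBUTE` entry reads fine, but the unchanged `LDAP_GROUP_MEMBERSHIP_ATTRIBUTE` text directly below it is missing a conjunction: "When the `groupOfMembers` objectClass is detected `FORCE_RFC2307BIS` is `TRUE` it defaults to `uniqueMember`" should be "is detected or `FORCE_RFC2307BIS` is `TRUE`". Since this hunk already touches the adjacent lines it is the natural place to fix it. Minor: the RFC 2307 attribute is spelled `memberUid`; attribute names are case-insensitive in LDAP so it is cosmetic, but the README should match the schema spelling.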
@ -175,6 +183,8 @@ To send emails you'll need to use an existing SMTP server. Email sending will b
|
|||||||
* `NEW_ACCOUNT_EMAIL_SUBJECT`, `NEW_ACCOUNT_EMAIL_BODY`, `RESET_PASSWORD_EMAIL_SUBJECT` & `RESET_PASSWORD_EMAIL_BODY`: Change the email contents for emails sent to users when you create an account or reset a password. See [Sending emails](#sending_emails) for full details.
|
* `NEW_ACCOUNT_EMAIL_SUBJECT`, `NEW_ACCOUNT_EMAIL_BODY`, `RESET_PASSWORD_EMAIL_SUBJECT` & `RESET_PASSWORD_EMAIL_BODY`: Change the email contents for emails sent to users when you create an account or reset a password. See [Sending emails](#sending_emails) for full details.
|
||||||
|
|
||||||
|
|
||||||
|
**Account requests**
|
||||||
|
|
||||||
#### Account request settings
|
#### Account request settings
|
||||||
|
|
||||||
* `ACCOUNT_REQUESTS_ENABLED` (default: *FALSE*): Set to TRUE in order to enable a form that people can fill in to request an account. This will send an email to `ACCOUNT_REQUESTS_EMAIL` with their details and a link to the account creation page where the details will be filled in automatically. You'll need to set up email sending (see **Email sending**, above) for this to work. If this is enabled but email sending isn't then requests will be disabled and an error message sent to the logs.
|
* `ACCOUNT_REQUESTS_ENABLED` (default: *FALSE*): Set to TRUE in order to enable a form that people can fill in to request an account. This will send an email to `ACCOUNT_REQUESTS_EMAIL` with their details and a link to the account creation page where the details will be filled in automatically. You'll need to set up email sending (see **Email sending**, above) for this to work. If this is enabled but email sending isn't then requests will be disabled and an error message sent to the logs.
|
||||||
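Review bot: the added bold line `**Account requests**` duplicates the `#### Account request settings` heading that immediately follows it, so the section now carries two titles in two different styles. Keep one of them, whichever convention the other setting groups in this README use (the cross-reference "see **Email sending**, above" in the preceding hunk suggests bold labels are used elsewhere, so check which is the norm and be consistent).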
@ -229,14 +239,21 @@ If you're using LDAP for server accounts then you'll find there are normally co
|
|||||||
***
|
***
|
||||||
|
|
||||||
## HTTPS certificates
|
## HTTPS certificates
|
||||||
When `NO_HTTPS` is set to **FALSE** (the default), the user manager expects to find SSL files at `/opt/ssl/server.key` and `/opt/ssl/server.crt`. These certificates should match `SERVER_HOSTNAME`. If these files aren't found then the startup script will create self-signed certificates based on `SERVER_HOSTNAME`. To use your own key and certificate then you need to bind-mount a directory containing them to `/opt/ssl`. You can also add a certificate chain file (the Apache `SSLCertificateChainFile` option) if needed - name it `chain.pem` and place it in the same directory as `server.key` and `server.crt` .
|
The user manager runs in HTTPS mode by default and so uses HTTPS certificates. You can pass in your own certificates by bind-mounting a local path to `/opt/ssl` in the container and then specifying the names of the files via `SERVER_KEY_FILENAME`, `SERVER_CERT_FILENAME` and optionally `CA_CERT_FILENAME` (this will set Apache's `SSLCertificateChainFile` directive).
|
||||||
|
If the certificate and key files don't exist then a self-signed certificate will be created when the container starts.
|
||||||
|
|
||||||
For example, if your key and certificate files are in `/home/myaccount/ssl` you can bind-mount that folder by adding this line to the docker run example above, just after the last line starting with `-e`:
|
When using your own certificates, the certificate's common name (or one of the alternative names) need to match the value you set for `SERVER_HOSTNAME`.
|
||||||
|
|
||||||
|
For example, if your key and certificate files are in `/home/myaccount/ssl` you can bind-mount that folder by adding these lines to the `docker run` example above (place them above the final line):
|
||||||
```
|
```
|
||||||
|
-e "SERVER_KEY_FILENAME=lum.example.com.key" \
|
||||||
|
-e "SERVER_CERT_FILENAME=lum.example.com.crt" \
|
||||||
|
-e "CA_CERT_FILENAME=ca_bundle.pem" \
|
||||||
-v /home/myaccount/ssl:/opt/ssl \
|
-v /home/myaccount/ssl:/opt/ssl \
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
||||||
|
If you don't want to use HTTPS certificates then set `NO_HTTPS` to **TRUE** to run in HTTP mode. It's advised that you only do this when testing.
|
||||||
|
|
||||||
***
|
***
|
||||||
|
|
||||||
## Sending emails
|
## Sending emails
|
||||||
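Review bot: the new sentence "If the certificate and key files don't exist then a self-signed certificate will be created when the container starts", combined with the new filename variables, means a typo in `SERVER_KEY_FILENAME` or `SERVER_CERT_FILENAME` or a wrong bind-mount path silently downgrades the deployment to an untrusted self-signed certificate instead of failing. This section should say what the startup script does in that case and, ideally, the script should log a clear warning or refuse to start when a filename was set explicitly but is not found under `/opt/ssl`. Two smaller points: the old text said a file named `chain.pem` in the same directory was picked up as the chain file, and the new text does not say whether that still works, so either keep that sentence or add a note for existing deployments; and since `CA_CERT_FILENAME` is documented here as the `SSLCertificateChainFile` input, the variable's README entry earlier in this patch should describe it the same way (the example value `ca_bundle.pem` is a good hint).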
@ -295,7 +312,7 @@ If you need to use this user manager with an existing LDAP directory and your ac
|
|||||||
`LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES` is a comma-separated list of objectClasses to add when creating the account record. For example, `LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES=ldappublickey,couriermailaccount`.
|
`LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES` is a comma-separated list of objectClasses to add when creating the account record. For example, `LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES=ldappublickey,couriermailaccount`.
|
||||||
|
|
||||||
To add extra fields for new attributes you need to pass a comma-separated string of the attributes and optionally the label for the attribute (which will be shown on the user form) and a default value to `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` separated by colons (`:`).
|
To add extra fields for new attributes you need to pass a comma-separated string of the attributes and optionally the label for the attribute (which will be shown on the user form) and a default value to `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` separated by colons (`:`).
|
||||||
The format for configuring an attribute is: `attribute1:label1:default_value1,attribute2:label2:default_value2`. If you don't supply a label then the form field will be labelled with the attribute name.
|
The format for configuring an attribute is: `attribute1:label1,default_value1,attribute2:label2:default_value2`. If you don't supply a label then the form field will be labelled with the attribute name.
|
||||||
An example (for the couriermailaccount objectClass) would be: `mailbox:Mailbox:domain.com,quota:Mail quota:20`
|
An example (for the couriermailaccount objectClass) would be: `mailbox:Mailbox:domain.com,quota:Mail quota:20`
|
||||||
|
|
||||||
ObjectClasses often have attributes that must have a value, so you should definitely set a default for those attributes.
|
ObjectClasses often have attributes that must have a value, so you should definitely set a default for those attributes.
|
||||||
|
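Review bot: the format string in this hunk introduces an error: `attribute1:label1,default_value1,attribute2:label2:default_value2` uses a comma between the first label and its default value, whereas the old line, the preceding sentence ("separated by colons (`:`)") and the unchanged example `mailbox:Mailbox:domain.com,quota:Mail quota:20` all use a colon. Revert to `attribute1:label1:default_value1,attribute2:label2:default_value2`. While here, it is worth stating whether labels or defaults may themselves contain `,` or `:`, because a simple split cannot tell a separator from content.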
@ -100,7 +100,7 @@ if (isset($_POST['create_account'])) {
|
|||||||
if (isset($mail) and !is_valid_email($mail)) { $invalid_email = TRUE; }
|
if (isset($mail) and !is_valid_email($mail)) { $invalid_email = TRUE; }
|
||||||
if (preg_match("/\"|'/",$password)) { $invalid_password = TRUE; }
|
if (preg_match("/\"|'/",$password)) { $invalid_password = TRUE; }
|
||||||
if ($password != $_POST['password_match']) { $mismatched_passwords = TRUE; }
|
if ($password != $_POST['password_match']) { $mismatched_passwords = TRUE; }
|
||||||
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE and !preg_match("/$POSIX_REGEX/",$account_identifier)) { $invalid_account_identifier = TRUE; }
|
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE and !preg_match("/$USERNAME_REGEX/",$account_identifier)) { $invalid_account_identifier = TRUE; }
|
||||||
if (isset($_POST['send_email']) and isset($mail) and $EMAIL_SENDING_ENABLED == TRUE) { $send_user_email = TRUE; }
|
if (isset($_POST['send_email']) and isset($mail) and $EMAIL_SENDING_ENABLED == TRUE) { $send_user_email = TRUE; }
|
||||||
|
|
||||||
if ( isset($givenname)
|
if ( isset($givenname)
|
||||||
|
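Review bot: the rename to `$USERNAME_REGEX` matches the env var name, which is good, but `preg_match("/$USERNAME_REGEX/",$account_identifier)` interpolates an operator-supplied pattern straight between PCRE delimiters. A `USERNAME_REGEX` containing `/` makes `preg_match` return FALSE with a warning, and `!FALSE` then marks every account identifier invalid. Either pick a delimiter that is documented as disallowed in the env var, or validate the pattern once at start-up (`preg_match("/$USERNAME_REGEX/", '') === FALSE`) and fail loudly. The same construction appears in the group-name check and the emitted JavaScript later in this patch. Separately, this validation only runs when `$ENFORCE_SAFE_SYSTEM_NAMES` is TRUE (pre-existing behaviour); with it disabled the identifier is not checked on this path, so make sure every later use of `$account_identifier` in a DN or filter goes through `ldap_escape()` with the appropriate flag.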
@ -27,7 +27,7 @@ else {
|
|||||||
$group_cn = urldecode($group_cn);
|
$group_cn = urldecode($group_cn);
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE and !preg_match("/$POSIX_REGEX/",$group_cn)) {
|
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE and !preg_match("/$USERNAME_REGEX/",$group_cn)) {
|
||||||
?>
|
?>
|
||||||
<div class="alert alert-danger">
|
<div class="alert alert-danger">
|
||||||
<p class="text-center">The group name is invalid.</p>
|
<p class="text-center">The group name is invalid.</p>
|
||||||
|
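Review bot: `$group_cn` is `urldecode()`d and then validated against `$USERNAME_REGEX` only when `$ENFORCE_SAFE_SYSTEM_NAMES` is TRUE; when that setting is off there is no validation at all on this path, so any downstream use of `$group_cn` in a DN or search filter must escape it with `ldap_escape()` (`LDAP_ESCAPE_DN` or `LDAP_ESCAPE_FILTER` as appropriate). A one-line comment here saying the regex is a safety net, not the escaping, would help future readers. Also the hunk shows the error div being emitted but not whether processing stops afterwards (`exit` or equivalent); if it does not, the rejected name still reaches the rest of the page.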
@ -53,8 +53,8 @@
|
|||||||
$SERVER_PATH = (getenv('SERVER_PATH') ? getenv('SERVER_PATH') : "/");
|
$SERVER_PATH = (getenv('SERVER_PATH') ? getenv('SERVER_PATH') : "/");
|
||||||
|
|
||||||
$ENFORCE_SAFE_SYSTEM_NAMES = ((strcasecmp(getenv('ENFORCE_SAFE_SYSTEM_NAMES'),'FALSE') == 0) ? FALSE : TRUE);
|
$ENFORCE_SAFE_SYSTEM_NAMES = ((strcasecmp(getenv('ENFORCE_SAFE_SYSTEM_NAMES'),'FALSE') == 0) ? FALSE : TRUE);
|
||||||
$POSIX_USERNAME_FORMAT = (getenv('USERNAME_FORMAT') ? getenv('USERNAME_FORMAT') : '{first_name}-{last_name}');
|
$USERNAME_FORMAT = (getenv('USERNAME_FORMAT') ? getenv('USERNAME_FORMAT') : '{first_name}-{last_name}');
|
||||||
$POSIX_REGEX = (getenv('USERNAME_REGEX') ? getenv('USERNAME_REGEX') : '^[a-z][a-zA-Z0-9\._-]{3,32}$');
|
$USERNAME_REGEX = (getenv('USERNAME_REGEX') ? getenv('USERNAME_REGEX') : '^[a-z][a-zA-Z0-9\._-]{3,32}$');
|
||||||
#We'll use the username regex for groups too.
|
#We'll use the username regex for groups too.
|
||||||
|
|
||||||
if (getenv('PASSWORD_HASH')) { $PASSWORD_HASH = strtoupper(getenv('PASSWORD_HASH')); }
|
if (getenv('PASSWORD_HASH')) { $PASSWORD_HASH = strtoupper(getenv('PASSWORD_HASH')); }
|
||||||
|
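Review bot: good that the PHP variables now carry the same names as their env vars (`USERNAME_FORMAT`, `USERNAME_REGEX`); the env var names themselves are unchanged, so there is no compatibility break for existing deployments. Two things to tidy while here: the comment `#We'll use the username regex for groups too.` should say explicitly that there is deliberately no separate group regex, now that a `LDAP_GROUP_ATTRIBUTE` setting exists; and the default `^[a-z][a-zA-Z0-9\._-]{3,32}$` accepts 4 to 33 characters, one more than the 32-character limit `useradd` enforces on most Linux systems, so `{3,31}` is the quantifier if the intent is POSIX-safe names. Because the same string is later dropped into a JavaScript regex literal, `USERNAME_REGEX` has to be valid in both PCRE and ECMAScript; the README entry for it should say so.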
@ -397,7 +397,7 @@ function is_valid_email($email) {
|
|||||||
|
|
||||||
function render_js_username_check(){
|
function render_js_username_check(){
|
||||||
|
|
||||||
global $POSIX_REGEX, $ENFORCE_SAFE_SYSTEM_NAMES;
|
global $USERNAME_REGEX, $ENFORCE_SAFE_SYSTEM_NAMES;
|
||||||
|
|
||||||
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE) {
|
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE) {
|
||||||
|
|
||||||
@ -406,7 +406,7 @@ function render_js_username_check(){
|
|||||||
|
|
||||||
function check_entity_name_validity(name,div_id) {
|
function check_entity_name_validity(name,div_id) {
|
||||||
|
|
||||||
var check_regex = /$POSIX_REGEX/;
|
var check_regex = /$USERNAME_REGEX/;
|
||||||
|
|
||||||
if (! check_regex.test(name) ) {
|
if (! check_regex.test(name) ) {
|
||||||
document.getElementById(div_id).classList.add("has-error");
|
document.getElementById(div_id).classList.add("has-error");
|
||||||
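Review bot: `var check_regex = /$USERNAME_REGEX/;` embeds the env value into a JavaScript regex literal. Any `/` in the pattern terminates the literal and breaks the page's script, and PCRE-only syntax (possessive quantifiers such as `a++`, atomic groups `(?>...)`) raises a SyntaxError, so the client-side check silently disappears while the server-side `preg_match` still applies. Compute `$js_regex = json_encode($USERNAME_REGEX);` before the heredoc and emit `var check_regex = new RegExp($js_regex);` so the string is properly escaped, and note in the README that the regex must be valid in both dialects. The client-side check is a usability aid only; the server-side check remains the authoritative control.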
@ -431,9 +431,9 @@ EoCheckJS;
|
|||||||
|
|
||||||
function generate_username($fn,$ln) {
|
function generate_username($fn,$ln) {
|
||||||
|
|
||||||
global $POSIX_USERNAME_FORMAT;
|
global $USERNAME_FORMAT;
|
||||||
|
|
||||||
$username = $POSIX_USERNAME_FORMAT;
|
$username = $USERNAME_FORMAT;
|
||||||
$username = str_replace('{first_name}',strtolower($fn), $username);
|
$username = str_replace('{first_name}',strtolower($fn), $username);
|
||||||
$username = str_replace('{first_name_initial}',strtolower($fn[0]), $username);
|
$username = str_replace('{first_name_initial}',strtolower($fn[0]), $username);
|
||||||
$username = str_replace('{last_name}',strtolower($ln), $username);
|
$username = str_replace('{last_name}',strtolower($ln), $username);
|
||||||
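Review bot: the rename is complete inside `generate_username`. Pre-existing but touched by this hunk: `strtolower($fn[0])` takes the first byte, not the first character, so a first name starting with a multibyte UTF-8 letter (e.g. `Élodie`) puts a lone invalid byte into `{first_name_initial}`; use `mb_strtolower(mb_substr($fn, 0, 1))`. Also, the server-side generator does not strip accents, while the client-side generator in `render_js_username_generator` below does when `$ENFORCE_SAFE_SYSTEM_NAMES` is TRUE, so the two can produce different usernames from the same input; applying the same normalisation here (intl `Normalizer::normalize(..., Normalizer::FORM_D)` followed by stripping `\p{Mn}`) keeps them in step.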
@ -450,7 +450,7 @@ function render_js_username_generator($firstname_field_id,$lastname_field_id,$us
|
|||||||
#Parameters are the IDs of the input fields and username name div in the account creation form.
|
#Parameters are the IDs of the input fields and username name div in the account creation form.
|
||||||
#The div will be set to warning if the username is invalid.
|
#The div will be set to warning if the username is invalid.
|
||||||
|
|
||||||
global $POSIX_USERNAME_FORMAT, $ENFORCE_SAFE_SYSTEM_NAMES;
|
global $USERNAME_FORMAT, $ENFORCE_SAFE_SYSTEM_NAMES;
|
||||||
|
|
||||||
$remove_accents="";
|
$remove_accents="";
|
||||||
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE) { $remove_accents = ".normalize('NFD').replace(/[\u0300-\u036f]/g, '')"; }
|
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE) { $remove_accents = ".normalize('NFD').replace(/[\u0300-\u036f]/g, '')"; }
|
||||||
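Review bot: `.normalize('NFD').replace(/[\u0300-\u036f]/g, '')` only removes combining marks in the basic range; letters that NFD does not decompose (`ß`, `ø`, `ł`, `æ`) pass through unchanged and then fail the default `^[a-z]...` regex, so the generated username is shown as invalid with no hint why. Either extend the replacement to a small transliteration map for those letters or document that such names need the username entered by hand.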
@ -462,7 +462,7 @@ function render_js_username_generator($firstname_field_id,$lastname_field_id,$us
|
|||||||
|
|
||||||
var first_name = document.getElementById('$firstname_field_id').value;
|
var first_name = document.getElementById('$firstname_field_id').value;
|
||||||
var last_name = document.getElementById('$lastname_field_id').value;
|
var last_name = document.getElementById('$lastname_field_id').value;
|
||||||
var template = '$POSIX_USERNAME_FORMAT';
|
var template = '$USERNAME_FORMAT';
|
||||||
|
|
||||||
var actual_username = template;
|
var actual_username = template;
|
||||||
|
|
||||||
|
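Review bot: `var template = '$USERNAME_FORMAT';` places the env value inside a single-quoted JavaScript string, so a `'` or backslash in `USERNAME_FORMAT` breaks the script. Same fix as for the regex: `$js_format = json_encode($USERNAME_FORMAT);` before the heredoc, then `var template = $js_format;`. The value is operator-controlled, so this is robustness rather than an injection concern, but the generator should degrade to a visible error rather than a dead form.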