Change username regex variables

README.md

@@ -64,7 +64,7 @@ Change the variable values to suit your environment.  Now go to https://lum.exam
 Configuration is via environmental variables.  Please bear the following in mind:
 
  * This tool needs to bind to LDAP as a user that has the permissions to modify everything under the base DN.
- * This interface is designed to work with a fresh LDAP server and should only be used against existing populated LDAP directories with caution and at your own risk.
+ * This interface is designed to work with a fresh LDAP server and should only be against existing, populated LDAP directories with caution and at your own risk.
 
 ### Mandatory:
 
@@ -92,6 +92,12 @@ Configuration is via environmental variables.  Please bear the following in mind
 
 * `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption.  This is insecure and should only be used for testing.  See [HTTPS certificates](#https-certificates)
 
+* `SERVER_KEY_FILENAME`: (default *server.key*): The filename of the HTTPS server key file. See [HTTPS certificates](#https-certificates)
+
+* `SERVER_CERT_FILENAME`: (default *server.crt*): The filename of the HTTPS certficate file. See [HTTPS certificates](#https-certificates)
+
+* `CA_CERT_FILENAME`: (default *ca.crt*): The filename of the HTTPS server key file. See [HTTPS certificates](#https-certificates)
+
 * `SESSION_TIMEOUT` (default: *10 minutes*):  How long before an idle session will be timed out.
 
 
@@ -118,7 +124,9 @@ Configuration is via environmental variables.  Please bear the following in mind
 
 These settings should only be changed if you're trying to make the user manager work with an LDAP directory that's already populated and the defaults don't work.
    
-* `LDAP_ACCOUNT_ATTRIBUTE` (default: *uid*):  The account attribute used as the account identifier.  See [Account names](#account-names) for more information.
+* `LDAP_ACCOUNT_ATTRIBUTE` (default: *uid*):  The attribute used as the account identifier.  See [Account names](#account-names) for more information.
+   
+* `LDAP_GROUP_ATTRIBUTE` (default: *cn*):  The attribute used as the group identifier.
    
 * `LDAP_GROUP_MEMBERSHIP_ATTRIBUTE` (default: *memberUID* or *uniqueMember*):  The attribute used when adding a user's account to a group.  When the `groupOfMembers` objectClass is detected `FORCE_RFC2307BIS` is `TRUE` it defaults to `uniqueMember`, otherwise it'll default to `memberUID`. Explicitly setting this variable will override any default.
    
@@ -175,6 +183,8 @@ To send emails you'll need to use an existing SMTP server.  Email sending will b
 * `NEW_ACCOUNT_EMAIL_SUBJECT`, `NEW_ACCOUNT_EMAIL_BODY`, `RESET_PASSWORD_EMAIL_SUBJECT` & `RESET_PASSWORD_EMAIL_BODY`: Change the email contents for emails sent to users when you create an account or reset a password.  See [Sending emails](#sending_emails) for full details.
 
 
+**Account requests**
+
 #### Account request settings
 
 * `ACCOUNT_REQUESTS_ENABLED` (default: *FALSE*): Set to TRUE in order to enable a form that people can fill in to request an account.  This will send an email to `ACCOUNT_REQUESTS_EMAIL` with their details and a link to the account creation page where the details will be filled in automatically.  You'll need to set up email sending (see **Email sending**, above) for this to work.  If this is enabled but email sending isn't then requests will be disabled and an error message sent to the logs.  
@@ -229,14 +239,21 @@ If you're using LDAP for server accounts then you'll find there are  normally co
 ***
 
 ## HTTPS certificates
-When `NO_HTTPS` is set to **FALSE** (the default), the user manager expects to find SSL files at `/opt/ssl/server.key` and `/opt/ssl/server.crt`.  These certificates should match `SERVER_HOSTNAME`.  If these files aren't found then the startup script will create self-signed certificates based on `SERVER_HOSTNAME`.  To use your own key and certificate then you need to bind-mount a directory containing them to `/opt/ssl`.  You can also add a certificate chain file (the Apache `SSLCertificateChainFile` option) if needed - name it `chain.pem` and place it in the same directory as `server.key` and `server.crt` .
+The user manager runs in HTTPS mode by default and so uses HTTPS certificates.  You can pass in your own certificates by bind-mounting a local path to `/opt/ssl` in the container and then  specifying the names of the files via `SERVER_KEY_FILENAME`, `SERVER_CERT_FILENAME` and optionally `CA_CERT_FILENAME` (this will set Apache's `SSLCertificateChainFile` directive).   
+If the certificate and key files don't exist then a self-signed certificate will be created when the container starts.
 
-For example, if your key and certificate files are in `/home/myaccount/ssl` you can bind-mount that folder by adding this line to the docker run example above, just after the last line starting with `-e`:
+When using your own certificates, the certificate's common name (or one of the alternative names) need to match the value you set for `SERVER_HOSTNAME`.
+   
+For example, if your key and certificate files are in `/home/myaccount/ssl` you can bind-mount that folder by adding these lines to the `docker run` example above (place them above the final line):
 ```
+-e "SERVER_KEY_FILENAME=lum.example.com.key" \
+-e "SERVER_CERT_FILENAME=lum.example.com.crt" \
+-e "CA_CERT_FILENAME=ca_bundle.pem" \
 -v /home/myaccount/ssl:/opt/ssl \
-
 ```
 
+If you don't want to use HTTPS certificates then set `NO_HTTPS` to **TRUE** to run in HTTP mode.  It's advised that you only do this when testing.
+
 ***
 
 ## Sending emails
@@ -295,7 +312,7 @@ If you need to use this user manager with an existing LDAP directory and your ac
 `LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES` is a comma-separated list of objectClasses to add when creating the account record.  For example, `LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES=ldappublickey,couriermailaccount`.   
 
 To add extra fields for new attributes you need to pass a comma-separated string of the attributes and optionally the label for the attribute (which will be shown on the user form) and a default value to `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` separated by colons (`:`).   
-The format for configuring an attribute is: `attribute1:label1:default_value1,attribute2:label2:default_value2`.   If you don't supply a label then the form field will be labelled with the attribute name.  
+The format for configuring an attribute is: `attribute1:label1,default_value1,attribute2:label2:default_value2`.   If you don't supply a label then the form field will be labelled with the attribute name.  
 An example (for the couriermailaccount objectClass) would be: `mailbox:Mailbox:domain.com,quota:Mail quota:20`   
    
 ObjectClasses often have attributes that must have a value, so you should definitely set a default for those attributes.   

www/account_manager/new_user.php

@@ -100,7 +100,7 @@ if (isset($_POST['create_account'])) {
  if (isset($mail) and !is_valid_email($mail)) { $invalid_email = TRUE; }
  if (preg_match("/\"|'/",$password)) { $invalid_password = TRUE; }
  if ($password != $_POST['password_match']) { $mismatched_passwords = TRUE; }
- if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE and !preg_match("/$POSIX_REGEX/",$account_identifier)) { $invalid_account_identifier = TRUE; }
+ if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE and !preg_match("/$USERNAME_REGEX/",$account_identifier)) { $invalid_account_identifier = TRUE; }
  if (isset($_POST['send_email']) and isset($mail) and $EMAIL_SENDING_ENABLED == TRUE) { $send_user_email = TRUE; }
 
  if (     isset($givenname)

www/account_manager/show_group.php

@@ -27,7 +27,7 @@ else {
  $group_cn = urldecode($group_cn);
 }
 
-if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE and !preg_match("/$POSIX_REGEX/",$group_cn)) {
+if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE and !preg_match("/$USERNAME_REGEX/",$group_cn)) {
 ?>
  <div class="alert alert-danger">
   <p class="text-center">The group name is invalid.</p>

www/includes/config.inc.php

@@ -53,8 +53,8 @@
  $SERVER_PATH = (getenv('SERVER_PATH') ? getenv('SERVER_PATH') : "/");
 
  $ENFORCE_SAFE_SYSTEM_NAMES = ((strcasecmp(getenv('ENFORCE_SAFE_SYSTEM_NAMES'),'FALSE') == 0) ? FALSE : TRUE);
- $POSIX_USERNAME_FORMAT = (getenv('USERNAME_FORMAT') ? getenv('USERNAME_FORMAT') : '{first_name}-{last_name}');
- $POSIX_REGEX  = (getenv('USERNAME_REGEX')  ? getenv('USERNAME_REGEX') : '^[a-z][a-zA-Z0-9\._-]{3,32}$');
+ $USERNAME_FORMAT = (getenv('USERNAME_FORMAT') ? getenv('USERNAME_FORMAT') : '{first_name}-{last_name}');
+ $USERNAME_REGEX  = (getenv('USERNAME_REGEX')  ? getenv('USERNAME_REGEX') : '^[a-z][a-zA-Z0-9\._-]{3,32}$');
  #We'll use the username regex for groups too.
 
  if (getenv('PASSWORD_HASH')) { $PASSWORD_HASH = strtoupper(getenv('PASSWORD_HASH')); }

www/includes/web_functions.inc.php

@@ -397,7 +397,7 @@ function is_valid_email($email) {
 
 function render_js_username_check(){
 
- global $POSIX_REGEX, $ENFORCE_SAFE_SYSTEM_NAMES;
+ global $USERNAME_REGEX, $ENFORCE_SAFE_SYSTEM_NAMES;
 
  if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE) {
 
@@ -406,7 +406,7 @@ function render_js_username_check(){
 
  function check_entity_name_validity(name,div_id) {
 
-  var check_regex = /$POSIX_REGEX/;
+  var check_regex = /$USERNAME_REGEX/;
 
   if (! check_regex.test(name) ) {
    document.getElementById(div_id).classList.add("has-error");
@@ -431,9 +431,9 @@ EoCheckJS;
 
 function generate_username($fn,$ln) {
 
-  global $POSIX_USERNAME_FORMAT;
+  global $USERNAME_FORMAT;
 
-  $username = $POSIX_USERNAME_FORMAT;
+  $username = $USERNAME_FORMAT;
   $username = str_replace('{first_name}',strtolower($fn), $username);
   $username = str_replace('{first_name_initial}',strtolower($fn[0]), $username);
   $username = str_replace('{last_name}',strtolower($ln), $username);
@@ -450,7 +450,7 @@ function render_js_username_generator($firstname_field_id,$lastname_field_id,$us
  #Parameters are the IDs of the input fields and username name div in the account creation form.
  #The div will be set to warning if the username is invalid.
 
- global $POSIX_USERNAME_FORMAT, $ENFORCE_SAFE_SYSTEM_NAMES;
+ global $USERNAME_FORMAT, $ENFORCE_SAFE_SYSTEM_NAMES;
 
   $remove_accents="";
   if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE) { $remove_accents = ".normalize('NFD').replace(/[\u0300-\u036f]/g, '')"; }
@@ -462,7 +462,7 @@ function render_js_username_generator($firstname_field_id,$lastname_field_id,$us
 
   var first_name = document.getElementById('$firstname_field_id').value;
   var last_name  = document.getElementById('$lastname_field_id').value;
-  var template = '$POSIX_USERNAME_FORMAT';
+  var template = '$USERNAME_FORMAT';
 
   var actual_username = template;