mirror of
https://github.com/wheelybird/ldap-user-manager.git
synced 2025-01-18 15:32:54 +01:00
Merge pull request #19 from wheelybird/nis_fixes
Changes to allow this to work with both NIS and BIS schemas.
This commit is contained in:
commit
9eb0836389
@ -60,10 +60,19 @@ Now go to https://lum.example.com/setup.
|
||||
Configuration
|
||||
---
|
||||
|
||||
Configuration is via environmental variables.
|
||||
Configuration is via environmental variables. Please bear the following in mind:
|
||||
|
||||
* This tool needs to bind to LDAP as a user with permissions to modify everything under the base DN.
|
||||
* This interface is designed to work with a fresh LDAP server and should be used with populated LDAP directories with caution and at your own risk.
|
||||
|
||||
###When using **osixia/openldap**
|
||||
|
||||
By default the user manager will expect that the LDAP server is using the **RFC2307BIS** schema. Unfortunately by default the **osixia/openldap** image uses the old NIS schema. The user manager will work with either, but RFC2307BIS is recommended as it allows you to use **memberOf** searches. You can enable RFC2307BIS in **osixia/openldap** by setting `LDAP_RFC2307BIS_SCHEMA` to `true` during the initial setup.
|
||||
|
||||
If you prefer not to use RFC2307BIS then set `LDAP_USES_NIS_SCHEMA` to `TRUE`. This will create groups solely as the **posixGroup** objectclass, and the default for `LDAP_GROUP_MEMBERSHIP_USES_UID` will `TRUE`.
|
||||
|
||||
|
||||
|
||||
**Note**: This tool needs to bind to LDAP as a user with permissions to modify everything under the base DN.
|
||||
**WARNING**: This interface is designed to work with a fresh LDAP server and should be used with populated LDAP directories with caution and at your own risk.
|
||||
|
||||
Mandatory:
|
||||
----
|
||||
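Review bot: the new heading `###When using **osixia/openldap**` has no space after `###`, so GitHub-flavoured Markdown renders it as a literal paragraph rather than a heading; write `### When using **osixia/openldap**`. In the same hunk, "the default for `LDAP_GROUP_MEMBERSHIP_USES_UID` will `TRUE`" is missing "be". Folding the old **Note** and **WARNING** lines into the "bear the following in mind" list also drops their emphasis; the second one warns about running the tool against a populated directory and is worth keeping as a visible warning.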
@ -82,9 +91,11 @@ Optional:
|
||||
|
||||
* `LDAP_USER_OU` (default: *people*): The name of the OU used to store user accounts (without the base DN appended).
|
||||
|
||||
* `LDAP_USES_NIS_SCHEMA` (default: *FALSE*): If you use the NIS schema instead of the (preferable) RFC2307BIS schema, set this to `TRUE`. See [When using **osixia/openldap**](#When using **osixia/openldap**) for more information.
|
||||
|
||||
* `LDAP_GROUP_OU` (default: *groups*): The name of the OU used to store groups (without the base DN appended).
|
||||
* `LDAP_GROUP_MEMBERSHIP_ATTRIBUTE` (default: *uniqueMember*): The attribute used when adding a user to a group.
|
||||
* `LDAP_GROUP_MEMBERSHIP_USES_UID`(default: *FALSE*): If *TRUE* then the entry for a member of a group will be just the username. Otherwise it's the member's full DN.
|
||||
* `LDAP_GROUP_MEMBERSHIP_ATTRIBUTE` (default: *memberUID* or *uniqueMember*): The attribute used when adding a user to a group. If `LDAP_USES_NIS_SCHEMA` is `TRUE` the default is `memberUID', otherwise it's `uniqueMember`. Explicitly setting this variable will override the default.
|
||||
* `LDAP_GROUP_MEMBERSHIP_USES_UID`(default: *TRUE* or *FALSE*): If *TRUE* then the entry for a member of a group will be just the username. Otherwise it's the member's full DN. If `LDAP_USES_NIS_SCHEMA` is `TRUE` the default is `TRUE', otherwise it's `FALSE`. Explicitly setting this variable will override the default.
|
||||
|
||||
* `LDAP_REQUIRE_STARTTLS` (default: *TRUE*): If *TRUE* then a TLS connection is required for this interface to work. If set to *FALSE* then the interface will work without STARTTLS, but a warning will be displayed on the page.
|
||||
|
||||
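Review bot: the link `[When using **osixia/openldap**](#When using **osixia/openldap**)` will not resolve: GitHub derives anchors by lowercasing the heading text, dropping punctuation and replacing spaces with hyphens, so the target should be `#when-using-osixiaopenldap` (once the heading itself has a space after `###`). The two new entries also close inline code with a straight quote (`memberUID'` and `TRUE'`) instead of a backtick. Finally, the text says explicitly setting `LDAP_GROUP_MEMBERSHIP_USES_UID` overrides the default, but the config.php change in this PR only honours an explicit `TRUE`, so an explicit `FALSE` with the NIS schema still yields `TRUE`; either fix the code or describe the real behaviour here.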
@ -148,9 +159,3 @@ Anything else in the `USERNAME_FORMAT` string is left as defined, but the userna
|
||||
|
||||
If `EMAIL_DOMAIN` is set then the email address field will be automatically updated in the form of `username@email_domain`. Entering anything manually in that field will stop the automatic update of the email field.
|
||||
|
||||
|
||||
Details on accounts and groups
|
||||
---
|
||||
|
||||
This interface will create POSIX user accounts and groups, which allows you to use your LDAP directory for Linux/Unix accounts. The accounts created use `person`, `inetOrgPerson` & `posixAccount` objectClasses. Usernames are defined via the `uid` attribute and groups are created as with `posixGroup` and `groupOfUniqueNames` objectClasses (the latter in case you want to use the `memberOf` LDAP module).
|
||||
|
||||
|
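Review bot: the "Details on accounts and groups" paragraph still states that groups are created with both `posixGroup` and `groupOfUniqueNames` objectClasses, which is no longer true when `LDAP_USES_NIS_SCHEMA` is `TRUE` (the new group-creation code then uses `posixGroup` only, with `memberUid` values rather than DNs). Update this paragraph to describe both modes.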
@ -197,50 +197,50 @@ render_js_email_generator('username','email');
|
||||
<div class="form-group">
|
||||
<label for="first_name" class="col-sm-3 control-label">First name</label>
|
||||
<div class="col-sm-6">
|
||||
<input type="text" class="form-control" id="first_name" name="first_name" <?php if (isset($first_name)){ print " value='$first_name'"; } ?> onkeyup="update_username(); update_email();">
|
||||
<input tabindex="1" type="text" class="form-control" id="first_name" name="first_name" <?php if (isset($first_name)){ print " value='$first_name'"; } ?> onkeyup="update_username(); update_email();">
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="form-group">
|
||||
<label for="last_name" class="col-sm-3 control-label">Last name</label>
|
||||
<div class="col-sm-6">
|
||||
<input type="text" class="form-control" id="last_name" name="last_name" <?php if (isset($last_name)){ print " value='$last_name'"; } ?> onkeyup="update_username(); update_email();">
|
||||
<input tabindex="3" type="text" class="form-control" id="last_name" name="last_name" <?php if (isset($last_name)){ print " value='$last_name'"; } ?> onkeyup="update_username(); update_email();">
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="form-group" id="username_div">
|
||||
<label for="username" class="col-sm-3 control-label">Username</label>
|
||||
<div class="col-sm-6">
|
||||
<input type="text" class="form-control" id="username" name="username" <?php if (isset($username)){ print " value='$username'"; } ?> onkeyup="check_username_validity(document.getElementById('username').value); update_email();">
|
||||
<input tabindex="3" type="text" class="form-control" id="username" name="username" <?php if (isset($username)){ print " value='$username'"; } ?> onkeyup="check_username_validity(document.getElementById('username').value); update_email();">
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="form-group" id="email_div">
|
||||
<label for="username" class="col-sm-3 control-label">Email</label>
|
||||
<div class="col-sm-6">
|
||||
<input type="text" class="form-control" id="email" name="email" <?php if (isset($email)){ print " value='$email'"; } ?> onkeyup="auto_email_update = false;">
|
||||
<input tabindex="4" type="text" class="form-control" id="email" name="email" <?php if (isset($email)){ print " value='$email'"; } ?> onkeyup="auto_email_update = false;">
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="form-group" id="password_div">
|
||||
<label for="password" class="col-sm-3 control-label">Password</label>
|
||||
<div class="col-sm-6">
|
||||
<input type="text" class="form-control" id="password" name="password" onkeyup="back_to_hidden('password','confirm');">
|
||||
<input tabindex="5" type="text" class="form-control" id="password" name="password" onkeyup="back_to_hidden('password','confirm');">
|
||||
</div>
|
||||
<div class="col-sm-1">
|
||||
<input type="button" class="btn btn-sm" id="password_generator" onclick="random_password();" value="Generate password">
|
||||
<input tabindex="7" type="button" class="btn btn-sm" id="password_generator" onclick="random_password();" value="Generate password">
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="form-group" id="confirm_div">
|
||||
<label for="confirm" class="col-sm-3 control-label">Confirm</label>
|
||||
<div class="col-sm-6">
|
||||
<input type="password" class="form-control" id="confirm" name="password_match" onkeyup="check_passwords_match()">
|
||||
<input tabindex="6" type="password" class="form-control" id="confirm" name="password_match" onkeyup="check_passwords_match()">
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<div class="form-group">
|
||||
<button type="submit" class="btn btn-warning">Create account</button>
|
||||
<button tabindex="8" type="submit" class="btn btn-warning">Create account</button>
|
||||
</div>
|
||||
|
||||
</form>
|
||||
|
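Review bot: `tabindex="3"` is assigned twice, to `last_name` and to `username`; with `first_name` at 1 the sequence should be 1, 2, 3, 4, so `last_name` presumably wants `tabindex="2"`. While in this form, note that `value='$first_name'`, `value='$last_name'`, `value='$username'` and `value='$email'` are interpolated into attribute values unescaped; if these come back from `$_POST` on a failed submission they should be passed through `htmlspecialchars()` to avoid reflected XSS. The password input is also `type="text"` and relies on `back_to_hidden()` to switch it; `type="password"` by default would be safer.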
@ -44,24 +44,11 @@ if (isset($_POST['new_group'])) {
|
||||
|
||||
######################################################################################
|
||||
|
||||
$ldap_search_query="cn=" . ldap_escape($group_cn, "", LDAP_ESCAPE_FILTER);
|
||||
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
|
||||
$result = ldap_get_entries($ldap_connection, $ldap_search);
|
||||
|
||||
$current_members = array();
|
||||
|
||||
if ($result["count"] == 1) {
|
||||
|
||||
foreach ($result[0][$LDAP['group_membership_attribute']] as $key => $value) {
|
||||
if ($key != 'count') {
|
||||
$this_member = preg_replace("/^.*?=(.*?),.*/", "$1", $value);
|
||||
array_push($current_members, $this_member);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
$current_members = ldap_get_group_members($ldap_connection,$group_cn);
|
||||
$all_accounts = ldap_get_user_list($ldap_connection);
|
||||
$all_people = array();
|
||||
|
||||
foreach ($all_accounts as $this_person => $attrs) {
|
||||
array_push($all_people, $this_person);
|
||||
}
|
||||
|
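Review bot: the replacement `ldap_get_group_members()` returns an empty array both when the group has no members and when the search fails (see its definition later in this PR), so a failed lookup here now silently renders the group as empty; the old inline code at least had `$result["count"] == 1` available to tell the cases apart. Consider having the helper return `FALSE` on search failure and checking for it here.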
@ -14,8 +14,19 @@
|
||||
$LDAP['group_ou'] = (getenv('LDAP_GROUP_OU') ? getenv('LDAP_GROUP_OU') : 'groups');
|
||||
$LDAP['user_ou'] = (getenv('LDAP_USER_OU') ? getenv('LDAP_USER_OU') : 'people');
|
||||
|
||||
$LDAP['group_membership_attribute'] = (getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') ? getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') : 'uniquemember');
|
||||
$LDAP['group_membership_uses_uid'] = ((strcasecmp(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID'),'TRUE') == 0) ? TRUE : FALSE);
|
||||
$LDAP['nis_schema'] = ((strcasecmp(getenv('LDAP_USES_NIS_SCHEMA'),'TRUE') == 0) ? TRUE : FALSE);
|
||||
|
||||
if ($LDAP['nis_schema'] == TRUE) {
|
||||
$default_membership_attribute = 'memberuid';
|
||||
$default_group_membership_uses_uid = TRUE;
|
||||
}
|
||||
else {
|
||||
$default_membership_attribute = 'uniquemember';
|
||||
$default_group_membership_uses_uid = FALSE;
|
||||
}
|
||||
|
||||
$LDAP['group_membership_attribute'] = (getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') ? getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') : $default_membership_attribute);
|
||||
$LDAP['group_membership_uses_uid'] = ((strcasecmp(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID'),'TRUE') == 0) ? TRUE : $default_group_membership_uses_uid);
|
||||
|
||||
$LDAP['account_attribute'] = 'uid';
|
||||
$LDAP['require_starttls'] = ((strcasecmp(getenv('LDAP_REQUIRE_STARTTLS'),'TRUE') == 0) ? TRUE : FALSE);
|
||||
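Review bot: the `$LDAP['group_membership_uses_uid']` line only honours an explicit `TRUE`: with `LDAP_USES_NIS_SCHEMA=TRUE` the default is `TRUE`, and `LDAP_GROUP_MEMBERSHIP_USES_UID=FALSE` falls through to that default, so the README's "explicitly setting this variable will override the default" does not hold. Test whether the variable is set first, e.g. `$env = getenv('LDAP_GROUP_MEMBERSHIP_USES_UID');` then `$LDAP['group_membership_uses_uid'] = ($env === FALSE) ? $default_group_membership_uses_uid : (strcasecmp($env,'TRUE') == 0);`. Also `memberuid` here, `memberUID` in the README and the schema's `memberUid` are three spellings of one attribute; LDAP attribute names are case-insensitive so it works, but pick one.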
@ -41,6 +52,8 @@
|
||||
|
||||
###
|
||||
|
||||
$log_prefix = date('Y-m-d H:i:s') . " - LDAP manager - $USER_ID - ";
|
||||
|
||||
$errors = "";
|
||||
|
||||
if (empty($LDAP['uri'])) {
|
||||
@ -70,5 +83,4 @@
|
||||
$min_uid = 2000;
|
||||
$min_gid = 2000;
|
||||
|
||||
|
||||
?>
|
||||
|
@ -1,6 +1,5 @@
|
||||
<?php
|
||||
|
||||
$log_prefix = date('Y-m-d H:i:s') . " - LDAP manager - $USER_ID - ";
|
||||
$LDAP_CONNECTION_WARNING = FALSE;
|
||||
|
||||
###################################
|
||||
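Review bot: removing `$log_prefix` from ldap_functions.php and defining it only in config.php means every function's `global $log_prefix` now depends on config.php being included before this file in each entry point; the prefix also captures `$USER_ID` at include time, so if config.php is loaded before the session has set `$USER_ID` the log lines carry an empty user. A comment at the top of this file, or a check in open_ldap_connection(), would make that dependency explicit.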
@ -25,7 +24,7 @@ function open_ldap_connection() {
|
||||
|
||||
if ($tls_result != TRUE) {
|
||||
|
||||
error_log("$log_prefix Failed to start STARTTLS connection to ${LDAP['uri']}",0);
|
||||
error_log("$log_prefix Failed to start STARTTLS connection to ${LDAP['uri']}: " . ldap_error($ldap_connection),0);
|
||||
|
||||
if ($LDAP["require_starttls"] == TRUE) {
|
||||
print "<div style='position: fixed;bottom: 0;width: 100%;' class='alert alert-danger'>Fatal: Couldn't create a secure connection to ${LDAP['uri']} and LDAP_REQUIRE_STARTTLS is TRUE.</div>";
|
||||
@ -50,9 +49,11 @@ function open_ldap_connection() {
|
||||
if ($bind_result != TRUE) {
|
||||
|
||||
$this_error = "Failed to bind to ${LDAP['uri']} as ${LDAP['admin_bind_dn']}";
|
||||
print "Problem: Failed to bind as ${LDAP['admin_bind_dn']}";
|
||||
if ($LDAP_DEBUG == TRUE) { $this_error .= " with password ${LDAP['admin_bind_pwd']}"; }
|
||||
$this_error .= ": " . ldap_error($ldap_connection);
|
||||
print "Problem: Failed to bind as ${LDAP['admin_bind_dn']}";
|
||||
error_log("$log_prefix $this_error",0);
|
||||
|
||||
exit(1);
|
||||
|
||||
}
|
||||
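Review bot: the unchanged `if ($LDAP_DEBUG == TRUE) { $this_error .= " with password ${LDAP['admin_bind_pwd']}"; }` writes the admin bind password into the error log whenever debugging is on; now that `ldap_error()` is appended, the password adds nothing diagnostic and should be dropped. `print "Problem: Failed to bind as ${LDAP['admin_bind_dn']}"` also discloses the bind DN to any unauthenticated visitor; a generic message in the browser with the detail in the log would be safer.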
@ -75,12 +76,12 @@ function ldap_auth_username($ldap_connection,$username, $password) {
|
||||
global $log_prefix, $LDAP, $LDAP_DEBUG;
|
||||
|
||||
$ldap_search_query="${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);
|
||||
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query );
|
||||
$ldap_search = @ ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query );
|
||||
|
||||
if ($LDAP_DEBUG == TRUE) { "$log_prefix Running LDAP search: $ldap_search_query"; }
|
||||
|
||||
if (!$ldap_search) {
|
||||
error_log("$log_prefix Couldn't search for $username",0);
|
||||
error_log("$log_prefix Couldn't search for ${username}: " . ldap_error($ldap_connection),0);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
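Review bot: `if ($LDAP_DEBUG == TRUE) { "$log_prefix Running LDAP search: $ldap_search_query"; }` is a bare string expression with no `error_log()` call, so it logs nothing; it is untouched by this hunk but sits between the modified lines. Adding `@` to `ldap_search` is acceptable here only because `ldap_error()` is now logged on failure.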
@ -100,7 +101,7 @@ function ldap_auth_username($ldap_connection,$username, $password) {
|
||||
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Able to bind as $username",0); }
|
||||
}
|
||||
else {
|
||||
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Unable to bind as $username",0); }
|
||||
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Unable to bind as ${username}: " . ldap_error($ldap_connection),0); }
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
@ -129,7 +130,8 @@ function ldap_setup_auth($ldap_connection, $password) {
|
||||
else {
|
||||
$this_error="Initial setup: Unable to authenticate as ${LDAP['admin_bind_dn']}";
|
||||
if ($LDAP_DEBUG == TRUE) { $this_error .= " with password $password"; }
|
||||
$this_error .= ". The password used to authenticate for /setup should be the same as set by LDAP_ADMIN_BIND_PWD.";
|
||||
$this_error .= ". The password used to authenticate for /setup should be the same as set by LDAP_ADMIN_BIND_PWD. ";
|
||||
$this_error .= ldap_error($ldap_connection);
|
||||
error_log("$log_prefix $this_error",0);
|
||||
return FALSE;
|
||||
}
|
||||
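Review bot: `if ($LDAP_DEBUG == TRUE) { $this_error .= " with password $password"; }` logs the password submitted to /setup, which is meant to equal `LDAP_ADMIN_BIND_PWD`; as with the bind-failure path, drop the password from the log now that `ldap_error()` is included.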
@ -162,8 +164,8 @@ function ldap_get_user_list($ldap_connection,$start=0,$entries=NULL,$sort="asc",
|
||||
|
||||
$this_filter = "(&(${LDAP['account_attribute']}=*)$filters)";
|
||||
|
||||
$ldap_search = ldap_search($ldap_connection, "${LDAP['user_dn']}", $this_filter, $fields);
|
||||
$result = ldap_get_entries($ldap_connection, $ldap_search);
|
||||
$ldap_search = @ ldap_search($ldap_connection, "${LDAP['user_dn']}", $this_filter, $fields);
|
||||
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
|
||||
if ($LDAP_DEBUG == TRUE) { error_log("LDAP returned ${result['count']} users for ${LDAP['user_dn']} when using this filter: $this_filter",0); }
|
||||
|
||||
$records = array();
|
||||
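Review bot: after `@ ldap_search(...)` fails, `$ldap_search` is `FALSE` and `@ ldap_get_entries()` returns `FALSE` (or throws a TypeError on PHP 8), so `${result['count']}` in the debug line and the loop below operate on a non-array. Check `$ldap_search` before calling `ldap_get_entries()`, as ldap_change_password() already does, and log `ldap_error($ldap_connection)` on failure rather than suppressing it.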
@ -173,7 +175,7 @@ function ldap_get_user_list($ldap_connection,$start=0,$entries=NULL,$sort="asc",
|
||||
|
||||
$add_these = array();
|
||||
foreach($fields as $this_attr) {
|
||||
if ($this_attr != $sort_key) { $add_these[$this_attr] = $record[$this_attr][0]; }
|
||||
if ($this_attr !== $sort_key) { $add_these[$this_attr] = $record[$this_attr][0]; }
|
||||
}
|
||||
|
||||
$records[$record[$sort_key][0]] = $add_these;
|
||||
@ -248,7 +250,7 @@ function ldap_get_group_list($ldap_connection,$start=0,$entries=NULL,$sort="asc"
|
||||
$this_filter = "(&(objectclass=*)$filters)";
|
||||
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $this_filter);
|
||||
|
||||
$result = ldap_get_entries($ldap_connection, $ldap_search);
|
||||
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
|
||||
if ($LDAP_DEBUG == TRUE) { error_log("LDAP returned ${result['count']} groups for ${LDAP['group_dn']} when using this filter: $this_filter",0); }
|
||||
|
||||
$records = array();
|
||||
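Review bot: same issue as in ldap_get_user_list(): here `ldap_search()` is not suppressed but its result is still passed unchecked to `@ ldap_get_entries()`; add an `if ($ldap_search)` guard, log `ldap_error()` on failure, and be consistent about where `@` is applied.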
@ -276,23 +278,40 @@ function ldap_get_group_members($ldap_connection,$group_name,$start=0,$entries=N
|
||||
global $log_prefix, $LDAP, $LDAP_DEBUG;
|
||||
|
||||
$ldap_search_query = "(cn=". ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
|
||||
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query, array($LDAP['group_membership_attribute']));
|
||||
$ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query, array($LDAP['group_membership_attribute']));
|
||||
|
||||
$result = ldap_get_entries($ldap_connection, $ldap_search);
|
||||
if ($LDAP_DEBUG == TRUE) { error_log("LDAP returned ${result['count']} members of ${group_name} when using this search: $ldap_search_query",0); }
|
||||
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
|
||||
$result_count = $result[0]['count'];
|
||||
|
||||
$records = array();
|
||||
foreach ($result[0][$LDAP['group_membership_attribute']] as $record => $value) {
|
||||
|
||||
if ($record != 'count' and isset($value)) {
|
||||
array_push($records, $value);
|
||||
if ($result_count > 0) {
|
||||
|
||||
foreach ($result[0][$LDAP['group_membership_attribute']] as $key => $value) {
|
||||
|
||||
if ($key !== 'count' and !empty($value)) {
|
||||
$this_member = preg_replace("/^.*?=(.*?),.*/", "$1", $value);
|
||||
array_push($records, $this_member);
|
||||
if ($LDAP_DEBUG == TRUE) { error_log("${value} is a member",0); }
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
$actual_result_count = count($records);
|
||||
if ($LDAP_DEBUG == TRUE) { error_log("LDAP returned $actual_result_count members of ${group_name} when using this search: $ldap_search_query and this filter: ${LDAP['group_membership_attribute']}",0); }
|
||||
|
||||
if ($actual_result_count > 0) {
|
||||
if ($sort == "asc") { sort($records); } else { rsort($records); }
|
||||
return(array_slice($records,$start,$entries));
|
||||
}
|
||||
else {
|
||||
return array();
|
||||
}
|
||||
|
||||
}
|
||||
else {
|
||||
return array();
|
||||
}
|
||||
|
||||
if ($sort == "asc") { sort($records); } else { rsort($records); }
|
||||
|
||||
return(array_slice($records,$start,$entries));
|
||||
|
||||
|
||||
}
|
||||
|
||||
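Review bot: `$result_count = $result[0]['count']` is the number of attributes returned for the first entry, not the number of members, and if no group matched `$result[0]` is unset; the subsequent `foreach ($result[0][$LDAP['group_membership_attribute']] ...)` also warns for a group that has no membership attribute at all (a fresh NIS `posixGroup` has no `memberUid`). Guard on `$result['count'] == 1 && isset($result[0][$LDAP['group_membership_attribute']])` instead. Note also the behaviour change: `preg_replace("/^.*?=(.*?),.*/", "$1", $value)` now reduces every value to its RDN value, so callers that previously received full DNs from this function get bare usernames, and a `memberUid` value containing `=` and `,` would be mangled.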
@ -330,32 +349,46 @@ function ldap_new_group($ldap_connection,$group_name) {
|
||||
if (isset($group_name)) {
|
||||
|
||||
$ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']})";
|
||||
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
|
||||
$result = ldap_get_entries($ldap_connection, $ldap_search);
|
||||
$ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
|
||||
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
|
||||
|
||||
if ($result['count'] == 0) {
|
||||
|
||||
$highest_gid = ldap_get_highest_id($ldap_connection,'gid');
|
||||
$new_gid = $highest_gid + 1;
|
||||
$highest_gid = ldap_get_highest_id($ldap_connection,'gid');
|
||||
$new_gid = $highest_gid + 1;
|
||||
|
||||
$add_group = ldap_add($ldap_connection,
|
||||
"cn=$group_name,${LDAP['group_dn']}",
|
||||
array( 'objectClass' => array( 'top', 'groupOfUniqueNames', 'posixGroup' ),
|
||||
'cn' => $group_name,
|
||||
'gidNumber' => $new_gid,
|
||||
$LDAP['group_membership_attribute'] => ''
|
||||
)
|
||||
);
|
||||
if ($LDAP['nis_schema'] == TRUE) {
|
||||
$new_group_array=array( 'objectClass' => array('top','posixGroup'),
|
||||
'cn' => $group_name,
|
||||
'gidNumber' => $new_gid
|
||||
);
|
||||
}
|
||||
else {
|
||||
$new_group_array=array( 'objectClass' => array('top','groupOfUniqueNames','posixGroup'),
|
||||
'cn' => $group_name,
|
||||
'gidNumber' => $new_gid,
|
||||
$LDAP['group_membership_attribute'] => ''
|
||||
);
|
||||
}
|
||||
|
||||
if ($add_group) {
|
||||
$group_dn="cn=$group_name,${LDAP['group_dn']}";
|
||||
|
||||
$add_group = @ ldap_add($ldap_connection, $group_dn, $new_group_array);
|
||||
|
||||
if (! $add_group ) {
|
||||
$this_error="$log_prefix LDAP: unable to add new group (${group_dn}): " . ldap_error($ldap_connection);
|
||||
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix: DEBUG add_group array: ". print_r($new_group_array,true)); }
|
||||
error_log($this_error,0);
|
||||
}
|
||||
else {
|
||||
error_log("$log_prefix Added new group $group_name",0);
|
||||
$update_gid = ldap_mod_replace($ldap_connection, "cn=lastGID,${LDAP['base_dn']}", array( 'serialNumber' => $new_gid ));
|
||||
$update_gid = @ ldap_mod_replace($ldap_connection, "cn=lastGID,${LDAP['base_dn']}", array( 'serialNumber' => $new_gid ));
|
||||
if ($update_gid) {
|
||||
error_log("$log_prefix Updated cn=lastGID with $new_gid",0);
|
||||
return TRUE;
|
||||
}
|
||||
else {
|
||||
error_log("$log_prefix Failed to update cn=lastGID",0);
|
||||
error_log("$log_prefix Failed to update cn=lastGID: " . ldap_error($ldap_connection) ,0);
|
||||
}
|
||||
}
|
||||
|
||||
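Review bot: the new `$group_dn="cn=$group_name,${LDAP['group_dn']}"` interpolates the raw group name into a DN; use `ldap_escape($group_name, "", LDAP_ESCAPE_DN)` so a name containing `,` or `+` cannot produce a different DN or a rejected add. The existence check above it is also ineffective as written: the filter `"(cn=" . ldap_escape(...) . ",${LDAP['group_dn']})"` embeds the base DN inside the cn value, so it never matches and `$result['count']` is always 0; use `"(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")"` as ldap_get_gid_of_group() does. In the non-NIS branch, `$LDAP['group_membership_attribute'] => ''` still adds an empty `uniqueMember` value on creation.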
@ -382,14 +415,14 @@ function ldap_delete_group($ldap_connection,$group_name) {
|
||||
if (isset($group_name)) {
|
||||
|
||||
$delete_query = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
|
||||
$delete = ldap_delete($ldap_connection, $delete_query);
|
||||
$delete = @ ldap_delete($ldap_connection, $delete_query);
|
||||
|
||||
if ($delete) {
|
||||
error_log("$log_prefix Deleted group $group_name",0);
|
||||
return TRUE;
|
||||
}
|
||||
else {
|
||||
error_log("$log_prefix Couldn't delete group $group_name",0);
|
||||
error_log("$log_prefix Couldn't delete group $group_name" . ldap_error($ldap_connection) ,0);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
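Review bot: `$delete_query` builds a DN but escapes with `LDAP_ESCAPE_FILTER`; DN syntax needs `LDAP_ESCAPE_DN`, since filter escaping rewrites `*` to `\2a` while leaving `,` and `+` untouched, so it neither protects the DN nor round-trips names the add path created. The new log line `"Couldn't delete group $group_name" . ldap_error(...)` is also missing the `": "` separator the other messages use.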
@ -407,8 +440,8 @@ function ldap_get_gid_of_group($ldap_connection,$group_name) {
|
||||
if (isset($group_name)) {
|
||||
|
||||
$ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
|
||||
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query , array("gidNumber"));
|
||||
$result = ldap_get_entries($ldap_connection, $ldap_search);
|
||||
$ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query , array("gidNumber"));
|
||||
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
|
||||
|
||||
if (isset($result[0]['gidnumber'][0]) and is_numeric($result[0]['gidnumber'][0])) {
|
||||
return $result[0]['gidnumber'][0];
|
||||
@ -430,8 +463,8 @@ function ldap_new_account($ldap_connection,$first_name,$last_name,$username,$pas
|
||||
if (isset($first_name) and isset($last_name) and isset($username) and isset($password)) {
|
||||
|
||||
$ldap_search_query = "(${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ",${LDAP['user_dn']})";
|
||||
$ldap_search = ldap_search($ldap_connection, "${LDAP['user_dn']}", $ldap_search_query);
|
||||
$result = ldap_get_entries($ldap_connection, $ldap_search);
|
||||
$ldap_search = @ ldap_search($ldap_connection, "${LDAP['user_dn']}", $ldap_search_query);
|
||||
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
|
||||
|
||||
if ($result['count'] == 0) {
|
||||
|
||||
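Review bot: as with group creation, the filter `"(${LDAP['account_attribute']}=" . ldap_escape($username, ...) . ",${LDAP['user_dn']})"` includes the user base DN inside the attribute value and can never match an existing account, so the duplicate check always passes and only the later `ldap_add` failure ("Already exists") stops a second creation. Use `"(${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ")"`.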
@ -466,7 +499,7 @@ function ldap_new_account($ldap_connection,$first_name,$last_name,$username,$pas
|
||||
'mail' => $email
|
||||
);
|
||||
|
||||
$add_account = ldap_add($ldap_connection,
|
||||
$add_account = @ ldap_add($ldap_connection,
|
||||
"${LDAP['account_attribute']}=$username,${LDAP['user_dn']}",
|
||||
$user_info
|
||||
);
|
||||
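Review bot: the DN passed to `@ ldap_add`, `"${LDAP['account_attribute']}=$username,${LDAP['user_dn']}"`, uses the raw `$username`; escape it with `ldap_escape($username, "", LDAP_ESCAPE_DN)` so the DN is well-formed for any username the form accepts.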
@ -474,18 +507,18 @@ function ldap_new_account($ldap_connection,$first_name,$last_name,$username,$pas
|
||||
if ($add_account) {
|
||||
error_log("$log_prefix Created new account: $username",0);
|
||||
ldap_add_member_to_group($ldap_connection,$add_to_group,$username);
|
||||
$update_uid = ldap_mod_replace($ldap_connection, "cn=lastUID,${LDAP['base_dn']}", array( 'serialNumber' => $new_uid ));
|
||||
$update_uid = @ ldap_mod_replace($ldap_connection, "cn=lastUID,${LDAP['base_dn']}", array( 'serialNumber' => $new_uid ));
|
||||
if ($update_uid) {
|
||||
error_log("$log_prefix Create account; Updated cn=lastUID with $new_uid",0);
|
||||
return TRUE;
|
||||
}
|
||||
else {
|
||||
error_log("$log_prefix Create account; Failed to update cn=lastUID",0);
|
||||
error_log("$log_prefix Create account; Failed to update cn=lastUID: " . ldap_error($ldap_connection),0);
|
||||
}
|
||||
|
||||
}
|
||||
else {
|
||||
error_log("$log_prefix Create account; couldn't create the account for $username",0);
|
||||
error_log("$log_prefix Create account; couldn't create the account for ${username}: " . ldap_error($ldap_connection),0);
|
||||
}
|
||||
|
||||
}
|
||||
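Review bot: the return value of `ldap_add_member_to_group($ldap_connection,$add_to_group,$username)` is ignored, so an account that was created but not added to its group still returns `TRUE` here; at minimum log the failure, or surface it to the caller. The `cn=lastUID` update is also not atomic with the allocation from `ldap_get_highest_id()`, so two concurrent creations can be handed the same `uidNumber`.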
@ -513,14 +546,14 @@ function ldap_delete_account($ldap_connection,$username) {
|
||||
if (isset($username)) {
|
||||
|
||||
$delete_query = "${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ",${LDAP['user_dn']}";
|
||||
$delete = ldap_delete($ldap_connection, $delete_query);
|
||||
$delete = @ ldap_delete($ldap_connection, $delete_query);
|
||||
|
||||
if ($delete) {
|
||||
error_log("$log_prefix Deleted account for $username",0);
|
||||
return TRUE;
|
||||
}
|
||||
else {
|
||||
error_log("$log_prefix Couldn't delete account for $username",0);
|
||||
error_log("$log_prefix Couldn't delete account for ${username}: " . ldap_error($ldap_connection),0);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
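Review bot: same as ldap_delete_group(): `$delete_query` is a DN but is escaped with `LDAP_ESCAPE_FILTER`; use `LDAP_ESCAPE_DN`.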
@ -542,14 +575,14 @@ function ldap_add_member_to_group($ldap_connection,$group_name,$username) {
|
||||
}
|
||||
|
||||
$group_update = array($LDAP['group_membership_attribute'] => $username);
|
||||
$update = ldap_mod_add($ldap_connection,$group_dn,$group_update);
|
||||
$update = @ ldap_mod_add($ldap_connection,$group_dn,$group_update);
|
||||
|
||||
if ($update) {
|
||||
error_log("$log_prefix Added $username to $group_name",0);
|
||||
return TRUE;
|
||||
}
|
||||
else {
|
||||
error_log("$log_prefix Couldn't add $username to $group_name",0);
|
||||
error_log("$log_prefix Couldn't add $username to ${group_name}: " . ldap_error($ldap_connection),0);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
@ -569,14 +602,14 @@ function ldap_delete_member_from_group($ldap_connection,$group_name,$username) {
|
||||
}
|
||||
|
||||
$group_update = array($LDAP['group_membership_attribute'] => $username);
|
||||
$update = ldap_mod_del($ldap_connection,$group_dn,$group_update);
|
||||
$update = @ ldap_mod_del($ldap_connection,$group_dn,$group_update);
|
||||
|
||||
if ($update) {
|
||||
error_log("$log_prefix Removed $username from $group_name",0);
|
||||
return TRUE;
|
||||
}
|
||||
else {
|
||||
error_log("$log_prefix Couldn't remove $username from $group_name",0);
|
||||
error_log("$log_prefix Couldn't remove $username from ${group_name}: " . ldap_error($ldap_connection),0);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
@ -592,9 +625,9 @@ function ldap_change_password($ldap_connection,$username,$new_password) {
|
||||
#Find DN of user
|
||||
|
||||
$ldap_search_query = "${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);
|
||||
$ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query);
|
||||
$ldap_search = @ ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query);
|
||||
if ($ldap_search) {
|
||||
$result = ldap_get_entries($ldap_connection, $ldap_search);
|
||||
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
|
||||
if ($result["count"] == 1) {
|
||||
$this_dn=$result[0]['dn'];
|
||||
}
|
||||
@ -604,7 +637,7 @@ function ldap_change_password($ldap_connection,$username,$new_password) {
|
||||
}
|
||||
}
|
||||
else {
|
||||
error_log("$log_prefix Couldn't perform an LDAP search for ${LDAP['account_attribute']}=${username}",0);
|
||||
error_log("$log_prefix Couldn't perform an LDAP search for ${LDAP['account_attribute']}=${username}: " . ldap_error($ldap_connection),0);
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
@ -613,14 +646,14 @@ function ldap_change_password($ldap_connection,$username,$new_password) {
|
||||
$hashed_pass = ldap_hashed_password($new_password);
|
||||
|
||||
$entries["userPassword"] = $new_password;
|
||||
$update = ldap_mod_replace($ldap_connection, $this_dn, $entries);
|
||||
$update = @ ldap_mod_replace($ldap_connection, $this_dn, $entries);
|
||||
|
||||
if ($update) {
|
||||
error_log("$log_prefix Updated the password for $username");
|
||||
error_log("$log_prefix Updated the password for $username",0);
|
||||
return TRUE;
|
||||
}
|
||||
else {
|
||||
error_log("$log_prefix Couldn't update the password for $username");
|
||||
error_log("$log_prefix Couldn't update the password for ${username}: " . ldap_error($ldap_connection),0);
|
||||
return TRUE;
|
||||
}
|
||||
|
||||
|
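Review bot: `$hashed_pass = ldap_hashed_password($new_password)` is computed and then never used; `$entries["userPassword"] = $new_password` writes the cleartext password to the directory. Unless the server hashes cleartext `userPassword` values itself (OpenLDAP's ppolicy `olcPPolicyHashCleartext`), this stores passwords in plaintext; it should be `$entries["userPassword"] = $hashed_pass`. The failure branch also ends with `return TRUE;` after logging "Couldn't update the password", which should be `return FALSE;`.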
@ -53,7 +53,8 @@ function set_passkey_cookie($user_id,$is_admin) {
|
||||
}
|
||||
$filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id);
|
||||
file_put_contents("/tmp/$filename","$passkey:$admin_val:$this_time");
|
||||
setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', $_SERVER["HTTP_HOST"]);
|
||||
# setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', $_SERVER["HTTP_HOST"]);
|
||||
setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', '', '', TRUE);
|
||||
if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: user $user_id validated (IS_ADMIN=${IS_ADMIN}), sent orf_cookie to the browser.",0); }
|
||||
$VALIDATED = TRUE;
|
||||
|
||||
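Review bot: dropping `$_SERVER["HTTP_HOST"]` as the cookie domain is the right call (the Host header is client-controlled) and the seventh argument, `TRUE`, sets `HttpOnly`; but the sixth argument, `secure`, is `''`, so the `orf_cookie` session token is still sent over plain HTTP. Since the README directs users to `https://lum.example.com`, pass `TRUE` there too: `setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', '', TRUE, TRUE);` (and document that logins over http:// will then stop working). The session record written to `/tmp/$filename` with `file_put_contents()` also gets default umask permissions; consider chmod 0600.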
@ -118,7 +119,8 @@ function set_setup_cookie() {
|
||||
$IS_SETUP_ADMIN = TRUE;
|
||||
|
||||
file_put_contents("/tmp/ldap_setup","$passkey:$this_time");
|
||||
setcookie('setup_cookie', "$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', $_SERVER["HTTP_HOST"]);
|
||||
# setcookie('setup_cookie', "$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', $_SERVER["HTTP_HOST"]);
|
||||
setcookie('setup_cookie', "$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', '', '', TRUE);
|
||||
if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Setup session: sent setup_cookie to the client.",0); }
|
||||
|
||||
}
|
||||
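Review bot: same as set_passkey_cookie(): `setup_cookie` now has `HttpOnly`, but the `secure` argument is `''`; pass `TRUE` so the setup passkey is only sent over HTTPS. The `/tmp/ldap_setup` file written just above also has a fixed, predictable name in a shared directory.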
@ -169,7 +171,8 @@ function log_out($method='normal') {
|
||||
|
||||
global $USER_ID;
|
||||
|
||||
setcookie('orf_cookie', "", time()-20000 , "/", $_SERVER["HTTP_HOST"], 0);
|
||||
#setcookie('orf_cookie', "", time()-20000 , "/", $_SERVER["HTTP_HOST"], 0);
|
||||
setcookie('orf_cookie', "", time()-20000, '/', '', '', TRUE);
|
||||
|
||||
$filename = preg_replace('/[^a-zA-Z0-9]/','_', $USER_ID);
|
||||
unlink("/tmp/$filename");
|
||||
|
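Review bot: the expiry cookie has to match the path and domain of the one set at login for the browser to discard it, which it now does (both use `'/'` and an empty domain); the commented-out previous line can simply be removed rather than left in. If `secure` is set to `TRUE` in set_passkey_cookie(), mirror it here.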
@ -10,7 +10,7 @@ if (isset($_POST["admin_password"])) {
|
||||
$ldap_connection = open_ldap_connection();
|
||||
$user_auth = ldap_setup_auth($ldap_connection,$_POST["admin_password"]);
|
||||
ldap_close($ldap_connection);
|
||||
|
||||
|
||||
if ($user_auth != FALSE) {
|
||||
set_setup_cookie($user_auth);
|
||||
header("Location: //${_SERVER["HTTP_HOST"]}/${THIS_MODULE_PATH}/run_checks.php\n\n");
|
||||
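Review bot: `header("Location: //${_SERVER["HTTP_HOST"]}/${THIS_MODULE_PATH}/run_checks.php\n\n")` builds a protocol-relative redirect from the client-supplied Host header, so a crafted `Host:` sends the freshly authenticated setup user to an attacker-chosen origin; this is the same Host-header trust the cookie changes in this PR remove. Use a path-relative Location such as `header("Location: /${THIS_MODULE_PATH}/run_checks.php");`. The trailing `\n\n` is unnecessary as well, and PHP refuses header values containing newlines, so the redirect may not be sent at all.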
@ -33,18 +33,17 @@ else {
|
||||
}
|
||||
?>
|
||||
<div class="container">
|
||||
<div class="panel panel-default">
|
||||
<div class="panel panel-default">
|
||||
<div class="panel-heading text-center">Password for <?php print $LDAP['admin_bind_dn']; ?></div>
|
||||
<div class="panel-body text-center">
|
||||
<form class="form-inline" action='' method='post'>
|
||||
<div class="form-group">
|
||||
<input type='password' class="form-control" name='admin_password'>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<input type='submit' class="btn btn-default" value='Log in'>
|
||||
</div>
|
||||
</form>
|
||||
</div>
|
||||
<div class="panel-body text-center">
|
||||
<form class="form-inline" action='' method='post'>
|
||||
<div class="form-group">
|
||||
<input type='password' class="form-control" name='admin_password'>
|
||||
</div>
|
||||
<div class="form-group">
|
||||
<input type='submit' class="btn btn-default" value='Log in'>
|
||||
</div>
|
||||
</form>
|
||||
</div>
|
||||
</div>
|
||||
</div>
|
||||
|
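Review bot: this hunk is only an indentation change, but it re-touches the line that prints `$LDAP['admin_bind_dn']` into the page heading before any authentication, revealing the directory's admin DN to anyone who can reach /setup; print a neutral prompt instead and keep the DN in the log. If it must be shown, wrap it in `htmlspecialchars()`.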