From 73b3797b3053d99a1b7022e1843d2e68f032c974 Mon Sep 17 00:00:00 2001 From: Brian Lycett Date: Wed, 6 May 2020 17:19:20 +0100 Subject: [PATCH] Changes to allow this to work with both NIS and BIS schemas. --- README.md | 27 +++-- www/account_manager/new_user.php | 16 +-- www/account_manager/show_group.php | 17 +--- www/includes/config.inc.php | 18 +++- www/includes/ldap_functions.inc.php | 151 +++++++++++++++++----------- www/includes/web_functions.inc.php | 9 +- www/setup/index.php | 23 ++--- 7 files changed, 150 insertions(+), 111 deletions(-) diff --git a/README.md b/README.md index 4253692..8299dda 100644 --- a/README.md +++ b/README.md 
@@ -60,10 +60,19 @@ Now go to https://lum.example.com/setup. Configuration --- -Configuration is via environmental variables. +Configuration is via environmental variables. Please bear the following in mind: + + * This tool needs to bind to LDAP as a user with permissions to modify everything under the base DN. + * This interface is designed to work with a fresh LDAP server and should be used with populated LDAP directories with caution and at your own risk. + +###When using **osixia/openldap** + +By default the user manager will expect that the LDAP server is using the **RFC2307BIS** schema. Unfortunately by default the **osixia/openldap** image uses the old NIS schema. The user manager will work with either, but RFC2307BIS is recommended as it allows you to use **memberOf** searches. You can enable RFC2307BIS in **osixia/openldap** by setting `LDAP_RFC2307BIS_SCHEMA` to `true` during the initial setup. + +If you prefer not to use RFC2307BIS then set `LDAP_USES_NIS_SCHEMA` to `TRUE`. This will create groups solely as the **posixGroup** objectclass, and the default for `LDAP_GROUP_MEMBERSHIP_USES_UID` will `TRUE`. + + -**Note**: This tool needs to bind to LDAP as a user with permissions to modify everything under the base DN. -**WARNING**: This interface is designed to work with a fresh LDAP server and should be used with populated LDAP directories with caution and at your own risk. Mandatory: ---- 
@@ -82,9 +91,11 @@ Optional: * `LDAP_USER_OU` (default: *people*): The name of the OU used to store user accounts (without the base DN appended). +* `LDAP_USES_NIS_SCHEMA` (default: *FALSE*): If you use the NIS schema instead of the (preferable) RFC2307BIS schema, set this to `TRUE`. See [When using **osixia/openldap**](#When using **osixia/openldap**) for more information. + * `LDAP_GROUP_OU` (default: *groups*): The name of the OU used to store groups (without the base DN appended). -* `LDAP_GROUP_MEMBERSHIP_ATTRIBUTE` (default: *uniqueMember*): The attribute used when adding a user to a group. -* `LDAP_GROUP_MEMBERSHIP_USES_UID`(default: *FALSE*): If *TRUE* then the entry for a member of a group will be just the username. Otherwise it's the member's full DN. +* `LDAP_GROUP_MEMBERSHIP_ATTRIBUTE` (default: *memberUID* or *uniqueMember*): The attribute used when adding a user to a group. If `LDAP_USES_NIS_SCHEMA` is `TRUE` the default is `memberUID', otherwise it's `uniqueMember`. Explicitly setting this variable will override the default. +* `LDAP_GROUP_MEMBERSHIP_USES_UID`(default: *TRUE* or *FALSE*): If *TRUE* then the entry for a member of a group will be just the username. Otherwise it's the member's full DN. If `LDAP_USES_NIS_SCHEMA` is `TRUE` the default is `TRUE', otherwise it's `FALSE`. Explicitly setting this variable will override the default. * `LDAP_REQUIRE_STARTTLS` (default: *TRUE*): If *TRUE* then a TLS connection is required for this interface to work. If set to *FALSE* then the interface will work without STARTTLS, but a warning will be displayed on the page. 
@@ -148,9 +159,3 @@ Anything else in the `USERNAME_FORMAT` string is left as defined, but the userna If `EMAIL_DOMAIN` is set then the email address field will be automatically updated in the form of `username@email_domain`. Entering anything manually in that field will stop the automatic update of the email field. - -Details on accounts and groups ---- - -This interface will create POSIX user accounts and groups, which allows you to use your LDAP directory for Linux/Unix accounts. The accounts created use `person`, `inetOrgPerson` & `posixAccount` objectClasses. Usernames are defined via the `uid` attribute and groups are created as with `posixGroup` and `groupOfUniqueNames` objectClasses (the latter in case you want to use the `memberOf` LDAP module). - diff --git a/www/account_manager/new_user.php b/www/account_manager/new_user.php index bf92e94..36edd61 100644 --- a/www/account_manager/new_user.php +++ b/www/account_manager/new_user.php @@ -197,50 +197,50 @@ render_js_email_generator('username','email');
- onkeyup="update_username(); update_email();"> + onkeyup="update_username(); update_email();">
- onkeyup="update_username(); update_email();"> + onkeyup="update_username(); update_email();">
- onkeyup="check_username_validity(document.getElementById('username').value); update_email();"> + onkeyup="check_username_validity(document.getElementById('username').value); update_email();">
- onkeyup="auto_email_update = false;"> + onkeyup="auto_email_update = false;">
- +
- +
- +
- +
diff --git a/www/account_manager/show_group.php b/www/account_manager/show_group.php index 64a3276..7ce751c 100644 --- a/www/account_manager/show_group.php +++ b/www/account_manager/show_group.php @@ -44,24 +44,11 @@ if (isset($_POST['new_group'])) { ###################################################################################### -$ldap_search_query="cn=" . ldap_escape($group_cn, "", LDAP_ESCAPE_FILTER); -$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query); -$result = ldap_get_entries($ldap_connection, $ldap_search); - -$current_members = array(); - -if ($result["count"] == 1) { - - foreach ($result[0][$LDAP['group_membership_attribute']] as $key => $value) { - if ($key != 'count') { - $this_member = preg_replace("/^.*?=(.*?),.*/", "$1", $value); - array_push($current_members, $this_member); - } - } -} +$current_members = ldap_get_group_members($ldap_connection,$group_cn); $all_accounts = ldap_get_user_list($ldap_connection); $all_people = array(); + foreach ($all_accounts as $this_person => $attrs) { array_push($all_people, $this_person); } diff --git a/www/includes/config.inc.php b/www/includes/config.inc.php index abc7bc2..858b889 100644 --- a/www/includes/config.inc.php +++ b/www/includes/config.inc.php 
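Review bot: The new `ldap_get_group_members($ldap_connection,$group_cn)` call returns an empty array both when the group has no members and when no group with that cn was found, so the `$result["count"] == 1` distinction the removed code made is lost and a missing group renders like an empty one. If the rest of show_group.php (outside this hunk) relies on that distinction, confirm the group exists before rendering (for example via ldap_get_gid_of_group, whose not-found path is outside this view) or have the helper return FALSE when the lookup finds nothing. The loop that copies keys could simply be `$all_people = array_keys($all_accounts);`.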
@@ -14,8 +14,19 @@ $LDAP['group_ou'] = (getenv('LDAP_GROUP_OU') ? getenv('LDAP_GROUP_OU') : 'groups'); $LDAP['user_ou'] = (getenv('LDAP_USER_OU') ? getenv('LDAP_USER_OU') : 'people'); - $LDAP['group_membership_attribute'] = (getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') ? getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') : 'uniquemember'); - $LDAP['group_membership_uses_uid'] = ((strcasecmp(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID'),'TRUE') == 0) ? TRUE : FALSE); + $LDAP['nis_schema'] = ((strcasecmp(getenv('LDAP_USES_NIS_SCHEMA'),'TRUE') == 0) ? TRUE : FALSE); + + if ($LDAP['nis_schema'] == TRUE) { + $default_membership_attribute = 'memberuid'; + $default_group_membership_uses_uid = TRUE; + } + else { + $default_membership_attribute = 'uniquemember'; + $default_group_membership_uses_uid = FALSE; + } + + $LDAP['group_membership_attribute'] = (getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') ? getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE') : $default_membership_attribute); + $LDAP['group_membership_uses_uid'] = ((strcasecmp(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID'),'TRUE') == 0) ? TRUE : $default_group_membership_uses_uid); $LDAP['account_attribute'] = 'uid'; $LDAP['require_starttls'] = ((strcasecmp(getenv('LDAP_REQUIRE_STARTTLS'),'TRUE') == 0) ? TRUE : FALSE); @@ -41,6 +52,8 @@ ### + $log_prefix = date('Y-m-d H:i:s') . " - LDAP manager - $USER_ID - "; + $errors = ""; if (empty($LDAP['uri'])) { @@ -70,5 +83,4 @@ $min_uid = 2000; $min_gid = 2000; - ?> diff --git a/www/includes/ldap_functions.inc.php b/www/includes/ldap_functions.inc.php index 0e31821..3ec35e5 100644 --- a/www/includes/ldap_functions.inc.php +++ b/www/includes/ldap_functions.inc.php @@ -1,6 +1,5 @@ Fatal: Couldn't create a secure connection to ${LDAP['uri']} and LDAP_REQUIRE_STARTTLS is TRUE."; 
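Review bot: `LDAP_GROUP_MEMBERSHIP_USES_UID` cannot be switched off under the NIS schema: the new expression `(strcasecmp(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID'),'TRUE') == 0) ? TRUE : $default_group_membership_uses_uid` falls back to the default (TRUE) for every value other than TRUE, so an explicit `FALSE` is ignored, contradicting the README's "Explicitly setting this variable will override the default". Read the variable once and apply the default only when it is unset: `$uses_uid_env = getenv('LDAP_GROUP_MEMBERSHIP_USES_UID');` followed by `$LDAP['group_membership_uses_uid'] = ($uses_uid_env === FALSE || $uses_uid_env === '') ? $default_group_membership_uses_uid : (strcasecmp($uses_uid_env,'TRUE') == 0);`. The `$log_prefix` added in the second hunk interpolates `$USER_ID`, which is not assigned anywhere in the visible part of config.inc.php; confirm it is defined before this file is included, otherwise the prefix is blank for every log line written from here.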
@@ -50,9 +49,11 @@ function open_ldap_connection() { if ($bind_result != TRUE) { $this_error = "Failed to bind to ${LDAP['uri']} as ${LDAP['admin_bind_dn']}"; - print "Problem: Failed to bind as ${LDAP['admin_bind_dn']}"; if ($LDAP_DEBUG == TRUE) { $this_error .= " with password ${LDAP['admin_bind_pwd']}"; } + $this_error .= ": " . ldap_error($ldap_connection); + print "Problem: Failed to bind as ${LDAP['admin_bind_dn']}"; error_log("$log_prefix $this_error",0); + exit(1); } @@ -75,12 +76,12 @@ function ldap_auth_username($ldap_connection,$username, $password) { global $log_prefix, $LDAP, $LDAP_DEBUG; $ldap_search_query="${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER); - $ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query ); + $ldap_search = @ ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query ); if ($LDAP_DEBUG == TRUE) { "$log_prefix Running LDAP search: $ldap_search_query"; } if (!$ldap_search) { - error_log("$log_prefix Couldn't search for $username",0); + error_log("$log_prefix Couldn't search for ${username}: " . ldap_error($ldap_connection),0); return FALSE; } @@ -100,7 +101,7 @@ function ldap_auth_username($ldap_connection,$username, $password) { if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Able to bind as $username",0); } } else { - if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Unable to bind as $username",0); } + if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Unable to bind as ${username}: " . ldap_error($ldap_connection),0); } return FALSE; } 
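Review bot: The bind-failure message that the new `$this_error .= ": " . ldap_error($ldap_connection);` line extends still carries `${LDAP['admin_bind_pwd']}` when `$LDAP_DEBUG` is on (the line directly above), so enabling debug writes the directory admin password into the web server's error log; now that ldap_error() supplies the diagnostic, drop the password append, e.g. `if ($LDAP_DEBUG == TRUE) { $this_error .= " (LDAP_DEBUG: verify LDAP_ADMIN_BIND_PWD)"; }`. The `print "Problem: Failed to bind as ${LDAP['admin_bind_dn']}"` that precedes `exit(1)` also discloses the admin bind DN to any unauthenticated visitor; keep the detail in the log and show a generic message. In the ldap_auth_username hunks on this line, `${username}` is user-supplied and is logged verbatim, so a value containing a newline can forge log entries — consider stripping control characters before logging. open_ldap_connection() begins before this hunk.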
@@ -129,7 +130,8 @@ function ldap_setup_auth($ldap_connection, $password) { else { $this_error="Initial setup: Unable to authenticate as ${LDAP['admin_bind_dn']}"; if ($LDAP_DEBUG == TRUE) { $this_error .= " with password $password"; } - $this_error .= ". The password used to authenticate for /setup should be the same as set by LDAP_ADMIN_BIND_PWD."; + $this_error .= ". The password used to authenticate for /setup should be the same as set by LDAP_ADMIN_BIND_PWD. "; + $this_error .= ldap_error($ldap_connection); error_log("$log_prefix $this_error",0); return FALSE; } @@ -162,8 +164,8 @@ function ldap_get_user_list($ldap_connection,$start=0,$entries=NULL,$sort="asc", $this_filter = "(&(${LDAP['account_attribute']}=*)$filters)"; - $ldap_search = ldap_search($ldap_connection, "${LDAP['user_dn']}", $this_filter, $fields); - $result = ldap_get_entries($ldap_connection, $ldap_search); + $ldap_search = @ ldap_search($ldap_connection, "${LDAP['user_dn']}", $this_filter, $fields); + $result = @ ldap_get_entries($ldap_connection, $ldap_search); if ($LDAP_DEBUG == TRUE) { error_log("LDAP returned ${result['count']} users for ${LDAP['user_dn']} when using this filter: $this_filter",0); } $records = array(); @@ -173,7 +175,7 @@ function ldap_get_user_list($ldap_connection,$start=0,$entries=NULL,$sort="asc", $add_these = array(); foreach($fields as $this_attr) { - if ($this_attr != $sort_key) { $add_these[$this_attr] = $record[$this_attr][0]; } + if ($this_attr !== $sort_key) { $add_these[$this_attr] = $record[$this_attr][0]; } } $records[$record[$sort_key][0]] = $add_these; 
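Review bot: In ldap_get_user_list the added `@ ldap_search(...)` can return FALSE, and the next line then hands that FALSE to `@ ldap_get_entries($ldap_connection, $ldap_search)`; on PHP 8 that raises a TypeError, which `@` does not suppress, and on PHP 7 it leaves a null `$result` whose `['count']` is read in the debug line. Check the search result first: `if ($ldap_search === FALSE) { error_log("$log_prefix User search failed under ${LDAP['user_dn']}: " . ldap_error($ldap_connection),0); return array(); }`. The ldap_setup_auth hunk above has the same debug-mode leak as open_ldap_connection: `$this_error .= " with password $password"` puts the attempted setup password into the log. Both functions continue outside this hunk.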
@@ -248,7 +250,7 @@ function ldap_get_group_list($ldap_connection,$start=0,$entries=NULL,$sort="asc" $this_filter = "(&(objectclass=*)$filters)"; $ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $this_filter); - $result = ldap_get_entries($ldap_connection, $ldap_search); + $result = @ ldap_get_entries($ldap_connection, $ldap_search); if ($LDAP_DEBUG == TRUE) { error_log("LDAP returned ${result['count']} groups for ${LDAP['group_dn']} when using this filter: $this_filter",0); } $records = array(); 
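Review bot: `ldap_get_entries` is now silenced with `@` while the `ldap_search` on the line above is not, the opposite of what the other hunks in this file do, and neither result is checked before `${result['count']}` is read in the debug line. Either apply the suppression consistently or, preferably, test the search: `if ($ldap_search === FALSE) { error_log("$log_prefix Group search failed under ${LDAP['group_dn']}: " . ldap_error($ldap_connection),0); return array(); }`. ldap_get_group_list continues beyond this hunk.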
@@ -276,23 +278,40 @@ function ldap_get_group_members($ldap_connection,$group_name,$start=0,$entries=N global $log_prefix, $LDAP, $LDAP_DEBUG; $ldap_search_query = "(cn=". ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")"; - $ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query, array($LDAP['group_membership_attribute'])); + $ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query, array($LDAP['group_membership_attribute'])); - $result = ldap_get_entries($ldap_connection, $ldap_search); - if ($LDAP_DEBUG == TRUE) { error_log("LDAP returned ${result['count']} members of ${group_name} when using this search: $ldap_search_query",0); } + $result = @ ldap_get_entries($ldap_connection, $ldap_search); + $result_count = $result[0]['count']; $records = array(); - foreach ($result[0][$LDAP['group_membership_attribute']] as $record => $value) { - if ($record != 'count' and isset($value)) { - array_push($records, $value); + if ($result_count > 0) { + + foreach ($result[0][$LDAP['group_membership_attribute']] as $key => $value) { + + if ($key !== 'count' and !empty($value)) { + $this_member = preg_replace("/^.*?=(.*?),.*/", "$1", $value); + array_push($records, $this_member); + if ($LDAP_DEBUG == TRUE) { error_log("${value} is a member",0); } + } + } + + $actual_result_count = count($records); + if ($LDAP_DEBUG == TRUE) { error_log("LDAP returned $actual_result_count members of ${group_name} when using this search: $ldap_search_query and this filter: ${LDAP['group_membership_attribute']}",0); } + + if ($actual_result_count > 0) { + if ($sort == "asc") { sort($records); } else { rsort($records); } + return(array_slice($records,$start,$entries)); + } + else { + return array(); + } + + } + else { + return array(); } - - if ($sort == "asc") { sort($records); } else { rsort($records); } - - return(array_slice($records,$start,$entries)); - } 
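Review bot: `$result_count = $result[0]['count'];` reads the wrong counter: `$result['count']` is the number of matching groups, whereas `$result[0]['count']` is the number of attributes in the first entry, and when no group matched `$result[0]` is undefined, so the check never actually reflects "group not found". Use `$result_count = ($result !== FALSE && isset($result['count'])) ? $result['count'] : 0;` and guard the attribute before iterating: `if ($result_count > 0 and isset($result[0][$LDAP['group_membership_attribute']])) {`. The `preg_replace("/^.*?=(.*?),.*/", "$1", $value)` is now applied to memberUid values as well as DNs; for plain usernames it is a no-op, but for a DN whose RDN value contains an escaped comma it truncates the name, so confirm callers only use the result for display and matching against `uid`. The debug message `"${value} is a member"` also lacks `$log_prefix`, unlike the other log lines in this file.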
@@ -330,32 +349,46 @@ function ldap_new_group($ldap_connection,$group_name) { if (isset($group_name)) { $ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']})"; - $ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query); - $result = ldap_get_entries($ldap_connection, $ldap_search); + $ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query); + $result = @ ldap_get_entries($ldap_connection, $ldap_search); if ($result['count'] == 0) { - $highest_gid = ldap_get_highest_id($ldap_connection,'gid'); - $new_gid = $highest_gid + 1; + $highest_gid = ldap_get_highest_id($ldap_connection,'gid'); + $new_gid = $highest_gid + 1; - $add_group = ldap_add($ldap_connection, - "cn=$group_name,${LDAP['group_dn']}", - array( 'objectClass' => array( 'top', 'groupOfUniqueNames', 'posixGroup' ), - 'cn' => $group_name, - 'gidNumber' => $new_gid, - $LDAP['group_membership_attribute'] => '' - ) - ); + if ($LDAP['nis_schema'] == TRUE) { + $new_group_array=array( 'objectClass' => array('top','posixGroup'), + 'cn' => $group_name, + 'gidNumber' => $new_gid + ); + } + else { + $new_group_array=array( 'objectClass' => array('top','groupOfUniqueNames','posixGroup'), + 'cn' => $group_name, + 'gidNumber' => $new_gid, + $LDAP['group_membership_attribute'] => '' + ); + } - if ($add_group) { + $group_dn="cn=$group_name,${LDAP['group_dn']}"; + + $add_group = @ ldap_add($ldap_connection, $group_dn, $new_group_array); + + if (! $add_group ) { + $this_error="$log_prefix LDAP: unable to add new group (${group_dn}): " . ldap_error($ldap_connection); + if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix: DEBUG add_group array: ". 
print_r($new_group_array,true)); } + error_log($this_error,0); + } + else { error_log("$log_prefix Added new group $group_name",0); - $update_gid = ldap_mod_replace($ldap_connection, "cn=lastGID,${LDAP['base_dn']}", array( 'serialNumber' => $new_gid )); + $update_gid = @ ldap_mod_replace($ldap_connection, "cn=lastGID,${LDAP['base_dn']}", array( 'serialNumber' => $new_gid )); if ($update_gid) { error_log("$log_prefix Updated cn=lastGID with $new_gid",0); return TRUE; } else { - error_log("$log_prefix Failed to update cn=lastGID",0); + error_log("$log_prefix Failed to update cn=lastGID: " . ldap_error($ldap_connection) ,0); } } @@ -382,14 +415,14 @@ function ldap_delete_group($ldap_connection,$group_name) { if (isset($group_name)) { $delete_query = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}"; - $delete = ldap_delete($ldap_connection, $delete_query); + $delete = @ ldap_delete($ldap_connection, $delete_query); if ($delete) { error_log("$log_prefix Deleted group $group_name",0); return TRUE; } else { - error_log("$log_prefix Couldn't delete group $group_name",0); + error_log("$log_prefix Couldn't delete group $group_name" . ldap_error($ldap_connection) ,0); return FALSE; } @@ -407,8 +440,8 @@ function ldap_get_gid_of_group($ldap_connection,$group_name) { if (isset($group_name)) { $ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")"; - $ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query , array("gidNumber")); - $result = ldap_get_entries($ldap_connection, $ldap_search); + $ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query , array("gidNumber")); + $result = @ ldap_get_entries($ldap_connection, $ldap_search); if (isset($result[0]['gidnumber'][0]) and is_numeric($result[0]['gidnumber'][0])) { return $result[0]['gidnumber'][0]; 
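Review bot: The new `$group_dn="cn=$group_name,${LDAP['group_dn']}";` interpolates the form-supplied group name into a DN with no DN escaping, even though the same name is filter-escaped a few lines earlier; a name containing `,`, `+`, `"`, `\`, `<`, `>`, `;`, `=` or a leading `#`/space yields a DN that names a different RDN or is rejected. Build it with `$group_dn = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_DN) . ",${LDAP['group_dn']}";` and reuse it in the log lines. The existence check above it, `"(cn=" . ldap_escape(...) . ",${LDAP['group_dn']})"`, places the base DN inside the filter value, so it can never match an existing group and `$result['count'] == 0` is always true; duplicates are caught only by the `ldap_add` failure this commit now logs, and the filter should read `"(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")"`. In the ldap_delete_group hunk on this line the message `"Couldn't delete group $group_name" . ldap_error(...)` is missing the `": "` separator the other new messages use. The remainder of ldap_new_group lies outside the hunk.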
@@ -430,8 +463,8 @@ function ldap_new_account($ldap_connection,$first_name,$last_name,$username,$pas if (isset($first_name) and isset($last_name) and isset($username) and isset($password)) { $ldap_search_query = "(${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ",${LDAP['user_dn']})"; - $ldap_search = ldap_search($ldap_connection, "${LDAP['user_dn']}", $ldap_search_query); - $result = ldap_get_entries($ldap_connection, $ldap_search); + $ldap_search = @ ldap_search($ldap_connection, "${LDAP['user_dn']}", $ldap_search_query); + $result = @ ldap_get_entries($ldap_connection, $ldap_search); if ($result['count'] == 0) { @@ -466,7 +499,7 @@ function ldap_new_account($ldap_connection,$first_name,$last_name,$username,$pas 'mail' => $email ); - $add_account = ldap_add($ldap_connection, + $add_account = @ ldap_add($ldap_connection, "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}", $user_info ); @@ -474,18 +507,18 @@ function ldap_new_account($ldap_connection,$first_name,$last_name,$username,$pas if ($add_account) { error_log("$log_prefix Created new account: $username",0); ldap_add_member_to_group($ldap_connection,$add_to_group,$username); - $update_uid = ldap_mod_replace($ldap_connection, "cn=lastUID,${LDAP['base_dn']}", array( 'serialNumber' => $new_uid )); + $update_uid = @ ldap_mod_replace($ldap_connection, "cn=lastUID,${LDAP['base_dn']}", array( 'serialNumber' => $new_uid )); if ($update_uid) { error_log("$log_prefix Create account; Updated cn=lastUID with $new_uid",0); return TRUE; } else { - error_log("$log_prefix Create account; Failed to update cn=lastUID",0); + error_log("$log_prefix Create account; Failed to update cn=lastUID: " . ldap_error($ldap_connection),0); } } else { - error_log("$log_prefix Create account; couldn't create the account for $username",0); + error_log("$log_prefix Create account; couldn't create the account for ${username}: " . ldap_error($ldap_connection),0); } } 
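Review bot: The account DN handed to the now-suppressed `@ ldap_add`, `"${LDAP['account_attribute']}=$username,${LDAP['user_dn']}"`, embeds the submitted username without DN escaping, and the duplicate-check filter above it appends `,${LDAP['user_dn']}` inside the filter value, so that pre-check never matches and the `$result['count'] == 0` branch always runs. Use `"(${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ")"` for the search and `ldap_escape($username, "", LDAP_ESCAPE_DN)` when composing the DN; the check_username_validity() visible in new_user.php runs in the browser and cannot be the only safeguard. ldap_new_account continues outside this hunk.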
@@ -513,14 +546,14 @@ function ldap_delete_account($ldap_connection,$username) { if (isset($username)) { $delete_query = "${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ",${LDAP['user_dn']}"; - $delete = ldap_delete($ldap_connection, $delete_query); + $delete = @ ldap_delete($ldap_connection, $delete_query); if ($delete) { error_log("$log_prefix Deleted account for $username",0); return TRUE; } else { - error_log("$log_prefix Couldn't delete account for $username",0); + error_log("$log_prefix Couldn't delete account for ${username}: " . ldap_error($ldap_connection),0); return FALSE; } @@ -542,14 +575,14 @@ function ldap_add_member_to_group($ldap_connection,$group_name,$username) { } $group_update = array($LDAP['group_membership_attribute'] => $username); - $update = ldap_mod_add($ldap_connection,$group_dn,$group_update); + $update = @ ldap_mod_add($ldap_connection,$group_dn,$group_update); if ($update) { error_log("$log_prefix Added $username to $group_name",0); return TRUE; } else { - error_log("$log_prefix Couldn't add $username to $group_name",0); + error_log("$log_prefix Couldn't add $username to ${group_name}: " . ldap_error($ldap_connection),0); return FALSE; } @@ -569,14 +602,14 @@ function ldap_delete_member_from_group($ldap_connection,$group_name,$username) { } $group_update = array($LDAP['group_membership_attribute'] => $username); - $update = ldap_mod_del($ldap_connection,$group_dn,$group_update); + $update = @ ldap_mod_del($ldap_connection,$group_dn,$group_update); if ($update) { error_log("$log_prefix Removed $username from $group_name",0); return TRUE; } else { - error_log("$log_prefix Couldn't remove $username from $group_name",0); + error_log("$log_prefix Couldn't remove $username from ${group_name}: " . ldap_error($ldap_connection),0); return FALSE; } 
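Review bot: `$delete_query` in ldap_delete_account (and the matching line in ldap_delete_group) is a DN but is built with `ldap_escape($username, "", LDAP_ESCAPE_FILTER)`; filter escaping hex-encodes `*`, `(`, `)`, `\` and NUL but leaves `,`, `+`, `"`, `;`, `<`, `>`, `=` and leading/trailing spaces alone, so a username containing any of those produces a DN that does not name the intended entry, and a `*` becomes `\2a`, which is wrong in DN context. Use the DN flag: `$delete_query = "${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_DN) . ",${LDAP['user_dn']}";`. In the two membership hunks, `$group_update = array($LDAP['group_membership_attribute'] => $username);` writes `$username` as the attribute value; whether it has been turned into a full DN when `group_membership_uses_uid` is FALSE is decided above the hunk and should be re-checked against the new NIS/BIS defaults. All three functions begin outside their hunks.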
@@ -592,9 +625,9 @@ function ldap_change_password($ldap_connection,$username,$new_password) { #Find DN of user $ldap_search_query = "${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER); - $ldap_search = ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query); + $ldap_search = @ ldap_search( $ldap_connection, $LDAP['base_dn'], $ldap_search_query); if ($ldap_search) { - $result = ldap_get_entries($ldap_connection, $ldap_search); + $result = @ ldap_get_entries($ldap_connection, $ldap_search); if ($result["count"] == 1) { $this_dn=$result[0]['dn']; } @@ -604,7 +637,7 @@ function ldap_change_password($ldap_connection,$username,$new_password) { } } else { - error_log("$log_prefix Couldn't perform an LDAP search for ${LDAP['account_attribute']}=${username}",0); + error_log("$log_prefix Couldn't perform an LDAP search for ${LDAP['account_attribute']}=${username}: " . ldap_error($ldap_connection),0); return FALSE; } @@ -613,14 +646,14 @@ function ldap_change_password($ldap_connection,$username,$new_password) { $hashed_pass = ldap_hashed_password($new_password); $entries["userPassword"] = $new_password; - $update = ldap_mod_replace($ldap_connection, $this_dn, $entries); + $update = @ ldap_mod_replace($ldap_connection, $this_dn, $entries); if ($update) { - error_log("$log_prefix Updated the password for $username"); + error_log("$log_prefix Updated the password for $username",0); return TRUE; } else { - error_log("$log_prefix Couldn't update the password for $username"); + error_log("$log_prefix Couldn't update the password for ${username}: " . ldap_error($ldap_connection),0); return TRUE; } diff --git a/www/includes/web_functions.inc.php b/www/includes/web_functions.inc.php index 8691bde..e811e8f 100644 --- a/www/includes/web_functions.inc.php +++ b/www/includes/web_functions.inc.php 
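Review bot: The failure branch this commit edits in ldap_change_password still ends with `return TRUE;` after `ldap_mod_replace` fails, so callers report a successful password change that did not happen; it should be `return FALSE;` like every other failure path in this file. Two lines above, `$hashed_pass = ldap_hashed_password($new_password);` is computed and then discarded while `$entries["userPassword"] = $new_password;` sends the plaintext — either the directory is configured to hash on write (e.g. OpenLDAP's ppolicy hash-cleartext) and the hashing call is dead code, or the line should be `$entries["userPassword"] = $hashed_pass;`; ldap_hashed_password() is outside this hunk, so confirm which is intended. The function also continues beyond the hunk.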
@@ -53,7 +53,8 @@ function set_passkey_cookie($user_id,$is_admin) { } $filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id); file_put_contents("/tmp/$filename","$passkey:$admin_val:$this_time"); - setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', $_SERVER["HTTP_HOST"]); +# setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', $_SERVER["HTTP_HOST"]); + setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', '', '', TRUE); if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: user $user_id validated (IS_ADMIN=${IS_ADMIN}), sent orf_cookie to the browser.",0); } $VALIDATED = TRUE; @@ -118,7 +119,8 @@ function set_setup_cookie() { $IS_SETUP_ADMIN = TRUE; file_put_contents("/tmp/ldap_setup","$passkey:$this_time"); - setcookie('setup_cookie', "$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', $_SERVER["HTTP_HOST"]); +# setcookie('setup_cookie', "$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', $_SERVER["HTTP_HOST"]); + setcookie('setup_cookie', "$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', '', '', TRUE); if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Setup session: sent setup_cookie to the client.",0); } } @@ -169,7 +171,8 @@ function log_out($method='normal') { global $USER_ID; - setcookie('orf_cookie', "", time()-20000 , "/", $_SERVER["HTTP_HOST"], 0); +#setcookie('orf_cookie', "", time()-20000 , "/", $_SERVER["HTTP_HOST"], 0); + setcookie('orf_cookie', "", time()-20000, '/', '', '', TRUE); $filename = preg_replace('/[^a-zA-Z0-9]/','_', $USER_ID); unlink("/tmp/$filename"); diff --git a/www/setup/index.php b/www/setup/index.php index c4d9a21..68f3dd9 100644 --- a/www/setup/index.php +++ b/www/setup/index.php 
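Review bot: The new `setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', '', '', TRUE);` passes `''` as the sixth argument, which is `$secure`, so the session cookie is HttpOnly but not Secure and will be sent over plain HTTP even though the README serves the tool over HTTPS and requires STARTTLS to LDAP. Set both flags, `setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', '', TRUE, TRUE);`, or if PHP 7.3+ is the floor use the options-array form and add `'samesite' => 'Strict'`; the same applies to the setup_cookie and log_out hunks on this line, and the logout call must keep identical path/secure attributes or the browser will not clear the cookie. The commented-out `# setcookie(...)` lines should be removed rather than kept alongside the replacements.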
@@ -10,7 +10,7 @@ if (isset($_POST["admin_password"])) { $ldap_connection = open_ldap_connection(); $user_auth = ldap_setup_auth($ldap_connection,$_POST["admin_password"]); ldap_close($ldap_connection); - + if ($user_auth != FALSE) { set_setup_cookie($user_auth); header("Location: //${_SERVER["HTTP_HOST"]}/${THIS_MODULE_PATH}/run_checks.php\n\n"); @@ -33,18 +33,17 @@ else { } ?>
-
+
Password for
-
-
-
- -
-
- -
-
-
+
+
+
+ +
+
+ +
+