Merge master

2025-01-18 23:42:54 +01:00 · 2022-03-09 15:15:31 +00:00 · 2022-03-09 15:15:31 +00:00 · b3b372d189
commit b3b372d189
parent d714b72cb0 1ae87b6582
10 changed files with 100 additions and 51 deletions
--- a/README.md
+++ b/README.md
@ -64,7 +64,7 @@ Change the variable values to suit your environment.  Now go to https://lum.exam
 Configuration is via environmental variables.  Please bear the following in mind:

 * This tool needs to bind to LDAP as a user that has the permissions to modify everything under the base DN.
- * This interface is designed to work with a fresh LDAP server and should only be against existing, populated LDAP directories with caution and at your own risk.
+ * This interface is designed to work with a fresh LDAP server and should only be used against existing populated LDAP directories with caution and at your own risk.

 ### Mandatory:

@ -81,12 +81,22 @@ Configuration is via environmental variables.  Please bear the following in mind

 ### Optional:

-#### Organisation settings
+
+#### Web server settings

 * `SERVER_HOSTNAME` (default: *ldapusername.org*):  The hostname that this interface will be served from.
   
 * `SERVER_PATH` (default: */*): The path to the user manager on the webserver.  Useful if running this behind a reverse proxy.
+
+* `SERVER_PORT` (default: *80 or 80+443*): The port the webserver inside the container will listen on.  If undefined then the internal webserver will listen on ports 80 and 443 (if `NO_HTTPS` is true it's just 80) and HTTP traffic is redirected to HTTPS.  When set this will disable the redirection and the internal webserver will listen for HTTPS traffic on this port (or for HTTP traffic if `NO_HTTPS` is true).  This is for use when the container's Docker network mode is set to `host`.
+
+* `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption.  This is insecure and should only be used for testing.  See [HTTPS certificates](#https-certificates)
   
+* `SESSION_TIMEOUT` (default: *10 minutes*):  How long before an idle session will be timed out.
+
+
+#### Organisation settings
+
 * `ORGANISATION_NAME`: (default: *LDAP*): Your organisation's name.
   
 * `SITE_NAME` (default: *{ORGANISATION_NAME} user manager*):  Change this to replace the title in the menu, e.g. "My Company Account Management".
@ -165,21 +175,12 @@ To send emails you'll need to use an existing SMTP server.  Email sending will b
 * `NEW_ACCOUNT_EMAIL_SUBJECT`, `NEW_ACCOUNT_EMAIL_BODY`, `RESET_PASSWORD_EMAIL_SUBJECT` & `RESET_PASSWORD_EMAIL_BODY`: Change the email contents for emails sent to users when you create an account or reset a password.  See [Sending emails](#sending_emails) for full details.


-**Account requests**
-
 #### Account request settings

 * `ACCOUNT_REQUESTS_ENABLED` (default: *FALSE*): Set to TRUE in order to enable a form that people can fill in to request an account.  This will send an email to `ACCOUNT_REQUESTS_EMAIL` with their details and a link to the account creation page where the details will be filled in automatically.  You'll need to set up email sending (see **Email sending**, above) for this to work.  If this is enabled but email sending isn't then requests will be disabled and an error message sent to the logs.  

 * `ACCOUNT_REQUESTS_EMAIL` (default: *{EMAIL_FROM_ADDRESS}*): This is the email address that any requests for a new account are sent to.

-**Site security settings**   
-
-#### Website security
-
-* `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption.  This is insecure and should only be used for testing.  See [HTTPS certificates](#https-certificates)
-   
-* `SESSION_TIMEOUT` (default: *10 minutes*):  How long before an idle session will be timed out.

 #### Debugging settings

@ -294,7 +295,7 @@ If you need to use this user manager with an existing LDAP directory and your ac
 `LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES` is a comma-separated list of objectClasses to add when creating the account record.  For example, `LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES=ldappublickey,couriermailaccount`.   

 To add extra fields for new attributes you need to pass a comma-separated string of the attributes and optionally the label for the attribute (which will be shown on the user form) and a default value to `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` separated by colons (`:`).   
-The format for configuring an attribute is: `attribute1:label1,default_value1,attribute2:label2:default_value2`.   If you don't supply a label then the form field will be labelled with the attribute name.  
+The format for configuring an attribute is: `attribute1:label1:default_value1,attribute2:label2:default_value2`.   If you don't supply a label then the form field will be labelled with the attribute name.  
 An example (for the couriermailaccount objectClass) would be: `mailbox:Mailbox:domain.com,quota:Mail quota:20`   
   
 ObjectClasses often have attributes that must have a value, so you should definitely set a default for those attributes.   
--- a/26
+++ b/26
@ -17,6 +17,7 @@ fi

 if [ "$LDAP_TLS_CACERT" ]; then
  echo "$LDAP_TLS_CACERT" >/opt/ca.crt
+  mkdir -p /etc/ldap  
  sed -i "s/TLS_CACERT.*/TLS_CACERT \/opt\/ca.crt/" /etc/ldap/ldap.conf
 fi

@ -24,7 +25,7 @@ if [ "${NO_HTTPS,,}" == "true" ]; then

  cat <<EoHTTPC >/etc/apache2/sites-enabled/lum.conf

-<VirtualHost *:80>
+<VirtualHost *:${SERVER_PORT:-80}>

 ServerName $SERVER_HOSTNAME
 DocumentRoot $php_dir
@ -39,6 +40,8 @@ if [ "${NO_HTTPS,,}" == "true" ]; then
 EoHTTPC


+  echo "Listen ${SERVER_PORT:-80}" > /etc/apache2/ports.conf
+
 else

  ########################
@ -112,7 +115,14 @@ EoCertConf

  if [ -f "${ssl_dir}/chain.pem" ]; then ssl_chain="SSLCertificateChainFile ${ssl_dir}/chain.pem"; fi

-  cat <<EoHTTPSC >/etc/apache2/sites-enabled/lum.conf
+  echo  > /etc/apache2/sites-enabled/lum.conf
+  echo  > /etc/apache2/ports.conf
+
+  if [ ! "$SERVER_PORT" ]; then
+
+    echo "Listen 80" > /etc/apache2/ports.conf
+
+    cat <<EoHTTPrd >/etc/apache2/sites-enabled/lum.conf

 <VirtualHost *:80>

@ -121,7 +131,15 @@ EoCertConf

 </VirtualHost>

-<VirtualHost _default_:443>
+EoHTTPrd
+
+  fi
+
+  echo "Listen ${SERVER_PORT:-443}" >> /etc/apache2/ports.conf
+  
+  cat <<EoHTTPSC >>/etc/apache2/sites-enabled/lum.conf
+
+<VirtualHost _default_:${SERVER_PORT:-443}>

 ServerName $SERVER_HOSTNAME

@ -143,8 +161,6 @@ EoHTTPSC

 fi

-cat /etc/apache2/sites-enabled/lum.conf
-
 ########################
 #Run Apache

--- a/www/account_manager/new_user.php
+++ b/www/account_manager/new_user.php
@ -14,7 +14,7 @@ if ( isset($_POST['setup_admin_account']) ) {
 validate_setup_cookie();
 set_page_access("setup");

- $completed_action="${SERVER_PATH}/log_in";
+ $completed_action="${SERVER_PATH}log_in";
 $page_title="New administrator account";

 render_header("$ORGANISATION_NAME account manager - setup administrator account", FALSE);
@ -291,6 +291,7 @@ $tabindex=1;

  foreach ($attribute_map as $attribute => $attr_r) {
    $label   = $attr_r['label'];
+    $onkeyup = $attr_r['onkeyup'];
    if ($attribute == $LDAP['account_attribute']) { $label = "<strong>$label</strong><sup>&ast;</sup>"; }
  ?>
     <div class="form-group" id="<?php print $attribute; ?>_div">
--- a/www/account_manager/show_group.php
+++ b/www/account_manager/show_group.php
@ -50,17 +50,23 @@ elseif (isset($_POST['initialise_group'])) {
  $new_group = FALSE;
  $initialise_group = TRUE;
  $current_members = array();
-  $full_dn = "cn=$group_cn,${LDAP['group_dn']}";
+  $full_dn = "${LDAP['group_attribute']}=$group_cn,${LDAP['group_dn']}";
  $has_been = "created";
 }
 else {
  $new_group = FALSE;
+  $initialise_group = TRUE;
  $current_members = ldap_get_group_members($ldap_connection,$group_cn);
  $full_dn = ldap_get_dn_of_group($ldap_connection,$group_cn);
  $has_been = "updated";
 }


+######################################################################################
+
+
+$current_members = ldap_get_group_members($ldap_connection,$group_cn);
+$full_dn = ldap_get_dn_of_group($ldap_connection,$group_cn);
 $all_accounts = ldap_get_user_list($ldap_connection);
 $all_people = array();

--- a/www/account_manager/show_user.php
+++ b/www/account_manager/show_user.php
@ -366,6 +366,29 @@ if ($ldap_search) {
 }

 </script>
+<style type='text/css'>
+  .dual-list .list-group {
+      margin-top: 8px;
+  }
+
+  .list-left li, .list-right li {
+      cursor: pointer;
+  }
+
+  .list-arrows {
+      padding-top: 100px;
+  }
+
+  .list-arrows button {
+          margin-bottom: 20px;
+  }
+
+  .right_button {
+    width: 200px;
+    float: right;
+  }
+</style>
+

 <div class="container">
 <div class="col-sm-8 col-md-offset-2">
@ -499,7 +522,7 @@ if ($ldap_search) {
          <button class="btn btn-default btn-sm move-right">
           <span class="glyphicon glyphicon-chevron-right"></span>
          </button>
-          <form id="update_with_groups" action="<?php print $CURRENT_PAGE; ?>" method="post">
+          <form id="update_with_groups" action="<?php print "${THIS_MODULE_PATH}"; ?>/show_user.php" method="post">
           <input type="hidden" name="update_member_of">
           <input type="hidden" name="account_identifier" value="<?php print $account_identifier; ?>">
          </form>
--- a/www/change_password/index.php
+++ b/www/change_password/index.php
@ -9,6 +9,7 @@ set_page_access("user");

 if (isset($_POST['change_password'])) {

+ if (!$_POST['password']) { $not_strong_enough = 1; }
 if ((!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) and $ACCEPT_WEAK_PASSWORDS != TRUE) { $not_strong_enough = 1; }
 if (preg_match("/\"|'/",$_POST['password'])) { $invalid_chars = 1; }
 if ($_POST['password'] != $_POST['password_match']) { $mismatched = 1; }
@ -56,20 +57,17 @@ if (isset($mismatched)) {  ?>
 <script type="text/javascript" src="<?php print $SERVER_PATH; ?>js/zxcvbn-bootstrap-strength-meter.js"></script>
 <script type="text/javascript">$(document).ready(function(){	$("#StrengthProgressBar").zxcvbnProgressBar({ passwordInput: "#password" });});</script>

-<div class="container">
- <div class="col-sm-6">
-   <div class="panel panel-default">
-    <p>Use this form to change your <?php print $ORGANISATION_NAME; ?> password.  When you start typing your new password the gauge at the bottom will show its security strength.
-    Enter your password again in the <b>confirm</b> field.  If the passwords don't match then both fields will be bordered with red.</p>
-   </div>
- </div>
-</div>
-
 <div class="container">
 <div class="col-sm-6">

  <div class="panel panel-default">
   <div class="panel-heading text-center">Change your password</div>
+
+   <ul class="list-group">
+    <li class="list-group-item">Use this form to change your <?php print $ORGANISATION_NAME; ?> password.  When you start typing your new password the gauge at the bottom will show its security strength.
+    Enter your password again in the <b>confirm</b> field.  If the passwords don't match then both fields will be bordered with red.</li>
+   </ul>
+
   <div class="panel-body text-center">
   
    <form class="form-horizontal" action='' method='post'>
--- a/www/includes/config.inc.php
+++ b/www/includes/config.inc.php
@ -24,6 +24,7 @@
 #Optional

 $LDAP['account_attribute'] = (getenv('LDAP_ACCOUNT_ATTRIBUTE') ? getenv('LDAP_ACCOUNT_ATTRIBUTE') : 'uid');
+ $LDAP['group_attribute'] = (getenv('LDAP_GROUP_ATTRIBUTE') ? getenv('LDAP_GROUP_ATTRIBUTE') : 'cn');
 $LDAP['group_ou'] = (getenv('LDAP_GROUP_OU') ? getenv('LDAP_GROUP_OU') : 'groups');
 $LDAP['user_ou'] = (getenv('LDAP_USER_OU') ? getenv('LDAP_USER_OU') : 'people');

@ -33,7 +34,10 @@
 if (getenv('LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES')) { $LDAP['account_additional_attributes'] = getenv('LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES'); }

 if (getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE')) { $LDAP['group_membership_attribute'] = getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE'); }
- if (getenv('LDAP_GROUP_MEMBERSHIP_USES_UID') and strtoupper(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID')) == TRUE )  { $LDAP['group_membership_uses_uid']  = TRUE; }
+ if (getenv('LDAP_GROUP_MEMBERSHIP_USES_UID')) {
+   if (strtoupper(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID')) == 'TRUE' )   { $LDAP['group_membership_uses_uid']  = TRUE;  }
+   if (strtoupper(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID')) == 'FALSE' )  { $LDAP['group_membership_uses_uid']  = FALSE; }
+ }

 $LDAP['require_starttls'] = ((strcasecmp(getenv('LDAP_REQUIRE_STARTTLS'),'TRUE') == 0) ? TRUE : FALSE);
 $LDAP['ignore_cert_errors'] = ((strcasecmp(getenv('LDAP_IGNORE_CERT_ERRORS'),'TRUE') == 0) ? TRUE : FALSE);
--- a/www/includes/ldap_functions.inc.php
+++ b/www/includes/ldap_functions.inc.php
@ -420,9 +420,9 @@ function ldap_get_group_list($ldap_connection,$start=0,$entries=NULL,$sort="asc"
 $records = array();
 foreach ($result as $record) {

-  if (isset($record['cn'][0])) {
+  if (isset($record[$LDAP['group_attribute']][0])) {

-   array_push($records, $record['cn'][0]);
+   array_push($records, $record[$LDAP['group_attribute']][0]);

  }
 }
@ -444,7 +444,7 @@ function ldap_get_dn_of_group($ldap_connection,$group_name) {

 if (isset($group_name)) {

-  $ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
+  $ldap_search_query = "(${LDAP['group_attribute']}=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
  $ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query , array("dn"));
  $result = @ ldap_get_entries($ldap_connection, $ldap_search);

@ -466,7 +466,7 @@ function ldap_get_group_members($ldap_connection,$group_name,$start=0,$entries=N

 if ($LDAP['rfc2307bis_check_run'] != TRUE) { $rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection); }

- $ldap_search_query = "(cn=". ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
+ $ldap_search_query = "(${LDAP['group_attribute']}=". ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
 $ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query, array($LDAP['group_membership_attribute']));

 $result = @ ldap_get_entries($ldap_connection, $ldap_search);
@ -513,7 +513,7 @@ function ldap_is_group_member($ldap_connection,$group_name,$username) {

 if ($LDAP['rfc2307bis_check_run'] != TRUE) { $rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection); }

- $ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
+ $ldap_search_query = "(${LDAP['group_attribute']}=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
 $ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);

 if ($ldap_search) {
@ -531,7 +531,7 @@ function ldap_is_group_member($ldap_connection,$group_name,$username) {
   }
 }
 else {
-   return FALSE;
+  return FALSE;
 }

 }
@ -550,13 +550,13 @@ function ldap_user_group_membership($ldap_connection,$username) {
 }

 $ldap_search_query = "(&(objectClass=posixGroup)(${LDAP['group_membership_attribute']}=${username}))";
- $ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query, array('cn'));
+ $ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query, array($LDAP['group_attribute']));
 $result = ldap_get_entries($ldap_connection, $ldap_search);

 $groups = array();
 foreach ($result as $record) {
-  if (isset($record['cn'][0])) {
-   array_push($groups, $record['cn'][0]);
+  if (isset($record[$LDAP['group_attribute']][0])) {
+   array_push($groups, $record[$LDAP['group_attribute']][0]);
  }
 }
 sort($groups);
@ -578,7 +578,7 @@ function ldap_new_group($ldap_connection,$group_name,$initial_member="") {
  $new_group = ldap_escape($group_name, "", LDAP_ESCAPE_FILTER);
  $initial_member = ldap_escape($initial_member, "", LDAP_ESCAPE_FILTER);

-  $ldap_search_query = "(cn=$new_group,${LDAP['group_dn']})";
+  $ldap_search_query = "(${LDAP['group_attribute']}=$new_group,${LDAP['group_dn']})";
  $ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
  $result = @ ldap_get_entries($ldap_connection, $ldap_search);

@ -643,7 +643,7 @@ function ldap_delete_group($ldap_connection,$group_name) {

 if (isset($group_name)) {

-  $delete_query = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
+  $delete_query = "${LDAP['group_attribute']}=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
  $delete = @ ldap_delete($ldap_connection, $delete_query);

  if ($delete) {
@ -668,7 +668,7 @@ function ldap_get_gid_of_group($ldap_connection,$group_name) {

 if (isset($group_name)) {

-  $ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
+  $ldap_search_query = "(${LDAP['group_attribute']}=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
  $ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query , array("gidNumber"));
  $result = @ ldap_get_entries($ldap_connection, $ldap_search);

@ -811,13 +811,13 @@ function ldap_new_account($ldap_connection,$account_r) {
       }
       return TRUE;
     }
-
     else {
       ldap_get_option($ldap_connection, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detailed_err);
       error_log("$log_prefix Create account; couldn't create the account for ${account_identifier}: " . ldap_error($ldap_connection) . " -- " . $detailed_err,0);
     }

   }
+
   else {
     error_log("$log_prefix Create account; Account for ${account_identifier} already exists",0);
   }
@ -865,7 +865,7 @@ function ldap_add_member_to_group($ldap_connection,$group_name,$username) {

  if ($LDAP['rfc2307bis_check_run'] != TRUE) { $rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection); }

-  $group_dn = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
+  $group_dn = "${LDAP['group_attribute']}=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";

  if ($LDAP['group_membership_uses_uid'] == FALSE) {
   $username = "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}";
@ -900,7 +900,7 @@ function ldap_delete_member_from_group($ldap_connection,$group_name,$username) {
  else {
    if ($LDAP['rfc2307bis_check_run'] != TRUE) { $rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection); }

-    $group_dn = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
+    $group_dn = "${LDAP['group_attribute']}=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";

    if ($LDAP['group_membership_uses_uid'] == FALSE and $username != "") {
      $username = "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}";
--- a/www/includes/web_functions.inc.php
+++ b/www/includes/web_functions.inc.php
@ -49,9 +49,9 @@ validate_passkey_cookie();

 function generate_passkey() {

- $rnd1 = rand(10000000,100000000000);
- $rnd2 = rand(10000000,100000000000);
- $rnd3 = rand(10000000,100000000000);
+ $rnd1 = rand(10000000, (int)100000000000);
+ $rnd2 = rand(10000000, (int)100000000000);
+ $rnd3 = rand(10000000, (int)100000000000);
 return sprintf("%0x",$rnd1) . sprintf("%0x",$rnd2) . sprintf("%0x",$rnd3);

 }
@ -153,7 +153,7 @@ function set_setup_cookie() {

 $IS_SETUP_ADMIN = TRUE;

- file_put_contents("/tmp/ldap_setup","$passkey:$this_time");
+ @ file_put_contents("/tmp/ldap_setup","$passkey:$this_time");

 setcookie('setup_cookie', $passkey, $DEFAULT_COOKIE_OPTIONS);

--- a/www/setup/run_checks.php
+++ b/www/setup/run_checks.php
@ -187,7 +187,7 @@ else {
 }


-$defgroup_filter  = "(&(objectclass=posixGroup)(cn=${DEFAULT_USER_GROUP}))";
+$defgroup_filter  = "(&(objectclass=posixGroup)(${LDAP['group_attribute']}=${DEFAULT_USER_GROUP}))";
 $ldap_defgroup_search = ldap_search($ldap_connection, "${LDAP['base_dn']}", $defgroup_filter);
 $defgroup_result = ldap_get_entries($ldap_connection, $ldap_defgroup_search);

@ -207,7 +207,7 @@ else {
 }


-$adminsgroup_filter  = "(&(objectclass=posixGroup)(cn=${LDAP['admins_group']}))";
+$adminsgroup_filter  = "(&(objectclass=posixGroup)(${LDAP['group_attribute']}=${LDAP['admins_group']}))";
 $ldap_adminsgroup_search = ldap_search($ldap_connection, "${LDAP['base_dn']}", $adminsgroup_filter);
 $adminsgroup_result = ldap_get_entries($ldap_connection, $ldap_adminsgroup_search);