Update entries with any missing additional objectclasses when updating entries. Update README to describe changes. Initial work to allow file uploads for attributes.

This commit is contained in:
Brian Lycett 2022-04-05 14:42:14 +01:00
parent 9092a3a39b
commit e46e590c79
6 changed files with 156 additions and 98 deletions

View File

@ -106,12 +106,13 @@ For example, if you're using Docker Swarm and you've set the LDAP bind password
* `SESSION_TIMEOUT` (default: *10 minutes*): How long before an idle session will be timed out. * `SESSION_TIMEOUT` (default: *10 minutes*): How long before an idle session will be timed out.
#### Organisation settings #### Interface customisation
* `ORGANISATION_NAME`: (default: *LDAP*): Your organisation's name. * `ORGANISATION_NAME`: (default: *LDAP*): Your organisation's name.
* `SITE_NAME` (default: *{ORGANISATION_NAME} user manager*): Change this to replace the title in the menu, e.g. "My Company Account Management". * `SITE_NAME` (default: *`ORGANISATION_NAME` user manager*): Change this to replace the title in the menu, e.g. "My Company Account Management".
* `SIMPLE_INTERFACE` (default: *FALSE*): If set to `TRUE` this will hide most **posixAccount** and **posixGroup** attributes from the account and group forms. This is useful if you won't use the LDAP accounts for server accounts. The Posix values are still set in the background using the default values. Enabling this won't prevent any `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` or `LDAP_GROUP_ADDITIONAL_ATTRIBUTES` from being displayed.
#### LDAP settings #### LDAP settings
@ -139,6 +140,10 @@ These settings should only be changed if you're trying to make the user manager
* `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` (no default): A comma-separated list of extra attributes to display when creating an account. See [Extra objectClasses and attributes](#extra-objectclasses-and-attributes) for more information. * `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` (no default): A comma-separated list of extra attributes to display when creating an account. See [Extra objectClasses and attributes](#extra-objectclasses-and-attributes) for more information.
* `GROUP_ACCOUNT_ADDITIONAL_OBJECTCLASSES` (no default): A comma-separated list of additional objectClasses to use when creating a group. See [Extra objectClasses and attributes](#extra-objectclasses-and-attributes) for more information.
* `GROUP_ACCOUNT_ADDITIONAL_ATTRIBUTES` (no default): A comma-separated list of extra attributes to display when creating a group. See [Extra objectClasses and attributes](#extra-objectclasses-and-attributes) for more information.
* `LDAP_GROUP_MEMBERSHIP_USES_UID` (default: *TRUE* or *FALSE*): If *TRUE* then the entry for a member of a group will be just the username, otherwise it's the member's full DN. When the `groupOfMembers` objectClass is detected or `FORCE_RFC2307BIS` is `TRUE` it defaults to `FALSE`, otherwise it'll default to `TRUE`. Explicitly setting this variable will override the default. * `LDAP_GROUP_MEMBERSHIP_USES_UID` (default: *TRUE* or *FALSE*): If *TRUE* then the entry for a member of a group will be just the username, otherwise it's the member's full DN. When the `groupOfMembers` objectClass is detected or `FORCE_RFC2307BIS` is `TRUE` it defaults to `FALSE`, otherwise it'll default to `TRUE`. Explicitly setting this variable will override the default.
* `FORCE_RFC2307BIS` (default: *FALSE*): Set to *TRUE* if the auto-detection is failing to spot that the RFC2307BIS schema is available. When *FALSE* the user manager will use auto-detection. See [Using the RFC2307BIS schema](#using-the-rfc2307bis-schema) for more information. * `FORCE_RFC2307BIS` (default: *FALSE*): Set to *TRUE* if the auto-detection is failing to spot that the RFC2307BIS schema is available. When *FALSE* the user manager will use auto-detection. See [Using the RFC2307BIS schema](#using-the-rfc2307bis-schema) for more information.
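Review bot: the two new README bullets use environment variable names the code never reads. `GROUP_ACCOUNT_ADDITIONAL_OBJECTCLASSES` and `GROUP_ACCOUNT_ADDITIONAL_ATTRIBUTES` do not match config.php, which reads `getenv('LDAP_GROUP_ADDITIONAL_OBJECTCLASSES')` and `getenv('LDAP_GROUP_ADDITIONAL_ATTRIBUTES')`, and the "Extra objectClasses and attributes" section further down already uses the `LDAP_GROUP_...` names. Rename the two bullets to `LDAP_GROUP_ADDITIONAL_OBJECTCLASSES` and `LDAP_GROUP_ADDITIONAL_ATTRIBUTES`; a misnamed variable is silently ignored, so group creation still succeeds but without the extra classes, which is awkward to diagnose.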
@ -208,7 +213,6 @@ To send emails you'll need to use an existing SMTP server. Email sending will b
* `SMTP_LOG_LEVEL` (default: *0*): Set to between 1-4 to get SMTP logging information (0 disables SMTP debugging logs though it will still display errors). See https://github.com/PHPMailer/PHPMailer/wiki/SMTP-Debugging for details of the levels. * `SMTP_LOG_LEVEL` (default: *0*): Set to between 1-4 to get SMTP logging information (0 disables SMTP debugging logs though it will still display errors). See https://github.com/PHPMailer/PHPMailer/wiki/SMTP-Debugging for details of the levels.
*** ***
## Initial setup ## Initial setup
@ -264,7 +268,6 @@ If you don't want to use HTTPS certificates then set `NO_HTTPS` to **TRUE** to r
## Sending emails ## Sending emails
When you create an account you'll have an option to send an email to the person you created the account for. The email will give them their new username, password and a link to the self-service password change utility. When you create an account you'll have an option to send an email to the person you created the account for. The email will give them their new username, password and a link to the self-service password change utility.
Emails are sent via SMTP, so you'll need to be able to connect to an SMTP server and pass in the settings for that server via environmental variables - see **Email sending** above. Emails are sent via SMTP, so you'll need to be able to connect to an SMTP server and pass in the settings for that server via environmental variables - see **Email sending** above.
@ -313,12 +316,14 @@ If `EMAIL_DOMAIN` is set then the email address field will be automatically upda
## Extra objectClasses and attributes ## Extra objectClasses and attributes
If you need to use this user manager with an existing LDAP directory and your account records need additional objectClasses and attributes then you can add them via `LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES` and `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES`. By default accounts are created with `person`, `inetOrgPerson` and `posixAccount` object classes. Groups are created with `posixGroup` - if [the RFC2307BIS schema](#using-the-rfc2307bis-schema) is available then `groupOfUniqueNames` is automatically added too.
`LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES` is a comma-separated list of objectClasses to add when creating the account record. For example, `LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES=ldappublickey,couriermailaccount`. If you need to add additional objectClasses and attributes to accounts or groups then you can add them via `LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES`, `LDAP_GROUP_ADDITIONAL_OBJECTCLASSES`, `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` and `LDAP_GROUP_ADDITIONAL_ATTRIBUTES`.
`LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` is a comma-separated list of attributes to be displayed as extra fields on the account management page. `LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES` and `LDAP_GROUP_ADDITIONAL_OBJECTCLASSES take a comma-separated list of objectClasses to add. For example, `LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES=ldappublickey,couriermailaccount`.
By default these fields will be empty, with the field named for the attribute, but you can set the field labels (and optionally the default values) by appending the attribute names with colon-separated values like so: `attribute_name:label:default_value`.
`LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` and `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` take a comma-separated list of attributes to be displayed as extra fields for the account or group.
By default these fields will be empty with the field named for the attribute, but you can set the field labels (and optionally the default values) by appending the attribute names with colon-separated values like so: `attribute_name:label:default_value`.
Multiple attributes are separated by commas, so you can define the label and default values for several attributes as follows: `attribute1:label1:default_value1,attribute2:label2:default_value2,attribute3:label3`. Multiple attributes are separated by commas, so you can define the label and default values for several attributes as follows: `attribute1:label1:default_value1,attribute2:label2:default_value2,attribute3:label3`.
As an example, to set a mailbox name and quota for the `couriermailaccount` schema you can pass these variables to the container: As an example, to set a mailbox name and quota for the `couriermailaccount` schema you can pass these variables to the container:
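Review bot: two copy errors in the rewritten paragraphs. The sentence beginning `LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES` and `LDAP_GROUP_ADDITIONAL_OBJECTCLASSES take a comma-separated list is missing the closing backtick after the second name, so the rest of the paragraph renders as inline code; and the attributes sentence names `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` twice where the second occurrence should be `LDAP_GROUP_ADDITIONAL_ATTRIBUTES`. One more thing this section should state: the example `ldappublickey,couriermailaccount` is all lowercase, and config.php lowercases the account list but not the group list, so say explicitly whether objectClass names are treated case-insensitively by the user manager, because the objectClass comparison added in this commit compares them as plain PHP strings.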
@ -329,7 +334,6 @@ LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES="mailbox:Mailbox:domain.com,quota:Mail quota:
_Note_: ObjectClasses often have attributes that _must_ have a value, so you should set a default value for these attributes, otherwise if you forget to add a value when filling in the form an error will be thrown on submission. _Note_: ObjectClasses often have attributes that _must_ have a value, so you should set a default value for these attributes, otherwise if you forget to add a value when filling in the form an error will be thrown on submission.
### Multi-value attributes ### Multi-value attributes
If you have an attribute that could have several values, you can add a `+` to end of the attribute name. This will modify the form so you can add or remove extra values for that attribute. For example, if you want to have multiple email aliases when using the _PostfixBookMailAccount_ schema then you can pass these variables to the container: If you have an attribute that could have several values, you can add a `+` to end of the attribute name. This will modify the form so you can add or remove extra values for that attribute. For example, if you want to have multiple email aliases when using the _PostfixBookMailAccount_ schema then you can pass these variables to the container:
@ -338,6 +342,14 @@ LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES=PostfixBookMailAccount" \
LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES=mailAlias+:Email aliases" LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES=mailAlias+:Email aliases"
``` ```
### Binary attributes
If you have an attribute that stores the contents of a binary file (for example, a JPEG) then you can add a `^` to the end of the attribute name. This will modify the form so that this attribute has an upload button. If a file has already been uploaded then a link to view or download the file will be shown. For example, to allow you to set a user's photo:
```
LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES=jpegPhoto^:Photograph"
```
### Caveat ### Caveat
These settings are advanced usage and the user manager doesn't attempt to validate any objectClasses, attributes, labels or default values you pass in. It's up to you to ensure that your LDAP server has the appropriate schemas and that the labels and values are sane. These settings are advanced usage and the user manager doesn't attempt to validate any objectClasses, attributes, labels or default values you pass in. It's up to you to ensure that your LDAP server has the appropriate schemas and that the labels and values are sane.
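Review bot: the new "Binary attributes" section documents behaviour this commit does not implement. The only code change for the `^` suffix is that `ldap_complete_attribute_array()` sets `$this_r['binary'] = TRUE`; nothing in the diff renders an upload button or a view/download link, which is consistent with the commit message's "Initial work to allow file uploads". Either hold this README section until the form handling lands or mark the feature as not yet available, otherwise operators will configure `jpegPhoto^:Photograph` and get an ordinary text field. Minor: the example line `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES=jpegPhoto^:Photograph"` carries a stray closing quote; the earlier examples end in `"` because they continue a multi-line `docker run` command whose opening quote is on a previous line, but this block stands alone.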
@ -346,7 +358,6 @@ These settings are advanced usage and the user manager doesn't attempt to valida
## Using the RFC2307BIS schema ## Using the RFC2307BIS schema
Using the **RFC2307BIS** will allow you to use `memberOf` in LDAP searches which gives you an easy way to check if a user is a member of a group. For example: `(&(objectClass=posixAccount)(memberof=cn=somegroup,ou=groups,dc=ldapusermanager,dc=org))`. Using the **RFC2307BIS** will allow you to use `memberOf` in LDAP searches which gives you an easy way to check if a user is a member of a group. For example: `(&(objectClass=posixAccount)(memberof=cn=somegroup,ou=groups,dc=ldapusermanager,dc=org))`.
OpenLDAP will use the RFC2307 (NIS) schema by default; you'll need to configure your server to use the **RFC2307BIS** schema when setting up your directory. See [this guide](https://unofficialaciguide.com/2019/07/31/ldap-schemas-for-aci-administrators-rfc2307-vs-rfc2307bis/) for more information regarding RFC2307 vs RFC2307BIS. OpenLDAP will use the RFC2307 (NIS) schema by default; you'll need to configure your server to use the **RFC2307BIS** schema when setting up your directory. See [this guide](https://unofficialaciguide.com/2019/07/31/ldap-schemas-for-aci-administrators-rfc2307-vs-rfc2307bis/) for more information regarding RFC2307 vs RFC2307BIS.

View File

@ -92,19 +92,6 @@ if (isset($_GET['account_request'])) {
$new_account_r['sn'] = $sn; $new_account_r['sn'] = $sn;
unset($new_account_r['sn']['count']); unset($new_account_r['sn']['count']);
$uid[0] = generate_username($givenname[0],$sn[0]);
$new_account_r['uid'] = $uid;
unset($new_account_r['uid']['count']);
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE) {
$cn[0] = $givenname[0] . $sn[0];
}
else {
$cn[0] = $givenname[0] . " " . $sn[0];
}
$new_account_r['cn'] = $cn;
unset($new_account_r['cn']['count']);
$mail[0]=filter_var($_GET['email'], FILTER_SANITIZE_EMAIL); $mail[0]=filter_var($_GET['email'], FILTER_SANITIZE_EMAIL);
if ($mail[0] == "") { if ($mail[0] == "") {
if (isset($EMAIL_DOMAIN)) { if (isset($EMAIL_DOMAIN)) {
@ -122,6 +109,23 @@ if (isset($_GET['account_request'])) {
if (isset($_POST['create_account'])) { if (isset($_POST['create_account'])) {
if (!isset($uid[0])) {
$uid[0] = generate_username($givenname[0],$sn[0]);
$new_account_r['uid'] = $uid;
unset($new_account_r['uid']['count']);
}
if (!isset($cn[0])) {
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE) {
$cn[0] = $givenname[0] . $sn[0];
}
else {
$cn[0] = $givenname[0] . " " . $sn[0];
}
$new_account_r['cn'] = $cn;
unset($new_account_r['cn']['count']);
}
$password = $_POST['password']; $password = $_POST['password'];
$new_account_r['password'][0] = $password; $new_account_r['password'][0] = $password;
$account_identifier = $new_account_r[$account_attribute][0]; $account_identifier = $new_account_r[$account_attribute][0];
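Review bot: the fallback guards `if (!isset($uid[0]))` and `if (!isset($cn[0]))` only fire when the variable is entirely absent, so a form that posts an empty `uid` or `cn` field skips generation and `$new_account_r['uid']` goes to `ldap_new_account()` empty, which the server rejects on the naming attribute. Check for an empty value as well, e.g. `if (!isset($uid[0]) or $uid[0] == "")`, and confirm `$givenname[0]` and `$sn[0]` are non-empty before this point since both generated values are built from them. This block is also duplicated verbatim in the account update page; a small helper taking the target array by reference would keep the two in step.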

View File

@ -44,6 +44,7 @@ $attribute_map = $LDAP['default_group_attribute_map'];
if (isset($LDAP['group_additional_attributes'])) { if (isset($LDAP['group_additional_attributes'])) {
$attribute_map = ldap_complete_attribute_array($attribute_map,$LDAP['group_additional_attributes']); $attribute_map = ldap_complete_attribute_array($attribute_map,$LDAP['group_additional_attributes']);
} }
$to_update = array(); $to_update = array();
$this_group = array(); $this_group = array();
@ -145,7 +146,15 @@ if (isset($_POST["update_members"])) {
$group_add = ldap_new_group($ldap_connection,$group_cn,$initial_member,$to_update); $group_add = ldap_new_group($ldap_connection,$group_cn,$initial_member,$to_update);
} }
elseif(count($to_update) > 0) { elseif(count($to_update) > 0) {
if (isset($this_group[0]['objectclass'])) {
$existing_objectclasses = $this_group[0]['objectclass'];
unset($existing_objectclasses['count']);
if ($existing_objectclasses != $LDAP['group_objectclasses']) { $to_update['objectclass'] = $LDAP['group_objectclasses']; }
}
$updated_attr = ldap_update_group_attributes($ldap_connection,$group_cn,$to_update); $updated_attr = ldap_update_group_attributes($ldap_connection,$group_cn,$to_update);
if ($updated_attr) { if ($updated_attr) {
render_alert_banner("The group attributes have been updated."); render_alert_banner("The group attributes have been updated.");
} }
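Review bot: `if ($existing_objectclasses != $LDAP['group_objectclasses']) { $to_update['objectclass'] = $LDAP['group_objectclasses']; }` replaces the entry's whole objectClass list instead of adding the missing classes, and the comparison it rests on is order- and case-sensitive while LDAP objectClass values are neither. Two consequences: groups created by an earlier version with `top,groupOfUniqueNames,posixGroup` compare unequal to the new `top,posixGroup,groupOfUniqueNames` ordering, so every edit issues a needless modify; and any objectClass another tool has added to the group that is not in `LDAP_GROUP_ADDITIONAL_OBJECTCLASSES` is stripped, which the server refuses with an objectClass violation if the entry carries attributes that class provides, surfacing to the admin only as a failed update. Safer: lowercase both lists, compute `array_diff($LDAP['group_objectclasses'], $existing_objectclasses)`, and if it is non-empty send just those values with `ldap_mod_add`, leaving classes the manager does not know about alone.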

View File

@ -111,6 +111,23 @@ if ($ldap_search) {
if (isset($_POST['update_account'])) { if (isset($_POST['update_account'])) {
if (!isset($uid[0])) {
$uid[0] = generate_username($givenname[0],$sn[0]);
$to_update['uid'] = $uid;
unset($to_update['uid']['count']);
}
if (!isset($cn[0])) {
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE) {
$cn[0] = $givenname[0] . $sn[0];
}
else {
$cn[0] = $givenname[0] . " " . $sn[0];
}
$to_update['cn'] = $cn;
unset($to_update['cn']['count']);
}
if (isset($_POST['password']) and $_POST['password'] != "") { if (isset($_POST['password']) and $_POST['password'] != "") {
$password = $_POST['password']; $password = $_POST['password'];
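Review bot: same block as the create-account path and the same gap, `!isset($uid[0])` does not cover an empty submitted value, and on an update an empty `cn` or `uid` reaching `ldap_mod_replace` is rejected by the server rather than regenerated. Also consider whether regenerating `uid` during an update is ever desirable: if `$uid[0]` is unset because the field was hidden by `SIMPLE_INTERFACE` and not populated from the existing entry, the value already in the directory is the right one, and writing a fresh `generate_username()` result (for instance after a surname change) over the account's naming attribute is a rename, which `ldap_mod_replace` cannot perform when that attribute is in the RDN.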
@ -143,6 +160,10 @@ if ($ldap_search) {
} }
} }
$existing_objectclasses = $user[0]['objectclass'];
unset($existing_objectclasses['count']);
if ($existing_objectclasses != $LDAP['account_objectclasses']) { $to_update['objectclass'] = $LDAP['account_objectclasses']; }
$updated_account = @ ldap_mod_replace($ldap_connection, $dn, $to_update); $updated_account = @ ldap_mod_replace($ldap_connection, $dn, $to_update);
if (!$updated_account) { if (!$updated_account) {
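Review bot: the account version has the replace-instead-of-add problem of the group code plus two differences worth fixing. There is no `isset($user[0]['objectclass'])` guard here, unlike the group page, so a search result without that attribute raises a notice and passes `null` into the comparison, which is then always unequal and always rewrites objectClass. And the modify is issued as `@ ldap_mod_replace`, so when the replace is rejected because an existing class would be removed the server diagnostic is suppressed; log `ldap_error($ldap_connection)` in the `if (!$updated_account)` branch so schema violations are diagnosable.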

View File

@ -1,9 +1,10 @@
<?php <?php
$log_prefix = ""; $log_prefix="";
#Fixed #Default attributes and objectclasses
$LDAP['account_attribute'] = (getenv('LDAP_ACCOUNT_ATTRIBUTE') ? getenv('LDAP_ACCOUNT_ATTRIBUTE') : 'uid');
$LDAP['account_objectclasses'] = array( 'person', 'inetOrgPerson', 'posixAccount' ); $LDAP['account_objectclasses'] = array( 'person', 'inetOrgPerson', 'posixAccount' );
$LDAP['default_attribute_map'] = array( "givenname" => array("label" => "First name", "onkeyup" => "update_username(); update_email(); update_cn(); check_email_validity(document.getElementById('mail').value);"), $LDAP['default_attribute_map'] = array( "givenname" => array("label" => "First name", "onkeyup" => "update_username(); update_email(); update_cn(); check_email_validity(document.getElementById('mail').value);"),
"sn" => array("label" => "Last name", "onkeyup" => "update_username(); update_email(); update_cn(); check_email_validity(document.getElementById('mail').value);"), "sn" => array("label" => "Last name", "onkeyup" => "update_username(); update_email(); update_cn(); check_email_validity(document.getElementById('mail').value);"),
@ -12,35 +13,46 @@
"mail" => array("label" => "Email", "onkeyup" => "auto_email_update = false; check_email_validity(document.getElementById('mail').value);") "mail" => array("label" => "Email", "onkeyup" => "auto_email_update = false; check_email_validity(document.getElementById('mail').value);")
); );
$LDAP['group_objectclasses'] = array( 'person', 'inetOrgPerson', 'posixAccount' ); $LDAP['group_attribute'] = (getenv('LDAP_GROUP_ATTRIBUTE') ? getenv('LDAP_GROUP_ATTRIBUTE') : 'cn');
$LDAP['group_objectclasses'] = array( 'top', 'posixGroup' ); #groupOfUniqueNames is added automatically if rfc2307bis is available.
$LDAP['default_group_attribute_map'] = array( "gidnumber" => array("label" => "Group ID number") $LDAP['default_group_attribute_map'] = array( "gidnumber" => array("label" => "Group ID number")
); );
$SIMPLE_INTERFACE = ((strcasecmp(getenv('SIMPLE_INTERFACE'),'TRUE') == 0) ? TRUE : FALSE);
#Mandatory if ($SIMPLE_INTERFACE == TRUE) {
if ($LDAP['account_attribute'] == "uid") {
unset($LDAP['default_attribute_map']['cn']);
}
else {
unset($LDAP['default_attribute_map']['uid']);
}
}
## LDAP server
$LDAP['uri'] = getenv('LDAP_URI'); $LDAP['uri'] = getenv('LDAP_URI');
$LDAP['base_dn'] = getenv('LDAP_BASE_DN'); $LDAP['base_dn'] = getenv('LDAP_BASE_DN');
$LDAP['admins_group'] = getenv('LDAP_ADMINS_GROUP');
$LDAP['admin_bind_dn'] = getenv('LDAP_ADMIN_BIND_DN'); $LDAP['admin_bind_dn'] = getenv('LDAP_ADMIN_BIND_DN');
$LDAP['admin_bind_pwd'] = getenv('LDAP_ADMIN_BIND_PWD'); $LDAP['admin_bind_pwd'] = getenv('LDAP_ADMIN_BIND_PWD');
$LDAP['connection_type'] = "plain"; $LDAP['connection_type'] = "plain";
$LDAP['require_starttls'] = ((strcasecmp(getenv('LDAP_REQUIRE_STARTTLS'),'TRUE') == 0) ? TRUE : FALSE);
$LDAP['ignore_cert_errors'] = ((strcasecmp(getenv('LDAP_IGNORE_CERT_ERRORS'),'TRUE') == 0) ? TRUE : FALSE);
$LDAP['rfc2307bis_check_run'] = FALSE;
#Optional
$SIMPLE_INTERFACE = ((strcasecmp(getenv('SIMPLE_INTERFACE'),'TRUE') == 0) ? TRUE : FALSE); # Various advanced LDAP settings
$LDAP['account_attribute'] = (getenv('LDAP_ACCOUNT_ATTRIBUTE') ? getenv('LDAP_ACCOUNT_ATTRIBUTE') : 'uid'); $LDAP['admins_group'] = getenv('LDAP_ADMINS_GROUP');
$LDAP['group_attribute'] = (getenv('LDAP_GROUP_ATTRIBUTE') ? getenv('LDAP_GROUP_ATTRIBUTE') : 'cn');
$LDAP['group_ou'] = (getenv('LDAP_GROUP_OU') ? getenv('LDAP_GROUP_OU') : 'groups'); $LDAP['group_ou'] = (getenv('LDAP_GROUP_OU') ? getenv('LDAP_GROUP_OU') : 'groups');
$LDAP['user_ou'] = (getenv('LDAP_USER_OU') ? getenv('LDAP_USER_OU') : 'people'); $LDAP['user_ou'] = (getenv('LDAP_USER_OU') ? getenv('LDAP_USER_OU') : 'people');
$LDAP['forced_rfc2307bis'] = ((strcasecmp(getenv('FORCE_RFC2307BIS'),'TRUE') == 0) ? TRUE : FALSE); $LDAP['forced_rfc2307bis'] = ((strcasecmp(getenv('FORCE_RFC2307BIS'),'TRUE') == 0) ? TRUE : FALSE);
if (getenv('LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES')) { $LDAP['account_additional_objectclasses'] = strtolower(getenv('LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES')); } if (getenv('LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES')) { $account_additional_objectclasses = strtolower(getenv('LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES')); }
if (getenv('LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES')) { $LDAP['account_additional_attributes'] = getenv('LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES'); } if (getenv('LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES')) { $LDAP['account_additional_attributes'] = getenv('LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES'); }
if (getenv('LDAP_GROUP_ADDITIONAL_OBJECTCLASSES')) { $LDAP['group_additional_objectclasses'] = getenv('LDAP_GROUP_ADDITIONAL_OBJECTCLASSES'); } if (getenv('LDAP_GROUP_ADDITIONAL_OBJECTCLASSES')) { $group_additional_objectclasses = getenv('LDAP_GROUP_ADDITIONAL_OBJECTCLASSES'); }
if (getenv('LDAP_GROUP_ADDITIONAL_ATTRIBUTES')) { $LDAP['group_additional_attributes'] = getenv('LDAP_GROUP_ADDITIONAL_ATTRIBUTES'); } if (getenv('LDAP_GROUP_ADDITIONAL_ATTRIBUTES')) { $LDAP['group_additional_attributes'] = getenv('LDAP_GROUP_ADDITIONAL_ATTRIBUTES'); }
if (getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE')) { $LDAP['group_membership_attribute'] = getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE'); } if (getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE')) { $LDAP['group_membership_attribute'] = getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE'); }
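Review bot: the account and group additional-objectClass lists are treated differently: `$account_additional_objectclasses = strtolower(getenv('LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES'))` lowercases the account list while the group list is taken verbatim. Pick one convention, and lowercasing is the problematic choice here, because this same commit compares these names as PHP strings against the objectClass values the server returns (which keep the schema's casing, e.g. `ldapPublicKey`), so a lowercased configured value never matches and the entry's objectClass is rewritten on every save. Separately, the new `unset($LDAP['default_attribute_map']['cn'])` / `unset(...['uid'])` branch under `$SIMPLE_INTERFACE` is what makes the `!isset($cn[0])` fallback on the account pages necessary; a comment linking the two would stop a later refactor from breaking the pair.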
@ -49,12 +61,17 @@
if (strtoupper(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID')) == 'FALSE' ) { $LDAP['group_membership_uses_uid'] = FALSE; } if (strtoupper(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID')) == 'FALSE' ) { $LDAP['group_membership_uses_uid'] = FALSE; }
} }
$LDAP['require_starttls'] = ((strcasecmp(getenv('LDAP_REQUIRE_STARTTLS'),'TRUE') == 0) ? TRUE : FALSE); $LDAP['group_dn'] = "ou=${LDAP['group_ou']},${LDAP['base_dn']}";
$LDAP['ignore_cert_errors'] = ((strcasecmp(getenv('LDAP_IGNORE_CERT_ERRORS'),'TRUE') == 0) ? TRUE : FALSE); $LDAP['user_dn'] = "ou=${LDAP['user_ou']},${LDAP['base_dn']}";
$LDAP['rfc2307bis_check_run'] = FALSE;
$DEFAULT_USER_GROUP = (getenv('DEFAULT_USER_GROUP') ? getenv('DEFAULT_USER_GROUP') : 'everybody'); if (isset($account_additional_objectclasses) and $account_additional_objectclasses != "") {
$DEFAULT_USER_SHELL = (getenv('DEFAULT_USER_SHELL') ? getenv('DEFAULT_USER_SHELL') : '/bin/bash'); $LDAP['account_objectclasses'] = array_merge($LDAP['account_objectclasses'], explode(",", $account_additional_objectclasses));
}
if (isset($group_additional_objectclasses) and $group_additional_objectclasses != "") {
$LDAP['group_objectclasses'] = array_merge($LDAP['group_objectclasses'], explode(",", $group_additional_objectclasses));
}
# Interface customisation
$ORGANISATION_NAME = (getenv('ORGANISATION_NAME') ? getenv('ORGANISATION_NAME') : 'LDAP'); $ORGANISATION_NAME = (getenv('ORGANISATION_NAME') ? getenv('ORGANISATION_NAME') : 'LDAP');
$SITE_NAME = (getenv('SITE_NAME') ? getenv('SITE_NAME') : "$ORGANISATION_NAME user manager"); $SITE_NAME = (getenv('SITE_NAME') ? getenv('SITE_NAME') : "$ORGANISATION_NAME user manager");
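Review bot: `explode(",", $account_additional_objectclasses)` and the group equivalent do no trimming or de-duplication, so `LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES="ldappublickey, couriermailaccount"` yields a value with a leading space, and listing a class already in the default set (say `posixAccount`) puts it into the array twice; OpenLDAP rejects an add whose objectClass attribute contains the same value more than once, so account creation fails outright. Trim each element, drop empties, and merge with a case-insensitive uniqueness check before assigning to `$LDAP['account_objectclasses']` and `$LDAP['group_objectclasses']`.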
@ -62,27 +79,28 @@
$SERVER_HOSTNAME = (getenv('SERVER_HOSTNAME') ? getenv('SERVER_HOSTNAME') : "ldapusermanager.org"); $SERVER_HOSTNAME = (getenv('SERVER_HOSTNAME') ? getenv('SERVER_HOSTNAME') : "ldapusermanager.org");
$SERVER_PATH = (getenv('SERVER_PATH') ? getenv('SERVER_PATH') : "/"); $SERVER_PATH = (getenv('SERVER_PATH') ? getenv('SERVER_PATH') : "/");
$ENFORCE_SAFE_SYSTEM_NAMES = ((strcasecmp(getenv('ENFORCE_SAFE_SYSTEM_NAMES'),'FALSE') == 0) ? FALSE : TRUE);
$USERNAME_FORMAT = (getenv('USERNAME_FORMAT') ? getenv('USERNAME_FORMAT') : '{first_name}-{last_name}');
$USERNAME_REGEX = (getenv('USERNAME_REGEX') ? getenv('USERNAME_REGEX') : '^[a-z][a-zA-Z0-9\._-]{3,32}$');
#We'll use the username regex for groups too.
if (getenv('PASSWORD_HASH')) { $PASSWORD_HASH = strtoupper(getenv('PASSWORD_HASH')); }
$ACCEPT_WEAK_PASSWORDS = ((strcasecmp(getenv('ACCEPT_WEAK_PASSWORDS'),'TRUE') == 0) ? TRUE : FALSE);
$SESSION_TIMEOUT = (getenv('SESSION_TIMEOUT') ? getenv('SESSION_TIMEOUT') : 10); $SESSION_TIMEOUT = (getenv('SESSION_TIMEOUT') ? getenv('SESSION_TIMEOUT') : 10);
$LDAP_DEBUG = ((strcasecmp(getenv('LDAP_DEBUG'),'TRUE') == 0) ? TRUE : FALSE); $NO_HTTPS = ((strcasecmp(getenv('NO_HTTPS'),'TRUE') == 0) ? TRUE : FALSE);
$LDAP_VERBOSE_CONNECTION_LOGS = ((strcasecmp(getenv('LDAP_VERBOSE_CONNECTION_LOGS'),'TRUE') == 0) ? TRUE : FALSE);
$SESSION_DEBUG = ((strcasecmp(getenv('SESSION_DEBUG'),'TRUE') == 0) ? TRUE : FALSE); $REMOTE_HTTP_HEADERS_LOGIN = ((strcasecmp(getenv('REMOTE_HTTP_HEADERS_LOGIN'),'TRUE') == 0) ? TRUE : FALSE);
###
$LDAP['group_dn'] = "ou=${LDAP['group_ou']},${LDAP['base_dn']}"; # User account defaults
$LDAP['user_dn'] = "ou=${LDAP['user_ou']},${LDAP['base_dn']}";
### $DEFAULT_USER_GROUP = (getenv('DEFAULT_USER_GROUP') ? getenv('DEFAULT_USER_GROUP') : 'everybody');
$DEFAULT_USER_SHELL = (getenv('DEFAULT_USER_SHELL') ? getenv('DEFAULT_USER_SHELL') : '/bin/bash');
$ENFORCE_SAFE_SYSTEM_NAMES = ((strcasecmp(getenv('ENFORCE_SAFE_SYSTEM_NAMES'),'FALSE') == 0) ? FALSE : TRUE);
$USERNAME_FORMAT = (getenv('USERNAME_FORMAT') ? getenv('USERNAME_FORMAT') : '{first_name}-{last_name}');
$USERNAME_REGEX = (getenv('USERNAME_REGEX') ? getenv('USERNAME_REGEX') : '^[a-z][a-zA-Z0-9\._-]{3,32}$'); #We use the username regex for groups too.
if (getenv('PASSWORD_HASH')) { $PASSWORD_HASH = strtoupper(getenv('PASSWORD_HASH')); }
$ACCEPT_WEAK_PASSWORDS = ((strcasecmp(getenv('ACCEPT_WEAK_PASSWORDS'),'TRUE') == 0) ? TRUE : FALSE);
$min_uid = 2000;
$min_gid = 2000;
# Sending email
$SMTP['host'] = getenv('SMTP_HOSTNAME'); $SMTP['host'] = getenv('SMTP_HOSTNAME');
$SMTP['user'] = (getenv('SMTP_USERNAME') ? getenv('SMTP_USERNAME') : NULL); $SMTP['user'] = (getenv('SMTP_USERNAME') ? getenv('SMTP_USERNAME') : NULL);
@ -92,9 +110,6 @@
$SMTP['tls'] = ((strcasecmp(getenv('SMTP_USE_TLS'),'TRUE') == 0) ? TRUE : FALSE); $SMTP['tls'] = ((strcasecmp(getenv('SMTP_USE_TLS'),'TRUE') == 0) ? TRUE : FALSE);
if ($SMTP['tls'] == TRUE) { $SMTP['ssl'] = FALSE; } if ($SMTP['tls'] == TRUE) { $SMTP['ssl'] = FALSE; }
$SMTP['debug_level'] = getenv('SMTP_LOG_LEVEL');
if (!is_numeric($SMTP['debug_level']) or $SMTP['debug_level'] >4 or $SMTP['debug_level'] <0) { $SMTP['debug_level'] = 0; }
$EMAIL_DOMAIN = (getenv('EMAIL_DOMAIN') ? getenv('EMAIL_DOMAIN') : Null); $EMAIL_DOMAIN = (getenv('EMAIL_DOMAIN') ? getenv('EMAIL_DOMAIN') : Null);
$default_email_from_domain = ($EMAIL_DOMAIN ? $EMAIL_DOMAIN : 'ldapusermanger.org'); $default_email_from_domain = ($EMAIL_DOMAIN ? $EMAIL_DOMAIN : 'ldapusermanger.org');
@ -104,7 +119,7 @@
if ($SMTP['host'] != "") { $EMAIL_SENDING_ENABLED = TRUE; } else { $EMAIL_SENDING_ENABLED = FALSE; } if ($SMTP['host'] != "") { $EMAIL_SENDING_ENABLED = TRUE; } else { $EMAIL_SENDING_ENABLED = FALSE; }
### # Account requests
$ACCOUNT_REQUESTS_ENABLED = ((strcasecmp(getenv('ACCOUNT_REQUESTS_ENABLED'),'TRUE') == 0) ? TRUE : FALSE); $ACCOUNT_REQUESTS_ENABLED = ((strcasecmp(getenv('ACCOUNT_REQUESTS_ENABLED'),'TRUE') == 0) ? TRUE : FALSE);
if (($EMAIL_SENDING_ENABLED == FALSE) && ($ACCOUNT_REQUESTS_ENABLED == TRUE)) { if (($EMAIL_SENDING_ENABLED == FALSE) && ($ACCOUNT_REQUESTS_ENABLED == TRUE)) {
@ -114,17 +129,16 @@
$ACCOUNT_REQUESTS_EMAIL = (getenv('ACCOUNT_REQUESTS_EMAIL') ? getenv('ACCOUNT_REQUESTS_EMAIL') : $EMAIL['from_address']); $ACCOUNT_REQUESTS_EMAIL = (getenv('ACCOUNT_REQUESTS_EMAIL') ? getenv('ACCOUNT_REQUESTS_EMAIL') : $EMAIL['from_address']);
###
$NO_HTTPS = ((strcasecmp(getenv('NO_HTTPS'),'TRUE') == 0) ? TRUE : FALSE); # Debugging
### $LDAP_DEBUG = ((strcasecmp(getenv('LDAP_DEBUG'),'TRUE') == 0) ? TRUE : FALSE);
$LDAP_VERBOSE_CONNECTION_LOGS = ((strcasecmp(getenv('LDAP_VERBOSE_CONNECTION_LOGS'),'TRUE') == 0) ? TRUE : FALSE);
$SESSION_DEBUG = ((strcasecmp(getenv('SESSION_DEBUG'),'TRUE') == 0) ? TRUE : FALSE);
$SMTP['debug_level'] = getenv('SMTP_LOG_LEVEL');
if (!is_numeric($SMTP['debug_level']) or $SMTP['debug_level'] >4 or $SMTP['debug_level'] <0) { $SMTP['debug_level'] = 0; }
### # Sanity checking
$REMOTE_HTTP_HEADERS_LOGIN = ((strcasecmp(getenv('REMOTE_HTTP_HEADERS_LOGIN'),'TRUE') == 0) ? TRUE : FALSE);
###
$errors = ""; $errors = "";
@ -151,8 +165,6 @@
exit(1); exit(1);
} }
#POSIX accounts
$min_uid = 2000;
$min_gid = 2000;
?> ?>

View File

@ -583,13 +583,9 @@ function ldap_new_group($ldap_connection,$group_name,$initial_member="",$extra_a
if ($result['count'] == 0) { if ($result['count'] == 0) {
if ($rfc2307bis_available == FALSE) { $objectclasses = array('top','posixGroup'); } else { $objectclasses = array('top','groupOfUniqueNames','posixGroup'); }
if (isset($LDAP['group_additional_objectclasses']) and $LDAP['group_additional_objectclasses'] != "") {
$objectclasses = array_merge($objectclasses, explode(",", $LDAP['group_additional_objectclasses']));
}
if ($LDAP['group_membership_uses_uid'] == FALSE and $initial_member != "") { $initial_member = "${LDAP['account_attribute']}=$initial_member,${LDAP['user_dn']}"; } if ($LDAP['group_membership_uses_uid'] == FALSE and $initial_member != "") { $initial_member = "${LDAP['account_attribute']}=$initial_member,${LDAP['user_dn']}"; }
$new_group_array=array( 'objectClass' => $objectclasses, $new_group_array=array( 'objectClass' => $LDAP['group_objectclasses'],
'cn' => $new_group, 'cn' => $new_group,
$LDAP['group_membership_attribute'] => $initial_member $LDAP['group_membership_attribute'] => $initial_member
); );
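Review bot: `'objectClass' => $LDAP['group_objectclasses']` makes `ldap_new_group()` depend on `ldap_detect_rfc2307bis()` having already run in this request, because that is now the only place `groupOfUniqueNames` is appended; the removed lines built the list locally from `$rfc2307bis_available`, which at least tied it to the check. If any call path creates a group before detection has run, the group is added without `groupOfUniqueNames` while `group_membership_attribute` may already be `uniquemember`, which the server rejects as an attribute not allowed by the entry's classes. Guard with the existing `$LDAP['rfc2307bis_check_run']` flag at the top of the function and call the detector when it is FALSE.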
@ -727,9 +723,7 @@ function ldap_get_gid_of_group($ldap_connection,$group_name) {
function ldap_complete_attribute_array($default_attributes,$additional_attributes) { function ldap_complete_attribute_array($default_attributes,$additional_attributes) {
global $LDAP; if (isset($additional_attributes)) {
if (is_array($additional_attributes) and count($additional_attributes > 0)) {
$user_attribute_r = explode(",", $additional_attributes); $user_attribute_r = explode(",", $additional_attributes);
$to_merge = array(); $to_merge = array();
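Review bot: the old condition `count($additional_attributes > 0)` counted a boolean and `is_array` on a comma-separated string is always false, so the replacement is an improvement, but `isset($additional_attributes)` on a function parameter is only false when the caller passes null; the callers pass a string, so an empty string now proceeds to `explode` and yields one empty attribute name that only the later regex filters out. Test `$additional_attributes != ""` instead. Also confirm that dropping `global $LDAP;` is safe for the rest of the function body, which lies outside this hunk; if it still reads `$LDAP`, PHP will silently see an undefined local.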
@ -739,6 +733,7 @@ function ldap_complete_attribute_array($default_attributes,$additional_attribute
$this_r = array(); $this_r = array();
$kv = explode(":", $this_attr); $kv = explode(":", $this_attr);
$attr_name = strtolower(filter_var($kv[0], FILTER_SANITIZE_FULL_SPECIAL_CHARS)); $attr_name = strtolower(filter_var($kv[0], FILTER_SANITIZE_FULL_SPECIAL_CHARS));
if (substr($attr_name, -1) == '+') { if (substr($attr_name, -1) == '+') {
$this_r['multiple'] = TRUE; $this_r['multiple'] = TRUE;
$attr_name = rtrim($attr_name, '+'); $attr_name = rtrim($attr_name, '+');
@ -747,6 +742,14 @@ function ldap_complete_attribute_array($default_attributes,$additional_attribute
$this_r['multiple'] = FALSE; $this_r['multiple'] = FALSE;
} }
if (substr($attr_name, -1) == '^') {
$this_r['binary'] = TRUE;
$attr_name = rtrim($attr_name, '^');
}
else {
$this_r['binary'] = FALSE;
}
if (preg_match('/^[a-zA-Z0-9\-]+$/', $attr_name) == 1) { if (preg_match('/^[a-zA-Z0-9\-]+$/', $attr_name) == 1) {
if (isset($kv[1]) and $kv[1] != "") { if (isset($kv[1]) and $kv[1] != "") {
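Review bot: the suffix checks are sequential and order-dependent: `+` is examined and stripped before `^`, so `attr+^` parses as multi-valued and binary, but `attr^+` fails the `+` test, has `^` stripped, and leaves `attr+` to be rejected by `preg_match('/^[a-zA-Z0-9\-]+$/', $attr_name)` with no message, silently dropping the attribute. Either loop over trailing flag characters until none remain or document that `+` must precede `^`. The `binary` flag is also set but not consumed anywhere in this diff, so the `^` syntax has no visible effect yet; a comment marking it as in progress would match the commit message.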
@ -802,9 +805,6 @@ function ldap_new_account($ldap_connection,$account_r) {
unset($account_r['password']); unset($account_r['password']);
$objectclasses = $LDAP['account_objectclasses']; $objectclasses = $LDAP['account_objectclasses'];
if (isset($LDAP['account_additional_objectclasses']) and $LDAP['account_additional_objectclasses'] != "") {
$objectclasses = array_merge($objectclasses, explode(",", $LDAP['account_additional_objectclasses']));
}
$account_attributes = array('objectclass' => $objectclasses, $account_attributes = array('objectclass' => $objectclasses,
'userpassword' => $hashed_pass, 'userpassword' => $hashed_pass,
@ -1071,6 +1071,7 @@ function ldap_detect_rfc2307bis($ldap_connection) {
if ($LDAP['rfc2307bis_available'] == TRUE) { if ($LDAP['rfc2307bis_available'] == TRUE) {
if (!isset($LDAP['group_membership_attribute'])) { $LDAP['group_membership_attribute'] = 'uniquemember'; } if (!isset($LDAP['group_membership_attribute'])) { $LDAP['group_membership_attribute'] = 'uniquemember'; }
if (!isset($LDAP['group_membership_uses_uid'])) { $LDAP['group_membership_uses_uid'] = FALSE; } if (!isset($LDAP['group_membership_uses_uid'])) { $LDAP['group_membership_uses_uid'] = FALSE; }
if (!in_array('groupOfUniqueNames',$LDAP['group_objectclasses'])) { array_push($LDAP['group_objectclasses'], 'groupOfUniqueNames'); }
return TRUE; return TRUE;
} }
else { else {
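Review bot: `in_array('groupOfUniqueNames', $LDAP['group_objectclasses'])` is a case-sensitive match, so an operator who lists `groupofuniquenames` in any other casing in `LDAP_GROUP_ADDITIONAL_OBJECTCLASSES` gets the class pushed a second time and every `ldap_new_group()` add fails with a duplicate objectClass value. Compare against `array_map('strtolower', $LDAP['group_objectclasses'])` before pushing. Note also that `array_push` mutates the global on each detection call, so if `ldap_detect_rfc2307bis()` can run more than once per request this guard is the only thing preventing repeated appends.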