HomeLab/ldap-user-manager
2
0
Fork 0
mirror of https://github.com/wheelybird/ldap-user-manager.git synced 2025-04-04 16:26:06 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity

Compare commits

base: HomeLab:v1.7
Branches Tags
HomeLab:master
HomeLab:next_release
HomeLab:docker_secrets
HomeLab:custom_emails
HomeLab:v1.11
HomeLab:v1.10
HomeLab:v1.9
HomeLab:v.18
HomeLab:v1.7
HomeLab:v1.6
HomeLab:v1.5
HomeLab:v1.4
HomeLab:v1.3
HomeLab:v1.2
HomeLab:v1.1
HomeLab:v1.0
...
compare: HomeLab:master
Branches Tags
HomeLab:master
HomeLab:next_release
HomeLab:docker_secrets
HomeLab:custom_emails
HomeLab:v1.11
HomeLab:v1.10
HomeLab:v1.9
HomeLab:v.18
HomeLab:v1.7
HomeLab:v1.6
HomeLab:v1.5
HomeLab:v1.4
HomeLab:v1.3
HomeLab:v1.2
HomeLab:v1.1
HomeLab:v1.0

32 Commits
v1.7 ... master

Author SHA1 Message Date
smartin77
ce92321285
Custom logo and styles (#68) 
* New user - Remove accents/diacritics from Username and Email while typing

* .gitignore added

* custom logo firts commit

* relative path to image

* relative path adjusted

* bootstrap update to v.4.3.1

* Revert "bootstrap update to v.4.3.1"

This reverts commit 62792e4136dabe357fab8f09defb13388f023bf6.

* modified header inline blocks

* span fix

* hardcoded logo

* hardcoded logo - style fix

* hardcoded logo - style fix #2

* IMG element

* modified IMG

* modified IMG #2

* modified IMG #3

* adding custom styles

* custom styles used

* Update README.md

Website logo and styles customisation

* Update README.md

typo...

---------

Co-authored-by: Martin Švec <martin.svec@slovenskoit.sk>
 2024-05-02 09:16:45 +01:00
Taehyung Lim
41c5ac3626
add smtp helo host (#220) 2024-05-02 09:15:18 +01:00
wheelybird
7d1897b171
Add ability to define which LDAP attribute is used to log in. (#212) 2023-07-20 16:23:52 +01:00
Alexander Borgardt
ce400b3287
README.md: add missing backslash (#198) 2023-04-25 14:38:03 +01:00
Dan Raper
ec4d468dcf
Header styling tweaks (#197) 
* Improve display of username in header

* Change colour to match other text
 2023-04-11 09:41:25 +01:00
Brian Lycett
ccc709e010 Fix deprecated variable interpolations 2023-03-27 10:29:07 +01:00
Boris Rybalkin
40ec4a151c
let user know that first and last name are required in the code (#190) 2023-02-27 13:36:28 +00:00
grissi-r
592869247d
fix string deprecation (#184) 2023-01-10 09:51:18 +00:00
Brian Lycett
bc2570da4c Version bump in README. 2022-11-24 14:24:05 +00:00
Brian Lycett
6b9290340c Updated README 2022-11-24 14:00:56 +00:00
dr-waterstorm
28b2d9673a
Feature/support modern password hashes (#182) 
* Added ARGON2 password hashing

* added missing ldap tag

Co-authored-by: Jens Rauch <jens.rauch@codenic.de>
 2022-11-24 13:58:13 +00:00
Brian Lycett
274fe69bb5 Bump version no in README. 2022-10-10 13:56:41 +01:00
Brian Lycett
318091fc35 Bugfixes including SHOW_POSIX_ATTRIBUTES not working for new accounts. 2022-10-10 13:55:14 +01:00
Shakespeare2000
591ba7629e
Added libldap-common to apt-get (#175) 
Signed-off-by: Shakespeare2000 <Shakespeare2000@users.noreply.github.com>
 2022-07-18 09:47:08 +01:00
Brian Lycett
d79e58346d
Issue 163 (#168) 
* Issue #163 - password reset warnings

* Fix errors showing when accounts don't have an email.  Fix errors when sending an email on password reset.  Prevent PHPMailer trying to use TLS when it's disabled.

Co-authored-by: Brian Lycett <brian.lycett.nonstaff@which.co.uk>
 2022-06-01 13:59:57 +01:00
Brian Lycett
1db9635bf1 Upgrade PHP Mailer as docker build fails trying to download the current version. 2022-04-29 09:16:16 +01:00
Ignacio Larrain
ec4e430112
Explicit float to int conversion (#153) 
Prevent "Implicit conversion from float (number) to int loses precision" errors.
 2022-04-29 09:11:33 +01:00
Brian Lycett
b6e5513d5e Fix issue adding members to a group. 2022-04-28 14:04:23 +01:00
Brian Lycett
57af7c4e9c
Next release (#151) 
* Custom email body (#51)

* get email body from ENV

* read subject from env

* html mail

* replace special string with username and password

* missing ;

* more str_replace

* utf8 in mail

* typo

* docs

* fix var

* count accounts

* fix print

* Add the ability to set the server path.  Get directed to the appropriate module when you log in.

* Fixes to allow overriding attribute labels properly

* Fix server_path in various places, update to cookies use 'samesite', include boostrap and queryjs files so LUM can run without internet access.

* Add support for consuming docker / kubernetes secrets passed as _FILE environment variables (#136)

* mod: condense Dockerfile

* add: _FILE feature
add: list of sensitive env_vars

* mod: sorted env_var list

* add: complete current env_var list

* fix: formatting

* mod: revert Dockerfile to prev. version

* mod: updated comment to be more descriptive
mod: rename variables to be more descriptive

* rem: list of env_var; no longer needed.
mod: env_file_replace function
^ search for all <env_var>_FILE variables and replace
^ <env_var> if the file exists and is not empty
mod: env_file_replace comment

Co-authored-by: pyunramura <jeremy.cummings@live.com>

* Update the README with information on using _FILE

* Change username regex variables

* Named server certs, as suggested by @huzvar

* Update LDAP filter method as suggested by @xgaia

* Feature/http header username (#120)

* Implement Remote Headers Auth

* Hide Logout on Remote Sessions

* Add Explanation for REMOTRE_HTTP_HEADERS_LOGIN settiing

Co-authored-by: Damian Galli <damian.galli@galli.site>

* Updated Readme, fixed random number generation for ARM systems, fixed JS to generate the username

* Fix issues #124 and #126

* Change badges to buttons for list counts

* Don't secretly set displayName

* Add Group Additional (#113)

* Add doku Group additional.

* Read Group additional configuration.

* New group add Additional objectclasses

* Allow for attributes that take multiple values.

* Updated README

* Formatting fixes, fix parsing params from account requests, initial code for the simple interface flag.

* Add attribute fields for groups and allow user-defined attributes to be displayed.  Move alert banner JS to a function.

* Update entries with any missing additional objectclasses when updating entries.  Update README to describe changes. Initial work to allow file uploads for attributes.

* Functionality to upload binary files and display them in the form it's a JPEG.  Added a new page to download existing binary content.

* Bugfixes for compatibility with older osixia/openldap versions.  Change SIMPLE_INTERFACE to SHOW_POSIX_ATTRIBUTES.

* Update version number in README.

Co-authored-by: Monsieur X <xgaia@gmx.com>
Co-authored-by: pyunramura <35285259+pyunramura@users.noreply.github.com>
Co-authored-by: pyunramura <jeremy.cummings@live.com>
Co-authored-by: Damian Galli <da.ga@live.de>
Co-authored-by: Damian Galli <damian.galli@galli.site>
Co-authored-by: huzvar <89766648+huzvar@users.noreply.github.com>
 2022-04-12 15:43:21 +01:00
Brian Lycett
1ae87b6582 Merge branch 'master' of github.com:wheelybird/ldap-user-manager 2022-03-09 14:29:23 +00:00
Gabriel A. Devenyi
71add491b2
Fix typo (#144) 2022-03-09 14:25:03 +00:00
huzvar
9c1a5d0faf
Fix change empty password with accept weak passwords. (#141) 2022-03-03 13:39:42 +00:00
santos-lucas
7af47448a9
Update README.md (#139) 
Just some missing word correction.
 2022-01-24 13:59:02 +00:00
Brian Lycett
228c813e71 Merge branch 'master' of github.com:wheelybird/ldap-user-manager 2021-12-17 09:56:25 +00:00
LordFelius
45f834ff2e
fixed LDAP_GROUP_MEMBERSHIP_USES_UID not working (#133) 
should use string == 'TRUE' instead of == TRUE , as getenv returns a string , which always considered equaling a bool TRUE .
 2021-12-17 09:55:22 +00:00
huzvar
37076f8704
Fix edit user style. (#118) 
Copy from edit group (show_group.php).
 2021-10-06 09:01:53 +01:00
huzvar
6a374c9624
Fix style description change password. (#114) 2021-10-05 15:11:26 +01:00
Brian Lycett
05d04448a1 Merge branch 'master' of github.com:wheelybird/ldap-user-manager 2021-10-05 15:03:30 +01:00
Brian Lycett
4420a78b31 Revert to old cookie code. 2021-10-05 15:03:24 +01:00
huzvar
08a37ee961
Add dynamic Group Attribute. (#119) 
* Add dynamic Group Attribute.

* Update ldap_functions.inc.php

* Update show_group.php

* Update run_checks.php
 2021-10-05 14:55:22 +01:00
Rickiewars
7753eb4a7b
Update web_functions.inc.php (#117) 
Fix for issue #115

Added typecast to int that fixes a fatal error telling that the second argument of rand() expects an int but a float is given on an ARMv7 architecture.
Problem seems to be introduced in PHP v8.
 2021-09-03 10:58:11 +01:00
huzvar
1f4ab9e1f0
Fix url. (#111) 2021-08-31 09:15:08 +01:00
23 changed files with 1660 additions and 893 deletions
Show Stats Expand all files Collapse all files

2
.gitignore vendored Normal file
View File

@ -0,0 +1,2 @@
.idea
ldap-user-manager.iml

8
Dockerfile
View File

@ -2,7 +2,7 @@ FROM php:8-apache
RUN apt-get update && \
apt-get install -y --no-install-recommends \
libldb-dev libldap2-dev \
libldb-dev libldap2-dev libldap-common \
libfreetype6-dev \
libjpeg-dev \
libpng-dev && \
@ -14,7 +14,7 @@ RUN docker-php-ext-configure gd --with-freetype && \
docker-php-ext-configure ldap --with-libdir=$libdir && \
docker-php-ext-install -j$(nproc) ldap
ADD https://github.com/PHPMailer/PHPMailer/archive/v6.2.0.tar.gz /tmp
ADD https://github.com/PHPMailer/PHPMailer/archive/refs/tags/v6.3.0.tar.gz /tmp
RUN a2enmod rewrite ssl && a2dissite 000-default default-ssl
@ -22,10 +22,10 @@ EXPOSE 80
EXPOSE 443
COPY www/ /opt/ldap_user_manager
RUN tar -xzf /tmp/v6.2.0.tar.gz -C /opt && mv /opt/PHPMailer-6.2.0 /opt/PHPMailer
RUN tar -xzf /tmp/v6.3.0.tar.gz -C /opt && mv /opt/PHPMailer-6.3.0 /opt/PHPMailer
COPY entrypoint /usr/local/bin/entrypoint
RUN chmod a+x /usr/local/bin/entrypoint
RUN chmod a+x /usr/local/bin/entrypoint && touch /etc/ldap/ldap.conf
CMD ["apache2-foreground"]
ENTRYPOINT ["/usr/local/bin/entrypoint"]

155
README.md
View File

@ -53,7 +53,7 @@ docker run \
-e "LDAP_ADMIN_BIND_PWD=secret"\
-e "LDAP_IGNORE_CERT_ERRORS=true" \
-e "EMAIL_DOMAIN=ldapusermanager.org" \
wheelybird/ldap-user-manager:v1.7
wheelybird/ldap-user-manager:v1.11
```
Change the variable values to suit your environment. Now go to https://lum.example.com/setup.
@ -66,6 +66,11 @@ Configuration is via environmental variables. Please bear the following in mind
* This tool needs to bind to LDAP as a user that has the permissions to modify everything under the base DN.
* This interface is designed to work with a fresh LDAP server and should only be against existing, populated LDAP directories with caution and at your own risk.
#### Containers: using files/secrets to set configuration variables
When running the user manager as a container you can append `_FILE` to any of the configuration variables and set the value to a filepath. Then when the container starts up it will set the appropriate configuration variable with the contents of the file.
For example, if you're using Docker Swarm and you've set the LDAP bind password as a Docker secret (`echo "myLDAPadminPassword" | docker secret create ldap_admin_bind_pwd -`) then you can set `LDAP_ADMIN_BIND_PWD_FILE=/run/secrets/ldap_admin_bind_pwd`. This will result in `LDAP_ADMIN_BIND_PWD` being set with the contents of `/run/secrets/ldap_admin_bind_pwd`.
### Mandatory:
@ -81,16 +86,24 @@ Configuration is via environmental variables. Please bear the following in mind
### Optional:
#### Organisation settings
#### Web server settings
* `SERVER_HOSTNAME` (default: *ldapusername.org*): The hostname that this interface will be served from.
* `SERVER_PATH` (default: */*): The path to the user manager on the webserver. Useful if running this behind a reverse proxy.
* `ORGANISATION_NAME`: (default: *LDAP*): Your organisation's name.
* `SERVER_PORT` (default: *80 or 80 & 443*): The port the webserver inside the container will listen on. If undefined then the internal webserver will listen on ports 80 and 443 (if `NO_HTTPS` is true it's just 80) and HTTP traffic is redirected to HTTPS. When set this will disable the redirection and the internal webserver will listen for HTTPS traffic on this port (or for HTTP traffic if `NO_HTTPS` is true). This is for use when the container's Docker network mode is set to `host`.
* `SITE_NAME` (default: *{ORGANISATION_NAME} user manager*): Change this to replace the title in the menu, e.g. "My Company Account Management".
* `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption. This is insecure and should only be used for testing. See [HTTPS certificates](#https-certificates)
* `SERVER_KEY_FILENAME`: (default *server.key*): The filename of the HTTPS server key file. See [HTTPS certificates](#https-certificates)
* `SERVER_CERT_FILENAME`: (default *server.crt*): The filename of the HTTPS certficate file. See [HTTPS certificates](#https-certificates)
* `CA_CERT_FILENAME`: (default *ca.crt*): The filename of the HTTPS server key file. See [HTTPS certificates](#https-certificates)
* `SESSION_TIMEOUT` (default: *10 minutes*): How long before an idle session will be timed out.
#### LDAP settings
@ -102,26 +115,32 @@ Configuration is via environmental variables. Please bear the following in mind
* `LDAP_IGNORE_CERT_ERRORS` (default: *FALSE*): If *TRUE* then problems with the certificate presented by the LDAP server will be ignored (for example FQDN mismatches). Use this if your LDAP server is using a self-signed certificate and you don't have a CA certificate for it or you're connecting to a pool of different servers via round-robin DNS.
* `LDAP_TLS_CACERT` (no default): If you need to use a specific CA certificate for TLS connections to the LDAP server (when `LDAP_REQUIRE_STARTTLS` is set) then assign the contents of the CA certificate to this variable. e.g. `-e LDAP_TLS_CACERT="$(</path/to/ca.crt)"` (ensure you're using quotes or you'll get an "invalid reference format: repository name must be lowercase" error.
* `LDAP_TLS_CACERT` (no default): If you need to use a specific CA certificate for TLS connections to the LDAP server (when `LDAP_REQUIRE_STARTTLS` is set) then assign the contents of the CA certificate to this variable. e.g. `-e LDAP_TLS_CACERT="$(</path/to/ca.crt)"` (ensure you're using quotes or you'll get an "invalid reference format: repository name must be lowercase" error). Alternatively you can bind-mount a certificate into the container and use `LDAP_TLS_CACERT_FILE` to specify the path to the file.
#### Advanced LDAP settings
These settings should only be changed if you're trying to make the user manager work with an LDAP directory that's already populated and the defaults don't work.
* `LDAP_ACCOUNT_ATTRIBUTE` (default: *uid*): The account attribute used as the account identifier. See [Account names](#account-names) for more information.
* `LDAP_ACCOUNT_ATTRIBUTE` (default: *uid*): The attribute used as the account identifier. See [Account names](#account-names) for more information.
* `LDAP_GROUP_ATTRIBUTE` (default: *cn*): The attribute used as the group identifier.
* `LDAP_GROUP_MEMBERSHIP_ATTRIBUTE` (default: *memberUID* or *uniqueMember*): The attribute used when adding a user's account to a group. When the `groupOfMembers` objectClass is detected `FORCE_RFC2307BIS` is `TRUE` it defaults to `uniqueMember`, otherwise it'll default to `memberUID`. Explicitly setting this variable will override any default.
* `LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES` (no default): A comma-separated list of additional objectClasses to use when creating an account. See [Extra objectClasses and attributes](#extra-objectclasses-and-attributes) for more information.
* `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` (no default): A comma-separated list of extra attributes to display when creating an account. See [Extra objectClasses and attributes](#extra-objectclasses-and-attributes) for more information.
* `GROUP_ACCOUNT_ADDITIONAL_OBJECTCLASSES` (no default): A comma-separated list of additional objectClasses to use when creating a group. See [Extra objectClasses and attributes](#extra-objectclasses-and-attributes) for more information.
* `GROUP_ACCOUNT_ADDITIONAL_ATTRIBUTES` (no default): A comma-separated list of extra attributes to display when creating a group. See [Extra objectClasses and attributes](#extra-objectclasses-and-attributes) for more information.
* `LDAP_GROUP_MEMBERSHIP_USES_UID` (default: *TRUE* or *FALSE*): If *TRUE* then the entry for a member of a group will be just the username, otherwise it's the member's full DN. When the `groupOfMembers` objectClass is detected or `FORCE_RFC2307BIS` is `TRUE` it defaults to `FALSE`, otherwise it'll default to `TRUE`. Explicitly setting this variable will override the default.
* `FORCE_RFC2307BIS` (default: *FALSE*): Set to *TRUE* if the auto-detection is failing to spot that the RFC2307BIS schema is available. When *FALSE* the user manager will use auto-detection. See [Using the RFC2307BIS schema](#using-the-rfc2307bis-schema) for more information.
#### User account settings
#### User account creation settings
* `DEFAULT_USER_GROUP` (default: *everybody*): The group that new accounts are automatically added to when created. *NOTE*: If this group doesn't exist then a group is created with the same name as the username and the user is added to that group.
@ -134,11 +153,26 @@ These settings should only be changed if you're trying to make the user manager
* `USERNAME_FORMAT` (default: *{first_name}-{last_name}*): The template used to dynamically generate the usernames stored in the `uid` attribute. See [Username format](#username-format).
* `USERNAME_REGEX` (default: *^[a-z][a-zA-Z0-9\._-]{3,32}$*): The regular expression used to ensure account names and group names are safe to use on servers. See [Username format](#username-format).
* `PASSWORD_HASH` (no default): Select which hashing method which will be used to store passwords in LDAP. Options are (in order of precedence) `SHA512CRYPT`, `SHA256CRYPT`, `MD5CRYPT`, `SSHA`, `SHA`, `SMD5`, `MD5`, `CRYPT` & `CLEAR`. If your chosen method isn't available on your system then the strongest available method will be automatically selected - `SSHA` is the strongest method guaranteed to be available. Cleartext passwords should NEVER be used in any situation outside of a test.
* `PASSWORD_HASH` (no default): Select which hashing method which will be used to store passwords in LDAP. Options are (in order of precedence) `SHA512CRYPT`, `SHA256CRYPT`, `MD5CRYPT`, `SSHA`, `SHA`, `SMD5`, `MD5`, `ARGON2`, `CRYPT` & `CLEAR`. If your chosen method isn't available on your system then the strongest available method will be automatically selected - `SSHA` is the strongest method guaranteed to be available. (Note that for `ARGON2` to work your LDAP server will need to have the ARGON2 module enabled. If you don't the passwords will be saved but the user won't be able to authenticate.) Cleartext passwords should NEVER be used in any situation outside of a test.
* `ACCEPT_WEAK_PASSWORDS` (default: *FALSE*): Set this to *TRUE* to prevent a password being rejected for being too weak. The password strength indicators will still gauge the strength of the password. Don't enable this in a production environment.
#### Website appearance and behaviour settings
* `ORGANISATION_NAME`: (default: *LDAP*): Your organisation's name.
* `SITE_NAME` (default: *`ORGANISATION_NAME` user manager*): Change this to replace the title in the menu, e.g. "My Company Account Management".
* `SITE_LOGIN_LDAP_ATTRIBUTE` (default: *`LDAP_ACCOUNT_ATTRIBUTE`*): The LDAP account attribute to use when logging into the user-manager. For example, set this to `mail` to use email addresses to log in. Use this with extreme caution. The value for this attribute needs to be unique for each account; if more than one result is found when searching for an account then you won't be able to log in.
* `SITE_LOGIN_FIELD_LABEL` (default: *Username*): This is the label that appears next to the username field on the login page. If you change `SITE_LOGIN_LDAP_ATTRIBUTE` then you might want to change this. For example, `SITE_LOGIN_FIELD_LABEL="Email address"`.
* `SHOW_POSIX_ATTRIBUTES` (default: *FALSE*): If set to `TRUE` this show extra attributes for **posixAccount** and **posixGroup** in the account and group forms. Leave this set to `FALSE` if you don't use LDAP accounts to log into servers etc., as it makes the interface much simpler. The Posix values are still set in the background using the default values. This setting doesn't hide any Posix attributes set via `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` or `LDAP_GROUP_ADDITIONAL_ATTRIBUTES`.
* `REMOTE_HTTP_HEADERS_LOGIN`(default: *FALSE*) Enables session managment from an external service like Authelia. _This setting will compromise your security if you're not using an Auth-Proxy in front of this application_.
#### Email sending settings
@ -148,20 +182,22 @@ To send emails you'll need to use an existing SMTP server. Email sending will b
* `SMTP_HOST_PORT` (default: *25*): The SMTP port on the SMTP server.
* `SMTP_HELO_HOST` (no default): The hostname to send with the HELO/EHLO command.
* `SMTP_USERNAME` (no default): The username to use when the SMTP server requires authentication.
* `SMTP_PASSWORD` (no default): The password to use when the SMTP server requires authentication.
* `SMTP_USE_TLS` (default: *FALSE*): Set to TRUE if the SMTP server requires TLS to be enabled. Overrides `SMTP_USE_TLS`.
* `SMTP_USE_TLS` (default: *FALSE*): Set to TRUE if the SMTP server requires TLS to be enabled. Overrides `SMTP_USE_SSL`.
* `SMTP_USE_SSL` (default: *FALSE*): Set to TRUE if the SMTP server requires SSL to be enabled. This will be unset if `SMTP_USE_TLS` is `TRUE`.
* `EMAIL_FROM_ADDRESS` (default: *admin@`EMAIL_DOMAIN`*): The FROM email address used when sending out emails. The default domain is taken from `EMAIL_DOMAIN` under **User account settings**.
* `EMAIL_FROM_NAME` (default: *`SITE_NAME`*): The FROM name used when sending out emails. The default name is taken from `SITE_NAME` under **Organisation settings**.
* `MAIL_SUBJECT` (default: *Your $ORGANISATION_NAME account has been created.*): The mail subject for new account emails.
* `MAIL_SUBJECT` (default: *Your `ORGANISATION_NAME` account has been created.*): The mail subject for new account emails.
* `NEW_ACCOUNT_EMAIL_SUBJECT`, `NEW_ACCOUNT_EMAIL_BODY`, `RESET_PASSWORD_EMAIL_SUBJECT` & `RESET_PASSWORD_EMAIL_BODY`: Change the email contents for emails sent to users when you create an account or reset a password. See [Sending emails](#sending_emails) for full details.
@ -169,17 +205,28 @@ To send emails you'll need to use an existing SMTP server. Email sending will b
#### Account request settings
* `ACCOUNT_REQUESTS_ENABLED` (default: *FALSE*): Set to TRUE in order to enable a form that people can fill in to request an account. This will send an email to `ACCOUNT_REQUESTS_EMAIL` with their details and a link to the account creation page where the details will be filled in automatically. You'll need to set up email sending (see **Email sending**, above) for this to work. If this is enabled but email sending isn't then requests will be disabled and an error message sent to the logs.
* `ACCOUNT_REQUESTS_ENABLED` (default: *FALSE*): Set to TRUE in order to enable a form that people can fill in to request an account. This will send an email to `ACCOUNT_REQUESTS_EMAIL` with their details and a link to the account creation page where the details will be filled in automatically. You'll need to set up email sending (see **Email sending**, above) for this to work. If this is enabled but email sending isn't then requests will be disabled and an error message sent to the logs.
* `ACCOUNT_REQUESTS_EMAIL` (default: *{EMAIL_FROM_ADDRESS}*): This is the email address that any requests for a new account are sent to.
**Site security settings**
#### Website security
#### Website customization
* `NO_HTTPS` (default: *FALSE*): If you set this to *TRUE* then the server will run in HTTP mode, without any encryption. This is insecure and should only be used for testing. See [HTTPS certificates](#https-certificates)
* `SESSION_TIMEOUT` (default: *10 minutes*): How long before an idle session will be timed out.
* `$CUSTOM_LOGO` (default: *FALSE*)*: If this is defined with path to image file, then this image will be displayed in header. You need also mount volume with this file.
* `$CUSTOM_STYLES` (default: *FALSE*)*: If this is defined with path to css file, then this style will be used in header. Also helps vith logo positioninig. You need also mount volume with this file.
docker-compose.yml example:
```yaml
ldap-user-manager:
environment:
CUSTOM_LOGO: "../gfx/logo.svg"
CUSTOM_STYLES: "../css/custom.css"
volumes:
- '/opt/openldap/www/gfx:/opt/ldap_user_manager/gfx'
- '/opt/openldap/www/css:/opt/ldap_user_manager/css'
```
#### Debugging settings
@ -190,7 +237,6 @@ To send emails you'll need to use an existing SMTP server. Email sending will b
* `SESSION_DEBUG` (default: *FALSE*): Set to TRUE to increase the logging level for sessions and user authorisation. This will output cookie passkeys to the error log - don't enable this in a production environment.
* `SMTP_LOG_LEVEL` (default: *0*): Set to between 1-4 to get SMTP logging information (0 disables SMTP debugging logs though it will still display errors). See https://github.com/PHPMailer/PHPMailer/wiki/SMTP-Debugging for details of the levels.
***
@ -223,24 +269,30 @@ Other services or software might use the *Common Name* (`cn`) attribute, which i
The account identifier is what uniquely identifies the account, so you can't create multiple accounts where the account identifier is the same.
You should ensure your LDAP clients use the same account identifier attribute when authenticating users.
If you're using LDAP for server accounts then you'll find there are normally constraints on how many cahracters and the type of characters you're allowed to use. The user manager will validate user and group names against `USERNAME_REGEX`. If you don't need to be so strict then you can disable these checks by setting `ENFORCE_SAFE_SYSTEM_NAMES` to `FALSE`.
If you're using LDAP for server accounts then you'll find there are normally constraints on how many characters and the type of characters you're allowed to use. The user manager will validate user and group names against `USERNAME_REGEX`. If you don't need to be so strict then you can disable these checks by setting `ENFORCE_SAFE_SYSTEM_NAMES` to `FALSE`.
***
## HTTPS certificates
When `NO_HTTPS` is set to **FALSE** (the default), the user manager expects to find SSL files at `/opt/ssl/server.key` and `/opt/ssl/server.crt`. These certificates should match `SERVER_HOSTNAME`. If these files aren't found then the startup script will create self-signed certificates based on `SERVER_HOSTNAME`. To use your own key and certificate then you need to bind-mount a directory containing them to `/opt/ssl`. You can also add a certificate chain file (the Apache `SSLCertificateChainFile` option) if needed - name it `chain.pem` and place it in the same directory as `server.key` and `server.crt` .
The user manager runs in HTTPS mode by default and so uses HTTPS certificates. You can pass in your own certificates by bind-mounting a local path to `/opt/ssl` in the container and then specifying the names of the files via `SERVER_KEY_FILENAME`, `SERVER_CERT_FILENAME` and optionally `CA_CERT_FILENAME` (this will set Apache's `SSLCertificateChainFile` directive).
If the certificate and key files don't exist then a self-signed certificate will be created when the container starts.
For example, if your key and certificate files are in `/home/myaccount/ssl` you can bind-mount that folder by adding this line to the docker run example above, just after the last line starting with `-e`:
When using your own certificates, the certificate's common name (or one of the alternative names) need to match the value you set for `SERVER_HOSTNAME`.
For example, if your key and certificate files are in `/home/myaccount/ssl` you can bind-mount that folder by adding these lines to the `docker run` example above (place them above the final line):
```
-e "SERVER_KEY_FILENAME=lum.example.com.key" \
-e "SERVER_CERT_FILENAME=lum.example.com.crt" \
-e "CA_CERT_FILENAME=ca_bundle.pem" \
-v /home/myaccount/ssl:/opt/ssl \
```
If you don't want to use HTTPS certificates then set `NO_HTTPS` to **TRUE** to run in HTTP mode. It's advised that you only do this when testing.
***
## Sending emails
When you create an account you'll have an option to send an email to the person you created the account for. The email will give them their new username, password and a link to the self-service password change utility.
Emails are sent via SMTP, so you'll need to be able to connect to an SMTP server and pass in the settings for that server via environmental variables - see **Email sending** above.
@ -289,23 +341,50 @@ If `EMAIL_DOMAIN` is set then the email address field will be automatically upda
## Extra objectClasses and attributes
If you need to use this user manager with an existing LDAP directory and your account records need additional objectClasses and attributes then you can add them via `LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES` and `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES`.
By default accounts are created with `person`, `inetOrgPerson` and `posixAccount` object classes. Groups are created with `posixGroup` - if [the RFC2307BIS schema](#using-the-rfc2307bis-schema) is available then `groupOfUniqueNames` is automatically added too.
`LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES` is a comma-separated list of objectClasses to add when creating the account record. For example, `LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES=ldappublickey,couriermailaccount`.
If you need to add additional objectClasses and attributes to accounts or groups then you can add them via `LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES`, `LDAP_GROUP_ADDITIONAL_OBJECTCLASSES`, `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` and `LDAP_GROUP_ADDITIONAL_ATTRIBUTES`.
To add extra fields for new attributes you need to pass a comma-separated string of the attributes and optionally the label for the attribute (which will be shown on the user form) and a default value to `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` separated by colons (`:`).
The format for configuring an attribute is: `attribute1:label1,default_value1,attribute2:label2:default_value2`. If you don't supply a label then the form field will be labelled with the attribute name.
An example (for the couriermailaccount objectClass) would be: `mailbox:Mailbox:domain.com,quota:Mail quota:20`
ObjectClasses often have attributes that must have a value, so you should definitely set a default for those attributes.
`LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES` and `LDAP_GROUP_ADDITIONAL_OBJECTCLASSES take a comma-separated list of objectClasses to add. For example, `LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES=ldappublickey,couriermailaccount`.
This is advanced stuff and the user manager doesn't attempt to validate any objectClasses or any attributes, labels or default values you pass in. It's up to you to ensure that your LDAP server has the appropriate schemas and that the labels and values are sane.
`LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` and `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` take a comma-separated list of attributes to be displayed as extra fields for the account or group.
By default these fields will be empty with the field named for the attribute, but you can set the field labels (and optionally the default values) by appending the attribute names with colon-separated values like so: `attribute_name:label:default_value`.
Multiple attributes are separated by commas, so you can define the label and default values for several attributes as follows: `attribute1:label1:default_value1,attribute2:label2:default_value2,attribute3:label3`.
As an example, to set a mailbox name and quota for the `couriermailaccount` schema you can pass these variables to the container:
```
LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES=couriermailaccount
LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES="mailbox:Mailbox:domain.com,quota:Mail quota:20"
```
_Note_: ObjectClasses often have attributes that _must_ have a value, so you should set a default value for these attributes, otherwise if you forget to add a value when filling in the form an error will be thrown on submission.
### Multi-value attributes
If you have an attribute that could have several values, you can add a `+` to end of the attribute name. This will modify the form so you can add or remove extra values for that attribute. For example, if you want to have multiple email aliases when using the _PostfixBookMailAccount_ schema then you can pass these variables to the container:
```
LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES=PostfixBookMailAccount" \
LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES=mailAlias+:Email aliases"
```
### Binary attributes
If you have an attribute that stores the contents of a binary file (for example, a JPEG) then you can add a `^` to the end of the attribute name. This will modify the form so that this attribute has an upload button. If a JPEG has already been uploaded then it will display the image. Otherwise the mime-type is displayed and there's a link for downloading the file. For example, to allow you to set a user's photo:
```
LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES=jpegPhoto^:Photograph"
```
The maximum filesize you can upload is 2MB.
### Caveat
These settings are advanced usage and the user manager doesn't attempt to validate any objectClasses, attributes, labels or default values you pass in. It's up to you to ensure that your LDAP server has the appropriate schemas and that the labels and values are sane.
***
## Using the RFC2307BIS schema
Using the **RFC2307BIS** will allow you to use `memberOf` in LDAP searches which gives you an easy way to check if a user is a member of a group. For example: `(&(objectClass=posixAccount)(memberof=cn=somegroup,ou=groups,dc=ldapusermanager,dc=org))`.
OpenLDAP will use the RFC2307 (NIS) schema by default; you'll need to configure your server to use the **RFC2307BIS** schema when setting up your directory. See [this guide](https://unofficialaciguide.com/2019/07/31/ldap-schemas-for-aci-administrators-rfc2307-vs-rfc2307bis/) for more information regarding RFC2307 vs RFC2307BIS.
@ -332,7 +411,7 @@ docker run \
-e "LDAP_RFC2307BIS_SCHEMA=true" \
-e "LDAP_REMOVE_CONFIG_AFTER_SETUP=true" \
-e "LDAP_TLS_VERIFY_CLIENT=never" \
-p 389:389
-p 389:389 \
--volume /opt/docker/openldap/var_lib_ldap:/var/lib/ldap \
--volume /opt/docker/openldap/etc_ldap_slapd.d:/etc/ldap/slapd.d \
osixia/openldap:latest

57
entrypoint
View File

@ -4,6 +4,17 @@ set -e
ssl_dir="/opt/ssl"
php_dir="/opt/ldap_user_manager"
env_file_replace() {
for env_file in $(env|grep _FILE=); do
read -a env <<< "$(echo "$env_file" | sed 's/\(.*\)_FILE=\(.*\)/\1 \2/')"
if [ -s "${env[1]}" ]; then
echo Setting "${env[0]}" from "${env[1]}"
export "${env[0]}"="$(cat "${env[1]}")"
else echo "${env[1]} does not exist or is empty. Leaving ${env[0]} unset"
fi
done
}
if [ ! "$SERVER_HOSTNAME" ]; then export SERVER_HOSTNAME="ldapusermanager.org"; fi
if [ ! "$SERVER_PATH" ]; then
export SERVER_PATH="/";
@ -17,6 +28,7 @@ fi
if [ "$LDAP_TLS_CACERT" ]; then
echo "$LDAP_TLS_CACERT" >/opt/ca.crt
mkdir -p /etc/ldap
sed -i "s/TLS_CACERT.*/TLS_CACERT \/opt\/ca.crt/" /etc/ldap/ldap.conf
fi
@ -24,7 +36,7 @@ if [ "${NO_HTTPS,,}" == "true" ]; then
cat <<EoHTTPC >/etc/apache2/sites-enabled/lum.conf
<VirtualHost *:80>
<VirtualHost *:${SERVER_PORT:-80}>
ServerName $SERVER_HOSTNAME
DocumentRoot $php_dir
@ -39,20 +51,22 @@ if [ "${NO_HTTPS,,}" == "true" ]; then
EoHTTPC
echo "Listen ${SERVER_PORT:-80}" > /etc/apache2/ports.conf
else
########################
#If there aren't any SSL certs then create a CA and then CA-signed certificate
if [ ! -f "${ssl_dir}/server.key" ] && [ ! -f "${ssl_dir}/server.crt" ]; then
if [ ! -f "${ssl_dir}/${SERVER_CERT_FILENAME:-server.crt}" ] && [ ! -f "${ssl_dir}/${SERVER_KEY_FILENAME:-server.key}" ]; then
mkdir -p $ssl_dir
confout="${ssl_dir}/conf"
keyout="${ssl_dir}/server.key"
certout="${ssl_dir}/server.crt"
cakey="${ssl_dir}/ca.key"
cacert="${ssl_dir}/ca.crt"
serialfile="${ssl_dir}/serial"
cakey="${ssl_dir}/.ca.key"
cacert="${ssl_dir}/.ca.crt"
serialfile="${ssl_dir}/.serial"
echo "Generating CA key"
openssl genrsa -out $cakey 2048
@ -72,7 +86,7 @@ else
echo "Generating openssl configuration"
cat <<EoCertConf>$confout
cat <<EoCertConf >$confout
subjectAltName = DNS:${SERVER_HOSTNAME},IP:127.0.0.1
extendedKeyUsage = serverAuth
EoCertConf
@ -110,9 +124,16 @@ EoCertConf
########################
#Create Apache config
if [ -f "${ssl_dir}/chain.pem" ]; then ssl_chain="SSLCertificateChainFile ${ssl_dir}/chain.pem"; fi
if [ -f "${ssl_dir}/${CA_CERT_FILENAME}" ]; then ssl_chain="SSLCertificateChainFile ${ssl_dir}/${CA_CERT_FILENAME}"; fi
cat <<EoHTTPSC >/etc/apache2/sites-enabled/lum.conf
echo > /etc/apache2/sites-enabled/lum.conf
echo > /etc/apache2/ports.conf
if [ ! "$SERVER_PORT" ]; then
echo "Listen 80" > /etc/apache2/ports.conf
cat <<EoHTTPrd >/etc/apache2/sites-enabled/lum.conf
<VirtualHost *:80>
@ -121,7 +142,15 @@ EoCertConf
</VirtualHost>
<VirtualHost _default_:443>
EoHTTPrd
fi
echo "Listen ${SERVER_PORT:-443}" >> /etc/apache2/ports.conf
cat <<EoHTTPSC >>/etc/apache2/sites-enabled/lum.conf
<VirtualHost _default_:${SERVER_PORT:-443}>
ServerName $SERVER_HOSTNAME
@ -134,8 +163,8 @@ EoCertConf
</Directory>
SSLEngine On
SSLCertificateFile /opt/ssl/server.crt
SSLCertificateKeyFile /opt/ssl/server.key
SSLCertificateFile ${ssl_dir}/${SERVER_CERT_FILENAME:-server.crt}
SSLCertificateKeyFile ${ssl_dir}/${SERVER_KEY_FILENAME:-server.key}
$ssl_chain
</VirtualHost>
@ -143,14 +172,16 @@ EoHTTPSC
fi
cat /etc/apache2/sites-enabled/lum.conf
########################
#If <env_var>_FILE is set, read and export env_var from the referenced file's contents
env_file_replace
########################
#Run Apache
# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
set -- apache2-foreground "$@"
set -- apache2-foreground "$@"
fi
exec "$@"

41
www/account_manager/download.php Normal file
View File

@ -0,0 +1,41 @@
<?php
set_include_path( ".:" . __DIR__ . "/../includes/");
include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
include_once "module_functions.inc.php";
set_page_access("admin");
if (!isset($_GET['resource_identifier']) or !isset($_GET['attribute'])) {
exit(0);
}
else {
$this_resource=ldap_escape($_GET['resource_identifier'], "", LDAP_ESCAPE_FILTER);
$this_attribute=ldap_escape($_GET['attribute'], "", LDAP_ESCAPE_FILTER);
}
$exploded = ldap_explode_dn($this_resource,0);
$filter = $exploded[0];
$ldap_connection = open_ldap_connection();
$ldap_search_query="($filter)";
$ldap_search = ldap_search($ldap_connection, $this_resource, $ldap_search_query,array($this_attribute));
if ($ldap_search) {
$records = ldap_get_entries($ldap_connection, $ldap_search);
if ($records['count'] == 1) {
$this_record = $records[0];
if (isset($this_record[$this_attribute][0])) {
header("Content-Type: application/octet-stream");
header("Cache-Control: no-cache private");
header("Content-Transfer-Encoding: Binary");
header("Content-disposition: attachment; filename='{$this_resource}.{$this_attribute}'");
header("Content-Length: ". strlen($this_record[$this_attribute][0]));
print $this_record[$this_attribute][0];
}
}
}
?>

43
www/account_manager/groups.php
View File

@ -14,37 +14,18 @@ $ldap_connection = open_ldap_connection();
if (isset($_POST['delete_group'])) {
?>
<script>
window.setTimeout(function() {
$(".alert").fadeTo(500, 0).slideUp(500, function(){ $(this).remove(); });
}, 4000);
</script>
<?php
$this_group = $_POST['delete_group'];
$this_group = urldecode($this_group);
$del_group = ldap_delete_group($ldap_connection,$this_group);
if ($del_group) {
?>
<div class="alert alert-success" role="alert">
<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
<p class="text-center">Group <strong><?php print $this_group; ?> was deleted.</p>
</div>
<?php
render_alert_banner("Group <strong>$this_group</strong> was deleted.");
}
else {
?>
<div class="alert alert-danger" role="alert">
<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
<p class="text-center">Group <strong><?php print $this_group; ?></strong> wasn't deleted.</p>
</div>
<?php
render_alert_banner("Group <strong>$this_group</strong> wasn't deleted. See the logs for more information.","danger",15000);
}
}
$groups = ldap_get_group_list($ldap_connection);
@ -70,23 +51,33 @@ render_js_username_check();
<div class="container">
<div class="form-inline" id="new_group_div">
<form action="<?php print "${THIS_MODULE_PATH}"; ?>/show_group.php" method="post">
<form action="<?php print "{$THIS_MODULE_PATH}"; ?>/show_group.php" method="post">
<input type="hidden" name="new_group">
<span class="badge badge-secondary" style="font-size:1.9rem;"><?php print count($groups);?> group<?php if (count($groups) != 1) { print "s"; }?></span> &nbsp; <button id="show_new_group" class="form-control btn btn-default" type="button" onclick="show_new_group_form();">New group</button>
<button type="button" class="btn btn-light"><?php print count($groups);?> group<?php if (count($groups) != 1) { print "s"; }?></button> &nbsp; <button id="show_new_group" class="form-control btn btn-default" type="button" onclick="show_new_group_form();">New group</button>
<input type="text" class="form-control invisible" name="group_name" id="group_name" placeholder="Group name" onkeyup="check_entity_name_validity(document.getElementById('group_name').value,'new_group_div');"><button id="add_group" class="form-control btn btn-primary btn-sm invisible" type="submit">Add</button>
</form>
</div>
<input class="form-control" id="search_input" type="text" placeholder="Search..">
<table class="table table-striped">
<thead>
<tr>
<th>Group name</th>
</tr>
</thead>
<tbody>
<tbody id="grouplist">
<script>
$(document).ready(function(){
$("#search_input").on("keyup", function() {
var value = $(this).val().toLowerCase();
$("#grouplist tr").filter(function() {
$(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
});
});
});
</script>
<?php
foreach ($groups as $group){
print " <tr>\n <td><a href='${THIS_MODULE_PATH}/show_group.php?group_name=" . urlencode($group) . "'>$group</a></td>\n </tr>\n";
print " <tr>\n <td><a href='{$THIS_MODULE_PATH}/show_group.php?group_name=" . urlencode($group) . "'>$group</a></td>\n </tr>\n";
}
?>
</tbody>

70
www/account_manager/index.php
View File

@ -14,46 +14,29 @@ $ldap_connection = open_ldap_connection();
if (isset($_POST['delete_user'])) {
?>
<script>
window.setTimeout(function() {
$(".alert").fadeTo(500, 0).slideUp(500, function(){ $(this).remove(); });
}, 4000);
</script>
<?php
$this_user = $_POST['delete_user'];
$this_user = urldecode($this_user);
$this_user = $_POST['delete_user'];
$this_user = urldecode($this_user);
$del_user = ldap_delete_account($ldap_connection,$this_user);
$del_user = ldap_delete_account($ldap_connection,$this_user);
if ($del_user) {
?>
<div class="alert alert-success" role="alert">
<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
<p class="text-center">User <strong><?php print $this_user; ?> was deleted.</p>
</div>
<?php
}
else {
?>
<div class="alert alert-danger" role="alert">
<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
<p class="text-center">User <strong><?php print $this_user; ?></strong> wasn't deleted.</p>
</div>
<?php
}
if ($del_user) {
render_alert_banner("User <strong>$this_user</strong> was deleted.");
}
else {
render_alert_banner("User <strong>$this_user</strong> wasn't deleted. See the logs for more information.","danger",15000);
}
}
#'
$people = ldap_get_user_list($ldap_connection);
?>
<div class="container">
<form action="<?php print $THIS_MODULE_PATH; ?>/new_user.php" method="post">
<span class="badge badge-secondary" style="font-size:1.9rem;"><?php print count($people);?> account<?php if (count($people) != 1) { print "s"; }?></span> &nbsp; <button id="add_group" class="btn btn-default" type="submit">New user</button>
</form>
<button type="button" class="btn btn-light"><?php print count($people);?> account<?php if (count($people) != 1) { print "s"; }?></button> &nbsp; <button id="add_group" class="btn btn-default" type="submit">New user</button>
</form>
<input class="form-control" id="search_input" type="text" placeholder="Search..">
<table class="table table-striped">
<thead>
<tr>
@ -64,18 +47,29 @@ $people = ldap_get_user_list($ldap_connection);
<th>Member of</th>
</tr>
</thead>
<tbody>
<tbody id="userlist">
<script>
$(document).ready(function(){
$("#search_input").on("keyup", function() {
var value = $(this).val().toLowerCase();
$("#userlist tr").filter(function() {
$(this).toggle($(this).text().toLowerCase().indexOf(value) > -1)
});
});
});
</script>
<?php
foreach ($people as $account_identifier => $attribs){
$group_membership = ldap_user_group_membership($ldap_connection,$account_identifier);
$group_membership = ldap_user_group_membership($ldap_connection,$account_identifier);
if (isset($people[$account_identifier]['mail'])) { $this_mail = $people[$account_identifier]['mail']; } else { $this_mail = ""; }
print " <tr>\n <td><a href='{$THIS_MODULE_PATH}/show_user.php?account_identifier=" . urlencode($account_identifier) . "'>$account_identifier</a></td>\n";
print " <td>" . $people[$account_identifier]['givenname'] . "</td>\n";
print " <td>" . $people[$account_identifier]['sn'] . "</td>\n";
print " <td>$this_mail</td>\n";
print " <td>" . implode(", ", $group_membership) . "</td>\n";
print " </tr>\n";
print " <tr>\n <td><a href='${THIS_MODULE_PATH}/show_user.php?account_identifier=" . urlencode($account_identifier) . "'>$account_identifier</a></td>\n";
print " <td>" . $people[$account_identifier]['givenname'] . "</td>\n";
print " <td>" . $people[$account_identifier]['sn'] . "</td>\n";
print " <td>" . $people[$account_identifier]['mail'] . "</td>\n";
print " <td>" . implode(", ", $group_membership) . "</td>\n";
print " </tr>\n";
}
?>
</tbody>

2
www/account_manager/module_functions.inc.php
View File

@ -24,7 +24,7 @@ function render_submenu() {
else {
print '<li>';
}
print "<a href='${THIS_MODULE_PATH}/{$path}'>" . ucwords($submodule) . "</a></li>\n";
print "<a href='{$THIS_MODULE_PATH}/{$path}'>" . ucwords($submodule) . "</a></li>\n";
}
?>

211
www/account_manager/new_user.php
View File

@ -6,29 +6,35 @@ include_once "web_functions.inc.php";
include_once "ldap_functions.inc.php";
include_once "module_functions.inc.php";
$attribute_map = ldap_complete_account_attribute_array();
$attribute_map = $LDAP['default_attribute_map'];
if (isset($LDAP['account_additional_attributes'])) { $attribute_map = ldap_complete_attribute_array($attribute_map,$LDAP['account_additional_attributes']); }
if (! array_key_exists($LDAP['account_attribute'], $attribute_map)) {
$attribute_r = array_merge($attribute_map, array($LDAP['account_attribute'] => array("label" => "Account UID")));
}
if ( isset($_POST['setup_admin_account']) ) {
$admin_setup = TRUE;
validate_setup_cookie();
set_page_access("setup");
$admin_setup = TRUE;
$completed_action="${SERVER_PATH}/log_in";
$page_title="New administrator account";
validate_setup_cookie();
set_page_access("setup");
render_header("$ORGANISATION_NAME account manager - setup administrator account", FALSE);
$completed_action="{$SERVER_PATH}log_in";
$page_title="New administrator account";
render_header("$ORGANISATION_NAME account manager - setup administrator account", FALSE);
}
else {
set_page_access("admin");
set_page_access("admin");
$completed_action="${THIS_MODULE_PATH}/";
$page_title="New account";
$admin_setup = FALSE;
$completed_action="{$THIS_MODULE_PATH}/";
$page_title="New account";
$admin_setup = FALSE;
render_header("$ORGANISATION_NAME account manager");
render_submenu();
render_header("$ORGANISATION_NAME account manager");
render_submenu();
}
$invalid_password = FALSE;
@ -38,46 +44,77 @@ $weak_password = FALSE;
$invalid_email = FALSE;
$disabled_email_tickbox = TRUE;
$invalid_cn = FALSE;
$invalid_givenname = FALSE;
$invalid_sn = FALSE;
$invalid_account_identifier = FALSE;
$account_attribute = $LDAP['account_attribute'];
$new_account_r = array();
if ($SHOW_POSIX_ATTRIBUTES == TRUE) {
}
foreach ($attribute_map as $attribute => $attr_r) {
if (isset($_POST[$attribute])) {
$$attribute = filter_var($_POST[$attribute], FILTER_SANITIZE_STRING);
}
elseif (isset($attr_r['default'])) {
$$attribute = $attr_r['default'];
}
if (isset($$attribute)) { $new_account_r[$attribute] = $$attribute; }
if (isset($_FILES[$attribute]['size']) and $_FILES[$attribute]['size'] > 0) {
$this_attribute = array();
$this_attribute['count'] = 1;
$this_attribute[0] = file_get_contents($_FILES[$attribute]['tmp_name']);
$$attribute = $this_attribute;
$new_account_r[$attribute] = $this_attribute;
unset($new_account_r[$attribute]['count']);
}
if (isset($_POST[$attribute])) {
$this_attribute = array();
if (is_array($_POST[$attribute]) and count($_POST[$attribute]) > 0) {
foreach($_POST[$attribute] as $key => $value) {
if ($value != "") { $this_attribute[$key] = filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS); }
}
if (count($this_attribute) > 0) {
$this_attribute['count'] = count($this_attribute);
$$attribute = $this_attribute;
}
}
elseif ($_POST[$attribute] != "") {
$this_attribute['count'] = 1;
$this_attribute[0] = filter_var($_POST[$attribute], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
$$attribute = $this_attribute;
}
}
if (!isset($$attribute) and isset($attr_r['default'])) {
$$attribute['count'] = 1;
$$attribute[0] = $attr_r['default'];
}
if (isset($$attribute)) {
$new_account_r[$attribute] = $$attribute;
unset($new_account_r[$attribute]['count']);
}
}
##
if (isset($_GET['account_request'])) {
$givenname=filter_var($_GET['first_name'], FILTER_SANITIZE_STRING);
$new_account_r['givenname'] = $givenname;
$givenname[0]=filter_var($_GET['first_name'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
$new_account_r['givenname'] = $givenname[0];
$sn=filter_var($_GET['last_name'], FILTER_SANITIZE_STRING);
$new_account_r['sn'] = $sn;
$sn[0]=filter_var($_GET['last_name'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
$new_account_r['sn'] = $sn[0];
$uid = generate_username($givenname,$sn);
$new_account_r['uid'] = $uid;
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE) {
$cn = "$givenname$sn";
}
else {
$cn = "$givenname $sn";
}
$new_account_r['cn'] = $cn;
$mail=filter_var($_GET['email'], FILTER_SANITIZE_EMAIL);
if ($mail == "") {
$mail[0]=filter_var($_GET['email'], FILTER_SANITIZE_EMAIL);
if ($mail[0] == "") {
if (isset($EMAIL_DOMAIN)) {
$mail = $uid . "@" . $EMAIL_DOMAIN;
$mail[0] = $uid . "@" . $EMAIL_DOMAIN;
$disabled_email_tickbox = FALSE;
}
}
@ -85,27 +122,58 @@ if (isset($_GET['account_request'])) {
$disabled_email_tickbox = FALSE;
}
$new_account_r['mail'] = $mail;
unset($new_account_r['mail']['count']);
}
if (isset($_GET['account_request']) or isset($_POST['create_account'])) {
if (!isset($uid[0])) {
$uid[0] = generate_username($givenname[0],$sn[0]);
$new_account_r['uid'] = $uid;
unset($new_account_r['uid']['count']);
}
if (!isset($cn[0])) {
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE) {
$cn[0] = $givenname[0] . $sn[0];
}
else {
$cn[0] = $givenname[0] . " " . $sn[0];
}
$new_account_r['cn'] = $cn;
unset($new_account_r['cn']['count']);
}
}
if (isset($_POST['create_account'])) {
$password = $_POST['password'];
$new_account_r['password'] = $password;
$account_identifier = $new_account_r[$LDAP["account_attribute"]];
$new_account_r['password'][0] = $password;
$account_identifier = $new_account_r[$account_attribute][0];
$this_cn=$cn[0];
$this_mail=$mail[0];
$this_givenname=$givenname[0];
$this_sn=$sn[0];
$this_password=$password[0];
if (!isset($cn) or $cn == "") { $invalid_cn = TRUE; }
if (!isset($this_cn) or $this_cn == "") { $invalid_cn = TRUE; }
if ((!isset($account_identifier) or $account_identifier == "") and $invalid_cn != TRUE) { $invalid_account_identifier = TRUE; }
if (!isset($this_givenname) or $this_givenname == "") { $invalid_givenname = TRUE; }
if (!isset($this_sn) or $this_sn == "") { $invalid_sn = TRUE; }
if ((!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) and $ACCEPT_WEAK_PASSWORDS != TRUE) { $weak_password = TRUE; }
if (isset($mail) and !is_valid_email($mail)) { $invalid_email = TRUE; }
if (isset($this_mail) and !is_valid_email($this_mail)) { $invalid_email = TRUE; }
if (preg_match("/\"|'/",$password)) { $invalid_password = TRUE; }
if ($password != $_POST['password_match']) { $mismatched_passwords = TRUE; }
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE and !preg_match("/$POSIX_REGEX/",$account_identifier)) { $invalid_account_identifier = TRUE; }
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE and !preg_match("/$USERNAME_REGEX/",$account_identifier)) { $invalid_account_identifier = TRUE; }
if (isset($_POST['send_email']) and isset($mail) and $EMAIL_SENDING_ENABLED == TRUE) { $send_user_email = TRUE; }
if ( isset($givenname)
and isset($sn)
and isset($password)
if ( isset($this_givenname)
and isset($this_sn)
and isset($this_password)
and !$mismatched_passwords
and !$weak_password
and !$invalid_password
@ -124,13 +192,13 @@ if (isset($_POST['create_account'])) {
include_once "mail_functions.inc.php";
$mail_body = parse_mail_text($new_account_mail_body, $password, $account_identifier, $givenname, $sn);
$mail_subject = parse_mail_text($new_account_mail_subject, $password, $account_identifier, $givenname, $sn);
$mail_body = parse_mail_text($new_account_mail_body, $password, $account_identifier, $this_givenname, $this_sn);
$mail_subject = parse_mail_text($new_account_mail_subject, $password, $account_identifier, $this_givenname, $this_sn);
$sent_email = send_email($mail,"$givenname $sn",$mail_subject,$mail_body);
$sent_email = send_email($this_mail,"$this_givenname $this_sn",$mail_subject,$mail_body);
$creation_message = "The account was created";
if ($sent_email) {
$creation_message .= " and an email sent to $mail.";
$creation_message .= " and an email sent to $this_mail.";
}
else {
$creation_message .= " but unfortunately the email wasn't sent.<br>More information will be available in the logs.";
@ -189,7 +257,9 @@ if (isset($_POST['create_account'])) {
$errors="";
if ($invalid_cn) { $errors.="<li>The Common Name is required</li>\n"; }
if ($invalid_account_identifier) { $errors.="<li>The account identifier (" . $attribute_map[$LDAP['account_attribute']]['label'] . ") is invalid.</li>\n"; }
if ($invalid_givenname) { $errors.="<li>First Name is required</li>\n"; }
if ($invalid_sn) { $errors.="<li>Last Name is required</li>\n"; }
if ($invalid_account_identifier) { $errors.="<li>The account identifier (" . $attribute_map[$account_attribute]['label'] . ") is invalid.</li>\n"; }
if ($weak_password) { $errors.="<li>The password is too weak</li>\n"; }
if ($invalid_password) { $errors.="<li>The password contained invalid characters</li>\n"; }
if ($invalid_email) { $errors.="<li>The email address is invalid</li>\n"; }
@ -212,6 +282,7 @@ render_js_username_check();
render_js_username_generator('givenname','sn','uid','uid_div');
render_js_cn_generator('givenname','sn','cn','cn_div');
render_js_email_generator('uid','mail');
render_js_homedir_generator('uid','homedirectory');
$tabindex=1;
@ -273,37 +344,33 @@ $tabindex=1;
</script>
<?php render_dynamic_field_js(); ?>
<div class="container">
<div class="col-sm-8">
<div class="col-sm-8 col-md-offset-2">
<div class="panel panel-default">
<div class="panel-heading text-center"><?php print $page_title; ?></div>
<div class="panel-body text-center">
<form class="form-horizontal" action="" method="post">
<form class="form-horizontal" action="" enctype="multipart/form-data" method="post">
<?php if ($admin_setup == TRUE) { ?><input type="hidden" name="setup_admin_account" value="true"><?php } ?>
<input type="hidden" name="create_account">
<input type="hidden" id="pass_score" value="0" name="pass_score">
<?php
foreach ($attribute_map as $attribute => $attr_r) {
$label = $attr_r['label'];
if ($attribute == $LDAP['account_attribute']) { $label = "<strong>$label</strong><sup>&ast;</sup>"; }
?>
<div class="form-group" id="<?php print $attribute; ?>_div">
<label for="<?php print $attribute; ?>" class="col-sm-3 control-label"><?php print $label; ?></label>
<div class="col-sm-6">
<input tabindex="<?php print $tabindex; ?>" type="text" class="form-control" id="<?php print $attribute; ?>" name="<?php print $attribute; ?>" value="<?php if (isset($$attribute)) { print $$attribute; } ?>" <?php
if (isset($attr_r['onkeyup'])) { print "onkeyup=\"${attr_r['onkeyup']};\""; } ?>>
</div>
</div>
<?php
$tabindex++;
}
?>
<?php
foreach ($attribute_map as $attribute => $attr_r) {
$label = $attr_r['label'];
if (isset($attr_r['onkeyup'])) { $onkeyup = $attr_r['onkeyup']; } else { $onkeyup = ""; }
if ($attribute == $LDAP['account_attribute']) { $label = "<strong>$label</strong><sup>&ast;</sup>"; }
if (isset($attr_r['required']) and $attr_r['required'] == TRUE) { $label = "<strong>$label</strong><sup>&ast;</sup>"; }
if (isset($$attribute)) { $these_values=$$attribute; } else { $these_values = array(); }
if (isset($attr_r['inputtype'])) { $inputtype = $attr_r['inputtype']; } else { $inputtype = ""; }
render_attribute_fields($attribute,$label,$these_values,"",$onkeyup,$inputtype,$tabindex);
$tabindex++;
}
?>
<div class="form-group" id="password_div">
<label for="password" class="col-sm-3 control-label">Password</label>

431
www/account_manager/show_group.php
View File

@ -12,113 +12,226 @@ render_submenu();
$ldap_connection = open_ldap_connection();
if (!isset($_POST['group_name']) and !isset($_GET['group_name'])) {
?>
<div class="alert alert-danger">
<p class="text-center">The group name is missing.</p>
</div>
<?php
render_footer();
exit(0);
render_footer();
exit(0);
}
else {
$group_cn = (isset($_POST['group_name']) ? $_POST['group_name'] : $_GET['group_name']);
$group_cn = urldecode($group_cn);
$group_cn = (isset($_POST['group_name']) ? $_POST['group_name'] : $_GET['group_name']);
$group_cn = urldecode($group_cn);
}
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE and !preg_match("/$POSIX_REGEX/",$group_cn)) {
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE and !preg_match("/$USERNAME_REGEX/",$group_cn)) {
?>
<div class="alert alert-danger">
<p class="text-center">The group name is invalid.</p>
</div>
<?php
render_footer();
exit(0);
render_footer();
exit(0);
}
######################################################################################
$initialise_group = FALSE;
$new_group = FALSE;
$group_exists = FALSE;
$create_group_message = "Add members to create the new group";
$current_members = array();
$full_dn = $create_group_message;
$has_been = "";
$attribute_map = $LDAP['default_group_attribute_map'];
if (isset($LDAP['group_additional_attributes'])) {
$attribute_map = ldap_complete_attribute_array($attribute_map,$LDAP['group_additional_attributes']);
}
$to_update = array();
$this_group = array();
if (isset($_POST['new_group'])) {
$new_group = TRUE;
$current_members = array();
$full_dn = "Add members to create the new group";
$has_been = "";
}
elseif (isset($_POST['initialise_group'])) {
$new_group = FALSE;
$initialise_group = TRUE;
$current_members = array();
$full_dn = "cn=$group_cn,${LDAP['group_dn']}";
$full_dn = "{$LDAP['group_attribute']}=$group_cn,{$LDAP['group_dn']}";
$has_been = "created";
}
else {
$new_group = FALSE;
$current_members = ldap_get_group_members($ldap_connection,$group_cn);
$full_dn = ldap_get_dn_of_group($ldap_connection,$group_cn);
$has_been = "updated";
$this_group = ldap_get_group_entry($ldap_connection,$group_cn);
if ($this_group) {
$current_members = ldap_get_group_members($ldap_connection,$group_cn);
$full_dn = $this_group[0]['dn'];
$has_been = "updated";
$group_exists = TRUE;
}
else {
$new_group = TRUE;
}
}
foreach ($attribute_map as $attribute => $attr_r) {
if (isset($this_group[0][$attribute]) and $this_group[0][$attribute]['count'] > 0) {
$$attribute = $this_group[0][$attribute];
}
else {
$$attribute = array();
}
if (isset($_FILES[$attribute]['size']) and $_FILES[$attribute]['size'] > 0) {
$this_attribute = array();
$this_attribute['count'] = 1;
$this_attribute[0] = file_get_contents($_FILES[$attribute]['tmp_name']);
$$attribute = $this_attribute;
$to_update[$attribute] = $this_attribute;
unset($to_update[$attribute]['count']);
}
if (isset($_POST[$attribute])) {
$this_attribute = array();
if (is_array($_POST[$attribute])) {
foreach($_POST[$attribute] as $key => $value) {
if ($value != "") { $this_attribute[$key] = filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS); }
}
$this_attribute['count'] = count($this_attribute);
}
elseif ($_POST[$attribute] != "") {
$this_attribute['count'] = 1;
$this_attribute[0] = filter_var($_POST[$attribute], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}
if ($this_attribute != $$attribute) {
$$attribute = $this_attribute;
$to_update[$attribute] = $this_attribute;
unset($to_update[$attribute]['count']);
}
}
if (!isset($$attribute) and isset($attr_r['default'])) {
$$attribute['count'] = 1;
$$attribute[0] = $attr_r['default'];
}
}
if (!isset($gidnumber[0]) or !is_numeric($gidnumber[0])) {
$gidnumber[0]=ldap_get_highest_id($ldap_connection,$type="gid");
$gidnumber['count']=1;
}
######################################################################################
$all_accounts = ldap_get_user_list($ldap_connection);
$all_people = array();
foreach ($all_accounts as $this_person => $attrs) {
array_push($all_people, $this_person);
array_push($all_people, $this_person);
}
$non_members = array_diff($all_people,$current_members);
if (isset($_POST["update_members"])) {
$updated_membership = array();
$updated_membership = array();
foreach ($_POST as $index => $member) {
if (is_numeric($index)) {
array_push($updated_membership,$member);
foreach ($_POST['membership'] as $index => $member) {
if (is_numeric($index)) {
array_push($updated_membership,filter_var($member, FILTER_SANITIZE_FULL_SPECIAL_CHARS));
}
}
}
if ($group_cn == $LDAP['admins_group'] and !array_search($USER_ID, $updated_membership)){
array_push($updated_membership,$USER_ID);
}
if ($group_cn == $LDAP['admins_group'] and !array_search($USER_ID, $updated_membership)){
array_push($updated_membership,$USER_ID);
}
$members_to_del = array_diff($current_members,$updated_membership);
$members_to_add = array_diff($updated_membership,$current_members);
$members_to_del = array_diff($current_members,$updated_membership);
$members_to_add = array_diff($updated_membership,$current_members);
if ($initialise_group == TRUE) {
$initial_member = array_shift($members_to_add);
$group_add = ldap_new_group($ldap_connection,$group_cn,$initial_member);
}
foreach ($members_to_add as $this_member) {
ldap_add_member_to_group($ldap_connection,$group_cn,$this_member);
}
if ($initialise_group == TRUE) {
foreach ($members_to_del as $this_member) {
ldap_delete_member_from_group($ldap_connection,$group_cn,$this_member);
}
$initial_member = array_shift($members_to_add);
$group_add = ldap_new_group($ldap_connection,$group_cn,$initial_member,$to_update);
if (!$group_add) {
render_alert_banner("There was a problem creating the group. See the logs for more information.","danger",10000);
$group_exists = FALSE;
$new_group = TRUE;
}
else {
$group_exists = TRUE;
$new_group = FALSE;
}
$non_members = array_diff($all_people,$updated_membership);
$group_members = $updated_membership;
}
?>
<script>
window.setTimeout(function() {
$(".alert").fadeTo(500, 0).slideUp(500, function(){ $(this).remove(); });
}, 4000);
</script>
<div class="alert alert-success" role="alert">
<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
<p class="text-center">The group has been <?php print $has_been; ?>.</p>
</div>
if ($group_exists == TRUE) {
<?php
if ($initialise_group != TRUE and count($to_update) > 0) {
if (isset($this_group[0]['objectclass'])) {
$existing_objectclasses = $this_group[0]['objectclass'];
unset($existing_objectclasses['count']);
if ($existing_objectclasses != $LDAP['group_objectclasses']) { $to_update['objectclass'] = $LDAP['group_objectclasses']; }
}
$updated_attr = ldap_update_group_attributes($ldap_connection,$group_cn,$to_update);
if ($updated_attr) {
render_alert_banner("The group attributes have been updated.");
}
else {
render_alert_banner("There was a problem updating the group attributes. See the logs for more information.","danger",15000);
}
}
foreach ($members_to_add as $this_member) {
ldap_add_member_to_group($ldap_connection,$group_cn,$this_member);
}
foreach ($members_to_del as $this_member) {
ldap_delete_member_from_group($ldap_connection,$group_cn,$this_member);
}
$non_members = array_diff($all_people,$updated_membership);
$group_members = $updated_membership;
$rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection);
if ($rfc2307bis_available == TRUE and count($group_members) == 0) {
$group_members = ldap_get_group_members($ldap_connection,$group_cn);
$non_members = array_diff($all_people,$group_members);
render_alert_banner("Groups can't be empty, so the final member hasn't been removed. You could try deleting the group","danger",15000);
}
else {
render_alert_banner("The group has been {$has_been}.");
}
}
else {
$group_members = array();
$non_members = $all_people;
}
}
else {
$group_members = $current_members;
$group_members = $current_members;
}
ldap_close($ldap_connection);
@ -146,7 +259,7 @@ ldap_close($ldap_connection);
for (var i = 0; i < member_list.length; ++i) {
var hidden = document.createElement("input");
hidden.type = "hidden";
hidden.name = i;
hidden.name = 'membership[]';
hidden.value = member_list[i]['textContent'];
members_form.appendChild(hidden);
@ -174,7 +287,10 @@ ldap_close($ldap_connection);
$('.list-right ul li.active').removeClass('active');
actives.remove();
}
$("#submit_members").prop("disabled", false);
if ($("#membership_list").length > 0) {
$("#submit_members").prop("disabled", false);
$("#submit_attributes").prop("disabled", false);
}
});
$('.dual-list .selector').click(function () {
var $checkBox = $(this);
@ -225,99 +341,130 @@ ldap_close($ldap_connection);
</style>
<div class="container">
<div class="col-md-12">
<div class="panel-group">
<div class="panel panel-default">
<div class="panel panel-default">
<div class="panel-heading clearfix">
<h3 class="panel-title pull-left" style="padding-top: 7.5px;"><?php print $group_cn; ?><?php if ($group_cn == $LDAP["admins_group"]) { print " <sup>(admin group)</sup>" ; } ?></h3>
<button class="btn btn-warning pull-right" onclick="show_delete_group_button();" <?php if ($group_cn == $LDAP["admins_group"]) { print "disabled"; } ?>>Delete group</button>
<form action="<?php print "${THIS_MODULE_PATH}"; ?>/groups.php" method="post"><input type="hidden" name="delete_group" value="<?php print $group_cn; ?>"><button class="btn btn-danger pull-right invisible" id="delete_group">Confirm deletion</button></form>
</div>
<ul class="list-group">
<li class="list-group-item"><?php print $full_dn; ?></li>
</li>
<div class="panel-body">
<div class="panel-heading clearfix">
<h3 class="panel-title pull-left" style="padding-top: 7.5px;"><?php print $group_cn; ?><?php if ($group_cn == $LDAP["admins_group"]) { print " <sup>(admin group)</sup>" ; } ?></h3>
<button class="btn btn-warning pull-right" onclick="show_delete_group_button();" <?php if ($group_cn == $LDAP["admins_group"]) { print "disabled"; } ?>>Delete group</button>
<form action="<?php print "{$THIS_MODULE_PATH}"; ?>/groups.php" method="post" enctype="multipart/form-data"><input type="hidden" name="delete_group" value="<?php print $group_cn; ?>"><button class="btn btn-danger pull-right invisible" id="delete_group">Confirm deletion</button></form>
</div>
<div class="row">
<ul class="list-group">
<li class="list-group-item"><?php print $full_dn; ?></li>
</li>
<div class="dual-list list-left col-md-5">
<strong>Members</strong>
<div class="well">
<div class="panel-body">
<div class="row">
<div class="col-md-10">
<div class="input-group">
<span class="input-group-addon glyphicon glyphicon-search"></span>
<input type="text" name="SearchDualList" class="form-control" placeholder="search" />
<div class="dual-list list-left col-md-5">
<strong>Members</strong>
<div class="well">
<div class="row">
<div class="col-md-10">
<div class="input-group">
<span class="input-group-addon glyphicon glyphicon-search"></span>
<input type="text" name="SearchDualList" class="form-control" placeholder="search" />
</div>
</div>
<div class="col-md-2">
<div class="btn-group">
<a class="btn btn-default selector" title="select all"><i class="glyphicon glyphicon-unchecked"></i></a>
</div>
</div>
</div>
<ul class="list-group" id="membership_list">
<?php
foreach ($group_members as $member) {
if ($group_cn == $LDAP['admins_group'] and $member == $USER_ID) {
print "<div class='list-group-item' style='opacity: 0.5; pointer-events:none;'>$member</div>\n";
}
else {
print "<li class='list-group-item'>$member</li>\n";
}
}
?>
</ul>
</div>
</div>
</div>
<div class="col-md-2">
<div class="btn-group">
<a class="btn btn-default selector" title="select all"><i class="glyphicon glyphicon-unchecked"></i></a>
<div class="list-arrows col-md-1 text-center">
<button class="btn btn-default btn-sm move-left">
<span class="glyphicon glyphicon-chevron-left"></span>
</button>
<button class="btn btn-default btn-sm move-right">
<span class="glyphicon glyphicon-chevron-right"></span>
</button>
<form id="group_members" action="<?php print $CURRENT_PAGE; ?>" method="post">
<input type="hidden" name="update_members">
<input type="hidden" name="group_name" value="<?php print urlencode($group_cn); ?>">
<?php if ($new_group == TRUE) { ?><input type="hidden" name="initialise_group"><?php } ?>
<button id="submit_members" class="btn btn-info" <?php if (count($group_members)==0) print 'disabled'; ?> type="submit" onclick="update_form_with_users()">Save</button>
</div>
<div class="dual-list list-right col-md-5">
<strong>Available accounts</strong>
<div class="well">
<div class="row">
<div class="col-md-2">
<div class="btn-group">
<a class="btn btn-default selector" title="select all"><i class="glyphicon glyphicon-unchecked"></i></a>
</div>
</div>
<div class="col-md-10">
<div class="input-group">
<input type="text" name="SearchDualList" class="form-control" placeholder="search" />
<span class="input-group-addon glyphicon glyphicon-search"></span>
</div>
</div>
</div>
<ul class="list-group">
<?php
foreach ($non_members as $nonmember) {
print "<li class='list-group-item'>$nonmember</li>\n";
}
?>
</ul>
</div>
</div>
</div>
</div>
<ul class="list-group" id="membership_list">
<?php
foreach ($group_members as $member) {
if ($group_cn == $LDAP['admins_group'] and $member == $USER_ID) {
print "<div class='list-group-item' style='opacity: 0.5; pointer-events:none;'>$member</div>\n";
}
else {
print "<li class='list-group-item'>$member</li>\n";
}
}
?>
</ul>
</div>
</div>
<div class="list-arrows col-md-1 text-center">
<button class="btn btn-default btn-sm move-left">
<span class="glyphicon glyphicon-chevron-left"></span>
</button>
<button class="btn btn-default btn-sm move-right">
<span class="glyphicon glyphicon-chevron-right"></span>
</button>
<form id="group_members" action="<?php print $CURRENT_PAGE; ?>" method="post">
<input type="hidden" name="update_members">
<input type="hidden" name="group_name" value="<?php print urlencode($group_cn); ?>">
<?php if ($new_group == TRUE) { ?><input type="hidden" name="initialise_group"><?php } ?>
</form>
<button id="submit_members" class="btn btn-info" disabled type="submit" onclick="update_form_with_users()">Save</button>
</div>
<div class="dual-list list-right col-md-5">
<strong>Available accounts</strong>
<div class="well">
<div class="row">
<div class="col-md-2">
<div class="btn-group">
<a class="btn btn-default selector" title="select all"><i class="glyphicon glyphicon-unchecked"></i></a>
</div>
</div>
<div class="col-md-10">
<div class="input-group">
<input type="text" name="SearchDualList" class="form-control" placeholder="search" />
<span class="input-group-addon glyphicon glyphicon-search"></span>
</div>
</div>
</div>
<ul class="list-group">
<?php
foreach ($non_members as $nonmember) {
print "<li class='list-group-item'>$nonmember</li>\n";
}
?>
</ul>
</div>
</div>
</div>
</div>
</div>
<?php
render_footer();
?>
if (count($attribute_map) > 0) { ?>
<div class="panel panel-default">
<div class="panel-heading clearfix">
<h3 class="panel-title pull-left" style="padding-top: 7.5px;">Group attributes</h3>
</div>
<div class="panel-body">
<div class="col-md-8">
<?php
$tabindex=1;
foreach ($attribute_map as $attribute => $attr_r) {
$label = $attr_r['label'];
if (isset($$attribute)) { $these_values=$$attribute; } else { $these_values = array(); }
print "<div class='row'>";
$dl_identifider = ($full_dn != $create_group_message) ? $full_dn : "";
if (isset($attr_r['inputtype'])) { $inputtype = $attr_r['inputtype']; } else { $inputtype=""; }
render_attribute_fields($attribute,$label,$these_values,$dl_identifider,"",$inputtype,$tabindex);
print "</div>";
$tabindex++;
}
?>
<div class="row">
<div class="col-md-4 col-md-offset-3">
<div class="form-group">
<button id="submit_attributes" class="btn btn-info" <?php if (count($group_members)==0) print 'disabled'; ?> type="submit" tabindex="<?php print $tabindex; ?>" onclick="update_form_with_users()">Save</button>
</div>
</div>
</div>
</div>
</div>
</div>
<?php } ?>
</form>
</div>
</div>
</div>
<?php render_footer(); ?>

277
www/account_manager/show_user.php
View File

@ -18,13 +18,13 @@ $to_update = array();
if ($SMTP['host'] != "") { $can_send_email = TRUE; } else { $can_send_email = FALSE; }
$LDAP['default_attribute_map']["uidnumber"] = array("label" => "UID");
$LDAP['default_attribute_map']["gidnumber"] = array("label" => "GID");
$LDAP['default_attribute_map']["loginshell"] = array("label" => "Login shell");
$LDAP['default_attribute_map']["homedirectory"] = array("label" => "Home directory");
$LDAP['default_attribute_map']["mail"] = array("label" => "Email", "onkeyup" => "check_if_we_should_enable_sending_email();");
$attribute_map = ldap_complete_account_attribute_array();
$attribute_map = $LDAP['default_attribute_map'];
if (isset($LDAP['account_additional_attributes'])) { $attribute_map = ldap_complete_attribute_array($attribute_map,$LDAP['account_additional_attributes']); }
if (! array_key_exists($LDAP['account_attribute'], $attribute_map)) {
$attribute_r = array_merge($attribute_map, array($LDAP['account_attribute'] => array("label" => "Account UID")));
}
if (!isset($_POST['account_identifier']) and !isset($_GET['account_identifier'])) {
?>
@ -41,33 +41,101 @@ else {
}
$ldap_connection = open_ldap_connection();
$ldap_search_query="(${LDAP['account_attribute']}=". ldap_escape($account_identifier, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search_query="({$LDAP['account_attribute']}=". ldap_escape($account_identifier, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = ldap_search( $ldap_connection, $LDAP['user_dn'], $ldap_search_query);
#########################
if ($ldap_search) {
$user = ldap_get_entries($ldap_connection, $ldap_search);
foreach ($attribute_map as $attribute => $attr_r) {
if ($user["count"] > 0) {
$$attribute = $user[0][$attribute][0];
foreach ($attribute_map as $attribute => $attr_r) {
if (isset($_POST['update_account']) and isset($_POST[$attribute]) and $_POST[$attribute] != $$attribute) {
$$attribute = filter_var($_POST[$attribute], FILTER_SANITIZE_STRING);
$to_update[$attribute] = $$attribute;
}
elseif (isset($attr_r['default'])) {
$$attribute = $attr_r['default'];
}
if (isset($user[0][$attribute]) and $user[0][$attribute]['count'] > 0) {
$$attribute = $user[0][$attribute];
}
else {
$$attribute = array();
}
if (isset($_FILES[$attribute]['size']) and $_FILES[$attribute]['size'] > 0) {
$this_attribute = array();
$this_attribute['count'] = 1;
$this_attribute[0] = file_get_contents($_FILES[$attribute]['tmp_name']);
$$attribute = $this_attribute;
$to_update[$attribute] = $this_attribute;
unset($to_update[$attribute]['count']);
}
if (isset($_POST['update_account']) and isset($_POST[$attribute])) {
$this_attribute = array();
if (is_array($_POST[$attribute])) {
foreach($_POST[$attribute] as $key => $value) {
if ($value != "") { $this_attribute[$key] = filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS); }
}
$this_attribute['count'] = count($this_attribute);
}
elseif ($_POST[$attribute] != "") {
$this_attribute['count'] = 1;
$this_attribute[0] = filter_var($_POST[$attribute], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}
if ($this_attribute != $$attribute) {
$$attribute = $this_attribute;
$to_update[$attribute] = $this_attribute;
unset($to_update[$attribute]['count']);
}
}
if (!isset($$attribute) and isset($attr_r['default'])) {
$$attribute['count'] = 1;
$$attribute[0] = $attr_r['default'];
}
}
$dn = $user[0]['dn'];
}
$dn = $user[0]['dn'];
else {
?>
<div class="alert alert-danger">
<p class="text-center">This account doesn't exist.</p>
</div>
<?php
render_footer();
exit(0);
}
### Update values
if (isset($_POST['update_account'])) {
if (!isset($uid[0])) {
$uid[0] = generate_username($givenname[0],$sn[0]);
$to_update['uid'] = $uid;
unset($to_update['uid']['count']);
}
if (!isset($cn[0])) {
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE) {
$cn[0] = $givenname[0] . $sn[0];
}
else {
$cn[0] = $givenname[0] . " " . $sn[0];
}
$to_update['cn'] = $cn;
unset($to_update['cn']['count']);
}
if (isset($_POST['password']) and $_POST['password'] != "") {
$password = $_POST['password'];
@ -81,27 +149,34 @@ if ($ldap_search) {
and !$weak_password
and !$invalid_password
) {
$to_update['userpassword'] = ldap_hashed_password($password);
$to_update['userpassword'][0] = ldap_hashed_password($password);
}
}
if (array_key_exists($LDAP['account_attribute'], $to_update)) {
$new_rdn = "${LDAP['account_attribute']}=${to_update[$LDAP['account_attribute']]}";
$account_attribute = $LDAP['account_attribute'];
$new_account_identifier = $to_update[$account_attribute][0];
$new_rdn = "{$account_attribute}={$new_account_identifier}";
$renamed_entry = ldap_rename($ldap_connection, $dn, $new_rdn, $LDAP['user_dn'], true);
if ($renamed_entry) {
$dn = "${new_rdn},${LDAP['user_dn']}";
$account_identifier = $to_update[$LDAP['account_attribute']];
$dn = "{$new_rdn},{$LDAP['user_dn']}";
$account_identifier = $new_account_identifier;
}
else {
ldap_get_option($ldap_connection, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detailed_err);
error_log("$log_prefix Failed to rename the DN for ${account_identifier}: " . ldap_error($ldap_connection) . " -- " . $detailed_err,0);
error_log("$log_prefix Failed to rename the DN for {$account_identifier}: " . ldap_error($ldap_connection) . " -- " . $detailed_err,0);
}
}
$existing_objectclasses = $user[0]['objectclass'];
unset($existing_objectclasses['count']);
if ($existing_objectclasses != $LDAP['account_objectclasses']) { $to_update['objectclass'] = $LDAP['account_objectclasses']; }
$updated_account = @ ldap_mod_replace($ldap_connection, $dn, $to_update);
if (!$updated_account) {
ldap_get_option($ldap_connection, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detailed_err);
error_log("$log_prefix Failed to modify account details for ${account_identifier}: " . ldap_error($ldap_connection) . " -- " . $detailed_err,0);
error_log("$log_prefix Failed to modify account details for {$account_identifier}: " . ldap_error($ldap_connection) . " -- " . $detailed_err,0);
}
$sent_email_message="";
@ -109,12 +184,12 @@ if ($ldap_search) {
include_once "mail_functions.inc.php";
$mail_body = parse_mail_text($new_account_mail_body, $password, $account_identifier, $givenname, $sn);
$mail_subject = parse_mail_text($new_account_mail_subject, $password, $account_identifier, $givenname, $sn);
$mail_body = parse_mail_text($new_account_mail_body, $password, $account_identifier, $givenname[0], $sn[0]);
$mail_subject = parse_mail_text($new_account_mail_subject, $password, $account_identifier, $givenname[0], $sn[0]);
$sent_email = send_email($mail,"$givenname $sn",$mail_subject,$mail_body);
$sent_email = send_email($mail[0],"{$givenname[0]} {$sn[0]}",$mail_subject,$mail_body);
if ($sent_email) {
$sent_email_message .= " An email sent to $mail.";
$sent_email_message .= " An email sent to {$mail[0]}.";
}
else {
$sent_email_message .= " Unfortunately the email wasn't sent; check the logs for more information.";
@ -122,30 +197,10 @@ if ($ldap_search) {
}
if ($updated_account) {
?>
<script>
window.setTimeout(function() {
$(".alert").fadeTo(500, 0).slideUp(500, function(){ $(this).remove(); });
}, 4000);
</script>
<div class="alert alert-success" role="alert">
<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
<p class="text-center">The account has been updated.<?php print $sent_email_message; ?></p>
</div>
<?php
render_alert_banner("The account has been updated. $sent_email_message");
}
else {
?>
<script>
window.setTimeout(function() {
$(".alert").fadeTo(500, 0).slideUp(500, function(){ $(this).remove(); });
}, 4000);
</script>
<div class="alert alert-danger" role="alert">
<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
<p class="text-center">There was a problem updating the account. Check the logs for more information.</p>
</div>
<?php
render_alert_banner("There was a problem updating the account. Check the logs for more information.","danger",15000);
}
}
@ -206,19 +261,7 @@ if ($ldap_search) {
$not_member_of = array_diff($all_groups,$updated_group_membership);
$member_of = $updated_group_membership;
?>
<script>
window.setTimeout(function() {
$(".alert").fadeTo(500, 0).slideUp(500, function(){ $(this).remove(); });
}, 4000);
</script>
<div class="alert alert-success" role="alert">
<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
<p class="text-center">The group membership has been updated.</p>
</div>
<?php
render_alert_banner("The group membership has been updated.");
}
else {
@ -367,6 +410,32 @@ if ($ldap_search) {
</script>
<?php render_dynamic_field_js(); ?>
<style type='text/css'>
.dual-list .list-group {
margin-top: 8px;
}
.list-left li, .list-right li {
cursor: pointer;
}
.list-arrows {
padding-top: 100px;
}
.list-arrows button {
margin-bottom: 20px;
}
.right_button {
width: 200px;
float: right;
}
</style>
<div class="container">
<div class="col-sm-8 col-md-offset-2">
@ -374,67 +443,59 @@ if ($ldap_search) {
<div class="panel-heading clearfix">
<span class="panel-title pull-left"><h3><?php print $account_identifier; ?></h3></span>
<button class="btn btn-warning pull-right align-self-end" style="margin-top: auto;" onclick="show_delete_user_button();" <?php if ($account_identifier == $USER_ID) { print "disabled"; }?>>Delete account</button>
<form action="<?php print "${THIS_MODULE_PATH}"; ?>/index.php" method="post"><input type="hidden" name="delete_user" value="<?php print urlencode($account_identifier); ?>"><button class="btn btn-danger pull-right invisible" id="delete_user">Confirm deletion</button></form>
<form action="<?php print "{$THIS_MODULE_PATH}"; ?>/index.php" method="post"><input type="hidden" name="delete_user" value="<?php print urlencode($account_identifier); ?>"><button class="btn btn-danger pull-right invisible" id="delete_user">Confirm deletion</button></form>
</div>
<ul class="list-group">
<li class="list-group-item"><?php print $dn; ?></li>
</li>
<div class="panel-body">
<form class="form-horizontal" action="" method="post">
<form class="form-horizontal" action="" enctype="multipart/form-data" method="post">
<input type="hidden" name="update_account">
<input type="hidden" id="pass_score" value="0" name="pass_score">
<input type="hidden" name="account_identifier" value="<?php print $account_identifier; ?>">
<?php
foreach ($attribute_map as $attribute => $attr_r) {
$label = $attr_r['label'];
if (isset($attr_r['onkeyup'])) { $onkeyup = $attr_r['onkeyup']; } else { $onkeyup = ""; }
if (isset($attr_r['inputtype'])) { $inputtype = $attr_r['inputtype']; } else { $inputtype = ""; }
if ($attribute == $LDAP['account_attribute']) { $label = "<strong>$label</strong><sup>&ast;</sup>"; }
if (isset($$attribute)) { $these_values=$$attribute; } else { $these_values = array(); }
render_attribute_fields($attribute,$label,$these_values,$dn,$onkeyup,$inputtype);
}
?>
<?php
foreach ($attribute_map as $attribute => $attr_r) {
$label = $attr_r['label'];
if (isset($attr_r['onkeyup'])) { $onkeyup = $attr_r['onkeyup']; } else { $onkeyup = ""; }
if ($attribute == $LDAP['account_attribute']) { $label = "<strong>$label</strong><sup>&ast;</sup>"; }
?>
<div class="form-group" id="<?php print $attribute; ?>_div">
<label for="<?php print $attribute; ?>" class="col-sm-3 control-label"><?php print $label; ?></label>
<div class="col-sm-6">
<input type="text" class="form-control" id="<?php print $attribute; ?>" name="<?php print $attribute; ?>" value="<?php if (isset($$attribute)) { print $$attribute; } ?>" <?php
if (isset($onkeyup)) { print "onkeyup=\"$onkeyup;\""; } ?>>
</div>
</div>
<?php
}
?>
<div class="form-group" id="password_div">
<label for="password" class="col-sm-3 control-label">Password</label>
<div class="col-sm-6">
<input type="password" class="form-control" id="password" name="password" onkeyup="back_to_hidden('password','confirm'); check_if_we_should_enable_sending_email();">
</div>
<div class="col-sm-1">
<input type="button" class="btn btn-sm" id="password_generator" onclick="random_password(); check_if_we_should_enable_sending_email();" value="Generate password">
</div>
</div>
<div class="form-group" id="confirm_div">
<label for="confirm" class="col-sm-3 control-label">Confirm</label>
<div class="col-sm-6">
<input type="password" class="form-control" id="confirm" name="password_match" onkeyup="check_passwords_match()">
</div>
</div>
<?php if ($can_send_email == TRUE) { ?>
<div class="form-group" id="send_email_div">
<label for="send_email" class="col-sm-3 control-label"> </label>
<div class="form-group" id="password_div">
<label for="password" class="col-sm-3 control-label">Password</label>
<div class="col-sm-6">
<input type="checkbox" class="form-check-input" id="send_email_checkbox" name="send_email" disabled> Email the updated credentials to the user?
<input type="password" class="form-control" id="password" name="password" onkeyup="back_to_hidden('password','confirm'); check_if_we_should_enable_sending_email();">
</div>
<div class="col-sm-1">
<input type="button" class="btn btn-sm" id="password_generator" onclick="random_password(); check_if_we_should_enable_sending_email();" value="Generate password">
</div>
</div>
<div class="form-group" id="confirm_div">
<label for="confirm" class="col-sm-3 control-label">Confirm</label>
<div class="col-sm-6">
<input type="password" class="form-control" id="confirm" name="password_match" onkeyup="check_passwords_match()">
</div>
</div>
<?php if ($can_send_email == TRUE) { ?>
<div class="form-group" id="send_email_div">
<label for="send_email" class="col-sm-3 control-label"> </label>
<div class="col-sm-6">
<input type="checkbox" class="form-check-input" id="send_email_checkbox" name="send_email" disabled> Email the updated credentials to the user?
</div>
</div>
<?php } ?>
<div class="form-group">
<p align='center'><button type="submit" class="btn btn-default">Update account details</button></p>
</div>
<div class="form-group">
<p align='center'><button type="submit" class="btn btn-default">Update account details</button></p>
</div>
</form>
@ -481,7 +542,7 @@ if ($ldap_search) {
<?php
foreach ($member_of as $group) {
if ($group == $LDAP["admins_group"] and $USER_ID == $account_identifier) {
print "<div class='list-group-item' style='opacity: 0.5; pointer-events:none;'>${group}</div>\n";
print "<div class='list-group-item' style='opacity: 0.5; pointer-events:none;'>{$group}</div>\n";
}
else {
print "<li class='list-group-item'>$group</li>\n";
@ -499,7 +560,7 @@ if ($ldap_search) {
<button class="btn btn-default btn-sm move-right">
<span class="glyphicon glyphicon-chevron-right"></span>
</button>
<form id="update_with_groups" action="<?php print $CURRENT_PAGE; ?>" method="post">
<form id="update_with_groups" action="<?php print $CURRENT_PAGE ?>" method="post">
<input type="hidden" name="update_member_of">
<input type="hidden" name="account_identifier" value="<?php print $account_identifier; ?>">
</form>

29
www/change_password/index.php
View File

@ -9,6 +9,7 @@ set_page_access("user");
if (isset($_POST['change_password'])) {
if (!$_POST['password']) { $not_strong_enough = 1; }
if ((!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) and $ACCEPT_WEAK_PASSWORDS != TRUE) { $not_strong_enough = 1; }
if (preg_match("/\"|'/",$_POST['password'])) { $invalid_chars = 1; }
if ($_POST['password'] != $_POST['password_match']) { $mismatched = 1; }
@ -20,8 +21,15 @@ if (isset($_POST['change_password'])) {
render_header("$ORGANISATION_NAME account manager - password changed");
?>
<div class="alert alert-success">
<p class="text-center">Your password has been changed.</p>
<div class="container">
<div class="col-sm-6 col-sm-offset-3">
<div class="panel panel-success">
<div class="panel-heading">Success</div>
<div class="panel-body">
Your password has been updated.
</div>
</div>
</div>
</div>
<?php
render_footer();
@ -57,19 +65,16 @@ if (isset($mismatched)) { ?>
<script type="text/javascript">$(document).ready(function(){ $("#StrengthProgressBar").zxcvbnProgressBar({ passwordInput: "#password" });});</script>
<div class="container">
<div class="col-sm-6">
<div class="panel panel-default">
<p>Use this form to change your <?php print $ORGANISATION_NAME; ?> password. When you start typing your new password the gauge at the bottom will show its security strength.
Enter your password again in the <b>confirm</b> field. If the passwords don't match then both fields will be bordered with red.</p>
</div>
</div>
</div>
<div class="container">
<div class="col-sm-6">
<div class="col-sm-6 col-sm-offset-3">
<div class="panel panel-default">
<div class="panel-heading text-center">Change your password</div>
<ul class="list-group">
<li class="list-group-item">Use this form to change your <?php print $ORGANISATION_NAME; ?> password. When you start typing your new password the gauge at the bottom will show its security strength.
Enter your password again in the <b>confirm</b> field. If the passwords don't match then both fields will be bordered with red.</li>
</ul>
<div class="panel-body text-center">
<form class="form-horizontal" action='' method='post'>

177
www/includes/config.inc.php
View File

@ -1,89 +1,144 @@
<?php
$log_prefix = "";
$log_prefix="";
#Fixed
# User account defaults
$DEFAULT_USER_GROUP = (getenv('DEFAULT_USER_GROUP') ? getenv('DEFAULT_USER_GROUP') : 'everybody');
$DEFAULT_USER_SHELL = (getenv('DEFAULT_USER_SHELL') ? getenv('DEFAULT_USER_SHELL') : '/bin/bash');
$ENFORCE_SAFE_SYSTEM_NAMES = ((strcasecmp(getenv('ENFORCE_SAFE_SYSTEM_NAMES'),'FALSE') == 0) ? FALSE : TRUE);
$USERNAME_FORMAT = (getenv('USERNAME_FORMAT') ? getenv('USERNAME_FORMAT') : '{first_name}-{last_name}');
$USERNAME_REGEX = (getenv('USERNAME_REGEX') ? getenv('USERNAME_REGEX') : '^[a-z][a-zA-Z0-9\._-]{3,32}$'); #We use the username regex for groups too.
if (getenv('PASSWORD_HASH')) { $PASSWORD_HASH = strtoupper(getenv('PASSWORD_HASH')); }
$ACCEPT_WEAK_PASSWORDS = ((strcasecmp(getenv('ACCEPT_WEAK_PASSWORDS'),'TRUE') == 0) ? TRUE : FALSE);
$min_uid = 2000;
$min_gid = 2000;
#Default attributes and objectclasses
$LDAP['account_attribute'] = (getenv('LDAP_ACCOUNT_ATTRIBUTE') ? getenv('LDAP_ACCOUNT_ATTRIBUTE') : 'uid');
$LDAP['account_objectclasses'] = array( 'person', 'inetOrgPerson', 'posixAccount' );
$LDAP['default_attribute_map'] = array( "givenname" => array("label" => "First name", "onkeyup" => "update_username(); update_email(); update_cn(); check_email_validity(document.getElementById('mail').value)"),
"sn" => array("label" => "Last name", "onkeyup" => "update_username(); update_email(); update_cn(); check_email_validity(document.getElementById('mail').value)"),
"uid" => array("label" => "System username", "onkeyup" => "check_entity_name_validity(document.getElementById('uid').value,'uid_div'); update_email(); check_email_validity(document.getElementById('mail').value)"),
"cn" => array("label" => "Common Name", "onkeyup" => "auto_cn_update = false;"),
"mail" => array("label" => "Email", "onkeyup" => "auto_email_update = false; check_email_validity(document.getElementById('mail').value)")
);
$LDAP['default_attribute_map'] = array(
"givenname" => array(
"label" => "First name",
"onkeyup" => "update_username(); update_email(); update_cn(); update_homedir(); check_email_validity(document.getElementById('mail').value);",
"required" => TRUE,
),
"sn" => array(
"label" => "Last name",
"onkeyup" => "update_username(); update_email(); update_cn(); update_homedir(); check_email_validity(document.getElementById('mail').value);",
"required" => TRUE,
),
"uid" => array(
"label" => "System username",
"onkeyup" => "check_entity_name_validity(document.getElementById('uid').value,'uid_div'); update_email(); update_homedir(); check_email_validity(document.getElementById('mail').value);",
),
"cn" => array(
"label" => "Common name",
"onkeyup" => "auto_cn_update = false;",
),
"mail" => array(
"label" => "Email",
"onkeyup" => "auto_email_update = false; check_email_validity(document.getElementById('mail').value);",
)
);
#Mandatory
$LDAP['group_attribute'] = (getenv('LDAP_GROUP_ATTRIBUTE') ? getenv('LDAP_GROUP_ATTRIBUTE') : 'cn');
$LDAP['group_objectclasses'] = array( 'top', 'posixGroup' ); #groupOfUniqueNames is added automatically if rfc2307bis is available.
$LDAP['default_group_attribute_map'] = array( "description" => array("label" => "Description"));
$SHOW_POSIX_ATTRIBUTES = ((strcasecmp(getenv('SHOW_POSIX_ATTRIBUTES'),'TRUE') == 0) ? TRUE : FALSE);
if ($SHOW_POSIX_ATTRIBUTES != TRUE) {
if ($LDAP['account_attribute'] == "uid") {
unset($LDAP['default_attribute_map']['cn']);
}
else {
unset($LDAP['default_attribute_map']['uid']);
}
}
else {
$LDAP['default_attribute_map']["uidnumber"] = array("label" => "UID");
$LDAP['default_attribute_map']["gidnumber"] = array("label" => "GID");
$LDAP['default_attribute_map']["homedirectory"] = array("label" => "Home directory", "onkeyup" => "auto_homedir_update = false;");
$LDAP['default_attribute_map']["loginshell"] = array("label" => "Shell", "default" => $DEFAULT_USER_SHELL);
$LDAP['default_group_attribute_map']["gidnumber"] = array("label" => "Group ID number");
}
## LDAP server
$LDAP['uri'] = getenv('LDAP_URI');
$LDAP['base_dn'] = getenv('LDAP_BASE_DN');
$LDAP['admins_group'] = getenv('LDAP_ADMINS_GROUP');
$LDAP['admin_bind_dn'] = getenv('LDAP_ADMIN_BIND_DN');
$LDAP['admin_bind_pwd'] = getenv('LDAP_ADMIN_BIND_PWD');
$LDAP['connection_type'] = "plain";
#Optional
$LDAP['account_attribute'] = (getenv('LDAP_ACCOUNT_ATTRIBUTE') ? getenv('LDAP_ACCOUNT_ATTRIBUTE') : 'uid');
$LDAP['group_ou'] = (getenv('LDAP_GROUP_OU') ? getenv('LDAP_GROUP_OU') : 'groups');
$LDAP['user_ou'] = (getenv('LDAP_USER_OU') ? getenv('LDAP_USER_OU') : 'people');
$LDAP['forced_rfc2307bis'] = ((strcasecmp(getenv('FORCE_RFC2307BIS'),'TRUE') == 0) ? TRUE : FALSE);
if (getenv('LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES')) { $LDAP['account_additional_objectclasses'] = strtolower(getenv('LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES')); }
if (getenv('LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES')) { $LDAP['account_additional_attributes'] = getenv('LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES'); }
if (getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE')) { $LDAP['group_membership_attribute'] = getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE'); }
if (getenv('LDAP_GROUP_MEMBERSHIP_USES_UID')) {
if (strtoupper(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID')) == TRUE ) { $LDAP['group_membership_uses_uid'] = TRUE; }
if (strtoupper(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID')) == FALSE ) { $LDAP['group_membership_uses_uid'] = FALSE; }
}
$LDAP['require_starttls'] = ((strcasecmp(getenv('LDAP_REQUIRE_STARTTLS'),'TRUE') == 0) ? TRUE : FALSE);
$LDAP['ignore_cert_errors'] = ((strcasecmp(getenv('LDAP_IGNORE_CERT_ERRORS'),'TRUE') == 0) ? TRUE : FALSE);
$LDAP['rfc2307bis_check_run'] = FALSE;
$DEFAULT_USER_GROUP = (getenv('DEFAULT_USER_GROUP') ? getenv('DEFAULT_USER_GROUP') : 'everybody');
$DEFAULT_USER_SHELL = (getenv('DEFAULT_USER_SHELL') ? getenv('DEFAULT_USER_SHELL') : '/bin/bash');
# Various advanced LDAP settings
$LDAP['admins_group'] = getenv('LDAP_ADMINS_GROUP');
$LDAP['group_ou'] = (getenv('LDAP_GROUP_OU') ? getenv('LDAP_GROUP_OU') : 'groups');
$LDAP['user_ou'] = (getenv('LDAP_USER_OU') ? getenv('LDAP_USER_OU') : 'people');
$LDAP['forced_rfc2307bis'] = ((strcasecmp(getenv('FORCE_RFC2307BIS'),'TRUE') == 0) ? TRUE : FALSE);
if (getenv('LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES')) { $account_additional_objectclasses = strtolower(getenv('LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES')); }
if (getenv('LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES')) { $LDAP['account_additional_attributes'] = getenv('LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES'); }
if (getenv('LDAP_GROUP_ADDITIONAL_OBJECTCLASSES')) { $group_additional_objectclasses = getenv('LDAP_GROUP_ADDITIONAL_OBJECTCLASSES'); }
if (getenv('LDAP_GROUP_ADDITIONAL_ATTRIBUTES')) { $LDAP['group_additional_attributes'] = getenv('LDAP_GROUP_ADDITIONAL_ATTRIBUTES'); }
if (getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE')) { $LDAP['group_membership_attribute'] = getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE'); }
if (getenv('LDAP_GROUP_MEMBERSHIP_USES_UID')) {
if (strtoupper(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID')) == 'TRUE' ) { $LDAP['group_membership_uses_uid'] = TRUE; }
if (strtoupper(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID')) == 'FALSE' ) { $LDAP['group_membership_uses_uid'] = FALSE; }
}
$LDAP['group_dn'] = "ou={$LDAP['group_ou']},{$LDAP['base_dn']}";
$LDAP['user_dn'] = "ou={$LDAP['user_ou']},{$LDAP['base_dn']}";
if (isset($account_additional_objectclasses) and $account_additional_objectclasses != "") {
$LDAP['account_objectclasses'] = array_merge($LDAP['account_objectclasses'], explode(",", $account_additional_objectclasses));
}
if (isset($group_additional_objectclasses) and $group_additional_objectclasses != "") {
$LDAP['group_objectclasses'] = array_merge($LDAP['group_objectclasses'], explode(",", $group_additional_objectclasses));
}
# Interface customisation
$ORGANISATION_NAME = (getenv('ORGANISATION_NAME') ? getenv('ORGANISATION_NAME') : 'LDAP');
$SITE_NAME = (getenv('SITE_NAME') ? getenv('SITE_NAME') : "$ORGANISATION_NAME user manager");
$SITE_LOGIN_LDAP_ATTRIBUTE = (getenv('SITE_LOGIN_LDAP_ATTRIBUTE') ? getenv('SITE_LOGIN_LDAP_ATTRIBUTE') : $LDAP['account_attribute'] );
$SITE_LOGIN_FIELD_LABEL = (getenv('SITE_LOGIN_FIELD_LABEL') ? getenv('SITE_LOGIN_FIELD_LABEL') : "Username" );
$SERVER_HOSTNAME = (getenv('SERVER_HOSTNAME') ? getenv('SERVER_HOSTNAME') : "ldapusermanager.org");
$SERVER_PATH = (getenv('SERVER_PATH') ? getenv('SERVER_PATH') : "/");
$ENFORCE_SAFE_SYSTEM_NAMES = ((strcasecmp(getenv('ENFORCE_SAFE_SYSTEM_NAMES'),'FALSE') == 0) ? FALSE : TRUE);
$POSIX_USERNAME_FORMAT = (getenv('USERNAME_FORMAT') ? getenv('USERNAME_FORMAT') : '{first_name}-{last_name}');
$POSIX_REGEX = (getenv('USERNAME_REGEX') ? getenv('USERNAME_REGEX') : '^[a-z][a-zA-Z0-9\._-]{3,32}$');
#We'll use the username regex for groups too.
if (getenv('PASSWORD_HASH')) { $PASSWORD_HASH = strtoupper(getenv('PASSWORD_HASH')); }
$ACCEPT_WEAK_PASSWORDS = ((strcasecmp(getenv('ACCEPT_WEAK_PASSWORDS'),'TRUE') == 0) ? TRUE : FALSE);
$SESSION_TIMEOUT = (getenv('SESSION_TIMEOUT') ? getenv('SESSION_TIMEOUT') : 10);
$LDAP_DEBUG = ((strcasecmp(getenv('LDAP_DEBUG'),'TRUE') == 0) ? TRUE : FALSE);
$LDAP_VERBOSE_CONNECTION_LOGS = ((strcasecmp(getenv('LDAP_VERBOSE_CONNECTION_LOGS'),'TRUE') == 0) ? TRUE : FALSE);
$NO_HTTPS = ((strcasecmp(getenv('NO_HTTPS'),'TRUE') == 0) ? TRUE : FALSE);
$SESSION_DEBUG = ((strcasecmp(getenv('SESSION_DEBUG'),'TRUE') == 0) ? TRUE : FALSE);
$REMOTE_HTTP_HEADERS_LOGIN = ((strcasecmp(getenv('REMOTE_HTTP_HEADERS_LOGIN'),'TRUE') == 0) ? TRUE : FALSE);
###
$LDAP['group_dn'] = "ou=${LDAP['group_ou']},${LDAP['base_dn']}";
$LDAP['user_dn'] = "ou=${LDAP['user_ou']},${LDAP['base_dn']}";
###
# Sending email
$SMTP['host'] = getenv('SMTP_HOSTNAME');
$SMTP['user'] = (getenv('SMTP_USERNAME') ? getenv('SMTP_USERNAME') : NULL);
$SMTP['pass'] = (getenv('SMTP_PASSWORD') ? getenv('SMTP_PASSWORD') : NULL);
$SMTP['port'] = (getenv('SMTP_HOST_PORT') ? getenv('SMTP_HOST_PORT') : 25);
$SMTP['ssl'] = ((strcasecmp(getenv('SMTP_USE_SSL'),'TRUE') == 0) ? TRUE : FALSE);
$SMTP['helo'] = (getenv('SMTP_HELO_HOST') ? getenv('SMTP_HELO_HOST') : NULL);
$SMTP['ssl'] = ((strcasecmp(getenv('SMTP_USE_SSL'),'TRUE') == 0) ? TRUE : FALSE);
$SMTP['tls'] = ((strcasecmp(getenv('SMTP_USE_TLS'),'TRUE') == 0) ? TRUE : FALSE);
if ($SMTP['tls'] == TRUE) { $SMTP['ssl'] = FALSE; }
$SMTP['debug_level'] = getenv('SMTP_LOG_LEVEL');
if (!is_numeric($SMTP['debug_level']) or $SMTP['debug_level'] >4 or $SMTP['debug_level'] <0) { $SMTP['debug_level'] = 0; }
$EMAIL_DOMAIN = (getenv('EMAIL_DOMAIN') ? getenv('EMAIL_DOMAIN') : Null);
$default_email_from_domain = ($EMAIL_DOMAIN ? $EMAIL_DOMAIN : 'ldapusermanger.org');
@ -93,7 +148,7 @@
if ($SMTP['host'] != "") { $EMAIL_SENDING_ENABLED = TRUE; } else { $EMAIL_SENDING_ENABLED = FALSE; }
###
# Account requests
$ACCOUNT_REQUESTS_ENABLED = ((strcasecmp(getenv('ACCOUNT_REQUESTS_ENABLED'),'TRUE') == 0) ? TRUE : FALSE);
if (($EMAIL_SENDING_ENABLED == FALSE) && ($ACCOUNT_REQUESTS_ENABLED == TRUE)) {
@ -103,11 +158,19 @@
$ACCOUNT_REQUESTS_EMAIL = (getenv('ACCOUNT_REQUESTS_EMAIL') ? getenv('ACCOUNT_REQUESTS_EMAIL') : $EMAIL['from_address']);
###
$NO_HTTPS = ((strcasecmp(getenv('NO_HTTPS'),'TRUE') == 0) ? TRUE : FALSE);
# Debugging
###
$LDAP_DEBUG = ((strcasecmp(getenv('LDAP_DEBUG'),'TRUE') == 0) ? TRUE : FALSE);
$LDAP_VERBOSE_CONNECTION_LOGS = ((strcasecmp(getenv('LDAP_VERBOSE_CONNECTION_LOGS'),'TRUE') == 0) ? TRUE : FALSE);
$SESSION_DEBUG = ((strcasecmp(getenv('SESSION_DEBUG'),'TRUE') == 0) ? TRUE : FALSE);
$SMTP['debug_level'] = getenv('SMTP_LOG_LEVEL');
if (!is_numeric($SMTP['debug_level']) or $SMTP['debug_level'] >4 or $SMTP['debug_level'] <0) { $SMTP['debug_level'] = 0; }
# Sanity checking
$CUSTOM_LOGO = (getenv('CUSTOM_LOGO') ? getenv('CUSTOM_LOGO') : FALSE);
$CUSTOM_STYLES = (getenv('CUSTOM_STYLES') ? getenv('CUSTOM_STYLES') : FALSE);
$errors = "";
@ -134,8 +197,6 @@
exit(1);
}
#POSIX accounts
$min_uid = 2000;
$min_gid = 2000;
?>

553
www/includes/ldap_functions.inc.php
View File

@ -10,8 +10,8 @@ function open_ldap_connection($ldap_bind=TRUE) {
$ldap_connection = @ ldap_connect($LDAP['uri']);
if (!$ldap_connection) {
print "Problem: Can't connect to the LDAP server at ${LDAP['uri']}";
die("Can't connect to the LDAP server at ${LDAP['uri']}");
print "Problem: Can't connect to the LDAP server at {$LDAP['uri']}";
die("Can't connect to the LDAP server at {$LDAP['uri']}");
exit(1);
}
@ -24,15 +24,15 @@ function open_ldap_connection($ldap_bind=TRUE) {
if ($tls_result != TRUE) {
error_log("$log_prefix Failed to start STARTTLS connection to ${LDAP['uri']}: " . ldap_error($ldap_connection),0);
if (!preg_match('/^ldap:\/\/127\.0\.0\.([0-9]+)(:[0-9]+)$/', $LDAP['uri'])) { error_log("$log_prefix Failed to start STARTTLS connection to {$LDAP['uri']}: " . ldap_error($ldap_connection),0); }
if ($LDAP["require_starttls"] == TRUE) {
print "<div style='position: fixed;bottom: 0;width: 100%;' class='alert alert-danger'>Fatal: Couldn't create a secure connection to ${LDAP['uri']} and LDAP_REQUIRE_STARTTLS is TRUE.</div>";
print "<div style='position: fixed;bottom: 0;width: 100%;' class='alert alert-danger'>Fatal: Couldn't create a secure connection to {$LDAP['uri']} and LDAP_REQUIRE_STARTTLS is TRUE.</div>";
exit(0);
}
else {
if ($SENT_HEADERS == TRUE and !preg_match('/^ldap:\/\/localhost(:[0-9]+)?$/', $LDAP['uri']) and !preg_match('/^ldap:\/\/127\.0\.0\.([0-9]+)(:[0-9]+)$/', $LDAP['uri'])) {
print "<div style='position: fixed;bottom: 0px;width: 100%;height: 20px;border-bottom:solid 20px yellow;'>WARNING: Insecure LDAP connection to ${LDAP['uri']}</div>";
print "<div style='position: fixed;bottom: 0px;width: 100%;height: 20px;border-bottom:solid 20px yellow;'>WARNING: Insecure LDAP connection to {$LDAP['uri']}</div>";
}
ldap_close($ldap_connection);
$ldap_connection = @ ldap_connect($LDAP['uri']);
@ -41,7 +41,7 @@ function open_ldap_connection($ldap_bind=TRUE) {
}
else {
if ($LDAP_DEBUG == TRUE) {
error_log("$log_prefix Start STARTTLS connection to ${LDAP['uri']}",0);
error_log("$log_prefix Start STARTTLS connection to {$LDAP['uri']}",0);
}
$LDAP['connection_type'] = "StartTLS";
}
@ -49,29 +49,29 @@ function open_ldap_connection($ldap_bind=TRUE) {
}
else {
if ($LDAP_DEBUG == TRUE) {
error_log("$log_prefix Using an LDAPS encrypted connection to ${LDAP['uri']}",0);
error_log("$log_prefix Using an LDAPS encrypted connection to {$LDAP['uri']}",0);
}
$LDAP['connection_type'] = 'LDAPS';
}
if ($ldap_bind == TRUE) {
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Attempting to bind to ${LDAP['uri']} as ${LDAP['admin_bind_dn']}",0); }
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Attempting to bind to {$LDAP['uri']} as {$LDAP['admin_bind_dn']}",0); }
$bind_result = @ ldap_bind( $ldap_connection, $LDAP['admin_bind_dn'], $LDAP['admin_bind_pwd']);
if ($bind_result != TRUE) {
$this_error = "Failed to bind to ${LDAP['uri']} as ${LDAP['admin_bind_dn']}";
if ($LDAP_DEBUG == TRUE) { $this_error .= " with password ${LDAP['admin_bind_pwd']}"; }
$this_error = "Failed to bind to {$LDAP['uri']} as {$LDAP['admin_bind_dn']}";
if ($LDAP_DEBUG == TRUE) { $this_error .= " with password {$LDAP['admin_bind_pwd']}"; }
$this_error .= ": " . ldap_error($ldap_connection);
print "Problem: Failed to bind as ${LDAP['admin_bind_dn']}";
print "Problem: Failed to bind as {$LDAP['admin_bind_dn']}";
error_log("$log_prefix $this_error",0);
exit(1);
}
elseif ($LDAP_DEBUG == TRUE) {
error_log("$log_prefix Bound successfully as ${LDAP['admin_bind_dn']}",0);
error_log("$log_prefix Bound successfully as {$LDAP['admin_bind_dn']}",0);
}
}
@ -83,14 +83,14 @@ function open_ldap_connection($ldap_bind=TRUE) {
###################################
function ldap_auth_username($ldap_connection,$username, $password) {
function ldap_auth_username($ldap_connection, $username, $password) {
# Search for the DN for the given username. If found, try binding with the DN and user's password.
# If the binding succeeds, return the DN.
global $log_prefix, $LDAP, $LDAP_DEBUG;
global $log_prefix, $LDAP, $SITE_LOGIN_LDAP_ATTRIBUTE, $LDAP_DEBUG;
$ldap_search_query="${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);
$ldap_search_query="{$SITE_LOGIN_LDAP_ATTRIBUTE}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Running LDAP search for: $ldap_search_query"); }
$ldap_search = @ ldap_search( $ldap_connection, $LDAP['user_dn'], $ldap_search_query );
@ -102,38 +102,39 @@ function ldap_auth_username($ldap_connection,$username, $password) {
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
if (!$result) {
error_log("$log_prefix Couldn't get LDAP entries for ${username}: " . ldap_error($ldap_connection),0);
error_log("$log_prefix Couldn't get LDAP entries for {$username}: " . ldap_error($ldap_connection),0);
return FALSE;
}
if ($LDAP_DEBUG == TRUE) {
error_log("$log_prefix LDAP search returned " . $result["count"] . " records for $ldap_search_query",0);
for ($i=1; $i==$result["count"]; $i++) {
error_log("$log_prefix ". "Entry ${i}: " . $result[$i-1]['dn'], 0);
error_log("$log_prefix ". "Entry {$i}: " . $result[$i-1]['dn'], 0);
}
}
if ($result["count"] == 1) {
$this_dn = $result[0]['dn'];
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Attempting authenticate as $username by binding with ${this_dn} ",0); }
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Attempting authenticate as $username by binding with {$this_dn} ",0); }
$auth_ldap_connection = open_ldap_connection(FALSE);
$can_bind = @ ldap_bind( $auth_ldap_connection, $result[0]['dn'], $password);
$can_bind = @ ldap_bind($auth_ldap_connection, $result[0]['dn'], $password);
if ($can_bind) {
preg_match("/{$LDAP['account_attribute']}=(.*?),/",$result[0]['dn'],$dn_match);
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Able to bind as ${username}",0); }
$account_id=$dn_match[1];
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Able to bind as {$username}: dn is {$result[0]['dn']} and account ID is {$account_id}",0); }
ldap_close($auth_ldap_connection);
return $dn_match[1];
return $account_id;
}
else {
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Unable to bind as ${username}: " . ldap_error($auth_ldap_connection),0); }
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Unable to bind as {$username}: " . ldap_error($auth_ldap_connection),0); }
ldap_close($auth_ldap_connection);
return FALSE;
}
}
elseif ($result["count"] > 1) {
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix There was more than one entry for ${ldap_search_query} so it wasn't possible to determine which user to log in as."); }
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix There was more than one entry for {$ldap_search_query} so it wasn't possible to determine which user to log in as."); }
}
}
@ -147,16 +148,16 @@ function ldap_setup_auth($ldap_connection, $password) {
#credentials as passed in ADMIN_BIND_*
global $log_prefix, $LDAP, $LDAP_DEBUG;
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Initial setup: opening another LDAP connection to test authentication as ${LDAP['admin_bind_dn']}.",0); }
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Initial setup: opening another LDAP connection to test authentication as {$LDAP['admin_bind_dn']}.",0); }
$auth_ldap_connection = open_ldap_connection();
$can_bind = @ldap_bind($auth_ldap_connection, $LDAP['admin_bind_dn'], $password);
ldap_close($auth_ldap_connection);
if ($can_bind) {
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Initial setup: able to authenticate as ${LDAP['admin_bind_dn']}.",0); }
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Initial setup: able to authenticate as {$LDAP['admin_bind_dn']}.",0); }
return TRUE;
}
else {
$this_error="Initial setup: Unable to authenticate as ${LDAP['admin_bind_dn']}";
$this_error="Initial setup: Unable to authenticate as {$LDAP['admin_bind_dn']}";
if ($LDAP_DEBUG == TRUE) { $this_error .= " with password $password"; }
$this_error .= ". The password used to authenticate for /setup should be the same as set by LDAP_ADMIN_BIND_PWD. ";
$this_error .= ldap_error($ldap_connection);
@ -174,7 +175,7 @@ function generate_salt($length) {
$permitted_chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./';
mt_srand((double)microtime() * 1000000);
mt_srand(intval(microtime()) * 1000000);
$salt = '';
while (strlen($salt) < $length) {
@ -205,6 +206,7 @@ function ldap_hashed_password($password) {
"SHA",
"SMD5",
"MD5",
"ARGON2",
"CRYPT",
"CLEAR"
);
@ -216,7 +218,7 @@ function ldap_hashed_password($password) {
array_push($available_algos, $algo_name);
}
else {
error_log("$log_prefix password hashing - the system doesn't support ${algo_name}",0);
error_log("$log_prefix password hashing - the system doesn't support {$algo_name}",0);
}
}
$available_algos = array_merge($available_algos, $remaining_algos);
@ -233,7 +235,7 @@ function ldap_hashed_password($password) {
else {
$hash_algo = $available_algos[0];
}
error_log("$log_prefix LDAP password: using '${hash_algo}' as the hashing method",0);
error_log("$log_prefix LDAP password: using '{$hash_algo}' as the hashing method",0);
switch ($hash_algo) {
@ -276,6 +278,10 @@ function ldap_hashed_password($password) {
$hashed_pwd = '{SSHA}' . base64_encode(sha1($password . $salt, TRUE) . $salt);
break;
case 'ARGON2':
$hashed_pwd = '{ARGON2}' . password_hash($password, PASSWORD_ARGON2ID, ['memory_cost' => 2048, 'time_cost' => 4, 'threads' => 3]);
break;
case 'CRYPT':
$salt = generate_salt(2);
$hashed_pwd = '{CRYPT}' . crypt($password, $salt);
@ -303,15 +309,15 @@ function ldap_get_user_list($ldap_connection,$start=0,$entries=NULL,$sort="asc",
global $log_prefix, $LDAP, $LDAP_DEBUG;
if (!isset($fields)) { $fields = array_unique( array("${LDAP['account_attribute']}", "givenname", "sn", "mail")); }
if (!isset($fields)) { $fields = array_unique( array("{$LDAP['account_attribute']}", "givenname", "sn", "mail")); }
if (!isset($sort_key)) { $sort_key = $LDAP['account_attribute']; }
$this_filter = "(&(${LDAP['account_attribute']}=*)$filters)";
$this_filter = "(&({$LDAP['account_attribute']}=*)$filters)";
$ldap_search = @ ldap_search($ldap_connection, "${LDAP['user_dn']}", $this_filter, $fields);
$ldap_search = @ ldap_search($ldap_connection, "{$LDAP['user_dn']}", $this_filter, $fields);
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP returned ${result['count']} users for ${LDAP['user_dn']} when using this filter: $this_filter",0); }
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP returned {$result['count']} users for {$LDAP['user_dn']} when using this filter: $this_filter",0); }
$records = array();
foreach ($result as $record) {
@ -320,7 +326,7 @@ function ldap_get_user_list($ldap_connection,$start=0,$entries=NULL,$sort="asc",
$add_these = array();
foreach($fields as $this_attr) {
if ($this_attr !== $sort_key) { $add_these[$this_attr] = $record[$this_attr][0]; }
if ($this_attr !== $sort_key and isset($record[$this_attr])) { $add_these[$this_attr] = $record[$this_attr][0]; }
}
$records[$record[$sort_key][0]] = $add_these;
@ -342,8 +348,8 @@ function fetch_id_stored_in_ldap($ldap_connection,$type="uid") {
global $log_prefix, $LDAP, $LDAP_DEBUG;
$filter = "(&(objectclass=device)(cn=last${type}))";
$ldap_search = @ ldap_search($ldap_connection, "${LDAP['base_dn']}", $filter, array('serialNumber'));
$filter = "(&(objectclass=device)(cn=last{$type}))";
$ldap_search = @ ldap_search($ldap_connection, "{$LDAP['base_dn']}", $filter, array('serialNumber'));
$result = ldap_get_entries($ldap_connection, $ldap_search);
if (isset($result[0]['serialnumber'][0]) and is_numeric($result[0]['serialnumber'][0])){
@ -366,7 +372,7 @@ function ldap_get_highest_id($ldap_connection,$type="uid") {
if ($type == "uid") {
$this_id = $min_uid;
$record_base_dn = $LDAP['user_dn'];
$record_filter = "(${LDAP['account_attribute']}=*)";
$record_filter = "({$LDAP['account_attribute']}=*)";
$record_attribute = "uidnumber";
}
else {
@ -412,17 +418,17 @@ function ldap_get_group_list($ldap_connection,$start=0,$entries=NULL,$sort="asc"
global $log_prefix, $LDAP, $LDAP_DEBUG;
$this_filter = "(&(objectclass=*)$filters)";
$ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $this_filter);
$ldap_search = @ ldap_search($ldap_connection, "{$LDAP['group_dn']}", $this_filter);
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP returned ${result['count']} groups for ${LDAP['group_dn']} when using this filter: $this_filter",0); }
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP returned {$result['count']} groups for {$LDAP['group_dn']} when using this filter: $this_filter",0); }
$records = array();
foreach ($result as $record) {
if (isset($record['cn'][0])) {
if (isset($record[$LDAP['group_attribute']][0])) {
array_push($records, $record['cn'][0]);
array_push($records, $record[$LDAP['group_attribute']][0]);
}
}
@ -438,18 +444,21 @@ function ldap_get_group_list($ldap_connection,$start=0,$entries=NULL,$sort="asc"
##################################
function ldap_get_dn_of_group($ldap_connection,$group_name) {
function ldap_get_group_entry($ldap_connection,$group_name) {
global $log_prefix, $LDAP, $LDAP_DEBUG;
if (isset($group_name)) {
$ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query , array("dn"));
$ldap_search_query = "({$LDAP['group_attribute']}=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = @ ldap_search($ldap_connection, "{$LDAP['group_dn']}", $ldap_search_query);
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
if (isset($result[0]['dn'])) {
return $result[0]['dn'];
if ($result['count'] > 0) {
return $result;
}
else {
return FALSE;
}
}
@ -464,13 +473,13 @@ function ldap_get_group_members($ldap_connection,$group_name,$start=0,$entries=N
global $log_prefix, $LDAP, $LDAP_DEBUG;
if ($LDAP['rfc2307bis_check_run'] != TRUE) { $rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection); }
$rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection);
$ldap_search_query = "(cn=". ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query, array($LDAP['group_membership_attribute']));
$ldap_search_query = "({$LDAP['group_attribute']}=". ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = @ ldap_search($ldap_connection, "{$LDAP['group_dn']}", $ldap_search_query, array($LDAP['group_membership_attribute']));
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
$result_count = $result[0]['count'];
if ($result) { $result_count = $result['count']; } else { $result_count = 0; }
$records = array();
@ -481,13 +490,13 @@ function ldap_get_group_members($ldap_connection,$group_name,$start=0,$entries=N
if ($key !== 'count' and !empty($value)) {
$this_member = preg_replace("/^.*?=(.*?),.*/", "$1", $value);
array_push($records, $this_member);
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix ${value} is a member",0); }
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix {$value} is a member",0); }
}
}
$actual_result_count = count($records);
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP returned $actual_result_count members of ${group_name} when using this search: $ldap_search_query and this filter: ${LDAP['group_membership_attribute']}",0); }
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP returned $actual_result_count members of {$group_name} when using this search: $ldap_search_query and this filter: {$LDAP['group_membership_attribute']}",0); }
if ($actual_result_count > 0) {
if ($sort == "asc") { sort($records); } else { rsort($records); }
@ -511,19 +520,19 @@ function ldap_is_group_member($ldap_connection,$group_name,$username) {
global $log_prefix, $LDAP, $LDAP_DEBUG;
if ($LDAP['rfc2307bis_check_run'] != TRUE) { $rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection); }
$rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection);
$ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
$ldap_search_query = "({$LDAP['group_attribute']}=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = @ ldap_search($ldap_connection, "{$LDAP['group_dn']}", $ldap_search_query);
if ($ldap_search) {
$result = ldap_get_entries($ldap_connection, $ldap_search);
if ($LDAP['group_membership_uses_uid'] == FALSE) {
$username = "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}";
$username = "{$LDAP['account_attribute']}=$username,{$LDAP['user_dn']}";
}
if (preg_grep ("/^${username}$/i", $result[0][$LDAP['group_membership_attribute']])) {
if (preg_grep ("/^{$username}$/i", $result[0][$LDAP['group_membership_attribute']])) {
return TRUE;
}
else {
@ -531,7 +540,7 @@ function ldap_is_group_member($ldap_connection,$group_name,$username) {
}
}
else {
return FALSE;
return FALSE;
}
}
@ -543,20 +552,20 @@ function ldap_user_group_membership($ldap_connection,$username) {
global $log_prefix, $LDAP, $LDAP_DEBUG;
if ($LDAP['rfc2307bis_check_run'] != TRUE) { $rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection); }
$rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection);
if ($LDAP['group_membership_uses_uid'] == FALSE) {
$username = "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}";
$username = "{$LDAP['account_attribute']}=$username,{$LDAP['user_dn']}";
}
$ldap_search_query = "(&(objectClass=posixGroup)(${LDAP['group_membership_attribute']}=${username}))";
$ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query, array('cn'));
$ldap_search_query = "(&(objectClass=posixGroup)({$LDAP['group_membership_attribute']}={$username}))";
$ldap_search = @ ldap_search($ldap_connection, "{$LDAP['group_dn']}", $ldap_search_query, array($LDAP['group_attribute']));
$result = ldap_get_entries($ldap_connection, $ldap_search);
$groups = array();
foreach ($result as $record) {
if (isset($record['cn'][0])) {
array_push($groups, $record['cn'][0]);
if (isset($record[$LDAP['group_attribute']][0])) {
array_push($groups, $record[$LDAP['group_attribute']][0]);
}
}
sort($groups);
@ -567,67 +576,74 @@ function ldap_user_group_membership($ldap_connection,$username) {
##################################
function ldap_new_group($ldap_connection,$group_name,$initial_member="") {
function ldap_new_group($ldap_connection,$group_name,$initial_member="",$extra_attributes=array()) {
global $log_prefix, $LDAP, $LDAP_DEBUG;
if ($LDAP['rfc2307bis_check_run'] != TRUE) { $rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection); }
$rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection);
if (isset($group_name)) {
$new_group = ldap_escape($group_name, "", LDAP_ESCAPE_FILTER);
$initial_member = ldap_escape($initial_member, "", LDAP_ESCAPE_FILTER);
$new_group = ldap_escape($group_name, "", LDAP_ESCAPE_FILTER);
$initial_member = ldap_escape($initial_member, "", LDAP_ESCAPE_FILTER);
$update_gid_store=FALSE;
$ldap_search_query = "(cn=$new_group,${LDAP['group_dn']})";
$ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query);
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
$ldap_search_query = "({$LDAP['group_attribute']}=$new_group,{$LDAP['group_dn']})";
$ldap_search = @ ldap_search($ldap_connection, "{$LDAP['group_dn']}", $ldap_search_query);
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
if ($result['count'] == 0) {
if ($result['count'] == 0) {
$highest_gid = ldap_get_highest_id($ldap_connection,'gid');
$new_gid = $highest_gid + 1;
if ($LDAP['group_membership_uses_uid'] == FALSE and $initial_member != "") { $initial_member = "{$LDAP['account_attribute']}=$initial_member,{$LDAP['user_dn']}"; }
if ($rfc2307bis_available == FALSE) { $objectclasses = array('top','posixGroup'); } else { $objectclasses = array('top','groupOfUniqueNames','posixGroup'); }
if ($LDAP['group_membership_uses_uid'] == FALSE and $initial_member != "") { $initial_member = "${LDAP['account_attribute']}=$initial_member,${LDAP['user_dn']}"; }
$new_group_array=array( 'objectClass' => $LDAP['group_objectclasses'],
'cn' => $new_group,
$LDAP['group_membership_attribute'] => $initial_member
);
$new_group_array=array( 'objectClass' => $objectclasses,
'cn' => $new_group,
'gidNumber' => $new_gid,
$LDAP['group_membership_attribute'] => $initial_member
);
$new_group_array = array_merge($new_group_array,$extra_attributes);
$group_dn="cn=$new_group,${LDAP['group_dn']}";
if (!isset($new_group_array["gidnumber"][0]) or !is_numeric($new_group_array["gidnumber"][0])) {
$highest_gid = ldap_get_highest_id($ldap_connection,'gid');
$new_gid = $highest_gid + 1;
$new_group_array["gidnumber"] = $new_gid;
$update_gid_store=TRUE;
}
$add_group = @ ldap_add($ldap_connection, $group_dn, $new_group_array);
$group_dn="cn=$new_group,{$LDAP['group_dn']}";
if (! $add_group ) {
$this_error="$log_prefix LDAP: unable to add new group (${group_dn}): " . ldap_error($ldap_connection);
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix DEBUG add_group array: ". print_r($new_group_array,true),0); }
error_log($this_error,0);
}
else {
error_log("$log_prefix Added new group $group_name",0);
$add_group = @ ldap_add($ldap_connection, $group_dn, $new_group_array);
$this_gid = fetch_id_stored_in_ldap($ldap_connection,"gid");
if ($this_gid != FALSE) {
$update_gid = @ ldap_mod_replace($ldap_connection, "cn=lastGID,${LDAP['base_dn']}", array( 'serialNumber' => $new_gid ));
if ($update_gid) {
error_log("$log_prefix Updated cn=lastGID with $new_gid",0);
if (! $add_group ) {
$this_error="$log_prefix LDAP: unable to add new group ({$group_dn}): " . ldap_error($ldap_connection);
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix DEBUG add_group array: ". strip_tags(print_r($new_group_array,true)),0); }
error_log($this_error,0);
}
else {
error_log("$log_prefix Unable to update cn=lastGID to $new_gid - this could cause groups to share the same GID.",0);
}
}
return TRUE;
}
error_log("$log_prefix Added new group $group_name",0);
}
else {
error_log("$log_prefix Create group; group $group_name already exists.",0);
}
if ($update_gid_store == TRUE) {
$this_gid = fetch_id_stored_in_ldap($ldap_connection,"gid");
if ($this_gid != FALSE) {
$update_gid = @ ldap_mod_replace($ldap_connection, "cn=lastGID,{$LDAP['base_dn']}", array( 'serialNumber' => $new_gid ));
if ($update_gid) {
error_log("$log_prefix Updated cn=lastGID with $new_gid",0);
}
else {
error_log("$log_prefix Unable to update cn=lastGID to $new_gid - this could cause groups to share the same GID.",0);
}
}
}
return TRUE;
}
}
else {
error_log("$log_prefix Create group; group $group_name already exists.",0);
}
}
else {
error_log("$log_prefix Create group; group name wasn't set.",0);
error_log("$log_prefix Create group; group name wasn't set.",0);
}
return FALSE;
@ -635,6 +651,37 @@ function ldap_new_group($ldap_connection,$group_name,$initial_member="") {
}
##################################
function ldap_update_group_attributes($ldap_connection,$group_name,$extra_attributes) {
global $log_prefix, $LDAP, $LDAP_DEBUG;
if (isset($group_name) and (count($extra_attributes) > 0)) {
$group_name = ldap_escape($group_name, "", LDAP_ESCAPE_FILTER);
$group_dn = "{$LDAP['group_attribute']}=$group_name,{$LDAP['group_dn']}";
$update_group = @ ldap_mod_replace($ldap_connection, $group_dn, $extra_attributes);
if (!$update_group ) {
$this_error="$log_prefix LDAP: unable to update group attributes for group ({$group_dn}): " . ldap_error($ldap_connection);
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix DEBUG update group attributes array: ". print_r($extra_attributes,true),0); }
error_log($this_error,0);
return FALSE;
}
else {
error_log("$log_prefix Updated group attributes for $group_name",0);
return TRUE;
}
}
else {
error_log("$log_prefix Update group attributes; group name wasn't set.",0);
return FALSE;
}
}
##################################
function ldap_delete_group($ldap_connection,$group_name) {
@ -643,7 +690,7 @@ function ldap_delete_group($ldap_connection,$group_name) {
if (isset($group_name)) {
$delete_query = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
$delete_query = "{$LDAP['group_attribute']}=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",{$LDAP['group_dn']}";
$delete = @ ldap_delete($ldap_connection, $delete_query);
if ($delete) {
@ -668,8 +715,8 @@ function ldap_get_gid_of_group($ldap_connection,$group_name) {
if (isset($group_name)) {
$ldap_search_query = "(cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = @ ldap_search($ldap_connection, "${LDAP['group_dn']}", $ldap_search_query , array("gidNumber"));
$ldap_search_query = "({$LDAP['group_attribute']}=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = @ ldap_search($ldap_connection, "{$LDAP['group_dn']}", $ldap_search_query , array("gidNumber"));
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
if (isset($result[0]['gidnumber'][0]) and is_numeric($result[0]['gidnumber'][0])) {
@ -685,50 +732,79 @@ function ldap_get_gid_of_group($ldap_connection,$group_name) {
##################################
function ldap_complete_account_attribute_array() {
function ldap_get_group_name_from_gid($ldap_connection,$gid) {
global $LDAP;
global $log_prefix, $LDAP, $LDAP_DEBUG;
$attribute_r = $LDAP['default_attribute_map'];
$additional_attributes_r = array();
if (isset($gid)) {
if (isset($LDAP['account_additional_attributes'])) {
$ldap_search_query = "(gidnumber=" . ldap_escape($gid, "", LDAP_ESCAPE_FILTER) . ")";
$ldap_search = @ ldap_search($ldap_connection, "{$LDAP['group_dn']}", $ldap_search_query , array("cn"));
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
$user_attribute_r = explode(",", $LDAP['account_additional_attributes']);
foreach ($user_attribute_r as $this_attr) {
$this_r = array();
$kv = explode(":", $this_attr);
$attr_name = strtolower(filter_var($kv[0], FILTER_SANITIZE_STRING));
if (preg_match('/^[a-zA-Z0-9\-]+$/', $attr_name) == 1) {
if (isset($kv[1]) and $kv[1] != "") {
$this_r['label'] = filter_var($kv[1], FILTER_SANITIZE_STRING);
}
else {
$this_r['label'] = $attr_name;
}
if (isset($kv[2]) and $kv[2] != "") {
$this_r['default'] = filter_var($kv[2], FILTER_SANITIZE_STRING);
}
$additional_attributes_r[$attr_name] = $this_r;
}
if (isset($result[0]['cn'][0])) {
return $result[0]['cn'][0];
}
$attribute_r = array_merge($attribute_r, $additional_attributes_r);
}
if (! array_key_exists($LDAP['account_attribute'], $attribute_r)) {
$attribute_r = array_merge($attribute_r, array($LDAP['account_attribute'] => array("label" => "Account UID")));
}
return FALSE;
return($attribute_r);
}
##################################
function ldap_complete_attribute_array($default_attributes,$additional_attributes) {
if (isset($additional_attributes)) {
$user_attribute_r = explode(",", $additional_attributes);
$to_merge = array();
foreach ($user_attribute_r as $this_attr) {
$this_r = array();
$kv = explode(":", $this_attr);
$attr_name = strtolower(filter_var($kv[0], FILTER_SANITIZE_FULL_SPECIAL_CHARS));
$this_r['inputtype'] = "singleinput";
if (substr($attr_name, -1) == '+') {
$this_r['inputtype'] = "multipleinput";
$attr_name = rtrim($attr_name, '+');
}
if (substr($attr_name, -1) == '^') {
$this_r['inputtype'] = "binary";
$attr_name = rtrim($attr_name, '^');
}
if (preg_match('/^[a-zA-Z0-9\-]+$/', $attr_name) == 1) {
if (isset($kv[1]) and $kv[1] != "") {
$this_r['label'] = filter_var($kv[1], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}
else {
$this_r['label'] = $attr_name;
}
if (isset($kv[2]) and $kv[2] != "") {
$this_r['default'] = filter_var($kv[2], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}
$to_merge[$attr_name] = $this_r;
}
}
$attribute_r = array_merge($default_attributes, $to_merge);
return($attribute_r);
}
else {
return($default_attributes);
}
}
@ -739,27 +815,25 @@ function ldap_new_account($ldap_connection,$account_r) {
global $log_prefix, $LDAP, $LDAP_DEBUG, $DEFAULT_USER_SHELL, $DEFAULT_USER_GROUP;
if ( isset($account_r['givenname'])
and isset($account_r['sn'])
and isset($account_r['cn'])
and isset($account_r['uid'])
if ( isset($account_r['givenname'][0])
and isset($account_r['sn'][0])
and isset($account_r['cn'][0])
and isset($account_r['uid'][0])
and isset($account_r[$LDAP['account_attribute']])
and isset($account_r['password'])) {
and isset($account_r['password'][0])) {
$account_identifier = $account_r[$LDAP['account_attribute']];
$ldap_search_query = "(${LDAP['account_attribute']}=" . ldap_escape($account_identifier, "", LDAP_ESCAPE_FILTER) . ",${LDAP['user_dn']})";
$ldap_search = @ ldap_search($ldap_connection, "${LDAP['user_dn']}", $ldap_search_query);
$account_identifier = $account_r[$LDAP['account_attribute']][0];
$user_dn=$LDAP['user_dn'];
$ldap_search_query = "({$LDAP['account_attribute']}=" . ldap_escape($account_identifier, "", LDAP_ESCAPE_FILTER) . ",$user_dn)";
$ldap_search = @ ldap_search($ldap_connection, $user_dn, $ldap_search_query);
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
if ($result['count'] == 0) {
$hashed_pass = ldap_hashed_password($account_r['password']);
$hashed_pass = ldap_hashed_password($account_r['password'][0]);
unset($account_r['password']);
$objectclasses = $LDAP['account_objectclasses'];
if (isset($LDAP['account_additional_objectclasses']) and $LDAP['account_additional_objectclasses'] != "") {
$objectclasses = array_merge($objectclasses, explode(",", $LDAP['account_additional_objectclasses']));
}
$account_attributes = array('objectclass' => $objectclasses,
'userpassword' => $hashed_pass,
@ -767,29 +841,32 @@ function ldap_new_account($ldap_connection,$account_r) {
$account_attributes = array_merge($account_r, $account_attributes);
if (!isset($account_attributes['uidnumber']) or !is_numeric($account_attributes['uidnumber'])) {
if (!isset($account_attributes['uidnumber'][0]) or !is_numeric($account_attributes['uidnumber'][0])) {
$highest_uid = ldap_get_highest_id($ldap_connection,'uid');
$account_attributes['uidnumber'] = $highest_uid + 1;
$account_attributes['uidnumber'][0] = $highest_uid + 1;
}
if (!isset($account_attributes['gidnumber']) or !is_numeric($account_attributes['gidnumber'])) {
if (!isset($account_attributes['gidnumber'][0]) or !is_numeric($account_attributes['gidnumber'][0])) {
$default_gid = ldap_get_gid_of_group($ldap_connection,$DEFAULT_USER_GROUP);
if (!is_numeric($default_gid)) {
$group_add = ldap_new_group($ldap_connection,$account_identifier,$account_identifier);
$account_attributes['gidnumber'] = ldap_get_gid_of_group($ldap_connection,$account_identifier);
$account_attributes['gidnumber'][0] = ldap_get_gid_of_group($ldap_connection,$account_identifier);
}
else {
$account_attributes['gidnumber'] = $default_gid;
$account_attributes['gidnumber'][0] = $default_gid;
$add_to_group = $DEFAULT_USER_GROUP;
}
}
else {
$add_to_group = ldap_get_group_name_from_gid($ldap_connection,$account_attributes['gidnumber'][0]);
if (!$add_to_group) { $add_to_group = $DEFAULT_USER_GROUP; }
}
if (empty($account_attributes['displayname'])) { $account_attributes['displayname'] = $account_attributes['givenname'] . " " . $account_attributes['sn']; }
if (empty($account_attributes['loginshell'])) { $account_attributes['loginshell'] = $DEFAULT_USER_SHELL; }
if (empty($account_attributes['homedirectory'])) { $account_attributes['homedirectory'] = "/home/${account_identifier}"; }
if (empty($account_attributes['homedirectory'])) { $account_attributes['homedirectory'] = "/home/" . $account_r['uid'][0]; }
$add_account = @ ldap_add($ldap_connection,
"${LDAP['account_attribute']}=$account_identifier,${LDAP['user_dn']}",
"{$LDAP['account_attribute']}=$account_identifier,{$LDAP['user_dn']}",
$account_attributes
);
@ -798,10 +875,10 @@ function ldap_new_account($ldap_connection,$account_r) {
ldap_add_member_to_group($ldap_connection,$add_to_group,$account_identifier);
$this_uid = fetch_id_stored_in_ldap($ldap_connection,"uid");
$new_uid = $account_attributes['uidnumber'];
$new_uid = $account_attributes['uidnumber'][0];
if ($this_uid != FALSE) {
$update_uid = @ ldap_mod_replace($ldap_connection, "cn=lastUID,${LDAP['base_dn']}", array( 'serialNumber' => $new_uid ));
$update_uid = @ ldap_mod_replace($ldap_connection, "cn=lastUID,{$LDAP['base_dn']}", array( 'serialNumber' => $new_uid ));
if ($update_uid) {
error_log("$log_prefix Create account; Updated cn=lastUID with $new_uid",0);
}
@ -811,15 +888,15 @@ function ldap_new_account($ldap_connection,$account_r) {
}
return TRUE;
}
else {
ldap_get_option($ldap_connection, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detailed_err);
error_log("$log_prefix Create account; couldn't create the account for ${account_identifier}: " . ldap_error($ldap_connection) . " -- " . $detailed_err,0);
error_log("$log_prefix Create account; couldn't create the account for {$account_identifier}: " . ldap_error($ldap_connection) . " -- " . $detailed_err,0);
}
}
else {
error_log("$log_prefix Create account; Account for ${account_identifier} already exists",0);
error_log("$log_prefix Create account; Account for {$account_identifier} already exists",0);
}
}
@ -840,7 +917,7 @@ function ldap_delete_account($ldap_connection,$username) {
if (isset($username)) {
$delete_query = "${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ",${LDAP['user_dn']}";
$delete_query = "{$LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . ",{$LDAP['user_dn']}";
$delete = @ ldap_delete($ldap_connection, $delete_query);
if ($delete) {
@ -848,7 +925,7 @@ function ldap_delete_account($ldap_connection,$username) {
return TRUE;
}
else {
error_log("$log_prefix Couldn't delete account for ${username}: " . ldap_error($ldap_connection),0);
error_log("$log_prefix Couldn't delete account for {$username}: " . ldap_error($ldap_connection),0);
return FALSE;
}
@ -863,12 +940,12 @@ function ldap_add_member_to_group($ldap_connection,$group_name,$username) {
global $log_prefix, $LDAP, $LDAP_DEBUG;
if ($LDAP['rfc2307bis_check_run'] != TRUE) { $rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection); }
$rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection);
$group_dn = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
$group_dn = "{$LDAP['group_attribute']}=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",{$LDAP['group_dn']}";
if ($LDAP['group_membership_uses_uid'] == FALSE) {
$username = "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}";
$username = "{$LDAP['account_attribute']}=$username,{$LDAP['user_dn']}";
}
$group_update = array($LDAP['group_membership_attribute'] => $username);
@ -880,7 +957,7 @@ function ldap_add_member_to_group($ldap_connection,$group_name,$username) {
}
else {
ldap_get_option($ldap_connection, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detailed_err);
error_log("$log_prefix Couldn't add $username to group '${group_name}': " . ldap_error($ldap_connection) . " -- " . $detailed_err,0);
error_log("$log_prefix Couldn't add $username to group '{$group_name}': " . ldap_error($ldap_connection) . " -- " . $detailed_err,0);
return FALSE;
}
@ -894,16 +971,16 @@ function ldap_delete_member_from_group($ldap_connection,$group_name,$username) {
global $log_prefix, $LDAP, $LDAP_DEBUG, $USER_ID;
if ($group_name == $LDAP['admins_group'] and $username == $USER_ID) {
error_log("$log_prefix Won't remove ${username} from ${group_name} because you're logged in as ${username} and ${group_name} is the admin group.",0);
error_log("$log_prefix Won't remove {$username} from {$group_name} because you're logged in as {$username} and {$group_name} is the admin group.",0);
return FALSE;
}
else {
if ($LDAP['rfc2307bis_check_run'] != TRUE) { $rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection); }
$rfc2307bis_available = ldap_detect_rfc2307bis($ldap_connection);
$group_dn = "cn=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",${LDAP['group_dn']}";
$group_dn = "{$LDAP['group_attribute']}=" . ldap_escape($group_name, "", LDAP_ESCAPE_FILTER) . ",{$LDAP['group_dn']}";
if ($LDAP['group_membership_uses_uid'] == FALSE and $username != "") {
$username = "${LDAP['account_attribute']}=$username,${LDAP['user_dn']}";
$username = "{$LDAP['account_attribute']}=$username,{$LDAP['user_dn']}";
}
$group_update = array($LDAP['group_membership_attribute'] => $username);
@ -914,7 +991,7 @@ function ldap_delete_member_from_group($ldap_connection,$group_name,$username) {
return TRUE;
}
else {
error_log("$log_prefix Couldn't remove '$username' from ${group_name}: " . ldap_error($ldap_connection),0);
error_log("$log_prefix Couldn't remove '$username' from {$group_name}: " . ldap_error($ldap_connection),0);
return FALSE;
}
}
@ -929,7 +1006,7 @@ function ldap_change_password($ldap_connection,$username,$new_password) {
#Find DN of user
$ldap_search_query = "${LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);
$ldap_search_query = "{$LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);
$ldap_search = @ ldap_search( $ldap_connection, $LDAP['user_dn'], $ldap_search_query);
if ($ldap_search) {
$result = @ ldap_get_entries($ldap_connection, $ldap_search);
@ -942,7 +1019,7 @@ function ldap_change_password($ldap_connection,$username,$new_password) {
}
}
else {
error_log("$log_prefix Couldn't perform an LDAP search for ${LDAP['account_attribute']}=${username}: " . ldap_error($ldap_connection),0);
error_log("$log_prefix Couldn't perform an LDAP search for {$LDAP['account_attribute']}={$username}: " . ldap_error($ldap_connection),0);
return FALSE;
}
@ -954,7 +1031,7 @@ function ldap_change_password($ldap_connection,$username,$new_password) {
return TRUE;
}
else {
error_log("$log_prefix Couldn't update the password for ${username}: " . ldap_error($ldap_connection),0);
error_log("$log_prefix Couldn't update the password for {$username}: " . ldap_error($ldap_connection),0);
return TRUE;
}
@ -965,71 +1042,77 @@ function ldap_change_password($ldap_connection,$username,$new_password) {
function ldap_detect_rfc2307bis($ldap_connection) {
global $log_prefix, $LDAP, $LDAP_DEBUG;
global $log_prefix, $LDAP, $LDAP_DEBUG;
$bis_available = FALSE;
if ($LDAP['forced_rfc2307bis'] == TRUE) {
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP RFC2307BIS detection - skipping autodetection because FORCE_RFC2307BIS is TRUE",0); }
$bis_available = TRUE;
}
else {
$schema_base_query = @ ldap_read($ldap_connection,"","subschemaSubentry=*",array('subschemaSubentry'));
if (!$schema_base_query) {
error_log("$log_prefix LDAP RFC2307BIS detection - unable to query LDAP for objectClasses under ${schema_base_dn}:" . ldap_error($ldap_connection),0);
error_log("$log_prefix LDAP RFC2307BIS detection - we'll assume that the RFC2307BIS schema isn't available. Set FORCE_RFC2307BIS to TRUE if you DO use RFC2307BIS.",0);
if (isset($LDAP['rfc2307bis_available'])) {
return $LDAP['rfc2307bis_available'];
}
else {
$schema_base_results = @ ldap_get_entries($ldap_connection, $schema_base_query);
if ($schema_base_results) {
$LDAP['rfc2307bis_available'] = FALSE;
$schema_base_dn = $schema_base_results[0]['subschemasubentry'][0];
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP RFC2307BIS detection - found that the 'subschemaSubentry' base DN is '$schema_base_dn'",0); }
$objclass_query = @ ldap_read($ldap_connection,$schema_base_dn,"(objectClasses=*)",array('objectClasses'));
if (!$objclass_query) {
error_log("$log_prefix LDAP RFC2307BIS detection - unable to query LDAP for objectClasses under ${schema_base_dn}:" . ldap_error($ldap_connection),0);
if ($LDAP['forced_rfc2307bis'] == TRUE) {
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP RFC2307BIS detection - skipping autodetection because FORCE_RFC2307BIS is TRUE",0); }
$LDAP['rfc2307bis_available'] = TRUE;
}
else {
$objclass_results = @ ldap_get_entries($ldap_connection, $objclass_query);
$this_count = $objclass_results[0]['objectclasses']['count'];
if ($this_count > 0) {
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP RFC2307BIS detection - found $this_count objectClasses under $schema_base_dn" ,0); }
$posixgroup_search = preg_grep("/NAME 'posixGroup'.*AUXILIARY/",$objclass_results[0]['objectclasses']);
if (count($posixgroup_search) > 0) {
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP RFC2307BIS detection - found AUXILIARY in posixGroup definition which suggests we're using the RFC2307BIS schema" ,0); }
$bis_available = TRUE;
$schema_base_query = @ ldap_read($ldap_connection,"","subschemaSubentry=*",array('subschemaSubentry'));
if (!$schema_base_query) {
error_log("$log_prefix LDAP RFC2307BIS detection - unable to query LDAP for objectClasses under {$schema_base_dn}:" . ldap_error($ldap_connection),0);
error_log("$log_prefix LDAP RFC2307BIS detection - we'll assume that the RFC2307BIS schema isn't available. Set FORCE_RFC2307BIS to TRUE if you DO use RFC2307BIS.",0);
}
else {
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP RFC2307BIS detection - couldn't find AUXILIARY in the posixGroup definition which suggests we're not using the RFC2307BIS schema. Set FORCE_RFC2307BIS to TRUE if you DO use RFC2307BIS. " ,0); }
$schema_base_results = @ ldap_get_entries($ldap_connection, $schema_base_query);
if ($schema_base_results) {
$schema_base_dn = $schema_base_results[0]['subschemasubentry'][0];
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP RFC2307BIS detection - found that the 'subschemaSubentry' base DN is '$schema_base_dn'",0); }
$objclass_query = @ ldap_read($ldap_connection,$schema_base_dn,"(objectClasses=*)",array('objectClasses'));
if (!$objclass_query) {
error_log("$log_prefix LDAP RFC2307BIS detection - unable to query LDAP for objectClasses under {$schema_base_dn}:" . ldap_error($ldap_connection),0);
}
else {
$objclass_results = @ ldap_get_entries($ldap_connection, $objclass_query);
$this_count = $objclass_results[0]['objectclasses']['count'];
if ($this_count > 0) {
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP RFC2307BIS detection - found $this_count objectClasses under $schema_base_dn" ,0); }
$posixgroup_search = preg_grep("/NAME 'posixGroup'.*AUXILIARY/",$objclass_results[0]['objectclasses']);
if (count($posixgroup_search) > 0) {
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP RFC2307BIS detection - found AUXILIARY in posixGroup definition which suggests we're using the RFC2307BIS schema" ,0); }
$LDAP['rfc2307bis_available'] = TRUE;
}
else {
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP RFC2307BIS detection - couldn't find AUXILIARY in the posixGroup definition which suggests we're not using the RFC2307BIS schema. Set FORCE_RFC2307BIS to TRUE if you DO use RFC2307BIS. " ,0); }
}
}
else {
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP RFC2307BIS detection - no objectClasses were returned when searching under $schema_base_dn" ,0); }
}
}
}
else {
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP RFC2307BIS detection - unable to detect the subschemaSubentry base DN" ,0); }
}
}
}
else {
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP RFC2307BIS detection - no objectClasses were returned when searching under $schema_base_dn" ,0); }
}
}
}
else {
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix LDAP RFC2307BIS detection - unable to detect the subschemaSubentry base DN" ,0); }
}
if ($LDAP['rfc2307bis_available'] == TRUE) {
if (!isset($LDAP['group_membership_attribute'])) { $LDAP['group_membership_attribute'] = 'uniquemember'; }
if (!isset($LDAP['group_membership_uses_uid'])) { $LDAP['group_membership_uses_uid'] = FALSE; }
if (!in_array('groupOfUniqueNames',$LDAP['group_objectclasses'])) { array_push($LDAP['group_objectclasses'], 'groupOfUniqueNames'); }
return TRUE;
}
else {
if (!isset($LDAP['group_membership_attribute'])) { $LDAP['group_membership_attribute'] = 'memberuid'; }
if (!isset($LDAP['group_membership_uses_uid'])) { $LDAP['group_membership_uses_uid'] = TRUE; }
return FALSE;
}
}
}
$LDAP['rfc2307bis_check_run'] == TRUE;
if ($bis_available == TRUE) {
if (!isset($LDAP['group_membership_attribute'])) { $LDAP['group_membership_attribute'] = 'uniquemember'; }
if (!isset($LDAP['group_membership_uses_uid'])) { $LDAP['group_membership_uses_uid'] = FALSE; }
return TRUE;
}
else {
if (!isset($LDAP['group_membership_attribute'])) { $LDAP['group_membership_attribute'] = 'memberuid'; }
if (!isset($LDAP['group_membership_uses_uid'])) { $LDAP['group_membership_uses_uid'] = TRUE; }
return FALSE;
}
}

9
www/includes/mail_functions.inc.php
View File

@ -34,8 +34,8 @@ function parse_mail_text($template,$password,$login,$first_name,$last_name) {
$template = str_replace("{last_name}", $last_name, $template);
$template = str_replace("{organisation}", $ORGANISATION_NAME, $template);
$template = str_replace("{site_url}", "${SITE_PROTOCOL}${SERVER_HOSTNAME}${SERVER_PATH}", $template);
$template = str_replace("{change_password_url}", "${SITE_PROTOCOL}${SERVER_HOSTNAME}${SERVER_PATH}change_password", $template);
$template = str_replace("{site_url}", "{$SITE_PROTOCOL}{$SERVER_HOSTNAME}{$SERVER_PATH}", $template);
$template = str_replace("{change_password_url}", "{$SITE_PROTOCOL}{$SERVER_HOSTNAME}{$SERVER_PATH}change_password", $template);
return $template;
@ -55,6 +55,10 @@ function send_email($recipient_email,$recipient_name,$subject,$body) {
$mail->Host = $SMTP['host'];
$mail->Port = $SMTP['port'];
if (isset($SMTP['helo'])) {
$mail->Helo = $SMTP['helo'];
}
if (isset($SMTP['user'])) {
$mail->SMTPAuth = true;
$mail->Username = $SMTP['user'];
@ -64,6 +68,7 @@ function send_email($recipient_email,$recipient_name,$subject,$body) {
if ($SMTP['tls'] == TRUE) { $mail->SMTPSecure = 'tls'; }
if ($SMTP['ssl'] == TRUE) { $mail->SMTPSecure = 'ssl'; }
$mail->SMTPAutoTLS = false;
$mail->setFrom($EMAIL['from_address'], $EMAIL['from_name']);
$mail->addAddress($recipient_email, $recipient_name);
$mail->Subject = $subject;

4
www/includes/modules.inc.php
View File

@ -11,11 +11,13 @@
'log_in' => 'hidden_on_login',
'change_password' => 'auth',
'account_manager' => 'admin',
'log_out' => 'auth'
);
if ($ACCOUNT_REQUESTS_ENABLED == TRUE) {
$MODULES['request_account'] = 'hidden_on_login';
}
if (!$REMOTE_HTTP_HEADERS_LOGIN) {
$MODULES['log_out'] = 'auth';
}
?>

332
www/includes/web_functions.inc.php
View File

@ -1,5 +1,4 @@
<?php
#Security level vars
$VALIDATED = FALSE;
@ -34,24 +33,29 @@ include ("config.inc.php"); # get local settings
include ("modules.inc.php"); # module definitions
if (substr($SERVER_PATH, -1) != "/") { $SERVER_PATH .= "/"; }
$THIS_MODULE_PATH="${SERVER_PATH}${THIS_MODULE}";
$THIS_MODULE_PATH="{$SERVER_PATH}{$THIS_MODULE}";
$DEFAULT_COOKIE_OPTIONS = array( 'expires' => time()+(60 * $SESSION_TIMEOUT),
'path' => $SERVER_PATH,
'domain' => '',
'secure' => TRUE,
'secure' => $NO_HTTPS ? FALSE : TRUE,
'samesite' => 'strict'
);
validate_passkey_cookie();
if ($REMOTE_HTTP_HEADERS_LOGIN) {
login_via_headers();
} else {
validate_passkey_cookie();
}
######################################################
function generate_passkey() {
$rnd1 = rand(10000000,100000000000);
$rnd2 = rand(10000000,100000000000);
$rnd3 = rand(10000000,100000000000);
$rnd1 = mt_rand(10000000, mt_getrandmax());
$rnd2 = mt_rand(10000000, mt_getrandmax());
$rnd3 = mt_rand(10000000, mt_getrandmax());
return sprintf("%0x",$rnd1) . sprintf("%0x",$rnd2) . sprintf("%0x",$rnd3);
}
@ -80,63 +84,77 @@ function set_passkey_cookie($user_id,$is_admin) {
$sessto_cookie_opts = $DEFAULT_COOKIE_OPTIONS;
$sessto_cookie_opts['expires'] = $this_time+7200;
setcookie('sessto_cookie', $this_time+(60 * $SESSION_TIMEOUT), $sessto_cookie_opts);
if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: user $user_id validated (IS_ADMIN=${IS_ADMIN}), sent orf_cookie to the browser.",0); }
if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: user $user_id validated (IS_ADMIN={$IS_ADMIN}), sent orf_cookie to the browser.",0); }
$VALIDATED = TRUE;
}
######################################################
function login_via_headers() {
global $IS_ADMIN, $USER_ID, $VALIDATED, $LDAP;
//['admins_group'];
$USER_ID = $_SERVER['HTTP_REMOTE_USER'];
$remote_groups = explode(',',$_SERVER['HTTP_REMOTE_GROUPS']);
$IS_ADMIN = in_array($LDAP['admins_group'],$remote_groups);
// users are always validated as we assume, that the auth server does this
$VALIDATED = true;
}
######################################################
function validate_passkey_cookie() {
global $SESSION_TIMEOUT, $IS_ADMIN, $USER_ID, $VALIDATED, $log_prefix, $SESSION_TIMED_OUT, $SESSION_DEBUG;
global $SESSION_TIMEOUT, $IS_ADMIN, $USER_ID, $VALIDATED, $log_prefix, $SESSION_TIMED_OUT, $SESSION_DEBUG;
$this_time=time();
$this_time=time();
$VALIDATED = FALSE;
$IS_ADMIN = FALSE;
if (isset($_COOKIE['orf_cookie'])) {
if (isset($_COOKIE['orf_cookie'])) {
list($user_id,$c_passkey) = explode(":",$_COOKIE['orf_cookie']);
$filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id);
$session_file = @ file_get_contents("/tmp/$filename");
if (!$session_file) {
if ($SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: orf_cookie was sent by the client but the session file wasn't found at /tmp/$filename",0); }
}
else {
list($f_passkey,$f_is_admin,$f_time) = explode(":",$session_file);
if (!empty($c_passkey) and $f_passkey == $c_passkey and $this_time < $f_time+(60 * $SESSION_TIMEOUT)) {
if ($f_is_admin == 1) { $IS_ADMIN = TRUE; }
$VALIDATED = TRUE;
$USER_ID=$user_id;
if ($SESSION_DEBUG == TRUE) { error_log("$log_prefix Setup session: Cookie and session file values match for user {$user_id} - VALIDATED (ADMIN = {$IS_ADMIN})",0); }
set_passkey_cookie($USER_ID,$IS_ADMIN);
}
else {
if ($SESSION_DEBUG == TRUE) {
$this_error="$log_prefix Session: orf_cookie was sent by the client and the session file was found at /tmp/$filename, but";
if (empty($c_passkey)) { $this_error .= " the cookie passkey wasn't set;"; }
if ($c_passkey != $f_passkey) { $this_error .= " the session file passkey didn't match the cookie passkey;"; }
$this_error.=" Cookie: {$_COOKIE['orf_cookie']} - Session file contents: $session_file";
error_log($this_error,0);
}
}
}
list($user_id,$c_passkey) = explode(":",$_COOKIE['orf_cookie']);
$filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id);
$session_file = @ file_get_contents("/tmp/$filename");
if (!$session_file) {
$VALIDATED = FALSE;
unset($USER_ID);
$IS_ADMIN = FALSE;
if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: orf_cookie was sent by the client but the session file wasn't found at /tmp/$filename",0); }
}
else {
list($f_passkey,$f_is_admin,$f_time) = explode(":",$session_file);
if (!empty($c_passkey) and $f_passkey == $c_passkey and $this_time < $f_time+(60 * $SESSION_TIMEOUT)) {
if ($f_is_admin == 1) { $IS_ADMIN = TRUE; }
$VALIDATED = TRUE;
$USER_ID=$user_id;
if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Setup session: Cookie and session file values match for user ${user_id} - VALIDATED (ADMIN = ${IS_ADMIN})",0); }
set_passkey_cookie($USER_ID,$IS_ADMIN);
}
else {
if ( $SESSION_DEBUG == TRUE ) {
$this_error="$log_prefix Session: orf_cookie was sent by the client and the session file was found at /tmp/$filename, but";
if (empty($c_passkey)) { $this_error .= " the cookie passkey wasn't set;"; }
if ($c_passkey != $f_passkey) { $this_error .= " the session file passkey didn't match the cookie passkey;"; }
$this_error += " Cookie: ${_COOKIE['orf_cookie']} - Session file contents: $session_file";
error_log($this_error,0);
if ($SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: orf_cookie wasn't sent by the client.",0); }
if (isset($_COOKIE['sessto_cookie'])) {
$this_session_timeout = $_COOKIE['sessto_cookie'];
if ($this_time >= $this_session_timeout) {
$SESSION_TIMED_OUT = TRUE;
if ($SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: The session had timed-out (over $SESSION_TIMEOUT mins idle).",0); }
}
}
}
}
}
else {
if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: orf_cookie wasn't sent by the client.",0); }
if (isset($_COOKIE['sessto_cookie'])) {
$this_session_timeout = $_COOKIE['sessto_cookie'];
if ($this_time >= $this_session_timeout) {
$SESSION_TIMED_OUT = TRUE;
if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: The session had timed-out (over $SESSION_TIMEOUT mins idle).",0); }
}
}
}
}
@ -153,7 +171,7 @@ function set_setup_cookie() {
$IS_SETUP_ADMIN = TRUE;
file_put_contents("/tmp/ldap_setup","$passkey:$this_time");
@ file_put_contents("/tmp/ldap_setup","$passkey:$this_time");
setcookie('setup_cookie', $passkey, $DEFAULT_COOKIE_OPTIONS);
@ -187,7 +205,7 @@ function validate_setup_cookie() {
$this_error="$log_prefix Setup session: setup_cookie was sent by the client and the session file was found at /tmp/ldap_setup, but";
if (empty($c_passkey)) { $this_error .= " the cookie passkey wasn't set;"; }
if ($c_passkey != $f_passkey) { $this_error .= " the session file passkey didn't match the cookie passkey;"; }
$this_error += " Cookie: ${_COOKIE['setup_cookie']} - Session file contents: $session_file";
$this_error += " Cookie: {$_COOKIE['setup_cookie']} - Session file contents: $session_file";
error_log($this_error,0);
}
}
@ -220,7 +238,7 @@ function log_out($method='normal') {
@ unlink("/tmp/$filename");
if ($method == 'auto') { $options = "?logged_out"; } else { $options = ""; }
header("Location: //${_SERVER["HTTP_HOST"]}${SERVER_PATH}index.php$options\n\n");
header("Location: //{$_SERVER["HTTP_HOST"]}{$SERVER_PATH}index.php$options\n\n");
}
@ -229,7 +247,7 @@ function log_out($method='normal') {
function render_header($title="",$menu=TRUE) {
global $SITE_NAME, $IS_ADMIN, $SENT_HEADERS, $SERVER_PATH;
global $SITE_NAME, $IS_ADMIN, $SENT_HEADERS, $SERVER_PATH, $CUSTOM_STYLES;
if (empty($title)) { $title = $SITE_NAME; }
@ -242,6 +260,7 @@ function render_header($title="",$menu=TRUE) {
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" href="<?php print $SERVER_PATH; ?>bootstrap/css/bootstrap.min.css">
<?php if ($CUSTOM_STYLES) echo '<link rel="stylesheet" href="'.$CUSTOM_STYLES.'">' ?>
<script src="<?php print $SERVER_PATH; ?>js/jquery-3.6.0.min.js"></script>
<script src="<?php print $SERVER_PATH; ?>bootstrap/js/bootstrap.min.js"></script>
</HEAD>
@ -277,14 +296,15 @@ function render_menu() {
#Render the navigation menu.
#The menu is dynamically rendered the $MODULES hash
global $SITE_NAME, $MODULES, $THIS_MODULE, $VALIDATED, $IS_ADMIN, $USER_ID, $SERVER_PATH;
global $SITE_NAME, $MODULES, $THIS_MODULE, $VALIDATED, $IS_ADMIN, $USER_ID, $SERVER_PATH, $CUSTOM_LOGO;
?>
<nav class="navbar navbar-default">
<div class="container-fluid">
<div class="navbar-header">
<a class="navbar-brand" href="#"><?php print $SITE_NAME ?></a>
</div>
<div class="navbar-header"><?php
if ($CUSTOM_LOGO) echo '<span class="navbar-brand"><img src="'.$CUSTOM_LOGO.'" class="logo" alt="logo"></span>'
?><a class="navbar-brand" href="./"><?php print $SITE_NAME ?></a>
</div>
<ul class="nav navbar-nav">
<?php
foreach ($MODULES as $module => $access) {
@ -307,14 +327,14 @@ function render_menu() {
else {
print '<li>';
}
print "<a href='${SERVER_PATH}{$module}/'>$this_module_name</a></li>\n";
print "<a href='{$SERVER_PATH}{$module}/'>$this_module_name</a></li>\n";
}
}
?>
</ul>
<div style="text-align: right;">
<?php if(isset($USER_ID)) { print $USER_ID; } ?>
</div>
<ul class="nav navbar-nav navbar-right">
<li><a style="color:#333"><?php if(isset($USER_ID)) { print $USER_ID; } ?></a></li>
</ul>
</div>
</nav>
<?php
@ -351,7 +371,7 @@ function set_page_access($level) {
return;
}
else {
header("Location: //" . $_SERVER["HTTP_HOST"] . "${SERVER_PATH}setup/index.php?unauthorised\n\n");
header("Location: //" . $_SERVER["HTTP_HOST"] . "{$SERVER_PATH}setup/index.php?unauthorised\n\n");
if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: UNAUTHORISED: page security level is 'setup' but IS_SETUP_ADMIN isn't TRUE",0); }
exit(0);
}
@ -364,8 +384,8 @@ function set_page_access($level) {
return;
}
else {
header("Location: //" . $_SERVER["HTTP_HOST"] . "${SERVER_PATH}log_in/index.php?$reason&redirect_to=" . base64_encode($_SERVER['REQUEST_URI']) . "\n\n");
if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: no access to page ($reason): page security level is 'admin' but IS_ADMIN = '${IS_ADMIN}' and VALIDATED = '${VALIDATED}' (user) ",0); }
header("Location: //" . $_SERVER["HTTP_HOST"] . "{$SERVER_PATH}log_in/index.php?$reason&redirect_to=" . base64_encode($_SERVER['REQUEST_URI']) . "\n\n");
if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: no access to page ($reason): page security level is 'admin' but IS_ADMIN = '{$IS_ADMIN}' and VALIDATED = '{$VALIDATED}' (user) ",0); }
exit(0);
}
}
@ -375,8 +395,8 @@ function set_page_access($level) {
return;
}
else {
header("Location: //" . $_SERVER["HTTP_HOST"] . "${SERVER_PATH}log_in/index.php?$reason&redirect_to=" . base64_encode($_SERVER['REQUEST_URI']) . "\n\n");
if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: no access to page ($reason): page security level is 'user' but VALIDATED = '${VALIDATED}'",0); }
header("Location: //" . $_SERVER["HTTP_HOST"] . "{$SERVER_PATH}log_in/index.php?$reason&redirect_to=" . base64_encode($_SERVER['REQUEST_URI']) . "\n\n");
if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: no access to page ($reason): page security level is 'user' but VALIDATED = '{$VALIDATED}'",0); }
exit(0);
}
}
@ -397,7 +417,7 @@ function is_valid_email($email) {
function render_js_username_check(){
global $POSIX_REGEX, $ENFORCE_SAFE_SYSTEM_NAMES;
global $USERNAME_REGEX, $ENFORCE_SAFE_SYSTEM_NAMES;
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE) {
@ -406,7 +426,7 @@ function render_js_username_check(){
function check_entity_name_validity(name,div_id) {
var check_regex = /$POSIX_REGEX/;
var check_regex = /$USERNAME_REGEX/;
if (! check_regex.test(name) ) {
document.getElementById(div_id).classList.add("has-error");
@ -427,22 +447,24 @@ EoCheckJS;
}
######################################################
function generate_username($fn,$ln) {
global $POSIX_USERNAME_FORMAT;
global $USERNAME_FORMAT;
$username = $POSIX_USERNAME_FORMAT;
$username = $USERNAME_FORMAT;
$username = str_replace('{first_name}',strtolower($fn), $username);
$username = str_replace('{first_name_initial}',strtolower($fn[0]), $username);
$username = str_replace('{last_name}',strtolower($ln), $username);
$username = str_replace('{first_name_initial}',strtolower($ln[0]), $username);
$username = str_replace('{last_name_initial}',strtolower($ln[0]), $username);
return $username;
}
######################################################
function render_js_username_generator($firstname_field_id,$lastname_field_id,$username_field_id,$username_div_id) {
@ -450,7 +472,7 @@ function render_js_username_generator($firstname_field_id,$lastname_field_id,$us
#Parameters are the IDs of the input fields and username name div in the account creation form.
#The div will be set to warning if the username is invalid.
global $POSIX_USERNAME_FORMAT, $ENFORCE_SAFE_SYSTEM_NAMES;
global $USERNAME_FORMAT, $ENFORCE_SAFE_SYSTEM_NAMES;
$remove_accents="";
if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE) { $remove_accents = ".normalize('NFD').replace(/[\u0300-\u036f]/g, '')"; }
@ -462,7 +484,7 @@ function render_js_username_generator($firstname_field_id,$lastname_field_id,$us
var first_name = document.getElementById('$firstname_field_id').value;
var last_name = document.getElementById('$lastname_field_id').value;
var template = '$POSIX_USERNAME_FORMAT';
var template = '$USERNAME_FORMAT';
var actual_username = template;
@ -483,6 +505,7 @@ EoRenderJS;
}
######################################################
function render_js_cn_generator($firstname_field_id,$lastname_field_id,$cn_field_id,$cn_div_id) {
@ -520,6 +543,7 @@ EoRenderCNJS;
}
######################################################
function render_js_email_generator($username_field_id,$email_field_id) {
@ -545,4 +569,170 @@ EoRenderEmailJS;
}
######################################################
function render_js_homedir_generator($username_field_id,$homedir_field_id) {
print <<<EoRenderHomedirJS
<script>
var auto_homedir_update = true;
function update_homedir() {
if ( auto_homedir_update == true ) {
var username = document.getElementById('$username_field_id').value;
document.getElementById('$homedir_field_id').value = "/home/" + username;
}
}
</script>
EoRenderHomedirJS;
}
######################################################
function render_dynamic_field_js() {
?>
<script>
function add_field_to(attribute_name,value=null) {
var parent = document.getElementById(attribute_name + '_input_div');
var input_div = document.createElement('div');
window[attribute_name + '_count'] = (window[attribute_name + '_count'] === undefined) ? 1 : window[attribute_name + '_count'] + 1;
var input_field_id = attribute_name + window[attribute_name + '_count'];
var input_div_id = 'div' + '_' + input_field_id;
input_div.className = 'input-group';
input_div.id = input_div_id;
parent.appendChild(input_div);
var input_field = document.createElement('input');
input_field.type = 'text';
input_field.className = 'form-control';
input_field.id = input_field_id;
input_field.name = attribute_name + '[]';
input_field.value = value;
var button_span = document.createElement('span');
button_span.className = 'input-group-btn';
var remove_button = document.createElement('button');
remove_button.type = 'button';
remove_button.className = 'btn btn-default';
remove_button.onclick = function() { var div_to_remove = document.getElementById(input_div_id); div_to_remove.innerHTML = ""; }
remove_button.innerHTML = '-';
input_div.appendChild(input_field);
input_div.appendChild(button_span);
button_span.appendChild(remove_button);
}
</script>
<?php
}
######################################################
function render_attribute_fields($attribute,$label,$values_r,$resource_identifier,$onkeyup="",$inputtype="",$tabindex=null) {
global $THIS_MODULE_PATH;
?>
<div class="form-group" id="<?php print $attribute; ?>_div">
<label for="<?php print $attribute; ?>" class="col-sm-3 control-label"><?php print $label; ?></label>
<div class="col-sm-6" id="<?php print $attribute; ?>_input_div">
<?php if($inputtype == "multipleinput") {
?><div class="input-group">
<input type="text" class="form-control" id="<?php print $attribute; ?>" name="<?php print $attribute; ?>[]" value="<?php if (isset($values_r[0])) { print $values_r[0]; } ?>">
<div class="input-group-btn"><button type="button" class="btn btn-default" onclick="add_field_to('<?php print $attribute; ?>')">+</i></button></div>
</div>
<?php
if (isset($values_r['count']) and $values_r['count'] > 0) {
unset($values_r['count']);
$remaining_values = array_slice($values_r, 1);
print "<script>";
foreach($remaining_values as $this_value) { print "add_field_to('$attribute','$this_value');"; }
print "</script>";
}
}
elseif ($inputtype == "binary") {
$button_text="Browse";
$file_button_action="disabled";
$description="Select a file to upload";
$mimetype="";
if (isset($values_r[0])) {
$this_file_info = new finfo(FILEINFO_MIME_TYPE);
$mimetype = $this_file_info->buffer($values_r[0]);
if (strlen($mimetype) > 23) { $mimetype = substr($mimetype,0,19) . "..."; }
$description="Download $mimetype file (" . human_readable_filesize(strlen($values_r[0])) . ")";
$button_text="Replace file";
if ($resource_identifier != "") {
$this_url="//{$_SERVER['HTTP_HOST']}{$THIS_MODULE_PATH}/download.php?resource_identifier={$resource_identifier}&attribute={$attribute}";
$file_button_action="onclick=\"window.open('$this_url','_blank');\"";
}
}
if ($mimetype == "image/jpeg") {
$this_image = base64_encode($values_r[0]);
print "<img class='img-thumbnail' src='data:image/jpeg;base64,$this_image'>";
$description="";
}
else {
?>
<button type="button" <?php print $file_button_action; ?> class="btn btn-default" id="<?php print $attribute; ?>-file-info"><?php print $description; ?></button>
<?php } ?>
<label class="btn btn-default">
<?php print $button_text; ?><input <?php if (isset($tabindex)) { ?>tabindex="<?php print $tabindex; ?>" <?php } ?>type="file" style="display:none" onchange="$('#<?php print $attribute; ?>-file-info').text(this.files[0].name)" id="<?php print $attribute; ?>" name="<?php print $attribute; ?>">
</label>
<?php
}
else { ?>
<input <?php if (isset($tabindex)) { ?>tabindex="<?php print $tabindex; ?>" <?php } ?>type="text" class="form-control" id="<?php print $attribute; ?>" name="<?php print $attribute; ?>" value="<?php if (isset($values_r[0])) { print $values_r[0]; } ?>" <?php if ($onkeyup != "") { print "onkeyup=\"$onkeyup\""; } ?>>
<?php
}
?>
</div>
</div>
<?php
}
######################################################
function human_readable_filesize($bytes) {
for($i = 0; ($bytes / 1024) > 0.9; $i++, $bytes /= 1024) {}
return round($bytes, [0,0,1,2,2,3,3,4,4][$i]).['B','kB','MB','GB','TB','PB','EB','ZB','YB'][$i];
}
######################################################
function render_alert_banner($message,$alert_class="success",$timeout=4000) {
?>
<script>window.setTimeout(function() {$(".alert").fadeTo(500, 0).slideUp(500, function(){ $(this).remove(); }); }, $<?php print $timeout; ?>);</script>
<div class="alert alert-<?php print $alert_class; ?>" role="alert">
<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
<p class="text-center"><?php print $message; ?></p>
</div>
<?php
}
##EoFile
?>

21
www/log_in/index.php
View File

@ -22,25 +22,24 @@ if (isset($_GET['logged_out'])) {
if (isset($_POST["user_id"]) and isset($_POST["password"])) {
$ldap_connection = open_ldap_connection();
$user_auth = ldap_auth_username($ldap_connection,$_POST["user_id"],$_POST["password"]);
$is_admin = ldap_is_group_member($ldap_connection,$LDAP['admins_group'],$_POST["user_id"]);
$account_id = ldap_auth_username($ldap_connection,$_POST["user_id"],$_POST["password"]);
$is_admin = ldap_is_group_member($ldap_connection,$LDAP['admins_group'],$account_id);
ldap_close($ldap_connection);
if ($user_auth != FALSE) {
if ($account_id != FALSE) {
set_passkey_cookie($user_auth,$is_admin);
set_passkey_cookie($account_id,$is_admin);
if (isset($_POST["redirect_to"])) {
header("Location: //${_SERVER['HTTP_HOST']}" . base64_decode($_POST['redirect_to']) . "\n\n");
header("Location: //{$_SERVER['HTTP_HOST']}" . base64_decode($_POST['redirect_to']) . "\n\n");
}
else {
if ($IS_ADMIN) { $default_module = "account_manager"; } else { $default_module = "change_password"; }
header("Location: //${_SERVER['HTTP_HOST']}${SERVER_PATH}$default_module?logged_in\n\n");
header("Location: //{$_SERVER['HTTP_HOST']}{$SERVER_PATH}$default_module?logged_in\n\n");
}
}
else {
header("Location: //${_SERVER['HTTP_HOST']}${THIS_MODULE_PATH}/index.php?invalid\n\n");
header("Location: //{$_SERVER['HTTP_HOST']}{$THIS_MODULE_PATH}/index.php?invalid\n\n");
}
}
@ -50,7 +49,7 @@ else {
?>
<div class="container">
<div class="col-sm-8">
<div class="col-sm-8 col-sm-offset-2">
<div class="panel panel-default">
<div class="panel-heading text-center">Log in</div>
@ -75,10 +74,10 @@ else {
<?php } ?>
<form class="form-horizontal" action='' method='post'>
<?php if (isset($redirect_to) and ($redirect_to != "")) { ?><input type="hidden" name="redirect_to" value="<?php print $redirect_to; ?>"><?php } ?>
<?php if (isset($redirect_to) and ($redirect_to != "")) { ?><input type="hidden" name="redirect_to" value="<?php print htmlspecialchars($redirect_to); ?>"><?php } ?>
<div class="form-group">
<label for="username" class="col-sm-4 control-label">Username</label>
<label for="username" class="col-sm-4 control-label"><?php print $SITE_LOGIN_FIELD_LABEL; ?></label>
<div class="col-sm-6">
<input type="text" class="form-control" id="user_id" name="user_id">
</div>

2
www/request_account/human.php
View File

@ -66,7 +66,7 @@ for($i = 0; $i < $num_chars; $i++) {
$txt_col = $textcols[rand(0,1)];
$txt_font = $fonts[array_rand($fonts)];
$txt = $human_proof[$i];
imagettftext($image, $size, $angle, $txt_x, $txt_y, $txt_col, $txt_font, $txt);
imagettftext($image, $size, $angle, (int)$txt_x, (int)$txt_y, $txt_col, $txt_font, $txt);
# print "imagettftext( $size, $angle, $txt_x, $txt_y, $txt_col, $txt_font, $txt);<p>";
}

47
www/request_account/index.php
View File

@ -28,14 +28,14 @@ if($_POST) {
array_push($error_messages, "You didn't enter your first name.");
}
else {
$firstname=filter_var($_POST['firstname'], FILTER_SANITIZE_STRING);
$firstname=filter_var($_POST['firstname'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}
if (! isset($_POST['lastname']) or $_POST['lastname'] == "") {
array_push($error_messages, "You didn't enter your first name.");
}
else {
$lastname=filter_var($_POST['lastname'], FILTER_SANITIZE_STRING);
$lastname=filter_var($_POST['lastname'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}
if (isset($_POST['email']) and $_POST['email'] != "") {
@ -43,7 +43,7 @@ if($_POST) {
}
if (isset($_POST['notes']) and $_POST['notes'] != "") {
$notes=filter_var($_POST['notes'], FILTER_SANITIZE_STRING);
$notes=filter_var($_POST['notes'], FILTER_SANITIZE_FULL_SPECIAL_CHARS);
}
@ -65,7 +65,7 @@ if($_POST) {
$mail_subject = "$firstname $lastname has requested an account for $ORGANISATION_NAME.";
$link_url="${SITE_PROTOCOL}${SERVER_HOSTNAME}${SERVER_PATH}account_manager/new_user.php?account_request&first_name=$firstname&last_name=$lastname&email=$email";
$link_url="{$SITE_PROTOCOL}{$SERVER_HOSTNAME}{$SERVER_PATH}account_manager/new_user.php?account_request&first_name=$firstname&last_name=$lastname&email=$email";
if (!isset($email)) { $email = "n/a"; }
if (!isset($notes)) { $notes = "n/a"; }
@ -83,22 +83,31 @@ EoT;
include_once "mail_functions.inc.php";
$sent_email = send_email($ACCOUNT_REQUESTS_EMAIL,"$ORGANISATION_NAME account requests",$mail_subject,$mail_body);
if ($sent_email) {
$sent_email_message = " Thank you. The request was sent and the administrator will process it as soon as possible.";
}
else {
$sent_email_message = " Unfortunately the request wasn't sent because of a technical problem.";
}
?>
<div class="container">
<div class="col-sm-8">
<div class="panel panel-default">
<div class="panel-body"><?php print $sent_email_message; ?></div>
</div>
if ($sent_email) { ?>
<div class="container">
<div class="col-sm-6 col-sm-offset-3">
<div class="panel panel-success">
<div class="panel-heading">Thank you</div>
<div class="panel-body">
The request was sent and the administrator will process it as soon as possible.
</div>
</div>
</div>
</div>
<?php }
else { ?>
<div class="container">
<div class="col-sm-6 col-sm-offset-3">
<div class="panel panel-danger">
<div class="panel-heading">Error</div>
<div class="panel-body">
Unfortunately the account request wasn't sent because of a technical issue.
</div>
</div>
</div>
</div>
</div>
<?php
}
render_footer();
exit(0);
@ -106,7 +115,7 @@ EoT;
}
?>
<div class="container">
<div class="col-sm-8">
<div class="col-sm-8 col-sm-offset-2">
<div class="panel panel-default">
<div class="panel-body">

4
www/setup/index.php
View File

@ -13,10 +13,10 @@ if (isset($_POST["admin_password"])) {
if ($user_auth != FALSE) {
set_setup_cookie($user_auth);
header("Location: //${_SERVER["HTTP_HOST"]}${THIS_MODULE_PATH}/run_checks.php\n\n");
header("Location: //{$_SERVER["HTTP_HOST"]}{$THIS_MODULE_PATH}/run_checks.php\n\n");
}
else {
header("Location: //${_SERVER["HTTP_HOST"]}${THIS_MODULE_PATH}/index.php?invalid\n\n");
header("Location: //{$_SERVER["HTTP_HOST"]}{$THIS_MODULE_PATH}/index.php?invalid\n\n");
}
}

50
www/setup/run_checks.php
View File

@ -35,14 +35,14 @@ $ldap_connection = open_ldap_connection();
<?php
#Can we connect? The open_ldap_connection() function will call die() if we can't.
print "$li_good Connected to ${LDAP['uri']}</li>\n";
print "$li_good Connected to {$LDAP['uri']}</li>\n";
#TLS?
if ($LDAP['connection_type'] != "plain") {
print "$li_good Encrypted connection to ${LDAP['uri']} via ${LDAP['connection_type']}</li>\n";
print "$li_good Encrypted connection to {$LDAP['uri']} via {$LDAP['connection_type']}</li>\n";
}
else {
print "$li_warn Unable to connect to ${LDAP['uri']} via StartTLS. ";
print "$li_warn Unable to connect to {$LDAP['uri']} via StartTLS. ";
print "<a href='#' data-toggle='popover' title='StartTLS' data-content='";
print "The connection to the LDAP server works, but encrypted communication can&#39;t be enabled.";
print "'>What's this?</a></li>\n";
@ -98,14 +98,14 @@ else {
<ul class="list-group">
<?php
$group_filter = "(&(objectclass=organizationalUnit)(ou=${LDAP['group_ou']}))";
$ldap_group_search = ldap_search($ldap_connection, "${LDAP['base_dn']}", $group_filter);
$group_filter = "(&(objectclass=organizationalUnit)(ou={$LDAP['group_ou']}))";
$ldap_group_search = ldap_search($ldap_connection, "{$LDAP['base_dn']}", $group_filter);
$group_result = ldap_get_entries($ldap_connection, $ldap_group_search);
if ($group_result['count'] != 1) {
print "$li_fail The group OU (<strong>${LDAP['group_dn']}</strong>) doesn't exist. ";
print "<a href='#' data-toggle='popover' title='${LDAP['group_dn']}' data-content='";
print "$li_fail The group OU (<strong>{$LDAP['group_dn']}</strong>) doesn't exist. ";
print "<a href='#' data-toggle='popover' title='{$LDAP['group_dn']}' data-content='";
print "This is the Organizational Unit (OU) that the groups are stored under.";
print "'>What's this?</a>";
print "<label class='pull-right'><input type='checkbox' name='setup_group_ou' class='pull-right' checked>Create?&nbsp;</label>";
@ -114,17 +114,17 @@ if ($group_result['count'] != 1) {
}
else {
print "$li_good The group OU (<strong>${LDAP['group_dn']}</strong>) is present.</li>";
print "$li_good The group OU (<strong>{$LDAP['group_dn']}</strong>) is present.</li>";
}
$user_filter = "(&(objectclass=organizationalUnit)(ou=${LDAP['user_ou']}))";
$ldap_user_search = ldap_search($ldap_connection, "${LDAP['base_dn']}", $user_filter);
$user_filter = "(&(objectclass=organizationalUnit)(ou={$LDAP['user_ou']}))";
$ldap_user_search = ldap_search($ldap_connection, "{$LDAP['base_dn']}", $user_filter);
$user_result = ldap_get_entries($ldap_connection, $ldap_user_search);
if ($user_result['count'] != 1) {
print "$li_fail The user OU (<strong>${LDAP['user_dn']}</strong>) doesn't exist. ";
print "<a href='#' data-toggle='popover' title='${LDAP['user_dn']}' data-content='";
print "$li_fail The user OU (<strong>{$LDAP['user_dn']}</strong>) doesn't exist. ";
print "<a href='#' data-toggle='popover' title='{$LDAP['user_dn']}' data-content='";
print "This is the Organisational Unit (OU) that the user accounts are stored under.";
print "'>What's this?</a>";
print "<label class='pull-right'><input type='checkbox' name='setup_user_ou' class='pull-right' checked>Create?&nbsp;</label>";
@ -133,7 +133,7 @@ if ($user_result['count'] != 1) {
}
else {
print "$li_good The user OU (<strong>${LDAP['user_dn']}</strong>) is present.</li>";
print "$li_good The user OU (<strong>{$LDAP['user_dn']}</strong>) is present.</li>";
}
?>
@ -148,13 +148,13 @@ else {
<?php
$gid_filter = "(&(objectclass=device)(cn=lastGID))";
$ldap_gid_search = ldap_search($ldap_connection, "${LDAP['base_dn']}", $gid_filter);
$ldap_gid_search = ldap_search($ldap_connection, "{$LDAP['base_dn']}", $gid_filter);
$gid_result = ldap_get_entries($ldap_connection, $ldap_gid_search);
if ($gid_result['count'] != 1) {
print "$li_warn The <strong>lastGID</strong> entry doesn't exist. ";
print "<a href='#' data-toggle='popover' title='cn=lastGID,${LDAP['base_dn']}' data-content='";
print "<a href='#' data-toggle='popover' title='cn=lastGID,{$LDAP['base_dn']}' data-content='";
print "This is used to store the last group ID used when creating a POSIX group. Without this the highest current group ID is found and incremented, but this might re-use the GID from a deleted group.";
print "'>What's this?</a>";
print "<label class='pull-right'><input type='checkbox' name='setup_last_gid' class='pull-right' checked>Create?&nbsp;</label>";
@ -168,13 +168,13 @@ else {
$uid_filter = "(&(objectclass=device)(cn=lastUID))";
$ldap_uid_search = ldap_search($ldap_connection, "${LDAP['base_dn']}", $uid_filter);
$ldap_uid_search = ldap_search($ldap_connection, "{$LDAP['base_dn']}", $uid_filter);
$uid_result = ldap_get_entries($ldap_connection, $ldap_uid_search);
if ($uid_result['count'] != 1) {
print "$li_warn The <strong>lastUID</strong> entry doesn't exist. ";
print "<a href='#' data-toggle='popover' title='cn=lastUID,${LDAP['base_dn']}' data-content='";
print "<a href='#' data-toggle='popover' title='cn=lastUID,{$LDAP['base_dn']}' data-content='";
print "This is used to store the last user ID used when creating a POSIX account. Without this the highest current user ID is found and incremented, but this might re-use the UID from a deleted account.";
print "'>What's this?</a>";
print "<label class='pull-right'><input type='checkbox' name='setup_last_uid' class='pull-right' checked>Create?&nbsp;</label>";
@ -187,8 +187,8 @@ else {
}
$defgroup_filter = "(&(objectclass=posixGroup)(cn=${DEFAULT_USER_GROUP}))";
$ldap_defgroup_search = ldap_search($ldap_connection, "${LDAP['base_dn']}", $defgroup_filter);
$defgroup_filter = "(&(objectclass=posixGroup)({$LDAP['group_attribute']}={$DEFAULT_USER_GROUP}))";
$ldap_defgroup_search = ldap_search($ldap_connection, "{$LDAP['base_dn']}", $defgroup_filter);
$defgroup_result = ldap_get_entries($ldap_connection, $ldap_defgroup_search);
if ($defgroup_result['count'] != 1) {
@ -207,15 +207,15 @@ else {
}
$adminsgroup_filter = "(&(objectclass=posixGroup)(cn=${LDAP['admins_group']}))";
$ldap_adminsgroup_search = ldap_search($ldap_connection, "${LDAP['base_dn']}", $adminsgroup_filter);
$adminsgroup_filter = "(&(objectclass=posixGroup)({$LDAP['group_attribute']}={$LDAP['admins_group']}))";
$ldap_adminsgroup_search = ldap_search($ldap_connection, "{$LDAP['base_dn']}", $adminsgroup_filter);
$adminsgroup_result = ldap_get_entries($ldap_connection, $ldap_adminsgroup_search);
if ($adminsgroup_result['count'] != 1) {
print "$li_fail The group defining LDAP account administrators (<strong>${LDAP['admins_group']}</strong>) doesn't exist. ";
print "$li_fail The group defining LDAP account administrators (<strong>{$LDAP['admins_group']}</strong>) doesn't exist. ";
print "<a href='#' data-toggle='popover' title='LDAP account administrators group' data-content='";
print "Only members of this group (${LDAP['admins_group']}) will be able to access the account managment section, so it&#39;s definitely something you&#39;ll want to create.";
print "Only members of this group ({$LDAP['admins_group']}) will be able to access the account managment section, so it&#39;s definitely something you&#39;ll want to create.";
print "'>What's this?</a>";
print "<label class='pull-right'><input type='checkbox' name='setup_admins_group' class='pull-right' checked>Create?&nbsp;</label>";
print "</li>\n";
@ -223,7 +223,7 @@ if ($adminsgroup_result['count'] != 1) {
}
else {
print "$li_good The LDAP account administrators group (<strong>${LDAP['admins_group']}</strong>) is present.</li>";
print "$li_good The LDAP account administrators group (<strong>{$LDAP['admins_group']}</strong>) is present.</li>";
$admins = ldap_get_group_members($ldap_connection,$LDAP['admins_group']);
@ -249,7 +249,7 @@ if ($show_finish_button == TRUE) {
?>
</form>
<div class='well'>
<form action="<?php print "${SERVER_PATH}log_in"; ?>">
<form action="<?php print "{$SERVER_PATH}log_in"; ?>">
<input type='submit' class="btn btn-success center-block" value='Done'>
</form>
</div>

28
www/setup/setup_ldap.php
View File

@ -37,11 +37,11 @@ if (isset($_POST['fix_problems'])) {
if (isset($_POST['setup_group_ou'])) {
$ou_add = @ ldap_add($ldap_connection, $LDAP['group_dn'], array( 'objectClass' => 'organizationalUnit', 'ou' => $LDAP['group_ou'] ));
if ($ou_add == TRUE) {
print "$li_good Created OU <strong>${LDAP['group_dn']}</strong></li>\n";
print "$li_good Created OU <strong>{$LDAP['group_dn']}</strong></li>\n";
}
else {
$error = ldap_error($ldap_connection);
print "$li_fail Couldn't create ${LDAP['group_dn']}: <pre>$error</pre></li>\n";
print "$li_fail Couldn't create {$LDAP['group_dn']}: <pre>$error</pre></li>\n";
$no_errors = FALSE;
}
}
@ -50,11 +50,11 @@ if (isset($_POST['fix_problems'])) {
if (isset($_POST['setup_user_ou'])) {
$ou_add = @ ldap_add($ldap_connection, $LDAP['user_dn'], array( 'objectClass' => 'organizationalUnit', 'ou' => $LDAP['user_ou'] ));
if ($ou_add == TRUE) {
print "$li_good Created OU <strong>${LDAP['user_dn']}</strong></li>\n";
print "$li_good Created OU <strong>{$LDAP['user_dn']}</strong></li>\n";
}
else {
$error = ldap_error($ldap_connection);
print "$li_fail Couldn't create ${LDAP['user_dn']}: <pre>$error</pre></li>\n";
print "$li_fail Couldn't create {$LDAP['user_dn']}: <pre>$error</pre></li>\n";
$no_errors = FALSE;
}
}
@ -69,14 +69,14 @@ if (isset($_POST['fix_problems'])) {
'serialnumber' => $highest_gid,
'description' => $description );
$gid_add = @ ldap_add($ldap_connection, "cn=lastGID,${LDAP['base_dn']}", $add_lastgid_r);
$gid_add = @ ldap_add($ldap_connection, "cn=lastGID,{$LDAP['base_dn']}", $add_lastgid_r);
if ($gid_add == TRUE) {
print "$li_good Created <strong>cn=lastGID,${LDAP['base_dn']}</strong></li>\n";
print "$li_good Created <strong>cn=lastGID,{$LDAP['base_dn']}</strong></li>\n";
}
else {
$error = ldap_error($ldap_connection);
print "$li_fail Couldn't create cn=lastGID,${LDAP['base_dn']}: <pre>$error</pre></li>\n";
print "$li_fail Couldn't create cn=lastGID,{$LDAP['base_dn']}: <pre>$error</pre></li>\n";
$no_errors = FALSE;
}
}
@ -91,14 +91,14 @@ if (isset($_POST['fix_problems'])) {
'serialnumber' => $highest_uid,
'description' => $description );
$uid_add = @ ldap_add($ldap_connection, "cn=lastUID,${LDAP['base_dn']}", $add_lastuid_r);
$uid_add = @ ldap_add($ldap_connection, "cn=lastUID,{$LDAP['base_dn']}", $add_lastuid_r);
if ($uid_add == TRUE) {
print "$li_good Created <strong>cn=lastUID,${LDAP['base_dn']}</strong></li>\n";
print "$li_good Created <strong>cn=lastUID,{$LDAP['base_dn']}</strong></li>\n";
}
else {
$error = ldap_error($ldap_connection);
print "$li_fail Couldn't create cn=lastUID,${LDAP['base_dn']}: <pre>$error</pre></li>\n";
print "$li_fail Couldn't create cn=lastUID,{$LDAP['base_dn']}: <pre>$error</pre></li>\n";
$no_errors = FALSE;
}
}
@ -123,7 +123,7 @@ if (isset($_POST['fix_problems'])) {
$group_add = ldap_new_group($ldap_connection,$LDAP['admins_group']);
if ($group_add == TRUE) {
print "$li_good Created LDAP administrators group: <strong>${LDAP['admins_group']}</strong></li>\n";
print "$li_good Created LDAP administrators group: <strong>{$LDAP['admins_group']}</strong></li>\n";
}
else {
$error = ldap_error($ldap_connection);
@ -138,19 +138,19 @@ if (isset($_POST['fix_problems'])) {
?>
<div class="form-group">
<form action="<?php print "${SERVER_PATH}account_manager/new_user.php"; ?>" method="post">
<form action="<?php print "{$SERVER_PATH}account_manager/new_user.php"; ?>" method="post">
<input type="hidden" name="setup_admin_account">
<?php
print "$li_fail The LDAP administration group is empty. ";
print "<a href='#' data-toggle='popover' title='LDAP account administrators' data-content='";
print "Only members of this group (${LDAP['admins_group']}) will be able to access the account managment section, so we need to add people to it.";
print "Only members of this group ({$LDAP['admins_group']}) will be able to access the account managment section, so we need to add people to it.";
print "'>What's this?</a>";
print "<label class='pull-right'><input type='checkbox' name='setup_admin_account' class='pull-right' checked>Create a new account and add it to the admin group?&nbsp;</label>";
print "</li>\n";
$show_create_admin_button = TRUE;
}
else {
print "$li_good The LDAP account administrators group (<strong>${LDAP['admins_group']}</strong>) isn't empty.</li>";
print "$li_good The LDAP account administrators group (<strong>{$LDAP['admins_group']}</strong>) isn't empty.</li>";
}