<?php
/* Icinga Web 2 | (c) 2013 Icinga Development Team | GPLv2+ */
namespace Icinga\Forms\Config\UserBackend;
use Exception;
use Icinga\Data\ResourceFactory;
use Icinga\Protocol\Ldap\LdapCapabilities;
use Icinga\Protocol\Ldap\LdapConnection;
use Icinga\Protocol\Ldap\LdapException;
use Icinga\Web\Form;
/**
* Form class for adding/modifying LDAP user backends
*/
class LdapBackendForm extends Form
{
/**
* The ldap resource names the user can choose from
*
* @var array
*/
protected $resources;
/**
* Default values for the form elements
*
* @var string[]
*/
protected $suggestions = array();
/**
 * Initialize this form
 *
 * Only assigns the form's name; elements are created in createElements().
 */
public function init()
{
    $formName = 'form_config_authbackend_ldap';
    $this->setName($formName);
}
|
2013-08-16 16:24:12 +02:00
|
|
|
|
2014-08-29 15:16:13 +02:00
|
|
|
/**
 * Set the resource names the user can choose from
 *
 * The names are offered by the "resource" select element and are the only
 * resources the discovery buttons may resolve.
 *
 * @param array $resources The resources to choose from
 *
 * @return $this
 */
public function setResources(array $resources)
{
    $this->resources = $resources;
    return $this;
}
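/**
 * Create and add elements to this form
 *
 * Which elements are editable depends on the backend type given in $formData:
 * for Active Directory (type "msldap") the user object class and the user name
 * attribute are fixed, so these elements are disabled and ignored.
 *
 * @param array $formData The data submitted with the form, if any
 */
public function createElements(array $formData)
{
    $isAd = isset($formData['type']) ? $formData['type'] === 'msldap' : false;

    // Options shared by the elements that are fixed for Active Directory
    $adDependentOptions = array(
        'preserveDefault'   => true,
        'required'          => ! $isAd,
        'ignore'            => $isAd,
        'disabled'          => $isAd ?: null
    );

    // Both discovery buttons render the same way
    $discoveryButtonDecorators = array(
        array('ViewHelper', array('separator' => '')),
        array('Spinner'),
        array('HtmlTag', array('tag' => 'div', 'class' => 'control-group form-controls'))
    );

    $this->addElement(
        'text',
        'name',
        array(
            'required'      => true,
            'label'         => $this->translate('Backend Name'),
            'description'   => $this->translate(
                'The name of this authentication provider that is used to differentiate it from others.'
            ),
            'value'         => $this->getSuggestion('name')
        )
    );
    $this->addElement(
        'select',
        'resource',
        array(
            'required'      => true,
            'label'         => $this->translate('LDAP Connection'),
            'description'   => $this->translate(
                'The LDAP connection to use for authenticating with this provider.'
            ),
            'multiOptions'  => !empty($this->resources)
                ? array_combine($this->resources, $this->resources)
                : array(),
            'value'         => $this->getSuggestion('resource')
        )
    );

    // Capability discovery is not offered for Active Directory
    if (! $isAd && !empty($this->resources)) {
        $this->addElement(
            'button',
            'discovery_btn',
            array(
                'class'             => 'control-button',
                'type'              => 'submit',
                'value'             => 'discovery_btn',
                'label'             => $this->translate('Discover', 'A button to discover LDAP capabilities'),
                'title'             => $this->translate(
                    'Push to fill in the chosen connection\'s default settings.'
                ),
                'decorators'        => $discoveryButtonDecorators,
                'formnovalidate'    => 'formnovalidate'
            )
        );
    }

    $this->addElement(
        'text',
        'user_class',
        $adDependentOptions + array(
            'label'         => $this->translate('LDAP User Object Class'),
            'description'   => $this->translate('The object class used for storing users on the LDAP server.'),
            'value'         => $this->getSuggestion('user_class')
        )
    );
    $this->addElement(
        'text',
        'filter',
        array(
            'preserveDefault'   => true,
            'allowEmpty'        => true,
            'value'             => $this->getSuggestion('filter'),
            'label'             => $this->translate('LDAP Filter'),
            'description'       => $this->translate(
                'An additional filter to use when looking up users using the specified connection. '
                . 'Leave empty to not to use any additional filter rules.'
            ),
            'requirement'       => $this->translate(
                'The filter needs to be expressed as standard LDAP expression.'
                . ' (e.g. &(foo=bar)(bar=foo) or foo=bar)'
            ),
            'validators'        => array(
                array(
                    'Callback',
                    false,
                    array(
                        'callback'  => function ($v) {
                            // This is not a full syntax check. It only ensures that a filter
                            // starting with '(' is closed accordingly ('))' if it holds several
                            // groups), so that the outer parentheses can be stripped safely
                            $v = trim($v);
                            if (! $v || $v[0] !== '(') {
                                return true;
                            }

                            return strpos($v, ')(') !== false
                                ? substr($v, -2) === '))'
                                : substr($v, -1) === ')';
                        },
                        'messages'  => array(
                            'callbackValue' => $this->translate('The filter is invalid. Please check your syntax.')
                        )
                    )
                )
            )
        )
    );
    $this->addElement(
        'text',
        'user_name_attribute',
        $adDependentOptions + array(
            'label'         => $this->translate('LDAP User Name Attribute'),
            'description'   => $this->translate(
                'The attribute name used for storing the user name on the LDAP server.'
            ),
            'value'         => $this->getSuggestion('user_name_attribute')
        )
    );
    $this->addElement(
        'hidden',
        'backend',
        array(
            'disabled'  => true,
            'value'     => $this->getSuggestion('backend', $isAd ? 'msldap' : 'ldap')
        )
    );
    $this->addElement(
        'text',
        'base_dn',
        array(
            'preserveDefault'   => true,
            'required'          => false,
            'label'             => $this->translate('LDAP Base DN'),
            'description'       => $this->translate(
                'The path where users can be found on the LDAP server. Leave ' .
                'empty to select all users available using the specified connection.'
            ),
            'value'             => $this->getSuggestion('base_dn')
        )
    );

    $this->addElement(
        'text',
        'domain',
        array(
            'label'             => $this->translate('Domain'),
            'description'       => $this->translate(
                'The domain the LDAP server is responsible for upon authentication.'
                . ' Note that if you specify a domain here,'
                . ' the LDAP backend only authenticates users who specify a domain upon login.'
                . ' If the domain of the user matches the domain configured here, this backend is responsible for'
                . ' authenticating the user based on the username without the domain part.'
                . ' If your LDAP backend holds usernames with a domain part or if it is not necessary in your setup'
                . ' to authenticate users based on their domains, leave this field empty.'
            ),
            'preserveDefault'   => true,
            'value'             => $this->getSuggestion('domain')
        )
    );

    $this->addElement(
        'button',
        'btn_discover_domain',
        array(
            'class'             => 'control-button',
            'type'              => 'submit',
            'value'             => 'discovery_btn',
            'label'             => $this->translate('Discover the domain'),
            // "disover" is a typo in the msgid; fixing it requires updating the translation catalogs as well
            'title'             => $this->translate(
                'Push to disover and fill in the domain of the LDAP server.'
            ),
            'decorators'        => $discoveryButtonDecorators,
            'formnovalidate'    => 'formnovalidate'
        )
    );

    if ($this->getElement('btn_discover_domain')->isChecked() && isset($formData['resource'])) {
        // $formData is unvalidated request data at this point, so only resolve
        // a resource that this form actually offers in the select element above
        $resourceName = $formData['resource'];
        if (! empty($this->resources) && in_array($resourceName, $this->resources, true)) {
            $this->populateDomain(ResourceFactory::create($resourceName));
        }
    }
}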
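/**
 * Fill in discovered defaults before validating partial form data
 *
 * If the "discovery_btn" button was pushed, the chosen LDAP connection is bound
 * and its capabilities decide whether Active Directory or OpenLDAP defaults are
 * filled in for the user class, filter, user name attribute and, if the server
 * reports one, the base DN. A failed discovery is reported as a form warning and
 * does not fail validation by itself.
 *
 * @param array $formData
 *
 * @return bool
 */
public function isValidPartial(array $formData)
{
    $isAd = isset($formData['type']) && $formData['type'] === 'msldap';
    $discoveryRequested = ! $isAd
        && ! empty($this->resources)
        && isset($formData['discovery_btn'])
        && $formData['discovery_btn'] === 'discovery_btn';

    if ($discoveryRequested) {
        $resourceName = isset($formData['resource']) ? $formData['resource'] : reset($this->resources);

        // $formData is unvalidated request data, so only resolve a resource this form offers
        if (in_array($resourceName, $this->resources, true)) {
            $defaults = $this->discoverDefaults(ResourceFactory::create($resourceName));
            if ($defaults !== null) {
                foreach ($defaults as $element => $value) {
                    $formData[$element] = $value;
                }
            }
        }
    }

    return parent::isValidPartial($formData);
}

/**
 * Bind the given connection and derive default element values from its capabilities
 *
 * @param   mixed   $connection     The connection created for the chosen resource
 *
 * @return  array|null  Element name => value, or null if the discovery failed
 *                      (a form warning has been set in that case)
 */
private function discoverDefaults($connection)
{
    try {
        $capabilities = $connection->bind()->getCapabilities();
        $baseDn = $capabilities->getDefaultNamingContext();
        $isActiveDirectory = $capabilities->isActiveDirectory();
    } catch (Exception $e) {
        $this->warning(sprintf(
            $this->translate('Failed to discover the chosen LDAP connection: %s'),
            $e->getMessage()
        ));

        return null;
    }

    if ($isActiveDirectory) {
        // ActiveDirectory defaults
        $defaults = array(
            'user_class'            => 'user',
            'filter'                => '!(objectClass=computer)',
            'user_name_attribute'   => 'sAMAccountName'
        );
    } else {
        // OpenLDAP defaults
        $defaults = array(
            'user_class'            => 'inetOrgPerson',
            'filter'                => null,
            'user_name_attribute'   => 'uid'
        );
    }

    if ($baseDn !== null) {
        $defaults['base_dn'] = $baseDn;
    }

    return $defaults;
}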
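/**
 * Discover the domain the LDAP server is responsible for and fill it in the form
 *
 * If the discovery fails, the error is attached to the "btn_discover_domain"
 * element and the "domain" element keeps its current value.
 *
 * @param LdapConnection $connection
 */
public function populateDomain(LdapConnection $connection)
{
    try {
        $domain = $this->discoverDomain($connection);
    } catch (LdapException $e) {
        $this->_elements['btn_discover_domain']->addError($e->getMessage());

        // $domain is undefined here; don't overwrite the element's value
        return;
    }

    $this->_elements['domain']->setValue($domain);
}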
/**
 * Discover the domain the LDAP server is responsible for
 *
 * For Active Directory the NetBIOS name is preferred; otherwise, or if the
 * server does not report one, the default naming context is converted to a FQDN.
 *
 * @param LdapConnection $connection
 *
 * @return string|null  Null if no domain can be derived from the naming context
 */
protected function discoverDomain(LdapConnection $connection)
{
    $capabilities = LdapCapabilities::discoverCapabilities($connection);

    $netBiosName = $capabilities->isActiveDirectory() ? $capabilities->getNetBiosName() : null;
    if ($netBiosName !== null) {
        return $netBiosName;
    }

    return $this->defaultNamingContextToFQDN($capabilities);
}
/**
 * Get the default naming context as FQDN
 *
 * Only the trailing run of dc= components is used, compared case-insensitively,
 * e.g. "dc=example,dc=com" yields "example.com".
 *
 * @param LdapCapabilities $cap
 *
 * @return string|null  Null if the server reports no naming context or it ends
 *                      in no dc= components
 */
protected function defaultNamingContextToFQDN(LdapCapabilities $cap)
{
    $namingContext = $cap->getDefaultNamingContext();
    if ($namingContext === null) {
        return null;
    }

    $dcSuffix = array();
    $hasDcSuffix = preg_match(
        '/\bdc=[^,]+(?:,dc=[^,]+)*$/',
        strtolower($namingContext),
        $dcSuffix
    );
    if (! $hasDcSuffix) {
        return null;
    }

    $labels = array();
    preg_match_all('/dc=([^,]+)/', $dcSuffix[0], $labels);

    return implode('.', $labels[1]);
}
/**
 * Get the default values for the form elements
 *
 * @return string[] Element name => suggested value
 */
public function getSuggestions()
{
    $suggestions = $this->suggestions;

    return $suggestions;
}
/**
 * Get the default value for the given form element or the given default
 *
 * @param string $element   Name of the form element
 * @param string $default   Returned if no suggestion is set for the element (or it is null)
 *
 * @return string|null
 */
public function getSuggestion($element, $default = null)
{
    $suggestions = $this->suggestions;
    if (isset($suggestions[$element])) {
        return $suggestions[$element];
    }

    return $default;
}
/**
 * Set the default values for the form elements
 *
 * @param string[] $suggestions Element name => suggested value
 *
 * @return $this
 */
public function setSuggestions(array $suggestions)
{
    $this->suggestions = $suggestions;
    return $this;
}
}