tyler.durden
/
pandorafms
mirror of https://github.com/pandorafms/pandorafms.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

2014-03-30 Junichi Satoh <junichi@rworks.jp> 

* include/functions_config.php, include/auth/mysql.php,
	godmode/setup/setup_auth.php: Added the feature to fallback to local
	authentication when remote authentication is failed.



git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@9677 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f
This commit is contained in:
jsatoh 2014-03-30 11:30:46 +00:00
parent ec716367d1
commit 1fffdb4997
4 changed files with 199 additions and 161 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
pandora_console/ChangeLog
View File

@ -1,3 +1,9 @@
2014-03-30 Junichi Satoh <junichi@rworks.jp>
* include/functions_config.php, include/auth/mysql.php,
godmode/setup/setup_auth.php: Added the feature to fallback to local
authentication when remote authentication is failed.
2014-03-28 Miguel de Dios <miguel.dedios@artica.es>
* include/functions_graph.php: set the zeroes values in the boolean

56
pandora_console/godmode/setup/setup_auth.php
View File

@ -41,49 +41,57 @@ if (enterprise_installed()) {
}
$table->data[0][1] = html_print_select ($auth_methods, 'auth', $config['auth'], 'show_selected_rows ();', '', 0, true);
$table->data[1][0] = __('Autocreate remote users');
$table->data[1][1] = __('Yes').'&nbsp;'.html_print_radio_button_extended ('autocreate_remote_users', 1, '', $config['autocreate_remote_users'], false, 'enable_profile_options ();', '', true).'&nbsp;&nbsp;';
$table->data[1][1] .= __('No').'&nbsp;'.html_print_radio_button_extended ('autocreate_remote_users', 0, '', $config['autocreate_remote_users'], false, 'enable_profile_options ();', '', true);
$table->data[1][0] = __('Fallback to local authentication') . ui_print_help_tip(__("Enable this option if you want to fallback to local authentication when remote (ldap etc...) authentication failed."), true);
$table->data[1][1] = __('Yes').'&nbsp;'.html_print_radio_button ('fallback_local_auth', 1, '', $config['fallback_local_auth'], true).'&nbsp;&nbsp;';
$table->data[1][1] .= __('No').'&nbsp;'.html_print_radio_button ('fallback_local_auth', 0, '', $config['fallback_local_auth'], true);
$table->data[2][0] = __('Autocreate remote users');
$table->data[2][1] = __('Yes').'&nbsp;'.html_print_radio_button_extended ('autocreate_remote_users', 1, '', $config['autocreate_remote_users'], false, 'enable_profile_options ();', '', true).'&nbsp;&nbsp;';
$table->data[2][1] .= __('No').'&nbsp;'.html_print_radio_button_extended ('autocreate_remote_users', 0, '', $config['autocreate_remote_users'], false, 'enable_profile_options ();', '', true);
$table->rowstyle[1] = $config['auth'] != 'mysql' ? '' : 'display: none;';
$table->data[2][0] = __('Autocreate profile');
$table->data[3][0] = __('Autocreate profile');
$profile_list = profile_get_profiles ();
if ($profile_list === false) {
$profile_list = array ();
}
$table->data[2][1] = html_print_select ($profile_list, 'default_remote_profile', $config['default_remote_profile'], '', '', '', true, false, true, '', $config['autocreate_remote_users'] == 0);
$table->data[3][0] = __('Autocreate profile group');
$table->data[3][1] = html_print_select_groups ($config['id_user'], "AR", true, 'default_remote_group', $config['default_remote_group'], '', '', '', true, false, true, '', $config['autocreate_remote_users'] == 0);
$table->data[4][0] = __('Autocreate blacklist') . ui_print_help_icon ('autocreate_blacklist', true);
$table->data[4][1] = html_print_input_text ('autocreate_blacklist', $config['autocreate_blacklist'], '', 60, 100, true);
$table->data[3][1] = html_print_select ($profile_list, 'default_remote_profile', $config['default_remote_profile'], '', '', '', true, false, true, '', $config['autocreate_remote_users'] == 0);
$table->data[4][0] = __('Autocreate profile group');
$table->data[4][1] = html_print_select_groups ($config['id_user'], "AR", true, 'default_remote_group', $config['default_remote_group'], '', '', '', true, false, true, '', $config['autocreate_remote_users'] == 0);
$table->data[5][0] = __('Autocreate blacklist') . ui_print_help_icon ('autocreate_blacklist', true);
$table->data[5][1] = html_print_input_text ('autocreate_blacklist', $config['autocreate_blacklist'], '', 60, 100, true);
for ($i = 1; $i <= 4; $i++) {
$table->rowstyle[$i] = $config['auth'] != 'mysql' ? '' : 'display: none;';
$table->rowclass[$i] = 'remote';
}
$table->data[5][0] = __('LDAP server');
$table->data[5][1] = html_print_input_text ('ldap_server', $config['ldap_server'], '', 30, 100, true);
$table->data[6][0] = __('LDAP port');
$table->data[6][1] = html_print_input_text ('ldap_port', $config['ldap_port'], '', 10, 100, true);
$table->data[7][0] = __('LDAP version');
$table->data[6][0] = __('LDAP server');
$table->data[6][1] = html_print_input_text ('ldap_server', $config['ldap_server'], '', 30, 100, true);
$table->data[7][0] = __('LDAP port');
$table->data[7][1] = html_print_input_text ('ldap_port', $config['ldap_port'], '', 10, 100, true);
$table->data[8][0] = __('LDAP version');
$ldap_versions = array (1 => 'LDAPv1', 2 => 'LDAPv2', 3 => 'LDAPv3');
$table->data[7][1] = html_print_select ($ldap_versions, 'ldap_version', $config['ldap_version'], '', '', 0, true);
$table->data[8][0] = __('Start TLS');
$table->data[8][1] = __('Yes').'&nbsp;'.html_print_radio_button ('ldap_start_tls', 1, '', $config['ldap_start_tls'], true).'&nbsp;&nbsp;';
$table->data[8][1] .= __('No').'&nbsp;'.html_print_radio_button ('ldap_start_tls', 0, '', $config['ldap_start_tls'], true);
$table->data[9][0] = __('Base DN');
$table->data[9][1] = html_print_input_text ('ldap_base_dn', $config['ldap_base_dn'], '', 60, 100, true);
$table->data[10][0] = __('Login attribute');
$table->data[10][1] = html_print_input_text ('ldap_login_attr', $config['ldap_login_attr'], '', 60, 100, true);
$table->data[8][1] = html_print_select ($ldap_versions, 'ldap_version', $config['ldap_version'], '', '', 0, true);
$table->data[9][0] = __('Start TLS');
$table->data[9][1] = __('Yes').'&nbsp;'.html_print_radio_button ('ldap_start_tls', 1, '', $config['ldap_start_tls'], true).'&nbsp;&nbsp;';
$table->data[9][1] .= __('No').'&nbsp;'.html_print_radio_button ('ldap_start_tls', 0, '', $config['ldap_start_tls'], true);
$table->data[10][0] = __('Base DN');
$table->data[10][1] = html_print_input_text ('ldap_base_dn', $config['ldap_base_dn'], '', 60, 100, true);
$table->data[11][0] = __('Login attribute');
$table->data[11][1] = html_print_input_text ('ldap_login_attr', $config['ldap_login_attr'], '', 60, 100, true);
// Hide LDAP configuration options
for ($i = 5; $i <= 10; $i++) {
for ($i = 2; $i <= 11; $i++) {
$table->rowstyle[$i] = $config['auth'] == 'ldap' ? '' : 'display: none;';
$table->rowclass[$i] = 'ldap';
}
// Hide fallback option when local authentication is selected.
$table->rowstyle[1] = $config['auth'] == 'mysql' ? 'display: none;' : '';
$table->rowclass[1] = 'remote';
// Add enterprise authentication options
if (enterprise_installed()) {
add_enterprise_auth_options($table, 11);
add_enterprise_auth_options($table, 12);
}
echo '<form id="form_setup" method="post">';

292
pandora_console/include/auth/mysql.php
View File

@ -80,155 +80,173 @@ function process_user_login ($login, $pass, $api = false) {
// Always authenticate admins against the local database
if (strtolower ($config["auth"]) == 'mysql' || is_user_admin ($login)) {
// Connect to Database
switch ($config["dbtype"]) {
case "mysql":
if (!$api) {
$sql = sprintf ("SELECT `id_user`, `password`
FROM `tusuario`
WHERE `id_user` = '%s' AND `not_login` = 0
AND `disabled` = 0", $login);
}
else {
$sql = sprintf ("SELECT `id_user`, `password`
FROM `tusuario`
WHERE `id_user` = '%s'
AND `disabled` = 0", $login);
}
break;
case "postgresql":
if (!$api) {
$sql = sprintf ('SELECT "id_user", "password"
FROM "tusuario"
WHERE "id_user" = \'%s\' AND "not_login" = 0
AND "disabled" = 0', $login);
}
else {
$sql = sprintf ('SELECT "id_user", "password"
FROM "tusuario"
WHERE "id_user" = \'%s\'
AND "disabled" = 0', $login);
}
break;
case "oracle":
if (!$api) {
$sql = sprintf ('SELECT id_user, password
FROM tusuario
WHERE id_user = \'%s\' AND not_login = 0
AND disabled = 0', $login);
}
else {
$sql = sprintf ('SELECT id_user, password
FROM tusuario
WHERE id_user = \'%s\'
AND disabled = 0', $login);
}
break;
}
$row = db_get_row_sql ($sql);
//Check that row exists, that password is not empty and that password is the same hash
if ($row !== false && $row["password"] !== md5 ("")
&& $row["password"] == md5 ($pass)) {
// Login OK
// Nick could be uppercase or lowercase (select in MySQL
// is not case sensitive)
// We get DB nick to put in PHP Session variable,
// to avoid problems with case-sensitive usernames.
// Thanks to David Muñiz for Bug discovery :)
return $row["id_user"];
}
else {
if (!user_can_login($login)) {
$mysql_cache["auth_error"] = "User only can use the API.";
$config["auth_error"] = "User only can use the API.";
}
else {
$mysql_cache["auth_error"] = "User not found in database or incorrect password";
$config["auth_error"] = "User not found in database or incorrect password";
}
}
return false;
return process_user_login_local ($login, $pass, $api);
}
else {
// Remote authentication
switch ($config["auth"]) {
// LDAP
case 'ldap':
if (ldap_process_user_login ($login, $pass) === false) {
$config["auth_error"] = "User not found in database or incorrect password";
return false;
}
break;
// Active Directory
case 'ad':
if (enterprise_hook ('ad_process_user_login', array ($login, $pass)) === false) {
$config["auth_error"] = "User not found in database or incorrect password";
return false;
}
break;
// Remote Pandora FMS
case 'pandora':
if (enterprise_hook ('remote_pandora_process_user_login', array ($login, $pass)) === false) {
$config["auth_error"] = "User not found in database or incorrect password";
return false;
}
break;
// Remote Babel Enterprise
case 'babel':
if (enterprise_hook ('remote_babel_process_user_login', array ($login, $pass)) === false) {
$config["auth_error"] = "User not found in database or incorrect password";
return false;
}
break;
// Remote Integria
case 'integria':
if (enterprise_hook ('remote_integria_process_user_login', array ($login, $pass)) === false) {
$config["auth_error"] = "User not found in database or incorrect password";
return false;
}
break;
// Unknown authentication method
default:
$config["auth_error"] = "User not found in database or incorrect password";
return false;
break;
$login_remote = process_user_login_remote ($login, $pass, $api);
if ($login_remote == false && $config['fallback_local_auth'] == '1') {
return process_user_login_local ($login, $pass, $api);
}
// Authentication ok, check if the user exists in the local database
if (is_user ($login)) {
if (!user_can_login($login)) {
return false;
else {
return $login_remote;
}
}
return false;
}
function process_user_login_local ($login, $pass, $api = false) {
global $config, $mysql_cache;
// Connect to Database
switch ($config["dbtype"]) {
case "mysql":
if (!$api) {
$sql = sprintf ("SELECT `id_user`, `password`
FROM `tusuario`
WHERE `id_user` = '%s' AND `not_login` = 0
AND `disabled` = 0", $login);
}
return $login;
else {
$sql = sprintf ("SELECT `id_user`, `password`
FROM `tusuario`
WHERE `id_user` = '%s'
AND `disabled` = 0", $login);
}
break;
case "postgresql":
if (!$api) {
$sql = sprintf ('SELECT "id_user", "password"
FROM "tusuario"
WHERE "id_user" = \'%s\' AND "not_login" = 0
AND "disabled" = 0', $login);
}
else {
$sql = sprintf ('SELECT "id_user", "password"
FROM "tusuario"
WHERE "id_user" = \'%s\'
AND "disabled" = 0', $login);
}
break;
case "oracle":
if (!$api) {
$sql = sprintf ('SELECT id_user, password
FROM tusuario
WHERE id_user = \'%s\' AND not_login = 0
AND disabled = 0', $login);
}
else {
$sql = sprintf ('SELECT id_user, password
FROM tusuario
WHERE id_user = \'%s\'
AND disabled = 0', $login);
}
break;
}
$row = db_get_row_sql ($sql);
//Check that row exists, that password is not empty and that password is the same hash
if ($row !== false && $row["password"] !== md5 ("")
&& $row["password"] == md5 ($pass)) {
// Login OK
// Nick could be uppercase or lowercase (select in MySQL
// is not case sensitive)
// We get DB nick to put in PHP Session variable,
// to avoid problems with case-sensitive usernames.
// Thanks to David Muñiz for Bug discovery :)
return $row["id_user"];
}
else {
if (!user_can_login($login)) {
$mysql_cache["auth_error"] = "User only can use the API.";
$config["auth_error"] = "User only can use the API.";
}
// The user does not exist and can not be created
if ($config['autocreate_remote_users'] == 0 || is_user_blacklisted ($login)) {
$config["auth_error"] = "Ooops User not found in database or incorrect password";
return false;
}
// Create the user in the local database
if (create_user ($login, $pass, array ('fullname' => $login, 'comments' => 'Imported from ' . $config['auth'])) === false) {
else {
$mysql_cache["auth_error"] = "User not found in database or incorrect password";
$config["auth_error"] = "User not found in database or incorrect password";
return false;
}
profile_create_user_profile ($login, $config['default_remote_profile'], $config['default_remote_group']);
return $login;
}
return false;
}
function process_user_login_remote ($login, $pass, $api = false) {
global $config, $mysql_cache;
// Remote authentication
switch ($config["auth"]) {
// LDAP
case 'ldap':
if (ldap_process_user_login ($login, $pass) === false) {
$config["auth_error"] = "User not found in database or incorrect password";
return false;
}
break;
// Active Directory
case 'ad':
if (enterprise_hook ('ad_process_user_login', array ($login, $pass)) === false) {
$config["auth_error"] = "User not found in database or incorrect password";
return false;
}
break;
// Remote Pandora FMS
case 'pandora':
if (enterprise_hook ('remote_pandora_process_user_login', array ($login, $pass)) === false) {
$config["auth_error"] = "User not found in database or incorrect password";
return false;
}
break;
// Remote Babel Enterprise
case 'babel':
if (enterprise_hook ('remote_babel_process_user_login', array ($login, $pass)) === false) {
$config["auth_error"] = "User not found in database or incorrect password";
return false;
}
break;
// Remote Integria
case 'integria':
if (enterprise_hook ('remote_integria_process_user_login', array ($login, $pass)) === false) {
$config["auth_error"] = "User not found in database or incorrect password";
return false;
}
break;
// Unknown authentication method
default:
$config["auth_error"] = "User not found in database or incorrect password";
return false;
break;
}
// Authentication ok, check if the user exists in the local database
if (is_user ($login)) {
if (!user_can_login($login)) {
return false;
}
return $login;
}
// The user does not exist and can not be created
if ($config['autocreate_remote_users'] == 0 || is_user_blacklisted ($login)) {
$config["auth_error"] = "Ooops User not found in database or incorrect password";
return false;
}
// Create the user in the local database
if (create_user ($login, $pass, array ('fullname' => $login, 'comments' => 'Imported from ' . $config['auth'])) === false) {
$config["auth_error"] = "User not found in database or incorrect password";
return false;
}
profile_create_user_profile ($login, $config['default_remote_profile'], $config['default_remote_group']);
return $login;
}
/**
* Checks if a user is administrator.
*

6
pandora_console/include/functions_config.php
View File

@ -280,6 +280,8 @@ function config_update_config () {
$error_update[] = __('Base DN');
if (!config_update_value ('ldap_login_attr', get_parameter ('ldap_login_attr')))
$error_update[] = __('Login attribute');
if (!config_update_value ('fallback_local_auth', get_parameter ('fallback_local_auth')))
$error_update[] = __('Fallback to local authentication');
if (!config_update_value ('rpandora_server', get_parameter ('rpandora_server')))
$error_update[] = __('Pandora FMS host');
@ -883,6 +885,10 @@ function config_process_config () {
if (!isset ($config['ldap_login_attr'])) {
config_update_value ( 'ldap_login_attr', 'uid');
}
if (!isset ($config['fallback_local_auth'])) {
config_update_value ( 'fallback_local_auth', '0');
}
if (!isset ($config['ad_server'])) {
config_update_value ( 'ad_server', 'localhost');