From 1fffdb499747e25d68e3e1a2e8e641288e54e344 Mon Sep 17 00:00:00 2001 From: jsatoh Date: Sun, 30 Mar 2014 11:30:46 +0000 Subject: [PATCH] 2014-03-30 Junichi Satoh * include/functions_config.php, include/auth/mysql.php, godmode/setup/setup_auth.php: Added the feature to fallback to local authentication when remote authentication is failed. git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@9677 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f --- pandora_console/ChangeLog | 6 + pandora_console/godmode/setup/setup_auth.php | 56 ++-- pandora_console/include/auth/mysql.php | 292 ++++++++++--------- pandora_console/include/functions_config.php | 6 + 4 files changed, 199 insertions(+), 161 deletions(-) diff --git a/pandora_console/ChangeLog b/pandora_console/ChangeLog index 6d440d288c..3452392d85 100644 --- a/pandora_console/ChangeLog +++ b/pandora_console/ChangeLog @@ -1,3 +1,9 @@ +2014-03-30 Junichi Satoh + + * include/functions_config.php, include/auth/mysql.php, + godmode/setup/setup_auth.php: Added the feature to fallback to local + authentication when remote authentication is failed. + 2014-03-28 Miguel de Dios * include/functions_graph.php: set the zeroes values in the boolean diff --git a/pandora_console/godmode/setup/setup_auth.php b/pandora_console/godmode/setup/setup_auth.php index 3c50918955..2c29c91633 100644 --- a/pandora_console/godmode/setup/setup_auth.php +++ b/pandora_console/godmode/setup/setup_auth.php 
@@ -41,49 +41,57 @@ if (enterprise_installed()) { } $table->data[0][1] = html_print_select ($auth_methods, 'auth', $config['auth'], 'show_selected_rows ();', '', 0, true); -$table->data[1][0] = __('Autocreate remote users'); -$table->data[1][1] = __('Yes').' '.html_print_radio_button_extended ('autocreate_remote_users', 1, '', $config['autocreate_remote_users'], false, 'enable_profile_options ();', '', true).'  '; -$table->data[1][1] .= __('No').' '.html_print_radio_button_extended ('autocreate_remote_users', 0, '', $config['autocreate_remote_users'], false, 'enable_profile_options ();', '', true); +$table->data[1][0] = __('Fallback to local authentication') . ui_print_help_tip(__("Enable this option if you want to fallback to local authentication when remote (ldap etc...) authentication failed."), true); +$table->data[1][1] = __('Yes').' '.html_print_radio_button ('fallback_local_auth', 1, '', $config['fallback_local_auth'], true).'  '; +$table->data[1][1] .= __('No').' '.html_print_radio_button ('fallback_local_auth', 0, '', $config['fallback_local_auth'], true); + +$table->data[2][0] = __('Autocreate remote users'); +$table->data[2][1] = __('Yes').' '.html_print_radio_button_extended ('autocreate_remote_users', 1, '', $config['autocreate_remote_users'], false, 'enable_profile_options ();', '', true).'  '; +$table->data[2][1] .= __('No').' '.html_print_radio_button_extended ('autocreate_remote_users', 0, '', $config['autocreate_remote_users'], false, 'enable_profile_options ();', '', true); $table->rowstyle[1] = $config['auth'] != 'mysql' ? 
'' : 'display: none;'; -$table->data[2][0] = __('Autocreate profile'); +$table->data[3][0] = __('Autocreate profile'); $profile_list = profile_get_profiles (); if ($profile_list === false) { $profile_list = array (); } -$table->data[2][1] = html_print_select ($profile_list, 'default_remote_profile', $config['default_remote_profile'], '', '', '', true, false, true, '', $config['autocreate_remote_users'] == 0); -$table->data[3][0] = __('Autocreate profile group'); -$table->data[3][1] = html_print_select_groups ($config['id_user'], "AR", true, 'default_remote_group', $config['default_remote_group'], '', '', '', true, false, true, '', $config['autocreate_remote_users'] == 0); -$table->data[4][0] = __('Autocreate blacklist') . ui_print_help_icon ('autocreate_blacklist', true); -$table->data[4][1] = html_print_input_text ('autocreate_blacklist', $config['autocreate_blacklist'], '', 60, 100, true); +$table->data[3][1] = html_print_select ($profile_list, 'default_remote_profile', $config['default_remote_profile'], '', '', '', true, false, true, '', $config['autocreate_remote_users'] == 0); +$table->data[4][0] = __('Autocreate profile group'); +$table->data[4][1] = html_print_select_groups ($config['id_user'], "AR", true, 'default_remote_group', $config['default_remote_group'], '', '', '', true, false, true, '', $config['autocreate_remote_users'] == 0); +$table->data[5][0] = __('Autocreate blacklist') . ui_print_help_icon ('autocreate_blacklist', true); +$table->data[5][1] = html_print_input_text ('autocreate_blacklist', $config['autocreate_blacklist'], '', 60, 100, true); for ($i = 1; $i <= 4; $i++) { $table->rowstyle[$i] = $config['auth'] != 'mysql' ? 
'' : 'display: none;'; $table->rowclass[$i] = 'remote'; } -$table->data[5][0] = __('LDAP server'); -$table->data[5][1] = html_print_input_text ('ldap_server', $config['ldap_server'], '', 30, 100, true); -$table->data[6][0] = __('LDAP port'); -$table->data[6][1] = html_print_input_text ('ldap_port', $config['ldap_port'], '', 10, 100, true); -$table->data[7][0] = __('LDAP version'); +$table->data[6][0] = __('LDAP server'); +$table->data[6][1] = html_print_input_text ('ldap_server', $config['ldap_server'], '', 30, 100, true); +$table->data[7][0] = __('LDAP port'); +$table->data[7][1] = html_print_input_text ('ldap_port', $config['ldap_port'], '', 10, 100, true); +$table->data[8][0] = __('LDAP version'); $ldap_versions = array (1 => 'LDAPv1', 2 => 'LDAPv2', 3 => 'LDAPv3'); -$table->data[7][1] = html_print_select ($ldap_versions, 'ldap_version', $config['ldap_version'], '', '', 0, true); -$table->data[8][0] = __('Start TLS'); -$table->data[8][1] = __('Yes').' '.html_print_radio_button ('ldap_start_tls', 1, '', $config['ldap_start_tls'], true).'  '; -$table->data[8][1] .= __('No').' '.html_print_radio_button ('ldap_start_tls', 0, '', $config['ldap_start_tls'], true); -$table->data[9][0] = __('Base DN'); -$table->data[9][1] = html_print_input_text ('ldap_base_dn', $config['ldap_base_dn'], '', 60, 100, true); -$table->data[10][0] = __('Login attribute'); -$table->data[10][1] = html_print_input_text ('ldap_login_attr', $config['ldap_login_attr'], '', 60, 100, true); +$table->data[8][1] = html_print_select ($ldap_versions, 'ldap_version', $config['ldap_version'], '', '', 0, true); +$table->data[9][0] = __('Start TLS'); +$table->data[9][1] = __('Yes').' '.html_print_radio_button ('ldap_start_tls', 1, '', $config['ldap_start_tls'], true).'  '; +$table->data[9][1] .= __('No').' 
'.html_print_radio_button ('ldap_start_tls', 0, '', $config['ldap_start_tls'], true); +$table->data[10][0] = __('Base DN'); +$table->data[10][1] = html_print_input_text ('ldap_base_dn', $config['ldap_base_dn'], '', 60, 100, true); +$table->data[11][0] = __('Login attribute'); +$table->data[11][1] = html_print_input_text ('ldap_login_attr', $config['ldap_login_attr'], '', 60, 100, true); // Hide LDAP configuration options -for ($i = 5; $i <= 10; $i++) { +for ($i = 2; $i <= 11; $i++) { $table->rowstyle[$i] = $config['auth'] == 'ldap' ? '' : 'display: none;'; $table->rowclass[$i] = 'ldap'; } +// Hide fallback option when local authentication is selected. +$table->rowstyle[1] = $config['auth'] == 'mysql' ? 'display: none;' : ''; +$table->rowclass[1] = 'remote'; + // Add enterprise authentication options if (enterprise_installed()) { - add_enterprise_auth_options($table, 11); + add_enterprise_auth_options($table, 12); } echo '
'; diff --git a/pandora_console/include/auth/mysql.php b/pandora_console/include/auth/mysql.php index ea7f3d90af..9a491c6a3b 100644 --- a/pandora_console/include/auth/mysql.php +++ b/pandora_console/include/auth/mysql.php 
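Review bot: The two loop ranges were not shifted along with the rows: after inserting the fallback row at index 1 the autocreate rows moved to 2–5, but the remote loop still runs `for ($i = 1; $i <= 4; $i++)` and the LDAP loop now runs `for ($i = 2; $i <= 11; $i++)`, so rows 2–5 end up with class 'ldap' and are hidden unless auth is 'ldap', which makes the autocreate options disappear for AD/Pandora/Babel/Integria (unless that narrowing is intended, which the commit message does not say). Changing them to `for ($i = 2; $i <= 5; $i++)` and `for ($i = 6; $i <= 11; $i++)` restores the previous behaviour for the autocreate rows while keeping row 5 (blacklist) in the remote group. The explicit `$table->rowstyle[1]` / `$table->rowclass[1]` assignments added after the LDAP loop already handle the fallback row, so the earlier `$table->rowstyle[1] = $config['auth'] != 'mysql' ? '' : 'display: none;';` line is now redundant and can go.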
@@ -80,155 +80,173 @@ function process_user_login ($login, $pass, $api = false) { // Always authenticate admins against the local database if (strtolower ($config["auth"]) == 'mysql' || is_user_admin ($login)) { - // Connect to Database - switch ($config["dbtype"]) { - case "mysql": - if (!$api) { - $sql = sprintf ("SELECT `id_user`, `password` - FROM `tusuario` - WHERE `id_user` = '%s' AND `not_login` = 0 - AND `disabled` = 0", $login); - } - else { - $sql = sprintf ("SELECT `id_user`, `password` - FROM `tusuario` - WHERE `id_user` = '%s' - AND `disabled` = 0", $login); - } - break; - case "postgresql": - if (!$api) { - $sql = sprintf ('SELECT "id_user", "password" - FROM "tusuario" - WHERE "id_user" = \'%s\' AND "not_login" = 0 - AND "disabled" = 0', $login); - } - else { - $sql = sprintf ('SELECT "id_user", "password" - FROM "tusuario" - WHERE "id_user" = \'%s\' - AND "disabled" = 0', $login); - } - break; - case "oracle": - if (!$api) { - $sql = sprintf ('SELECT id_user, password - FROM tusuario - WHERE id_user = \'%s\' AND not_login = 0 - AND disabled = 0', $login); - } - else { - $sql = sprintf ('SELECT id_user, password - FROM tusuario - WHERE id_user = \'%s\' - AND disabled = 0', $login); - } - break; - } - $row = db_get_row_sql ($sql); - - //Check that row exists, that password is not empty and that password is the same hash - if ($row !== false && $row["password"] !== md5 ("") - && $row["password"] == md5 ($pass)) { - // Login OK - // Nick could be uppercase or lowercase (select in MySQL - // is not case sensitive) - // We get DB nick to put in PHP Session variable, - // to avoid problems with case-sensitive usernames. 
- // Thanks to David Muñiz for Bug discovery :) - return $row["id_user"]; - } - else { - if (!user_can_login($login)) { - $mysql_cache["auth_error"] = "User only can use the API."; - $config["auth_error"] = "User only can use the API."; - } - else { - $mysql_cache["auth_error"] = "User not found in database or incorrect password"; - $config["auth_error"] = "User not found in database or incorrect password"; - } - } - - return false; + return process_user_login_local ($login, $pass, $api); } else { - // Remote authentication - switch ($config["auth"]) { - // LDAP - case 'ldap': - if (ldap_process_user_login ($login, $pass) === false) { - $config["auth_error"] = "User not found in database or incorrect password"; - return false; - } - break; - - // Active Directory - case 'ad': - if (enterprise_hook ('ad_process_user_login', array ($login, $pass)) === false) { - $config["auth_error"] = "User not found in database or incorrect password"; - return false; - } - break; - - // Remote Pandora FMS - case 'pandora': - if (enterprise_hook ('remote_pandora_process_user_login', array ($login, $pass)) === false) { - $config["auth_error"] = "User not found in database or incorrect password"; - return false; - } - break; - - // Remote Babel Enterprise - case 'babel': - if (enterprise_hook ('remote_babel_process_user_login', array ($login, $pass)) === false) { - $config["auth_error"] = "User not found in database or incorrect password"; - return false; - } - break; - - // Remote Integria - case 'integria': - if (enterprise_hook ('remote_integria_process_user_login', array ($login, $pass)) === false) { - $config["auth_error"] = "User not found in database or incorrect password"; - return false; - } - break; - - // Unknown authentication method - default: - $config["auth_error"] = "User not found in database or incorrect password"; - return false; - break; + $login_remote = process_user_login_remote ($login, $pass, $api); + if ($login_remote == false && $config['fallback_local_auth'] 
== '1') { + return process_user_login_local ($login, $pass, $api); } - - // Authentication ok, check if the user exists in the local database - if (is_user ($login)) { - if (!user_can_login($login)) { - return false; + else { + return $login_remote; + } + } + + return false; +} + +function process_user_login_local ($login, $pass, $api = false) { + global $config, $mysql_cache; + + // Connect to Database + switch ($config["dbtype"]) { + case "mysql": + if (!$api) { + $sql = sprintf ("SELECT `id_user`, `password` + FROM `tusuario` + WHERE `id_user` = '%s' AND `not_login` = 0 + AND `disabled` = 0", $login); } - - return $login; + else { + $sql = sprintf ("SELECT `id_user`, `password` + FROM `tusuario` + WHERE `id_user` = '%s' + AND `disabled` = 0", $login); + } + break; + case "postgresql": + if (!$api) { + $sql = sprintf ('SELECT "id_user", "password" + FROM "tusuario" + WHERE "id_user" = \'%s\' AND "not_login" = 0 + AND "disabled" = 0', $login); + } + else { + $sql = sprintf ('SELECT "id_user", "password" + FROM "tusuario" + WHERE "id_user" = \'%s\' + AND "disabled" = 0', $login); + } + break; + case "oracle": + if (!$api) { + $sql = sprintf ('SELECT id_user, password + FROM tusuario + WHERE id_user = \'%s\' AND not_login = 0 + AND disabled = 0', $login); + } + else { + $sql = sprintf ('SELECT id_user, password + FROM tusuario + WHERE id_user = \'%s\' + AND disabled = 0', $login); + } + break; + } + $row = db_get_row_sql ($sql); + + //Check that row exists, that password is not empty and that password is the same hash + if ($row !== false && $row["password"] !== md5 ("") + && $row["password"] == md5 ($pass)) { + // Login OK + // Nick could be uppercase or lowercase (select in MySQL + // is not case sensitive) + // We get DB nick to put in PHP Session variable, + // to avoid problems with case-sensitive usernames. 
+ // Thanks to David Muñiz for Bug discovery :) + return $row["id_user"]; + } + else { + if (!user_can_login($login)) { + $mysql_cache["auth_error"] = "User only can use the API."; + $config["auth_error"] = "User only can use the API."; } - - // The user does not exist and can not be created - if ($config['autocreate_remote_users'] == 0 || is_user_blacklisted ($login)) { - $config["auth_error"] = "Ooops User not found in database or incorrect password"; - return false; - } - - // Create the user in the local database - if (create_user ($login, $pass, array ('fullname' => $login, 'comments' => 'Imported from ' . $config['auth'])) === false) { + else { + $mysql_cache["auth_error"] = "User not found in database or incorrect password"; $config["auth_error"] = "User not found in database or incorrect password"; - return false; } - - profile_create_user_profile ($login, $config['default_remote_profile'], $config['default_remote_group']); - return $login; } return false; } +function process_user_login_remote ($login, $pass, $api = false) { + global $config, $mysql_cache; + + // Remote authentication + switch ($config["auth"]) { + // LDAP + case 'ldap': + if (ldap_process_user_login ($login, $pass) === false) { + $config["auth_error"] = "User not found in database or incorrect password"; + return false; + } + break; + + // Active Directory + case 'ad': + if (enterprise_hook ('ad_process_user_login', array ($login, $pass)) === false) { + $config["auth_error"] = "User not found in database or incorrect password"; + return false; + } + break; + + // Remote Pandora FMS + case 'pandora': + if (enterprise_hook ('remote_pandora_process_user_login', array ($login, $pass)) === false) { + $config["auth_error"] = "User not found in database or incorrect password"; + return false; + } + break; + + // Remote Babel Enterprise + case 'babel': + if (enterprise_hook ('remote_babel_process_user_login', array ($login, $pass)) === false) { + $config["auth_error"] = "User not found in database 
or incorrect password"; + return false; + } + break; + + // Remote Integria + case 'integria': + if (enterprise_hook ('remote_integria_process_user_login', array ($login, $pass)) === false) { + $config["auth_error"] = "User not found in database or incorrect password"; + return false; + } + break; + + // Unknown authentication method + default: + $config["auth_error"] = "User not found in database or incorrect password"; + return false; + break; + } + + // Authentication ok, check if the user exists in the local database + if (is_user ($login)) { + if (!user_can_login($login)) { + return false; + } + + return $login; + } + + // The user does not exist and can not be created + if ($config['autocreate_remote_users'] == 0 || is_user_blacklisted ($login)) { + $config["auth_error"] = "Ooops User not found in database or incorrect password"; + return false; + } + + // Create the user in the local database + if (create_user ($login, $pass, array ('fullname' => $login, 'comments' => 'Imported from ' . $config['auth'])) === false) { + $config["auth_error"] = "User not found in database or incorrect password"; + return false; + } + + profile_create_user_profile ($login, $config['default_remote_profile'], $config['default_remote_group']); + return $login; +} + /** * Checks if a user is administrator. * diff --git a/pandora_console/include/functions_config.php b/pandora_console/include/functions_config.php index de5d26c4e0..49038fda86 100644 --- a/pandora_console/include/functions_config.php +++ b/pandora_console/include/functions_config.php 
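Review bot: The fallback test `$login_remote == false` is a loose comparison although `process_user_login_remote` returns the login string on success; in PHP a login of `"0"` or `""` compares equal to `false`, so a user who did authenticate remotely under such a name would be re-checked against the local table — use `if ($login_remote === false && $config['fallback_local_auth'] == '1') {`. A security-relevant consequence the code should state: remote users are autocreated locally via `create_user ($login, $pass, …)` with the password they presented, so once fallback is enabled, disabling or removing the account on the LDAP/AD side no longer locks the user out of the console, because their last-imported local credentials still satisfy `process_user_login_local`. A comment beside the fallback branch such as `// NOTE: with fallback enabled, remote deprovisioning does not revoke console access for imported users; the local copy must be disabled too` would make that trade-off explicit, and the help tip in setup_auth.php could carry the same warning. `$mysql_cache` is declared `global` in `process_user_login_remote` but never used there. The body of `process_user_login` begins before this hunk.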
@@ -280,6 +280,8 @@ function config_update_config () { $error_update[] = __('Base DN'); if (!config_update_value ('ldap_login_attr', get_parameter ('ldap_login_attr'))) $error_update[] = __('Login attribute'); + if (!config_update_value ('fallback_local_auth', get_parameter ('fallback_local_auth'))) + $error_update[] = __('Fallback to local authentication'); if (!config_update_value ('rpandora_server', get_parameter ('rpandora_server'))) $error_update[] = __('Pandora FMS host'); @@ -883,6 +885,10 @@ function config_process_config () { if (!isset ($config['ldap_login_attr'])) { config_update_value ( 'ldap_login_attr', 'uid'); } + + if (!isset ($config['fallback_local_auth'])) { + config_update_value ( 'fallback_local_auth', '0'); + } if (!isset ($config['ad_server'])) { config_update_value ( 'ad_server', 'localhost');