2010-08-10 Ramon Novoa <rnovoa@artica.es>

* include/auth/mysql.php, include/functions_config.php,
          include/config_process.php, pandora_console.spec,
          ajax.php, godmode/menu.php: Added support for different
          authentication schemes. Local database and LDAP are
          implemented.

        * operation/agentes/networkmap.topology.php,
          operation/agentes/networkmap.groups.php: Small fixes. Use filter name
          to compose file names.




git-svn-id: https://svn.code.sf.net/p/pandora/code/trunk@3113 c3f86ba8-e40f-0410-aaad-9ba5e7f4b01f

pandora_console/ChangeLog

@@ -1,3 +1,15 @@
+010-08-10  Ramon Novoa  <rnovoa@artica.es>
+
+	* include/auth/mysql.php, include/functions_config.php,
+	  include/config_process.php, pandora_console.spec,
+	  ajax.php, godmode/menu.php: Added support for different
+	  authentication schemes. Local database and LDAP are
+	  implemented.
+
+	* operation/agentes/networkmap.topology.php,
+	  operation/agentes/networkmap.groups.php: Small fixes. Use filter name
+	  to compose file names.
+
 2010-08-09  Sergio Martin <sergio.martin@artica.es>
 
 	* extensions/agents_modules.php: Fixed the horizontal 

pandora_console/ajax.php

@@ -21,12 +21,7 @@ if ((! file_exists("include/config.php")) || (! is_readable("include/config.php"
 require_once ('include/config.php');
 require_once ('include/functions.php');
 require_once ('include/functions_db.php');
-
-if (!isset ($config["auth"])) {
-	require_once ("include/auth/mysql.php");
-} else {
-	require_once ("include/auth/".$config["auth"]["scheme"].".php");
-}
+require_once ('include/auth/mysql.php');
 
 // Real start
 session_start ();

pandora_console/godmode/menu.php

@@ -177,6 +177,7 @@ if (give_acl ($config['id_user'], 0, "PM")) {
 
 	$sub = array ();
 
+	$sub["godmode/setup/setup_auth"]["text"] = __('Authentication');
 	$sub["godmode/setup/performance"]["text"] = __('Performance');
 	$sub["godmode/setup/setup_visuals"]["text"] = __('Visual styles');
 	$sub["godmode/setup/file_manager"]["text"] = __('File manager');

pandora_console/include/auth/mysql.php

@@ -54,6 +54,8 @@ if (!isset ($config)) {
 ');
 }
 
+enterprise_include ('include/auth/mysql.php');
+
 $config["user_can_update_info"] = true;
 $config["user_can_update_password"] = true;
 $config["admin_can_add_user"] = true;
@@ -70,24 +72,94 @@ $config["admin_can_make_admin"] = true;
  * @return mixed False in case of error or invalid credentials, the username in case it's correct.
  */
 function process_user_login ($login, $pass) {
-	global $mysql_cache;
+	global $config, $mysql_cache;
 	
-	// Connect to Database
-	$sql = sprintf ("SELECT `id_user`, `password` FROM `tusuario` WHERE `id_user` = '%s'", $login);
-	$row = get_db_row_sql ($sql);
+	// Always authenticate admins against the local database
+	if (strtolower ($config["auth"]) == 'mysql' || is_user_admin ($login)) {
 	
-	//Check that row exists, that password is not empty and that password is the same hash
-	if ($row !== false && $row["password"] !== md5 ("") && $row["password"] == md5 ($pass)) {
-		// Login OK
-		// Nick could be uppercase or lowercase (select in MySQL
-		// is not case sensitive)
-		// We get DB nick to put in PHP Session variable,
-		// to avoid problems with case-sensitive usernames.
-		// Thanks to David Muñiz for Bug discovery :)
-		return $row["id_user"];
+		// Connect to Database
+		$sql = sprintf ("SELECT `id_user`, `password` FROM `tusuario` WHERE `id_user` = '%s'", $login);
+		$row = get_db_row_sql ($sql);
+		
+		//Check that row exists, that password is not empty and that password is the same hash
+		if ($row !== false && $row["password"] !== md5 ("") && $row["password"] == md5 ($pass)) {
+			// Login OK
+			// Nick could be uppercase or lowercase (select in MySQL
+			// is not case sensitive)
+			// We get DB nick to put in PHP Session variable,
+			// to avoid problems with case-sensitive usernames.
+			// Thanks to David Muñiz for Bug discovery :)
+			return $row["id_user"];
+		} else {
+			$mysql_cache["auth_error"] = "User not found in database or incorrect password";
+		}
+
+		return false;
+
+	// Remote authentication
 	} else {
-		$mysql_cache["auth_error"] = "User not found in database or incorrect password";
+		
+		switch ($config["auth"]) {
+			
+			// LDAP
+			case 'ldap':
+				if (ldap_process_user_login ($login, $pass) === false) {
+					$config["auth_error"] = "User not found in database or incorrect password";
+					return false;
+				}
+				break;
+				
+			// Active Directory
+			case 'ad':
+				if (enterprise_hook ('ad_process_user_login', array ($login, $pass)) === false) {
+					$config["auth_error"] = "User not found in database or incorrect password";
+					return false;
+				}
+				break;
+
+			// Remote Pandora FMS
+			case 'pandora':
+				if (enterprise_hook ('remote_pandora_process_user_login', array ($login, $pass)) === false) {
+					$config["auth_error"] = "User not found in database or incorrect password";
+					return false;
+				}
+				break;
+
+			// Remote Babel Enterprise
+			case 'babel':
+				if (enterprise_hook ('remote_babel_process_user_login', array ($login, $pass)) === false) {
+					$config["auth_error"] = "User not found in database or incorrect password";
+					return false;
+				}
+				break;
+
+			// Unknown authentication method
+			default:
+				$config["auth_error"] = "User not found in database or incorrect password";
+				return false;
+		}
+		
+		// Authentication ok, check if the user exists in the local database
+		if (is_user ($login)) {
+			return $login;
+		}
+
+		// The user does not exist and can not be created
+		if ($config['autocreate_remote_users'] == 0) {
+			$config["auth_error"] = "User not found in database or incorrect password";
+			return false;
+		}
+
+		// Create the user in the local database
+		if (create_user ($login, $pass, array ('fullname' => $login, 'comments' => 'Imported from ' . $config['auth'])) === false) {
+			$config["auth_error"] = "User not found in database or incorrect password";
+			return false;
+		}
+
+		create_user_profile ($login, $config['default_remote_profile'], $config['default_remote_group']);	
+		return $login;
 	}
+
 	return false;
 }
 
@@ -298,6 +370,50 @@ function update_user ($id_user, $values) {
 	return process_sql_update ("tusuario", $values, array ("id_user" => $id_user));
 }
 
+/**
+ * Authenticate against an LDAP server.
+ *
+ * @param string User login
+ * @param string User password (plain text)
+ *
+ * @return bool True if the login is correct, false in other case
+ */
+function ldap_process_user_login ($login, $password) {
+	global $config;
+	
+	if (! function_exists ("ldap_connect")) {
+		$config["auth_error"] = 'Your installation of PHP does not support LDAP';
+		return false;
+	}
+
+	// Connect to the LDAP server
+	$ds = @ldap_connect ($config["ldap_server"], $config["ldap_port"]);
+	if (!$ds) {
+		$config["auth_error"] = 'Error connecting to LDAP server';
+		return false;
+	}
+
+	// Set the LDAP version
+	ldap_set_option ($ds, LDAP_OPT_PROTOCOL_VERSION, $config["ldap_version"]);
+
+	if ($config["ldap_start_tls"]) {
+		if (!@ldap_start_tls ($ds)) { 
+			$config["auth_error"] = 'Could not start TLS for LDAP connection';
+			@ldap_close ($ds);
+			return false;
+		}
+	}
+
+	if (!@ldap_bind ($ds, $config["ldap_login_attr"]."=".$login.",".$config["ldap_base_dn"], $password)) {
+		$config["auth_error"] = 'User not found in database or incorrect password';
+		@ldap_close ($ds);
+		return false;
+	}
+
+	@ldap_close ($ds);
+	return true;
+}
+
 //Reference the global use authorization error to last auth error.
 $config["auth_error"] = &$mysql_cache["auth_error"];
 ?>

pandora_console/include/config_process.php

@@ -61,6 +61,12 @@ if (! $config['dbconnection']) {
 
 $ownDir = dirname(__FILE__) . '/';
 
+if (! defined ('EXTENSIONS_DIR'))
+	define ('EXTENSIONS_DIR', 'extensions');
+
+if (! defined ('ENTERPRISE_DIR'))
+	define ('ENTERPRISE_DIR', 'enterprise');
+
 mysql_select_db ($config["dbname"]);
 require_once ($ownDir . 'functions.php');
 require_once ($ownDir . 'functions_db.php');
@@ -103,12 +109,6 @@ if (file_exists ('./include/languages/'.$config["user_language"].'.mo')) {
 	$l10n->load_tables();
 }
 
-if (! defined ('EXTENSIONS_DIR'))
-	define ('EXTENSIONS_DIR', 'extensions');
-
-if (! defined ('ENTERPRISE_DIR'))
-	define ('ENTERPRISE_DIR', 'enterprise');
-
 require_once ($ownDir . 'functions_extensions.php');
 
 $config['extensions'] = get_extensions ();

pandora_console/include/functions_config.php

@@ -180,6 +180,30 @@ function update_config () {
 	update_config_value ('acl_enterprise', get_parameter ('acl_enterprise', $config['acl_enterprise']));
 	update_config_value ('metaconsole', get_parameter ('metaconsole', $config['metaconsole']));
 	update_config_value ('gis_purge', get_parameter ('gis_purge', $config['gis_purge']));
+	update_config_value ('auth', get_parameter ('auth', $config['auth']));
+	update_config_value ('autocreate_remote_users', get_parameter ('autocreate_remote_users', $config['autocreate_remote_users']));
+	update_config_value ('default_remote_profile', get_parameter ('default_remote_profile', $config['default_remote_profile']));
+	update_config_value ('default_remote_group', get_parameter ('default_remote_group', $config['default_remote_group']));
+
+	update_config_value ('ldap_server', get_parameter ('ldap_server', $config['ldap_server']));
+	update_config_value ('ldap_port', get_parameter ('ldap_port', $config['ldap_port']));
+	update_config_value ('ldap_version', get_parameter ('ldap_version', $config['ldap_version']));
+	update_config_value ('ldap_start_tls', get_parameter ('ldap_start_tls', $config['ldap_start_tls']));
+	update_config_value ('ldap_base_dn', get_parameter ('ldap_base_dn', $config['ldap_base_dn']));
+	update_config_value ('ldap_login_attr', get_parameter ('ldap_login_attr', $config['ldap_login_attr']));
+
+	update_config_value ('ad_server', get_parameter ('ad_server', $config['ad_server']));
+	update_config_value ('ad_port', get_parameter ('ad_port', $config['ad_port']));
+	update_config_value ('ad_start_tls', get_parameter ('ad_start_tls', $config['ad_start_tls']));
+	update_config_value ('ad_domain', get_parameter ('ad_domain', $config['ad_domain']));
+
+	update_config_value ('rpandora_server', get_parameter ('rpandora_server', $config['rpandora_server']));
+	update_config_value ('rpandora_port', get_parameter ('rpandora_port', $config['rpandora_port']));
+	update_config_value ('rpandora_pass', get_parameter ('rpandora_pass', $config['rpandora_pass']));
+
+	update_config_value ('rbabel_server', get_parameter ('rbabel_server', $config['rbabel_server']));
+	update_config_value ('rbabel_port', get_parameter ('rbabel_port', $config['rbabel_port']));
+	update_config_value ('rbabel_pass', get_parameter ('rbabel_pass', $config['rbabel_pass']));
 }
 
 /**
@@ -197,13 +221,7 @@ function process_config () {
 	
 	/* Compatibility fix */
 	foreach ($configs as $c) {
-		switch ($c["token"]) {
-		case "auth":
-			include ($config["homedir"]."/general/error_authconfig.php");
-			exit;
-		default:
 			$config[$c['token']] = $c['value'];
-		}
 	}
 	
 	if (!isset ($config['language'])) {
@@ -341,13 +359,8 @@ function process_config () {
 	// if (!isset ($config["autoupdate"])){
 	// 	update_config_value ('autoupdate', true);
 	// }
-
-	if (!isset ($config["auth"])) {
-		require_once ($config["homedir"]."/include/auth/mysql.php");
-	} else {
-		require_once ($config["homedir"]."/include/auth/".$config["auth"]["scheme"].".php");
-	}
 	
+	require_once ($config["homedir"]."/include/auth/mysql.php");
 	
 	// Next is the directory where "/attachment" directory is placed, to upload files stores. 
 	// This MUST be writtable by http server user, and should be in pandora root. 
@@ -412,6 +425,102 @@ function process_config () {
 		update_config_value ( 'activate_gis', 0);
 	}
 
+	if (!isset ($config['auth'])) {
+		update_config_value ( 'auth', 'mysql');
+	}
+
+	if (!isset ($config['autocreate_remote_users'])) {
+		update_config_value ('autocreate_remote_users', 0);
+	}
+
+	if (!isset ($config['default_remote_profile'])) {
+		update_config_value ('default_remote_profile', 0);
+	}
+
+	if (!isset ($config['default_remote_group'])) {
+		update_config_value ('default_remote_group', 0);
+	}
+
+	if (!isset ($config['ldap_server'])) {
+		update_config_value ( 'ldap_server', 'localhost');
+	}
+
+	if (!isset ($config['ldap_port'])) {
+		update_config_value ( 'ldap_port', 389);
+	}
+
+	if (!isset ($config['ldap_version'])) {
+		update_config_value ( 'ldap_version', '3');
+	}
+
+	if (!isset ($config['ldap_start_tls'])) {
+		update_config_value ( 'ldap_start_tls', 0);
+	}
+
+	if (!isset ($config['ldap_base_dn'])) {
+		update_config_value ( 'ldap_base_dn', 'ou=People,dc=edu,dc=example,dc=org');
+	}
+
+	if (!isset ($config['ldap_login_attr'])) {
+		update_config_value ( 'ldap_login_attr', 'uid');
+	}
+
+	if (!isset ($config['ad_server'])) {
+		update_config_value ( 'ad_server', 'localhost');
+	}
+
+	if (!isset ($config['ad_port'])) {
+		update_config_value ( 'ad_port', 389);
+	}
+
+	if (!isset ($config['ad_start_tls'])) {
+		update_config_value ( 'ad_start_tls', 0);
+	}
+
+	if (!isset ($config['ad_domain'])) {
+		update_config_value ( 'ad_domain', '');
+	}
+
+	if (!isset ($config['rpandora_server'])) {
+		update_config_value ( 'rpandora_server', 'localhost');
+	}
+
+	if (!isset ($config['rpandora_port'])) {
+		update_config_value ( 'rpandora_port', 3306);
+	}
+
+	if (!isset ($config['rpandora_dbname'])) {
+		update_config_value ( 'rpandora_dbname', 'pandora');
+	}
+
+	if (!isset ($config['rpandora_user'])) {
+		update_config_value ( 'rpandora_user', 'pandora');
+	}
+
+	if (!isset ($config['rpandora_pass'])) {
+		update_config_value ( 'rpandora_pass', '');
+	}
+
+	if (!isset ($config['rbabel_server'])) {
+		update_config_value ( 'rbabel_server', 'localhost');
+	}
+
+	if (!isset ($config['rbabel_port'])) {
+		update_config_value ( 'rbabel_port', 3306);
+	}
+
+	if (!isset ($config['rbabel_dbname'])) {
+		update_config_value ( 'rbabel_dbname', 'babel');
+	}
+
+	if (!isset ($config['rbabel_user'])) {
+		update_config_value ( 'rbabel_user', 'babel');
+	}
+
+	if (!isset ($config['rbabel_pass'])) {
+		update_config_value ( 'rbabel_pass', '');
+	}
+
 	/* Finally, check if any value was overwritten in a form */
 	update_config ();
 }

pandora_console/operation/agentes/networkmap.groups.php

@@ -42,9 +42,9 @@ if ($graph === false) {
 
 // Generate image and map
 // If image was generated just a few minutes ago, then don't regenerate (it takes long) unless regen checkbox is set
-$filename_map = $config["attachment_store"]."/networkmap_".$layout;
-$filename_img = "attachment/networkmap_".$layout."_".$font_size;
-$filename_dot = $config["attachment_store"]."/networkmap_".$layout;
+$filename_map = safe_url_extraclean ($config["attachment_store"])."/networkmap_".$filter;
+$filename_img = "attachment/networkmap_".$filter."_".$font_size;
+$filename_dot = safe_url_extraclean ($config["attachment_store"])."/networkmap_".$filter;
 if ($simple) {
 	$filename_map .= "_simple";
 	$filename_img .= "_simple";

pandora_console/operation/agentes/networkmap.topology.php

@@ -42,9 +42,9 @@ if ($graph === false) {
 
 // Generate image and map
 // If image was generated just a few minutes ago, then don't regenerate (it takes long) unless regen checkbox is set
-$filename_map = $config["attachment_store"]."/networkmap_".$layout;
-$filename_img = "attachment/networkmap_".$layout."_".$font_size;
-$filename_dot = $config["attachment_store"]."/networkmap_".$layout;
+$filename_map = safe_url_extraclean ($config["attachment_store"])."/networkmap_".$filter;
+$filename_img = "attachment/networkmap_".$filter."_".$font_size;
+$filename_dot = safe_url_extraclean ($config["attachment_store"])."/networkmap_".$filter;
 if ($simple) {
 	$filename_map .= "_simple";
 	$filename_img .= "_simple";

pandora_console/pandora_console.spec

@@ -32,7 +32,7 @@ Requires:           php >= 4.3.0
 Requires:           php5-gd, php5-snmp, php5-pear, php5-json, php5-gettext
 Requires:           php5-mysql, php5-ldap, php5-mbstring, php5
 Requires:           graphviz, xorg-x11-fonts-core
-Requires:           php5-pear-db php-pear-xml_rpc
+Requires:           php5-pear-db, php-pear-xml_rpc
 Provides:           %{name}-%{version}
 
 %description