Added secondary ldap server

This commit is contained in:
Calvo 2022-03-29 18:59:27 +02:00
parent a54344348c
commit 7f0dbb0476
3 changed files with 254 additions and 25 deletions


@ -198,6 +198,136 @@ if (is_ajax()) {
true
);
$table->data['ldap_admin_pass'] = $row;
// Enable/disable secondary ldap.
// Set default value.
set_unless_defined($config['secondary_ldap_enabled'], false);
$row = [];
$row['name'] = __('Enable secondary LDAP');
$row['control'] .= html_print_checkbox_switch(
'secondary_ldap_enabled',
1,
$config['secondary_ldap_enabled'],
true,
false,
'showAndHide()'
);
$table->data['secondary_ldap_enabled'] = $row;
$row = [];
// LDAP server.
$row = [];
$row['name'] = __('Secondary LDAP server');
$row['control'] = html_print_input_text(
'ldap_server_secondary',
$config['ldap_server_secondary'],
'',
30,
100,
true
);
$table->data['ldap_server_secondary'] = $row;
// LDAP port.
$row = [];
$row['name'] = __('Secondary LDAP port');
$row['control'] = html_print_input_text(
'ldap_port_secondary',
$config['ldap_port_secondary'],
'',
10,
100,
true
);
$table->data['ldap_port_secondary'] = $row;
// LDAP version.
$ldap_versions = [
1 => 'LDAPv1',
2 => 'LDAPv2',
3 => 'LDAPv3',
];
$row = [];
$row['name'] = __('Secondary LDAP version');
$row['control'] = html_print_select(
$ldap_versions,
'ldap_version_secondary',
$config['ldap_version_secondary'],
'',
'',
0,
true
);
$table->data['ldap_version_secondary'] = $row;
// Start TLS.
$row = [];
$row['name'] = __('Secondary start TLS');
$row['control'] = html_print_checkbox_switch(
'ldap_start_tls_secondary',
1,
$config['ldap_start_tls_secondary'],
true
);
$table->data['ldap_start_tls_secondary'] = $row;
// Base DN.
$row = [];
$row['name'] = __('Secondary Base DN');
$row['control'] = html_print_input_text(
'ldap_base_dn_secondary',
$config['ldap_base_dn_secondary'],
'',
60,
100,
true
);
$table->data['ldap_base_dn_secondary'] = $row;
// Login attribute.
$row = [];
$row['name'] = __('Secondary Login attribute');
$row['control'] = html_print_input_text(
'ldap_login_attr_secondary',
$config['ldap_login_attr_secondary'],
'',
60,
100,
true
);
$table->data['ldap_login_attr_secondary'] = $row;
// Admin LDAP login.
$row = [];
$row['name'] = __('Admin secondary LDAP login');
$row['control'] = html_print_input_text(
'ldap_admin_login_secondary',
$config['ldap_admin_login_secondary'],
'',
60,
100,
true
);
$table->data['ldap_admin_login_secondary'] = $row;
// Admin LDAP password.
$row = [];
$row['name'] = __('Admin secondary LDAP password');
$row['control'] = html_print_input_password(
'ldap_admin_pass_secondary',
io_output_password($config['ldap_admin_pass_secondary']),
$alt = '',
60,
100,
true
);
$row['control'] .= ui_print_reveal_password(
'ldap_admin_pass_secondary',
true
);
$table->data['ldap_admin_pass_secondary'] = $row;
break;
case 'pandora':
@ -354,6 +484,12 @@ echo '</form>';
} else {
$('#table1-2FA_all_users').hide();
}
if ($('input[type=checkbox][name=secondary_ldap_enabled]:checked').val() == 1) {
$("tr[id*='ldap_'][id$='_secondary']").show();
} else {
$( "tr[id*='ldap_'][id$='_secondary']" ).hide();
}
}
$( document ).ready(function() {
@ -370,6 +506,7 @@ echo '</form>';
success: function(data) {
$('.table_result_auth').remove();
$('#table_auth_result').append(data);
showAndHide();
}
});
}).change();
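Review bot: `$row['control'] .= html_print_checkbox_switch(` runs right after `$row = [];`, so it appends to a key that does not exist yet and triggers an undefined-index notice on every render of the auth tab; every other control in this hunk assigns with `=`, and this line should too: `$row['control'] = html_print_checkbox_switch(`. The extra `$row = [];` placed directly after `$table->data['secondary_ldap_enabled'] = $row;` is redundant and can be dropped, since the next block resets `$row` again. As with the primary server, the secondary admin password is emitted into the form as cleartext via `io_output_password()` plus a reveal control, so this screen must stay restricted to the same administrator role as the primary settings. The enclosing `if (is_ajax())` block and the `showAndHide()` function both start outside the hunks shown.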


@ -227,6 +227,10 @@ function process_user_login_remote($login, $pass, $api=false)
// LDAP
case 'ldap':
$sr = ldap_process_user_login($login, $pass);
// Try with secondary server if not login.
if ($sr === false && (bool) $config['secondary_ldap_enabled'] === true) {
$sr = ldap_process_user_login($login, $pass, true);
}
if (!$sr) {
return false;
@ -742,7 +746,7 @@ function update_user($id_user, $values)
*
* @return boolean True if the login is correct, false in other case
*/
function ldap_process_user_login($login, $password)
function ldap_process_user_login($login, $password, $secondary_server=false)
{
global $config;
@ -752,14 +756,29 @@ function ldap_process_user_login($login, $password)
return false;
}
$ldap_tokens = [
'ldap_server',
'ldap_port',
'ldap_version',
'ldap_base_dn',
'ldap_login_attr',
'ldap_admin_login',
'ldap_admin_pass',
'ldap_start_tls',
];
foreach ($ldap_tokens as $token) {
$ldap[$token] = $secondary_server === true ? $config[$token.'_secondary'] : $config[$token];
}
// Connect to the LDAP server
if (stripos($config['ldap_server'], 'ldap://') !== false
|| stripos($config['ldap_server'], 'ldaps://') !== false
|| stripos($config['ldap_server'], 'ldapi://') !== false
if (stripos($ldap['ldap_server'], 'ldap://') !== false
|| stripos($ldap['ldap_server'], 'ldaps://') !== false
|| stripos($ldap['ldap_server'], 'ldapi://') !== false
) {
$ds = @ldap_connect($config['ldap_server'].':'.$config['ldap_port']);
$ds = @ldap_connect($ldap['ldap_server'].':'.$ldap['ldap_port']);
} else {
$ds = @ldap_connect($config['ldap_server'], $config['ldap_port']);
$ds = @ldap_connect($ldap['ldap_server'], $ldap['ldap_port']);
}
if (!$ds) {
@ -769,9 +788,9 @@ function ldap_process_user_login($login, $password)
}
// Set the LDAP version
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $config['ldap_version']);
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $ldap['ldap_version']);
if ($config['ldap_start_tls']) {
if ($ldap['ldap_start_tls']) {
if (!@ldap_start_tls($ds)) {
$config['auth_error'] = 'Could not start TLS for LDAP connection';
@ldap_close($ds);
@ -782,20 +801,21 @@ function ldap_process_user_login($login, $password)
if ($config['ldap_function'] == 'local') {
$sr = local_ldap_search(
$config['ldap_server'],
$config['ldap_port'],
$config['ldap_version'],
io_safe_output($config['ldap_base_dn']),
$config['ldap_login_attr'],
io_safe_output($config['ldap_admin_login']),
io_output_password($config['ldap_admin_pass']),
io_safe_output($login)
$ldap['ldap_server'],
$ldap['ldap_port'],
$ldap['ldap_version'],
io_safe_output($ldap['ldap_base_dn']),
$ldap['ldap_login_attr'],
io_safe_output($ldap['ldap_admin_login']),
io_output_password($ldap['ldap_admin_pass']),
io_safe_output($login),
$ldap['ldap_start_tls']
);
if ($sr) {
$user_dn = $sr['dn'][0];
$ldap_base_dn = !empty($config['ldap_base_dn']) ? ','.io_safe_output($config['ldap_base_dn']) : '';
$ldap_base_dn = !empty($ldap['ldap_base_dn']) ? ','.io_safe_output($ldap['ldap_base_dn']) : '';
if (!empty($ldap_base_dn)) {
if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($user_dn), $password)) {
@ -811,17 +831,17 @@ function ldap_process_user_login($login, $password)
}
} else {
// PHP LDAP function
if ($config['ldap_admin_login'] != '' && $config['ldap_admin_pass'] != '') {
if (!@ldap_bind($ds, io_safe_output($config['ldap_admin_login']), io_output_password($config['ldap_admin_pass']))) {
if ($ldap['ldap_admin_login'] != '' && $ldap['ldap_admin_pass'] != '') {
if (!@ldap_bind($ds, io_safe_output($ldap['ldap_admin_login']), io_output_password($ldap['ldap_admin_pass']))) {
$config['auth_error'] = 'Admin ldap connection fail';
@ldap_close($ds);
return false;
}
}
$filter = '('.$config['ldap_login_attr'].'='.io_safe_output($login).')';
$filter = '('.$ldap['ldap_login_attr'].'='.io_safe_output($login).')';
$sr = ldap_search($ds, io_safe_output($config['ldap_base_dn']), $filter);
$sr = ldap_search($ds, io_safe_output($ldap['ldap_base_dn']), $filter);
$memberof = ldap_get_entries($ds, $sr);
@ -833,7 +853,7 @@ function ldap_process_user_login($login, $password)
}
unset($memberof['count']);
$ldap_base_dn = !empty($config['ldap_base_dn']) ? ','.io_safe_output($config['ldap_base_dn']) : '';
$ldap_base_dn = !empty($ldap['ldap_base_dn']) ? ','.io_safe_output($ldap['ldap_base_dn']) : '';
if (!empty($ldap_base_dn)) {
if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($memberof['dn']), $password)) {
@ -1397,7 +1417,8 @@ function local_ldap_search(
$access_attr=null,
$ldap_admin_user=null,
$ldap_admin_pass=null,
$user=null
$user=null,
$ldap_start_tls=null
) {
global $config;
@ -1407,7 +1428,7 @@ function local_ldap_search(
}
$tls = '';
if ($config['ldap_start_tls']) {
if ($ldap_start_tls) {
$tls = ' -ZZ ';
}
@ -1431,7 +1452,7 @@ function local_ldap_search(
$dn = " -b '".$dn."'";
$shell_ldap_search = explode("\n", shell_exec('ldapsearch -LLL -o ldif-wrap=no -x'.$ldap_host.$ldap_version.' -E pr=10000/noprompt '.$ldap_admin_user.$ldap_admin_pass.$dn.$filter.$tls.' | grep -v "^#\|^$" | sed "s/:\+ /=>/g"'));
$shell_ldap_search = explode("\n", shell_exec('ldapsearch -LLL -o ldif-wrap=no -x'.$ldap_host.$ldap_version.' -E pr=10000/noprompt '.$ldap_admin_user.$ldap_admin_pass.$dn.$filter.$tls.' | grep -v "^#\|^$" | sed "s/:\+ /=>/g"'));
foreach ($shell_ldap_search as $line) {
$values = explode('=>', $line);
if (!empty($values[0]) && !empty($values[1])) {
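Review bot: The new fallback in `process_user_login_remote` retries against the secondary whenever `ldap_process_user_login` returns false, which includes a reachable primary that simply rejected a wrong password or did not find the user, not only an unreachable one; the user's credential is then bound against a second directory, any lockout counter is hit twice, and the `$config['auth_error']` set by the primary attempt is overwritten by the retry. Consider failing over only on connection-level failures (connect, StartTLS or admin bind failing), for example by having `ldap_process_user_login` record a distinct error code that the caller checks before calling `ldap_process_user_login($login, $pass, true)`. Note also that `ldap_start_tls_secondary` defaults to 0 in `config_process_config`, so a primary that fails at `ldap_start_tls` (`'Could not start TLS for LDAP connection'`) can silently retry the same password over a plaintext connection to the secondary unless the administrator enabled TLS there as well. Separately, the rebuilt filter `$filter = '('.$ldap['ldap_login_attr'].'='.io_safe_output($login).')';` still interpolates the login name unescaped; it should be wrapped with `ldap_escape($login, '', LDAP_ESCAPE_FILTER)` to prevent filter injection. `process_user_login_remote`, `ldap_process_user_login` and `local_ldap_search` all extend beyond the hunks shown.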


@ -632,6 +632,38 @@ function config_update_config()
$error_update[] = __('Admin LDAP password');
}
if (config_update_value('ldap_server_secondary', get_parameter('ldap_server_secondary'), true) === false) {
$error_update[] = __('Secondary LDAP server');
}
if (config_update_value('ldap_port_secondary', get_parameter('ldap_port_secondary'), true) === false) {
$error_update[] = __('Secondary LDAP port');
}
if (config_update_value('ldap_version_secondary', get_parameter('ldap_version_secondary'), true) === false) {
$error_update[] = __('Secondary LDAP version');
}
if (config_update_value('ldap_start_tls_secondary', get_parameter('ldap_start_tls_secondary'), true) === false) {
$error_update[] = __('Secontary start TLS');
}
if (config_update_value('ldap_base_dn_secondary', get_parameter('ldap_base_dn_secondary'), true) === false) {
$error_update[] = __('Secondary base DN');
}
if (config_update_value('ldap_login_attr_secondary', get_parameter('ldap_login_attr_secondary'), true) === false) {
$error_update[] = __('Secondary login attribute');
}
if (config_update_value('ldap_admin_login_secondary', get_parameter('ldap_admin_login_secondary'), true) === false) {
$error_update[] = __('Admin secondary LDAP login');
}
if (config_update_value('ldap_admin_pass_secondary', io_input_password(io_safe_output(get_parameter('ldap_admin_pass_secondary'))), true) === false) {
$error_update[] = __('Admin secondary LDAP password');
}
if (config_update_value('fallback_local_auth', get_parameter('fallback_local_auth'), true) === false) {
$error_update[] = __('Fallback to local authentication');
}
@ -656,6 +688,10 @@ function config_update_config()
$error_update[] = __('Save profile');
}
if (config_update_value('secondary_ldap_enabled', get_parameter('secondary_ldap_enabled'), true) === false) {
$error_update[] = __('LDAP secondary enabled');
}
if (config_update_value('rpandora_server', get_parameter('rpandora_server'), true) === false) {
$error_update[] = __('MySQL host');
}
@ -2628,6 +2664,41 @@ function config_process_config()
config_update_value('ldap_admin_pass', '');
}
if (!isset($config['ldap_server_secondary'])) {
config_update_value('ldap_server_secondary', 'localhost');
}
if (!isset($config['ldap_port_secondary'])) {
config_update_value('ldap_port_secondary', 389);
}
if (!isset($config['ldap_version_secondary'])) {
config_update_value('ldap_version_secondary', '3');
}
if (!isset($config['ldap_start_tls_secondary'])) {
config_update_value('ldap_start_tls_secondary', 0);
}
if (!isset($config['ldap_base_dn_secondary'])) {
config_update_value(
'ldap_base_dn_secondary',
'ou=People,dc=edu,dc=example,dc=org'
);
}
if (!isset($config['ldap_login_attr_secondary'])) {
config_update_value('ldap_login_attr_secondary', 'uid');
}
if (!isset($config['ldap_admin_login_secondary'])) {
config_update_value('ldap_admin_login_secondary', '');
}
if (!isset($config['ldap_admin_pass_secondary'])) {
config_update_value('ldap_admin_pass_secondary', '');
}
if (!isset($config['ldap_function'])) {
config_update_value('ldap_function', 'local');
}
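Review bot: The secondary settings are stored straight from `get_parameter()` with no validation in `config_update_config`: `ldap_port_secondary` is never coerced to an integer and `ldap_version_secondary` is not restricted to 1–3, yet both are later handed to `ldap_connect()`/`ldap_set_option()` and, when `ldap_function` is `local`, into the `ldapsearch` command line that `local_ldap_search` executes through `shell_exec()` (the code that assembles `$ldap_host` from these values is outside the hunk, so whether it escapes them cannot be confirmed here). Even though only an administrator reaches this form, storing `(int) get_parameter('ldap_port_secondary')` and rejecting a version outside the select's values before calling `config_update_value()` would close that path cheaply, and `ldap_server_secondary` deserves the same scrutiny if it is not `escapeshellarg()`-wrapped where the command is built. `config_process_config` seeds a default for every secondary key except `secondary_ldap_enabled`, so until the form is saved once the `(bool) $config['secondary_ldap_enabled']` read in `process_user_login_remote` relies on an undefined index evaluating to false; add `if (!isset($config['secondary_ldap_enabled'])) { config_update_value('secondary_ldap_enabled', 0); }` alongside the other defaults. The user-facing label `__('Secontary start TLS')` is misspelled and should read `__('Secondary start TLS')`.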