From 7f0dbb04769363a54a89f406070299559d75051d Mon Sep 17 00:00:00 2001
From: Calvo
Date: Tue, 29 Mar 2022 18:59:27 +0200
Subject: [PATCH] Added secondary ldap server
---
 pandora_console/godmode/setup/setup_auth.php | 137 +++++++++++++++++++
 pandora_console/include/auth/mysql.php | 71 ++++++----
 pandora_console/include/functions_config.php | 71 ++++++++++
 3 files changed, 254 insertions(+), 25 deletions(-)
diff --git a/pandora_console/godmode/setup/setup_auth.php b/pandora_console/godmode/setup/setup_auth.php
index 59d208afaf..e1318f96c2 100644
--- a/pandora_console/godmode/setup/setup_auth.php
+++ b/pandora_console/godmode/setup/setup_auth.php
@@ -198,6 +198,136 @@ if (is_ajax()) { true ); $table->data['ldap_admin_pass'] = $row; + + // Enable/disable secondary ldap. + // Set default value. + set_unless_defined($config['secondary_ldap_enabled'], false); + + $row = []; + $row['name'] = __('Enable secondary LDAP'); + $row['control'] .= html_print_checkbox_switch( + 'secondary_ldap_enabled', + 1, + $config['secondary_ldap_enabled'], + true, + false, + 'showAndHide()' + ); + + $table->data['secondary_ldap_enabled'] = $row; + $row = []; + + // LDAP server. + $row = []; + $row['name'] = __('Secondary LDAP server'); + $row['control'] = html_print_input_text( + 'ldap_server_secondary', + $config['ldap_server_secondary'], + '', + 30, + 100, + true + ); + $table->data['ldap_server_secondary'] = $row; + + // LDAP port. + $row = []; + $row['name'] = __('Secondary LDAP port'); + $row['control'] = html_print_input_text( + 'ldap_port_secondary', + $config['ldap_port_secondary'], + '', + 10, + 100, + true + ); + $table->data['ldap_port_secondary'] = $row; + + // LDAP version. + $ldap_versions = [ + 1 => 'LDAPv1', + 2 => 'LDAPv2', + 3 => 'LDAPv3', + ]; + $row = []; + $row['name'] = __('Secondary LDAP version'); + $row['control'] = html_print_select( + $ldap_versions, + 'ldap_version_secondary', + $config['ldap_version_secondary'], + '', + '', + 0, + true + ); + $table->data['ldap_version_secondary'] = $row; + + // Start TLS. + $row = []; + $row['name'] = __('Secondary start TLS'); + $row['control'] = html_print_checkbox_switch( + 'ldap_start_tls_secondary', + 1, + $config['ldap_start_tls_secondary'], + true + ); + $table->data['ldap_start_tls_secondary'] = $row; + + // Base DN. + $row = []; + $row['name'] = __('Secondary Base DN'); + $row['control'] = html_print_input_text( + 'ldap_base_dn_secondary', + $config['ldap_base_dn_secondary'], + '', + 60, + 100, + true + ); + $table->data['ldap_base_dn_secondary'] = $row; + + // Login attribute. 
+ $row = []; + $row['name'] = __('Secondary Login attribute'); + $row['control'] = html_print_input_text( + 'ldap_login_attr_secondary', + $config['ldap_login_attr_secondary'], + '', + 60, + 100, + true + ); + $table->data['ldap_login_attr_secondary'] = $row; + + // Admin LDAP login. + $row = []; + $row['name'] = __('Admin secondary LDAP login'); + $row['control'] = html_print_input_text( + 'ldap_admin_login_secondary', + $config['ldap_admin_login_secondary'], + '', + 60, + 100, + true + ); + $table->data['ldap_admin_login_secondary'] = $row; + + // Admin LDAP password. + $row = []; + $row['name'] = __('Admin secondary LDAP password'); + $row['control'] = html_print_input_password( + 'ldap_admin_pass_secondary', + io_output_password($config['ldap_admin_pass_secondary']), + $alt = '', + 60, + 100, + true + ); + $row['control'] .= ui_print_reveal_password( + 'ldap_admin_pass_secondary', + true + ); + $table->data['ldap_admin_pass_secondary'] = $row; break; case 'pandora': @@ -354,6 +484,12 @@ echo ''; } else { $('#table1-2FA_all_users').hide(); } + + if ($('input[type=checkbox][name=secondary_ldap_enabled]:checked').val() == 1) { + $("tr[id*='ldap_'][id$='_secondary']").show(); + } else { + $( "tr[id*='ldap_'][id$='_secondary']" ).hide(); + } } $( document ).ready(function() { @@ -370,6 +506,7 @@ echo ''; success: function(data) { $('.table_result_auth').remove(); $('#table_auth_result').append(data); + showAndHide(); } }); }).change(); diff --git a/pandora_console/include/auth/mysql.php b/pandora_console/include/auth/mysql.php index b6d46a5c06..10bcca871c 100644 --- a/pandora_console/include/auth/mysql.php +++ b/pandora_console/include/auth/mysql.php 
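Review bot: `$row['control'] .= html_print_checkbox_switch(` for the secondary-LDAP switch appends to a key that does not exist yet, because `$row = [];` was assigned on the line before, so PHP emits an undefined-array-key notice every time the auth setup page renders; every other row in this hunk uses plain assignment, so `$row['control'] = html_print_checkbox_switch(` is enough. The password field passes `$alt = ''` as an argument, which is an assignment expression that creates a stray local rather than a named argument; pass `''` directly. The `$row = [];` right after `$table->data['secondary_ldap_enabled'] = $row;` is repeated immediately under the `// LDAP server.` comment and one of them can go. The enclosing `switch` case starts outside the hunk.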
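Review bot: The new branch in `showAndHide()` compares the checkbox value with loose `==` and mixes `$("...")` with `$( "..." )` spacing in its two arms; `if ($('input[type=checkbox][name=secondary_ldap_enabled]:checked').val() === '1') {` matches what `.val()` returns (a string) and the quoting style of the surrounding function. Because the rows are only hidden client-side, the secondary fields are still posted and stored when the switch is off; that is consistent with the server reading `secondary_ldap_enabled` before using them, so this is a readability point only. `showAndHide()` begins outside the hunk; the `success:` hunk below only adds the call and needs nothing further.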
@@ -227,6 +227,10 @@ function process_user_login_remote($login, $pass, $api=false) // LDAP case 'ldap': $sr = ldap_process_user_login($login, $pass); + // Try with secondary server if not login. + if ($sr === false && (bool) $config['secondary_ldap_enabled'] === true) { + $sr = ldap_process_user_login($login, $pass, true); + } if (!$sr) { return false; @@ -742,7 +746,7 @@ function update_user($id_user, $values) * * @return boolean True if the login is correct, false in other case */ -function ldap_process_user_login($login, $password) +function ldap_process_user_login($login, $password, $secondary_server=false) { global $config; @@ -752,14 +756,29 @@ function ldap_process_user_login($login, $password) return false; } + $ldap_tokens = [ + 'ldap_server', + 'ldap_port', + 'ldap_version', + 'ldap_base_dn', + 'ldap_login_attr', + 'ldap_admin_login', + 'ldap_admin_pass', + 'ldap_start_tls', + ]; + + foreach ($ldap_tokens as $token) { + $ldap[$token] = $secondary_server === true ? $config[$token.'_secondary'] : $config[$token]; + } + // Connect to the LDAP server - if (stripos($config['ldap_server'], 'ldap://') !== false - || stripos($config['ldap_server'], 'ldaps://') !== false - || stripos($config['ldap_server'], 'ldapi://') !== false + if (stripos($ldap['ldap_server'], 'ldap://') !== false + || stripos($ldap['ldap_server'], 'ldaps://') !== false + || stripos($ldap['ldap_server'], 'ldapi://') !== false ) { - $ds = @ldap_connect($config['ldap_server'].':'.$config['ldap_port']); + $ds = @ldap_connect($ldap['ldap_server'].':'.$ldap['ldap_port']); } else { - $ds = @ldap_connect($config['ldap_server'], $config['ldap_port']); + $ds = @ldap_connect($ldap['ldap_server'], $ldap['ldap_port']); } if (!$ds) { 
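Review bot: The secondary lookup under `case 'ldap':` fires whenever `ldap_process_user_login()` returns false, and the later hunks show that function returning false both when the server or admin bind is unavailable and when the user's own bind is rejected. As written, a password the primary directory rejects, including for an account that is locked or disabled there, is retried against the secondary, which turns the secondary into an alternative authentication path rather than a failover; `$config['auth_error']` set by the first attempt is also overwritten by the second call. Consider having the helper distinguish "could not reach or bind to the server" from "user credentials rejected" and retrying only in the first case, and logging which server accepted the login. `process_user_login_remote()` begins outside the hunk, so whether `$config` is declared `global` there is not visible.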
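Review bot: The docblock above `function ldap_process_user_login($login, $password, $secondary_server=false)` still documents only the two original parameters; add `* @param boolean $secondary_server True to use the ldap_*_secondary settings instead of the primary ones.` next to the existing `@param` lines, which start outside the hunk.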
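Review bot: `$ldap` is populated inside `foreach ($ldap_tokens as $token)` without being initialised, so the first iteration creates the array implicitly; `$ldap = [];` before the loop states the intent and keeps static analysis quiet. The loop also reads `$config[$token.'_secondary']` unconditionally; the defaults added in functions_config.php seed those keys, but if that seeding does not run before this function on an upgraded installation the read emits undefined-key notices, so `$config[$token.'_secondary'] ?? ''` would be the defensive form. The function body continues past the hunk.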
@@ -769,9 +788,9 @@ function ldap_process_user_login($login, $password) } // Set the LDAP version - ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $config['ldap_version']); + ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $ldap['ldap_version']); - if ($config['ldap_start_tls']) { + if ($ldap['ldap_start_tls']) { if (!@ldap_start_tls($ds)) { $config['auth_error'] = 'Could not start TLS for LDAP connection'; @ldap_close($ds); @@ -782,20 +801,21 @@ function ldap_process_user_login($login, $password) if ($config['ldap_function'] == 'local') { $sr = local_ldap_search( - $config['ldap_server'], - $config['ldap_port'], - $config['ldap_version'], - io_safe_output($config['ldap_base_dn']), - $config['ldap_login_attr'], - io_safe_output($config['ldap_admin_login']), - io_output_password($config['ldap_admin_pass']), - io_safe_output($login) + $ldap['ldap_server'], + $ldap['ldap_port'], + $ldap['ldap_version'], + io_safe_output($ldap['ldap_base_dn']), + $ldap['ldap_login_attr'], + io_safe_output($ldap['ldap_admin_login']), + io_output_password($ldap['ldap_admin_pass']), + io_safe_output($login), + $ldap['ldap_start_tls'] ); if ($sr) { $user_dn = $sr['dn'][0]; - $ldap_base_dn = !empty($config['ldap_base_dn']) ? ','.io_safe_output($config['ldap_base_dn']) : ''; + $ldap_base_dn = !empty($ldap['ldap_base_dn']) ? ','.io_safe_output($ldap['ldap_base_dn']) : ''; if (!empty($ldap_base_dn)) { if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($user_dn), $password)) { 
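Review bot: `io_output_password($ldap['ldap_admin_pass'])` is passed positionally as the seventh argument of `local_ldap_search()`, and the hunk at `-1431` shows that function splicing `$ldap_admin_pass` into a `shell_exec('ldapsearch ...')` command line, so the decoded admin bind password of whichever server is in use is visible in the process list for the duration of the call. `ldapsearch -y <password-file>` with a 0600 temporary file, or the `ldap_bind()` branch, keeps it off the command line; the command assembly is outside this hunk, so I cannot tell whether `escapeshellarg()` is applied to these values. The new `$ldap['ldap_start_tls']` argument is a trailing positional, so any future reordering of this call silently misassigns values; passing the settings as one array would be sturdier. `ldap_process_user_login()` starts and ends outside both hunks.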
@@ -811,17 +831,17 @@ function ldap_process_user_login($login, $password) } } else { // PHP LDAP function - if ($config['ldap_admin_login'] != '' && $config['ldap_admin_pass'] != '') { - if (!@ldap_bind($ds, io_safe_output($config['ldap_admin_login']), io_output_password($config['ldap_admin_pass']))) { + if ($ldap['ldap_admin_login'] != '' && $ldap['ldap_admin_pass'] != '') { + if (!@ldap_bind($ds, io_safe_output($ldap['ldap_admin_login']), io_output_password($ldap['ldap_admin_pass']))) { $config['auth_error'] = 'Admin ldap connection fail'; @ldap_close($ds); return false; } } - $filter = '('.$config['ldap_login_attr'].'='.io_safe_output($login).')'; + $filter = '('.$ldap['ldap_login_attr'].'='.io_safe_output($login).')'; - $sr = ldap_search($ds, io_safe_output($config['ldap_base_dn']), $filter); + $sr = ldap_search($ds, io_safe_output($ldap['ldap_base_dn']), $filter); $memberof = ldap_get_entries($ds, $sr); @@ -833,7 +853,7 @@ function ldap_process_user_login($login, $password) } unset($memberof['count']); - $ldap_base_dn = !empty($config['ldap_base_dn']) ? ','.io_safe_output($config['ldap_base_dn']) : ''; + $ldap_base_dn = !empty($ldap['ldap_base_dn']) ? ','.io_safe_output($ldap['ldap_base_dn']) : ''; if (!empty($ldap_base_dn)) { if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($memberof['dn']), $password)) { @@ -1397,7 +1417,8 @@ function local_ldap_search( $access_attr=null, $ldap_admin_user=null, $ldap_admin_pass=null, - $user=null + $user=null, + $ldap_start_tls=null ) { global $config; @@ -1407,7 +1428,7 @@ function local_ldap_search( } $tls = ''; - if ($config['ldap_start_tls']) { + if ($ldap_start_tls) { $tls = ' -ZZ '; } 
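Review bot: `$filter = '('.$ldap['ldap_login_attr'].'='.io_safe_output($login).')';` still builds the search filter from the raw login name, so filter metacharacters in the submitted username alter the query; the commit only swaps `$config` for `$ldap` on that line. Escaping is a one-line change: `$filter = '('.$ldap['ldap_login_attr'].'='.ldap_escape(io_safe_output($login), '', LDAP_ESCAPE_FILTER).')';`. The `!= ''` checks on the admin login and password just above are loose comparisons; `!== ''` is the strict form and behaves the same for the string values config stores. This `else` branch belongs to `ldap_process_user_login()`, whose body runs past both sides of the hunk.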
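Review bot: `local_ldap_search()` used to read `$config['ldap_start_tls']` itself; with the new `$ldap_start_tls=null` parameter and `if ($ldap_start_tls) {`, any call site that is not updated to pass the ninth argument now runs ldapsearch without `-ZZ`, so StartTLS is silently disabled for that caller even when the primary configuration enables it. Only the call in `ldap_process_user_login()` is updated in this patch; other callers, if any, are not visible here. A backward-compatible check is `if ($ldap_start_tls ?? $config['ldap_start_tls']) {` (PHP 7+), and the function's docblock should gain a line for the new parameter. This applies to both the signature hunk and the `$tls` hunk; `local_ldap_search()` starts and ends outside them.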
@@ -1431,7 +1452,7 @@ function local_ldap_search( $dn = " -b '".$dn."'"; - $shell_ldap_search = explode("\n", shell_exec('ldapsearch -LLL -o ldif-wrap=no -x'.$ldap_host.$ldap_version.' -E pr=10000/noprompt '.$ldap_admin_user.$ldap_admin_pass.$dn.$filter.$tls.' | grep -v "^#\|^$" | sed "s/:\+ /=>/g"')); + $shell_ldap_search = explode("\n", shell_exec('ldapsearch -LLL -o ldif-wrap=no -x'.$ldap_host.$ldap_version.' -E pr=10000/noprompt '.$ldap_admin_user.$ldap_admin_pass.$dn.$filter.$tls.' | grep -v "^#\|^$" | sed "s/:\+ /=>/g"')); foreach ($shell_ldap_search as $line) { $values = explode('=>', $line); if (!empty($values[0]) && !empty($values[1])) { diff --git a/pandora_console/include/functions_config.php b/pandora_console/include/functions_config.php index 6f79be6c76..07537de173 100644 --- a/pandora_console/include/functions_config.php +++ b/pandora_console/include/functions_config.php 
@@ -632,6 +632,38 @@ function config_update_config() $error_update[] = __('Admin LDAP password'); } + if (config_update_value('ldap_server_secondary', get_parameter('ldap_server_secondary'), true) === false) { + $error_update[] = __('Secondary LDAP server'); + } + + if (config_update_value('ldap_port_secondary', get_parameter('ldap_port_secondary'), true) === false) { + $error_update[] = __('Secondary LDAP port'); + } + + if (config_update_value('ldap_version_secondary', get_parameter('ldap_version_secondary'), true) === false) { + $error_update[] = __('Secondary LDAP version'); + } + + if (config_update_value('ldap_start_tls_secondary', get_parameter('ldap_start_tls_secondary'), true) === false) { + $error_update[] = __('Secontary start TLS'); + } + + if (config_update_value('ldap_base_dn_secondary', get_parameter('ldap_base_dn_secondary'), true) === false) { + $error_update[] = __('Secondary base DN'); + } + + if (config_update_value('ldap_login_attr_secondary', get_parameter('ldap_login_attr_secondary'), true) === false) { + $error_update[] = __('Secondary login attribute'); + } + + if (config_update_value('ldap_admin_login_secondary', get_parameter('ldap_admin_login_secondary'), true) === false) { + $error_update[] = __('Admin secondary LDAP login'); + } + + if (config_update_value('ldap_admin_pass_secondary', io_input_password(io_safe_output(get_parameter('ldap_admin_pass_secondary'))), true) === false) { + $error_update[] = __('Admin secondary LDAP password'); + } + if (config_update_value('fallback_local_auth', get_parameter('fallback_local_auth'), true) === false) { $error_update[] = __('Fallback to local authentication'); } 
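Review bot: `$error_update[] = __('Secontary start TLS');` has a typo in a translation key, so it shows up misspelled in the UI and never matches the `Secondary start TLS` label in setup_auth.php; it should read `$error_update[] = __('Secondary start TLS');`. The secondary server, port and version are stored straight from `get_parameter()` with no check that the port is numeric or the version is one of 1, 2 or 3, presumably mirroring the primary block above; casting with `(int) get_parameter('ldap_port_secondary')` before `config_update_value()` would stop a malformed value reaching `ldap_connect()`. `config_update_config()` continues on both sides of the hunk.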
@@ -656,6 +688,10 @@ function config_update_config() $error_update[] = __('Save profile'); } + if (config_update_value('secondary_ldap_enabled', get_parameter('secondary_ldap_enabled'), true) === false) { + $error_update[] = __('LDAP secondary enabled'); + } + if (config_update_value('rpandora_server', get_parameter('rpandora_server'), true) === false) { $error_update[] = __('MySQL host'); } @@ -2628,6 +2664,41 @@ function config_process_config() config_update_value('ldap_admin_pass', ''); } + if (!isset($config['ldap_server_secondary'])) { + config_update_value('ldap_server_secondary', 'localhost'); + } + + if (!isset($config['ldap_port_secondary'])) { + config_update_value('ldap_port_secondary', 389); + } + + if (!isset($config['ldap_version_secondary'])) { + config_update_value('ldap_version_secondary', '3'); + } + + if (!isset($config['ldap_start_tls_secondary'])) { + config_update_value('ldap_start_tls_secondary', 0); + } + + if (!isset($config['ldap_base_dn_secondary'])) { + config_update_value( + 'ldap_base_dn_secondary', + 'ou=People,dc=edu,dc=example,dc=org' + ); + } + + if (!isset($config['ldap_login_attr_secondary'])) { + config_update_value('ldap_login_attr_secondary', 'uid'); + } + + if (!isset($config['ldap_admin_login_secondary'])) { + config_update_value('ldap_admin_login_secondary', ''); + } + + if (!isset($config['ldap_admin_pass_secondary'])) { + config_update_value('ldap_admin_pass_secondary', ''); + } + if (!isset($config['ldap_function'])) { config_update_value('ldap_function', 'local'); }
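Review bot: The error label `__('LDAP secondary enabled')` does not match the form label `__('Enable secondary LDAP')` used in setup_auth.php, so a failed save reports a name the administrator never saw; reuse the form's string. The flag is also saved in a different place from the other `*_secondary` values (after `Save profile` rather than beside them), which makes the settings harder to find together. `config_update_config()` continues past the hunk.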
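Review bot: The defaults block seeds every `ldap_*_secondary` key but not `secondary_ldap_enabled`, which only gets a value through `set_unless_defined()` when the auth setup page is rendered; `process_user_login_remote()` casts `$config['secondary_ldap_enabled']` on every LDAP login, so on an installation that has never opened that page the login path reads an unset key (it evaluates false, so no fallback occurs, but a notice is emitted per login). Add `if (!isset($config['secondary_ldap_enabled'])) { config_update_value('secondary_ldap_enabled', 0); }` next to the other defaults. The `ldap_start_tls_secondary` default of `0` with port `389` means a freshly enabled secondary server talks plain LDAP, admin bind included, until StartTLS is switched on; that probably mirrors the primary default, which is outside the hunk, but deserves a mention in the setup page help text. `config_process_config()` runs past the hunk.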