Merge branch '1241-adv-config-in-ldap-auth-dev' into 'develop'

1241 adv config in ldap auth dev

See merge request !853
vgilc 2017-10-04 15:49:39 +02:00
commit aaa21d2bd8
2 changed files with 191 additions and 29 deletions


@ -173,8 +173,6 @@ function process_user_login_local ($login, $pass, $api = false) {
function process_user_login_remote ($login, $pass, $api = false) {
global $config, $mysql_cache;
// Remote authentication
switch ($config["auth"]) {
// LDAP
@ -219,8 +217,6 @@ function process_user_login_remote ($login, $pass, $api = false) {
// Authentication ok, check if the user exists in the local database
if (is_user ($login)) {
if (!user_can_login($login)) {
return false;
}
@ -228,10 +224,27 @@ function process_user_login_remote ($login, $pass, $api = false) {
if (($config["auth"] === 'ad') &&
(isset($config['ad_advanced_config']) && $config['ad_advanced_config'])) {
$return = enterprise_hook ('prepare_permissions_groups_of_user_ad',
array ($login, $pass, false, true, defined('METACONSOLE')));
if ($return === "error_permissions") {
$config["auth_error"] =
__("Problems with configuration permissions. Please contact with Administrator");
return false;
}
else {
if ($return === "permissions_changed") {
$config["auth_error"] =
__("Your permissions have changed. Please, login again.");
return false;
}
}
}
elseif (($config["auth"] === 'ldap') &&
(isset($config['ldap_advanced_config']) && $config['ldap_advanced_config'])) {
$return = enterprise_hook ('prepare_permissions_groups_of_user_ldap',
array ($login, $pass, false, true, defined('METACONSOLE')));
if ($return === "error_permissions") {
$config["auth_error"] =
@ -245,13 +258,13 @@ function process_user_login_remote ($login, $pass, $api = false) {
return false;
}
}
change_local_user_pass_ldap ($login, $pass);
}
return $login;
}
// The user does not exist and can not be created
if ($config['autocreate_remote_users'] == 0 || is_user_blacklisted ($login)) {
$config["auth_error"] = __("Ooops User not found in
@ -297,6 +310,41 @@ function process_user_login_remote ($login, $pass, $api = false) {
return false;
}
}
elseif ($config["auth"] === 'ldap' &&
(isset($config['ldap_advanced_config']) &&
$config['ldap_advanced_config'])) {
if ( defined('METACONSOLE') ) {
enterprise_include_once('include/functions_metaconsole.php');
enterprise_include_once ('meta/include/functions_groups_meta.php');
$return = groups_meta_synchronizing();
if ($return["group_create_err"] > 0 || $return["group_update_err"] > 0) {
$config["auth_error"] = __('Fail the group synchronizing');
return false;
}
$return = meta_tags_synchronizing();
if ($return['tag_create_err'] > 0 || $return['tag_update_err'] > 0) {
$config["auth_error"] = __('Fail the tag synchronizing');
return false;
}
}
// Create the user
if (enterprise_hook ('prepare_permissions_groups_of_user_ldap',
array($login,
$pass,
array ('fullname' => $login,
'comments' => 'Imported from ' . $config['auth']),
false, defined('METACONSOLE'))) === false) {
$config["auth_error"] = __("User not found in database
or incorrect password");
return false;
}
}
else {
$user_info = array ('fullname' => $login,
@ -644,33 +692,51 @@ function ldap_process_user_login ($login, $password) {
return false;
}
}
$dc = $config["ldap_base_dn"];
$ldap_login_attr = !empty($config["ldap_login_attr"]) ? io_safe_output($config["ldap_login_attr"]) . "=" : '';
#Search group of this user it belong.
$filter="(cn=" . io_safe_output($login) . ")";
$justthese = array("objectclass=group");
$sr = ldap_search($ds, $dc, $filter, $justthese);
$memberof = ldap_get_entries($ds, $sr);
if ($memberof["count"] == 0 && !isset($memberof[0]["memberof"])) {
@ldap_close ($ds);
return false;
}
else {
$memberof = $memberof[0];
}
unset($memberof["count"]);
$ldap_base_dn = !empty($config["ldap_base_dn"]) ? "," . io_safe_output($config["ldap_base_dn"]) : '';
if(!empty($ldap_base_dn)){
if (strlen($password) == 0 ||
!@ldap_bind($ds, $ldap_login_attr.io_safe_output($login).$ldap_base_dn, $password) ) {
$config["auth_error"] = 'User not found in database or incorrect password';
@ldap_close ($ds);
return false;
$correct = false;
if(!empty($ldap_base_dn)) {
if (strlen($password) != 0 && @ldap_bind($ds, $memberof['dn'], $password) ) {
$correct = true;
}
} else {
if (strlen($password) == 0 ||
!@ldap_bind($ds, io_safe_output($login), $password) ) {
$config["auth_error"] = 'User not found in database or incorrect password';
@ldap_close ($ds);
return false;
}
else {
if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($login), $password) ) {
$correct = true;
}
}
@ldap_close ($ds);
return true;
if ($correct) {
return true;
}
else {
$config["auth_error"] = 'User not found in database or incorrect password';
return false;
}
}
/**
@ -693,6 +759,27 @@ function is_user_blacklisted ($user) {
return false;
}
/**
* Update local user pass from ldap user
*
* @param string Login
* @param string Password
*
* @return bool
*/
function change_local_user_pass_ldap ($id_user, $password) {
$local_user_pass = db_get_value_filter('password', 'tusuario', array('id_user' => $id_user));
if (md5($password) !== $local_user_pass) {
$values_update = array();
$values_update['password'] = md5($password);
db_process_sql_update('tusuario', $values_update, array('id_user' => $id_user));
}
return;
}
//Reference the global use authorization error to last auth error.
$config["auth_error"] = &$mysql_cache["auth_error"];
?>
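Review bot: In ldap_process_user_login the search filter is built as `"(cn=" . io_safe_output($login) . ")"` and the rewritten bind then uses the DN of the first entry that filter returns (`$memberof['dn']`); io_safe_output only reverses HTML-entity encoding and does not escape LDAP filter metacharacters, so a login containing `*`, `(`, `)` or `\` changes which entry is matched and therefore which DN the submitted password is checked against. Escape the value for the filter context, e.g. `$filter = "(cn=" . ldap_escape(io_safe_output($login), '', LDAP_ESCAPE_FILTER) . ")";`, and treat a result with `$memberof["count"] != 1` as a failed login instead of silently taking entry 0. The fourth argument of ldap_search is the list of attributes to return, so `array("objectclass=group")` is not a filter, and the `memberof` attribute tested a few lines later is presumably never requested — confirm what this search is meant to retrieve. Separately, the new change_local_user_pass_ldap mirrors the LDAP password into tusuario as an unsalted md5 to match the local scheme; if that scheme cannot be changed in this commit, state the tradeoff in its docblock so the stored copy is not mistaken for a secure credential store.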


@ -319,11 +319,14 @@ function config_update_config () {
$error_update[] = __('Start TLS');
if (!config_update_value ('ad_advanced_config', get_parameter ('ad_advanced_config')))
$error_update[] = __('Advanced Config AD');
if (!config_update_value ('ldap_advanced_config', get_parameter ('ldap_advanced_config')))
$error_update[] = __('Advanced Config LDAP');
if (!config_update_value ('ad_domain', get_parameter ('ad_domain')))
$error_update[] = __('Domain');
if (!config_update_value ('ad_adv_perms', get_parameter ('ad_adv_perms')))
$error_update[] = __('Advanced Permisions AD');
if (!config_update_value ('ldap_adv_perms', get_parameter ('ldap_adv_perms')))
$error_update[] = __('Advanced Permisions LDAP');
if (!config_update_value ('ldap_server', get_parameter ('ldap_server')))
$error_update[] = __('LDAP server');
if (!config_update_value ('ldap_port', get_parameter ('ldap_port')))
@ -1349,10 +1352,18 @@ function config_process_config () {
if (!isset ($config['ad_advanced_config'])) {
config_update_value ( 'ad_advanced_config', 0);
}
if (!isset ($config['ldap_advanced_config'])) {
config_update_value ( 'ldap_advanced_config', 0);
}
if (!isset ($config['ad_adv_user_node'])) {
config_update_value ( 'ad_adv_user_node', 1);
}
if (!isset ($config['ldap_adv_user_node'])) {
config_update_value ( 'ldap_adv_user_node', 1);
}
if (!isset ($config['ad_domain'])) {
config_update_value ( 'ad_domain', '');
@ -1421,6 +1432,70 @@ function config_process_config () {
config_update_value ('ad_adv_perms', $temp_ad_adv_perms);
}
}
if (!isset ($config['ldap_adv_perms'])) {
config_update_value ('ldap_adv_perms', '');
}
else {
if (!json_decode(io_safe_output($config['ldap_adv_perms']))) {
$temp_ldap_adv_perms = array();
if ($config['ldap_adv_perms'] != '') {
$perms = explode(';', io_safe_output($config['ldap_adv_perms']));
foreach ($perms as $ad_adv_perm) {
if (preg_match('/[\[\]]/',$ad_adv_perm)) {
$all_data = explode (",", io_safe_output($ad_adv_perm));
$profile = $all_data[0];
$group_pnd = $all_data[1];
$groups_ad = str_replace(array("[","]"), "", $all_data[2]);
$tags = str_replace(array("[","]"), "", $all_data[3]);
$groups_ad = explode('|', $groups_ad);
$tags_name = explode('|', $tags);
$tags_ids = array();
foreach ($tags_name as $tag) {
$tags_ids[] = tags_get_id($tag);
}
$profile = profile_get_profiles(
array(
"name" => io_safe_input($profile)));
if (!$profile)
continue;
$profile_id = array_keys($profile);
$id_grupo = groups_get_id (io_safe_input($group_pnd), false);
$new_ldap_adv_perms[] =
array('profile' => $profile_id[0],
'group' => array($id_grupo),
'tags' => $tags_ids,
'groups_ldap' => $groups_ldap);
}
else {
$all_data = explode (",", io_safe_output($ad_adv_perm));
$profile = $all_data[0];
$group_pnd = $all_data[1];
$groups_ad = $all_data[2];
$tags = $all_data[3];
$profile = profile_get_profiles(
array(
"name" => io_safe_input($profile)));
if (!$profile)
continue;
$profile_id = array_keys($profile);
$id_grupo = groups_get_id (io_safe_input($group_pnd), false);
$new_ldap_adv_perms[] =
array('profile' => $profile_id[0],
'group' => array($id_grupo),
'tags' => array($tags),
'groups_ldap' => array($groups_ldap));
}
}
if (!empty($new_ldap_adv_perms)) {
$temp_ldap_adv_perms = json_encode($new_ldap_adv_perms);
}
}
config_update_value ('ldap_adv_perms', $temp_ldap_adv_perms);
}
}
if (!isset ($config['rpandora_server'])) {
config_update_value ( 'rpandora_server', 'localhost');