Merge branch 'ent-8332-post-configurar-un-segundo-servidor-ldap' into 'develop'

Ent 8332 post configurar un segundo servidor ldap

See merge request artica/pandorafms!4823
Daniel Rodriguez 2022-04-19 12:42:43 +00:00
commit b290e6c896
3 changed files with 253 additions and 24 deletions


@ -198,6 +198,136 @@ if (is_ajax()) {
true true
); );
$table->data['ldap_admin_pass'] = $row; $table->data['ldap_admin_pass'] = $row;
// Enable/disable secondary ldap.
// Set default value.
set_unless_defined($config['secondary_ldap_enabled'], false);
$row = [];
$row['name'] = __('Enable secondary LDAP');
$row['control'] .= html_print_checkbox_switch(
'secondary_ldap_enabled',
1,
$config['secondary_ldap_enabled'],
true,
false,
'showAndHide()'
);
$table->data['secondary_ldap_enabled'] = $row;
$row = [];
// LDAP server.
$row = [];
$row['name'] = __('Secondary LDAP server');
$row['control'] = html_print_input_text(
'ldap_server_secondary',
$config['ldap_server_secondary'],
'',
30,
100,
true
);
$table->data['ldap_server_secondary'] = $row;
// LDAP port.
$row = [];
$row['name'] = __('Secondary LDAP port');
$row['control'] = html_print_input_text(
'ldap_port_secondary',
$config['ldap_port_secondary'],
'',
10,
100,
true
);
$table->data['ldap_port_secondary'] = $row;
// LDAP version.
$ldap_versions = [
1 => 'LDAPv1',
2 => 'LDAPv2',
3 => 'LDAPv3',
];
$row = [];
$row['name'] = __('Secondary LDAP version');
$row['control'] = html_print_select(
$ldap_versions,
'ldap_version_secondary',
$config['ldap_version_secondary'],
'',
'',
0,
true
);
$table->data['ldap_version_secondary'] = $row;
// Start TLS.
$row = [];
$row['name'] = __('Secondary start TLS');
$row['control'] = html_print_checkbox_switch(
'ldap_start_tls_secondary',
1,
$config['ldap_start_tls_secondary'],
true
);
$table->data['ldap_start_tls_secondary'] = $row;
// Base DN.
$row = [];
$row['name'] = __('Secondary Base DN');
$row['control'] = html_print_input_text(
'ldap_base_dn_secondary',
$config['ldap_base_dn_secondary'],
'',
60,
100,
true
);
$table->data['ldap_base_dn_secondary'] = $row;
// Login attribute.
$row = [];
$row['name'] = __('Secondary Login attribute');
$row['control'] = html_print_input_text(
'ldap_login_attr_secondary',
$config['ldap_login_attr_secondary'],
'',
60,
100,
true
);
$table->data['ldap_login_attr_secondary'] = $row;
// Admin LDAP login.
$row = [];
$row['name'] = __('Admin secondary LDAP login');
$row['control'] = html_print_input_text(
'ldap_admin_login_secondary',
$config['ldap_admin_login_secondary'],
'',
60,
100,
true
);
$table->data['ldap_admin_login_secondary'] = $row;
// Admin LDAP password.
$row = [];
$row['name'] = __('Admin secondary LDAP password');
$row['control'] = html_print_input_password(
'ldap_admin_pass_secondary',
io_output_password($config['ldap_admin_pass_secondary']),
$alt = '',
60,
100,
true
);
$row['control'] .= ui_print_reveal_password(
'ldap_admin_pass_secondary',
true
);
$table->data['ldap_admin_pass_secondary'] = $row;
break; break;
case 'pandora': case 'pandora':
@ -354,6 +484,12 @@ echo '</form>';
} else { } else {
$('#table1-2FA_all_users').hide(); $('#table1-2FA_all_users').hide();
} }
if ($('input[type=checkbox][name=secondary_ldap_enabled]:checked').val() == 1) {
$("tr[id*='ldap_'][id$='_secondary']").show();
} else {
$( "tr[id*='ldap_'][id$='_secondary']" ).hide();
}
} }
$( document ).ready(function() { $( document ).ready(function() {
@ -370,6 +506,7 @@ echo '</form>';
success: function(data) { success: function(data) {
$('.table_result_auth').remove(); $('.table_result_auth').remove();
$('#table_auth_result').append(data); $('#table_auth_result').append(data);
showAndHide();
} }
}); });
}).change(); }).change();
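Review bot: The secondary-LDAP switch is built with `$row['control'] .= html_print_checkbox_switch(` immediately after `$row = [];`, so the concatenation reads an undefined `control` key and emits an "Undefined array key" warning on PHP 8 (the sibling rows in this hunk all use plain `=`); change it to `$row['control'] = html_print_checkbox_switch(`. The `$row = [];` right after `$table->data['secondary_ldap_enabled'] = $row;` is redundant, since the next block under `// LDAP server.` re-initialises `$row` again. In the admin password row, `$alt = ''` assigns a throwaway variable inside the argument list where the primary-server row just passes `''`; `''` alone is clearer. The enclosing `case` and the `showAndHide()` function continue outside these hunks.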


@ -239,6 +239,10 @@ function process_user_login_remote($login, $pass, $api=false)
// LDAP // LDAP
case 'ldap': case 'ldap':
$sr = ldap_process_user_login($login, $pass); $sr = ldap_process_user_login($login, $pass);
// Try with secondary server if not login.
if ($sr === false && (bool) $config['secondary_ldap_enabled'] === true) {
$sr = ldap_process_user_login($login, $pass, true);
}
if (!$sr) { if (!$sr) {
return false; return false;
@ -754,7 +758,7 @@ function update_user($id_user, $values)
* *
* @return boolean True if the login is correct, false in other case * @return boolean True if the login is correct, false in other case
*/ */
function ldap_process_user_login($login, $password) function ldap_process_user_login($login, $password, $secondary_server=false)
{ {
global $config; global $config;
@ -764,14 +768,29 @@ function ldap_process_user_login($login, $password)
return false; return false;
} }
$ldap_tokens = [
'ldap_server',
'ldap_port',
'ldap_version',
'ldap_base_dn',
'ldap_login_attr',
'ldap_admin_login',
'ldap_admin_pass',
'ldap_start_tls',
];
foreach ($ldap_tokens as $token) {
$ldap[$token] = $secondary_server === true ? $config[$token.'_secondary'] : $config[$token];
}
// Connect to the LDAP server // Connect to the LDAP server
if (stripos($config['ldap_server'], 'ldap://') !== false if (stripos($ldap['ldap_server'], 'ldap://') !== false
|| stripos($config['ldap_server'], 'ldaps://') !== false || stripos($ldap['ldap_server'], 'ldaps://') !== false
|| stripos($config['ldap_server'], 'ldapi://') !== false || stripos($ldap['ldap_server'], 'ldapi://') !== false
) { ) {
$ds = @ldap_connect($config['ldap_server'].':'.$config['ldap_port']); $ds = @ldap_connect($ldap['ldap_server'].':'.$ldap['ldap_port']);
} else { } else {
$ds = @ldap_connect($config['ldap_server'], $config['ldap_port']); $ds = @ldap_connect($ldap['ldap_server'], $ldap['ldap_port']);
} }
if (!$ds) { if (!$ds) {
@ -781,9 +800,9 @@ function ldap_process_user_login($login, $password)
} }
// Set the LDAP version // Set the LDAP version
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $config['ldap_version']); ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $ldap['ldap_version']);
if ($config['ldap_start_tls']) { if ($ldap['ldap_start_tls']) {
if (!@ldap_start_tls($ds)) { if (!@ldap_start_tls($ds)) {
$config['auth_error'] = 'Could not start TLS for LDAP connection'; $config['auth_error'] = 'Could not start TLS for LDAP connection';
@ldap_close($ds); @ldap_close($ds);
@ -794,20 +813,21 @@ function ldap_process_user_login($login, $password)
if ($config['ldap_function'] == 'local') { if ($config['ldap_function'] == 'local') {
$sr = local_ldap_search( $sr = local_ldap_search(
$config['ldap_server'], $ldap['ldap_server'],
$config['ldap_port'], $ldap['ldap_port'],
$config['ldap_version'], $ldap['ldap_version'],
io_safe_output($config['ldap_base_dn']), io_safe_output($ldap['ldap_base_dn']),
$config['ldap_login_attr'], $ldap['ldap_login_attr'],
io_safe_output($config['ldap_admin_login']), io_safe_output($ldap['ldap_admin_login']),
io_output_password($config['ldap_admin_pass']), io_output_password($ldap['ldap_admin_pass']),
io_safe_output($login) io_safe_output($login),
$ldap['ldap_start_tls']
); );
if ($sr) { if ($sr) {
$user_dn = $sr['dn'][0]; $user_dn = $sr['dn'][0];
$ldap_base_dn = !empty($config['ldap_base_dn']) ? ','.io_safe_output($config['ldap_base_dn']) : ''; $ldap_base_dn = !empty($ldap['ldap_base_dn']) ? ','.io_safe_output($ldap['ldap_base_dn']) : '';
if (!empty($ldap_base_dn)) { if (!empty($ldap_base_dn)) {
if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($user_dn), $password)) { if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($user_dn), $password)) {
@ -823,17 +843,17 @@ function ldap_process_user_login($login, $password)
} }
} else { } else {
// PHP LDAP function // PHP LDAP function
if ($config['ldap_admin_login'] != '' && $config['ldap_admin_pass'] != '') { if ($ldap['ldap_admin_login'] != '' && $ldap['ldap_admin_pass'] != '') {
if (!@ldap_bind($ds, io_safe_output($config['ldap_admin_login']), io_output_password($config['ldap_admin_pass']))) { if (!@ldap_bind($ds, io_safe_output($ldap['ldap_admin_login']), io_output_password($ldap['ldap_admin_pass']))) {
$config['auth_error'] = 'Admin ldap connection fail'; $config['auth_error'] = 'Admin ldap connection fail';
@ldap_close($ds); @ldap_close($ds);
return false; return false;
} }
} }
$filter = '('.$config['ldap_login_attr'].'='.io_safe_output($login).')'; $filter = '('.$ldap['ldap_login_attr'].'='.io_safe_output($login).')';
$sr = ldap_search($ds, io_safe_output($config['ldap_base_dn']), $filter); $sr = ldap_search($ds, io_safe_output($ldap['ldap_base_dn']), $filter);
$memberof = ldap_get_entries($ds, $sr); $memberof = ldap_get_entries($ds, $sr);
@ -845,7 +865,7 @@ function ldap_process_user_login($login, $password)
} }
unset($memberof['count']); unset($memberof['count']);
$ldap_base_dn = !empty($config['ldap_base_dn']) ? ','.io_safe_output($config['ldap_base_dn']) : ''; $ldap_base_dn = !empty($ldap['ldap_base_dn']) ? ','.io_safe_output($ldap['ldap_base_dn']) : '';
if (!empty($ldap_base_dn)) { if (!empty($ldap_base_dn)) {
if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($memberof['dn']), $password)) { if (strlen($password) != 0 && @ldap_bind($ds, io_safe_output($memberof['dn']), $password)) {
@ -1409,7 +1429,8 @@ function local_ldap_search(
$access_attr=null, $access_attr=null,
$ldap_admin_user=null, $ldap_admin_user=null,
$ldap_admin_pass=null, $ldap_admin_pass=null,
$user=null $user=null,
$ldap_start_tls=null
) { ) {
global $config; global $config;
@ -1419,7 +1440,7 @@ function local_ldap_search(
} }
$tls = ''; $tls = '';
if ($config['ldap_start_tls']) { if ($ldap_start_tls) {
$tls = ' -ZZ '; $tls = ' -ZZ ';
} }
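Review bot: The fallback `if ($sr === false && (bool) $config['secondary_ldap_enabled'] === true)` retries the secondary server on every `false` return, and this hunk shows `ldap_process_user_login` returning `false` both for connection problems and for a rejected bind, so a credential rejection by the primary is replayed against the secondary and the primary's `$config['auth_error']` message is overwritten by the secondary's; if that is intended, a comment such as `// Retry on the secondary for any primary failure, including a rejected bind.` should say so, otherwise the retry should be limited to the unreachable case. `$config['secondary_ldap_enabled']` is not seeded in `config_process_config` by the third file of this commit (only the setup form sets it via `set_unless_defined`), so on an install whose setup page was never saved the cast reads an undefined key at login; `if ($sr === false && !empty($config['secondary_ldap_enabled'])) {` avoids that. `$ldap` is not initialised before the `foreach ($ldap_tokens as $token)` loop, so a one-line `$ldap = [];` above it would make the array's origin explicit. `process_user_login_remote`, `ldap_process_user_login` and `local_ldap_search` all start and end outside these hunks.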


@ -632,6 +632,38 @@ function config_update_config()
$error_update[] = __('Admin LDAP password'); $error_update[] = __('Admin LDAP password');
} }
if (config_update_value('ldap_server_secondary', get_parameter('ldap_server_secondary'), true) === false) {
$error_update[] = __('Secondary LDAP server');
}
if (config_update_value('ldap_port_secondary', get_parameter('ldap_port_secondary'), true) === false) {
$error_update[] = __('Secondary LDAP port');
}
if (config_update_value('ldap_version_secondary', get_parameter('ldap_version_secondary'), true) === false) {
$error_update[] = __('Secondary LDAP version');
}
if (config_update_value('ldap_start_tls_secondary', get_parameter('ldap_start_tls_secondary'), true) === false) {
$error_update[] = __('Secontary start TLS');
}
if (config_update_value('ldap_base_dn_secondary', get_parameter('ldap_base_dn_secondary'), true) === false) {
$error_update[] = __('Secondary base DN');
}
if (config_update_value('ldap_login_attr_secondary', get_parameter('ldap_login_attr_secondary'), true) === false) {
$error_update[] = __('Secondary login attribute');
}
if (config_update_value('ldap_admin_login_secondary', get_parameter('ldap_admin_login_secondary'), true) === false) {
$error_update[] = __('Admin secondary LDAP login');
}
if (config_update_value('ldap_admin_pass_secondary', io_input_password(io_safe_output(get_parameter('ldap_admin_pass_secondary'))), true) === false) {
$error_update[] = __('Admin secondary LDAP password');
}
if (config_update_value('fallback_local_auth', get_parameter('fallback_local_auth'), true) === false) { if (config_update_value('fallback_local_auth', get_parameter('fallback_local_auth'), true) === false) {
$error_update[] = __('Fallback to local authentication'); $error_update[] = __('Fallback to local authentication');
} }
@ -656,6 +688,10 @@ function config_update_config()
$error_update[] = __('Save profile'); $error_update[] = __('Save profile');
} }
if (config_update_value('secondary_ldap_enabled', get_parameter('secondary_ldap_enabled'), true) === false) {
$error_update[] = __('LDAP secondary enabled');
}
if (config_update_value('rpandora_server', get_parameter('rpandora_server'), true) === false) { if (config_update_value('rpandora_server', get_parameter('rpandora_server'), true) === false) {
$error_update[] = __('MySQL host'); $error_update[] = __('MySQL host');
} }
@ -2628,6 +2664,41 @@ function config_process_config()
config_update_value('ldap_admin_pass', ''); config_update_value('ldap_admin_pass', '');
} }
if (!isset($config['ldap_server_secondary'])) {
config_update_value('ldap_server_secondary', 'localhost');
}
if (!isset($config['ldap_port_secondary'])) {
config_update_value('ldap_port_secondary', 389);
}
if (!isset($config['ldap_version_secondary'])) {
config_update_value('ldap_version_secondary', '3');
}
if (!isset($config['ldap_start_tls_secondary'])) {
config_update_value('ldap_start_tls_secondary', 0);
}
if (!isset($config['ldap_base_dn_secondary'])) {
config_update_value(
'ldap_base_dn_secondary',
'ou=People,dc=edu,dc=example,dc=org'
);
}
if (!isset($config['ldap_login_attr_secondary'])) {
config_update_value('ldap_login_attr_secondary', 'uid');
}
if (!isset($config['ldap_admin_login_secondary'])) {
config_update_value('ldap_admin_login_secondary', '');
}
if (!isset($config['ldap_admin_pass_secondary'])) {
config_update_value('ldap_admin_pass_secondary', '');
}
if (!isset($config['ldap_function'])) { if (!isset($config['ldap_function'])) {
config_update_value('ldap_function', 'local'); config_update_value('ldap_function', 'local');
} }
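Review bot: The `config_process_config` hunk seeds a default for every `ldap_*_secondary` token but not for `secondary_ldap_enabled`, which the login path in the second file reads directly; adding `if (!isset($config['secondary_ldap_enabled'])) { config_update_value('secondary_ldap_enabled', 0); }` alongside the other defaults keeps the fallback disabled and warning-free until an administrator enables it. The error label `__('Secontary start TLS')` in the `config_update_config` hunk is misspelled and does not match the form label `Secondary start TLS`, so it would need its own translation entry; `__('Secondary start TLS')` fixes both. The other labels also drift from the form (`Secondary base DN` vs `Secondary Base DN`, `LDAP secondary enabled` vs `Enable secondary LDAP`), which is worth aligning for the translators. Both functions start and end outside these hunks.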