Subversion Repositories ALCASAR

Compare Revisions

Ignore whitespace Rev 2704 → Rev 2705

/CHANGELOG
4,6 → 4,7
-------------------- 3.4.0 --------------------
NEWS
- Replace DNSmasq server with Unbound
- Add LDAPS (LDAP SSL) support.
 
CHANGES
- Do not perform LDAP query for authentication of trusted authorized equipment.
/alcasar.sh
2178,6 → 2178,8
echo "LDAP_FILTER=" >> $CONF_FILE
echo "LDAP_USER=alcasar" >> $CONF_FILE
echo "LDAP_PASSWORD=" >> $CONF_FILE
echo "LDAP_SSL=on" >> $CONF_FILE
echo "LDAP_CERT_REQUIRED=" >> $CONF_FILE
echo "SMS=off" >> $CONF_FILE
echo "SMS_NUM=" >> $CONF_FILE
echo "MULTIWAN=off" >> $CONF_FILE
/conf/radius/ldap-alcasar
1,5 → 1,6
# -*- text -*-
# Lightweight Directory Access Protocol (LDAP) module for ALCASAR
 
ldap {
server = "localhost"
port = 389
6,28 → 7,38
identity = "cn=alcasaradmin;cn=Users;dc=serverad;dc=com"
password = "mypass"
base_dn = "cn=Users;dc=serverad;dc=com"
user {
base_dn = "${..base_dn}"
# "samaccountname=" for AD; "uid=" for LDAP
filter = (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
}
options {
chase_referrals = yes
rebind = yes
res_timeout = 10
srv_timelimit = 3
net_timeout = 1
idle = 60
probes = 3
interval = 3
}
pool {
start = 5
min = 3
max = 10
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
user {
base_dn = "${..base_dn}"
# "samaccountname=" for AD; "uid=" for LDAP
filter = (samaccountname=%{%{Stripped-User-Name}:-%{User-Name}})
}
options {
chase_referrals = yes
rebind = yes
res_timeout = 10
srv_timelimit = 3
net_timeout = 1
idle = 60
probes = 3
interval = 3
# ldap_debug = 0x0129
}
tls {
# start_tls = yes
# ca_file = /etc/raddb/certs/alcasar-ldaps.crt
# ca_path = ${certdir}
# certificate_file = /path/to/radius.crt
# private_key_file = /path/to/radius.key
# random_file = /dev/urandom
# require_cert = 'demand'
}
pool {
start = 5
min = 3
max = 10
uses = 0
retry_delay = 30
lifetime = 0
idle_timeout = 60
}
}
/conf/sudoers
26,7 → 26,7
Cmnd_Alias UAM=/usr/local/bin/alcasar-uamallowed.sh # to manage the trusted websites (uamallowed)
Cmnd_Alias SERVICE=/usr/bin/systemctl,/usr/sbin/shutdown # to manage the linux services
Cmnd_Alias GAMMU=/usr/local/bin/alcasar-sms.sh # to manage the SMS subsystem
Cmnd_Alias SSL=/usr/local/bin/alcasar-importcert.sh,/usr/local/bin/alcasar-letsencrypt.sh,/usr/local/bin/alcasar-https.sh # to manage the certificates
Cmnd_Alias SSL=/usr/local/bin/alcasar-importcert.sh,/usr/local/bin/alcasar-letsencrypt.sh,/usr/local/bin/alcasar-https.sh,/usr/local/bin/alcasar-ldap.sh --import-cert * # to manage the certificates
Cmnd_Alias HTDIGEST=/usr/local/bin/alcasar-profil.sh # to manage htdigest groups
Cmnd_Alias LOG_GEN=/usr/local/bin/alcasar-generate_log.sh # to create log PDF from ACC
Cmnd_Alias LDAP=/usr/local/bin/alcasar-ldap.sh # to enable/disable LDAP connection
/scripts/alcasar-conf.sh
170,9 → 170,16
fi
## From 3.4.0 ##
# Fix subdomain dot position (.domain.org to domain.org.) for Unbound
for file in $DIR_E2G/exceptionsitelist $DIR_BLACKLIST/ossi-bl*/domains $DIR_BLACKLIST/ossi-wl*/domains; do
[ -f $file ] && $SED "s/^\.\(.*\)$/\1./g" $file
done
for file in $DIR_E2G/exceptionsitelist $DIR_BLACKLIST/ossi-bl*/domains $DIR_BLACKLIST/ossi-wl*/domains; do
[ -f $file ] && $SED "s/^\.\(.*\)$/\1./g" $file
done
# Add LDAPS parameters to config file
if [ "$(grep -c '^LDAP_SSL=' $DIR_UPDATE/etc/alcasar.conf)" -eq 0 ]; then
echo "LDAP_SSL=on" >> $DIR_UPDATE/etc/alcasar.conf
fi
if [ "$(grep -c '^LDAP_CERT_REQUIRED=' $DIR_UPDATE/etc/alcasar.conf)" -eq 0 ]; then
echo "LDAP_CERT_REQUIRED=" >> $DIR_UPDATE/etc/alcasar.conf
fi
###################### End of modifications between versions #######################
# Retrieve the logo
[ -e $DIR_UPDATE/organisme.png ] && cp -f $DIR_UPDATE/organisme.png $DIR_WEB/images/
/scripts/alcasar-ldap.sh
9,43 → 9,53
# activation / désactivation de l'authentification des utilisateurs via un serveur LDAP externe
# enable / disable authentication of users via an extern LDAP server
 
usage="Usage: alcasar-ldap.sh {--on or -on } | {--off or -off}"
usage="Usage: alcasar-ldap.sh {--on or -on } | {--off or -off} | --import-cert {certificatePath} | --test [-d]"
SED="/bin/sed -i"
CONF_FILE="/usr/local/etc/alcasar.conf"
LDAP_MODULE="/etc/raddb/mods-available/ldap-alcasar"
LDAP_SERVER=`grep ^LDAP_SERVER= $CONF_FILE|cut -d"=" -f2` # IP address of the LDAP server
LDAP_BASE=`grep ^LDAP_BASE= $CONF_FILE|cut -d"=" -f2-` # Where to find the users (cn=**,dc=**,dc=**)
LDAP_UID=`grep ^LDAP_UID= $CONF_FILE|cut -d"=" -f2` # 'samaccuntname' for A.D. - 'UID' for LDAP
LDAP_FILTER=`grep ^LDAP_FILTER= $CONF_FILE|cut -d"=" -f2-` # Filter to limit users search (not used for now)
LDAP_USER=`grep ^LDAP_USER= $CONF_FILE|cut -d"=" -f2-` # LDAP username used by ALCASAR to read the remote directory
LDAP_PASSWORD=`grep ^LDAP_PASSWORD= $CONF_FILE|cut -d"=" -f2-` # its password
OPENLDAP_CONF='/etc/openldap/ldap.conf'
LDAPS_CERT_LOC='/etc/raddb/certs/alcasar-ldaps.crt'
LDAP_SERVER=$(grep '^LDAP_SERVER=' $CONF_FILE | cut -d"=" -f2) # hostname/IP address of the LDAP server
LDAP_USER=$(grep '^LDAP_USER=' $CONF_FILE | cut -d"=" -f2-) # LDAP username used by ALCASAR to read the remote directory
LDAP_PASSWORD=$(grep '^LDAP_PASSWORD=' $CONF_FILE | cut -d"=" -f2-) # its password
LDAP_BASE=$(grep '^LDAP_BASE=' $CONF_FILE | cut -d"=" -f2-) # Where to find the users (cn=**,dc=**,dc=**)
LDAP_UID=$(grep '^LDAP_UID=' $CONF_FILE | cut -d"=" -f2) # 'samaccountname' for A.D. - 'UID' for LDAP
LDAP_SSL=$(grep '^LDAP_SSL=' $CONF_FILE | cut -d"=" -f2-) # LDAP SSL status
LDAP_CERT_REQUIRED=$(grep '^LDAP_CERT_REQUIRED=' $CONF_FILE | cut -d"=" -f2-) # LDAP SSL certificate verifying
 
nb_args=$#
args=$1
if [ $nb_args -eq 0 ]
then
if [ $nb_args -eq 0 ]; then
nb_args=1
args="-h"
fi
 
case $args in
-\? | -h* | --h*)
echo "$usage"
exit 0
;;
--on | -on)
--on | -on)
$SED "s/^LDAP=.*/LDAP=on/g" $CONF_FILE
$SED "s/^\tserver =.*/\tserver = \"ldap:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
if [ "$LDAP_SSL" == 'on' ]; then
$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE
[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
$SED "s/^\t\t#?require_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE
echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF
else
$SED "s/^\tserver =.*/\tserver = \"ldap:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
$SED "s/^\tport =.*/\tport = 389/g" $LDAP_MODULE
echo '' > $OPENLDAP_CONF
fi
$SED "s/^\tidentity =.*/\tidentity = \"${LDAP_USER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
$SED "s/^\tpassword =.*/\tpassword = \"${LDAP_PASSWORD//\"/\\\\\\\"}\"/g" $LDAP_MODULE
$SED "s/^\tbase_dn =.*/\tbase_dn = \"${LDAP_BASE//\"/\\\\\\\"}\"/g" $LDAP_MODULE
$SED "s/^\tfilter =.*/\tfilter = \"(${LDAP_UID//\"/\\\\\\\"}=%{%{Stripped-User-Name}:-%{User-Name}})\"/g" $LDAP_MODULE
if [ ! -e /etc/raddb/mods-enabled/ldap ]
then
$SED "s/^\t\tfilter =.*/\t\tfilter = \"(${LDAP_UID//\"/\\\\\\\"}=%{%{Stripped-User-Name}:-%{User-Name}})\"/g" $LDAP_MODULE
if [ ! -e /etc/raddb/mods-enabled/ldap ]; then
ln -s $LDAP_MODULE /etc/raddb/mods-enabled/ldap
fi
if [ -e /etc/raddb/sites-enabled/alcasar ]
then
rm /etc/raddb/sites-enabled/alcasar
fi
[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar
ln -s /etc/raddb/sites-available/alcasar-with-ldap /etc/raddb/sites-enabled/alcasar
/usr/bin/systemctl restart radiusd.service
;;
52,13 → 62,50
--off | -off)
$SED "s/^LDAP=.*/LDAP=off/g" $CONF_FILE
rm -f /etc/raddb/mods-enabled/ldap
if [ -e /etc/raddb/sites-enabled/alcasar ]
then
rm /etc/raddb/sites-enabled/alcasar
fi
[ -e /etc/raddb/sites-enabled/alcasar ] && rm /etc/raddb/sites-enabled/alcasar
ln -s /etc/raddb/sites-available/alcasar /etc/raddb/sites-enabled/alcasar
/usr/bin/systemctl restart radiusd.service
;;
--import-cert)
cert=$2
[ -z "$cert" ] && echo "$usage" && exit 1
 
if [ "$LDAP_CERT_REQUIRED" == 'on' ]; then
domainName=$(openssl x509 -noout -subject -in $LDAPS_CERT_LOC | cut -d' ' -f2- | sed 's@/[A-Za-z]\+=@\n@g' | tac | tr '\n' '.' | sed 's@\.\+$@@')
if [ "$domainName" != "$LDAP_SERVER" ]; then
echo 'WARN: the common name of the certificate is different from the server domain name'
fi
fi
# TODO : convert DER format to PEM ?
cp -f "$cert" $LDAPS_CERT_LOC
chown root:radius $LDAPS_CERT_LOC
chmod 644 $LDAPS_CERT_LOC
 
$SED "s/^LDAP_SSL=.*/LDAP_SSL=on/g" $CONF_FILE
$SED "s/^\tserver =.*/\tserver = \"ldaps:\/\/${LDAP_SERVER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
$SED "s/^\tport =.*/\tport = 636/g" $LDAP_MODULE
$SED "s@^#\?\t\tca_file =.*@\t\tca_file = $LDAPS_CERT_LOC@g" $LDAP_MODULE
[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
$SED "s/^#\?\t\trequire_cert =.*/\t\trequire_cert = '$require_cert'/g" $LDAP_MODULE
echo -e "TLS_CACERT $LDAPS_CERT_LOC\nTLS_REQCERT $require_cert" > $OPENLDAP_CONF
/usr/bin/systemctl restart radiusd.service
;;
--delete-cert)
[ -f "$LDAPS_CERT_LOC" ] && rm -f $LDAPS_CERT_LOC
;;
--test)
[ -n "$2" ] && [ "$2" == '-d' ] && debugOpt='-d229'
command -v ldapsearch &>/dev/null || { echo >&2 -e "ERR: ldapsearch is not installed\nrun 'dnf install openldap-clients'" ; exit 1; }
if [ "$LDAP_SSL" == 'on' ]; then
protocol='ldaps'
[ "$LDAP_CERT_REQUIRED" == 'on' ] && require_cert='demand' || require_cert='never'
export LDAPTLS_REQCERT="$require_cert"
[ -f "$LDAPS_CERT_LOC" ] && export LDAPTLS_CACERT="$LDAPS_CERT_LOC"
else
protocol='ldap'
fi
/usr/bin/ldapsearch $debugOpt -LLL -H "$protocol://$LDAP_SERVER" -x -D "$LDAP_USER" -w "$LDAP_PASSWORD" -b "$LDAP_BASE" "($LDAP_UID=*)" 1.1
;;
*)
echo "Argument inconnu : $1";
echo "$usage"
/web/acc/admin/ldap.php
63,9 → 63,17
$l_ldap_user_text = "CN=Common Name. Laissez vide pour utiliser un accès invité (ou anonyme). Obligatoire sur un AD.<br> - Exemple LDAP : 'uid=username,ou=my_lan,o=mycompany,c=FR'.<br> - Exemple AD : 'username' ou 'cn=username,cn=Users,dc=server_name,dc=localdomain'";
$l_ldap_password_label = "Mot de passe:";
$l_ldap_password_text = "Laissez vide pour un accès invité (ou anonyme). Obligatoire sur un AD.";
$l_ldap_ssl_label = "Connexion chiffré";
$l_ldap_ssl_text = "Utiliser une connexion chiffré avec SSL (LDAPS)";
$l_ldap_cert_required_label = "Vérifier le certificat SSL";
$l_ldap_cert_required_text = "Vérifier que le serveur LDAP utilise un certificat connu";
$l_ldap_cert_label = "Certificat SSL (CA)";
$l_ldap_cert_text = "Certificat de l'authorité de certification signant celui du serveur LDAP";
$l_ldap_cert_status_cur = "Certificat actuel : ";
$l_ldap_cert_status_no = "Aucun certificat installé";
$l_ldap_submit = "Enregistrer";
$l_ldap_test_service_failed = "Service LDAP injoignable sur ce serveur (vérifiez l'@IP).";
$l_ldap_test_service_ok = "Un port 389 est actif sur ce serveur";
$l_ldap_test_service_ok = "Un port 389 (636 avec SSL) est actif sur ce serveur";
$l_ldap_test_connection_failed = "Connexion LDAP impossible (vérifiez le service LDAP sur ce serveur)";
$l_ldap_test_connection_ok = "Une connexion LDAP a été établie";
$l_ldap_test_bind_failed = "Echec d'authentification (vérifiez l'utilisateur et le mot de passe)";
74,6 → 82,7
$l_ldap_test_dn_ok = "Le DN de la base semble correct";
$l_ldap_error = "erreur LDAP";
$l_ldap_entries = "entrées dans la base";
$l_ldap_cert_cn_diff_dn = "Le CommonName du certificat (§cert_domainName§) est différent du nom de domaine du serveur";
$l_check = "Vérifier cette configuration";
$l_checkingConf = "Vérification de cette configuration...";
} else { // English
95,9 → 104,17
$l_ldap_user_text = "CN=Common Name. Leave blank to use anonymous binding. Mandatory for AD.<br> e.g. LDAP :'uid=Username,ou=my_lan,o=mycompany,c=US'.<br> e.g. AD : 'username' or 'cn=username,cn=Users,dc=server_name,dc=localdomain'";
$l_ldap_password_label = "Password:";
$l_ldap_password_text = "Leave blank to use anonymous binding. Mandatory for AD.";
$l_ldap_ssl_label = "Secure connection";
$l_ldap_ssl_text = "Use an encrypted connection with SSL (LDAPS)";
$l_ldap_cert_required_label = "Check the SSL certificate";
$l_ldap_cert_required_text = "Verify that the LDAP server uses a trusted certificate";
$l_ldap_cert_label = "SSL certificate (CA)";
$l_ldap_cert_text = "Certificate of the certification authority that signed the LDAP server certificate";
$l_ldap_cert_status_cur = "Current certificate:";
$l_ldap_cert_status_no = "No certificate imported";
$l_ldap_submit = "Save";
$l_ldap_test_service_failed = "LDAP service is not reachable on that server (check IP)";
$l_ldap_test_service_ok = "A port 389 is open on this server";
$l_ldap_test_service_ok = "A port 389 (636 with SSL) is open on this server";
$l_ldap_test_connection_failed = "LDAP connexion failed (check the LDAP service on this server)";
$l_ldap_test_connection_ok = "A LDAP connexion is established";
$l_ldap_test_bind_failed = "LDAP authentication failed (check the LDAP user and password)";
104,6 → 121,7
$l_ldap_test_bind_ok = "Successful authentication";
$l_ldap_test_dn_failed = "DN of the base seems to be wrong (check it)";
$l_ldap_test_dn_ok = "DN of the base seems to be ok";
$l_ldap_cert_cn_diff_dn = "Certificate CommonName (§cert_domainName§) is different from the server domain name";
$l_ldap_error = "LDAP error";
$l_ldap_entries = "entries in the base";
$l_check = "Check this config";
110,29 → 128,43
$l_checkingConf = "Checking this configuration...";
}
 
 
function ldap_checkServerConfig($f_ldap_server, $f_ldap_identity, $f_ldap_password, $f_ldap_basedn, $f_ldap_uid, $f_ldap_port = 389) {
function ldap_checkServerConfig($f_ldap_server, $f_ldap_identity, $f_ldap_password, $f_ldap_basedn, $f_ldap_uid, $f_ldap_ssl, $f_ldap_cert, $f_ldap_cert_required) {
// Socket to the LDAP port of the server
if (!$sock = @fsockopen($f_ldap_server, $f_ldap_port, $num, $error, 2)) {
if (!$sock = @fsockopen($f_ldap_server, (($f_ldap_ssl) ? 636 : 389), $num, $error, 2)) {
// no network connection
return -2;
}
fclose($sock);
 
// Set LDAP SSL options
if ($f_ldap_ssl) {
if ($f_ldap_cert_required) {
if ($f_ldap_cert) {
// ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, $f_ldap_cert);
}
ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_DEMAND);
 
} else {
// ldap_set_option(NULL, LDAP_OPT_X_TLS_REQUIRE_CERT, LDAP_OPT_X_TLS_NEVER);
}
}
 
// if ok, Test LDAP connection
$ldapconn = ldap_connect($f_ldap_server, $f_ldap_port);
ldap_set_option($ldapconn, LDAP_OPT_TIMELIMIT, 2);
$ldapconn = @ldap_connect((($f_ldap_ssl)?'ldaps':'ldap').'://'.$f_ldap_server);
if (!$ldapconn) {
// LDAP connection failed
return -1;
}
 
ldap_set_option($ldapconn, LDAP_OPT_TIMELIMIT, 2);
// ldap_get_option($ldapconn, LDAP_OPT_X_KEEPALIVE_INTERVAL, $tmp); var_dump($tmp); ////////// TODO : opti keep-alive
 
// if ok, test a ldap-bind with the user used by ALCASAR
$ldapbind = ldap_bind($ldapconn, $f_ldap_identity, $f_ldap_password);
$ldapbind = @ldap_bind($ldapconn, $f_ldap_identity, $f_ldap_password);
if (!$ldapbind) {
// Test LDAP Version 3
ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3);
$ldapbind = ldap_bind($ldapconn, $f_ldap_identity, $f_ldap_password);
$ldapbind = @ldap_bind($ldapconn, $f_ldap_identity, $f_ldap_password);
if (!$ldapbind) {
// LDAP Bind failed
return 0;
141,7 → 173,7
 
// if ok, try to query the directory of users
$query = $f_ldap_uid.'=*';
$ldap_result = ldap_search($ldapconn, $f_ldap_basedn, $query);
$ldap_result = @ldap_search($ldapconn, $f_ldap_basedn, $query);
if ($ldap_result) {
$ldap_users_count = ldap_count_entries($ldapconn, $ldap_result);
return ($ldap_users_count + 2);
152,25 → 184,32
}
 
$messages = '';
$LDAPS_CERT_LOC = '/etc/raddb/certs/alcasar-ldaps.crt';
 
if (isset($_POST['auth_enable'])) {
if ($_POST['auth_enable'] === '1') {
// TODO : need to translate messages
$varErrors = [];
if (isset($_POST['ldap_server'])) $ldap_server = $_POST['ldap_server']; else array_push($varErrors, 'Variable error "ldap_server"');
if (isset($_POST['ldap_base_dn'])) $ldap_base_dn = $_POST['ldap_base_dn']; else array_push($varErrors, 'Variable error "ldap_base_dn"');
if (isset($_POST['ldap_uid'])) $ldap_uid = $_POST['ldap_uid']; else array_push($varErrors, 'Variable error "ldap_uid"');
if (isset($_POST['ldap_base_filter'])) $ldap_base_filter = $_POST['ldap_base_filter']; else array_push($varErrors, 'Variable error "ldap_base_filter"');
if (isset($_POST['ldap_user'])) $ldap_user = $_POST['ldap_user']; else array_push($varErrors, 'Variable error "ldap_user"');
if (isset($_POST['ldap_password'])) $ldap_password = $_POST['ldap_password']; else array_push($varErrors, 'Variable error "ldap_password"');
if (isset($_POST['ldap_server'])) $ldap_server = $_POST['ldap_server']; else array_push($varErrors, 'Variable error "ldap_server"');
if (isset($_POST['ldap_base_dn'])) $ldap_base_dn = $_POST['ldap_base_dn']; else array_push($varErrors, 'Variable error "ldap_base_dn"');
if (isset($_POST['ldap_uid'])) $ldap_uid = $_POST['ldap_uid']; else array_push($varErrors, 'Variable error "ldap_uid"');
if (isset($_POST['ldap_base_filter'])) $ldap_base_filter = $_POST['ldap_base_filter']; else array_push($varErrors, 'Variable error "ldap_base_filter"');
if (isset($_POST['ldap_user'])) $ldap_user = $_POST['ldap_user']; else array_push($varErrors, 'Variable error "ldap_user"');
if (isset($_POST['ldap_password'])) $ldap_password = $_POST['ldap_password']; else array_push($varErrors, 'Variable error "ldap_password"');
if (isset($_POST['ldap_ssl'])) $ldap_ssl = $_POST['ldap_ssl']; //else array_push($varErrors, 'Variable error "ldap_ssl"');
if (isset($_FILES['ldap_cert'])) $ldap_cert = $_FILES['ldap_cert']; //else array_push($varErrors, 'Variable error "ldap_cert"');
if (isset($_POST['ldap_cert_required'])) $ldap_cert_required = $_POST['ldap_cert_required']; //else array_push($varErrors, 'Variable error "ldap_cert_required"');
 
// Validation
if (isset($ldap_server)) {
if ((!preg_match('/^([0-9]{1,3}\.){3}([0-9]{1,3})$/', $ldap_server)) && (preg_match('/^[a-zA-Z0-9-_.]+$/', $ldap_server))) {
$ldap_server = gethostbyname($ldap_server);
if (isset($ldap_cert) && ($ldap_cert['error'] === UPLOAD_ERR_OK)) {
if ($ldap_cert_required === 'on') {
$certificateInfos = openssl_x509_parse(file_get_contents($ldap_cert['tmp_name']));
if (preg_match_all('@/[a-zA-Z]+=([^/]+)@', $certificateInfos['name'], $matches)) {
$cert_domainName = implode('.', array_reverse($matches[1]));
if ($cert_domainName !== $ldap_server) {
array_push($varErrors, str_replace("§cert_domainName§", $cert_domainName, $l_ldap_cert_cn_diff_dn));
}
}
}
if (!preg_match('/^([0-9]{1,3}\.){3}([0-9]{1,3})$/', $ldap_server)) {
array_push($varErrors, 'Invalid LDAP server IP');
}
}
 
if (!empty($varErrors)) {
184,7 → 223,12
exec('sed -i '.escapeshellarg("s/^LDAP_FILTER=.*/LDAP_FILTER=$ldap_base_filter/g").' '.CONF_FILE);
exec('sed -i '.escapeshellarg("s/^LDAP_USER=.*/LDAP_USER=$ldap_user/g").' '.CONF_FILE);
exec('sed -i '.escapeshellarg("s/^LDAP_PASSWORD=.*/LDAP_PASSWORD=$ldap_password/g").' '.CONF_FILE);
exec('sed -i '.escapeshellarg("s/^LDAP_SSL=.*/LDAP_SSL=$ldap_ssl/g").' '.CONF_FILE);
exec('sed -i '.escapeshellarg("s/^LDAP_CERT_REQUIRED=.*/LDAP_CERT_REQUIRED=$ldap_cert_required/g").' '.CONF_FILE);
exec('sed -i \'s/^LDAP=.*/LDAP=on/g\' '.CONF_FILE);
if (isset($ldap_cert) && ($ldap_cert['error'] === UPLOAD_ERR_OK)) {
exec('sudo /usr/local/bin/alcasar-ldap.sh --import-cert '.escapeshellarg($ldap_cert['tmp_name']));
}
exec('sudo /usr/local/bin/alcasar-ldap.sh --on');
$messages .= '<span style="font-weight: bold; color: green;">'.$l_ldap_update.'</span><br>';
}
210,14 → 254,24
}
 
// LDAP configuration params
$ldap_status = ($conf['LDAP'] === 'on');
$ldap_server = $conf['LDAP_SERVER'];
$ldap_user = $conf['LDAP_USER'];
$ldap_password = $conf['LDAP_PASSWORD'];
$ldap_base_dn = $conf['LDAP_BASE'];
$ldap_uid = $conf['LDAP_UID'];
$ldap_base_filter = $conf['LDAP_FILTER'];
$ldap_status = ($conf['LDAP'] === 'on');
$ldap_server = $conf['LDAP_SERVER'];
$ldap_user = $conf['LDAP_USER'];
$ldap_password = $conf['LDAP_PASSWORD'];
$ldap_base_dn = $conf['LDAP_BASE'];
$ldap_uid = $conf['LDAP_UID'];
$ldap_base_filter = $conf['LDAP_FILTER'];
$ldap_ssl = ($conf['LDAP_SSL'] === 'on');
$ldap_cert_required = ($conf['LDAP_CERT_REQUIRED'] === 'on');
 
$ldap_cert_subject = NULL;
if (file_exists($LDAPS_CERT_LOC)) {
$certificateInfos = openssl_x509_parse(file_get_contents($LDAPS_CERT_LOC));
if (preg_match_all('@/[a-zA-Z]+=([^/]+)@', $certificateInfos['name'], $matches)) {
$ldap_cert_subject = implode('.', array_reverse($matches[1]));
}
}
 
// AJAX LDAP configuration checker
if (isset($_GET['conf_check'])) {
$response = [
226,28 → 280,51
if ($ldap_status || ($_SERVER['REQUEST_METHOD'] === 'POST')) {
$varErrors = [];
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
if (isset($_POST['ldap_server'])) $ldap_server = $_POST['ldap_server']; else array_push($varErrors, 'Variable error "ldap_server"'); // TODO: need to translate
if (isset($_POST['ldap_base_dn'])) $ldap_base_dn = $_POST['ldap_base_dn']; else array_push($varErrors, 'Variable error "ldap_base_dn"'); // TODO: need to translate
if (isset($_POST['ldap_uid'])) $ldap_uid = $_POST['ldap_uid']; else array_push($varErrors, 'Variable error "ldap_uid"'); // TODO: need to translate
if (isset($_POST['ldap_base_filter'])) $ldap_base_filter = $_POST['ldap_base_filter']; else array_push($varErrors, 'Variable error "ldap_base_filter"'); // TODO: need to translate
if (isset($_POST['ldap_user'])) $ldap_user = $_POST['ldap_user']; else array_push($varErrors, 'Variable error "ldap_user"'); // TODO: need to translate
if (isset($_POST['ldap_password'])) $ldap_password = $_POST['ldap_password']; else array_push($varErrors, 'Variable error "ldap_password"'); // TODO: need to translate
// TODO : need to translate messages
if (isset($_POST['ldap_server'])) $ldap_server = $_POST['ldap_server']; else array_push($varErrors, 'Variable error "ldap_server"');
if (isset($_POST['ldap_base_dn'])) $ldap_base_dn = $_POST['ldap_base_dn']; else array_push($varErrors, 'Variable error "ldap_base_dn"');
if (isset($_POST['ldap_uid'])) $ldap_uid = $_POST['ldap_uid']; else array_push($varErrors, 'Variable error "ldap_uid"');
if (isset($_POST['ldap_base_filter'])) $ldap_base_filter = $_POST['ldap_base_filter']; else array_push($varErrors, 'Variable error "ldap_base_filter"');
if (isset($_POST['ldap_user'])) $ldap_user = $_POST['ldap_user']; else array_push($varErrors, 'Variable error "ldap_user"');
if (isset($_POST['ldap_password'])) $ldap_password = $_POST['ldap_password']; else array_push($varErrors, 'Variable error "ldap_password"');
if (isset($_POST['ldap_ssl'])) $ldap_ssl = ($_POST['ldap_ssl'] === 'on'); //else array_push($varErrors, 'Variable error "ldap_ssl"');
if (isset($_FILES['ldap_cert'])) $ldap_cert = $_FILES['ldap_cert']; //else array_push($varErrors, 'Variable error "ldap_cert"');
if (isset($_POST['ldap_cert_required'])) $ldap_cert_required = ($_POST['ldap_cert_required'] === 'on'); //else array_push($varErrors, 'Variable error "ldap_cert_required"');
}
 
// Validation
if (isset($ldap_server)) {
if ((!preg_match('/^([0-9]{1,3}\.){3}([0-9]{1,3})$/', $ldap_server)) && (preg_match('/^[a-zA-Z0-9-_.]+$/', $ldap_server))) {
$ldap_server = gethostbyname($ldap_server);
}
if (!preg_match('/^([0-9]{1,3}\.){3}([0-9]{1,3})$/', $ldap_server)) {
array_push($varErrors, 'Invalid LDAP server IP'); // TODO: need to translate
}
if (($ldap_cert_required) && isset($ldap_cert) && ($ldap_cert['error'] === UPLOAD_ERR_OK)) {
$ldap_cert_tmpFilename = $ldap_cert['tmp_name'];
} else {
$ldap_cert_tmpFilename = NULL;
}
 
if (!empty($varErrors)) {
$response['errors'] = $varErrors;
} else {
$response['result'] = ldap_checkServerConfig($ldap_server, $ldap_user, $ldap_password, $ldap_base_dn, $ldap_uid);
$result = ldap_checkServerConfig($ldap_server, $ldap_user, $ldap_password, $ldap_base_dn, $ldap_uid, $ldap_ssl, $ldap_cert_tmpFilename, $ldap_cert_required);
 
if (($result === 0) && ($ldap_ssl && $ldap_cert_required && ((isset($ldap_cert) && ($ldap_cert['error'] === UPLOAD_ERR_OK)) || (file_exists($LDAPS_CERT_LOC))))) {
if (filter_var($ldap_server, FILTER_VALIDATE_IP) !== false) {
if (isset($ldap_cert) && ($ldap_cert['error'] === UPLOAD_ERR_OK)) {
$certificateInfos = openssl_x509_parse(file_get_contents($ldap_cert['tmp_name']));
} else {
$certificateInfos = openssl_x509_parse(file_get_contents($LDAPS_CERT_LOC));
}
if (preg_match_all('@/[a-zA-Z]+=([^/]+)@', $certificateInfos['name'], $matches)) {
$cert_domainName = implode('.', array_reverse($matches[1]));
if ($cert_domainName !== $ldap_server) {
$response['warnings'][] = str_replace("§cert_domainName§", $cert_domainName, $l_ldap_cert_cn_diff_dn);
}
}
$res = ldap_checkServerConfig($cert_domainName, $ldap_user, $ldap_password, $ldap_base_dn, $ldap_uid, $ldap_ssl, $ldap_cert_tmpFilename, $ldap_cert_required);
if ($res > 1) {
$result = $res;
}
$result = max($result, $res);
}
}
 
$response['result'] = $result;
}
}
 
267,7 → 344,7
<link type="text/css" href="/css/ldap.css" rel="stylesheet">
<script>
function onLdapStatusChange() {
var listToDisables = ['ldap_server', 'ldap_dn', 'ldap_uid', 'ldap_base_filter', 'ldap_user', 'ldap_password'];
var listToDisables = ['ldap_server', 'ldap_dn', 'ldap_uid', 'ldap_base_filter', 'ldap_user', 'ldap_password', 'ldap_ssl', 'ldap_cert_required', 'ldap_cert'];
var formSubmit = document.querySelector('form input[type="submit"]');
var btn_checkConf = document.getElementById('btn-checkconf');
var isChecked = false;
274,11 → 351,25
 
if (document.getElementById('auth_enable').value === '1') {
for (var i=0; i<listToDisables.length; i++) {
document.getElementById(listToDisables[i]).style.backgroundColor = '#ffffff';
document.getElementById(listToDisables[i]).style.backgroundColor = null;
document.getElementById(listToDisables[i]).disabled = false;
}
if (document.getElementById('ldap_ssl').value === 'off') {
document.getElementById('ldap_cert_required').style.backgroundColor = '#c0c0c0';
document.getElementById('ldap_cert_required').disabled = true;
document.getElementById('ldap_cert').style.backgroundColor = '#c0c0c0';
document.getElementById('ldap_cert').disabled = true;
}
else if (document.getElementById('ldap_cert_required').value === 'off') {
document.getElementById('ldap_cert').style.backgroundColor = '#c0c0c0';
document.getElementById('ldap_cert').disabled = true;
}
formSubmit.style.display = 'none';
btn_checkConf.style.display = null;
<?php if (PHP_VERSION_ID < 70100): ?>
// Compatibility with PHP < 7.1.0 # TODO : remove if ever Mageia 7 is released
formSubmit.style.display = null;
<?php endif; ?>
} else {
for (var i=0; i<listToDisables.length; i++) {
document.getElementById(listToDisables[i]).style.backgroundColor = '#c0c0c0';
293,20 → 384,10
var messagesElem = document.querySelector('fieldset > legend > div');
var formSubmit = document.querySelector('form input[type="submit"]');
var btn_checkConf = document.getElementById('btn-checkconf');
var form = document.getElementById('form-config_ldap');
var post_data = new FormData(form);
post_data.delete('auth_enable');
 
var ldap_config = {
ldap_status: (document.getElementById('auth_enable').value === '1'),
ldap_server: document.getElementById('ldap_server').value,
ldap_user: document.getElementById('ldap_user').value,
ldap_password: document.getElementById('ldap_password').value,
ldap_base_dn: document.getElementById('ldap_dn').value,
ldap_uid: document.getElementById('ldap_uid').value,
ldap_base_filter: document.getElementById('ldap_base_filter').value
};
 
// Format HTTP POST data
var post_data = Object.keys(ldap_config).map( function (k) { return encodeURIComponent(k) + '=' + encodeURIComponent(ldap_config[k]) } ).join('&');
 
messagesElem.innerHTML = '<?= $l_checkingConf ?>';
 
var xhr = new XMLHttpRequest();
347,10 → 428,17
formSubmit.style.display = 'none';
btn_checkConf.style.display = null;
}
<?php if (PHP_VERSION_ID < 70100): ?>
// Compatibility with PHP < 7.1.0 # TODO : remove if ever Mageia 7 is released
formSubmit.style.display = null;
<?php endif; ?>
 
if (typeof data.errors !== 'undefined') {
messages = '<span style=\"color: red\">' + data.errors.join('</span><br><span style=\"color: red\">') + '</span><br>';
}
if (typeof data.warnings !== 'undefined') {
messages += '<br><span style=\"color: orange\">' + data.warnings.join('</span><br><span style=\"color: orange\">') + '</span><br>';
}
 
messagesElem.innerHTML = messages;
} else {
359,7 → 447,6
}
};
xhr.open('POST', 'ldap.php?conf_check', true);
xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
xhr.send(post_data);
}
</script>
368,7 → 455,7
<div class="panel">
<div class="panel-header"><?= $l_ldap_legend ?></div>
<div class="panel-body">
<form name="config_ldap" method="POST" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>">
<form id="form-config_ldap" name="config_ldap" method="POST" action="<?= htmlspecialchars($_SERVER['PHP_SELF']) ?>" enctype="multipart/form-data">
<fieldset>
<legend>
<br>
440,9 → 527,43
<?= $l_ldap_password_text ?>
</dt>
<dd>
<input type="text" id="ldap_password" type="password" size="40" name="ldap_password" value="<?= htmlspecialchars($ldap_password) ?>" oninput="onLdapStatusChange();">
<input type="password" id="ldap_password" size="40" name="ldap_password" value="<?= htmlspecialchars($ldap_password) ?>" oninput="onLdapStatusChange();">
</dd>
</dl>
<dl>
<dt>
<label for="ldap_ssl"><?= $l_ldap_ssl_label ?></label><br>
<?= $l_ldap_ssl_text ?><br>
</dt>
<dd>
<select id="ldap_ssl" name="ldap_ssl" onchange="onLdapStatusChange();">
<option value="on"<?= ($ldap_ssl) ? ' selected="selected"' : '' ?>><?= $l_ldap_YES ?></option>
<option value="off"<?= (!$ldap_ssl) ? ' selected="selected"' : '' ?>><?= $l_ldap_NO ?></option>
</select>
</dd>
</dl>
<dl>
<dt>
<label for="ldap_cert_required"><?= $l_ldap_cert_required_label ?></label><br>
<?= $l_ldap_cert_required_text ?><br>
</dt>
<dd>
<select id="ldap_cert_required" name="ldap_cert_required" onchange="onLdapStatusChange();">
<option value="on"<?= ($ldap_cert_required) ? ' selected="selected"' : '' ?>><?= $l_ldap_YES ?></option>
<option value="off"<?= (!$ldap_cert_required) ? ' selected="selected"' : '' ?>><?= $l_ldap_NO ?></option>
</select>
</dd>
</dl>
<dl>
<dt>
<label for="ldap_cert"><?= $l_ldap_cert_label ?></label><br>
<?= $l_ldap_cert_text ?><br>
<?= (($ldap_cert_subject) ? "$l_ldap_cert_status_cur $ldap_cert_subject" : $l_ldap_cert_status_no ) ?>
</dt>
<dd>
<input type="file" id="ldap_cert" name="ldap_cert" oninput="onLdapStatusChange();">
</dd>
</dl>
<p>
<button id="btn-checkconf" onclick="checkConfig(); return false;"><?= $l_check ?></button>
<input id="submit" type="submit" value="<?= $l_ldap_submit ?>" name="submit">