/web/acc/admin/ldap.php |
---|
1,4 → 1,7 |
<?php |
require_once("lib/alcasar/freeradius/siteconfig.php"); |
require_once("lib/alcasar/freeradius/ldapconfig.php"); |
/* written by steweb57 */ |
/**************************************************************** |
* CONSTANTES AVEC CHEMINS DES FICHIERS DE CONFIGURATION * |
50,7 → 53,7 |
*****************************************************************/ |
//Création des variables nécessaires |
//variables ldap |
$ldap = ""; |
$ldap_on = ""; |
$ldap_server = ""; //IP ou nom DNS du seveur LDAP (ou AD) |
//par défaut : server = "ldap.your.domain" |
$ldap_identity = ""; //nom d'utilisateur qui intérroge le ldap (vide = anonyme) |
66,99 → 69,25 |
//par défaut : # base_filter = "(objectclass=radiusprofile)" |
/******************************************************** |
* Fichier ALCASAR_RADIUS_SITE * |
* Fichier ALCASAR_RADIUS_SITE * |
*********************************************************/ |
//variables pour le parcourt des fichiers |
//$ouvre : fichier ouvert |
//$tampon : ligne en cours |
// |
//Lecture du fichier /etc/raddb/sites-available/alcasar |
$continue = true; |
$ouvre=fopen(ALCASAR_RADIUS_SITE,"r"); |
if ($ouvre){ |
while (!feof ($ouvre)) |
{ |
$tampon = fgets($ouvre, 4096); |
if ((preg_match('`^([\s#]*ldap[\s]*)$`',$tampon))&&$continue){ |
//Récupération dans la section authorise de la ligne ldap |
//valeur : ldap = authentification ldap authorisée |
//valeur : #ldap = authentification ldap non authorisée |
//section authenticat utile ? |
//section post-auth non utilisée |
$ldap = trim($tampon); |
$continue = false;//arret de la boucle lorsque l'on trouve le premier élément "ldap" dans le fichier |
} |
} |
}else{ |
exit("Erreur d'ouverture du fichier /etc/raddb/sites-available/alcasar"); |
} |
fclose($ouvre); |
/**************************************************************** |
* Fichier ALCASAR_RADIUS_MODULE_LDAP * |
*****************************************************************/ |
$site = new siteConfig(); |
$site->load(ALCASAR_RADIUS_SITE); |
$ldap_on = $site->authorize->ldap; |
/******************************************************** |
* Fichier ALCASAR_RADIUS_MODULE_LDAP * |
*********************************************************/ |
//Lecture du fichier /etc/raddb/modules/ldap |
$ouvre=fopen(ALCASAR_RADIUS_MODULE_LDAP,"r"); |
if ($ouvre){ |
while (!feof ($ouvre)) |
{ |
$tampon = fgets($ouvre, 4096); |
if (preg_match('`^([\s#]*server(\s*)=)`',$tampon)){ |
//if (preg_match('`^((\s*)(#*)(\s*)server\b(\s*)=)`i',$tampon)){ |
//Récupération de la ligne contenant le paramettre ldap server |
$ldap_server = ltrim($tampon); |
} elseif (preg_match('`^([\s#]*identity(\s*)=)`',$tampon)){ |
//Récupération de la ligne contenant le paramettre ldap identity |
$ldap_identity = ltrim($tampon); |
} elseif (preg_match('`^([\s#]*password(\s*)=)`',$tampon)){ |
//Récupération de la ligne contenant le paramettre ldap password |
$ldap_password = ltrim($tampon); |
} elseif (preg_match('`^([\s#]*basedn(\s*)=)`',$tampon)){ |
//Récupération de la ligne contenant le paramettre ldap basedn |
$ldap_basedn = ltrim($tampon); |
} elseif (preg_match('`^([\s#]*filter(\s*)=)`',$tampon)){ |
//Récupération de la ligne contenant le paramettre ldap filter |
$ldap_filter = ltrim($tampon); |
} elseif (preg_match('`^([\s#]*base_filter(\s*)=)`',$tampon)){ |
//Récupération de la ligne contenant le paramettre ldap base_filter |
$ldap_base_filter = ltrim($tampon); |
} |
} |
}else{ |
exit("Erreur d'ouverture du fichier /etc/raddb/modules/ldap"); |
} |
fclose($ouvre); |
$ldap = new ldapConfig(); |
$ldap->load(ALCASAR_RADIUS_MODULE_LDAP); |
$ldap_server = $ldap->server; |
$ldap_identity = $ldap->identity; |
$ldap_password = $ldap->password; |
$ldap_basedn = $ldap->basedn; |
$ldap_filter = $ldap->filter; |
$ldap_base_filter = $ldap->base_filter; |
//mise en forme des parametres ldap récupérés |
//A FAIRE : test de contrôle des valeurs $tmp[O] pour être sur d'avoir les bonnes lignes du fichier de conf !!! |
//pas de test de la variable ldap car tester dans la comparaison du formulaire ci-dessous (si $ldap = "ldap" authentification LDAP activée, elle est désactivé). |
$tmp = explode("=",$ldap_server,2); |
$ldap_server = str_replace("\"","",$tmp[1]); //suppression des " dans la chaine |
$ldap_server = trim($ldap_server); //suppression des espaces avant et après la chaine |
$tmp = explode("=",$ldap_identity,2); |
$ldap_identity = str_replace("\"","",$tmp[1]); //suppression des " dans la chaine |
$ldap_identity = trim($ldap_identity); //suppression des espaces avant et après la chaine |
$tmp = explode("=",$ldap_password,2); |
$ldap_password = str_replace("\"","",$tmp[1]); //suppression des " dans la chaine |
$ldap_password = trim($ldap_password); //suppression des espaces avant et après la chaine |
$tmp = explode("=",$ldap_basedn,2); |
$ldap_basedn = str_replace("\"","",$tmp[1]); //suppression des " dans la chaine |
$ldap_basedn = trim($ldap_basedn); //suppression des espaces avant et après la chaine |
$tmp = explode("=",$ldap_filter,3); |
$ldap_filter = str_replace("\"","",$tmp[1]); //suppression des " dans la chaine |
$ldap_filter = trim($ldap_filter); //suppression des espaces avant et après la chaine |
$ldap_filter = str_replace("(","",$ldap_filter);//suppression du ( dans la chaine |
$tmp = explode("=",$ldap_base_filter,2); |
$ldap_base_filter = str_replace("\"","",$tmp[1]); //suppression des " dans la chaine |
$ldap_base_filter = trim($ldap_base_filter); //suppression des espaces avant et après la chaine |
# Choice of language |
$Language = 'en'; |
if(isset($_SERVER['HTTP_ACCEPT_LANGUAGE'])){ |
290,7 → 219,7 |
} else { |
$new_ldap_server = $ldap_server; |
} |
if (($ldap == "ldap") && (function_exists('ldap_connect'))){ |
if (($ldap_on == "ldap") && (function_exists('ldap_connect'))){ |
echo "<div align='center'><br>"; |
switch(ldap_test($new_ldap_server, $ldap_identity, $ldap_password)){ |
case -2: |
/web/acc/admin/lib/alcasar/freeradius/siteConfig.php |
---|
0,0 → 1,620 |
<?php |
/* |
This class handled of ldap configuration. |
WARNING! This class can't says if the configuration is valid or not. |
*/ |
require_once('configreader.php'); |
class siteConfig |
{ |
/* |
$_sections : radius sections container |
*/ |
protected $_sections = Array(); |
public function __construct() { |
$this->_sections['authorize'] = new sectionItem('authorize'); |
$this->_sections['authenticate'] = new sectionItem('authorize'); |
$this->_sections['preacct'] = new sectionItem('preacct'); |
$this->_sections['accounting'] = new sectionItem('accounting'); |
$this->_sections['session'] = new sectionItem('session'); |
$this->_sections['post-auth'] = new sectionItem('post-auth'); |
$this->_sections['pre-proxy'] = new sectionItem('pre-proxy'); |
$this->_sections['post-proxy'] = new sectionItem('post-proxy'); |
} |
private function _doSpace($nbspace = 0){ |
$resp=""; |
for ($i = 1; $i <= $nbspace; $i++){ |
$resp.=" "; |
} |
return $resp; |
} |
private function _writeModule($module, $default=null, $space=0){ |
if (is_object($module)){ |
if ($module->getType()==='section'){ |
$resp = $this->_doSpace($space).$module." ".$module->getInstanceName(); |
if (count($module->getAll())>0){ |
$resp .= " { \n"; |
foreach ($module->getAll() as $childItem) { |
$resp .= $this->_writeModule($childItem, null, $space+1); |
} |
$resp .= $this->_doSpace($space)." } \n"; |
} elseif ($module->getInstanceName()!==""){ |
$resp .= " { \n"; |
$resp .= "\n"; |
$resp .= $this->_doSpace($space)." } \n"; |
} else { |
$resp .= "\n"; |
} |
return $resp; |
}elseif ($module->getType()==='pair'){ |
$resp = $this->_doSpace($space).$module->getName()."="; |
$resp .=$module->getPair($module->getName()); |
$resp .="\n"; |
return $resp; |
} else { |
} |
} elseif (is_array($module)&&count($module)>0) { |
/* |
for section width multiple instance |
!!! empty section are array too!! we must count the array! |
*/ |
$resp = ""; |
foreach ($module as $instance) { |
$resp .= $this->_doSpace($space). $this->_writeModule($instance, $default, $space); |
} |
return $resp; |
} else { |
return $default; |
} |
} |
public function __get($attr){ |
if (array_key_exists($attr, $this->_sections)){ |
return $this->_sections[$attr]; |
} |
return false; |
} |
public function __set($attr, $value){ |
/* |
A FAIRE |
*/ |
} |
public function load($confFile){ |
// use here the parsing class |
require_once("configreader.php"); |
$r = new configReader($confFile); |
$this->_sections['authorize'] = $r->getSection('authorize'); |
$this->_sections['authenticate'] = $r->getSection('authenticate'); |
$this->_sections['preacct'] = $r->getSection('preacct'); |
$this->_sections['accounting'] = $r->getSection('accounting'); |
$this->_sections['session'] = $r->getSection('session'); |
$this->_sections['post-auth'] = $r->getSection('post-auth'); |
$this->_sections['pre-proxy'] = $r->getSection('pre-proxy'); |
$this->_sections['post-proxy'] = $r->getSection('post-proxy'); |
} |
public function __toString() { |
return "siteConfig"; |
} |
public function save($savefile = null, $returnconfig = false){ |
/* |
outpout with template (faster and we can write a lot of comments) |
*/ |
$config = " |
###################################################################### |
# |
# As of 2.0.0, FreeRADIUS supports virtual hosts using the |
# \"server\" section, and configuration directives. |
# |
# Virtual hosts should be put into the \"sites-available\" |
# directory. Soft links should be created in the \"sites-enabled\" |
# directory to these files. This is done in a normal installation. |
# |
# |
###################################################################### |
# |
# Read \"man radiusd\" before editing this file. See the section |
# titled DEBUGGING. It outlines a method where you can quickly |
# obtain the configuration you want, without running into |
# trouble. See also \"man unlang\", which documents the format |
# of this file. |
# |
# This configuration is designed to work in the widest possible |
# set of circumstances, with the widest possible number of |
# authentication methods. This means that in general, you should |
# need to make very few changes to this file. |
# |
# The best way to configure the server for your local system |
# is to CAREFULLY edit this file. Most attempts to make large |
# edits to this file will BREAK THE SERVER. Any edits should |
# be small, and tested by running the server with \"radiusd -X\". |
# Once the edits have been verified to work, save a copy of these |
# configuration files somewhere. (e.g. as a \"tar\" file). Then, |
# make more edits, and test, as above. |
# |
# There are many \"commented out\" references to modules such |
# as ldap, sql, etc. These references serve as place-holders. |
# If you need the functionality of that module, then configure |
# it in radiusd.conf, and un-comment the references to it in |
# this file. In most cases, those small changes will result |
# in the server being able to connect to the DB, and to |
# authenticate users. |
# |
###################################################################### |
# |
# In 1.x, the \"authorize\", etc. sections were global in |
# radiusd.conf. As of 2.0, they SHOULD be in a server section. |
# |
# The server section with no virtual server name is the \"default\" |
# section. It is used when no server name is specified. |
# |
# We don't indent the rest of this file, because doing so |
# would make it harder to read. |
# |
# Authorization. First preprocess (hints and huntgroups files), |
# then realms, and finally look in the \"users\" file. |
# |
# The order of the realm modules will determine the order that |
# we try to find a matching realm. |
# |
# Make *sure* that 'preprocess' comes before any realm if you |
# need to setup hints for the remote radius server |
authorize { |
# |
# The preprocess module takes care of sanitizing some bizarre |
# attributes in the request, and turning them into attributes |
# which are more standard. |
# |
# It takes care of processing the 'raddb/hints' and the |
# 'raddb/huntgroups' files. |
# |
# It also adds the %{Client-IP-Address} attribute to the request. |
".$this->_writeModule($this->_sections['authorize']->preprocess, 'preprocess')." |
# |
# If you want to have a log of authentication requests, |
# un-comment the following line, and the 'detail auth_log' |
# section, above. |
".$this->_writeModule($this->_sections['authorize']->getSection('auth-log'), '# auth_log')." |
# |
# The chap module will set 'Auth-Type := CHAP' if we are |
# handling a CHAP request and Auth-Type has not already been set |
".$this->_writeModule($this->_sections['authorize']->chap, '# chap')." |
# |
# If the users are logging in with an MS-CHAP-Challenge |
# attribute for authentication, the mschap module will find |
# the MS-CHAP-Challenge attribute, and add 'Auth-Type := MS-CHAP' |
# to the request, which will cause the server to then use |
# the mschap module for authentication. |
".$this->_writeModule($this->_sections['authorize']->mschap, '# mschap')." |
# |
# If you have a Cisco SIP server authenticating against |
# FreeRADIUS, uncomment the following line, and the 'digest' |
# line in the 'authenticate' section. |
".$this->_writeModule($this->_sections['authorize']->digest, '# digest')." |
# |
# Look for IPASS style 'realm/', and if not found, look for |
# '@realm', and decide whether or not to proxy, based on |
# that. |
".$this->_writeModule($this->_sections['authorize']->IPASS, '# IPASS')." |
# |
# If you are using multiple kinds of realms, you probably |
# want to set \"ignore_null = yes\" for all of them. |
# Otherwise, when the first style of realm doesn't match, |
# the other styles won't be checked. |
# |
".$this->_writeModule($this->_sections['authorize']->suffix, '# suffix')." |
".$this->_writeModule($this->_sections['authorize']->ntdomain, '# ntdomain')." |
# |
# This module takes care of EAP-MD5, EAP-TLS, and EAP-LEAP |
# authentication. |
# |
# It also sets the EAP-Type attribute in the request |
# attribute list to the EAP type from the packet. |
# |
# As of 2.0, the EAP module returns \"ok\" in the authorize stage |
# for TTLS and PEAP. In 1.x, it never returned \"ok\" here, so |
# this change is compatible with older configurations. |
# |
# The example below uses module failover to avoid querying all |
# of the following modules if the EAP module returns \"ok\". |
# Therefore, your LDAP and/or SQL servers will not be queried |
# for the many packets that go back and forth to set up TTLS |
# or PEAP. The load on those servers will therefore be reduced. |
# |
".$this->_writeModule($this->_sections['authorize']->eap, '# eap { |
# ok = return |
# }')." |
# |
# Pull crypt'd passwords from /etc/passwd or /etc/shadow, |
# using the system API's to get the password. If you want |
# to read /etc/passwd or /etc/shadow directly, see the |
# passwd module in radiusd.conf. |
# |
".$this->_writeModule($this->_sections['authorize']->unix, '# unix')." |
# |
# Read the 'users' file |
".$this->_writeModule($this->_sections['authorize']->files, '# files')." |
# |
# Look in an SQL database. The schema of the database |
# is meant to mirror the \"users\" file. |
# |
# See \"Authorization Queries\" in sql.conf |
".$this->_writeModule($this->_sections['authorize']->sql, 'sql')." |
".$this->_writeModule($this->_sections['authorize']->noresetcounter, 'noresetcounter')." |
".$this->_writeModule($this->_sections['authorize']->dailycounter, 'dailycounter')." |
".$this->_writeModule($this->_sections['authorize']->monthlycounter, 'monthlycounter')." |
# |
# If you are using /etc/smbpasswd, and are also doing |
# mschap authentication, the un-comment this line, and |
# configure the 'etc_smbpasswd' module, above. |
".$this->_writeModule($this->_sections['authorize']->etc_smbpasswd, '# etc_smbpasswd')." |
# |
# The ldap module will set Auth-Type to LDAP if it has not |
# already been set |
".$this->_writeModule($this->_sections['authorize']->ldap, '# ldap { |
# fail = 1 |
# }')." |
# |
# Enforce daily limits on time spent logged in. |
".$this->_writeModule($this->_sections['authorize']->daily, '# daily')." |
# |
# Use the checkval modulel |
".$this->_writeModule($this->_sections['authorize']->checkval, '# checkval')." |
".$this->_writeModule($this->_sections['authorize']->expiration, 'expiration')." |
".$this->_writeModule($this->_sections['authorize']->logintime, 'logintime')." |
# |
# If no other module has claimed responsibility for |
# authentication, then try to use PAP. This allows the |
# other modules listed above to add a \"known good\" password |
# to the request, and to do nothing else. The PAP module |
# will then see that password, and use it to do PAP |
# authentication. |
# |
# This module should be listed last, so that the other modules |
# get a chance to set Auth-Type for themselves. |
# |
".$this->_writeModule($this->_sections['authorize']->pap, '# pap')." |
# |
# If \"status_server = yes\", then Status-Server messages are passed |
# through the following section, and ONLY the following section. |
# This permits you to do DB queries, for example. If the modules |
# listed here return \"fail\", then NO response is sent. |
# |
".$this->_writeModule($this->_sections['authorize']->getSection('Autz-Type'), '# Autz-Type Status-Server { |
# |
# }')." |
} |
# Authentication. |
# |
# |
# This section lists which modules are available for authentication. |
# Note that it does NOT mean 'try each module in order'. It means |
# that a module from the 'authorize' section adds a configuration |
# attribute 'Auth-Type := FOO'. That authentication type is then |
# used to pick the apropriate module from the list below. |
# |
# In general, you SHOULD NOT set the Auth-Type attribute. The server |
# will figure it out on its own, and will do the right thing. The |
# most common side effect of erroneously setting the Auth-Type |
# attribute is that one authentication method will work, but the |
# others will not. |
# |
# The common reasons to set the Auth-Type attribute by hand |
# is to either forcibly reject the user (Auth-Type := Reject), |
# or to or forcibly accept the user (Auth-Type := Accept). |
# |
# Note that Auth-Type := Accept will NOT work with EAP. |
# |
# Please do not put \"unlang\" configurations into the \"authenticate\" |
# section. Put them in the \"post-auth\" section instead. That's what |
# the post-auth section is for. |
# |
authenticate { |
# # |
# # PAP authentication, when a back-end database listed |
# # in the 'authorize' section supplies a password. The |
# # password can be clear-text, or encrypted. |
".$this->_writeModule($this->_sections['authenticate']->getSectionInstance('Auth-Type','PAP'), '# Auth-Type PAP { |
# pap |
# }')." |
# |
# # |
# # Most people want CHAP authentication |
# # A back-end database listed in the 'authorize' section |
# # MUST supply a CLEAR TEXT password. Encrypted passwords |
# # won't work. |
".$this->_writeModule($this->_sections['authenticate']->getSectionInstance('Auth-Type','CHAP'), '# Auth-Type CHAP { |
# chap |
# }')." |
# |
# # |
# # MSCHAP authentication. |
".$this->_writeModule($this->_sections['authenticate']->getSectionInstance('Auth-Type','MS-CHAP'), '# Auth-Type MS-CHAP { |
# mschap |
# }')." |
# |
# # |
# # If you have a Cisco SIP server authenticating against |
# # FreeRADIUS, uncomment the following line, and the 'digest' |
# # line in the 'authorize' section. |
".$this->_writeModule($this->_sections['authenticate']->digest, '# digest')." |
# |
# # |
# # Pluggable Authentication Modules. |
".$this->_writeModule($this->_sections['authenticate']->pam, '# pam')." |
# |
# # |
# # See 'man getpwent' for information on how the 'unix' |
# # module checks the users password. Note that packets |
# # containing CHAP-Password attributes CANNOT be authenticated |
# # against /etc/passwd! See the FAQ for details. |
# # |
".$this->_writeModule($this->_sections['authenticate']->unix, '# unix')." |
# |
# # Uncomment it if you want to use ldap for authentication |
# # |
# # Note that this means \"check plain-text password against |
# # the ldap database\", which means that EAP won't work, |
# # as it does not supply a plain-text password. |
".$this->_writeModule($this->_sections['authenticate']->getSectionInstance('Auth-Type','LDAP'), '# Auth-Type LDAP { |
# ldap |
# }')." |
# |
# # |
# # Allow EAP authentication. |
".$this->_writeModule($this->_sections['authenticate']->eap, '# eap')." |
} |
# |
# Pre-accounting. Decide which accounting type to use. |
# |
preacct { |
".$this->_writeModule($this->_sections['preacct']->preprocess, '# preprocess')." |
# |
# Ensure that we have a semi-unique identifier for every |
# request, and many NAS boxes are broken. |
".$this->_writeModule($this->_sections['preacct']->acct_unique, '# acct_unique')." |
# |
# Look for IPASS-style 'realm/', and if not found, look for |
# '@realm', and decide whether or not to proxy, based on |
# that. |
# |
# Accounting requests are generally proxied to the same |
# home server as authentication requests. |
".$this->_writeModule($this->_sections['preacct']->IPASS, '# IPASS')." |
".$this->_writeModule($this->_sections['preacct']->suffix, '# suffix')." |
".$this->_writeModule($this->_sections['preacct']->ntdomain, '# ntdomain')." |
# |
# Read the 'acct_users' file |
".$this->_writeModule($this->_sections['preacct']->files, '# files')." |
} |
# |
# Accounting. Log the accounting data. |
# |
accounting { |
# |
# Create a 'detail'ed log of the packets. |
# Note that accounting requests which are proxied |
# are also logged in the detail file. |
".$this->_writeModule($this->_sections['accounting']->detail, '# detail')." |
".$this->_writeModule($this->_sections['accounting']->daily, '# daily')." |
# Update the wtmp file |
# |
# If you don't use \"radlast\", you can delete this line. |
".$this->_writeModule($this->_sections['accounting']->unix, '# unix')." |
# |
# For Simultaneous-Use tracking. |
# |
# Due to packet losses in the network, the data here |
# may be incorrect. There is little we can do about it. |
".$this->_writeModule($this->_sections['accounting']->radutmp, '# radutmp')." |
".$this->_writeModule($this->_sections['accounting']->sradutmp, 'sradutmp')." |
# Return an address to the IP Pool when we see a stop record. |
".$this->_writeModule($this->_sections['accounting']->main_pool, '# main_pool')." |
# |
# Log traffic to an SQL database. |
# |
# See \"Accounting queries\" in sql.conf |
".$this->_writeModule($this->_sections['accounting']->sql, 'sql')." |
# |
# Instead of sending the query to the SQL server, |
# write it into a log file. |
# |
".$this->_writeModule($this->_sections['accounting']->sql_log, '# sql_log')." |
# Cisco VoIP specific bulk accounting |
".$this->_writeModule($this->_sections['accounting']->getSection('pgsql-voip'), '# pgsql-voip')." |
# Filter attributes from the accounting response. |
".$this->_writeModule($this->_sections['accounting']->getSection('attr_filter.accounting_response'), 'attr_filter.accounting_response')." |
# |
# See \"Autz-Type Status-Server\" for how this works. |
# |
".$this->_writeModule($this->_sections['accounting']->getSectionInstance('Acct-Type','Status-Server'), '# Acct-Type Status-Server { |
# |
# }')." |
} |
# Session database, used for checking Simultaneous-Use. Either the radutmp |
# or rlm_sql module can handle this. |
# The rlm_sql module is *much* faster |
session { |
".$this->_writeModule($this->_sections['session']->radutmp, '# radutmp')." |
# |
# See \"Simultaneous Use Checking Queries\" in sql.conf |
".$this->_writeModule($this->_sections['session']->sql, '# sql')." |
} |
# Post-Authentication |
# Once we KNOW that the user has been authenticated, there are |
# additional steps we can take. |
post-auth { |
# Get an address from the IP Pool. |
".$this->_writeModule($this->_sections['post-auth']->main_pool, '# main_pool')." |
# |
# If you want to have a log of authentication replies, |
# un-comment the following line, and the 'detail reply_log' |
# section, above. |
".$this->_writeModule($this->_sections['post-auth']->reply_log, '# reply_log')." |
# |
# After authenticating the user, do another SQL query. |
# |
# See \"Authentication Logging Queries\" in sql.conf |
".$this->_writeModule($this->_sections['post-auth']->sql, '# sql')." |
# |
# Instead of sending the query to the SQL server, |
# write it into a log file. |
# |
".$this->_writeModule($this->_sections['post-auth']->sql_log, '# sql_log')." |
# |
# Un-comment the following if you have set |
# 'edir_account_policy_check = yes' in the ldap module sub-section of |
# the 'modules' section. |
# |
".$this->_writeModule($this->_sections['post-auth']->ldap, '# ldap')." |
".$this->_writeModule($this->_sections['post-auth']->exec, '# exec')." |
# |
# Access-Reject packets are sent through the REJECT sub-section of the |
# post-auth section. |
# |
# Add the ldap module name (or instance) if you have set |
# 'edir_account_policy_check = yes' in the ldap module configuration |
# |
Post-Auth-Type REJECT { |
attr_filter.access_reject |
} |
".$this->_writeModule($this->_sections['post-auth']->files, '# files')." |
} |
# |
# When the server decides to proxy a request to a home server, |
# the proxied request is first passed through the pre-proxy |
# stage. This stage can re-write the request, or decide to |
# cancel the proxy. |
# |
# Only a few modules currently have this method. |
# |
pre-proxy { |
".$this->_writeModule($this->_sections['preacct']->attr_rewrite, '# attr_rewrite')." |
# Uncomment the following line if you want to change attributes |
# as defined in the preproxy_users file. |
".$this->_writeModule($this->_sections['preacct']->files, '# files')." |
# Uncomment the following line if you want to filter requests |
# sent to remote servers based on the rules defined in the |
# 'attrs.pre-proxy' file. |
".$this->_writeModule($this->_sections['preacct']->getSection('attr_filter.pre-proxy'), '# attr_filter.pre-proxy')." |
# If you want to have a log of packets proxied to a home |
# server, un-comment the following line, and the |
# 'detail pre_proxy_log' section, above. |
".$this->_writeModule($this->_sections['preacct']->pre_proxy_log, '# pre_proxy_log')." |
} |
# |
# When the server receives a reply to a request it proxied |
# to a home server, the request may be massaged here, in the |
# post-proxy stage. |
# |
post-proxy { |
# If you want to have a log of replies from a home server, |
# un-comment the following line, and the 'detail post_proxy_log' |
# section, above. |
".$this->_writeModule($this->_sections['post-proxy']->post_proxy_log, '# post_proxy_log')." |
".$this->_writeModule($this->_sections['post-proxy']->attr_rewrite, '# attr_rewrite')." |
# Uncomment the following line if you want to filter replies from |
# remote proxies based on the rules defined in the 'attrs' file. |
".$this->_writeModule($this->_sections['post-proxy']->getSection('attr_filter.post-proxy'), '# attr_filter.post-proxy')." |
# |
# If you are proxying LEAP, you MUST configure the EAP |
# module, and you MUST list it here, in the post-proxy |
# stage. |
# |
# You MUST also use the 'nostrip' option in the 'realm' |
# configuration. Otherwise, the User-Name attribute |
# in the proxied request will not match the user name |
# hidden inside of the EAP packet, and the end server will |
# reject the EAP request. |
# |
".$this->_writeModule($this->_sections['post-proxy']->eap, '# eap')." |
# |
# If the server tries to proxy a request and fails, then the |
# request is processed through the modules in this section. |
# |
# The main use of this section is to permit robust proxying |
# of accounting packets. The server can be configured to |
# proxy accounting packets as part of normal processing. |
# Then, if the home server goes down, accounting packets can |
# be logged to a local \"detail\" file, for processing with |
# radrelay. When the home server comes back up, radrelay |
# will read the detail file, and send the packets to the |
# home server. |
# |
# With this configuration, the server always responds to |
# Accounting-Requests from the NAS, but only writes |
# accounting packets to disk if the home server is down. |
# |
".$this->_writeModule($this->_sections['post-proxy']->getSection('Post-Proxy-Type'), '# Post-Proxy-Type Fail { |
# detail |
# }')." |
}"; |
if ($savefile !== null){ |
// save config file |
if (is_file($savefile)){ |
// save the file |
if (!is_writable($savefile)) |
return false; |
$updatedFile = fopen( $savefile, 'w' ); |
fwrite( $updatedFile, $config ); |
fclose( $updatedFile ); |
} else { |
// create a new file |
$newFile = fopen($savefile, 'w') or die("can't create file"); |
fwrite( $newFile, $config ); |
fclose( $newFile ); |
} |
} |
// test $returnconfig |
if ($returnconfig){ |
return $config; |
}else{ |
return true; |
} |
} |
} |
/web/acc/admin/lib/alcasar/freeradius/ldapConfig.php |
---|
0,0 → 1,313 |
<?php |
/* |
This class handled of ldap configuration. |
WARNING! This class can't says if the configuration is valid or not. |
*/ |
class ldapConfig |
{ |
protected $_items = Array(); |
protected $_tls = array(); |
protected $instanceName; |
public function __construct($instanceName=null) { |
if ($instanceName!== null) |
$this->instanceName = $instanceName; |
// LDAP setting |
$this->_items['protocol'] = 'ldap://'; |
$this->_items['host'] = 'test'; |
$this->_items['server'] = $this->_items['protocol'].$this->_items['host']; |
$this->_items['port'] = '389';//not use yet (689 = ldaps) |
$this->_items['identity'] = ''; |
$this->_items['password'] = ''; |
$this->_items['basedn'] = 'dc=example,dc=com'; |
$this->_items['filter'] = '(uid=%{Stripped-User-Name:-%{User-Name}})'; |
$this->_items['base_filter'] = ''; |
$this->_items['ldap_connections_number'] = '5'; |
$this->_items['timeout'] = '4'; |
$this->_items['timelimit'] = '3'; |
$this->_items['net_timeout'] = '1'; |
// TLS setting related items |
$this->_tls['start_tls'] = 'no'; // if no all tls config are comments |
$this->_tls['cacertfile'] = '#'; |
$this->_tls['cacertdir'] = '#'; |
$this->_tls['certfile'] = '#'; |
$this->_tls['keyfile'] = '#'; |
$this->_tls['randfile'] = '#'; |
$this->_tls['require_cert'] = '#'; |
// others ldap setting (optional) |
$this->_items['default_profile'] = '#'; |
$this->_items['profile_attribute'] = '#'; |
$this->_items['access_attr'] = '#'; |
// Mapping of RADIUS dictionary attributes to LDAP |
// directory attributes. |
$this->_items['dictionary_mapping'] = '${confdir}/ldap.attrmap'; |
// for ldap like NOVEL |
$this->_items['password_attribute'] = '#'; |
$this->_items['edir_account_policy_check'] = 'no'; |
// Group membership checking. Disabled by default. |
$this->_items['groupname_attribute'] = '#'; |
$this->_items['groupmembership_filter'] = '#'; |
$this->_items['groupmembership_attribute'] = '#'; |
$this->_items['compare_check_items'] = '#'; |
$this->_items['do_xlat'] = '#'; |
$this->_items['access_attr_used_for_allow'] = '#'; |
// auth option |
$this->_items['set_auth_type'] = '#'; |
// debug option |
$this->_items['ldap_debug'] = '#'; |
} |
public function __get($attr){ // to get an $item |
if ($attr==='tls'){ |
return $this->_tls; |
} elseif (array_key_exists($attr, $this->_items)){ |
return $this->_items[$attr]; |
} elseif (array_key_exists($attr, $this->_tls)){ |
return $this->_tls[$attr]; |
} |
// nothing else! |
} |
public function __set($attr, $value){// to set an $item |
if (array_key_exists($attr, $this->_items)){ |
$this->_items[$attr] = $value; |
} elseif (array_key_exists($attr, $this->_tls)){ |
$this->_tls[$attr] = $value; |
} |
} |
public function load($confFile){ |
// use here the parsing class |
require_once("configreader.php"); |
$r = new configReader($confFile); |
/* |
loading only if the file containt only one ldap instance. |
If more instance are found, we use the default values instead. |
*/ |
if (is_object($r->ldap)){ |
$this->instanceName = $r->ldap->getInstanceName(); |
$items = $r->ldap->getpair(); |
foreach ($this->_items as $key => $value){ |
if (array_key_exists($key, $items)) |
$this->_items[$key] = $items[$key]; |
} |
if (is_object($r->ldap->tls)){ |
$tls = $r->ldap->tls->getpair(); |
foreach ($this->_tls as $key => $value){ |
if (array_key_exists($key, $tls)) |
$this->_tls[$key] = $tls[$key]; |
} |
} |
} |
} |
public function __toString() { |
return $this->save(null, true); |
} |
protected function _noComment($name, $value, $quote = false){ |
if ($value !== '#'){ |
if ($quote === true){ |
return $name." = \"".$value."\""; |
} else { |
return $name." = ".$value; |
} |
} |
} |
public function save($savefile = null, $returnconfig = false){ |
// make config file |
$config = " |
# Lightweight Directory Access Protocol (LDAP) |
# |
# This module definition allows you to use LDAP for |
# authorization and authentication. |
# |
# See raddb/sites-available/default for reference to the |
# ldap module in the authorize and authenticate sections. |
# |
# However, LDAP can be used for authentication ONLY when the |
# Access-Request packet contains a clear-text User-Password |
# attribute. LDAP authentication will NOT work for any other |
# authentication method. |
# |
# This means that LDAP servers don't understand EAP. If you |
# force \"Auth-Type = LDAP\", and then send the server a |
# request containing EAP authentication, then authentication |
# WILL NOT WORK. |
# |
# The solution is to use the default configuration, which does |
# work. |
# |
# Setting \"Auth-Type = LDAP\" is ALMOST ALWAYS WRONG. We |
# really can't emphasize this enough. |
# |
ldap ".$this->instanceName."{ |
# |
# Note that this needs to match the name in the LDAP |
# server certificate, if you're using ldaps. |
server = \"".$this->_items['server']."\" |
identity = \"".$this->_items['identity']."\" |
password = ".$this->_items['password']." |
basedn = \"".$this->_items['basedn']."\" |
filter = \"".$this->_items['filter']."\" |
base_filter = \"".$this->_items['base_filter']."\" |
# How many connections to keep open to the LDAP server. |
# This saves time over opening a new LDAP socket for |
# every authentication request. |
ldap_connections_number = ".$this->_items['ldap_connections_number']." |
# seconds to wait for LDAP query to finish. default: 20 |
timeout = ".$this->_items['timeout']." |
# seconds LDAP server has to process the query (server-side |
# time limit). default: 20 |
# |
# LDAP_OPT_TIMELIMIT is set to this value. |
timelimit = ".$this->_items['timelimit']." |
# |
# seconds to wait for response of the server. (network |
# failures) default: 10 |
# |
# LDAP_OPT_NETWORK_TIMEOUT is set to this value. |
net_timeout = ".$this->_items['net_timeout']." |
# |
# This subsection configures the tls related items |
# that control how FreeRADIUS connects to an LDAP |
# server. It contains all of the \"tls_*\" configuration |
# entries used in older versions of FreeRADIUS. Those |
# configuration entries can still be used, but we recommend |
# using these. |
# |
tls { |
# Set this to 'yes' to use TLS encrypted connections |
# to the LDAP database by using the StartTLS extended |
# operation. |
# |
# The StartTLS operation is supposed to be |
# used with normal ldap connections instead of |
# using ldaps (port 689) connections |
start_tls = ".$this->_tls['start_tls']." |
# cacertfile = /path/to/cacert.pem |
# cacertdir = /path/to/ca/dir/ |
# certfile = /path/to/radius.crt |
# keyfile = /path/to/radius.key |
# randfile = /path/to/rnd |
".$this->_noComment("cacertfile", $this->_tls['cacertfile'])." |
".$this->_noComment("cacertdir", $this->_tls['cacertdir'])." |
".$this->_noComment("certfile", $this->_tls['certfile'])." |
".$this->_noComment("keyfile", $this->_tls['keyfile'])." |
".$this->_noComment("randfile", $this->_tls['randfile'])." |
# Certificate Verification requirements. Can be: |
# \"never\" (don't even bother trying) |
# \"allow\" (try, but don't fail if the cerificate |
# can't be verified) |
# \"demand\" (fail if the certificate doesn't verify.) |
# |
# The default is \"allow\" |
# require_cert = \"demand\" |
".$this->_noComment("require_cert", $this->_tls['require_cert'], true)." |
} |
# default_profile = \"cn=radprofile,ou=dialup,o=My Org,c=UA\" |
# profile_attribute = \"radiusProfileDn\" |
# access_attr = \"dialupAccess\" |
".$this->_noComment("default_profile", $this->_items['default_profile'], true)." |
".$this->_noComment("profile_attribute", $this->_items['profile_attribute'], true)." |
".$this->_noComment("access_attr", $this->_items['access_attr'], true)." |
# Mapping of RADIUS dictionary attributes to LDAP |
# directory attributes. |
dictionary_mapping = ".$this->_items['dictionary_mapping']." |
# Set password_attribute = nspmPassword to get the |
# user's password from a Novell eDirectory |
# backend. This will work ONLY IF FreeRADIUS has been |
# built with the --with-edir configure option. |
# |
# See also the following links: |
# |
# http://www.novell.com/coolsolutions/appnote/16745.html |
# https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html |
# |
# Novell may require TLS encrypted sessions before returning |
# the user's password. |
# |
# password_attribute = userPassword |
".$this->_noComment("access_attr", $this->_items['access_attr'])." |
# Un-comment the following to disable Novell |
# eDirectory account policy check and intruder |
# detection. This will work *only if* FreeRADIUS is |
# configured to build with --with-edir option. |
# |
edir_account_policy_check = no |
".$this->_noComment("access_attr", $this->_items['access_attr'])." |
# |
# Group membership checking. Disabled by default. |
# |
# groupname_attribute = cn |
# groupmembership_filter = \"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))\" |
# groupmembership_attribute = radiusGroupName |
".$this->_noComment("groupname_attribute", $this->_items['groupname_attribute'])." |
".$this->_noComment("groupmembership_filter", $this->_items['groupmembership_filter'], true)." |
".$this->_noComment("groupmembership_attribute", $this->_items['groupmembership_attribute'])." |
# compare_check_items = yes |
# do_xlat = yes |
# access_attr_used_for_allow = yes |
".$this->_noComment("compare_check_items", $this->_items['compare_check_items'])." |
".$this->_noComment("do_xlat", $this->_items['do_xlat'])." |
".$this->_noComment("access_attr_used_for_allow", $this->_items['access_attr_used_for_allow'])." |
# |
# By default, if the packet contains a User-Password, |
# and no other module is configured to handle the |
# authentication, the LDAP module sets itself to do |
# LDAP bind for authentication. |
# |
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION. |
# |
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP). |
# |
# You can disable this behavior by setting the following |
# configuration entry to \"no\". |
# |
# allowed values: {no, yes} |
# set_auth_type = yes |
# set_auth_type = no |
".$this->_noComment("set_auth_type", $this->_items['set_auth_type'])." |
# ldap_debug: debug flag for LDAP SDK |
# (see OpenLDAP documentation). Set this to enable |
# huge amounts of LDAP debugging on the screen. |
# You should only use this if you are an LDAP expert. |
# |
# default: 0x0000 (no debugging messages) |
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS) |
#ldap_debug = 0x0028 |
".$this->_noComment("ldap_debug", $this->_items['ldap_debug'])." |
} |
"; |
if ($savefile !== null){ |
// save config file |
if (is_file($savefile)){ |
// save the file |
if (!is_writable($savefile)) |
return false; |
$updatedFile = fopen( $savefile, 'w' ); |
fwrite( $updatedFile, $config ); |
fclose( $updatedFile ); |
} else { |
// create a new file |
$newFile = fopen($savefile, 'w') or die("can't create file"); |
fwrite( $newFile, $config ); |
fclose( $newFile ); |
} |
} |
// test $returnconfig |
if (($returnconfig===true)||($returnconfig==="yes")){ |
return $config; |
}else{ |
return true; |
} |
} |
} |
?> |
/web/acc/admin/lib/alcasar/freeradius/configreader.php |
---|
0,0 → 1,423 |
<?php |
/* |
TODO : |
- reprendre toutes les expressions régulières [ à contrôler] |
- prise en compte de tous les types de commentaires |
- prise en compte d'une valeurs multiligne |
- suppressions plus rigoureuse des quote et double cote. (FAIT) |
- correction de quelques bugs |
- prise en charge de la lecture de section "nommée" (etc: ldap toto {...} )[fait à tester] |
-> pas de setter pour le configreader |
*/ |
/** |
* Page contenant les classes <b>confItem</b>, <b>pairItem</b>, <b>sectionItem</b> et <b>configReader</b>. |
* Ces classes permettent de parser des fichiers de configuration du même format |
* que ceux utilisés par freeradius. |
*/ |
/* |
The file consists of configuration items (variable = value pairs), sections, and comments. |
*/ |
/** |
* Classe abstraite <b>confItem</b>. |
* |
* @name confItem |
* @author steweb57 |
* @version 0.1.0 |
*/ |
Abstract class confItem |
{ |
/** |
* Variable contenant le type d'item (pair ou section) |
* @var string |
*/ |
protected $_type = null; |
/** |
* Variable contenant le nom de l'item |
* @var string |
*/ |
protected $_name = null; |
/** |
* Variable contenant le nom de la section |
* @var string |
*/ |
/** |
* Variable contenant le nom de l'instance de l'item |
* @var string |
*/ |
protected $_instanceName = null; |
/** |
protected $_parent = null; |
/** |
* Tableau contenant les parametres (items) |
* @var array |
*/ |
protected $_items = array(); |
/** |
* Return the parent confItem |
* |
* @name getParent()() |
* @return confItem |
*/ |
public function getParent(){ |
return $this->_parent; |
} |
/** |
* return the type of the confItem |
* |
* @name getType() |
* @return string |
*/ |
public function getType(){ |
return $this->_type; |
} |
public function getAll(){ |
return $this->_items; |
} |
/** |
* return the name of the confItem |
* |
* @name getName() |
* @return string |
*/ |
public function getName(){ |
return $this->_name; |
} |
/** |
* return the instance name of the confItem |
* |
* @name getInstanceName() |
* @return string |
*/ |
public function getInstanceName(){ |
return $this->_instanceName; |
} |
/** |
* |
* Return the specified atribute |
* |
* @name __get() |
* @param string $attr |
* @return mixed (confitem object or string) |
*/ |
public function __get($attr) { |
$resp=array(); |
foreach ($this->_items as $item){ |
if (is_object($item)){ |
if ($item->getName() === $attr){ |
$resp[] = $item; |
} |
} else { |
if (array_key_exists($attr, $this->_items)) |
$resp[] = $this->_items[$attr]; |
} |
} |
if (count($resp)===1){ |
return $resp[0]; |
} else { |
return $resp;// si vide, on répond par un array vide ou par false? |
} |
} |
/** |
* Converte the object to a string |
* |
* @name __toString() |
* @return string |
*/ |
public function __toString() { |
return $this->_name; |
} |
} |
/** |
* Classe <b>pairItem</b>. |
* |
* @name pairItem |
* @author steweb57 |
* @version 0.1.0 |
*/ |
class pairItem extends confItem |
{ |
protected $_type = 'pair'; |
protected $_name = ''; |
/** |
* Constructeur |
* |
* <p>création de l'instance de la classe</p> |
* |
* @name pairItem::__construct() |
* @param string $attr, $value |
* @return void |
*/ |
public function __construct($attr,$value) { |
$this->_items[$attr] = $value; |
$this->_name = $attr; |
} |
/** |
* Converte the object to a string |
* |
* @name __toString() |
* @return string |
*/ |
public function __toString() { |
return $this->_items[$this->_name];// ? afficher le nom de la variable ou sa valeur? |
} |
/** |
* Get a pair value |
* |
* @name getPair() |
* @param string $pairName |
* @return string |
*/ |
public function getPair($pairName = null){ |
if ($pairName!==null){ |
if (array_key_exists($pairName, $this->_items)) |
return $this->_items[$pairName]; |
} else { |
return $this->_items; |
} |
} |
} |
class sectionItem extends confItem |
{ |
protected $_type = 'section'; |
protected $_name = ''; |
public function __construct($name, sectionItem &$parent=null, $instanceName = "") { |
$this->_parent = $parent; |
$this->_name = $name; |
$this->_instanceName = $instanceName; |
} |
public function addSection($name, $instanceName = "") { |
$this->_items[] = new sectionItem($name, $this, $instanceName); |
return end($this->_items); |
} |
public function addPair($name, $value) { |
$this->_items[] = new pairItem($name, $value); |
return end($this->_items); |
} |
/** |
* return the child instance of the confSection |
* |
* @name getInstance() |
* @return string |
*/ |
public function getInstance($instanceName=nill){ |
if ($instanceName === null) |
return false; |
$resp = array(); |
foreach ($this->_items as $item){ |
if ($item->getType() !== 'section'){ |
continue; |
} |
if ($item->getInstanceName() === $instanceName){ |
$resp[] = $item; |
} |
} |
if (count($resp)===1){ |
return $resp[0]; |
} else { |
return $resp; |
} |
} |
public function getSectionInstance($sectionName = null, $instanceName=null){ |
if (($sectionName === null)||($instanceName === null)) |
return false; |
$resp = array(); |
foreach ($this->_items as $item){ |
if ($item->getType() !== 'section'){ |
continue; |
} |
if (($item->getName() === $sectionName)&&($item->getInstanceName() === $instanceName)){ |
$resp[] = $item; |
} |
} |
if (count($resp)===1){ |
return $resp[0]; |
} else { |
return $resp; |
} |
} |
public function getSection($sectionName = null){ |
$resp = array(); |
foreach ($this->_items as $item){ |
if ($item->getType() !== 'section'){ |
continue; |
} |
if ($sectionName === null){ |
$resp[] = $item; |
} else { |
if ($item->getName() === $sectionName){ |
$resp[] = $item; |
} |
} |
} |
if (count($resp)===1){ |
return $resp[0]; |
} else { |
return $resp; |
} |
} |
public function getPair($pairName = null){ |
$resp = array(); |
foreach ($this->_items as $item){ |
if ($item->getType() !== 'pair'){ |
continue; |
} |
if ($pairName === null){ |
$resp[] = $item; |
} else { |
if ($item->getName() === $pairName){ |
//return $item; //only the first answer |
$resp[] = $item; |
} |
} |
} |
if (count($resp)===1){ |
return $resp[0]; |
} else { |
return $resp; |
} |
} |
} |
/** |
* Classe <b>configReader</b>. |
* |
* @name configReader |
* @author steweb57 |
* @version 0.1.0 |
*/ |
class configReader extends sectionItem |
{ |
private $_file = null; |
private $_pt = null; |
protected $_name = "root"; |
/** |
* Constructeur |
* |
* <p>création de l'instance de la classe</p> |
* |
* @name config_file::__construct() |
* @param string $filename |
* @return void |
*/ |
public function __construct($filename=null) { |
if ($filename !== null){ |
$this->parse($filename); |
} |
} |
/** |
* Destructeur |
*/ |
public function __destruct() { |
$this->_file = NULL; |
} |
private function _deleteComment($line){ |
return $line; |
} |
public function parse($filename=null){ |
if ($filename !== null){ |
// test is_file et file_exist à faire |
$this->_file = $filename; |
} |
if ($this->_file===null) return false; |
$fro = fopen( $this->_file, 'r' ); |
while( $line = fgets( $fro ) ) |
{ |
/* |
on saute les commentaires |
*/ |
if (preg_match('/^[[:space:]]*#/',$line) || preg_match('/^[[:space:]]*$/',$line)) |
continue; |
//test d'entrée dans une section |
//if (preg_match('`^([\s[:print:]]*{[\s[:print:]]*)$`',$line)){//test section |
if (preg_match('`^([\sa-zA-Z0-9_-]*{[\s[:print:]]*)$`',$line)){//test section |
/* |
BUG : filter = "(uid=%{Stripped-User-Name:-%{User-Name}})" |
*/ |
// Nétoyage des commentaires et espaces |
$tmp = explode("{", $line, 2); |
$line = trim($tmp[0]); |
// test here if exist an instance name |
$tmpInstanceName = ""; |
$t = explode(" ", $line, 2); |
$tmpSectionName = $t[0]; |
if (count($t)>1){ |
$tmpInstanceName = $t[1]; |
} |
// end test of an instance name |
if ($this->_pt===null){ |
$this->addSection($tmpSectionName, $tmpInstanceName); |
$this->_pt = end($this->_items); |
} else { |
$this->_pt = $this->_pt->addSection($tmpSectionName, $tmpInstanceName); |
} |
} |
//recherche fin de section |
//elseif (preg_match('`^([\s]*}[\s]*)$`',$line)){//test fin de section |
elseif (preg_match('`^([\s]*}[\s[:print:]]*)$`',$line)){//test fin de section |
$this->_pt = $this->_pt->getParent(); |
} |
//test de présence d'une pair parametre/valeur |
elseif (preg_match('`^([\s[:print:]]*=)`',$line)){ //test pair |
$tmpPair = trim($line); |
list($pairName, $pairValue) = explode('=', $tmpPair, 2); |
$pairName = trim($pairName); |
$pairValue = trim($pairValue); |
/* |
A FAIRE : |
- prendre en compte le multi-ligne |
*/ |
$l = strlen($pairValue); |
if (strpos($pairValue, "'") === 0){ // valeur entre des quotes |
$pairValue = preg_replace("`^[']([[:print:]]*)[']([[:print:]]*)`","$1",$pairValue); |
}elseif(strpos($pairValue, '"') === 0){// valeur entre des double-quotes |
$pairValue = preg_replace('`^["]([[:print:]]*)["]([[:print:]]*)`','$1',$pairValue); |
}else{ // valeur sans quote ou double-quote |
//suppression des commentaires (pour un # dans la chaine, alors il faut que la chaine soit entre quote ou double-quote) |
$tmp = explode("#", $pairValue, 2); |
$pairValue = trim($tmp[0]); |
} |
if ($this->_pt===null){ |
$this->addPair($pairName,$pairValue); |
} else { |
$this->_pt->addPair($pairName,$pairValue); |
} |
} |
//test de présence d'un parametre (c'est traité comme une section mais sans contenu!) |
elseif (preg_match('`^([\s[:print:]]*)$`',$line)) { //test value |
$tmpItem = trim($line); |
if ($this->_pt===null){ |
$this->addSection($tmpItem); |
} else { |
$this->_pt->addSection($tmpItem); |
} |
} |
} |
fclose( $fro ); |
$this->_pt=null; |
} |
} |
?> |
/web/acc/admin/update_ldap.php |
---|
1,5 → 1,7 |
<?php |
/* written by steweb57 */ |
require_once("lib/alcasar/freeradius/siteconfig.php"); |
require_once("lib/alcasar/freeradius/ldapconfig.php"); |
/******************************************************************** |
* CONSTANTES AVEC CHEMINS DES FICHIERS DE CONFIGURATION * |
*********************************************************************/ |
21,13 → 23,6 |
* VARIABLES DE FORMULAIRE * |
*********************************************************************/ |
//variables pour le parcourt des fichiers |
// - $ouvre : fichier ouvert |
// - $tampon : ligne en cours |
//autres variables utilisées |
// - $fichier : fichier temporaire utilisé pour la mise à jours des fichiers de configuration |
// - les variables contennant les données de formulaire |
//Récupération des variables de formulaire |
if (isset($_POST['auth_enable'])) $auth_enable = $_POST['auth_enable']; else erreur('Erreur de variable auth_enable'); |
if ($auth_enable == "1"){ //test $auth_enable |
36,7 → 31,7 |
if (isset($_POST['ldap_filter'])) $ldap_filter = $_POST['ldap_filter']; else erreur('Erreur de variable ldap_filter'); |
if (isset($_POST['ldap_base_filter'])) $ldap_base_filter = $_POST['ldap_base_filter']; else erreur('Erreur de variable ldap_base_filter'); |
if (isset($_POST['ldap_user'])) $ldap_user = $_POST['ldap_user']; else erreur('Erreur de variable ldap_user'); |
if (isset($_POST['ldap_password'])) $ldap_password = $_POST['ldap_password']; else erreur('Erreur de variable ldap_password'); |
if (isset($_POST['ldap_password'])) $ldap_password = $_POST['ldap_password']; else erreur('Erreur de variable ldap_password'); |
} //test $auth_enable |
/******************************************************************** |
58,172 → 53,37 |
} |
/******************************************************************** |
* VARIABLES TEMPORAIRES * |
*********************************************************************/ |
//création des nouveaux fichiers de configuration |
//Initialisation de $fichier |
$fichier = ""; |
//variables de test pour la section autorize |
$section_autorize = false; // indique si on est dans la section autorize |
$num_section_autorize = 0; // indique si on se situe dans une sous section (pouvant avoir un parametre ldap ???) |
$nb_ldap = 0; // indique si le paramtre ldap n'est pas saisie deux fois (y compris les commentaires) |
//variables de test pour la section authenticate |
$section_authenticate = false; // indique si on est dans la section authenticate |
$section_authenticate_section_ldap = false; // indique si on se situe dans la sous section Auth-Type LDAP |
$section_authenticate_section_ldap_1 = false; // indique si Auth-Type LDAP déjà configuré |
$section_authenticate_section_ldap_2 = false; // indique si parametre ldap de Auth-Type LDAP déjà configuré |
$section_authenticate_section_ldap_3 = false; // indique si la fin de Auth-Type LDAP déjà configuré |
$num_section_authenticate = 0; |
/******************************************************************** |
* Fichier ALCASAR_RADIUS_SITE * |
*********************************************************************/ |
//Lecture du fichier /etc/raddb/sites-available/alcasar et création d'une nouvelle version du fichier. |
$continue = true; |
$ouvre=fopen(ALCASAR_RADIUS_SITE,"r"); |
while (!feof ($ouvre)) |
{ |
$tampon = fgets($ouvre, 4096); |
if ((!$section_autorize) && (preg_match('`^([\s]*authorize[\s]*{[\s]*)$`',$tampon))){ //test si on est dans la section authorize |
$section_autorize = true; |
} |
if ((!$section_authenticate) && (preg_match('`^([\s]*authenticate[\s]*{[\s]*)$`',$tampon))){ //on est dans la section authenticate |
$section_authenticate = true; |
} |
/******************************************************************** |
* SECTION AUTHORIZE * |
*********************************************************************/ |
if ($section_autorize){ //on est dans la section authorize |
if ((preg_match('`^([\s[:alnum:]-_]*{[\s]*)$`',$tampon)) && (!preg_match('`^([\s]*authorize[\s]*{[\s]*)$`',$tampon))){ //on trouve des sous sections non commentées |
$num_section_autorize = $num_section_autorize + 1; |
$fichier = $fichier.$tampon; |
} elseif ((preg_match('`^([\s#]*ldap[\s]*)$`',$tampon))&&($num_section_autorize == 0)){ // conf du parametre ldap uniquement si l'on n'est pas dans une sous section! |
//Récupération dans la section authorise de la ligne ldap |
//valeur : ldap = authentification ldap authorisée |
//valeur : #ldap = authentification ldap non authorisée |
if (($auth_enable == "1") && ($nb_ldap ==0)){ |
$fichier = $fichier."ldap\n"; |
}else{ |
$fichier = $fichier."# ldap\n"; |
} |
$nb_ldap = $nb_ldap + 1;//calcule si le parametre ldap n'est pas présent plusieurs fois. |
} elseif (preg_match('`^([\s]*}[\s]*)$`',$tampon)){ //une section se termine |
if ($num_section_autorize == 0){ // fin de la section authorize |
$section_autorize = false; |
} else { // on referme une sous section |
$num_section_autorize = $num_section_autorize - 1; |
} |
$fichier = $fichier.$tampon; |
} else { |
$fichier = $fichier.$tampon; |
} |
//fin de section authorize |
} elseif (($section_authenticate)){ //on est dans la section authenticate |
/******************************************************************** |
* SECTION AUTHENTICATE * |
*********************************************************************/ |
// pas de test de sous-section! |
//on recherhe la section ldap |
## Auth-Type LDAP { |
# ldap |
## } |
if (preg_match('`^([\s#]*Auth-Type[\s]*LDAP[\s]{[\s]*)$`',$tampon)) { // test si on est dans la sous section Auth-Type LDAP (commentée ou non !) |
$section_authenticate_section_ldap = true; |
if (($auth_enable == "1") && (!$section_authenticate_section_ldap_1)){ |
$fichier = $fichier."Auth-Type LDAP { \n"; |
} else { |
$fichier = $fichier."# Auth-Type LDAP { \n"; |
} |
$section_authenticate_section_ldap_1 = true; // Auth-Type LDAP { est traité, les prochaines occurences trouvées seront tous mis en commentaire |
} else { |
if ($section_authenticate_section_ldap){ // on est dans la section Auth-Type LDAP |
if (preg_match('`^([\s#]*ldap[\s]*)$`',$tampon)){ //parametre ldap |
if (($auth_enable == "1") && (!$section_authenticate_section_ldap_2)){ |
$fichier = $fichier."ldap\n"; |
} else { |
$fichier = $fichier."# ldap\n"; |
} |
$section_authenticate_section_ldap_2 = true; // le parametre ldap est traité, les prochaines occurences trouvées seront tous mis en commentaire |
} elseif (preg_match('`^([\s#]*}[\s]*)$`',$tampon)){ //fin de section Auth-Type LDAP (le premier #} ou } trouvé dans la section Auth-Type LDAP indique la fin de la section) |
if (($auth_enable == "1") && (!$section_authenticate_section_ldap_3)){ |
$fichier = $fichier."}\n"; |
} else { |
$fichier = $fichier."# }\n"; |
} |
$section_authenticate_section_ldap_3 = true; // } de fin de section Auth-Type LDAP est traité, les prochaines occurences trouvées seront tous mis en commentaire //!inutile |
$section_authenticate_section_ldap = false; //inutile de continuer de parcourir la section Auth-Type LDAP |
$section_authenticate = false; //inutile de continuer de parcourir la section authenticate |
} else { |
$fichier = $fichier.$tampon; // on écrit tous les autres valeurs ou commentaires présents dans la section Auth-Type LDAP du fichier |
} |
} else { |
$fichier = $fichier.$tampon; // on écrit tous les autres valeurs ou commentaires présents dans la section authenticate du fichier |
} |
} |
//fin de section authenticate |
} else { //on est ni dans la section authorize ni dans la section authenticate |
$fichier = $fichier.$tampon; |
} |
} |
fclose($ouvre); |
$site = new siteConfig(); |
$site->load(ALCASAR_RADIUS_SITE); |
if ($auth_enable == "1"){ //test $auth_enable |
$site->authorize->ldap = 'ldap'; |
$site->authenticate->ldap = 'ldap'; |
} else { |
$site->authorize->ldap = false; |
$site->authenticate->ldap = false; |
} |
//Sauvegarde du /etc/raddb/sites-available/alcasar |
$ouvre=fopen(ALCASAR_RADIUS_SITE,"w+"); |
fwrite($ouvre, $fichier); |
fclose($ouvre); |
$site->save(ALCASAR_RADIUS_SITE); |
/******************************************************************** |
* Fichier ALCASAR_RADIUS_MODULE_LDAP * |
*********************************************************************/ |
// TO DO : faire le controle des doublons comme sur le fichiers précédent ! |
//on ne modifie ALCASAR_RADIUS_MODULE_LDAP uniquement si l'authentification ldap est active |
if ($auth_enable == "1"){ //test $auth_enable |
//Ré-Initialisation de $fichier |
$fichier = ""; |
//Lecture du fichier /etc/raddb/modules/ldap et création d'une nouvelle version du fichier. |
$ouvre=fopen(ALCASAR_RADIUS_MODULE_LDAP,"r"); |
while (!feof ($ouvre)) |
{ |
$tampon = fgets($ouvre, 4096); |
if (preg_match('`^([\s#]*server(\s*)=)`',$tampon)){ |
//Mise a jour du paramettre ldap server |
$fichier = $fichier."server = \"".$ldap_server."\"\n"; |
} elseif (preg_match('`^([\s#]*identity(\s*)=)`',$tampon)){ |
//Mise a jour du paramettre ldap identity |
$fichier = $fichier."identity = \"".$ldap_user."\"\n"; |
} elseif (preg_match('`^([\s#]*password(\s*)=)`',$tampon)){ |
//Mise a jour du paramettre ldap password |
$fichier = $fichier."password = ".$ldap_password."\n"; |
} elseif (preg_match('`^([\s#]*basedn(\s*)=)`',$tampon)){ |
//Mise a jour du paramettre ldap basedn |
$fichier = $fichier."basedn = \"".$ldap_base_dn."\"\n"; |
} elseif (preg_match('`^([\s#]*filter(\s*)=)`',$tampon)){ |
//Mise a jour du paramettre ldap filter |
$fichier = $fichier."filter = \"(".$ldap_filter."=%{Stripped-User-Name:-%{User-Name}})\"\n"; |
} elseif (preg_match('`^([\s#]*base_filter(\s*)=)`',$tampon)){ |
//Mise a jour du paramettre ldap base_filter |
$fichier = $fichier."base_filter = \"".$ldap_base_filter."\"\n"; |
} else { |
//On ne fait rien |
$fichier = $fichier.$tampon; |
} |
} |
fclose($ouvre); |
//sauvegarde du fichier /etc/raddb/modules/ldap |
$ouvre=fopen(ALCASAR_RADIUS_MODULE_LDAP,"w+"); |
fwrite($ouvre, $fichier); |
fclose($ouvre); |
// chargement de la configuration courante |
$ldap = new ldapConfig(); |
$ldap->load(ALCASAR_RADIUS_MODULE_LDAP); |
// mise à jours des données |
$ldap->server = $ldap_server; |
$ldap->identity = $ldap_identity; |
$ldap->password = $ldap_password; |
$ldap->basedn = $ldap_basedn; |
$ldap->filter = $ldap_filter; |
$ldap->base_filter = $ldap_base_filter; |
//sauvegarde du fichier /etc/raddb/modules/ldap |
$ldap->save(ALCASAR_RADIUS_MODULE_LDAP); |
} //test $auth_enable |
/**************************************************************** |