added option if referrals should be followed

This commit is contained in:
Roland Gruber 2014-01-12 10:18:35 +00:00
parent fe3463b77a
commit 14a619989e
8 changed files with 63 additions and 3 deletions

View File

@ -1,6 +1,7 @@
March 2014 4.5 March 2014 4.5
- IMAP: allow dynamic admin user names by replacing wildcards with LDAP attributes - IMAP: allow dynamic admin user names by replacing wildcards with LDAP attributes
- Personal: allow to set fields read-only - Personal: allow to set fields read-only
- Added option to server profile if referrals should be followed (fixes problems with Samba 4 and AD)
18.12.2013 4.4 18.12.2013 4.4
- PyKota support: users, groups, printers, billing codes - PyKota support: users, groups, printers, billing codes

View File

@ -713,6 +713,15 @@ Have fun!
<section id="a_versUpgrade"> <section id="a_versUpgrade">
<title>Version specific upgrade instructions</title> <title>Version specific upgrade instructions</title>
<section>
<title>4.4 -&gt; 4.5</title>
<para>LAM will no longer follow referrals by default. This is ok for
most installations. If you use LDAP referrals please activate
referral following for your server profile (tab General settings
-&gt; Server settings -&gt; Advanced options).</para>
</section>
<section> <section>
<title>4.3 -&gt; 4.4</title> <title>4.3 -&gt; 4.4</title>
@ -1234,6 +1243,10 @@ Have fun!
linkend="a_accessLevelPasswordReset">this page</link> for details on linkend="a_accessLevelPasswordReset">this page</link> for details on
the different access levels.</para> the different access levels.</para>
<para>By default LAM will not follow LDAP referrals. This is ok for
most installations. If you use LDAP referrals please activate the
referral option in advanced settings.</para>
<screenshot> <screenshot>
<mediaobject> <mediaobject>
<imageobject> <imageobject>

Binary file not shown.

Before

Width:  |  Height:  |  Size: 25 KiB

After

Width:  |  Height:  |  Size: 30 KiB

View File

@ -82,6 +82,8 @@ $helpArray = array (
_("dc=yourcompany,dc=com")), _("dc=yourcompany,dc=com")),
"204" => array ("Headline" => _("SSL certificate"), "204" => array ("Headline" => _("SSL certificate"),
"Text" => _("This is only needed for TLS/SSL connections. By default, LAM will use the certificate authorities installed on your system. If you have a private CA in your company you can upload your CA certificates here and override the system certificates.")), "Text" => _("This is only needed for TLS/SSL connections. By default, LAM will use the certificate authorities installed on your system. If you have a private CA in your company you can upload your CA certificates here and override the system certificates.")),
"205" => array ("Headline" => _("Follow referrals"),
"Text" => _("Specifies if LAM should automatically follow referrals. Activate if you use referrals in your LDAP directory.")),
"206" => array ("Headline" => _("List attributes"), "206" => array ("Headline" => _("List attributes"),
"Text" => _("This is the list of attributes to show in the account list. The entries can either be predefined values, \"#attribute\", or individual ones, \"attribute:description\". Several entries are separated by semicolons.") . "Text" => _("This is the list of attributes to show in the account list. The entries can either be predefined values, \"#attribute\", or individual ones, \"attribute:description\". Several entries are separated by semicolons.") .
"<br><br><br><big><b>" . "<br><br><br><big><b>" .

View File

@ -258,6 +258,9 @@ class LAMConfig {
/** enables/disables TLS encryption */ /** enables/disables TLS encryption */
private $useTLS; private $useTLS;
/** automatically follow referrals */
private $followReferrals = 'false';
/** Array of string: users with admin rights */ /** Array of string: users with admin rights */
private $Admins; private $Admins;
@ -349,7 +352,7 @@ class LAMConfig {
private $lamProMailText = ''; private $lamProMailText = '';
/** List of all settings in config file */ /** List of all settings in config file */
private $settings = array("ServerURL", "useTLS", "Passwd", "Admins", "treesuffix", private $settings = array("ServerURL", "useTLS", "followReferrals", "Passwd", "Admins", "treesuffix",
"defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout", "defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout",
"modules", "activeTypes", "types", "tools", "accessLevel", 'loginMethod', 'loginSearchSuffix', "modules", "activeTypes", "types", "tools", "accessLevel", 'loginMethod', 'loginSearchSuffix',
'loginSearchFilter', 'searchLimit', 'lamProMailFrom', 'lamProMailReplyTo', 'lamProMailSubject', 'loginSearchFilter', 'searchLimit', 'lamProMailFrom', 'lamProMailReplyTo', 'lamProMailSubject',
@ -516,6 +519,7 @@ class LAMConfig {
// check if we have to add new entries (e.g. if user upgraded LAM and has an old config file) // check if we have to add new entries (e.g. if user upgraded LAM and has an old config file)
if (!in_array("ServerURL", $saved)) array_push($file_array, "\n\n# server address (e.g. ldap://localhost:389 or ldaps://localhost:636)\n" . "serverURL: " . $this->ServerURL . "\n"); if (!in_array("ServerURL", $saved)) array_push($file_array, "\n\n# server address (e.g. ldap://localhost:389 or ldaps://localhost:636)\n" . "serverURL: " . $this->ServerURL . "\n");
if (!in_array("useTLS", $saved)) array_push($file_array, "\n\n# enable TLS encryption\n" . "useTLS: " . $this->useTLS . "\n"); if (!in_array("useTLS", $saved)) array_push($file_array, "\n\n# enable TLS encryption\n" . "useTLS: " . $this->useTLS . "\n");
if (!in_array("followReferrals", $saved)) array_push($file_array, "\n\n# follow referrals\n" . "followReferrals: " . $this->followReferrals . "\n");
if (!in_array("Passwd", $saved)) array_push($file_array, "\n\n# password to change these preferences via webfrontend\n" . "passwd: " . $this->Passwd . "\n"); if (!in_array("Passwd", $saved)) array_push($file_array, "\n\n# password to change these preferences via webfrontend\n" . "passwd: " . $this->Passwd . "\n");
if (!in_array("Admins", $saved)) array_push($file_array, "\n\n# list of users who are allowed to use LDAP Account Manager\n" . if (!in_array("Admins", $saved)) array_push($file_array, "\n\n# list of users who are allowed to use LDAP Account Manager\n" .
"# names have to be seperated by semicolons\n" . "# names have to be seperated by semicolons\n" .
@ -638,7 +642,7 @@ class LAMConfig {
/** /**
* Sets if TLS is activated. * Sets if TLS is activated.
* *
* @param String yes or no * @param String $useTLS yes or no
* @return boolean true if $useTLS has correct format * @return boolean true if $useTLS has correct format
*/ */
public function setUseTLS($useTLS) { public function setUseTLS($useTLS) {
@ -649,6 +653,23 @@ class LAMConfig {
return false; return false;
} }
/**
* Returns if referrals should be followed.
*
* @return String true or false
*/
public function getFollowReferrals() {
return $this->followReferrals;
}
/**
* Sets if referrals should be followed.
*
* @param String $followReferrals true or false
*/
public function setFollowReferrals($followReferrals) {
$this->followReferrals = $followReferrals;
}
/** /**
* Returns an array of string with all admin names * Returns an array of string with all admin names

View File

@ -100,6 +100,9 @@ class Ldap{
if ($this->server) { if ($this->server) {
// use LDAPv3 // use LDAPv3
ldap_set_option($this->server, LDAP_OPT_PROTOCOL_VERSION, 3); ldap_set_option($this->server, LDAP_OPT_PROTOCOL_VERSION, 3);
// referral following
$followReferrals = ($this->conf->getFollowReferrals() === 'true') ? 1 : 0;
ldap_set_option($this->server,LDAP_OPT_REFERRALS, $followReferrals);
// start TLS if specified // start TLS if specified
$useTLS = $this->conf->getUseTLS(); $useTLS = $this->conf->getUseTLS();
if (isset($useTLS) && ($useTLS == "yes")) { if (isset($useTLS) && ($useTLS == "yes")) {

View File

@ -186,7 +186,9 @@ class myldap extends DS {
/* Disabling this makes it possible to browse the tree for Active Directory, and seems /* Disabling this makes it possible to browse the tree for Active Directory, and seems
* to not affect other LDAP servers (tested with OpenLDAP) as phpLDAPadmin explicitly * to not affect other LDAP servers (tested with OpenLDAP) as phpLDAPadmin explicitly
* specifies deref behavior for each ldap_search operation. */ * specifies deref behavior for each ldap_search operation. */
ldap_set_option($resource,LDAP_OPT_REFERRALS,1); // TODO provide upstream patch if PLA gets active again
$followReferrals = ($_SESSION['config']->getFollowReferrals() === 'true') ? 1 : 0;
ldap_set_option($resource,LDAP_OPT_REFERRALS, $followReferrals);
# Try to fire up TLS is specified in the config # Try to fire up TLS is specified in the config
if ($this->isTLSEnabled()) if ($this->isTLSEnabled())

View File

@ -253,6 +253,7 @@ $searchLimitOptions = array(
$limitSelect = new htmlTableExtendedSelect('searchLimit', $searchLimitOptions, array($conf->get_searchLimit()), _("LDAP search limit"), '222'); $limitSelect = new htmlTableExtendedSelect('searchLimit', $searchLimitOptions, array($conf->get_searchLimit()), _("LDAP search limit"), '222');
$limitSelect->setHasDescriptiveElements(true); $limitSelect->setHasDescriptiveElements(true);
$serverSettingsContent->addElement($limitSelect, true); $serverSettingsContent->addElement($limitSelect, true);
// access level is only visible in Pro version // access level is only visible in Pro version
if (isLAMProVersion()) { if (isLAMProVersion()) {
$accessOptions = array( $accessOptions = array(
@ -265,6 +266,17 @@ if (isLAMProVersion()) {
$serverSettingsContent->addElement($accessSelect, true); $serverSettingsContent->addElement($accessSelect, true);
} }
// advanced options
$advancedOptionsContent = new htmlTable();
// referrals
$followReferrals = ($conf->getFollowReferrals() === 'true');
$advancedOptionsContent->addElement(new htmlTableExtendedInputCheckbox('followReferrals',$followReferrals , _('Follow referrals'), '205'), true);
// build advanced options box
$advancedOptions = new htmlAccordion('advancedOptions_server', array(_('Advanced options') => $advancedOptionsContent), false);
$advancedOptions->colspan = 15;
$serverSettingsContent->addElement($advancedOptions, true);
$serverSettings = new htmlFieldset($serverSettingsContent, _("Server settings"), '../../graphics/profiles.png'); $serverSettings = new htmlFieldset($serverSettingsContent, _("Server settings"), '../../graphics/profiles.png');
$container->addElement($serverSettings, true); $container->addElement($serverSettings, true);
$container->addElement(new htmlSpacer(null, '10px'), true); $container->addElement(new htmlSpacer(null, '10px'), true);
@ -486,6 +498,12 @@ function checkInput() {
if ((strpos($_POST['serverurl'], 'ldaps://') !== false) && ($_POST['useTLS'] == 'yes')) { if ((strpos($_POST['serverurl'], 'ldaps://') !== false) && ($_POST['useTLS'] == 'yes')) {
$errors[] = array("ERROR", _('You cannot use SSL and TLS encryption at the same time. Please use either "ldaps://" or TLS.')); $errors[] = array("ERROR", _('You cannot use SSL and TLS encryption at the same time. Please use either "ldaps://" or TLS.'));
} }
if (isset($_POST['followReferrals']) && ($_POST['followReferrals'] == 'on')) {
$conf->setFollowReferrals('true');
}
else {
$conf->setFollowReferrals('false');
}
/* if (!$conf->set_cacheTimeout($_POST['cachetimeout'])) { /* if (!$conf->set_cacheTimeout($_POST['cachetimeout'])) {
$errors[] = array("ERROR", _("Cache timeout is invalid!")); $errors[] = array("ERROR", _("Cache timeout is invalid!"));
}*/ }*/