HTTP authentication

Roland Gruber 2011-08-23 19:05:05 +00:00
parent 302a3fbe27
commit 167588a3d0
8 changed files with 159 additions and 90 deletions


@ -1034,13 +1034,16 @@ Have fun!
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/configProfiles7.png" />
<imagedata fileref="images/configProfiles8.png" />
</imageobject>
</mediaobject>
</screenshot>
<para>LAM supports two methods for login. You may either specify a
fixed list of LDAP DNs or let LAM search for the DN in your
<para>LAM supports two methods for login. The first one is to
specify a fixed list of LDAP DNs that are allowed to login. Please
enter one DN per line.</para>
<para>The second one is to let LAM search for the DN in your
directory. E.g. if a user logs in with the user name "joe" then LAM
will do an LDAP search for this user name. When it finds a matching
DN then it will use this to authenticate the user. The wildcard
@ -1048,8 +1051,23 @@ Have fun!
provide login by user name, email address or other LDAP
attributes.</para>
<para>You may also change the password of this server
profile.</para>
<para>Additionally, you can enable HTTP authentication when using
"LDAP search". This way the web server is responsible to
authenticate your users. LAM will use the given user name + password
for the LDAP login. To setup HTTP authentication in Apache please
see this <ulink
url="http://httpd.apache.org/docs/2.2/howto/auth.html">link</ulink>.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/configProfiles7.png" />
</imageobject>
</mediaobject>
</screenshot>
<para>You may also change the password of this server profile.
Please just enter the new password in both password fields.</para>
</section>
<section>



@ -113,6 +113,8 @@ $helpArray = array (
"Text" => _("Please enter the LDAP suffix where LAM should start to search for users. The LDAP filter needs to match the given user name to exactly one DN. The value \"%USER%\" will be replaced by the user name from the login page.")),
"222" => array ("Headline" => _("LDAP search limit"),
"Text" => _("Here you can set a limit for LDAP searches. This will restrict the number of results for LDAP searches. Please use this if LAM's LDAP queries produce too much load.")),
"223" => array ("Headline" => _("HTTP authentication"),
"Text" => _("If enabled then LAM will use user and password that is provided by the web server via HTTP authentication.")),
"230" => array ("Headline" => _("Profile management") . " - " . _("Add profile"),
"Text" => _("Please enter the name of the new profile and the password to change its settings. Profile names may contain letters, numbers and -/_.")),
"231" => array ("Headline" => _("Profile management") . " - " . _("Rename profile"),
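Review bot: The new "223" help text does not tell the administrator that the web server has to be configured to require authentication for LAM's own pages; if it is not, PHP never populates `$_SERVER['PHP_AUTH_USER']` / `PHP_AUTH_PW` and enabling the option only removes the login fields. Since this entry is what the admin reads when deciding to tick the box, it is the right place to state the prerequisite. Suggested wording: `"Text" => _("If enabled then LAM will use user and password that is provided by the web server via HTTP authentication. The web server must be configured to require authentication for LAM, otherwise no credentials are available for the LDAP login."))`. The help array is defined before the start of this hunk.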


@ -254,6 +254,9 @@ class LAMConfig {
/** search filter for login */
private $loginSearchFilter = 'uid=%USER%';
/** specifies if HTTP authentication should be used */
private $httpAuthentication = 'false';
/** email address for sender of password reset mails */
private $lamProMailFrom = '';
@ -274,7 +277,7 @@ class LAMConfig {
"defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout",
"modules", "activeTypes", "types", "accessLevel", 'loginMethod', 'loginSearchSuffix',
'loginSearchFilter', 'searchLimit', 'lamProMailFrom', 'lamProMailReplyTo', 'lamProMailSubject',
'lamProMailText', 'lamProMailIsHTML');
'lamProMailText', 'lamProMailIsHTML', 'httpAuthentication');
/**
@ -425,6 +428,7 @@ class LAMConfig {
if (!in_array("loginMethod", $saved)) array_push($file_array, "\n\n# Login method.\n" . "loginMethod: " . $this->loginMethod . "\n");
if (!in_array("loginSearchSuffix", $saved)) array_push($file_array, "\n\n# Search suffix for LAM login.\n" . "loginSearchSuffix: " . $this->loginSearchSuffix . "\n");
if (!in_array("loginSearchFilter", $saved)) array_push($file_array, "\n\n# Search filter for LAM login.\n" . "loginSearchFilter: " . $this->loginSearchFilter . "\n");
if (!in_array("httpAuthentication", $saved)) array_push($file_array, "\n\n# HTTP authentication for LAM login.\n" . "httpAuthentication: " . $this->httpAuthentication . "\n");
if (!in_array("lamProMailFrom", $saved)) array_push($file_array, "\n\n# Password mail from\n" . "lamProMailFrom: " . $this->lamProMailFrom . "\n");
if (!in_array("lamProMailReplyTo", $saved)) array_push($file_array, "\n\n# Password mail reply-to\n" . "lamProMailReplyTo: " . $this->lamProMailReplyTo . "\n");
if (!in_array("lamProMailSubject", $saved)) array_push($file_array, "\n\n# Password mail subject\n" . "lamProMailSubject: " . $this->lamProMailSubject . "\n");
@ -1022,6 +1026,24 @@ class LAMConfig {
$this->loginSearchFilter = $loginSearchFilter;
}
/**
* Returns if HTTP authentication should be used.
*
* @return String $httpAuthentication use HTTP authentication ('true' or 'false')
*/
public function getHttpAuthentication() {
return $this->httpAuthentication;
}
/**
* Specifies if HTTP authentication should be used.
*
* @param String $httpAuthentication use HTTP authentication ('true' or 'false')
*/
public function setHttpAuthentication($httpAuthentication) {
$this->httpAuthentication = $httpAuthentication;
}
/**
* Returns the login search suffix.
*
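Review bot: `setHttpAuthentication()` stores its argument unchanged, while every reader in this commit (`getHttpAuthentication() == 'true'` in the login page and in confmain) treats anything but the literal string `'true'` as disabled, so a value like `yes` or `TRUE` in the config file silently disables the feature with no log entry. Normalising in the setter, in the same way confmain's `checkInput()` already does for the checkbox, would keep the stored value consistent with the documented `'true'`/`'false'` contract: `$this->httpAuthentication = ($httpAuthentication == 'true') ? 'true' : 'false';`. The docblock could also note that the web server is expected to perform the authentication and that the setting is only honoured together with `LOGIN_SEARCH`. The class `LAMConfig` starts and ends outside this hunk.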


@ -358,6 +358,8 @@ $securitySettingsContent->addElement($searchSuffixInput, true);
$searchFilterInput = new htmlTableExtendedInputField(_("LDAP filter"), 'loginSearchFilter', $conf->getLoginSearchFilter(), '221');
$searchFilterInput->setRequired(true);
$securitySettingsContent->addElement($searchFilterInput, true);
// HTTP authentication
$securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('httpAuthentication', ($conf->getHttpAuthentication() == 'true'), _('HTTP authentication'), '223', true), true);
$securitySettingsContent->addElement(new htmlSpacer(null, '10px'), true);
// new password
$password1 = new htmlTableExtendedInputField(_("New password"), 'passwd1', null, '212');
@ -443,6 +445,12 @@ function checkInput() {
$conf->setLoginMethod($_POST['loginMethod']);
$conf->setLoginSearchFilter($_POST['loginSearchFilter']);
$conf->setLoginSearchSuffix($_POST['loginSearchSuffix']);
if (isset($_POST['httpAuthentication']) && ($_POST['httpAuthentication'] == 'on')) {
$conf->setHttpAuthentication('true');
}
else {
$conf->setHttpAuthentication('false');
}
if (!$conf->set_Adminstring(implode(";", $adminTextNew))) {
$errors[] = array("ERROR", _("List of admin users is empty or invalid!"));
}


@ -157,11 +157,13 @@ function configLoginMethodChanged() {
jQuery('textarea[name=admins]').parent().parent().show();
jQuery('input[name=loginSearchSuffix]').parent().parent().hide();
jQuery('input[name=loginSearchFilter]').parent().parent().hide();
jQuery('input[name=httpAuthentication]').parent().parent().hide();
}
else {
jQuery('textarea[name=admins]').parent().parent().hide();
jQuery('input[name=loginSearchSuffix]').parent().parent().show();
jQuery('input[name=loginSearchFilter]').parent().parent().show();
jQuery('input[name=httpAuthentication]').parent().parent().show();
}
}


@ -285,7 +285,12 @@ function display_LoginPage($config_object) {
echo '</select>';
}
else {
echo '<input type="text" name="username" tabindex="1">';
if ($config_object->getHttpAuthentication() == 'true') {
echo htmlspecialchars($_SERVER['PHP_AUTH_USER']);
}
else {
echo '<input type="text" name="username" tabindex="1">';
}
}
?>
</td>
@ -297,7 +302,14 @@ function display_LoginPage($config_object) {
?>
</b>&nbsp;&nbsp;</td>
<td style="border-style:none" height="35" align="left">
<input type="password" name="passwd" tabindex="2">
<?php
if (($config_object->getLoginMethod() == LAMConfig::LOGIN_SEARCH) && ($config_object->getHttpAuthentication() == 'true')) {
echo '**********';
}
else {
echo '<input type="password" name="passwd" tabindex="2">';
}
?>
</td>
</tr>
<tr>
@ -432,55 +444,55 @@ if(!empty($_POST['checklogin'])) {
$_SESSION['ldap'] = new Ldap($_SESSION['config']); // Create new Ldap object
if($_POST['passwd'] == "") {
logNewMessage(LOG_DEBUG, "Empty password for login");
$error_message = _("Empty password submitted. Please try again.");
display_LoginPage($_SESSION['config']); // Empty password submitted. Return to login page.
exit();
$clientSource = $_SERVER['REMOTE_ADDR'];
if (isset($_SERVER['REMOTE_HOST'])) {
$clientSource .= '/' . $_SERVER['REMOTE_HOST'];
}
if (($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) && ($_SESSION['config']->getHttpAuthentication() == 'true')) {
$username = $_SERVER['PHP_AUTH_USER'];
$password = $_SERVER['PHP_AUTH_PW'];
}
else {
$clientSource = $_SERVER['REMOTE_ADDR'];
if (isset($_SERVER['REMOTE_HOST'])) {
$clientSource .= '/' . $_SERVER['REMOTE_HOST'];
if($_POST['passwd'] == "") {
logNewMessage(LOG_DEBUG, "Empty password for login");
$error_message = _("Empty password submitted. Please try again.");
display_LoginPage($_SESSION['config']); // Empty password submitted. Return to login page.
exit();
}
if (get_magic_quotes_gpc() == 1) {
$_POST['passwd'] = stripslashes($_POST['passwd']);
}
$username = $_POST['username'];
// search user in LDAP if needed
if ($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) {
$searchFilter = $_SESSION['config']->getLoginSearchFilter();
$searchFilter = str_replace('%USER%', $username ,$searchFilter);
$searchSuccess = true;
$searchError = '';
$searchLDAP = new Ldap($_SESSION['config']);
$searchLDAPResult = $searchLDAP->connect('', '', true);
if (! ($searchLDAPResult == 0)) {
$searchSuccess = false;
$searchError = _('Cannot connect to specified LDAP server. Please try again.') . ' ' . @ldap_error($searchLDAP->server());
}
else {
$searchResult = @ldap_search($searchLDAP->server(), $_SESSION['config']->getLoginSearchSuffix(), $searchFilter, array('dn'), 0, 0, 0, LDAP_DEREF_NEVER);
if ($searchResult) {
$searchInfo = @ldap_get_entries($searchLDAP->server(), $searchResult);
if ($searchInfo) {
cleanLDAPResult($searchInfo);
if (sizeof($searchInfo) == 0) {
$searchSuccess = false;
$searchError = _('Wrong password/user name combination. Please try again.');
}
elseif (sizeof($searchInfo) > 1) {
$searchSuccess = false;
$searchError = _('The given user name matches multiple LDAP entries.');
}
else {
$username = $searchInfo[0]['dn'];
}
$password = $_POST['passwd'];
}
// search user in LDAP if needed
if ($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) {
$searchFilter = $_SESSION['config']->getLoginSearchFilter();
$searchFilter = str_replace('%USER%', $username ,$searchFilter);
$searchSuccess = true;
$searchError = '';
$searchLDAP = new Ldap($_SESSION['config']);
$searchLDAPResult = $searchLDAP->connect('', '', true);
if (! ($searchLDAPResult == 0)) {
$searchSuccess = false;
$searchError = _('Cannot connect to specified LDAP server. Please try again.') . ' ' . @ldap_error($searchLDAP->server());
}
else {
$searchResult = @ldap_search($searchLDAP->server(), $_SESSION['config']->getLoginSearchSuffix(), $searchFilter, array('dn'), 0, 0, 0, LDAP_DEREF_NEVER);
if ($searchResult) {
$searchInfo = @ldap_get_entries($searchLDAP->server(), $searchResult);
if ($searchInfo) {
cleanLDAPResult($searchInfo);
if (sizeof($searchInfo) == 0) {
$searchSuccess = false;
$searchError = _('Wrong password/user name combination. Please try again.');
}
elseif (sizeof($searchInfo) > 1) {
$searchSuccess = false;
$searchError = _('The given user name matches multiple LDAP entries.');
}
else {
$searchSuccess = false;
$searchError = _('Unable to find the user name in LDAP.');
if (ldap_errno($searchLDAP->server()) != 0) $searchError .= ' ' . ldap_error($searchLDAP->server());
$username = $searchInfo[0]['dn'];
}
}
else {
@ -489,53 +501,58 @@ if(!empty($_POST['checklogin'])) {
if (ldap_errno($searchLDAP->server()) != 0) $searchError .= ' ' . ldap_error($searchLDAP->server());
}
}
if (!$searchSuccess) {
$error_message = $searchError;
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in. ' . $searchError . '');
$searchLDAP->close();
display_LoginPage($_SESSION['config']);
exit();
}
$searchLDAP->close();
}
// try to connect to LDAP
$result = $_SESSION['ldap']->connect($username,$_POST['passwd']); // Connect to LDAP server for verifing username/password
if($result === 0) {// Username/password correct. Do some configuration and load main frame.
$_SESSION['loggedIn'] = true;
// set security settings for session
$_SESSION['sec_session_id'] = session_id();
$_SESSION['sec_client_ip'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['sec_sessionTime'] = time();
// logging
logNewMessage(LOG_NOTICE, 'User ' . $_POST['username'] . ' (' . $clientSource . ') successfully logged in.');
// Load main frame
metaRefresh("./main.php");
die();
}
else {
if ($result === False) {
// connection failed
$error_message = _("Cannot connect to specified LDAP server. Please try again.");
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
}
elseif ($result == 81) {
// connection failed
$error_message = _("Cannot connect to specified LDAP server. Please try again.");
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
}
elseif ($result == 49) {
// user name/password invalid. Return to login page.
$error_message = _("Wrong password/user name combination. Please try again.");
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (wrong password).');
}
else {
// other errors
$error_message = _("LDAP error, server says:") . "\n<br>($result) " . ldap_err2str($result);
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
$searchSuccess = false;
$searchError = _('Unable to find the user name in LDAP.');
if (ldap_errno($searchLDAP->server()) != 0) $searchError .= ' ' . ldap_error($searchLDAP->server());
}
}
if (!$searchSuccess) {
$error_message = $searchError;
logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in. ' . $searchError . '');
$searchLDAP->close();
display_LoginPage($_SESSION['config']);
exit();
}
$searchLDAP->close();
}
// try to connect to LDAP
$result = $_SESSION['ldap']->connect($username, $password); // Connect to LDAP server for verifing username/password
if($result === 0) {// Username/password correct. Do some configuration and load main frame.
$_SESSION['loggedIn'] = true;
// set security settings for session
$_SESSION['sec_session_id'] = session_id();
$_SESSION['sec_client_ip'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['sec_sessionTime'] = time();
// logging
logNewMessage(LOG_NOTICE, 'User ' . $username . ' (' . $clientSource . ') successfully logged in.');
// Load main frame
metaRefresh("./main.php");
die();
}
else {
if ($result === False) {
// connection failed
$error_message = _("Cannot connect to specified LDAP server. Please try again.");
logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
}
elseif ($result == 81) {
// connection failed
$error_message = _("Cannot connect to specified LDAP server. Please try again.");
logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
}
elseif ($result == 49) {
// user name/password invalid. Return to login page.
$error_message = _("Wrong password/user name combination. Please try again.");
logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (wrong password).');
}
else {
// other errors
$error_message = _("LDAP error, server says:") . "\n<br>($result) " . ldap_err2str($result);
logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
}
display_LoginPage($_SESSION['config']);
exit();
}
}
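Review bot: In the HTTP-authentication branch of the third hunk (`$username = $_SERVER['PHP_AUTH_USER']; $password = $_SERVER['PHP_AUTH_PW'];`) there is neither an `isset()` check nor the empty-password guard that the `else` branch keeps, so when the web server did not actually enforce authentication, or supplied an empty password, the code proceeds to `$_SESSION['ldap']->connect($username, $password)` with an empty password. Many LDAP servers treat a bind with a DN and an empty password as an unauthenticated (anonymous) bind and return success, in which case `$result === 0` and the session is marked logged in without any credential check; the LDAP search on the user name runs first, but it only resolves the DN and does not verify the password. The guard should be applied to both branches, and the display code in the first hunk (`echo htmlspecialchars($_SERVER['PHP_AUTH_USER'])`) needs the same `isset()` treatment to avoid an undefined-index notice. The enclosing `if(!empty($_POST['checklogin']))` block starts before the hunk.
```php
if (($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) && ($_SESSION['config']->getHttpAuthentication() == 'true')) {
    // credentials only exist if the web server enforced authentication; never bind with an empty password
    if (!isset($_SERVER['PHP_AUTH_USER']) || !isset($_SERVER['PHP_AUTH_PW']) || ($_SERVER['PHP_AUTH_PW'] == "")) {
        logNewMessage(LOG_DEBUG, "Empty password for login");
        $error_message = _("Empty password submitted. Please try again.");
        display_LoginPage($_SESSION['config']);
        exit();
    }
    $username = $_SERVER['PHP_AUTH_USER'];
    $password = $_SERVER['PHP_AUTH_PW'];
}
// … unchanged: else branch reading $_POST, LDAP search for the DN, bind and result handling …
```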