diff --git a/lam/docs/manual-sources/howto.xml b/lam/docs/manual-sources/howto.xml
index 9f1c9041..147fa2e5 100644
--- a/lam/docs/manual-sources/howto.xml
+++ b/lam/docs/manual-sources/howto.xml
@@ -1034,13 +1034,16 @@ Have fun! - + - LAM supports two methods for login. You may either specify a - fixed list of LDAP DNs or let LAM search for the DN in your + LAM supports two methods for login. The first one is to + specify a fixed list of LDAP DNs that are allowed to login. Please + enter one DN per line. + + The second one is to let LAM search for the DN in your directory. E.g. if a user logs in with the user name "joe" then LAM will do an LDAP search for this user name. When it finds a matching DN then it will use this to authenticate the user. The wildcard
@@ -1048,8 +1051,23 @@ Have fun! provide login by user name, email address or other LDAP attributes. - You may also change the password of this server - profile. + Additionally, you can enable HTTP authentication when using + "LDAP search". This way the web server is responsible to + authenticate your users. LAM will use the given user name + password + for the LDAP login. To setup HTTP authentication in Apache please + see this link. + + + + + + + + + + You may also change the password of this server profile. + Please just enter the new password in both password fields.
diff --git a/lam/docs/manual-sources/images/configProfiles7.png b/lam/docs/manual-sources/images/configProfiles7.png
index 54867c57..e2bfff4f 100644
Binary files a/lam/docs/manual-sources/images/configProfiles7.png and b/lam/docs/manual-sources/images/configProfiles7.png differ
diff --git a/lam/docs/manual-sources/images/configProfiles8.png b/lam/docs/manual-sources/images/configProfiles8.png
new file mode 100644
index 00000000..099db889
Binary files /dev/null and b/lam/docs/manual-sources/images/configProfiles8.png differ
diff --git a/lam/help/help.inc b/lam/help/help.inc
index 351c4e7b..79d319bf 100644
--- a/lam/help/help.inc
+++ b/lam/help/help.inc
@@ -113,6 +113,8 @@ $helpArray = array (
 "Text" => _("Please enter the LDAP suffix where LAM should start to search for users. The LDAP filter needs to match the given user name to exactly one DN. The value \"%USER%\" will be replaced by the user name from the login page.")),
 "222" => array ("Headline" => _("LDAP search limit"),
 "Text" => _("Here you can set a limit for LDAP searches. This will restrict the number of results for LDAP searches. Please use this if LAM's LDAP queries produce too much load.")),
+ "223" => array ("Headline" => _("HTTP authentication"),
+ "Text" => _("If enabled then LAM will use user and password that is provided by the web server via HTTP authentication.")),
 "230" => array ("Headline" => _("Profile management") . " - " . _("Add profile"),
 "Text" => _("Please enter the name of the new profile and the password to change its settings. Profile names may contain letters, numbers and -/_.")),
 "231" => array ("Headline" => _("Profile management") . " - " . _("Rename profile"),
diff --git a/lam/lib/config.inc b/lam/lib/config.inc
index af116af6..9636644c 100644
--- a/lam/lib/config.inc
+++ b/lam/lib/config.inc
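Review bot: The new help text for key "223" does not state the precondition that makes this option safe: LAM itself performs no HTTP authentication, it only takes over whatever user name and password the web server hands it (the login.php hunk in this commit reads `$_SERVER['PHP_AUTH_USER']` and `$_SERVER['PHP_AUTH_PW']`), so the web server must actually require authentication for LAM's pages. The help entry is what an administrator sees when enabling the checkbox, so this belongs here as well as in the manual. Suggested addition to the "Text" string: `LAM does not verify the HTTP authentication itself. Please make sure that your web server requires authentication for all LAM pages.`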
@@ -254,6 +254,9 @@ class LAMConfig {
 /** search filter for login */
 private $loginSearchFilter = 'uid=%USER%';
+ /** specifies if HTTP authentication should be used */
+ private $httpAuthentication = 'false';
+
 /** email address for sender of password reset mails */
 private $lamProMailFrom = '';
@@ -274,7 +277,7 @@ class LAMConfig {
 "defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout",
 "modules", "activeTypes", "types", "accessLevel", 'loginMethod', 'loginSearchSuffix',
 'loginSearchFilter', 'searchLimit', 'lamProMailFrom', 'lamProMailReplyTo', 'lamProMailSubject',
- 'lamProMailText', 'lamProMailIsHTML');
+ 'lamProMailText', 'lamProMailIsHTML', 'httpAuthentication');
 /**
@@ -425,6 +428,7 @@ class LAMConfig {
 if (!in_array("loginMethod", $saved)) array_push($file_array, "\n\n# Login method.\n" . "loginMethod: " . $this->loginMethod . "\n");
 if (!in_array("loginSearchSuffix", $saved)) array_push($file_array, "\n\n# Search suffix for LAM login.\n" . "loginSearchSuffix: " . $this->loginSearchSuffix . "\n");
 if (!in_array("loginSearchFilter", $saved)) array_push($file_array, "\n\n# Search filter for LAM login.\n" . "loginSearchFilter: " . $this->loginSearchFilter . "\n");
+ if (!in_array("httpAuthentication", $saved)) array_push($file_array, "\n\n# HTTP authentication for LAM login.\n" . "httpAuthentication: " . $this->httpAuthentication . "\n");
 if (!in_array("lamProMailFrom", $saved)) array_push($file_array, "\n\n# Password mail from\n" . "lamProMailFrom: " . $this->lamProMailFrom . "\n");
 if (!in_array("lamProMailReplyTo", $saved)) array_push($file_array, "\n\n# Password mail reply-to\n" . "lamProMailReplyTo: " . $this->lamProMailReplyTo . "\n");
 if (!in_array("lamProMailSubject", $saved)) array_push($file_array, "\n\n# Password mail subject\n" . "lamProMailSubject: " . $this->lamProMailSubject . "\n");
@@ -1022,6 +1026,24 @@ class LAMConfig {
 $this->loginSearchFilter = $loginSearchFilter;
 }
+ /**
+ * Returns if HTTP authentication should be used.
+ *
+ * @return String $httpAuthentication use HTTP authentication ('true' or 'false')
+ */
+ public function getHttpAuthentication() {
+ return $this->httpAuthentication;
+ }
+
+ /**
+ * Specifies if HTTP authentication should be used.
+ *
+ * @param String $httpAuthentication use HTTP authentication ('true' or 'false')
+ */
+ public function setHttpAuthentication($httpAuthentication) {
+ $this->httpAuthentication = $httpAuthentication;
+ }
+
 /**
 * Returns the login search suffix.
 *
diff --git a/lam/templates/config/confmain.php b/lam/templates/config/confmain.php
index 0cd811da..de0ab46a 100644
--- a/lam/templates/config/confmain.php
+++ b/lam/templates/config/confmain.php
@@ -358,6 +358,8 @@ $securitySettingsContent->addElement($searchSuffixInput, true);
 $searchFilterInput = new htmlTableExtendedInputField(_("LDAP filter"), 'loginSearchFilter', $conf->getLoginSearchFilter(), '221');
 $searchFilterInput->setRequired(true);
 $securitySettingsContent->addElement($searchFilterInput, true);
+// HTTP authentication
+$securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('httpAuthentication', ($conf->getHttpAuthentication() == 'true'), _('HTTP authentication'), '223', true), true);
 $securitySettingsContent->addElement(new htmlSpacer(null, '10px'), true);
 // new password
 $password1 = new htmlTableExtendedInputField(_("New password"), 'passwd1', null, '212');
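Review bot: setHttpAuthentication() stores whatever string it receives, while every consumer in this commit (the confmain.php checkbox on this line and the login.php hunks) only tests `== 'true'`, so a value that ends up in the config file as anything else, say `yes` or `1`, is silently treated as disabled and the setting looks broken to the administrator. The docblock already restricts the contract to 'true' or 'false', so the setter should enforce it: `$this->httpAuthentication = ($httpAuthentication === 'true') ? 'true' : 'false';`. The same normalisation could be applied where the config file is parsed, but that code is outside this hunk.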
@@ -443,6 +445,12 @@ function checkInput() {
 $conf->setLoginMethod($_POST['loginMethod']);
 $conf->setLoginSearchFilter($_POST['loginSearchFilter']);
 $conf->setLoginSearchSuffix($_POST['loginSearchSuffix']);
+ if (isset($_POST['httpAuthentication']) && ($_POST['httpAuthentication'] == 'on')) {
+ $conf->setHttpAuthentication('true');
+ }
+ else {
+ $conf->setHttpAuthentication('false');
+ }
 if (!$conf->set_Adminstring(implode(";", $adminTextNew))) {
 $errors[] = array("ERROR", _("List of admin users is empty or invalid!"));
 }
diff --git a/lam/templates/lib/500_lam.js b/lam/templates/lib/500_lam.js
index a268cb30..0c8d3ea5 100644
--- a/lam/templates/lib/500_lam.js
+++ b/lam/templates/lib/500_lam.js
@@ -157,11 +157,13 @@ function configLoginMethodChanged() {
 jQuery('textarea[name=admins]').parent().parent().show();
 jQuery('input[name=loginSearchSuffix]').parent().parent().hide();
 jQuery('input[name=loginSearchFilter]').parent().parent().hide();
+ jQuery('input[name=httpAuthentication]').parent().parent().hide();
 }
 else {
 jQuery('textarea[name=admins]').parent().parent().hide();
 jQuery('input[name=loginSearchSuffix]').parent().parent().show();
 jQuery('input[name=loginSearchFilter]').parent().parent().show();
+ jQuery('input[name=httpAuthentication]').parent().parent().show();
 }
 }
diff --git a/lam/templates/login.php b/lam/templates/login.php
index 2be4722e..ea629a15 100644
--- a/lam/templates/login.php
+++ b/lam/templates/login.php
@@ -285,7 +285,12 @@ function display_LoginPage($config_object) { echo ''; } else { - echo ''; + if ($config_object->getHttpAuthentication() == 'true') { + echo htmlspecialchars($_SERVER['PHP_AUTH_USER']); + } + else { + echo ''; + } } ?>
@@ -297,7 +302,14 @@ function display_LoginPage($config_object) { ?>    - + getLoginMethod() == LAMConfig::LOGIN_SEARCH) && ($config_object->getHttpAuthentication() == 'true')) { + echo '**********'; + } + else { + echo ''; + } + ?>
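Review bot: In the display_LoginPage() hunk at -285, `echo htmlspecialchars($_SERVER['PHP_AUTH_USER']);` dereferences the server variable without checking it is set; when the option is enabled but the web server did not authenticate this particular request (for example because the auth requirement is scoped to another path), PHP emits an undefined-index notice into the page and prints an empty name, which hides the misconfiguration from the administrator. The value also appears to be emitted inside a form field value, judging by the surrounding `echo ''` lines, so it should be escaped for attribute context. Suggested line: `echo isset($_SERVER['PHP_AUTH_USER']) ? htmlspecialchars($_SERVER['PHP_AUTH_USER'], ENT_QUOTES, 'UTF-8') : '';`. The same unchecked read appears in the login handling hunk at -432 of this file, where it matters more.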
@@ -432,55 +444,55 @@ if(!empty($_POST['checklogin'])) { $_SESSION['ldap'] = new Ldap($_SESSION['config']); // Create new Ldap object - if($_POST['passwd'] == "") { - logNewMessage(LOG_DEBUG, "Empty password for login"); - $error_message = _("Empty password submitted. Please try again."); - display_LoginPage($_SESSION['config']); // Empty password submitted. Return to login page. - exit(); + $clientSource = $_SERVER['REMOTE_ADDR']; + if (isset($_SERVER['REMOTE_HOST'])) { + $clientSource .= '/' . $_SERVER['REMOTE_HOST']; + } + if (($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) && ($_SESSION['config']->getHttpAuthentication() == 'true')) { + $username = $_SERVER['PHP_AUTH_USER']; + $password = $_SERVER['PHP_AUTH_PW']; } else { - $clientSource = $_SERVER['REMOTE_ADDR']; - if (isset($_SERVER['REMOTE_HOST'])) { - $clientSource .= '/' . $_SERVER['REMOTE_HOST']; + if($_POST['passwd'] == "") { + logNewMessage(LOG_DEBUG, "Empty password for login"); + $error_message = _("Empty password submitted. Please try again."); + display_LoginPage($_SESSION['config']); // Empty password submitted. Return to login page. + exit(); } if (get_magic_quotes_gpc() == 1) { $_POST['passwd'] = stripslashes($_POST['passwd']); } $username = $_POST['username']; - // search user in LDAP if needed - if ($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) { - $searchFilter = $_SESSION['config']->getLoginSearchFilter(); - $searchFilter = str_replace('%USER%', $username ,$searchFilter); - $searchSuccess = true; - $searchError = ''; - $searchLDAP = new Ldap($_SESSION['config']); - $searchLDAPResult = $searchLDAP->connect('', '', true); - if (! ($searchLDAPResult == 0)) { - $searchSuccess = false; - $searchError = _('Cannot connect to specified LDAP server. Please try again.') . ' ' . 
@ldap_error($searchLDAP->server()); - } - else { - $searchResult = @ldap_search($searchLDAP->server(), $_SESSION['config']->getLoginSearchSuffix(), $searchFilter, array('dn'), 0, 0, 0, LDAP_DEREF_NEVER); - if ($searchResult) { - $searchInfo = @ldap_get_entries($searchLDAP->server(), $searchResult); - if ($searchInfo) { - cleanLDAPResult($searchInfo); - if (sizeof($searchInfo) == 0) { - $searchSuccess = false; - $searchError = _('Wrong password/user name combination. Please try again.'); - } - elseif (sizeof($searchInfo) > 1) { - $searchSuccess = false; - $searchError = _('The given user name matches multiple LDAP entries.'); - } - else { - $username = $searchInfo[0]['dn']; - } + $password = $_POST['passwd']; + } + // search user in LDAP if needed + if ($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) { + $searchFilter = $_SESSION['config']->getLoginSearchFilter(); + $searchFilter = str_replace('%USER%', $username ,$searchFilter); + $searchSuccess = true; + $searchError = ''; + $searchLDAP = new Ldap($_SESSION['config']); + $searchLDAPResult = $searchLDAP->connect('', '', true); + if (! ($searchLDAPResult == 0)) { + $searchSuccess = false; + $searchError = _('Cannot connect to specified LDAP server. Please try again.') . ' ' . @ldap_error($searchLDAP->server()); + } + else { + $searchResult = @ldap_search($searchLDAP->server(), $_SESSION['config']->getLoginSearchSuffix(), $searchFilter, array('dn'), 0, 0, 0, LDAP_DEREF_NEVER); + if ($searchResult) { + $searchInfo = @ldap_get_entries($searchLDAP->server(), $searchResult); + if ($searchInfo) { + cleanLDAPResult($searchInfo); + if (sizeof($searchInfo) == 0) { + $searchSuccess = false; + $searchError = _('Wrong password/user name combination. 
Please try again.'); + } + elseif (sizeof($searchInfo) > 1) { + $searchSuccess = false; + $searchError = _('The given user name matches multiple LDAP entries.'); } else { - $searchSuccess = false; - $searchError = _('Unable to find the user name in LDAP.'); - if (ldap_errno($searchLDAP->server()) != 0) $searchError .= ' ' . ldap_error($searchLDAP->server()); + $username = $searchInfo[0]['dn']; } } else { 
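Review bot: The new HTTP-authentication branch at the top of this hunk drops the empty-password guard that the form branch keeps: `$password = $_SERVER['PHP_AUTH_PW'];` is taken as-is, with no `isset()` and no check for an empty string, and that value reaches `$_SESSION['ldap']->connect($username, $password)` in the next hunk. An LDAP bind with a DN and an empty password is an unauthenticated bind (RFC 4513 §5.1.2), which many directory servers answer with success as an anonymous session, so unless Ldap::connect() rejects empty passwords itself (not visible here) a request that arrives without server-side credentials could be logged in as the searched DN; this is presumably exactly why the form path has the `$_POST['passwd'] == ""` check. The enclosing `if(!empty($_POST['checklogin']))` block starts outside this hunk. I would default missing server variables to an empty string and move the existing empty-password rejection below the if/else so it applies to both credential sources, reusing the existing messages:
```php
if (($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) && ($_SESSION['config']->getHttpAuthentication() == 'true')) {
	// only trust these when the web server actually authenticated the request; a missing value is treated as an empty password below
	$username = isset($_SERVER['PHP_AUTH_USER']) ? $_SERVER['PHP_AUTH_USER'] : '';
	$password = isset($_SERVER['PHP_AUTH_PW']) ? $_SERVER['PHP_AUTH_PW'] : '';
}
else {
	if (get_magic_quotes_gpc() == 1) {
		$_POST['passwd'] = stripslashes($_POST['passwd']);
	}
	$username = $_POST['username'];
	$password = $_POST['passwd'];
}
// reject empty passwords from either source: a bind with an empty password is an unauthenticated (anonymous) bind on many LDAP servers
if ($password == "") {
	logNewMessage(LOG_DEBUG, "Empty password for login");
	$error_message = _("Empty password submitted. Please try again.");
	display_LoginPage($_SESSION['config']); // Empty password submitted. Return to login page.
	exit();
}
// … unchanged: LDAP search for the user DN …
```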
@@ -489,53 +501,58 @@ if(!empty($_POST['checklogin'])) { if (ldap_errno($searchLDAP->server()) != 0) $searchError .= ' ' . ldap_error($searchLDAP->server()); } } - if (!$searchSuccess) { - $error_message = $searchError; - logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in. ' . $searchError . ''); - $searchLDAP->close(); - display_LoginPage($_SESSION['config']); - exit(); - } - $searchLDAP->close(); - } - // try to connect to LDAP - $result = $_SESSION['ldap']->connect($username,$_POST['passwd']); // Connect to LDAP server for verifing username/password - if($result === 0) {// Username/password correct. Do some configuration and load main frame. - $_SESSION['loggedIn'] = true; - // set security settings for session - $_SESSION['sec_session_id'] = session_id(); - $_SESSION['sec_client_ip'] = $_SERVER['REMOTE_ADDR']; - $_SESSION['sec_sessionTime'] = time(); - // logging - logNewMessage(LOG_NOTICE, 'User ' . $_POST['username'] . ' (' . $clientSource . ') successfully logged in.'); - // Load main frame - metaRefresh("./main.php"); - die(); - } - else { - if ($result === False) { - // connection failed - $error_message = _("Cannot connect to specified LDAP server. Please try again."); - logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').'); - } - elseif ($result == 81) { - // connection failed - $error_message = _("Cannot connect to specified LDAP server. Please try again."); - logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').'); - } - elseif ($result == 49) { - // user name/password invalid. Return to login page. - $error_message = _("Wrong password/user name combination. Please try again."); - logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . 
') failed to log in (wrong password).'); - } else { - // other errors - $error_message = _("LDAP error, server says:") . "\n
($result) " . ldap_err2str($result); - logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').'); + $searchSuccess = false; + $searchError = _('Unable to find the user name in LDAP.'); + if (ldap_errno($searchLDAP->server()) != 0) $searchError .= ' ' . ldap_error($searchLDAP->server()); } + } + if (!$searchSuccess) { + $error_message = $searchError; + logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in. ' . $searchError . ''); + $searchLDAP->close(); display_LoginPage($_SESSION['config']); exit(); } + $searchLDAP->close(); + } + // try to connect to LDAP + $result = $_SESSION['ldap']->connect($username, $password); // Connect to LDAP server for verifing username/password + if($result === 0) {// Username/password correct. Do some configuration and load main frame. + $_SESSION['loggedIn'] = true; + // set security settings for session + $_SESSION['sec_session_id'] = session_id(); + $_SESSION['sec_client_ip'] = $_SERVER['REMOTE_ADDR']; + $_SESSION['sec_sessionTime'] = time(); + // logging + logNewMessage(LOG_NOTICE, 'User ' . $username . ' (' . $clientSource . ') successfully logged in.'); + // Load main frame + metaRefresh("./main.php"); + die(); + } + else { + if ($result === False) { + // connection failed + $error_message = _("Cannot connect to specified LDAP server. Please try again."); + logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').'); + } + elseif ($result == 81) { + // connection failed + $error_message = _("Cannot connect to specified LDAP server. Please try again."); + logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').'); + } + elseif ($result == 49) { + // user name/password invalid. Return to login page. + $error_message = _("Wrong password/user name combination. 
Please try again."); + logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (wrong password).'); + } + else { + // other errors + $error_message = _("LDAP error, server says:") . "\n
($result) " . ldap_err2str($result); + logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').'); + } + display_LoginPage($_SESSION['config']); + exit(); } }