WMDE
/
LDAPAccountManager
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

HTTP authentication

This commit is contained in:
Roland Gruber 2011-08-23 19:05:05 +00:00
parent 302a3fbe27
commit 167588a3d0
8 changed files with 159 additions and 90 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
lam/docs/manual-sources/howto.xml
View File

@ -1034,13 +1034,16 @@ Have fun!
<screenshot> <screenshot>
<mediaobject> <mediaobject>
<imageobject> <imageobject>
<imagedata fileref="images/configProfiles7.png" /> <imagedata fileref="images/configProfiles8.png" />
</imageobject> </imageobject>
</mediaobject> </mediaobject>
</screenshot> </screenshot>
<para>LAM supports two methods for login. You may either specify a <para>LAM supports two methods for login. The first one is to
fixed list of LDAP DNs or let LAM search for the DN in your specify a fixed list of LDAP DNs that are allowed to login. Please
enter one DN per line.</para>
<para>The second one is to let LAM search for the DN in your
directory. E.g. if a user logs in with the user name "joe" then LAM directory. E.g. if a user logs in with the user name "joe" then LAM
will do an LDAP search for this user name. When it finds a matching will do an LDAP search for this user name. When it finds a matching
DN then it will use this to authenticate the user. The wildcard DN then it will use this to authenticate the user. The wildcard
@ -1048,8 +1051,23 @@ Have fun!
provide login by user name, email address or other LDAP provide login by user name, email address or other LDAP
attributes.</para> attributes.</para>
<para>You may also change the password of this server <para>Additionally, you can enable HTTP authentication when using
profile.</para> "LDAP search". This way the web server is responsible to
authenticate your users. LAM will use the given user name + password
for the LDAP login. To setup HTTP authentication in Apache please
see this <ulink
url="http://httpd.apache.org/docs/2.2/howto/auth.html">link</ulink>.</para>
<screenshot>
<mediaobject>
<imageobject>
<imagedata fileref="images/configProfiles7.png" />
</imageobject>
</mediaobject>
</screenshot>
<para>You may also change the password of this server profile.
Please just enter the new password in both password fields.</para>
</section> </section>
<section> <section>

BIN
lam/docs/manual-sources/images/configProfiles7.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 17 KiB

After

Width:  |  Height:  |  Size: 18 KiB

BIN
lam/docs/manual-sources/images/configProfiles8.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

2
lam/help/help.inc
View File

@ -113,6 +113,8 @@ $helpArray = array (
"Text" => _("Please enter the LDAP suffix where LAM should start to search for users. The LDAP filter needs to match the given user name to exactly one DN. The value \"%USER%\" will be replaced by the user name from the login page.")), "Text" => _("Please enter the LDAP suffix where LAM should start to search for users. The LDAP filter needs to match the given user name to exactly one DN. The value \"%USER%\" will be replaced by the user name from the login page.")),
"222" => array ("Headline" => _("LDAP search limit"), "222" => array ("Headline" => _("LDAP search limit"),
"Text" => _("Here you can set a limit for LDAP searches. This will restrict the number of results for LDAP searches. Please use this if LAM's LDAP queries produce too much load.")), "Text" => _("Here you can set a limit for LDAP searches. This will restrict the number of results for LDAP searches. Please use this if LAM's LDAP queries produce too much load.")),
"223" => array ("Headline" => _("HTTP authentication"),
"Text" => _("If enabled then LAM will use user and password that is provided by the web server via HTTP authentication.")),
"230" => array ("Headline" => _("Profile management") . " - " . _("Add profile"), "230" => array ("Headline" => _("Profile management") . " - " . _("Add profile"),
"Text" => _("Please enter the name of the new profile and the password to change its settings. Profile names may contain letters, numbers and -/_.")), "Text" => _("Please enter the name of the new profile and the password to change its settings. Profile names may contain letters, numbers and -/_.")),
"231" => array ("Headline" => _("Profile management") . " - " . _("Rename profile"), "231" => array ("Headline" => _("Profile management") . " - " . _("Rename profile"),

24
lam/lib/config.inc
View File

@ -254,6 +254,9 @@ class LAMConfig {
/** search filter for login */ /** search filter for login */
private $loginSearchFilter = 'uid=%USER%'; private $loginSearchFilter = 'uid=%USER%';
/** specifies if HTTP authentication should be used */
private $httpAuthentication = 'false';
/** email address for sender of password reset mails */ /** email address for sender of password reset mails */
private $lamProMailFrom = ''; private $lamProMailFrom = '';
@ -274,7 +277,7 @@ class LAMConfig {
"defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout", "defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout",
"modules", "activeTypes", "types", "accessLevel", 'loginMethod', 'loginSearchSuffix', "modules", "activeTypes", "types", "accessLevel", 'loginMethod', 'loginSearchSuffix',
'loginSearchFilter', 'searchLimit', 'lamProMailFrom', 'lamProMailReplyTo', 'lamProMailSubject', 'loginSearchFilter', 'searchLimit', 'lamProMailFrom', 'lamProMailReplyTo', 'lamProMailSubject',
'lamProMailText', 'lamProMailIsHTML'); 'lamProMailText', 'lamProMailIsHTML', 'httpAuthentication');
/** /**
@ -425,6 +428,7 @@ class LAMConfig {
if (!in_array("loginMethod", $saved)) array_push($file_array, "\n\n# Login method.\n" . "loginMethod: " . $this->loginMethod . "\n"); if (!in_array("loginMethod", $saved)) array_push($file_array, "\n\n# Login method.\n" . "loginMethod: " . $this->loginMethod . "\n");
if (!in_array("loginSearchSuffix", $saved)) array_push($file_array, "\n\n# Search suffix for LAM login.\n" . "loginSearchSuffix: " . $this->loginSearchSuffix . "\n"); if (!in_array("loginSearchSuffix", $saved)) array_push($file_array, "\n\n# Search suffix for LAM login.\n" . "loginSearchSuffix: " . $this->loginSearchSuffix . "\n");
if (!in_array("loginSearchFilter", $saved)) array_push($file_array, "\n\n# Search filter for LAM login.\n" . "loginSearchFilter: " . $this->loginSearchFilter . "\n"); if (!in_array("loginSearchFilter", $saved)) array_push($file_array, "\n\n# Search filter for LAM login.\n" . "loginSearchFilter: " . $this->loginSearchFilter . "\n");
if (!in_array("httpAuthentication", $saved)) array_push($file_array, "\n\n# HTTP authentication for LAM login.\n" . "httpAuthentication: " . $this->httpAuthentication . "\n");
if (!in_array("lamProMailFrom", $saved)) array_push($file_array, "\n\n# Password mail from\n" . "lamProMailFrom: " . $this->lamProMailFrom . "\n"); if (!in_array("lamProMailFrom", $saved)) array_push($file_array, "\n\n# Password mail from\n" . "lamProMailFrom: " . $this->lamProMailFrom . "\n");
if (!in_array("lamProMailReplyTo", $saved)) array_push($file_array, "\n\n# Password mail reply-to\n" . "lamProMailReplyTo: " . $this->lamProMailReplyTo . "\n"); if (!in_array("lamProMailReplyTo", $saved)) array_push($file_array, "\n\n# Password mail reply-to\n" . "lamProMailReplyTo: " . $this->lamProMailReplyTo . "\n");
if (!in_array("lamProMailSubject", $saved)) array_push($file_array, "\n\n# Password mail subject\n" . "lamProMailSubject: " . $this->lamProMailSubject . "\n"); if (!in_array("lamProMailSubject", $saved)) array_push($file_array, "\n\n# Password mail subject\n" . "lamProMailSubject: " . $this->lamProMailSubject . "\n");
@ -1022,6 +1026,24 @@ class LAMConfig {
$this->loginSearchFilter = $loginSearchFilter; $this->loginSearchFilter = $loginSearchFilter;
} }
/**
* Returns if HTTP authentication should be used.
*
* @return String $httpAuthentication use HTTP authentication ('true' or 'false')
*/
public function getHttpAuthentication() {
return $this->httpAuthentication;
}
/**
* Specifies if HTTP authentication should be used.
*
* @param String $httpAuthentication use HTTP authentication ('true' or 'false')
*/
public function setHttpAuthentication($httpAuthentication) {
$this->httpAuthentication = $httpAuthentication;
}
/** /**
* Returns the login search suffix. * Returns the login search suffix.
* *

8
lam/templates/config/confmain.php
View File

@ -358,6 +358,8 @@ $securitySettingsContent->addElement($searchSuffixInput, true);
$searchFilterInput = new htmlTableExtendedInputField(_("LDAP filter"), 'loginSearchFilter', $conf->getLoginSearchFilter(), '221'); $searchFilterInput = new htmlTableExtendedInputField(_("LDAP filter"), 'loginSearchFilter', $conf->getLoginSearchFilter(), '221');
$searchFilterInput->setRequired(true); $searchFilterInput->setRequired(true);
$securitySettingsContent->addElement($searchFilterInput, true); $securitySettingsContent->addElement($searchFilterInput, true);
// HTTP authentication
$securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('httpAuthentication', ($conf->getHttpAuthentication() == 'true'), _('HTTP authentication'), '223', true), true);
$securitySettingsContent->addElement(new htmlSpacer(null, '10px'), true); $securitySettingsContent->addElement(new htmlSpacer(null, '10px'), true);
// new password // new password
$password1 = new htmlTableExtendedInputField(_("New password"), 'passwd1', null, '212'); $password1 = new htmlTableExtendedInputField(_("New password"), 'passwd1', null, '212');
@ -443,6 +445,12 @@ function checkInput() {
$conf->setLoginMethod($_POST['loginMethod']); $conf->setLoginMethod($_POST['loginMethod']);
$conf->setLoginSearchFilter($_POST['loginSearchFilter']); $conf->setLoginSearchFilter($_POST['loginSearchFilter']);
$conf->setLoginSearchSuffix($_POST['loginSearchSuffix']); $conf->setLoginSearchSuffix($_POST['loginSearchSuffix']);
if (isset($_POST['httpAuthentication']) && ($_POST['httpAuthentication'] == 'on')) {
$conf->setHttpAuthentication('true');
}
else {
$conf->setHttpAuthentication('false');
}
if (!$conf->set_Adminstring(implode(";", $adminTextNew))) { if (!$conf->set_Adminstring(implode(";", $adminTextNew))) {
$errors[] = array("ERROR", _("List of admin users is empty or invalid!")); $errors[] = array("ERROR", _("List of admin users is empty or invalid!"));
} }

2
lam/templates/lib/500_lam.js
View File

@ -157,11 +157,13 @@ function configLoginMethodChanged() {
jQuery('textarea[name=admins]').parent().parent().show(); jQuery('textarea[name=admins]').parent().parent().show();
jQuery('input[name=loginSearchSuffix]').parent().parent().hide(); jQuery('input[name=loginSearchSuffix]').parent().parent().hide();
jQuery('input[name=loginSearchFilter]').parent().parent().hide(); jQuery('input[name=loginSearchFilter]').parent().parent().hide();
jQuery('input[name=httpAuthentication]').parent().parent().hide();
} }
else { else {
jQuery('textarea[name=admins]').parent().parent().hide(); jQuery('textarea[name=admins]').parent().parent().hide();
jQuery('input[name=loginSearchSuffix]').parent().parent().show(); jQuery('input[name=loginSearchSuffix]').parent().parent().show();
jQuery('input[name=loginSearchFilter]').parent().parent().show(); jQuery('input[name=loginSearchFilter]').parent().parent().show();
jQuery('input[name=httpAuthentication]').parent().parent().show();
} }
} }

45
lam/templates/login.php
View File

@ -284,9 +284,14 @@ function display_LoginPage($config_object) {
} }
echo '</select>'; echo '</select>';
} }
else {
if ($config_object->getHttpAuthentication() == 'true') {
echo htmlspecialchars($_SERVER['PHP_AUTH_USER']);
}
else { else {
echo '<input type="text" name="username" tabindex="1">'; echo '<input type="text" name="username" tabindex="1">';
} }
}
?> ?>
</td> </td>
</tr> </tr>
@ -297,7 +302,14 @@ function display_LoginPage($config_object) {
?> ?>
</b>&nbsp;&nbsp;</td> </b>&nbsp;&nbsp;</td>
<td style="border-style:none" height="35" align="left"> <td style="border-style:none" height="35" align="left">
<input type="password" name="passwd" tabindex="2"> <?php
if (($config_object->getLoginMethod() == LAMConfig::LOGIN_SEARCH) && ($config_object->getHttpAuthentication() == 'true')) {
echo '**********';
}
else {
echo '<input type="password" name="passwd" tabindex="2">';
}
?>
</td> </td>
</tr> </tr>
<tr> <tr>
@ -432,21 +444,27 @@ if(!empty($_POST['checklogin'])) {
$_SESSION['ldap'] = new Ldap($_SESSION['config']); // Create new Ldap object $_SESSION['ldap'] = new Ldap($_SESSION['config']); // Create new Ldap object
$clientSource = $_SERVER['REMOTE_ADDR'];
if (isset($_SERVER['REMOTE_HOST'])) {
$clientSource .= '/' . $_SERVER['REMOTE_HOST'];
}
if (($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) && ($_SESSION['config']->getHttpAuthentication() == 'true')) {
$username = $_SERVER['PHP_AUTH_USER'];
$password = $_SERVER['PHP_AUTH_PW'];
}
else {
if($_POST['passwd'] == "") { if($_POST['passwd'] == "") {
logNewMessage(LOG_DEBUG, "Empty password for login"); logNewMessage(LOG_DEBUG, "Empty password for login");
$error_message = _("Empty password submitted. Please try again."); $error_message = _("Empty password submitted. Please try again.");
display_LoginPage($_SESSION['config']); // Empty password submitted. Return to login page. display_LoginPage($_SESSION['config']); // Empty password submitted. Return to login page.
exit(); exit();
} }
else {
$clientSource = $_SERVER['REMOTE_ADDR'];
if (isset($_SERVER['REMOTE_HOST'])) {
$clientSource .= '/' . $_SERVER['REMOTE_HOST'];
}
if (get_magic_quotes_gpc() == 1) { if (get_magic_quotes_gpc() == 1) {
$_POST['passwd'] = stripslashes($_POST['passwd']); $_POST['passwd'] = stripslashes($_POST['passwd']);
} }
$username = $_POST['username']; $username = $_POST['username'];
$password = $_POST['passwd'];
}
// search user in LDAP if needed // search user in LDAP if needed
if ($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) { if ($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) {
$searchFilter = $_SESSION['config']->getLoginSearchFilter(); $searchFilter = $_SESSION['config']->getLoginSearchFilter();
@ -491,7 +509,7 @@ if(!empty($_POST['checklogin'])) {
} }
if (!$searchSuccess) { if (!$searchSuccess) {
$error_message = $searchError; $error_message = $searchError;
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in. ' . $searchError . ''); logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in. ' . $searchError . '');
$searchLDAP->close(); $searchLDAP->close();
display_LoginPage($_SESSION['config']); display_LoginPage($_SESSION['config']);
exit(); exit();
@ -499,7 +517,7 @@ if(!empty($_POST['checklogin'])) {
$searchLDAP->close(); $searchLDAP->close();
} }
// try to connect to LDAP // try to connect to LDAP
$result = $_SESSION['ldap']->connect($username,$_POST['passwd']); // Connect to LDAP server for verifing username/password $result = $_SESSION['ldap']->connect($username, $password); // Connect to LDAP server for verifing username/password
if($result === 0) {// Username/password correct. Do some configuration and load main frame. if($result === 0) {// Username/password correct. Do some configuration and load main frame.
$_SESSION['loggedIn'] = true; $_SESSION['loggedIn'] = true;
// set security settings for session // set security settings for session
@ -507,7 +525,7 @@ if(!empty($_POST['checklogin'])) {
$_SESSION['sec_client_ip'] = $_SERVER['REMOTE_ADDR']; $_SESSION['sec_client_ip'] = $_SERVER['REMOTE_ADDR'];
$_SESSION['sec_sessionTime'] = time(); $_SESSION['sec_sessionTime'] = time();
// logging // logging
logNewMessage(LOG_NOTICE, 'User ' . $_POST['username'] . ' (' . $clientSource . ') successfully logged in.'); logNewMessage(LOG_NOTICE, 'User ' . $username . ' (' . $clientSource . ') successfully logged in.');
// Load main frame // Load main frame
metaRefresh("./main.php"); metaRefresh("./main.php");
die(); die();
@ -516,28 +534,27 @@ if(!empty($_POST['checklogin'])) {
if ($result === False) { if ($result === False) {
// connection failed // connection failed
$error_message = _("Cannot connect to specified LDAP server. Please try again."); $error_message = _("Cannot connect to specified LDAP server. Please try again.");
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').'); logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
} }
elseif ($result == 81) { elseif ($result == 81) {
// connection failed // connection failed
$error_message = _("Cannot connect to specified LDAP server. Please try again."); $error_message = _("Cannot connect to specified LDAP server. Please try again.");
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').'); logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
} }
elseif ($result == 49) { elseif ($result == 49) {
// user name/password invalid. Return to login page. // user name/password invalid. Return to login page.
$error_message = _("Wrong password/user name combination. Please try again."); $error_message = _("Wrong password/user name combination. Please try again.");
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (wrong password).'); logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (wrong password).');
} }
else { else {
// other errors // other errors
$error_message = _("LDAP error, server says:") . "\n<br>($result) " . ldap_err2str($result); $error_message = _("LDAP error, server says:") . "\n<br>($result) " . ldap_err2str($result);
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').'); logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
} }
display_LoginPage($_SESSION['config']); display_LoginPage($_SESSION['config']);
exit(); exit();
} }
} }
}
display_LoginPage($_SESSION["config"]); display_LoginPage($_SESSION["config"]);