HTTP authentication
This commit is contained in:
parent
302a3fbe27
commit
167588a3d0
|
@ -1034,13 +1034,16 @@ Have fun!
|
|||
<screenshot>
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata fileref="images/configProfiles7.png" />
|
||||
<imagedata fileref="images/configProfiles8.png" />
|
||||
</imageobject>
|
||||
</mediaobject>
|
||||
</screenshot>
|
||||
|
||||
<para>LAM supports two methods for login. You may either specify a
|
||||
fixed list of LDAP DNs or let LAM search for the DN in your
|
||||
<para>LAM supports two methods for login. The first one is to
|
||||
specify a fixed list of LDAP DNs that are allowed to login. Please
|
||||
enter one DN per line.</para>
|
||||
|
||||
<para>The second one is to let LAM search for the DN in your
|
||||
directory. E.g. if a user logs in with the user name "joe" then LAM
|
||||
will do an LDAP search for this user name. When it finds a matching
|
||||
DN then it will use this to authenticate the user. The wildcard
|
||||
|
@ -1048,8 +1051,23 @@ Have fun!
|
|||
provide login by user name, email address or other LDAP
|
||||
attributes.</para>
|
||||
|
||||
<para>You may also change the password of this server
|
||||
profile.</para>
|
||||
<para>Additionally, you can enable HTTP authentication when using
|
||||
"LDAP search". This way the web server is responsible to
|
||||
authenticate your users. LAM will use the given user name + password
|
||||
for the LDAP login. To setup HTTP authentication in Apache please
|
||||
see this <ulink
|
||||
url="http://httpd.apache.org/docs/2.2/howto/auth.html">link</ulink>.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata fileref="images/configProfiles7.png" />
|
||||
</imageobject>
|
||||
</mediaobject>
|
||||
</screenshot>
|
||||
|
||||
<para>You may also change the password of this server profile.
|
||||
Please just enter the new password in both password fields.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|
|
Binary file not shown.
Before Width: | Height: | Size: 17 KiB After Width: | Height: | Size: 18 KiB |
Binary file not shown.
After Width: | Height: | Size: 18 KiB |
|
@ -113,6 +113,8 @@ $helpArray = array (
|
|||
"Text" => _("Please enter the LDAP suffix where LAM should start to search for users. The LDAP filter needs to match the given user name to exactly one DN. The value \"%USER%\" will be replaced by the user name from the login page.")),
|
||||
"222" => array ("Headline" => _("LDAP search limit"),
|
||||
"Text" => _("Here you can set a limit for LDAP searches. This will restrict the number of results for LDAP searches. Please use this if LAM's LDAP queries produce too much load.")),
|
||||
"223" => array ("Headline" => _("HTTP authentication"),
|
||||
"Text" => _("If enabled then LAM will use user and password that is provided by the web server via HTTP authentication.")),
|
||||
"230" => array ("Headline" => _("Profile management") . " - " . _("Add profile"),
|
||||
"Text" => _("Please enter the name of the new profile and the password to change its settings. Profile names may contain letters, numbers and -/_.")),
|
||||
"231" => array ("Headline" => _("Profile management") . " - " . _("Rename profile"),
|
||||
|
|
|
@ -254,6 +254,9 @@ class LAMConfig {
|
|||
/** search filter for login */
|
||||
private $loginSearchFilter = 'uid=%USER%';
|
||||
|
||||
/** specifies if HTTP authentication should be used */
|
||||
private $httpAuthentication = 'false';
|
||||
|
||||
/** email address for sender of password reset mails */
|
||||
private $lamProMailFrom = '';
|
||||
|
||||
|
@ -274,7 +277,7 @@ class LAMConfig {
|
|||
"defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout",
|
||||
"modules", "activeTypes", "types", "accessLevel", 'loginMethod', 'loginSearchSuffix',
|
||||
'loginSearchFilter', 'searchLimit', 'lamProMailFrom', 'lamProMailReplyTo', 'lamProMailSubject',
|
||||
'lamProMailText', 'lamProMailIsHTML');
|
||||
'lamProMailText', 'lamProMailIsHTML', 'httpAuthentication');
|
||||
|
||||
|
||||
/**
|
||||
|
@ -425,6 +428,7 @@ class LAMConfig {
|
|||
if (!in_array("loginMethod", $saved)) array_push($file_array, "\n\n# Login method.\n" . "loginMethod: " . $this->loginMethod . "\n");
|
||||
if (!in_array("loginSearchSuffix", $saved)) array_push($file_array, "\n\n# Search suffix for LAM login.\n" . "loginSearchSuffix: " . $this->loginSearchSuffix . "\n");
|
||||
if (!in_array("loginSearchFilter", $saved)) array_push($file_array, "\n\n# Search filter for LAM login.\n" . "loginSearchFilter: " . $this->loginSearchFilter . "\n");
|
||||
if (!in_array("httpAuthentication", $saved)) array_push($file_array, "\n\n# HTTP authentication for LAM login.\n" . "httpAuthentication: " . $this->httpAuthentication . "\n");
|
||||
if (!in_array("lamProMailFrom", $saved)) array_push($file_array, "\n\n# Password mail from\n" . "lamProMailFrom: " . $this->lamProMailFrom . "\n");
|
||||
if (!in_array("lamProMailReplyTo", $saved)) array_push($file_array, "\n\n# Password mail reply-to\n" . "lamProMailReplyTo: " . $this->lamProMailReplyTo . "\n");
|
||||
if (!in_array("lamProMailSubject", $saved)) array_push($file_array, "\n\n# Password mail subject\n" . "lamProMailSubject: " . $this->lamProMailSubject . "\n");
|
||||
|
@ -1022,6 +1026,24 @@ class LAMConfig {
|
|||
$this->loginSearchFilter = $loginSearchFilter;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns if HTTP authentication should be used.
|
||||
*
|
||||
* @return String $httpAuthentication use HTTP authentication ('true' or 'false')
|
||||
*/
|
||||
public function getHttpAuthentication() {
|
||||
return $this->httpAuthentication;
|
||||
}
|
||||
|
||||
/**
|
||||
* Specifies if HTTP authentication should be used.
|
||||
*
|
||||
* @param String $httpAuthentication use HTTP authentication ('true' or 'false')
|
||||
*/
|
||||
public function setHttpAuthentication($httpAuthentication) {
|
||||
$this->httpAuthentication = $httpAuthentication;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the login search suffix.
|
||||
*
|
||||
|
|
|
@ -358,6 +358,8 @@ $securitySettingsContent->addElement($searchSuffixInput, true);
|
|||
$searchFilterInput = new htmlTableExtendedInputField(_("LDAP filter"), 'loginSearchFilter', $conf->getLoginSearchFilter(), '221');
|
||||
$searchFilterInput->setRequired(true);
|
||||
$securitySettingsContent->addElement($searchFilterInput, true);
|
||||
// HTTP authentication
|
||||
$securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('httpAuthentication', ($conf->getHttpAuthentication() == 'true'), _('HTTP authentication'), '223', true), true);
|
||||
$securitySettingsContent->addElement(new htmlSpacer(null, '10px'), true);
|
||||
// new password
|
||||
$password1 = new htmlTableExtendedInputField(_("New password"), 'passwd1', null, '212');
|
||||
|
@ -443,6 +445,12 @@ function checkInput() {
|
|||
$conf->setLoginMethod($_POST['loginMethod']);
|
||||
$conf->setLoginSearchFilter($_POST['loginSearchFilter']);
|
||||
$conf->setLoginSearchSuffix($_POST['loginSearchSuffix']);
|
||||
if (isset($_POST['httpAuthentication']) && ($_POST['httpAuthentication'] == 'on')) {
|
||||
$conf->setHttpAuthentication('true');
|
||||
}
|
||||
else {
|
||||
$conf->setHttpAuthentication('false');
|
||||
}
|
||||
if (!$conf->set_Adminstring(implode(";", $adminTextNew))) {
|
||||
$errors[] = array("ERROR", _("List of admin users is empty or invalid!"));
|
||||
}
|
||||
|
|
|
@ -157,11 +157,13 @@ function configLoginMethodChanged() {
|
|||
jQuery('textarea[name=admins]').parent().parent().show();
|
||||
jQuery('input[name=loginSearchSuffix]').parent().parent().hide();
|
||||
jQuery('input[name=loginSearchFilter]').parent().parent().hide();
|
||||
jQuery('input[name=httpAuthentication]').parent().parent().hide();
|
||||
}
|
||||
else {
|
||||
jQuery('textarea[name=admins]').parent().parent().hide();
|
||||
jQuery('input[name=loginSearchSuffix]').parent().parent().show();
|
||||
jQuery('input[name=loginSearchFilter]').parent().parent().show();
|
||||
jQuery('input[name=httpAuthentication]').parent().parent().show();
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -284,9 +284,14 @@ function display_LoginPage($config_object) {
|
|||
}
|
||||
echo '</select>';
|
||||
}
|
||||
else {
|
||||
if ($config_object->getHttpAuthentication() == 'true') {
|
||||
echo htmlspecialchars($_SERVER['PHP_AUTH_USER']);
|
||||
}
|
||||
else {
|
||||
echo '<input type="text" name="username" tabindex="1">';
|
||||
}
|
||||
}
|
||||
?>
|
||||
</td>
|
||||
</tr>
|
||||
|
@ -297,7 +302,14 @@ function display_LoginPage($config_object) {
|
|||
?>
|
||||
</b> </td>
|
||||
<td style="border-style:none" height="35" align="left">
|
||||
<input type="password" name="passwd" tabindex="2">
|
||||
<?php
|
||||
if (($config_object->getLoginMethod() == LAMConfig::LOGIN_SEARCH) && ($config_object->getHttpAuthentication() == 'true')) {
|
||||
echo '**********';
|
||||
}
|
||||
else {
|
||||
echo '<input type="password" name="passwd" tabindex="2">';
|
||||
}
|
||||
?>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
|
@ -432,21 +444,27 @@ if(!empty($_POST['checklogin'])) {
|
|||
|
||||
$_SESSION['ldap'] = new Ldap($_SESSION['config']); // Create new Ldap object
|
||||
|
||||
$clientSource = $_SERVER['REMOTE_ADDR'];
|
||||
if (isset($_SERVER['REMOTE_HOST'])) {
|
||||
$clientSource .= '/' . $_SERVER['REMOTE_HOST'];
|
||||
}
|
||||
if (($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) && ($_SESSION['config']->getHttpAuthentication() == 'true')) {
|
||||
$username = $_SERVER['PHP_AUTH_USER'];
|
||||
$password = $_SERVER['PHP_AUTH_PW'];
|
||||
}
|
||||
else {
|
||||
if($_POST['passwd'] == "") {
|
||||
logNewMessage(LOG_DEBUG, "Empty password for login");
|
||||
$error_message = _("Empty password submitted. Please try again.");
|
||||
display_LoginPage($_SESSION['config']); // Empty password submitted. Return to login page.
|
||||
exit();
|
||||
}
|
||||
else {
|
||||
$clientSource = $_SERVER['REMOTE_ADDR'];
|
||||
if (isset($_SERVER['REMOTE_HOST'])) {
|
||||
$clientSource .= '/' . $_SERVER['REMOTE_HOST'];
|
||||
}
|
||||
if (get_magic_quotes_gpc() == 1) {
|
||||
$_POST['passwd'] = stripslashes($_POST['passwd']);
|
||||
}
|
||||
$username = $_POST['username'];
|
||||
$password = $_POST['passwd'];
|
||||
}
|
||||
// search user in LDAP if needed
|
||||
if ($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) {
|
||||
$searchFilter = $_SESSION['config']->getLoginSearchFilter();
|
||||
|
@ -491,7 +509,7 @@ if(!empty($_POST['checklogin'])) {
|
|||
}
|
||||
if (!$searchSuccess) {
|
||||
$error_message = $searchError;
|
||||
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in. ' . $searchError . '');
|
||||
logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in. ' . $searchError . '');
|
||||
$searchLDAP->close();
|
||||
display_LoginPage($_SESSION['config']);
|
||||
exit();
|
||||
|
@ -499,7 +517,7 @@ if(!empty($_POST['checklogin'])) {
|
|||
$searchLDAP->close();
|
||||
}
|
||||
// try to connect to LDAP
|
||||
$result = $_SESSION['ldap']->connect($username,$_POST['passwd']); // Connect to LDAP server for verifing username/password
|
||||
$result = $_SESSION['ldap']->connect($username, $password); // Connect to LDAP server for verifing username/password
|
||||
if($result === 0) {// Username/password correct. Do some configuration and load main frame.
|
||||
$_SESSION['loggedIn'] = true;
|
||||
// set security settings for session
|
||||
|
@ -507,7 +525,7 @@ if(!empty($_POST['checklogin'])) {
|
|||
$_SESSION['sec_client_ip'] = $_SERVER['REMOTE_ADDR'];
|
||||
$_SESSION['sec_sessionTime'] = time();
|
||||
// logging
|
||||
logNewMessage(LOG_NOTICE, 'User ' . $_POST['username'] . ' (' . $clientSource . ') successfully logged in.');
|
||||
logNewMessage(LOG_NOTICE, 'User ' . $username . ' (' . $clientSource . ') successfully logged in.');
|
||||
// Load main frame
|
||||
metaRefresh("./main.php");
|
||||
die();
|
||||
|
@ -516,28 +534,27 @@ if(!empty($_POST['checklogin'])) {
|
|||
if ($result === False) {
|
||||
// connection failed
|
||||
$error_message = _("Cannot connect to specified LDAP server. Please try again.");
|
||||
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
|
||||
logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
|
||||
}
|
||||
elseif ($result == 81) {
|
||||
// connection failed
|
||||
$error_message = _("Cannot connect to specified LDAP server. Please try again.");
|
||||
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
|
||||
logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
|
||||
}
|
||||
elseif ($result == 49) {
|
||||
// user name/password invalid. Return to login page.
|
||||
$error_message = _("Wrong password/user name combination. Please try again.");
|
||||
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (wrong password).');
|
||||
logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (wrong password).');
|
||||
}
|
||||
else {
|
||||
// other errors
|
||||
$error_message = _("LDAP error, server says:") . "\n<br>($result) " . ldap_err2str($result);
|
||||
logNewMessage(LOG_ERR, 'User ' . $_POST['username'] . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
|
||||
logNewMessage(LOG_ERR, 'User ' . $username . ' (' . $clientSource . ') failed to log in (LDAP error: ' . ldap_err2str($result) . ').');
|
||||
}
|
||||
display_LoginPage($_SESSION['config']);
|
||||
exit();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
display_LoginPage($_SESSION["config"]);
|
||||
|
||||
|
|
Loading…
Reference in New Issue