added host restriction

This commit is contained in:
Roland Gruber 2006-04-25 11:25:07 +00:00
parent f49bf6944f
commit 185d3fd2ce
4 changed files with 80 additions and 27 deletions


@ -134,6 +134,8 @@ $helpArray = array (
"Text" => _("Please select your prefered log level. Messages with a lower level will not be logged.")), "Text" => _("Please select your prefered log level. Messages with a lower level will not be logged.")),
"240" => array ("ext" => "FALSE", "Headline" => _("Log destination"), "240" => array ("ext" => "FALSE", "Headline" => _("Log destination"),
"Text" => _("Here you can select where LAM should save its log messages. System logging will go to Syslog on Unix systems and event log on Windows. You can also select an extra file.")), "Text" => _("Here you can select where LAM should save its log messages. System logging will go to Syslog on Unix systems and event log on Windows. You can also select an extra file.")),
"241" => array ("ext" => "FALSE", "Headline" => _("Allowed hosts"),
"Text" => _("This is a list of IP addresses from hosts who may access LAM. You can use \"*\" as wildcard (e.g. 192.168.0.*).")),
"250" => array ("ext" => "FALSE", "Headline" => _("Account lists - Filters"), "250" => array ("ext" => "FALSE", "Headline" => _("Account lists - Filters"),
"Text" => _("Here you can input small filter expressions (e.g. 'value' or 'v*'). LAM will filter case-insensitive.")), "Text" => _("Here you can input small filter expressions (e.g. 'value' or 'v*'). LAM will filter case-insensitive.")),
// 300 - 399 // 300 - 399
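Review bot: The new help entry 241 tells the admin what an entry looks like but not how the list is delimited or what an empty list means, both of which the rest of the commit fixes: the settings page splits the textarea on line breaks and the runtime check is skipped entirely when the stored value is empty. Extending the text to something like `_("This is a list of IP addresses from hosts who may access LAM, one per line. You can use \"*\" as wildcard (e.g. 192.168.0.*). Leave the list empty to allow access from all hosts.")` keeps the fail-open default explicit to the person configuring it. The `$helpArray` definition continues outside this hunk.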


@ -728,8 +728,12 @@ class CfgMain {
/** log destination ("SYSLOG":syslog, "/...":file, "NONE":none) */ /** log destination ("SYSLOG":syslog, "/...":file, "NONE":none) */
var $logDestination; var $logDestination;
/** list of hosts which may access LAM */
var $allowedHosts;
/** list of data fields to save in config file */ /** list of data fields to save in config file */
var $settings = array("password", "default", "sessionTimeout", "logLevel", "logDestination"); var $settings = array("password", "default", "sessionTimeout",
"logLevel", "logDestination", "allowedHosts");
/** /**
* Loads preferences from config file * Loads preferences from config file
@ -739,6 +743,7 @@ class CfgMain {
$this->sessionTimeout = 30; $this->sessionTimeout = 30;
$this->logLevel = LOG_NOTICE; $this->logLevel = LOG_NOTICE;
$this->logDestination = "SYSLOG"; $this->logDestination = "SYSLOG";
$this->allowedHosts = "";
$this->reload(); $this->reload();
} }
@ -809,6 +814,7 @@ class CfgMain {
if (!in_array("sessionTimeout", $saved)) array_push($file_array, "\n\n# session timeout in minutes\n" . "sessionTimeout: " . $this->sessionTimeout); if (!in_array("sessionTimeout", $saved)) array_push($file_array, "\n\n# session timeout in minutes\n" . "sessionTimeout: " . $this->sessionTimeout);
if (!in_array("logLevel", $saved)) array_push($file_array, "\n\n# log level\n" . "logLevel: " . $this->logLevel); if (!in_array("logLevel", $saved)) array_push($file_array, "\n\n# log level\n" . "logLevel: " . $this->logLevel);
if (!in_array("logDestination", $saved)) array_push($file_array, "\n\n# log destination\n" . "logDestination: " . $this->logDestination); if (!in_array("logDestination", $saved)) array_push($file_array, "\n\n# log destination\n" . "logDestination: " . $this->logDestination);
if (!in_array("allowedHosts", $saved)) array_push($file_array, "\n\n# list of hosts which may access LAM\n" . "allowedHosts: " . $this->allowedHosts);
$file = @fopen($conffile, "w"); $file = @fopen($conffile, "w");
if ($file) { if ($file) {
for ($i = 0; $i < sizeof($file_array); $i++) fputs($file, $file_array[$i]); for ($i = 0; $i < sizeof($file_array); $i++) fputs($file, $file_array[$i]);
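Review bot: The new `$allowedHosts` property is documented only as "list of hosts which may access LAM", while the constructor initialises it to `""` and the save routine writes it as a single `allowedHosts:` line, so the format and the meaning of the empty default are left to the reader; `/** comma-separated list of client IP addresses (with "*" wildcards) which may access LAM; empty string means no restriction */` would state both. The same applies to the generated config comment on the `allowedHosts:` line, which could say `# list of hosts which may access LAM (comma-separated, empty = no restriction)`. The loading side (`reload()`) is outside this hunk, so I cannot confirm that a missing `allowedHosts:` line in an existing config file leaves the property at its `""` default rather than unset.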


@ -33,6 +33,9 @@ include_once('config.inc');
/** ldap connection */ /** ldap connection */
include_once('ldap.inc'); include_once('ldap.inc');
// check client IP address
checkClientIP();
/** /**
* Starts a session and checks the environment. * Starts a session and checks the environment.
* The script is stopped if one of the checks fail. * The script is stopped if one of the checks fail.
@ -72,27 +75,26 @@ function startSecureSession() {
* *
*/ */
function checkClientIP() { function checkClientIP() {
$cfg = new CfgMain();
} $allowedHosts = $cfg->allowedHosts;
// skip test if no hosts are defined
/** if ($allowedHosts == "") return;
* Checks if the user is allowed to access LAM at this time. $allowedHosts = explode(",", $allowedHosts);
* The script is stopped if time is exceeded. $grantAccess = false;
* for ($i = 0; $i < sizeof($allowedHosts); $i++) {
* @param unknown_type $dn $host = $allowedHosts[$i];
*/ $ipRegex = '^[0-9\\.\\*]+$';
function checkUserTime($dn) { if (!ereg($ipRegex, $host)) continue;
$hostRegex = str_replace(".", "\\.", $host);
} $hostRegex = '^' . str_replace("*", ".*", $hostRegex) . '$';
$clientIP = $_SERVER['REMOTE_ADDR'];
/** if (ereg($hostRegex, $clientIP)) {
* Returns a list of DNs of valid LAM users. // client is allowed to access LAM
* $grantAccess = true;
* @param string $dn configuration DN }
* @return array $dn user list }
*/ // stop script is client may not access LAM
function getValidUserDNs($dn) { if (!$grantAccess) die();
return array("uid=test,o=test", "uid=test2,o=test");
} }
/** /**
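Review bot: A client that fails the new `checkClientIP()` test is dropped with a bare `die()`, which returns an empty page with a 200 status and records nothing, so an admin who locks themselves out by a typo in the list, or a request arriving from an unexpected address, both look like a blank page; send an explicit status and record the denied `REMOTE_ADDR` before exiting, e.g. `header('HTTP/1.0 403 Forbidden'); die();`, with a log entry if the project has a logging helper (none is visible in this hunk). The wildcard expansion on the `$hostRegex` line turns `*` into `.*`, which also spans dots, so `192.168.*` matches any number of further octets; that is presumably intended but deserves a comment such as `// "*" matches any run of characters, including dots`. Entries that fail `$ipRegex` are silently skipped by `continue`, so a list consisting only of malformed entries denies everyone, which is the safe direction but again worth a comment. The call at file level also constructs a new `CfgMain()` on every request that includes this file, which appears to re-read the config file each time.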


@ -89,6 +89,27 @@ if ($_POST['submit']) {
} }
// set session timeout // set session timeout
$cfg->sessionTimeout = $_POST['sessionTimeout']; $cfg->sessionTimeout = $_POST['sessionTimeout'];
// set allowed hosts
if (isset($_POST['allowedHosts'])) {
$allowedHosts = $_POST['allowedHosts'];
$allowedHostsList = explode("\n", $allowedHosts);
for ($i = 0; $i < sizeof($allowedHostsList); $i++) {
$allowedHostsList[$i] = trim($allowedHostsList[$i]);
// ignore empty lines
if ($allowedHostsList[$i] == "") {
unset($allowedHostsList[$i]);
continue;
}
// check each line
$ipRegex = '^[0-9\\.\\*]+$';
if (!ereg($ipRegex, $allowedHostsList[$i]) || (strlen($allowedHostsList[$i]) > 15)) {
$errors[] = sprintf(_("The IP address %s is invalid!"), $allowedHostsList[$i]);
}
}
$allowedHosts = implode(",", $allowedHostsList);
}
else $allowedHosts = "";
$cfg->allowedHosts = $allowedHosts;
// set log level // set log level
$cfg->logLevel = $_POST['logLevel']; $cfg->logLevel = $_POST['logLevel'];
// set log destination // set log destination
@ -118,7 +139,7 @@ if ($_POST['submit']) {
<br> <br>
<!-- form for adding/renaming/deleting profiles --> <!-- form for adding/renaming/deleting profiles -->
<form action="mainmanage.php" method="post"> <form action="mainmanage.php" method="post">
<table border="0"> <table border="0" align="center">
<tr><td> <tr><td>
<fieldset> <fieldset>
<legend><b> <?php echo _("Security settings"); ?> </b></legend> <legend><b> <?php echo _("Security settings"); ?> </b></legend>
@ -126,8 +147,10 @@ if ($_POST['submit']) {
<table cellspacing="0" border="0"> <table cellspacing="0" border="0">
<!-- session timeout --> <!-- session timeout -->
<tr> <tr>
<td align="right"> <td align="left">
<?php echo _("Session timeout"); ?> <?php echo _("Session timeout"); ?>
</td>
<td>
<SELECT name="sessionTimeout"> <SELECT name="sessionTimeout">
<?php <?php
$options = array(5, 10, 20, 30, 60); $options = array(5, 10, 20, 30, 60);
@ -151,6 +174,23 @@ if ($_POST['submit']) {
?> ?>
</td> </td>
</tr> </tr>
<!-- allowed hosts -->
<tr>
<td align="left">
<?php echo _("Allowed hosts"); ?>
</td>
<td>
<TEXTAREA cols="30" rows="7" name="allowedHosts"><?php echo implode("\n", explode(",", $cfg->allowedHosts)); ?></TEXTAREA>
</td>
<td>&nbsp;
<?PHP
// help link
echo "<a href=\"../help.php?HelpNumber=241\" target=\"lamhelp\">";
echo "<img src=\"../../graphics/help.png\" alt=\"" . _('Help') . "\" title=\"" . _('Help') . "\">";
echo "</a>\n";
?>
</td>
</tr>
</table> </table>
</fieldset> </fieldset>
<BR> <BR>
@ -279,10 +319,13 @@ if ($_POST['submit']) {
</table> </table>
</fieldset> </fieldset>
</td></tr> </td></tr>
<TR>
<TD>
<BR>
<input type="submit" name="submit" value=" <?php echo _("Ok"); ?> ">
</TD>
</TR>
</table> </table>
<BR>
<input type="submit" name="submit" value=" <?php echo _("Ok"); ?> ">
</form> </form>
<p><br></p> <p><br></p>
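Review bot: The new textarea echoes `$cfg->allowedHosts` into the page without escaping; the `[0-9.*]` validation only covers values submitted through this form, while the stored value is read from the config file, so the output should be escaped as `<TEXTAREA cols="30" rows="7" name="allowedHosts"><?php echo htmlspecialchars(implode("\n", explode(",", $cfg->allowedHosts))); ?></TEXTAREA>`. In the submit handler, `$cfg->allowedHosts = $allowedHosts;` is executed even when entries were appended to `$errors`, so unless the save further down is gated on `$errors` being empty (outside this hunk) a malformed list reaches the config file, where `checkClientIP()` silently skips the bad entries. The `$ipRegex` pattern here duplicates the one in `checkClientIP()`; moving the "is this a valid host entry" test into one shared helper would keep the two from drifting apart.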