added host restriction
This commit is contained in:
Roland Gruber
parent
f49bf6944f
commit
185d3fd2ce
|
|
@ -134,6 +134,8 @@ $helpArray = array (
|
||||||
"Text" => _("Please select your prefered log level. Messages with a lower level will not be logged.")),
|
"Text" => _("Please select your prefered log level. Messages with a lower level will not be logged.")),
|
||||||
"240" => array ("ext" => "FALSE", "Headline" => _("Log destination"),
|
"240" => array ("ext" => "FALSE", "Headline" => _("Log destination"),
|
||||||
"Text" => _("Here you can select where LAM should save its log messages. System logging will go to Syslog on Unix systems and event log on Windows. You can also select an extra file.")),
|
"Text" => _("Here you can select where LAM should save its log messages. System logging will go to Syslog on Unix systems and event log on Windows. You can also select an extra file.")),
|
||||||
|
"241" => array ("ext" => "FALSE", "Headline" => _("Allowed hosts"),
|
||||||
|
"Text" => _("This is a list of IP addresses from hosts who may access LAM. You can use \"*\" as wildcard (e.g. 192.168.0.*).")),
|
||||||
"250" => array ("ext" => "FALSE", "Headline" => _("Account lists - Filters"),
|
"250" => array ("ext" => "FALSE", "Headline" => _("Account lists - Filters"),
|
||||||
"Text" => _("Here you can input small filter expressions (e.g. 'value' or 'v*'). LAM will filter case-insensitive.")),
|
"Text" => _("Here you can input small filter expressions (e.g. 'value' or 'v*'). LAM will filter case-insensitive.")),
|
||||||
// 300 - 399
|
// 300 - 399
|
||||||
|
|
|
||||||
|
|
@ -728,8 +728,12 @@ class CfgMain {
|
||||||
/** log destination ("SYSLOG":syslog, "/...":file, "NONE":none) */
|
/** log destination ("SYSLOG":syslog, "/...":file, "NONE":none) */
|
||||||
var $logDestination;
|
var $logDestination;
|
||||||
|
|
||||||
|
/** list of hosts which may access LAM */
|
||||||
|
var $allowedHosts;
|
||||||
|
|
||||||
/** list of data fields to save in config file */
|
/** list of data fields to save in config file */
|
||||||
var $settings = array("password", "default", "sessionTimeout", "logLevel", "logDestination");
|
var $settings = array("password", "default", "sessionTimeout",
|
||||||
|
"logLevel", "logDestination", "allowedHosts");
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Loads preferences from config file
|
* Loads preferences from config file
|
||||||
|
|
@ -739,6 +743,7 @@ class CfgMain {
|
||||||
$this->sessionTimeout = 30;
|
$this->sessionTimeout = 30;
|
||||||
$this->logLevel = LOG_NOTICE;
|
$this->logLevel = LOG_NOTICE;
|
||||||
$this->logDestination = "SYSLOG";
|
$this->logDestination = "SYSLOG";
|
||||||
|
$this->allowedHosts = "";
|
||||||
$this->reload();
|
$this->reload();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
@ -809,6 +814,7 @@ class CfgMain {
|
||||||
if (!in_array("sessionTimeout", $saved)) array_push($file_array, "\n\n# session timeout in minutes\n" . "sessionTimeout: " . $this->sessionTimeout);
|
if (!in_array("sessionTimeout", $saved)) array_push($file_array, "\n\n# session timeout in minutes\n" . "sessionTimeout: " . $this->sessionTimeout);
|
||||||
if (!in_array("logLevel", $saved)) array_push($file_array, "\n\n# log level\n" . "logLevel: " . $this->logLevel);
|
if (!in_array("logLevel", $saved)) array_push($file_array, "\n\n# log level\n" . "logLevel: " . $this->logLevel);
|
||||||
if (!in_array("logDestination", $saved)) array_push($file_array, "\n\n# log destination\n" . "logDestination: " . $this->logDestination);
|
if (!in_array("logDestination", $saved)) array_push($file_array, "\n\n# log destination\n" . "logDestination: " . $this->logDestination);
|
||||||
|
if (!in_array("allowedHosts", $saved)) array_push($file_array, "\n\n# list of hosts which may access LAM\n" . "allowedHosts: " . $this->allowedHosts);
|
||||||
$file = @fopen($conffile, "w");
|
$file = @fopen($conffile, "w");
|
||||||
if ($file) {
|
if ($file) {
|
||||||
for ($i = 0; $i < sizeof($file_array); $i++) fputs($file, $file_array[$i]);
|
for ($i = 0; $i < sizeof($file_array); $i++) fputs($file, $file_array[$i]);
|
||||||
|
|
|
||||||
|
|
@ -33,6 +33,9 @@ include_once('config.inc');
|
||||||
/** ldap connection */
|
/** ldap connection */
|
||||||
include_once('ldap.inc');
|
include_once('ldap.inc');
|
||||||
|
|
||||||
|
// check client IP address
|
||||||
|
checkClientIP();
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Starts a session and checks the environment.
|
* Starts a session and checks the environment.
|
||||||
* The script is stopped if one of the checks fail.
|
* The script is stopped if one of the checks fail.
|
||||||
|
|
@ -72,27 +75,26 @@ function startSecureSession() {
|
||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
function checkClientIP() {
|
function checkClientIP() {
|
||||||
|
$cfg = new CfgMain();
|
||||||
}
|
$allowedHosts = $cfg->allowedHosts;
|
||||||
|
// skip test if no hosts are defined
|
||||||
/**
|
if ($allowedHosts == "") return;
|
||||||
* Checks if the user is allowed to access LAM at this time.
|
$allowedHosts = explode(",", $allowedHosts);
|
||||||
* The script is stopped if time is exceeded.
|
$grantAccess = false;
|
||||||
*
|
for ($i = 0; $i < sizeof($allowedHosts); $i++) {
|
||||||
* @param unknown_type $dn
|
$host = $allowedHosts[$i];
|
||||||
*/
|
$ipRegex = '^[0-9\\.\\*]+$';
|
||||||
function checkUserTime($dn) {
|
if (!ereg($ipRegex, $host)) continue;
|
||||||
|
$hostRegex = str_replace(".", "\\.", $host);
|
||||||
}
|
$hostRegex = '^' . str_replace("*", ".*", $hostRegex) . '$';
|
||||||
|
$clientIP = $_SERVER['REMOTE_ADDR'];
|
||||||
/**
|
if (ereg($hostRegex, $clientIP)) {
|
||||||
* Returns a list of DNs of valid LAM users.
|
// client is allowed to access LAM
|
||||||
*
|
$grantAccess = true;
|
||||||
* @param string $dn configuration DN
|
}
|
||||||
* @return array $dn user list
|
}
|
||||||
*/
|
// stop script is client may not access LAM
|
||||||
function getValidUserDNs($dn) {
|
if (!$grantAccess) die();
|
||||||
return array("uid=test,o=test", "uid=test2,o=test");
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
||||||
|
|
@ -89,6 +89,27 @@ if ($_POST['submit']) {
|
||||||
}
|
}
|
||||||
// set session timeout
|
// set session timeout
|
||||||
$cfg->sessionTimeout = $_POST['sessionTimeout'];
|
$cfg->sessionTimeout = $_POST['sessionTimeout'];
|
||||||
|
// set allowed hosts
|
||||||
|
if (isset($_POST['allowedHosts'])) {
|
||||||
|
$allowedHosts = $_POST['allowedHosts'];
|
||||||
|
$allowedHostsList = explode("\n", $allowedHosts);
|
||||||
|
for ($i = 0; $i < sizeof($allowedHostsList); $i++) {
|
||||||
|
$allowedHostsList[$i] = trim($allowedHostsList[$i]);
|
||||||
|
// ignore empty lines
|
||||||
|
if ($allowedHostsList[$i] == "") {
|
||||||
|
unset($allowedHostsList[$i]);
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
// check each line
|
||||||
|
$ipRegex = '^[0-9\\.\\*]+$';
|
||||||
|
if (!ereg($ipRegex, $allowedHostsList[$i]) || (strlen($allowedHostsList[$i]) > 15)) {
|
||||||
|
$errors[] = sprintf(_("The IP address %s is invalid!"), $allowedHostsList[$i]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
$allowedHosts = implode(",", $allowedHostsList);
|
||||||
|
}
|
||||||
|
else $allowedHosts = "";
|
||||||
|
$cfg->allowedHosts = $allowedHosts;
|
||||||
// set log level
|
// set log level
|
||||||
$cfg->logLevel = $_POST['logLevel'];
|
$cfg->logLevel = $_POST['logLevel'];
|
||||||
// set log destination
|
// set log destination
|
||||||
|
|
@ -118,7 +139,7 @@ if ($_POST['submit']) {
|
||||||
<br>
|
<br>
|
||||||
<!-- form for adding/renaming/deleting profiles -->
|
<!-- form for adding/renaming/deleting profiles -->
|
||||||
<form action="mainmanage.php" method="post">
|
<form action="mainmanage.php" method="post">
|
||||||
<table border="0">
|
<table border="0" align="center">
|
||||||
<tr><td>
|
<tr><td>
|
||||||
<fieldset>
|
<fieldset>
|
||||||
<legend><b> <?php echo _("Security settings"); ?> </b></legend>
|
<legend><b> <?php echo _("Security settings"); ?> </b></legend>
|
||||||
|
|
@ -126,8 +147,10 @@ if ($_POST['submit']) {
|
||||||
<table cellspacing="0" border="0">
|
<table cellspacing="0" border="0">
|
||||||
<!-- session timeout -->
|
<!-- session timeout -->
|
||||||
<tr>
|
<tr>
|
||||||
<td align="right">
|
<td align="left">
|
||||||
<?php echo _("Session timeout"); ?>
|
<?php echo _("Session timeout"); ?>
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
<SELECT name="sessionTimeout">
|
<SELECT name="sessionTimeout">
|
||||||
<?php
|
<?php
|
||||||
$options = array(5, 10, 20, 30, 60);
|
$options = array(5, 10, 20, 30, 60);
|
||||||
|
|
@ -151,6 +174,23 @@ if ($_POST['submit']) {
|
||||||
?>
|
?>
|
||||||
</td>
|
</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
<!-- allowed hosts -->
|
||||||
|
<tr>
|
||||||
|
<td align="left">
|
||||||
|
<?php echo _("Allowed hosts"); ?>
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
<TEXTAREA cols="30" rows="7" name="allowedHosts"><?php echo implode("\n", explode(",", $cfg->allowedHosts)); ?></TEXTAREA>
|
||||||
|
</td>
|
||||||
|
<td>
|
||||||
|
<?PHP
|
||||||
|
// help link
|
||||||
|
echo "<a href=\"../help.php?HelpNumber=241\" target=\"lamhelp\">";
|
||||||
|
echo "<img src=\"../../graphics/help.png\" alt=\"" . _('Help') . "\" title=\"" . _('Help') . "\">";
|
||||||
|
echo "</a>\n";
|
||||||
|
?>
|
||||||
|
</td>
|
||||||
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
</fieldset>
|
</fieldset>
|
||||||
<BR>
|
<BR>
|
||||||
|
|
@ -279,10 +319,13 @@ if ($_POST['submit']) {
|
||||||
</table>
|
</table>
|
||||||
</fieldset>
|
</fieldset>
|
||||||
</td></tr>
|
</td></tr>
|
||||||
|
<TR>
|
||||||
|
<TD>
|
||||||
|
<BR>
|
||||||
|
<input type="submit" name="submit" value=" <?php echo _("Ok"); ?> ">
|
||||||
|
</TD>
|
||||||
|
</TR>
|
||||||
</table>
|
</table>
|
||||||
<BR>
|
|
||||||
|
|
||||||
<input type="submit" name="submit" value=" <?php echo _("Ok"); ?> ">
|
|
||||||
|
|
||||||
</form>
|
</form>
|
||||||
<p><br></p>
|
<p><br></p>
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue