added host restriction

This commit is contained in:
Roland Gruber 2006-04-25 11:25:07 +00:00
parent f49bf6944f
commit 185d3fd2ce
4 changed files with 80 additions and 27 deletions


@ -134,6 +134,8 @@ $helpArray = array (
"Text" => _("Please select your prefered log level. Messages with a lower level will not be logged.")),
"240" => array ("ext" => "FALSE", "Headline" => _("Log destination"),
"Text" => _("Here you can select where LAM should save its log messages. System logging will go to Syslog on Unix systems and event log on Windows. You can also select an extra file.")),
"241" => array ("ext" => "FALSE", "Headline" => _("Allowed hosts"),
"Text" => _("This is a list of IP addresses from hosts who may access LAM. You can use \"*\" as wildcard (e.g. 192.168.0.*).")),
"250" => array ("ext" => "FALSE", "Headline" => _("Account lists - Filters"),
"Text" => _("Here you can input small filter expressions (e.g. 'value' or 'v*'). LAM will filter case-insensitive.")),
// 300 - 399
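Review bot: The new help entry 241 does not say what an empty list means, yet checkClientIP in security.inc (also in this commit) skips the restriction entirely when no hosts are configured, so an administrator reading only this help cannot tell that leaving the field blank allows every client. Append a sentence such as `If this list is empty, access is not restricted.` to the "Text" string so the fail-open default is stated where the setting is documented. The help could also say that only IPv4 dotted-quad patterns are accepted, since the validation pattern used on both sides permits only digits, dots and "*".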


@ -728,8 +728,12 @@ class CfgMain {
/** log destination ("SYSLOG":syslog, "/...":file, "NONE":none) */
var $logDestination;
/** list of hosts which may access LAM */
var $allowedHosts;
/** list of data fields to save in config file */
var $settings = array("password", "default", "sessionTimeout", "logLevel", "logDestination");
var $settings = array("password", "default", "sessionTimeout",
"logLevel", "logDestination", "allowedHosts");
/**
* Loads preferences from config file
@ -739,6 +743,7 @@ class CfgMain {
$this->sessionTimeout = 30;
$this->logLevel = LOG_NOTICE;
$this->logDestination = "SYSLOG";
$this->allowedHosts = "";
$this->reload();
}
@ -809,6 +814,7 @@ class CfgMain {
if (!in_array("sessionTimeout", $saved)) array_push($file_array, "\n\n# session timeout in minutes\n" . "sessionTimeout: " . $this->sessionTimeout);
if (!in_array("logLevel", $saved)) array_push($file_array, "\n\n# log level\n" . "logLevel: " . $this->logLevel);
if (!in_array("logDestination", $saved)) array_push($file_array, "\n\n# log destination\n" . "logDestination: " . $this->logDestination);
if (!in_array("allowedHosts", $saved)) array_push($file_array, "\n\n# list of hosts which may access LAM\n" . "allowedHosts: " . $this->allowedHosts);
$file = @fopen($conffile, "w");
if ($file) {
for ($i = 0; $i < sizeof($file_array); $i++) fputs($file, $file_array[$i]);
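Review bot: The doc comment on the new `$allowedHosts` field does not record the value's format, while the neighbouring field documents its encoding (see the comment on `$logDestination` directly above). Change it to `/** comma-separated list of client IP patterns ("*" = wildcard) that may access LAM; empty string disables the check */` so readers of CfgMain do not have to find the parsing code in security.inc. The comma separator and the empty-means-skip rule come from the explode(",") and the `== ""` early return in checkClientIP, which are part of this commit.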


@ -33,6 +33,9 @@ include_once('config.inc');
/** ldap connection */
include_once('ldap.inc');
// check client IP address
checkClientIP();
/**
* Starts a session and checks the environment.
* The script is stopped if one of the checks fail.
@ -72,27 +75,26 @@ function startSecureSession() {
*
*/
function checkClientIP() {
}
/**
* Checks if the user is allowed to access LAM at this time.
* The script is stopped if time is exceeded.
*
* @param unknown_type $dn
*/
function checkUserTime($dn) {
}
/**
* Returns a list of DNs of valid LAM users.
*
* @param string $dn configuration DN
* @return array $dn user list
*/
function getValidUserDNs($dn) {
return array("uid=test,o=test", "uid=test2,o=test");
$cfg = new CfgMain();
$allowedHosts = $cfg->allowedHosts;
// skip test if no hosts are defined
if ($allowedHosts == "") return;
$allowedHosts = explode(",", $allowedHosts);
$grantAccess = false;
for ($i = 0; $i < sizeof($allowedHosts); $i++) {
$host = $allowedHosts[$i];
$ipRegex = '^[0-9\\.\\*]+$';
if (!ereg($ipRegex, $host)) continue;
$hostRegex = str_replace(".", "\\.", $host);
$hostRegex = '^' . str_replace("*", ".*", $hostRegex) . '$';
$clientIP = $_SERVER['REMOTE_ADDR'];
if (ereg($hostRegex, $clientIP)) {
// client is allowed to access LAM
$grantAccess = true;
}
}
// stop script is client may not access LAM
if (!$grantAccess) die();
}
/**
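Review bot: A rejected client is stopped with a bare `die()` on the last line of checkClientIP, which sends an empty response with the default 200 status and leaves no record of the denied attempt; emitting an explicit status such as `header('HTTP/1.0 403 Forbidden');` before the `die()` and logging the rejected REMOTE_ADDR through LAM's configured log destination would make rejections visible to operators. Entries that fail the `$ipRegex` test are skipped silently with `continue`, so a list consisting only of malformed entries denies everyone, including the administrator, with nothing to explain why; logging the skipped entry would make that misconfiguration diagnosable. Because the pattern on the `$ipRegex` line admits only digits, dots and `*`, a client whose REMOTE_ADDR is an IPv6 address (for example `::1`) can never match once the list is non-empty, which is worth a comment if it is intended. As a matter of style, `$clientIP` is re-read from `$_SERVER` on every iteration and the loop keeps running after `$grantAccess` is set; hoisting the read above the loop and breaking on the first match reads more clearly.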


@ -89,6 +89,27 @@ if ($_POST['submit']) {
}
// set session timeout
$cfg->sessionTimeout = $_POST['sessionTimeout'];
// set allowed hosts
if (isset($_POST['allowedHosts'])) {
$allowedHosts = $_POST['allowedHosts'];
$allowedHostsList = explode("\n", $allowedHosts);
for ($i = 0; $i < sizeof($allowedHostsList); $i++) {
$allowedHostsList[$i] = trim($allowedHostsList[$i]);
// ignore empty lines
if ($allowedHostsList[$i] == "") {
unset($allowedHostsList[$i]);
continue;
}
// check each line
$ipRegex = '^[0-9\\.\\*]+$';
if (!ereg($ipRegex, $allowedHostsList[$i]) || (strlen($allowedHostsList[$i]) > 15)) {
$errors[] = sprintf(_("The IP address %s is invalid!"), $allowedHostsList[$i]);
}
}
$allowedHosts = implode(",", $allowedHostsList);
}
else $allowedHosts = "";
$cfg->allowedHosts = $allowedHosts;
// set log level
$cfg->logLevel = $_POST['logLevel'];
// set log destination
@ -118,7 +139,7 @@ if ($_POST['submit']) {
<br>
<!-- form for adding/renaming/deleting profiles -->
<form action="mainmanage.php" method="post">
<table border="0">
<table border="0" align="center">
<tr><td>
<fieldset>
<legend><b> <?php echo _("Security settings"); ?> </b></legend>
@ -126,8 +147,10 @@ if ($_POST['submit']) {
<table cellspacing="0" border="0">
<!-- session timeout -->
<tr>
<td align="right">
<td align="left">
<?php echo _("Session timeout"); ?>
</td>
<td>
<SELECT name="sessionTimeout">
<?php
$options = array(5, 10, 20, 30, 60);
@ -151,6 +174,23 @@ if ($_POST['submit']) {
?>
</td>
</tr>
<!-- allowed hosts -->
<tr>
<td align="left">
<?php echo _("Allowed hosts"); ?>
</td>
<td>
<TEXTAREA cols="30" rows="7" name="allowedHosts"><?php echo implode("\n", explode(",", $cfg->allowedHosts)); ?></TEXTAREA>
</td>
<td>&nbsp;
<?PHP
// help link
echo "<a href=\"../help.php?HelpNumber=241\" target=\"lamhelp\">";
echo "<img src=\"../../graphics/help.png\" alt=\"" . _('Help') . "\" title=\"" . _('Help') . "\">";
echo "</a>\n";
?>
</td>
</tr>
</table>
</fieldset>
<BR>
@ -279,10 +319,13 @@ if ($_POST['submit']) {
</table>
</fieldset>
</td></tr>
<TR>
<TD>
<BR>
<input type="submit" name="submit" value=" <?php echo _("Ok"); ?> ">
</TD>
</TR>
</table>
<BR>
<input type="submit" name="submit" value=" <?php echo _("Ok"); ?> ">
</form>
<p><br></p>
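Review bot: The stored host list is echoed straight into the `<TEXTAREA cols="30" rows="7" name="allowedHosts">` element without HTML escaping, and the validation in the POST handler only appends to `$errors` — the value is still assigned to `$cfg->allowedHosts` on the line after the `else $allowedHosts = "";` branch, so whether a rejected value can round-trip into this page depends on code outside the hunk that decides if the config is saved. Wrap the output as `<?php echo htmlspecialchars(implode("\n", explode(",", $cfg->allowedHosts))); ?>` so the form does not rely on that gate. The `strlen(...) > 15` bound together with the `$ipRegex` pattern rules out IPv6 addresses, which is consistent with checkClientIP in security.inc but deserves a comment on the `// check each line` line, e.g. `// only IPv4 dotted-quad patterns with "*" wildcards are accepted`.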