support bind user for login search

Roland Gruber 2011-12-03 19:02:28 +00:00
parent b5e6e5f34a
commit 45f674323a
6 changed files with 100 additions and 27 deletions


@ -1,4 +1,5 @@
March 2012 3.7 March 2012 3.7
- login: support bind user for login search
- Fixed bugs: - Fixed bugs:
-> DHCP: error message not displayed properly (3441975) -> DHCP: error message not displayed properly (3441975)
-> Profile loading not possible if required fields are not filled (3444948) -> Profile loading not possible if required fields are not filled (3444948)


@ -28,6 +28,7 @@ $Id$
* LDAP Account Manager help entries. * LDAP Account Manager help entries.
* *
* @author Michael Duergner * @author Michael Duergner
* @author Roland Gruber
* @package Help * @package Help
*/ */
@ -115,6 +116,8 @@ $helpArray = array (
"Text" => _("Here you can set a limit for LDAP searches. This will restrict the number of results for LDAP searches. Please use this if LAM's LDAP queries produce too much load.")), "Text" => _("Here you can set a limit for LDAP searches. This will restrict the number of results for LDAP searches. Please use this if LAM's LDAP queries produce too much load.")),
"223" => array ("Headline" => _("HTTP authentication"), "223" => array ("Headline" => _("HTTP authentication"),
"Text" => _("If enabled then LAM will use user and password that is provided by the web server via HTTP authentication.")), "Text" => _("If enabled then LAM will use user and password that is provided by the web server via HTTP authentication.")),
"224" => array ("Headline" => _("Bind user and password"),
"Text" => _("Here you can specify the DN and password of the bind user that will be used for the LDAP search. This is required if your LDAP server does not allow anonymous access.")),
"230" => array ("Headline" => _("Profile management") . " - " . _("Add profile"), "230" => array ("Headline" => _("Profile management") . " - " . _("Add profile"),
"Text" => _("Please enter the name of the new profile and the password to change its settings. Profile names may contain letters, numbers and -/_.")), "Text" => _("Please enter the name of the new profile and the password to change its settings. Profile names may contain letters, numbers and -/_.")),
"231" => array ("Headline" => _("Profile management") . " - " . _("Rename profile"), "231" => array ("Headline" => _("Profile management") . " - " . _("Rename profile"),
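Review bot: Help entry "224" tells the administrator when a bind user is needed but not where the password ends up; the same commit writes `loginSearchPassword:` into the server profile file as plain text (see the `save` hunk in the config class), so the help text is the place to say that. Suggest appending to the "224" text a sentence such as `The bind password is stored in clear text in the server profile, so restrict read access to that file.` (wrapped in `_()` like the rest of the entry). Consider also stating that the bind user only needs read permission on the search suffix, so administrators do not reuse a privileged account.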


@ -254,6 +254,12 @@ class LAMConfig {
/** search filter for login */ /** search filter for login */
private $loginSearchFilter = 'uid=%USER%'; private $loginSearchFilter = 'uid=%USER%';
/** bind user for login search */
private $loginSearchDN = '';
/** bind password for login search */
private $loginSearchPassword = '';
/** specifies if HTTP authentication should be used */ /** specifies if HTTP authentication should be used */
private $httpAuthentication = 'false'; private $httpAuthentication = 'false';
@ -277,7 +283,7 @@ class LAMConfig {
"defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout", "defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout",
"modules", "activeTypes", "types", "accessLevel", 'loginMethod', 'loginSearchSuffix', "modules", "activeTypes", "types", "accessLevel", 'loginMethod', 'loginSearchSuffix',
'loginSearchFilter', 'searchLimit', 'lamProMailFrom', 'lamProMailReplyTo', 'lamProMailSubject', 'loginSearchFilter', 'searchLimit', 'lamProMailFrom', 'lamProMailReplyTo', 'lamProMailSubject',
'lamProMailText', 'lamProMailIsHTML', 'httpAuthentication'); 'lamProMailText', 'lamProMailIsHTML', 'httpAuthentication', 'loginSearchDN', 'loginSearchPassword');
/** /**
@ -428,6 +434,8 @@ class LAMConfig {
if (!in_array("loginMethod", $saved)) array_push($file_array, "\n\n# Login method.\n" . "loginMethod: " . $this->loginMethod . "\n"); if (!in_array("loginMethod", $saved)) array_push($file_array, "\n\n# Login method.\n" . "loginMethod: " . $this->loginMethod . "\n");
if (!in_array("loginSearchSuffix", $saved)) array_push($file_array, "\n\n# Search suffix for LAM login.\n" . "loginSearchSuffix: " . $this->loginSearchSuffix . "\n"); if (!in_array("loginSearchSuffix", $saved)) array_push($file_array, "\n\n# Search suffix for LAM login.\n" . "loginSearchSuffix: " . $this->loginSearchSuffix . "\n");
if (!in_array("loginSearchFilter", $saved)) array_push($file_array, "\n\n# Search filter for LAM login.\n" . "loginSearchFilter: " . $this->loginSearchFilter . "\n"); if (!in_array("loginSearchFilter", $saved)) array_push($file_array, "\n\n# Search filter for LAM login.\n" . "loginSearchFilter: " . $this->loginSearchFilter . "\n");
if (!in_array("loginSearchDN", $saved)) array_push($file_array, "\n\n# Bind DN for login search.\n" . "loginSearchDN: " . $this->loginSearchDN . "\n");
if (!in_array("loginSearchPassword", $saved)) array_push($file_array, "\n\n# Bind password for login search.\n" . "loginSearchPassword: " . $this->loginSearchPassword . "\n");
if (!in_array("httpAuthentication", $saved)) array_push($file_array, "\n\n# HTTP authentication for LAM login.\n" . "httpAuthentication: " . $this->httpAuthentication . "\n"); if (!in_array("httpAuthentication", $saved)) array_push($file_array, "\n\n# HTTP authentication for LAM login.\n" . "httpAuthentication: " . $this->httpAuthentication . "\n");
if (!in_array("lamProMailFrom", $saved)) array_push($file_array, "\n\n# Password mail from\n" . "lamProMailFrom: " . $this->lamProMailFrom . "\n"); if (!in_array("lamProMailFrom", $saved)) array_push($file_array, "\n\n# Password mail from\n" . "lamProMailFrom: " . $this->lamProMailFrom . "\n");
if (!in_array("lamProMailReplyTo", $saved)) array_push($file_array, "\n\n# Password mail reply-to\n" . "lamProMailReplyTo: " . $this->lamProMailReplyTo . "\n"); if (!in_array("lamProMailReplyTo", $saved)) array_push($file_array, "\n\n# Password mail reply-to\n" . "lamProMailReplyTo: " . $this->lamProMailReplyTo . "\n");
@ -1026,24 +1034,6 @@ class LAMConfig {
$this->loginSearchFilter = $loginSearchFilter; $this->loginSearchFilter = $loginSearchFilter;
} }
/**
* Returns if HTTP authentication should be used.
*
* @return String $httpAuthentication use HTTP authentication ('true' or 'false')
*/
public function getHttpAuthentication() {
return $this->httpAuthentication;
}
/**
* Specifies if HTTP authentication should be used.
*
* @param String $httpAuthentication use HTTP authentication ('true' or 'false')
*/
public function setHttpAuthentication($httpAuthentication) {
$this->httpAuthentication = $httpAuthentication;
}
/** /**
* Returns the login search suffix. * Returns the login search suffix.
* *
@ -1062,6 +1052,65 @@ class LAMConfig {
$this->loginSearchSuffix = $loginSearchSuffix; $this->loginSearchSuffix = $loginSearchSuffix;
} }
/**
* Sets the DN for the login search bind user.
*
* @param String $loginSearchDN DN
* @return boolean true if DN is valid
*/
public function setLoginSearchDN($loginSearchDN) {
$this->loginSearchDN = $loginSearchDN;
if (($loginSearchDN == '') || get_preg($loginSearchDN, 'dn')) {
return true;
}
return false;
}
/**
* Returns the DN for the login search bind user.
*
* @return String DN
*/
public function getLoginSearchDN() {
return $this->loginSearchDN;
}
/**
* Sets the password for the login search bind user.
*
* @param String $loginSearchPassword password
*/
public function setLoginSearchPassword($loginSearchPassword) {
$this->loginSearchPassword = $loginSearchPassword;
}
/**
* Returns the password for the login search bind user.
*
* @return String password
*/
public function getLoginSearchPassword() {
return $this->loginSearchPassword;
}
/**
* Returns if HTTP authentication should be used.
*
* @return String $httpAuthentication use HTTP authentication ('true' or 'false')
*/
public function getHttpAuthentication() {
return $this->httpAuthentication;
}
/**
* Specifies if HTTP authentication should be used.
*
* @param String $httpAuthentication use HTTP authentication ('true' or 'false')
*/
public function setHttpAuthentication($httpAuthentication) {
$this->httpAuthentication = $httpAuthentication;
}
/** /**
* Returns the sender address for password reset mails. * Returns the sender address for password reset mails.
* *
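Review bot: `setLoginSearchDN` assigns `$this->loginSearchDN` before validating it, so after `checkInput` reports "Please enter a valid bind user." the object still carries the rejected DN and any later save would persist it; unless the form intentionally relies on redisplaying the rejected value, move the assignment inside the success branch: `if (($loginSearchDN == '') || get_preg($loginSearchDN, 'dn')) { $this->loginSearchDN = $loginSearchDN; return true; } return false;`. The new `loginSearchPassword` line in the save hunk writes the bind password in clear text next to the other settings; the docblock of `setLoginSearchPassword` should state that (`Note: the password is written unencrypted to the server profile file.`) so callers and administrators can protect the file accordingly. The `getHttpAuthentication`/`setHttpAuthentication` move is pure reordering and needs no further change.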


@ -358,6 +358,12 @@ $securitySettingsContent->addElement($searchSuffixInput, true);
$searchFilterInput = new htmlTableExtendedInputField(_("LDAP filter"), 'loginSearchFilter', $conf->getLoginSearchFilter(), '221'); $searchFilterInput = new htmlTableExtendedInputField(_("LDAP filter"), 'loginSearchFilter', $conf->getLoginSearchFilter(), '221');
$searchFilterInput->setRequired(true); $searchFilterInput->setRequired(true);
$securitySettingsContent->addElement($searchFilterInput, true); $securitySettingsContent->addElement($searchFilterInput, true);
// login search bind user
$securitySettingsContent->addElement(new htmlTableExtendedInputField(_("Bind user"), 'loginSearchDN', $conf->getLoginSearchDN(), '224'), true);
// login search bind password
$searchPasswordInput = new htmlTableExtendedInputField(_("Bind password"), 'loginSearchPassword', $conf->getLoginSearchPassword(), '224');
$searchPasswordInput->setIsPassword(true);
$securitySettingsContent->addElement($searchPasswordInput, true);
// HTTP authentication // HTTP authentication
$securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('httpAuthentication', ($conf->getHttpAuthentication() == 'true'), _('HTTP authentication'), '223', true), true); $securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('httpAuthentication', ($conf->getHttpAuthentication() == 'true'), _('HTTP authentication'), '223', true), true);
$securitySettingsContent->addElement(new htmlSpacer(null, '10px'), true); $securitySettingsContent->addElement(new htmlSpacer(null, '10px'), true);
@ -445,6 +451,10 @@ function checkInput() {
$conf->setLoginMethod($_POST['loginMethod']); $conf->setLoginMethod($_POST['loginMethod']);
$conf->setLoginSearchFilter($_POST['loginSearchFilter']); $conf->setLoginSearchFilter($_POST['loginSearchFilter']);
$conf->setLoginSearchSuffix($_POST['loginSearchSuffix']); $conf->setLoginSearchSuffix($_POST['loginSearchSuffix']);
if (!$conf->setLoginSearchDN($_POST['loginSearchDN'])) {
$errors[] = array("ERROR", _("Please enter a valid bind user."));
}
$conf->setLoginSearchPassword($_POST['loginSearchPassword']);
if (isset($_POST['httpAuthentication']) && ($_POST['httpAuthentication'] == 'on')) { if (isset($_POST['httpAuthentication']) && ($_POST['httpAuthentication'] == 'on')) {
$conf->setHttpAuthentication('true'); $conf->setHttpAuthentication('true');
} }
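Review bot: `checkInput` validates the bind DN but accepts any password for it, including an empty one when a DN is set; since a DN with an empty password is a degenerate bind that LDAP servers may treat as anonymous, it is better reported at configuration time than discovered as a silently permission-less login search. A check next to the DN validation would do, e.g. `if (($_POST['loginSearchDN'] != '') && ($_POST['loginSearchPassword'] == '')) { $errors[] = array("ERROR", _("Please enter a bind password.")); }`. Separately, the "Bind password" field is constructed with `$conf->getLoginSearchPassword()` as its value; if `htmlTableExtendedInputField` renders that value into the input, the stored bind password is sent to the browser on every load of the settings page, which is worth confirming and, if so, replacing with a blank field that keeps the old password when left empty. `checkInput` continues outside the hunk.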


@ -157,12 +157,16 @@ function configLoginMethodChanged() {
jQuery('textarea[name=admins]').parent().parent().show(); jQuery('textarea[name=admins]').parent().parent().show();
jQuery('input[name=loginSearchSuffix]').parent().parent().hide(); jQuery('input[name=loginSearchSuffix]').parent().parent().hide();
jQuery('input[name=loginSearchFilter]').parent().parent().hide(); jQuery('input[name=loginSearchFilter]').parent().parent().hide();
jQuery('input[name=loginSearchDN]').parent().parent().hide();
jQuery('input[name=loginSearchPassword]').parent().parent().hide();
jQuery('input[name=httpAuthentication]').parent().parent().hide(); jQuery('input[name=httpAuthentication]').parent().parent().hide();
} }
else { else {
jQuery('textarea[name=admins]').parent().parent().hide(); jQuery('textarea[name=admins]').parent().parent().hide();
jQuery('input[name=loginSearchSuffix]').parent().parent().show(); jQuery('input[name=loginSearchSuffix]').parent().parent().show();
jQuery('input[name=loginSearchFilter]').parent().parent().show(); jQuery('input[name=loginSearchFilter]').parent().parent().show();
jQuery('input[name=loginSearchDN]').parent().parent().show();
jQuery('input[name=loginSearchPassword]').parent().parent().show();
jQuery('input[name=httpAuthentication]').parent().parent().show(); jQuery('input[name=httpAuthentication]').parent().parent().show();
} }
} }


@ -269,7 +269,7 @@ function display_LoginPage($config_object) {
<tr> <tr>
<td style="border-style:none" height="35" align="right"><b> <td style="border-style:none" height="35" align="right"><b>
<?php <?php
echo _("User name") . ":"; echo _("User name");
?> ?>
</b>&nbsp;&nbsp;</td> </b>&nbsp;&nbsp;</td>
<td style="border-style:none" height="35" align="left"> <td style="border-style:none" height="35" align="left">
@ -298,7 +298,7 @@ function display_LoginPage($config_object) {
<tr> <tr>
<td style="border-style:none" height="35" align="right"><b> <td style="border-style:none" height="35" align="right"><b>
<?php <?php
echo _("Password") . ":"; echo _("Password");
?> ?>
</b>&nbsp;&nbsp;</td> </b>&nbsp;&nbsp;</td>
<td style="border-style:none" height="35" align="left"> <td style="border-style:none" height="35" align="left">
@ -315,7 +315,7 @@ function display_LoginPage($config_object) {
<tr> <tr>
<td style="border-style:none" align="right"><b> <td style="border-style:none" align="right"><b>
<?php <?php
echo _("Language") . ":"; echo _("Language");
?> ?>
</b>&nbsp;&nbsp;</td> </b>&nbsp;&nbsp;</td>
<td style="border-style:none" height="35" align="left"> <td style="border-style:none" height="35" align="left">
@ -370,8 +370,8 @@ function display_LoginPage($config_object) {
<td height="30" style="white-space: nowrap"> <td height="30" style="white-space: nowrap">
<b> <b>
<?php <?php
echo _("LDAP server") . ": "; echo _("LDAP server");
?></b> ?></b>&nbsp;&nbsp;
</td> </td>
<td width="100%" height="30"> <td width="100%" height="30">
<?php echo $config_object->get_ServerURL(); ?> <?php echo $config_object->get_ServerURL(); ?>
@ -381,8 +381,8 @@ function display_LoginPage($config_object) {
<td height="30" style="white-space: nowrap"> <td height="30" style="white-space: nowrap">
<b> <b>
<?php <?php
echo _("Server profile") . ": "; echo _("Server profile");
?></b> ?></b>&nbsp;&nbsp;
</td> </td>
<td height="30"> <td height="30">
<select name="profile" size="1" tabindex="5" onchange="loginProfileChanged(this)"> <select name="profile" size="1" tabindex="5" onchange="loginProfileChanged(this)">
@ -469,10 +469,16 @@ if(!empty($_POST['checklogin'])) {
if ($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) { if ($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) {
$searchFilter = $_SESSION['config']->getLoginSearchFilter(); $searchFilter = $_SESSION['config']->getLoginSearchFilter();
$searchFilter = str_replace('%USER%', $username ,$searchFilter); $searchFilter = str_replace('%USER%', $username ,$searchFilter);
$searchDN = '';
$searchPassword = '';
if (($_SESSION['config']->getLoginSearchDN() != null) && ($_SESSION['config']->getLoginSearchDN() != '')) {
$searchDN = $_SESSION['config']->getLoginSearchDN();
$searchPassword = $_SESSION['config']->getLoginSearchPassword();
}
$searchSuccess = true; $searchSuccess = true;
$searchError = ''; $searchError = '';
$searchLDAP = new Ldap($_SESSION['config']); $searchLDAP = new Ldap($_SESSION['config']);
$searchLDAPResult = $searchLDAP->connect('', '', true); $searchLDAPResult = $searchLDAP->connect($searchDN, $searchPassword, true);
if (! ($searchLDAPResult == 0)) { if (! ($searchLDAPResult == 0)) {
$searchSuccess = false; $searchSuccess = false;
$searchError = _('Cannot connect to specified LDAP server. Please try again.') . ' ' . @ldap_error($searchLDAP->server()); $searchError = _('Cannot connect to specified LDAP server. Please try again.') . ' ' . @ldap_error($searchLDAP->server());
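Review bot: The new block passes `$searchDN` with whatever `$searchPassword` the profile holds, including an empty string, straight into `connect()`; if `Ldap::connect` (outside the hunk) binds with those values as given, a non-empty DN plus empty password is an unauthenticated bind that some servers accept as anonymous, so the login search would silently run with less access than the administrator configured. I would treat that combination as a configuration error here, setting `$searchSuccess = false;` and a `$searchError` explaining that the bind user has no password, before the `connect()` call. The `!= null` test on the DN is redundant under loose comparison (`'' == null` is already true), so `!= ''` alone is enough. The enclosing `if ($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH)` block continues past the end of the hunk.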