added separate IP list for self service
This commit is contained in:
Roland Gruber
parent
b99f5b3928
commit
56f4626626
11
lam/HISTORY
11
lam/HISTORY
|
|
@ -2,6 +2,9 @@ March 2014 4.5
|
|||
- IMAP: allow dynamic admin user names by replacing wildcards with LDAP attributes
|
||||
- Personal: allow to set fields read-only
|
||||
- Added option to server profile if referrals should be followed (fixes problems with Samba 4 and AD)
|
||||
- LAM Pro:
|
||||
-> Separate IP restriction list for self service
|
||||
|
||||
|
||||
18.12.2013 4.4
|
||||
- PyKota support: users, groups, printers, billing codes
|
||||
|
|
@ -11,14 +14,14 @@ March 2014 4.5
|
|||
- Unix: switch also additional membership if primary group is changed (RFE 108)
|
||||
- Windows: fixed user name handling, sAMAccountName now optional
|
||||
- Apache 2.4 support (requires Apache "version" module)
|
||||
- added Turkish, Ukrainian and US English translation
|
||||
- Added Turkish, Ukrainian and US English translation
|
||||
- LAM Pro:
|
||||
-> Bind DLZ support
|
||||
-> Samba/Shadow: display password change date in self service
|
||||
-> Custom fields: support custom label and icon, auto-completion
|
||||
-> User self registration: support constant attribute values
|
||||
-> Self service: allow to set custom field labels
|
||||
- fixed bugs:
|
||||
- Fixed bugs:
|
||||
-> Format of photo in Personal tab (158)
|
||||
|
||||
|
||||
|
|
@ -34,14 +37,14 @@ March 2014 4.5
|
|||
-> Custom fields: read-only fields for admin interface and file upload for binary data
|
||||
-> Custom scripts: support user self registration
|
||||
-> Password self reset: Samba 3 sync, identification with login attribute, Samba 4 support
|
||||
- fixed bugs:
|
||||
- Fixed bugs:
|
||||
-> Custom fields: auto-adding object classes via profile editor fixed
|
||||
-> PHP 5.5 compatibility
|
||||
-> Lamdaemon: do not show message if home directory to delete was not found (154)
|
||||
|
||||
|
||||
18.06.2013 4.2.1
|
||||
- fixed bugs:
|
||||
- Fixed bugs:
|
||||
-> Unix: suggested user name must be lower case
|
||||
-> Quota: profile editor does not work in some cases
|
||||
|
||||
|
|
|
|||
|
|
@ -720,6 +720,10 @@ Have fun!
|
|||
most installations. If you use LDAP referrals please activate
|
||||
referral following for your server profile (tab General settings
|
||||
-> Server settings -> Advanced options).</para>
|
||||
|
||||
<para>The self service pages now have an own option for allowed IPs.
|
||||
If your LAM installation uses IP restrictions please update the LAM
|
||||
main configuration.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|
|
@ -994,7 +998,8 @@ Have fun!
|
|||
<para>You may also set a list of IP addresses which are allowed to
|
||||
access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123)
|
||||
or with the "*" wildcard (e.g. 123.123.123.*). Users which try to
|
||||
access LAM via an untrusted IP only get blank pages.</para>
|
||||
access LAM via an untrusted IP only get blank pages. There is a
|
||||
separate field for LAM Pro self service.</para>
|
||||
|
||||
<para id="sessionEncryption">Session encryption will encrypt sensitive
|
||||
data like passwords in your session files. This is only available when
|
||||
|
|
|
|||
Binary file not shown.
|
Before Width: | Height: | Size: 18 KiB After Width: | Height: | Size: 22 KiB |
|
|
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2012 Roland Gruber
|
||||
Copyright (C) 2003 - 2014 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
|
@ -1400,6 +1400,9 @@ class LAMCfgMain {
|
|||
/** list of hosts which may access LAM */
|
||||
public $allowedHosts;
|
||||
|
||||
/** list of hosts which may access LAM Pro self service */
|
||||
public $allowedHostsSelfService;
|
||||
|
||||
/** session encryption */
|
||||
public $encryptSession;
|
||||
|
||||
|
|
@ -1441,7 +1444,7 @@ class LAMCfgMain {
|
|||
"logLevel", "logDestination", "allowedHosts", "passwordMinLength",
|
||||
"passwordMinUpper", "passwordMinLower", "passwordMinNumeric",
|
||||
"passwordMinClasses", "passwordMinSymbol", "mailEOL", 'errorReporting',
|
||||
'encryptSession');
|
||||
'encryptSession', 'allowedHostsSelfService');
|
||||
|
||||
/**
|
||||
* Loads preferences from config file
|
||||
|
|
@ -1453,6 +1456,7 @@ class LAMCfgMain {
|
|||
$this->logLevel = LOG_NOTICE;
|
||||
$this->logDestination = "SYSLOG";
|
||||
$this->allowedHosts = "";
|
||||
$this->allowedHostsSelfService = '';
|
||||
$this->encryptSession = 'true';
|
||||
$this->reload();
|
||||
}
|
||||
|
|
@ -1521,6 +1525,7 @@ class LAMCfgMain {
|
|||
if (!in_array("logLevel", $saved)) array_push($file_array, "\n\n# log level\n" . "logLevel: " . $this->logLevel);
|
||||
if (!in_array("logDestination", $saved)) array_push($file_array, "\n\n# log destination\n" . "logDestination: " . $this->logDestination);
|
||||
if (!in_array("allowedHosts", $saved)) array_push($file_array, "\n\n# list of hosts which may access LAM\n" . "allowedHosts: " . $this->allowedHosts);
|
||||
if (!in_array("allowedHostsSelfService", $saved)) array_push($file_array, "\n\n# list of hosts which may access LAM Pro self service\n" . "allowedHostsSelfService: " . $this->allowedHostsSelfService);
|
||||
if (!in_array("encryptSession", $saved)) array_push($file_array, "\n\n# encrypt session data\n" . "encryptSession: " . $this->encryptSession);
|
||||
if (!in_array("passwordMinLength", $saved)) array_push($file_array, "\n\n# Password: minimum password length\n" . "passwordMinLength: " . $this->passwordMinLength);
|
||||
if (!in_array("passwordMinUpper", $saved)) array_push($file_array, "\n\n# Password: minimum uppercase characters\n" . "passwordMinUpper: " . $this->passwordMinUpper);
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2006 - 2013 Roland Gruber
|
||||
Copyright (C) 2006 - 2014 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
|
@ -32,6 +32,8 @@ $Id$
|
|||
include_once('config.inc');
|
||||
/** ldap connection */
|
||||
include_once('ldap.inc');
|
||||
/** common functions */
|
||||
include_once('account.inc');
|
||||
|
||||
// check client IP address
|
||||
checkClientIP();
|
||||
|
|
@ -104,6 +106,11 @@ function checkClientIP() {
|
|||
if (isset($_SESSION['cfgMain'])) $cfg = $_SESSION['cfgMain'];
|
||||
else $cfg = new LAMCfgMain();
|
||||
$allowedHosts = $cfg->allowedHosts;
|
||||
$url = getCallingURL();
|
||||
if ((strpos($url, '/selfService/selfService') !== false) || ((strpos($url, '/misc/ajax.php?') !== false) && strpos($url, 'selfservice=1') !== false)) {
|
||||
// self service pages have separate IP list
|
||||
$allowedHosts = $cfg->allowedHostsSelfService;
|
||||
}
|
||||
// skip test if no hosts are defined
|
||||
if ($allowedHosts == "") return;
|
||||
$allowedHosts = explode(",", $allowedHosts);
|
||||
|
|
|
|||
|
|
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2013 Roland Gruber
|
||||
Copyright (C) 2003 - 2014 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
|
@ -104,6 +104,29 @@ if (isset($_POST['submitFormData'])) {
|
|||
}
|
||||
else $allowedHosts = "";
|
||||
$cfg->allowedHosts = $allowedHosts;
|
||||
// set allowed hosts for self service
|
||||
if (isLAMProVersion()) {
|
||||
if (isset($_POST['allowedHostsSelfService'])) {
|
||||
$allowedHostsSelfService = $_POST['allowedHostsSelfService'];
|
||||
$allowedHostsSelfServiceList = explode("\n", $allowedHostsSelfService);
|
||||
for ($i = 0; $i < sizeof($allowedHostsSelfServiceList); $i++) {
|
||||
$allowedHostsSelfServiceList[$i] = trim($allowedHostsSelfServiceList[$i]);
|
||||
// ignore empty lines
|
||||
if ($allowedHostsSelfServiceList[$i] == "") {
|
||||
unset($allowedHostsSelfServiceList[$i]);
|
||||
continue;
|
||||
}
|
||||
// check each line
|
||||
$ipRegex = '/^[0-9a-f\\.:\\*]+$/i';
|
||||
if (!preg_match($ipRegex, $allowedHostsSelfServiceList[$i]) || (strlen($allowedHostsSelfServiceList[$i]) > 15)) {
|
||||
$errors[] = sprintf(_("The IP address %s is invalid!"), htmlspecialchars(str_replace('%', '%%', $allowedHostsSelfServiceList[$i])));
|
||||
}
|
||||
}
|
||||
$allowedHostsSelfService = implode(",", $allowedHostsSelfServiceList);
|
||||
}
|
||||
else $allowedHostsSelfService = "";
|
||||
$cfg->allowedHostsSelfService = $allowedHostsSelfService;
|
||||
}
|
||||
// set session encryption
|
||||
if (function_exists('mcrypt_create_iv')) {
|
||||
$encryptSession = 'false';
|
||||
|
|
@ -271,6 +294,9 @@ $securityTable = new htmlTable();
|
|||
$options = array(5, 10, 20, 30, 60, 90, 120, 240);
|
||||
$securityTable->addElement(new htmlTableExtendedSelect('sessionTimeout', $options, array($cfg->sessionTimeout), _("Session timeout"), '238'), true);
|
||||
$securityTable->addElement(new htmlTableExtendedInputTextarea('allowedHosts', implode("\n", explode(",", $cfg->allowedHosts)), '30', '7', _("Allowed hosts"), '241'), true);
|
||||
if (isLAMProVersion()) {
|
||||
$securityTable->addElement(new htmlTableExtendedInputTextarea('allowedHostsSelfService', implode("\n", explode(",", $cfg->allowedHostsSelfService)), '30', '7', _("Allowed hosts (self service)"), '241'), true);
|
||||
}
|
||||
$encryptSession = ($cfg->encryptSession === 'true');
|
||||
$encryptSessionBox = new htmlTableExtendedInputCheckbox('encryptSession', $encryptSession, _('Encrypt session'), '245');
|
||||
$encryptSessionBox->setIsEnabled(function_exists('mcrypt_create_iv'));
|
||||
|
|
|
|||
Loading…
Reference in New Issue