diff --git a/lam/HISTORY b/lam/HISTORY
index d3357ce9..4a26def9 100644
--- a/lam/HISTORY
+++ b/lam/HISTORY
@@ -2,6 +2,9 @@ March 2014 4.5
- IMAP: allow dynamic admin user names by replacing wildcards with LDAP attributes
- Personal: allow to set fields read-only
- Added option to server profile if referrals should be followed (fixes problems with Samba 4 and AD)
+ - LAM Pro:
+ -> Separate IP restriction list for self service
+
18.12.2013 4.4
- PyKota support: users, groups, printers, billing codes
@@ -11,14 +14,14 @@ March 2014 4.5
- Unix: switch also additional membership if primary group is changed (RFE 108)
- Windows: fixed user name handling, sAMAccountName now optional
- Apache 2.4 support (requires Apache "version" module)
- - added Turkish, Ukrainian and US English translation
+ - Added Turkish, Ukrainian and US English translation
- LAM Pro:
-> Bind DLZ support
-> Samba/Shadow: display password change date in self service
-> Custom fields: support custom label and icon, auto-completion
-> User self registration: support constant attribute values
-> Self service: allow to set custom field labels
- - fixed bugs:
+ - Fixed bugs:
-> Format of photo in Personal tab (158)
@@ -34,14 +37,14 @@ March 2014 4.5
-> Custom fields: read-only fields for admin interface and file upload for binary data
-> Custom scripts: support user self registration
-> Password self reset: Samba 3 sync, identification with login attribute, Samba 4 support
- - fixed bugs:
+ - Fixed bugs:
-> Custom fields: auto-adding object classes via profile editor fixed
-> PHP 5.5 compatibility
-> Lamdaemon: do not show message if home directory to delete was not found (154)
18.06.2013 4.2.1
- - fixed bugs:
+ - Fixed bugs:
-> Unix: suggested user name must be lower case
-> Quota: profile editor does not work in some cases
diff --git a/lam/docs/manual-sources/howto.xml b/lam/docs/manual-sources/howto.xml
index 49a65384..521d4e9e 100644
--- a/lam/docs/manual-sources/howto.xml
+++ b/lam/docs/manual-sources/howto.xml
@@ -720,6 +720,10 @@ Have fun!
most installations. If you use LDAP referrals please activate
referral following for your server profile (tab General settings
-> Server settings -> Advanced options).
+
+ The self service pages now have an own option for allowed IPs.
+ If your LAM installation uses IP restrictions please update the LAM
+ main configuration.
@@ -994,7 +998,8 @@ Have fun!
You may also set a list of IP addresses which are allowed to
access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123)
or with the "*" wildcard (e.g. 123.123.123.*). Users which try to
- access LAM via an untrusted IP only get blank pages.
+ access LAM via an untrusted IP only get blank pages. There is a
+ separate field for LAM Pro self service.
Session encryption will encrypt sensitive
data like passwords in your session files. This is only available when
diff --git a/lam/docs/manual-sources/images/configGeneral1.png b/lam/docs/manual-sources/images/configGeneral1.png
index 46cf276f..121da807 100644
Binary files a/lam/docs/manual-sources/images/configGeneral1.png and b/lam/docs/manual-sources/images/configGeneral1.png differ
diff --git a/lam/lib/config.inc b/lam/lib/config.inc
index ddcefb0e..1753ff0d 100644
--- a/lam/lib/config.inc
+++ b/lam/lib/config.inc
@@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2003 - 2012 Roland Gruber
+ Copyright (C) 2003 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -1400,6 +1400,9 @@ class LAMCfgMain {
/** list of hosts which may access LAM */
public $allowedHosts;
+ /** list of hosts which may access LAM Pro self service */
+ public $allowedHostsSelfService;
+
/** session encryption */
public $encryptSession;
@@ -1441,7 +1444,7 @@ class LAMCfgMain {
"logLevel", "logDestination", "allowedHosts", "passwordMinLength",
"passwordMinUpper", "passwordMinLower", "passwordMinNumeric",
"passwordMinClasses", "passwordMinSymbol", "mailEOL", 'errorReporting',
- 'encryptSession');
+ 'encryptSession', 'allowedHostsSelfService');
/**
* Loads preferences from config file
@@ -1453,6 +1456,7 @@ class LAMCfgMain {
$this->logLevel = LOG_NOTICE;
$this->logDestination = "SYSLOG";
$this->allowedHosts = "";
+ $this->allowedHostsSelfService = '';
$this->encryptSession = 'true';
$this->reload();
}
@@ -1521,6 +1525,7 @@ class LAMCfgMain {
if (!in_array("logLevel", $saved)) array_push($file_array, "\n\n# log level\n" . "logLevel: " . $this->logLevel);
if (!in_array("logDestination", $saved)) array_push($file_array, "\n\n# log destination\n" . "logDestination: " . $this->logDestination);
if (!in_array("allowedHosts", $saved)) array_push($file_array, "\n\n# list of hosts which may access LAM\n" . "allowedHosts: " . $this->allowedHosts);
+ if (!in_array("allowedHostsSelfService", $saved)) array_push($file_array, "\n\n# list of hosts which may access LAM Pro self service\n" . "allowedHostsSelfService: " . $this->allowedHostsSelfService);
if (!in_array("encryptSession", $saved)) array_push($file_array, "\n\n# encrypt session data\n" . "encryptSession: " . $this->encryptSession);
if (!in_array("passwordMinLength", $saved)) array_push($file_array, "\n\n# Password: minimum password length\n" . "passwordMinLength: " . $this->passwordMinLength);
if (!in_array("passwordMinUpper", $saved)) array_push($file_array, "\n\n# Password: minimum uppercase characters\n" . "passwordMinUpper: " . $this->passwordMinUpper);
diff --git a/lam/lib/security.inc b/lam/lib/security.inc
index d5ffa5ca..8ee5ea5e 100644
--- a/lam/lib/security.inc
+++ b/lam/lib/security.inc
@@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2006 - 2013 Roland Gruber
+ Copyright (C) 2006 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -32,6 +32,8 @@ $Id$
include_once('config.inc');
/** ldap connection */
include_once('ldap.inc');
+/** common functions */
+include_once('account.inc');
// check client IP address
checkClientIP();
@@ -104,6 +106,11 @@ function checkClientIP() {
if (isset($_SESSION['cfgMain'])) $cfg = $_SESSION['cfgMain'];
else $cfg = new LAMCfgMain();
$allowedHosts = $cfg->allowedHosts;
+ $url = getCallingURL();
+ if ((strpos($url, '/selfService/selfService') !== false) || ((strpos($url, '/misc/ajax.php?') !== false) && strpos($url, 'selfservice=1') !== false)) {
+ // self service pages have separate IP list
+ $allowedHosts = $cfg->allowedHostsSelfService;
+ }
// skip test if no hosts are defined
if ($allowedHosts == "") return;
$allowedHosts = explode(",", $allowedHosts);
diff --git a/lam/templates/config/mainmanage.php b/lam/templates/config/mainmanage.php
index cf7ae048..a3f5078f 100644
--- a/lam/templates/config/mainmanage.php
+++ b/lam/templates/config/mainmanage.php
@@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
- Copyright (C) 2003 - 2013 Roland Gruber
+ Copyright (C) 2003 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@@ -104,6 +104,29 @@ if (isset($_POST['submitFormData'])) {
}
else $allowedHosts = "";
$cfg->allowedHosts = $allowedHosts;
+ // set allowed hosts for self service
+ if (isLAMProVersion()) {
+ if (isset($_POST['allowedHostsSelfService'])) {
+ $allowedHostsSelfService = $_POST['allowedHostsSelfService'];
+ $allowedHostsSelfServiceList = explode("\n", $allowedHostsSelfService);
+ for ($i = 0; $i < sizeof($allowedHostsSelfServiceList); $i++) {
+ $allowedHostsSelfServiceList[$i] = trim($allowedHostsSelfServiceList[$i]);
+ // ignore empty lines
+ if ($allowedHostsSelfServiceList[$i] == "") {
+ unset($allowedHostsSelfServiceList[$i]);
+ continue;
+ }
+ // check each line
+ $ipRegex = '/^[0-9a-f\\.:\\*]+$/i';
+ if (!preg_match($ipRegex, $allowedHostsSelfServiceList[$i]) || (strlen($allowedHostsSelfServiceList[$i]) > 15)) {
+ $errors[] = sprintf(_("The IP address %s is invalid!"), htmlspecialchars(str_replace('%', '%%', $allowedHostsSelfServiceList[$i])));
+ }
+ }
+ $allowedHostsSelfService = implode(",", $allowedHostsSelfServiceList);
+ }
+ else $allowedHostsSelfService = "";
+ $cfg->allowedHostsSelfService = $allowedHostsSelfService;
+ }
// set session encryption
if (function_exists('mcrypt_create_iv')) {
$encryptSession = 'false';
@@ -271,6 +294,9 @@ $securityTable = new htmlTable();
$options = array(5, 10, 20, 30, 60, 90, 120, 240);
$securityTable->addElement(new htmlTableExtendedSelect('sessionTimeout', $options, array($cfg->sessionTimeout), _("Session timeout"), '238'), true);
$securityTable->addElement(new htmlTableExtendedInputTextarea('allowedHosts', implode("\n", explode(",", $cfg->allowedHosts)), '30', '7', _("Allowed hosts"), '241'), true);
+if (isLAMProVersion()) {
+ $securityTable->addElement(new htmlTableExtendedInputTextarea('allowedHostsSelfService', implode("\n", explode(",", $cfg->allowedHostsSelfService)), '30', '7', _("Allowed hosts (self service)"), '241'), true);
+}
$encryptSession = ($cfg->encryptSession === 'true');
$encryptSessionBox = new htmlTableExtendedInputCheckbox('encryptSession', $encryptSession, _('Encrypt session'), '245');
$encryptSessionBox->setIsEnabled(function_exists('mcrypt_create_iv'));