added separate IP list for self service

This commit is contained in:
Roland Gruber 2014-01-12 19:58:15 +00:00
parent b99f5b3928
commit 56f4626626
6 changed files with 55 additions and 9 deletions

View File

@ -2,6 +2,9 @@ March 2014 4.5
- IMAP: allow dynamic admin user names by replacing wildcards with LDAP attributes - IMAP: allow dynamic admin user names by replacing wildcards with LDAP attributes
- Personal: allow to set fields read-only - Personal: allow to set fields read-only
- Added option to server profile if referrals should be followed (fixes problems with Samba 4 and AD) - Added option to server profile if referrals should be followed (fixes problems with Samba 4 and AD)
- LAM Pro:
-> Separate IP restriction list for self service
18.12.2013 4.4 18.12.2013 4.4
- PyKota support: users, groups, printers, billing codes - PyKota support: users, groups, printers, billing codes
@ -11,14 +14,14 @@ March 2014 4.5
- Unix: switch also additional membership if primary group is changed (RFE 108) - Unix: switch also additional membership if primary group is changed (RFE 108)
- Windows: fixed user name handling, sAMAccountName now optional - Windows: fixed user name handling, sAMAccountName now optional
- Apache 2.4 support (requires Apache "version" module) - Apache 2.4 support (requires Apache "version" module)
- added Turkish, Ukrainian and US English translation - Added Turkish, Ukrainian and US English translation
- LAM Pro: - LAM Pro:
-> Bind DLZ support -> Bind DLZ support
-> Samba/Shadow: display password change date in self service -> Samba/Shadow: display password change date in self service
-> Custom fields: support custom label and icon, auto-completion -> Custom fields: support custom label and icon, auto-completion
-> User self registration: support constant attribute values -> User self registration: support constant attribute values
-> Self service: allow to set custom field labels -> Self service: allow to set custom field labels
- fixed bugs: - Fixed bugs:
-> Format of photo in Personal tab (158) -> Format of photo in Personal tab (158)
@ -34,14 +37,14 @@ March 2014 4.5
-> Custom fields: read-only fields for admin interface and file upload for binary data -> Custom fields: read-only fields for admin interface and file upload for binary data
-> Custom scripts: support user self registration -> Custom scripts: support user self registration
-> Password self reset: Samba 3 sync, identification with login attribute, Samba 4 support -> Password self reset: Samba 3 sync, identification with login attribute, Samba 4 support
- fixed bugs: - Fixed bugs:
-> Custom fields: auto-adding object classes via profile editor fixed -> Custom fields: auto-adding object classes via profile editor fixed
-> PHP 5.5 compatibility -> PHP 5.5 compatibility
-> Lamdaemon: do not show message if home directory to delete was not found (154) -> Lamdaemon: do not show message if home directory to delete was not found (154)
18.06.2013 4.2.1 18.06.2013 4.2.1
- fixed bugs: - Fixed bugs:
-> Unix: suggested user name must be lower case -> Unix: suggested user name must be lower case
-> Quota: profile editor does not work in some cases -> Quota: profile editor does not work in some cases

View File

@ -720,6 +720,10 @@ Have fun!
most installations. If you use LDAP referrals please activate most installations. If you use LDAP referrals please activate
referral following for your server profile (tab General settings referral following for your server profile (tab General settings
-&gt; Server settings -&gt; Advanced options).</para> -&gt; Server settings -&gt; Advanced options).</para>
<para>The self service pages now have an own option for allowed IPs.
If your LAM installation uses IP restrictions please update the LAM
main configuration.</para>
</section> </section>
<section> <section>
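Review bot: the upgrade note should spell out the consequence rather than only asking admins to "update the LAM main configuration": after the upgrade the self service pages are no longer covered by the existing allowed hosts list, and until the new field is filled they accept any client IP, because the new option defaults to an empty string and an empty list skips the check entirely. Suggest wording such as "The existing IP list no longer applies to self service; set the new self service IP list, otherwise self service is not IP restricted."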
@ -994,7 +998,8 @@ Have fun!
<para>You may also set a list of IP addresses which are allowed to <para>You may also set a list of IP addresses which are allowed to
access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123) access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123)
or with the "*" wildcard (e.g. 123.123.123.*). Users which try to or with the "*" wildcard (e.g. 123.123.123.*). Users which try to
access LAM via an untrusted IP only get blank pages.</para> access LAM via an untrusted IP only get blank pages. There is a
separate field for LAM Pro self service.</para>
<para id="sessionEncryption">Session encryption will encrypt sensitive <para id="sessionEncryption">Session encryption will encrypt sensitive
data like passwords in your session files. This is only available when data like passwords in your session files. This is only available when
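Review bot: the added sentence "There is a separate field for LAM Pro self service" leaves open how the two lists relate. From checkClientIP() the self service list replaces the general list for those pages, and an empty self service list means no IP restriction at all, so both points belong here, e.g. "Self service pages are checked only against the separate self service list; if that list is empty, self service is reachable from any IP."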

Binary file not shown (image, 18 KiB before, 22 KiB after).

View File

@ -3,7 +3,7 @@
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2012 Roland Gruber Copyright (C) 2003 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -1400,6 +1400,9 @@ class LAMCfgMain {
/** list of hosts which may access LAM */ /** list of hosts which may access LAM */
public $allowedHosts; public $allowedHosts;
/** list of hosts which may access LAM Pro self service */
public $allowedHostsSelfService;
/** session encryption */ /** session encryption */
public $encryptSession; public $encryptSession;
@ -1441,7 +1444,7 @@ class LAMCfgMain {
"logLevel", "logDestination", "allowedHosts", "passwordMinLength", "logLevel", "logDestination", "allowedHosts", "passwordMinLength",
"passwordMinUpper", "passwordMinLower", "passwordMinNumeric", "passwordMinUpper", "passwordMinLower", "passwordMinNumeric",
"passwordMinClasses", "passwordMinSymbol", "mailEOL", 'errorReporting', "passwordMinClasses", "passwordMinSymbol", "mailEOL", 'errorReporting',
'encryptSession'); 'encryptSession', 'allowedHostsSelfService');
/** /**
* Loads preferences from config file * Loads preferences from config file
@ -1453,6 +1456,7 @@ class LAMCfgMain {
$this->logLevel = LOG_NOTICE; $this->logLevel = LOG_NOTICE;
$this->logDestination = "SYSLOG"; $this->logDestination = "SYSLOG";
$this->allowedHosts = ""; $this->allowedHosts = "";
$this->allowedHostsSelfService = '';
$this->encryptSession = 'true'; $this->encryptSession = 'true';
$this->reload(); $this->reload();
} }
@ -1521,6 +1525,7 @@ class LAMCfgMain {
if (!in_array("logLevel", $saved)) array_push($file_array, "\n\n# log level\n" . "logLevel: " . $this->logLevel); if (!in_array("logLevel", $saved)) array_push($file_array, "\n\n# log level\n" . "logLevel: " . $this->logLevel);
if (!in_array("logDestination", $saved)) array_push($file_array, "\n\n# log destination\n" . "logDestination: " . $this->logDestination); if (!in_array("logDestination", $saved)) array_push($file_array, "\n\n# log destination\n" . "logDestination: " . $this->logDestination);
if (!in_array("allowedHosts", $saved)) array_push($file_array, "\n\n# list of hosts which may access LAM\n" . "allowedHosts: " . $this->allowedHosts); if (!in_array("allowedHosts", $saved)) array_push($file_array, "\n\n# list of hosts which may access LAM\n" . "allowedHosts: " . $this->allowedHosts);
if (!in_array("allowedHostsSelfService", $saved)) array_push($file_array, "\n\n# list of hosts which may access LAM Pro self service\n" . "allowedHostsSelfService: " . $this->allowedHostsSelfService);
if (!in_array("encryptSession", $saved)) array_push($file_array, "\n\n# encrypt session data\n" . "encryptSession: " . $this->encryptSession); if (!in_array("encryptSession", $saved)) array_push($file_array, "\n\n# encrypt session data\n" . "encryptSession: " . $this->encryptSession);
if (!in_array("passwordMinLength", $saved)) array_push($file_array, "\n\n# Password: minimum password length\n" . "passwordMinLength: " . $this->passwordMinLength); if (!in_array("passwordMinLength", $saved)) array_push($file_array, "\n\n# Password: minimum password length\n" . "passwordMinLength: " . $this->passwordMinLength);
if (!in_array("passwordMinUpper", $saved)) array_push($file_array, "\n\n# Password: minimum uppercase characters\n" . "passwordMinUpper: " . $this->passwordMinUpper); if (!in_array("passwordMinUpper", $saved)) array_push($file_array, "\n\n# Password: minimum uppercase characters\n" . "passwordMinUpper: " . $this->passwordMinUpper);

View File

@ -3,7 +3,7 @@
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2006 - 2013 Roland Gruber Copyright (C) 2006 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -32,6 +32,8 @@ $Id$
include_once('config.inc'); include_once('config.inc');
/** ldap connection */ /** ldap connection */
include_once('ldap.inc'); include_once('ldap.inc');
/** common functions */
include_once('account.inc');
// check client IP address // check client IP address
checkClientIP(); checkClientIP();
@ -104,6 +106,11 @@ function checkClientIP() {
if (isset($_SESSION['cfgMain'])) $cfg = $_SESSION['cfgMain']; if (isset($_SESSION['cfgMain'])) $cfg = $_SESSION['cfgMain'];
else $cfg = new LAMCfgMain(); else $cfg = new LAMCfgMain();
$allowedHosts = $cfg->allowedHosts; $allowedHosts = $cfg->allowedHosts;
$url = getCallingURL();
if ((strpos($url, '/selfService/selfService') !== false) || ((strpos($url, '/misc/ajax.php?') !== false) && strpos($url, 'selfservice=1') !== false)) {
// self service pages have separate IP list
$allowedHosts = $cfg->allowedHostsSelfService;
}
// skip test if no hosts are defined // skip test if no hosts are defined
if ($allowedHosts == "") return; if ($allowedHosts == "") return;
$allowedHosts = explode(",", $allowedHosts); $allowedHosts = explode(",", $allowedHosts);
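Review bot: the choice of IP list is made by substring search on the calling URL (`strpos($url, '/selfService/selfService') !== false` and `strpos($url, 'selfservice=1') !== false`), and the self service list defaults to '' which makes the function return before any IP is tested. If getCallingURL() includes the query string, a request to any other script whose query string merely contains one of those markers would be evaluated against the (possibly empty) self service list instead of allowedHosts. Suggest deciding on the script path only, e.g. comparing `$_SERVER['SCRIPT_NAME']` against the self service script, and for ajax.php reading `$_GET['selfservice']` rather than searching the raw URL; also consider falling back to `$cfg->allowedHosts` when allowedHostsSelfService is empty, so an upgraded installation does not silently lose its restriction for self service.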

View File

@ -3,7 +3,7 @@
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2013 Roland Gruber Copyright (C) 2003 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -104,6 +104,29 @@ if (isset($_POST['submitFormData'])) {
} }
else $allowedHosts = ""; else $allowedHosts = "";
$cfg->allowedHosts = $allowedHosts; $cfg->allowedHosts = $allowedHosts;
// set allowed hosts for self service
if (isLAMProVersion()) {
if (isset($_POST['allowedHostsSelfService'])) {
$allowedHostsSelfService = $_POST['allowedHostsSelfService'];
$allowedHostsSelfServiceList = explode("\n", $allowedHostsSelfService);
for ($i = 0; $i < sizeof($allowedHostsSelfServiceList); $i++) {
$allowedHostsSelfServiceList[$i] = trim($allowedHostsSelfServiceList[$i]);
// ignore empty lines
if ($allowedHostsSelfServiceList[$i] == "") {
unset($allowedHostsSelfServiceList[$i]);
continue;
}
// check each line
$ipRegex = '/^[0-9a-f\\.:\\*]+$/i';
if (!preg_match($ipRegex, $allowedHostsSelfServiceList[$i]) || (strlen($allowedHostsSelfServiceList[$i]) > 15)) {
$errors[] = sprintf(_("The IP address %s is invalid!"), htmlspecialchars(str_replace('%', '%%', $allowedHostsSelfServiceList[$i])));
}
}
$allowedHostsSelfService = implode(",", $allowedHostsSelfServiceList);
}
else $allowedHostsSelfService = "";
$cfg->allowedHostsSelfService = $allowedHostsSelfService;
}
// set session encryption // set session encryption
if (function_exists('mcrypt_create_iv')) { if (function_exists('mcrypt_create_iv')) {
$encryptSession = 'false'; $encryptSession = 'false';
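Review bot: the loop `for ($i = 0; $i < sizeof($allowedHostsSelfServiceList); $i++)` re-evaluates sizeof() after each unset(), so once an empty line is dropped the count shrinks while the remaining indices do not, and the last entries are never validated yet still end up in the implode()d value. Compute the count once before the loop, or trim and array_filter() the list first and validate with foreach. Separately, the regex `/^[0-9a-f\.:\*]+$/i` together with `strlen(...) > 15` accepts malformed entries such as `*.*.*.*` or bare dots and rejects every IPv6 address longer than 15 characters, which the hex/colon character class suggests was meant to be allowed; since this block is a copy of the allowedHosts validation just above it, moving both into one shared function would fix them in one place.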
@ -271,6 +294,9 @@ $securityTable = new htmlTable();
$options = array(5, 10, 20, 30, 60, 90, 120, 240); $options = array(5, 10, 20, 30, 60, 90, 120, 240);
$securityTable->addElement(new htmlTableExtendedSelect('sessionTimeout', $options, array($cfg->sessionTimeout), _("Session timeout"), '238'), true); $securityTable->addElement(new htmlTableExtendedSelect('sessionTimeout', $options, array($cfg->sessionTimeout), _("Session timeout"), '238'), true);
$securityTable->addElement(new htmlTableExtendedInputTextarea('allowedHosts', implode("\n", explode(",", $cfg->allowedHosts)), '30', '7', _("Allowed hosts"), '241'), true); $securityTable->addElement(new htmlTableExtendedInputTextarea('allowedHosts', implode("\n", explode(",", $cfg->allowedHosts)), '30', '7', _("Allowed hosts"), '241'), true);
if (isLAMProVersion()) {
$securityTable->addElement(new htmlTableExtendedInputTextarea('allowedHostsSelfService', implode("\n", explode(",", $cfg->allowedHostsSelfService)), '30', '7', _("Allowed hosts (self service)"), '241'), true);
}
$encryptSession = ($cfg->encryptSession === 'true'); $encryptSession = ($cfg->encryptSession === 'true');
$encryptSessionBox = new htmlTableExtendedInputCheckbox('encryptSession', $encryptSession, _('Encrypt session'), '245'); $encryptSessionBox = new htmlTableExtendedInputCheckbox('encryptSession', $encryptSession, _('Encrypt session'), '245');
$encryptSessionBox->setIsEnabled(function_exists('mcrypt_create_iv')); $encryptSessionBox->setIsEnabled(function_exists('mcrypt_create_iv'));
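Review bot: the new textarea reuses help id '241' of the existing "Allowed hosts" field, so unless that help text is updated the new field shows the description of the general list. Consider a dedicated help entry stating that this list applies only to the self service pages and replaces allowedHosts there, and that leaving it empty disables the IP check for self service.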