added separate IP list for self service

This commit is contained in:
Roland Gruber 2014-01-12 19:58:15 +00:00
parent b99f5b3928
commit 56f4626626
6 changed files with 55 additions and 9 deletions

View File

@ -2,6 +2,9 @@ March 2014 4.5
- IMAP: allow dynamic admin user names by replacing wildcards with LDAP attributes
- Personal: allow to set fields read-only
- Added option to server profile if referrals should be followed (fixes problems with Samba 4 and AD)
- LAM Pro:
-> Separate IP restriction list for self service
18.12.2013 4.4
- PyKota support: users, groups, printers, billing codes
@ -11,14 +14,14 @@ March 2014 4.5
- Unix: switch also additional membership if primary group is changed (RFE 108)
- Windows: fixed user name handling, sAMAccountName now optional
- Apache 2.4 support (requires Apache "version" module)
- added Turkish, Ukrainian and US English translation
- Added Turkish, Ukrainian and US English translation
- LAM Pro:
-> Bind DLZ support
-> Samba/Shadow: display password change date in self service
-> Custom fields: support custom label and icon, auto-completion
-> User self registration: support constant attribute values
-> Self service: allow to set custom field labels
- fixed bugs:
- Fixed bugs:
-> Format of photo in Personal tab (158)
@ -34,14 +37,14 @@ March 2014 4.5
-> Custom fields: read-only fields for admin interface and file upload for binary data
-> Custom scripts: support user self registration
-> Password self reset: Samba 3 sync, identification with login attribute, Samba 4 support
- fixed bugs:
- Fixed bugs:
-> Custom fields: auto-adding object classes via profile editor fixed
-> PHP 5.5 compatibility
-> Lamdaemon: do not show message if home directory to delete was not found (154)
18.06.2013 4.2.1
- fixed bugs:
- Fixed bugs:
-> Unix: suggested user name must be lower case
-> Quota: profile editor does not work in some cases

View File

@ -720,6 +720,10 @@ Have fun!
most installations. If you use LDAP referrals please activate
referral following for your server profile (tab General settings
-&gt; Server settings -&gt; Advanced options).</para>
<para>The self service pages now have an own option for allowed IPs.
If your LAM installation uses IP restrictions please update the LAM
main configuration.</para>
</section>
<section>
@ -994,7 +998,8 @@ Have fun!
<para>You may also set a list of IP addresses which are allowed to
access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123)
or with the "*" wildcard (e.g. 123.123.123.*). Users which try to
access LAM via an untrusted IP only get blank pages.</para>
access LAM via an untrusted IP only get blank pages. There is a
separate field for LAM Pro self service.</para>
<para id="sessionEncryption">Session encryption will encrypt sensitive
data like passwords in your session files. This is only available when

Binary file not shown.

Before

Width:  |  Height:  |  Size: 18 KiB

After

Width:  |  Height:  |  Size: 22 KiB

View File

@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2012 Roland Gruber
Copyright (C) 2003 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -1400,6 +1400,9 @@ class LAMCfgMain {
/** list of hosts which may access LAM */
public $allowedHosts;
/** list of hosts which may access LAM Pro self service */
public $allowedHostsSelfService;
/** session encryption */
public $encryptSession;
@ -1441,7 +1444,7 @@ class LAMCfgMain {
"logLevel", "logDestination", "allowedHosts", "passwordMinLength",
"passwordMinUpper", "passwordMinLower", "passwordMinNumeric",
"passwordMinClasses", "passwordMinSymbol", "mailEOL", 'errorReporting',
'encryptSession');
'encryptSession', 'allowedHostsSelfService');
/**
* Loads preferences from config file
@ -1453,6 +1456,7 @@ class LAMCfgMain {
$this->logLevel = LOG_NOTICE;
$this->logDestination = "SYSLOG";
$this->allowedHosts = "";
$this->allowedHostsSelfService = '';
$this->encryptSession = 'true';
$this->reload();
}
@ -1521,6 +1525,7 @@ class LAMCfgMain {
if (!in_array("logLevel", $saved)) array_push($file_array, "\n\n# log level\n" . "logLevel: " . $this->logLevel);
if (!in_array("logDestination", $saved)) array_push($file_array, "\n\n# log destination\n" . "logDestination: " . $this->logDestination);
if (!in_array("allowedHosts", $saved)) array_push($file_array, "\n\n# list of hosts which may access LAM\n" . "allowedHosts: " . $this->allowedHosts);
if (!in_array("allowedHostsSelfService", $saved)) array_push($file_array, "\n\n# list of hosts which may access LAM Pro self service\n" . "allowedHostsSelfService: " . $this->allowedHostsSelfService);
if (!in_array("encryptSession", $saved)) array_push($file_array, "\n\n# encrypt session data\n" . "encryptSession: " . $this->encryptSession);
if (!in_array("passwordMinLength", $saved)) array_push($file_array, "\n\n# Password: minimum password length\n" . "passwordMinLength: " . $this->passwordMinLength);
if (!in_array("passwordMinUpper", $saved)) array_push($file_array, "\n\n# Password: minimum uppercase characters\n" . "passwordMinUpper: " . $this->passwordMinUpper);

View File

@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2006 - 2013 Roland Gruber
Copyright (C) 2006 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -32,6 +32,8 @@ $Id$
include_once('config.inc');
/** ldap connection */
include_once('ldap.inc');
/** common functions */
include_once('account.inc');
// check client IP address
checkClientIP();
@ -104,6 +106,11 @@ function checkClientIP() {
if (isset($_SESSION['cfgMain'])) $cfg = $_SESSION['cfgMain'];
else $cfg = new LAMCfgMain();
$allowedHosts = $cfg->allowedHosts;
$url = getCallingURL();
if ((strpos($url, '/selfService/selfService') !== false) || ((strpos($url, '/misc/ajax.php?') !== false) && strpos($url, 'selfservice=1') !== false)) {
// self service pages have separate IP list
$allowedHosts = $cfg->allowedHostsSelfService;
}
// skip test if no hosts are defined
if ($allowedHosts == "") return;
$allowedHosts = explode(",", $allowedHosts);

View File

@ -3,7 +3,7 @@
$Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2013 Roland Gruber
Copyright (C) 2003 - 2014 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -104,6 +104,29 @@ if (isset($_POST['submitFormData'])) {
}
else $allowedHosts = "";
$cfg->allowedHosts = $allowedHosts;
// set allowed hosts for self service
if (isLAMProVersion()) {
if (isset($_POST['allowedHostsSelfService'])) {
$allowedHostsSelfService = $_POST['allowedHostsSelfService'];
$allowedHostsSelfServiceList = explode("\n", $allowedHostsSelfService);
for ($i = 0; $i < sizeof($allowedHostsSelfServiceList); $i++) {
$allowedHostsSelfServiceList[$i] = trim($allowedHostsSelfServiceList[$i]);
// ignore empty lines
if ($allowedHostsSelfServiceList[$i] == "") {
unset($allowedHostsSelfServiceList[$i]);
continue;
}
// check each line
$ipRegex = '/^[0-9a-f\\.:\\*]+$/i';
if (!preg_match($ipRegex, $allowedHostsSelfServiceList[$i]) || (strlen($allowedHostsSelfServiceList[$i]) > 15)) {
$errors[] = sprintf(_("The IP address %s is invalid!"), htmlspecialchars(str_replace('%', '%%', $allowedHostsSelfServiceList[$i])));
}
}
$allowedHostsSelfService = implode(",", $allowedHostsSelfServiceList);
}
else $allowedHostsSelfService = "";
$cfg->allowedHostsSelfService = $allowedHostsSelfService;
}
// set session encryption
if (function_exists('mcrypt_create_iv')) {
$encryptSession = 'false';
@ -271,6 +294,9 @@ $securityTable = new htmlTable();
$options = array(5, 10, 20, 30, 60, 90, 120, 240);
$securityTable->addElement(new htmlTableExtendedSelect('sessionTimeout', $options, array($cfg->sessionTimeout), _("Session timeout"), '238'), true);
$securityTable->addElement(new htmlTableExtendedInputTextarea('allowedHosts', implode("\n", explode(",", $cfg->allowedHosts)), '30', '7', _("Allowed hosts"), '241'), true);
if (isLAMProVersion()) {
$securityTable->addElement(new htmlTableExtendedInputTextarea('allowedHostsSelfService', implode("\n", explode(",", $cfg->allowedHostsSelfService)), '30', '7', _("Allowed hosts (self service)"), '241'), true);
}
$encryptSession = ($cfg->encryptSession === 'true');
$encryptSessionBox = new htmlTableExtendedInputCheckbox('encryptSession', $encryptSession, _('Encrypt session'), '245');
$encryptSessionBox->setIsEnabled(function_exists('mcrypt_create_iv'));