WMDE
/
LDAPAccountManager
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

added 2-factor options

This commit is contained in:
Roland Gruber 2017-02-11 18:16:08 +01:00
parent f405f7910b
commit 88050ca3f0
4 changed files with 196 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
lam/lib/2factor.inc
View File

@ -225,6 +225,11 @@ class PrivacyIDEAProvider implements TwoFactorProvider {
*/ */
class TwoFactorProviderService { class TwoFactorProviderService {
/** 2factor authentication disabled */
const TWO_FACTOR_NONE = 'none';
/** 2factor authentication via privacyIDEA */
const TWO_FACTOR_PRIVACYIDEA = 'privacyidea';
private $profile; private $profile;
/** /**
@ -244,7 +249,7 @@ class TwoFactorProviderService {
* @throws \Exception unable to get provider * @throws \Exception unable to get provider
*/ */
public function getProvider() { public function getProvider() {
if ($this->profile->twoFactorAuthentication == selfServiceProfile::TWO_FACTOR_PRIVACYIDEA) { if ($this->profile->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA) {
return new PrivacyIDEAProvider($this->profile); return new PrivacyIDEAProvider($this->profile);
} }
throw new \Exception('Invalid provider: ' . $this->profile->twoFactorAuthentication); throw new \Exception('Invalid provider: ' . $this->profile->twoFactorAuthentication);

135
lam/lib/config.inc
View File

@ -1,9 +1,10 @@
<?php <?php
use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
/* /*
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2016 Roland Gruber Copyright (C) 2003 - 2017 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -31,11 +32,13 @@ $Id$
*/ */
/** Used to print messages. */ /** Used to print messages. */
include_once("status.inc"); include_once "status.inc";
/** Used to get module information. */ /** Used to get module information. */
include_once("modules.inc"); include_once "modules.inc";
/** Used to get type information. */ /** Used to get type information. */
include_once("types.inc"); include_once "types.inc";
/** 2-factor */
include_once '2factor.inc';
/** /**
* Sets the environment variables for custom SSL CA certificates. * Sets the environment variables for custom SSL CA certificates.
@ -567,6 +570,13 @@ class LAMConfig {
/** job configuration */ /** job configuration */
private $jobSettings = array(); private $jobSettings = array();
private $twoFactorAuthentication = TwoFactorProviderService::TWO_FACTOR_NONE;
private $twoFactorAuthenticationURL = 'https://localhost';
private $twoFactorAuthenticationInsecure = false;
private $twoFactorAuthenticationLabel = null;
private $twoFactorAuthenticationOptional = false;
private $twoFactorAuthenticationCaption = '';
/** List of all settings in config file */ /** List of all settings in config file */
private $settings = array("ServerURL", "useTLS", "followReferrals", 'pagedResults', "Passwd", "Admins", "treesuffix", private $settings = array("ServerURL", "useTLS", "followReferrals", 'pagedResults', "Passwd", "Admins", "treesuffix",
"defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout", 'serverDisplayName', "defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout", 'serverDisplayName',
@ -576,7 +586,9 @@ class LAMConfig {
'loginSearchPassword', 'timeZone', 'jobsBindUser', 'jobsBindPassword', 'jobsDatabase', 'jobToken', 'jobs', 'loginSearchPassword', 'timeZone', 'jobsBindUser', 'jobsBindPassword', 'jobsDatabase', 'jobToken', 'jobs',
'jobsDBHost', 'jobsDBPort', 'jobsDBUser', 'jobsDBPassword', 'jobsDBName', 'pwdResetAllowSpecificPassword', 'jobsDBHost', 'jobsDBPort', 'jobsDBUser', 'jobsDBPassword', 'jobsDBName', 'pwdResetAllowSpecificPassword',
'pwdResetAllowScreenPassword', 'pwdResetForcePasswordChange', 'pwdResetDefaultPasswordOutput', 'pwdResetAllowScreenPassword', 'pwdResetForcePasswordChange', 'pwdResetDefaultPasswordOutput',
'scriptUserName', 'scriptSSHKey', 'scriptSSHKeyPassword' 'scriptUserName', 'scriptSSHKey', 'scriptSSHKeyPassword', 'twoFactorAuthentication', 'twoFactorAuthenticationURL',
'twoFactorAuthenticationInsecure', 'twoFactorAuthenticationLabel', 'twoFactorAuthenticationOptional',
'twoFactorAuthenticationCaption'
); );
@ -816,6 +828,12 @@ class LAMConfig {
if (!in_array("pwdResetAllowScreenPassword", $saved)) array_push($file_array, "\n" . "pwdResetAllowScreenPassword: " . $this->pwdResetAllowScreenPassword . "\n"); if (!in_array("pwdResetAllowScreenPassword", $saved)) array_push($file_array, "\n" . "pwdResetAllowScreenPassword: " . $this->pwdResetAllowScreenPassword . "\n");
if (!in_array("pwdResetForcePasswordChange", $saved)) array_push($file_array, "\n" . "pwdResetForcePasswordChange: " . $this->pwdResetForcePasswordChange . "\n"); if (!in_array("pwdResetForcePasswordChange", $saved)) array_push($file_array, "\n" . "pwdResetForcePasswordChange: " . $this->pwdResetForcePasswordChange . "\n");
if (!in_array("pwdResetDefaultPasswordOutput", $saved)) array_push($file_array, "\n" . "pwdResetDefaultPasswordOutput: " . $this->pwdResetDefaultPasswordOutput . "\n"); if (!in_array("pwdResetDefaultPasswordOutput", $saved)) array_push($file_array, "\n" . "pwdResetDefaultPasswordOutput: " . $this->pwdResetDefaultPasswordOutput . "\n");
if (!in_array("twoFactorAuthentication", $saved)) array_push($file_array, "\n" . "twoFactorAuthentication: " . $this->twoFactorAuthentication . "\n");
if (!in_array("twoFactorAuthenticationURL", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationURL: " . $this->twoFactorAuthenticationURL . "\n");
if (!in_array("twoFactorAuthenticationInsecure", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationInsecure: " . $this->twoFactorAuthenticationInsecure . "\n");
if (!in_array("twoFactorAuthenticationLabel", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationLabel: " . $this->twoFactorAuthenticationLabel . "\n");
if (!in_array("twoFactorAuthenticationOptional", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationOptional: " . $this->twoFactorAuthenticationOptional . "\n");
if (!in_array("twoFactorAuthenticationCaption", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationCaption: " . $this->twoFactorAuthenticationCaption . "\n");
// check if all module settings were added // check if all module settings were added
$m_settings = array_keys($this->moduleSettings); $m_settings = array_keys($this->moduleSettings);
for ($i = 0; $i < sizeof($m_settings); $i++) { for ($i = 0; $i < sizeof($m_settings); $i++) {
@ -2044,6 +2062,113 @@ class LAMConfig {
public function setPwdResetDefaultPasswordOutput($pwdResetDefaultPasswordOutput) { public function setPwdResetDefaultPasswordOutput($pwdResetDefaultPasswordOutput) {
$this->pwdResetDefaultPasswordOutput = $pwdResetDefaultPasswordOutput; $this->pwdResetDefaultPasswordOutput = $pwdResetDefaultPasswordOutput;
} }
/**
* Returns the authentication type.
*
* @return string $twoFactorAuthentication authentication type
*/
public function getTwoFactorAuthentication() {
return $this->twoFactorAuthentication;
}
/**
* Sets the authentication type.
*
* @param string $twoFactorAuthentication authentication type
*/
public function setTwoFactorAuthentication($twoFactorAuthentication) {
$this->twoFactorAuthentication = $twoFactorAuthentication;
}
/**
* Returns the authentication URL.
*
* @return string $twoFactorAuthenticationURL authentication URL
*/
public function getTwoFactorAuthenticationURL() {
return $this->twoFactorAuthenticationURL;
}
/**
* Sets the authentication URL.
*
* @param string $twoFactorAuthenticationURL authentication URL
*/
public function setTwoFactorAuthenticationURL($twoFactorAuthenticationURL) {
$this->twoFactorAuthenticationURL = $twoFactorAuthenticationURL;
}
/**
* Returns if SSL certificate verification is turned off.
*
* @return bool $twoFactorAuthenticationInsecure SSL certificate verification is turned off
*/
public function getTwoFactorAuthenticationInsecure() {
return $this->twoFactorAuthenticationInsecure;
}
/**
* Sets if SSL certificate verification is turned off.
*
* @param boolean $twoFactorAuthenticationInsecure SSL certificate verification is turned off
*/
public function setTwoFactorAuthenticationInsecure($twoFactorAuthenticationInsecure) {
$this->twoFactorAuthenticationInsecure = $twoFactorAuthenticationInsecure;
}
/**
* Returns the authentication label.
*
* @return string $twoFactorAuthenticationLabel authentication label
*/
public function getTwoFactorAuthenticationLabel() {
return $this->twoFactorAuthenticationLabel;
}
/**
* Sets the authentication label.
*
* @param string $twoFactorAuthenticationLabel authentication label
*/
public function setTwoFactorAuthenticationLabel($twoFactorAuthenticationLabel) {
$this->twoFactorAuthenticationLabel = $twoFactorAuthenticationLabel;
}
/**
* Returns if 2nd factor is optional.
*
* @return bool $twoFactorAuthenticationOptional 2nd factor is optional
*/
public function getTwoFactorAuthenticationOptional() {
return $this->twoFactorAuthenticationOptional;
}
/**
* Sets if 2nd factor is optional.
*
* @param boolean $twoFactorAuthenticationOptional 2nd factor is optional
*/
public function setTwoFactorAuthenticationOptional($twoFactorAuthenticationOptional) {
$this->twoFactorAuthenticationOptional = $twoFactorAuthenticationOptional;
}
/**
* Returns the caption HTML.
*
* @return string $twoFactorAuthenticationCaption caption HTML
*/
public function getTwoFactorAuthenticationCaption() {
return $this->twoFactorAuthenticationCaption;
}
/**
* Sets the caption HTML.
*
* @param string $twoFactorAuthenticationCaption caption HTML
*/
public function setTwoFactorAuthenticationCaption($twoFactorAuthenticationCaption) {
$this->twoFactorAuthenticationCaption = $twoFactorAuthenticationCaption;
}
} }

18
lam/lib/selfService.inc
View File

@ -1,4 +1,5 @@
<?PHP <?php
use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
/* /*
$Id$ $Id$
@ -31,9 +32,11 @@ $Id$
*/ */
/** modules */ /** modules */
include_once("modules.inc"); include_once "modules.inc";
/** account types */ /** account types */
include_once("types.inc"); include_once "types.inc";
/** 2-factor */
include_once '2factor.inc';
/** /**
* Returns if this is a LAM Pro installation. * Returns if this is a LAM Pro installation.
@ -302,11 +305,6 @@ function isSelfService() {
*/ */
class selfServiceProfile { class selfServiceProfile {
/** 2factor authentication disabled */
const TWO_FACTOR_NONE = 'none';
/** 2factor authentication via privacyIDEA */
const TWO_FACTOR_PRIVACYIDEA = 'privacyidea';
/** server address */ /** server address */
public $serverURL; public $serverURL;
@ -381,7 +379,7 @@ class selfServiceProfile {
public $timeZone = 'Europe/London'; public $timeZone = 'Europe/London';
public $twoFactorAuthentication = selfServiceProfile::TWO_FACTOR_NONE; public $twoFactorAuthentication = TwoFactorProviderService::TWO_FACTOR_NONE;
public $twoFactorAuthenticationURL = 'https://localhost'; public $twoFactorAuthenticationURL = 'https://localhost';
public $twoFactorAuthenticationInsecure = false; public $twoFactorAuthenticationInsecure = false;
public $twoFactorAuthenticationLabel = null; public $twoFactorAuthenticationLabel = null;
@ -425,7 +423,7 @@ class selfServiceProfile {
$this->enforceLanguage = true; $this->enforceLanguage = true;
$this->followReferrals = 0; $this->followReferrals = 0;
$this->timeZone = 'Europe/London'; $this->timeZone = 'Europe/London';
$this->twoFactorAuthentication = selfServiceProfile::TWO_FACTOR_NONE; $this->twoFactorAuthentication = TwoFactorProviderService::TWO_FACTOR_NONE;
$this->twoFactorAuthenticationURL = 'https://localhost'; $this->twoFactorAuthenticationURL = 'https://localhost';
$this->twoFactorAuthenticationInsecure = false; $this->twoFactorAuthenticationInsecure = false;
$this->twoFactorAuthenticationLabel = null; $this->twoFactorAuthenticationLabel = null;

58
lam/templates/config/confmain.php
View File

@ -1,9 +1,10 @@
<?php <?php
use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
/* /*
$Id$ $Id$
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2016 Roland Gruber Copyright (C) 2003 - 2017 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -37,6 +38,8 @@ include_once("../../lib/config.inc");
include_once("../../lib/modules.inc"); include_once("../../lib/modules.inc");
/** access to tools */ /** access to tools */
include_once("../../lib/tools.inc"); include_once("../../lib/tools.inc");
/** 2-factor */
include_once '../../lib/2facto.inc';
// start session // start session
if (strtolower(session_module_name()) == 'files') { if (strtolower(session_module_name()) == 'files') {
@ -523,8 +526,40 @@ $searchPasswordInput->setIsPassword(true);
$securitySettingsContent->addElement($searchPasswordInput, true); $securitySettingsContent->addElement($searchPasswordInput, true);
// HTTP authentication // HTTP authentication
$securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('httpAuthentication', ($conf->getHttpAuthentication() == 'true'), _('HTTP authentication'), '223', true), true); $securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('httpAuthentication', ($conf->getHttpAuthentication() == 'true'), _('HTTP authentication'), '223', true), true);
$securitySettingsContent->addElement(new htmlSpacer(null, '10px'), true); $securitySettingsContent->addElement(new htmlSpacer(null, '30px'), true);
// 2factor authentication
if (extension_loaded('curl')) {
$securitySettingsContent->addElement(new htmlSubTitle(_("2-factor authentication")), true);
$twoFactorOptions = array(
_('None') => TwoFactorProviderService::TWO_FACTOR_NONE,
_('privacyIDEA') => TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA,
);
$twoFactorSelect = new htmlTableExtendedSelect('twoFactor', $twoFactorOptions, array($conf->getTwoFactorAuthentication()), _('Provider'), '514');
$twoFactorSelect->setHasDescriptiveElements(true);
$twoFactorSelect->setTableRowsToHide(array(
TwoFactorProviderService::TWO_FACTOR_NONE => array('twoFactorURL', 'twoFactorInsecure', 'twoFactorLabel', 'twoFactorOptional', 'twoFactorCaption')
));
$twoFactorSelect->setTableRowsToShow(array(
TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA => array('twoFactorURL', 'twoFactorInsecure', 'twoFactorLabel', 'twoFactorOptional', 'twoFactorCaption')
));
$securitySettingsContent->addElement($twoFactorSelect, true);
$twoFactorUrl = new htmlTableExtendedInputField(_("Base URL"), 'twoFactorURL', $conf->getTwoFactorAuthenticationURL(), '515');
$twoFactorUrl->setRequired(true);
$securitySettingsContent->addElement($twoFactorUrl, true);
$twoFactorLabel = new htmlTableExtendedInputField(_("Label"), 'twoFactorLabel', $conf->getTwoFactorAuthenticationLabel(), '517');
$securitySettingsContent->addElement($twoFactorLabel, true);
$securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('twoFactorOptional', $conf->getTwoFactorAuthenticationOptional(), _('Optional'), '519'), true);
$securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('twoFactorInsecure', $conf->getTwoFactorAuthenticationInsecure(), _('Disable certificate check'), '516'), true);
$securitySettingsContent->addElement(new htmlSpacer(null, '5px'), true);
$twoFactorCaption = new htmlTableExtendedInputTextarea('twoFactorCaption', $conf->getTwoFactorAuthenticationCaption(), '80', '4', _("Caption"), '518');
$twoFactorCaption->setIsRichEdit(true);
$twoFactorCaption->alignment = htmlElement::ALIGN_TOP;
$securitySettingsContent->addElement($twoFactorCaption, true);
}
// new password // new password
$securitySettingsContent->addElement(new htmlSubTitle(_("Profile password")), true);
$password1 = new htmlTableExtendedInputField(_("New password"), 'passwd1', null, '212'); $password1 = new htmlTableExtendedInputField(_("New password"), 'passwd1', null, '212');
$password1->setIsPassword(true); $password1->setIsPassword(true);
$password2 = new htmlTableExtendedInputField(_("Reenter password"), 'passwd2'); $password2 = new htmlTableExtendedInputField(_("Reenter password"), 'passwd2');
@ -551,10 +586,12 @@ $buttonContainer->addElement($cancelButton, true);
$buttonContainer->addElement(new htmlSpacer(null, '10px'), true); $buttonContainer->addElement(new htmlSpacer(null, '10px'), true);
parseHtml(null, $buttonContainer, array(), false, $tabindex, 'user'); parseHtml(null, $buttonContainer, array(), false, $tabindex, 'user');
echo "</form>\n"; ?>
echo "</body>\n"; </form>
echo "</html>\n"; <script type="text/javascript" src="../lib/extra/ckeditor/ckeditor.js"></script>
</body>
</html>
<?php
/** /**
* Checks user input and saves the entered settings. * Checks user input and saves the entered settings.
@ -711,6 +748,15 @@ function checkInput() {
} }
} }
$conf->setToolSettings($toolSettings); $conf->setToolSettings($toolSettings);
// 2-factor
if (extension_loaded('curl')) {
$conf->setTwoFactorAuthentication($_POST['twoFactor']);
$conf->setTwoFactorAuthenticationURL($_POST['twoFactorURL']);
$conf->setTwoFactorAuthenticationInsecure(isset($_POST['twoFactorInsecure']) && ($_POST['twoFactorInsecure'] == 'on'));
$conf->setTwoFactorAuthenticationLabel($_POST['twoFactorLabel']);
$conf->setTwoFactorAuthenticationOptional(isset($_POST['twoFactorOptional']) && ($_POST['twoFactorOptional'] == 'on'));
$conf->setTwoFactorAuthenticationCaption(str_replace(array("\r", "\n"), array('', ''), $_POST['twoFactorCaption']));
}
// check if password was changed // check if password was changed
if (isset($_POST['passwd1']) && ($_POST['passwd1'] != '')) { if (isset($_POST['passwd1']) && ($_POST['passwd1'] != '')) {
if ($_POST['passwd1'] != $_POST['passwd2']) { if ($_POST['passwd1'] != $_POST['passwd2']) {