Merge pull request #24 from LDAPAccountManager/2factor_auth
2factor auth
|
@ -4,15 +4,13 @@
|
|||
<chapter id="a_configuration">
|
||||
<title>Configuration</title>
|
||||
|
||||
<para>After you <link linkend="a_installation">installed</link> LAM you
|
||||
can configure it to fit your needs. The complete configuration can be done
|
||||
inside the application. There is no need to edit configuration
|
||||
files.</para>
|
||||
<para>After you <link linkend="a_installation">installed</link> LAM you can
|
||||
configure it to fit your needs. The complete configuration can be done
|
||||
inside the application. There is no need to edit configuration files.</para>
|
||||
|
||||
<para>Please point you browser to the location where you installed LAM.
|
||||
E.g. for Debian/RPM this is http://yourServer/lam. If you installed LAM
|
||||
via the tar.bz2 then this may vary. You should see the following
|
||||
page:</para>
|
||||
<para>Please point you browser to the location where you installed LAM. E.g.
|
||||
for Debian/RPM this is http://yourServer/lam. If you installed LAM via the
|
||||
tar.bz2 then this may vary. You should see the following page:</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -23,8 +21,8 @@
|
|||
</screenshot>
|
||||
|
||||
<para>If you see an error message then you might need to install an
|
||||
additional PHP extension. Please follow the instructions and reload the
|
||||
page afterwards.</para>
|
||||
additional PHP extension. Please follow the instructions and reload the page
|
||||
afterwards.</para>
|
||||
|
||||
<para>Now you are ready to configure LAM. Click on the "LAM configuration"
|
||||
link to proceed.</para>
|
||||
|
@ -37,18 +35,18 @@
|
|||
</mediaobject>
|
||||
</screenshot>
|
||||
|
||||
<para>Here you can change LAM's general settings, setup server profiles
|
||||
for your LDAP server(s) and configure the <link
|
||||
linkend="a_selfService">self service</link> (LAM Pro). You should start
|
||||
with the general settings and then setup a server profile.</para>
|
||||
<para>Here you can change LAM's general settings, setup server profiles for
|
||||
your LDAP server(s) and configure the <link linkend="a_selfService">self
|
||||
service</link> (LAM Pro). You should start with the general settings and
|
||||
then setup a server profile.</para>
|
||||
|
||||
<section id="generalSettings">
|
||||
<title>General settings</title>
|
||||
|
||||
<para>After selecting "Edit general settings" you will need to enter the
|
||||
<link linkend="a_configPasswords">master configuration password</link>.
|
||||
The default password for new installations is "lam". Now you can edit
|
||||
the general settings.</para>
|
||||
The default password for new installations is "lam". Now you can edit the
|
||||
general settings.</para>
|
||||
|
||||
<section>
|
||||
<title>License (LAM Pro only)</title>
|
||||
|
@ -80,9 +78,9 @@
|
|||
|
||||
<para>You may also set a list of IP addresses which are allowed to
|
||||
access LAM. The IPs can be specified as full IP (e.g. 123.123.123.123)
|
||||
or with the "*" wildcard (e.g. 123.123.123.*). Users which try to
|
||||
access LAM via an untrusted IP only get blank pages. There is a
|
||||
separate field for LAM Pro self service.</para>
|
||||
or with the "*" wildcard (e.g. 123.123.123.*). Users which try to access
|
||||
LAM via an untrusted IP only get blank pages. There is a separate field
|
||||
for LAM Pro self service.</para>
|
||||
|
||||
<para id="sessionEncryption">Session encryption will encrypt sensitive
|
||||
data like passwords in your session files. This is only available when
|
||||
|
@ -102,17 +100,17 @@
|
|||
<para id="conf_sslCert"><emphasis role="bold">SSL certificate
|
||||
setup:</emphasis></para>
|
||||
|
||||
<para>By default, LAM uses the CA certificates that are preinstalled
|
||||
on your system. This will work if you connect via SSL/TLS to an LDAP
|
||||
server that uses a certificate signed by a well-known CA. In case you
|
||||
use your own CA (e.g. company internal CA) you can import the CA
|
||||
certificates here.</para>
|
||||
<para>By default, LAM uses the CA certificates that are preinstalled on
|
||||
your system. This will work if you connect via SSL/TLS to an LDAP server
|
||||
that uses a certificate signed by a well-known CA. In case you use your
|
||||
own CA (e.g. company internal CA) you can import the CA certificates
|
||||
here.</para>
|
||||
|
||||
<para>Please note that this can affect other web applications on the
|
||||
same server if they require different certificates. There seem to be
|
||||
problems on Debian systems and you may also need to restart Apache. In
|
||||
case of any problems please delete the uploaded certificates and use
|
||||
the <link linkend="ssl_certSystem">system setup</link>.</para>
|
||||
case of any problems please delete the uploaded certificates and use the
|
||||
<link linkend="ssl_certSystem">system setup</link>.</para>
|
||||
|
||||
<para>You can either upload a DER/PEM formatted certificate file or
|
||||
import the certificates directly from an LDAP server that is available
|
||||
|
@ -137,10 +135,10 @@
|
|||
<section>
|
||||
<title>Password policy</title>
|
||||
|
||||
<para>This allows you to specify a central password policy for LAM.
|
||||
The policy is valid for all password fields inside LAM admin
|
||||
(excluding tree view) and LAM self service. Configuration passwords do
|
||||
not need to follow this policy.</para>
|
||||
<para>This allows you to specify a central password policy for LAM. The
|
||||
policy is valid for all password fields inside LAM admin (excluding tree
|
||||
view) and LAM self service. Configuration passwords do not need to
|
||||
follow this policy.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -150,23 +148,22 @@
|
|||
</mediaobject>
|
||||
</screenshot>
|
||||
|
||||
<para>You can set the minimum password length and also the complexity
|
||||
of the passwords.</para>
|
||||
<para>You can set the minimum password length and also the complexity of
|
||||
the passwords.</para>
|
||||
</section>
|
||||
|
||||
<section id="conf_logging">
|
||||
<title>Logging</title>
|
||||
|
||||
<para>LAM can log events (e.g. user logins). You can use system
|
||||
logging (syslog for Unix, event viewer for Windows) or log to a
|
||||
separate file. Please note that LAM may log sensitive data (e.g.
|
||||
passwords) at log level "Debug". Production systems should be set to
|
||||
"Warning" or "Error".</para>
|
||||
<para>LAM can log events (e.g. user logins). You can use system logging
|
||||
(syslog for Unix, event viewer for Windows) or log to a separate file.
|
||||
Please note that LAM may log sensitive data (e.g. passwords) at log
|
||||
level "Debug". Production systems should be set to "Warning" or
|
||||
"Error".</para>
|
||||
|
||||
<para>The PHP error reporting is only for developers. By default LAM
|
||||
does not show PHP notice messages in the web pages. You can select to
|
||||
use the php.ini setting here or printing all errors and
|
||||
notices.</para>
|
||||
use the php.ini setting here or printing all errors and notices.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -180,8 +177,7 @@
|
|||
<section>
|
||||
<title>Additional options</title>
|
||||
|
||||
<para id="mailEOL"><emphasis role="bold">Email
|
||||
format</emphasis></para>
|
||||
<para id="mailEOL"><emphasis role="bold">Email format</emphasis></para>
|
||||
|
||||
<para>Some email servers are not standards compatible. If you receive
|
||||
mails that look broken you can change the line endings for sent mails
|
||||
|
@ -189,8 +185,7 @@
|
|||
|
||||
<para>At the moment, this option is only available in LAM Pro as there
|
||||
is no mail sending in the free version. See <link
|
||||
linkend="mailSetup">here</link> for setting up your SMTP
|
||||
server.</para>
|
||||
linkend="mailSetup">here</link> for setting up your SMTP server.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -204,8 +199,8 @@
|
|||
<section>
|
||||
<title>Change master password</title>
|
||||
|
||||
<para>If you would like to change the master configuration password
|
||||
then enter a new password here.</para>
|
||||
<para>If you would like to change the master configuration password then
|
||||
enter a new password here.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -240,13 +235,13 @@
|
|||
</mediaobject>
|
||||
</screenshot>
|
||||
|
||||
<para>Here you can create, rename and delete server profiles. The
|
||||
<link linkend="a_configPasswords">passwords</link> of your server
|
||||
profiles can also be reset.</para>
|
||||
<para>Here you can create, rename and delete server profiles. The <link
|
||||
linkend="a_configPasswords">passwords</link> of your server profiles can
|
||||
also be reset.</para>
|
||||
|
||||
<para>You may also specify the default server profile. This is the
|
||||
server profile which is preselected at the login page. It also
|
||||
specifies the language of the login and configuration pages.</para>
|
||||
server profile which is preselected at the login page. It also specifies
|
||||
the language of the login and configuration pages.</para>
|
||||
|
||||
<para><emphasis role="bold">Templates for new server
|
||||
profiles</emphasis></para>
|
||||
|
@ -287,15 +282,14 @@
|
|||
|
||||
<para>All operations on the profile management page require that you
|
||||
authenticate yourself with the <link
|
||||
linkend="a_configPasswords">configuration master
|
||||
password</link>.</para>
|
||||
linkend="a_configPasswords">configuration master password</link>.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Editing a server profile</title>
|
||||
|
||||
<para>Please select you server profile and enter its password to edit
|
||||
a server profile.</para>
|
||||
<para>Please select you server profile and enter its password to edit a
|
||||
server profile.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -316,8 +310,8 @@
|
|||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Account types:</emphasis> list of
|
||||
account types (e.g. users and groups) that you would like to
|
||||
manage and type specific settings (e.g. LDAP suffix)</para>
|
||||
account types (e.g. users and groups) that you would like to manage
|
||||
and type specific settings (e.g. LDAP suffix)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
@ -353,17 +347,17 @@
|
|||
specified with ldaps://. The port value is optional. TLS cannot be
|
||||
combined with ldaps://.</para>
|
||||
|
||||
<para>Hint: If you use a master/slave setup with referrals then
|
||||
point LAM to your master server. Due to bugs in the underlying LDAP
|
||||
<para>Hint: If you use a master/slave setup with referrals then point
|
||||
LAM to your master server. Due to bugs in the underlying LDAP
|
||||
libraries pointing to a slave might cause issues on write
|
||||
operations.</para>
|
||||
|
||||
<para>LAM includes an LDAP browser which allows direct modification
|
||||
of LDAP entries. If you would like to use it then enter the LDAP
|
||||
suffix at "Tree suffix".</para>
|
||||
<para>LAM includes an LDAP browser which allows direct modification of
|
||||
LDAP entries. If you would like to use it then enter the LDAP suffix
|
||||
at "Tree suffix".</para>
|
||||
|
||||
<para>The search limit is used to reduce the number of search
|
||||
results which are returned by your LDAP server.</para>
|
||||
<para>The search limit is used to reduce the number of search results
|
||||
which are returned by your LDAP server.</para>
|
||||
|
||||
<para>The access level specifies if LAM should allow to modify LDAP
|
||||
entries. This feature is only available in LAM Pro. LAM non-Pro
|
||||
|
@ -373,8 +367,8 @@
|
|||
|
||||
<para><emphasis role="bold">Advanced options</emphasis></para>
|
||||
|
||||
<para>Sometimes, you may not want to display the server address on
|
||||
the login page. In this case you can setup a display name here (e.g.
|
||||
<para>Sometimes, you may not want to display the server address on the
|
||||
login page. In this case you can setup a display name here (e.g.
|
||||
"Production").</para>
|
||||
|
||||
<para>By default LAM will not follow LDAP referrals. This is ok for
|
||||
|
@ -402,14 +396,14 @@
|
|||
</mediaobject>
|
||||
</screenshot>
|
||||
|
||||
<para>LAM can manage user home directories and quotas with an
|
||||
external script. You can specify the home directory server and where
|
||||
the script is located. The default rights for new home directories
|
||||
can be set, too.</para>
|
||||
<para>LAM can manage user home directories and quotas with an external
|
||||
script. You can specify the home directory server and where the script
|
||||
is located. The default rights for new home directories can be set,
|
||||
too.</para>
|
||||
|
||||
<para>You can provide a fixed user name. If you leave the field
|
||||
empty then LAM will use your current account (the account you used
|
||||
to login to LAM).</para>
|
||||
<para>You can provide a fixed user name. If you leave the field empty
|
||||
then LAM will use your current account (the account you used to login
|
||||
to LAM).</para>
|
||||
|
||||
<para>There are two possibilities to connect to your home
|
||||
directory/quota server:</para>
|
||||
|
@ -424,8 +418,8 @@
|
|||
|
||||
<listitem>
|
||||
<para>Password: If you do not set a SSH key then LAM will try to
|
||||
connect with your current account (the password you used to
|
||||
login to LAM).</para>
|
||||
connect with your current account (the password you used to login
|
||||
to LAM).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
|
@ -437,9 +431,9 @@
|
|||
</mediaobject>
|
||||
</screenshot>
|
||||
|
||||
<para id="profile_mail">LAM Pro users may directly set passwords
|
||||
from list view. You can configure if it should be possible to set
|
||||
specific passwords and showing password on screen is allowed.</para>
|
||||
<para id="profile_mail">LAM Pro users may directly set passwords from
|
||||
list view. You can configure if it should be possible to set specific
|
||||
passwords and showing password on screen is allowed.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -452,9 +446,9 @@
|
|||
<para>LAM Pro users can send out changed passwords to their users.
|
||||
Here you can specify the options for these mails.</para>
|
||||
|
||||
<para>If you select "Allow alternate address" then password mails
|
||||
can be sent to any address (e.g. a secondary address if the user
|
||||
account is also bound to the mailbox).</para>
|
||||
<para>If you select "Allow alternate address" then password mails can
|
||||
be sent to any address (e.g. a secondary address if the user account
|
||||
is also bound to the mailbox).</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -464,7 +458,17 @@
|
|||
</mediaobject>
|
||||
</screenshot>
|
||||
|
||||
<para>LAM supports two methods for login.</para>
|
||||
<para>LAM supports two methods for login:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Fixed list</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>LDAP search</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -479,26 +483,25 @@
|
|||
|
||||
<para>The second one is to let LAM search for the DN in your
|
||||
directory. E.g. if a user logs in with the user name "joe" then LAM
|
||||
will do an LDAP search for this user name. When it finds a matching
|
||||
DN then it will use this to authenticate the user. The wildcard
|
||||
"%USER%" will be replaced by "joe" in this example. This way you can
|
||||
provide login by user name, email address or other LDAP
|
||||
attributes.</para>
|
||||
will do an LDAP search for this user name. When it finds a matching DN
|
||||
then it will use this to authenticate the user. The wildcard "%USER%"
|
||||
will be replaced by "joe" in this example. This way you can provide
|
||||
login by user name, email address or other LDAP attributes.</para>
|
||||
|
||||
<para>Additionally, you can enable HTTP authentication when using
|
||||
"LDAP search". This way the web server is responsible to
|
||||
authenticate your users. LAM will use the given user name + password
|
||||
for the LDAP login. You can also configure this to setup advanced
|
||||
login restrictions (e.g. require group memberships for login). To
|
||||
setup HTTP authentication in Apache please see this <ulink
|
||||
"LDAP search". This way the web server is responsible to authenticate
|
||||
your users. LAM will use the given user name + password for the LDAP
|
||||
login. You can also configure this to setup advanced login
|
||||
restrictions (e.g. require group memberships for login). To setup HTTP
|
||||
authentication in Apache please see this <ulink
|
||||
url="http://httpd.apache.org/docs/2.2/howto/auth.html">link</ulink>
|
||||
and an example for LDAP authentication <link lang=""
|
||||
linkend="apache_http_auth">here</link>.</para>
|
||||
|
||||
<para><emphasis role="bold">Hint:</emphasis> LDAP search with group
|
||||
membership check can be done with either <link
|
||||
linkend="apache_http_auth">HTTP authentication</link> or LDAP
|
||||
overlays like <ulink
|
||||
linkend="apache_http_auth">HTTP authentication</link> or LDAP overlays
|
||||
like <ulink
|
||||
url="http://www.openldap.org/doc/admin24/overlays.html">"memberOf"</ulink>
|
||||
or <ulink
|
||||
url="http://www.openldap.org/doc/admin24/overlays.html">"Dynamic
|
||||
|
@ -514,8 +517,60 @@
|
|||
</mediaobject>
|
||||
</screenshot>
|
||||
|
||||
<para>You may also change the password of this server profile.
|
||||
Please just enter the new password in both password fields.</para>
|
||||
<para><emphasis role="bold">2-factor authentication</emphasis></para>
|
||||
|
||||
<para>LAM supports 2-factor authentication for your users. This means
|
||||
the user will not only authenticate by user+password but also with
|
||||
e.g. a token generated by a mobile device. This adds more security
|
||||
because the token is generated on a physically separated device
|
||||
(typically mobile phone).</para>
|
||||
|
||||
<para>The token is validated by a second application. LAM currently
|
||||
supports:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para><ulink
|
||||
url="https://www.privacyidea.org/">privacyIdea</ulink></para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>By default LAM will enforce to use a token and reject users that
|
||||
did not setup one. You can set this check to optional. But if a user
|
||||
has setup a token then this will always be required.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata fileref="images/configProfiles11.png" />
|
||||
</imageobject>
|
||||
</mediaobject>
|
||||
</screenshot>
|
||||
|
||||
<para>After logging in with user + password LAM will ask for the 2nd
|
||||
factor. If the user has setup multiple factors then he can choose one
|
||||
of them.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata fileref="images/configProfiles12.png" />
|
||||
</imageobject>
|
||||
</mediaobject>
|
||||
</screenshot>
|
||||
|
||||
<para><emphasis role="bold">Password</emphasis></para>
|
||||
|
||||
<para>You may also change the password of this server profile. Please
|
||||
just enter the new password in both password fields.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
<imageobject>
|
||||
<imagedata fileref="images/configProfiles13.png" />
|
||||
</imageobject>
|
||||
</mediaobject>
|
||||
</screenshot>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|
@ -545,18 +600,18 @@
|
|||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">List attributes:</emphasis> a list
|
||||
of attributes which are shown in the account lists</para>
|
||||
<para><emphasis role="bold">List attributes:</emphasis> a list of
|
||||
attributes which are shown in the account lists</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Additional LDAP filter:</emphasis>
|
||||
LAM will automatically detect the right LDAP entries for each
|
||||
account type. This can be used to further limit the number of
|
||||
visible entries (e.g. if you want to manage only some specific
|
||||
groups). You can use "@@LOGIN_DN@@" as wildcard (e.g.
|
||||
"(owner=@@LOGIN_DN@@)"). It will be replaced by the DN of the
|
||||
user who is logged in.</para>
|
||||
<para><emphasis role="bold">Additional LDAP filter:</emphasis> LAM
|
||||
will automatically detect the right LDAP entries for each account
|
||||
type. This can be used to further limit the number of visible
|
||||
entries (e.g. if you want to manage only some specific groups).
|
||||
You can use "@@LOGIN_DN@@" as wildcard (e.g.
|
||||
"(owner=@@LOGIN_DN@@)"). It will be replaced by the DN of the user
|
||||
who is logged in.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
@ -569,32 +624,32 @@
|
|||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Read-only (LAM Pro only):</emphasis>
|
||||
This allows to set a single account type to read-only mode.
|
||||
Please note that this is a restriction on functional level (e.g.
|
||||
group memberships can be changed on user page even if groups are
|
||||
This allows to set a single account type to read-only mode. Please
|
||||
note that this is a restriction on functional level (e.g. group
|
||||
memberships can be changed on user page even if groups are
|
||||
read-only) and is no replacement for setting up proper ACLs on
|
||||
your LDAP server.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Custom label:</emphasis> Here you
|
||||
can set a custom label for the account types. Use this if the
|
||||
standard label does not fit for you (e.g. enter "Servers" for
|
||||
<para><emphasis role="bold">Custom label:</emphasis> Here you can
|
||||
set a custom label for the account types. Use this if the standard
|
||||
label does not fit for you (e.g. enter "Servers" for
|
||||
hosts).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">No new entries (LAM Pro
|
||||
only):</emphasis> Use this if you want to prevent that new
|
||||
accounts of this type are created by your users. The GUI will
|
||||
hide buttons to create new entries and also disable file upload
|
||||
for this type.</para>
|
||||
accounts of this type are created by your users. The GUI will hide
|
||||
buttons to create new entries and also disable file upload for
|
||||
this type.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><emphasis role="bold">Disallow delete (LAM Pro
|
||||
only):</emphasis> Use this if you want to prevent that accounts
|
||||
of this type are deleted by your users.</para>
|
||||
only):</emphasis> Use this if you want to prevent that accounts of
|
||||
this type are deleted by your users.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
|
@ -613,9 +668,9 @@
|
|||
<section>
|
||||
<title>Modules</title>
|
||||
|
||||
<para>The modules specify the active extensions for each account
|
||||
type. E.g. here you can setup if your user entries should be address
|
||||
book entries only or also support Unix or Samba.</para>
|
||||
<para>The modules specify the active extensions for each account type.
|
||||
E.g. here you can setup if your user entries should be address book
|
||||
entries only or also support Unix or Samba.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -640,9 +695,9 @@
|
|||
|
||||
<para>Depending on the activated account modules there may be
|
||||
additional configuration options available. They can be found on the
|
||||
"Module settings" tab. E.g. the Personal account module allows to
|
||||
hide several input fields and the Unix module requires to specify
|
||||
ranges for UID numbers.</para>
|
||||
"Module settings" tab. E.g. the Personal account module allows to hide
|
||||
several input fields and the Unix module requires to specify ranges
|
||||
for UID numbers.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -657,8 +712,8 @@
|
|||
<section>
|
||||
<title>Cron jobs (LAM Pro)</title>
|
||||
|
||||
<para>LAM Pro can execute common tasks via cron job. This can be used
|
||||
to e.g. notify your users before their passwords expire.</para>
|
||||
<para>LAM Pro can execute common tasks via cron job. This can be used to
|
||||
e.g. notify your users before their passwords expire.</para>
|
||||
|
||||
<section>
|
||||
<title>LDAP and database configuration</title>
|
||||
|
@ -673,8 +728,8 @@
|
|||
<para><emphasis role="bold">SQLite</emphasis></para>
|
||||
|
||||
<para>This is a simple file based database. It needs no special
|
||||
database server. The database file will be located next to the
|
||||
server profile in config directory.</para>
|
||||
database server. The database file will be located next to the server
|
||||
profile in config directory.</para>
|
||||
|
||||
<para>You will need to install the SQLite PDO module for PHP
|
||||
(pdo_sqlite.so). For Debian this is located in package
|
||||
|
@ -722,15 +777,15 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<para><literallayout>
|
||||
</literallayout><emphasis role="bold">Test your settings</emphasis></para>
|
||||
|
||||
<para>After the LDAP and database settings are done you can test
|
||||
your settings.</para>
|
||||
<para>After the LDAP and database settings are done you can test your
|
||||
settings.</para>
|
||||
|
||||
<para><emphasis role="bold">Cron entry</emphasis></para>
|
||||
|
||||
<para>LAM also prints the crontab line that you need to run the
|
||||
configured jobs on a daily basis. The command must be run as the
|
||||
same user as your webserver is running. You are free to change the
|
||||
starting time of the script or run it more often.</para>
|
||||
configured jobs on a daily basis. The command must be run as the same
|
||||
user as your webserver is running. You are free to change the starting
|
||||
time of the script or run it more often.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|
@ -738,12 +793,12 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
|
||||
<para>To add a new job just click on the "Add job" button and select
|
||||
the job type you need. The list of available jobs depends on your
|
||||
active account modules. E.g. the PPolicy job will only be available
|
||||
if you activated PPolicy user module.</para>
|
||||
active account modules. E.g. the PPolicy job will only be available if
|
||||
you activated PPolicy user module.</para>
|
||||
|
||||
<para>Depending on the job type jobs may be added multiple times
|
||||
with different configurations. For descriptions about the available
|
||||
job types see next chapters.</para>
|
||||
<para>Depending on the job type jobs may be added multiple times with
|
||||
different configurations. For descriptions about the available job
|
||||
types see next chapters.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -760,25 +815,25 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
password expires.</para>
|
||||
|
||||
<para>You need to activate the PPolicy module for users to be able
|
||||
to add this job. The job can be added multiple times (e.g. to send
|
||||
a second warning at a later time).</para>
|
||||
to add this job. The job can be added multiple times (e.g. to send a
|
||||
second warning at a later time).</para>
|
||||
|
||||
<para>LAM calculates the expiration date based on the last
|
||||
password change and the assigned password policy (or the default
|
||||
policy) using attributes pwdMaxAge and pwdExpireWarning.</para>
|
||||
<para>LAM calculates the expiration date based on the last password
|
||||
change and the assigned password policy (or the default policy)
|
||||
using attributes pwdMaxAge and pwdExpireWarning.</para>
|
||||
|
||||
<para>Examples:</para>
|
||||
|
||||
<para>Warning time (pwdExpireWarning) = 14 days, notification
|
||||
period = 10: LAM will send out the email 24 days before the
|
||||
password expires</para>
|
||||
<para>Warning time (pwdExpireWarning) = 14 days, notification period
|
||||
= 10: LAM will send out the email 24 days before the password
|
||||
expires</para>
|
||||
|
||||
<para>Warning time (pwdExpireWarning) = 14 days, notification
|
||||
period = 0: LAM will send out the email 14 days before the
|
||||
password expires</para>
|
||||
<para>Warning time (pwdExpireWarning) = 14 days, notification period
|
||||
= 0: LAM will send out the email 14 days before the password
|
||||
expires</para>
|
||||
|
||||
<para>No warning time (pwdExpireWarning), notification period =
|
||||
10: LAM will send out the email 10 days before the password
|
||||
<para>No warning time (pwdExpireWarning), notification period = 10:
|
||||
LAM will send out the email 10 days before the password
|
||||
expires</para>
|
||||
|
||||
<screenshot>
|
||||
|
@ -797,8 +852,7 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<row>
|
||||
<entry><emphasis role="bold">Option</emphasis></entry>
|
||||
|
||||
<entry><emphasis
|
||||
role="bold">Description</emphasis></entry>
|
||||
<entry><emphasis role="bold">Description</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -859,12 +913,12 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<para>Wildcards:</para>
|
||||
|
||||
<para>You can enter LDAP attributes as wildcards in the form
|
||||
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use
|
||||
"@@cn@@". For the common name it would be "@@cn@@".</para>
|
||||
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@".
|
||||
For the common name it would be "@@cn@@".</para>
|
||||
|
||||
<para>There are also two special wildcards for the expiration
|
||||
date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g.
|
||||
"31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
|
||||
<para>There are also two special wildcards for the expiration date.
|
||||
@@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016".
|
||||
@@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
|
||||
"2016-12-31".</para>
|
||||
</section>
|
||||
|
||||
|
@ -952,12 +1006,12 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<para>Wildcards:</para>
|
||||
|
||||
<para>You can enter LDAP attributes as wildcards in the form
|
||||
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use
|
||||
"@@cn@@". For the common name it would be "@@cn@@".</para>
|
||||
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@".
|
||||
For the common name it would be "@@cn@@".</para>
|
||||
|
||||
<para>There are also two special wildcards for the expiration
|
||||
date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g.
|
||||
"31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
|
||||
<para>There are also two special wildcards for the expiration date.
|
||||
@@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016".
|
||||
@@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
|
||||
"2016-12-31".</para>
|
||||
</section>
|
||||
|
||||
|
@ -967,21 +1021,21 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<para>This will send your users an email reminder before their
|
||||
password expires.</para>
|
||||
|
||||
<para>You need to activate the Shadow module for users to be able
|
||||
to add this job. The job can be added multiple times (e.g. to send
|
||||
a second warning at a later time).</para>
|
||||
<para>You need to activate the Shadow module for users to be able to
|
||||
add this job. The job can be added multiple times (e.g. to send a
|
||||
second warning at a later time).</para>
|
||||
|
||||
<para>LAM calculates the expiration date based on the last
|
||||
password change, the password warning time (attribute
|
||||
"shadowWarning") and the specified notification period.</para>
|
||||
<para>LAM calculates the expiration date based on the last password
|
||||
change, the password warning time (attribute "shadowWarning") and
|
||||
the specified notification period.</para>
|
||||
|
||||
<para>Examples:</para>
|
||||
|
||||
<para>Warning time = 14, notification period = 10: LAM will send
|
||||
out the email 24 days before the password expires</para>
|
||||
<para>Warning time = 14, notification period = 10: LAM will send out
|
||||
the email 24 days before the password expires</para>
|
||||
|
||||
<para>Warning time = 14, notification period = 0: LAM will send
|
||||
out the email 14 days before the password expires</para>
|
||||
<para>Warning time = 14, notification period = 0: LAM will send out
|
||||
the email 14 days before the password expires</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -999,8 +1053,7 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<row>
|
||||
<entry><emphasis role="bold">Option</emphasis></entry>
|
||||
|
||||
<entry><emphasis
|
||||
role="bold">Description</emphasis></entry>
|
||||
<entry><emphasis role="bold">Description</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -1054,21 +1107,21 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<para>Wildcards:</para>
|
||||
|
||||
<para>You can enter LDAP attributes as wildcards in the form
|
||||
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use
|
||||
"@@cn@@". For the common name it would be "@@cn@@".</para>
|
||||
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@".
|
||||
For the common name it would be "@@cn@@".</para>
|
||||
|
||||
<para>There are also two special wildcards for the expiration
|
||||
date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g.
|
||||
"31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
|
||||
<para>There are also two special wildcards for the expiration date.
|
||||
@@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016".
|
||||
@@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
|
||||
"2016-12-31".</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Shadow: Delete or move expired accounts</title>
|
||||
|
||||
<para>You can automatically delete or move expired accounts. The
|
||||
job checks Shadow account expiration dates (not password
|
||||
expiration dates).</para>
|
||||
<para>You can automatically delete or move expired accounts. The job
|
||||
checks Shadow account expiration dates (not password expiration
|
||||
dates).</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -1086,8 +1139,7 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<row>
|
||||
<entry><emphasis role="bold">Option</emphasis></entry>
|
||||
|
||||
<entry><emphasis
|
||||
role="bold">Description</emphasis></entry>
|
||||
<entry><emphasis role="bold">Description</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -1121,11 +1173,11 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
password expires.</para>
|
||||
|
||||
<para>You need to activate the Windows module for users to be able
|
||||
to add this job. The job can be added multiple times (e.g. to send
|
||||
a second warning at a later time).</para>
|
||||
to add this job. The job can be added multiple times (e.g. to send a
|
||||
second warning at a later time).</para>
|
||||
|
||||
<para>LAM calculates the expiration date based on the last
|
||||
password change and the domain policy.</para>
|
||||
<para>LAM calculates the expiration date based on the last password
|
||||
change and the domain policy.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -1143,8 +1195,7 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<row>
|
||||
<entry><emphasis role="bold">Option</emphasis></entry>
|
||||
|
||||
<entry><emphasis
|
||||
role="bold">Description</emphasis></entry>
|
||||
<entry><emphasis role="bold">Description</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -1198,20 +1249,19 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<para>Wildcards:</para>
|
||||
|
||||
<para>You can enter LDAP attributes as wildcards in the form
|
||||
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use
|
||||
"@@cn@@". For the common name it would be "@@cn@@".</para>
|
||||
@@ATTRIBUTE_NAME@@. E.g. to add the user's common name use "@@cn@@".
|
||||
For the common name it would be "@@cn@@".</para>
|
||||
|
||||
<para>There are also two special wildcards for the expiration
|
||||
date. @@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g.
|
||||
"31.12.2016". @@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
|
||||
<para>There are also two special wildcards for the expiration date.
|
||||
@@EXPIRE_DATE_DDMMYYYY@@ will print the date as e.g. "31.12.2016".
|
||||
@@EXPIRE_DATE_YYYYMMDD@@ will print the date as e.g.
|
||||
"2016-12-31".</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Windows: Delete or move expired accounts</title>
|
||||
|
||||
<para>You can automatically delete or move expired
|
||||
accounts.</para>
|
||||
<para>You can automatically delete or move expired accounts.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -1229,8 +1279,7 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<row>
|
||||
<entry><emphasis role="bold">Option</emphasis></entry>
|
||||
|
||||
<entry><emphasis
|
||||
role="bold">Description</emphasis></entry>
|
||||
<entry><emphasis role="bold">Description</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -1260,8 +1309,7 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<section>
|
||||
<title>FreeRadius: Delete or move expired accounts</title>
|
||||
|
||||
<para>You can automatically delete or move expired
|
||||
accounts.</para>
|
||||
<para>You can automatically delete or move expired accounts.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -1279,8 +1327,7 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<row>
|
||||
<entry><emphasis role="bold">Option</emphasis></entry>
|
||||
|
||||
<entry><emphasis
|
||||
role="bold">Description</emphasis></entry>
|
||||
<entry><emphasis role="bold">Description</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -1310,8 +1357,8 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<section>
|
||||
<title>Qmail: Delete or move expired accounts</title>
|
||||
|
||||
<para>You can automatically delete or move expired accounts. The
|
||||
job reads the qmail deletion date of user accounts.</para>
|
||||
<para>You can automatically delete or move expired accounts. The job
|
||||
reads the qmail deletion date of user accounts.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -1329,8 +1376,7 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<row>
|
||||
<entry><emphasis role="bold">Option</emphasis></entry>
|
||||
|
||||
<entry><emphasis
|
||||
role="bold">Description</emphasis></entry>
|
||||
<entry><emphasis role="bold">Description</emphasis></entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
|
@ -1377,18 +1423,18 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<section id="confTypicalScenarios">
|
||||
<title>Typical scenarios</title>
|
||||
|
||||
<para>This is a list of typical scenarios how your LDAP environment
|
||||
may look like and how to structure the server profiles for it.</para>
|
||||
<para>This is a list of typical scenarios how your LDAP environment may
|
||||
look like and how to structure the server profiles for it.</para>
|
||||
|
||||
<section>
|
||||
<title>Simple: One LDAP directory managed by a small group of
|
||||
admins</title>
|
||||
|
||||
<para>This is the easiest and most common scenario. You want to
|
||||
manage a single LDAP server and there is only one or a few admins.
|
||||
In this case just create one server profile and you are done. The
|
||||
admins may be either specified as a fixed list or by using an LDAP
|
||||
search at login time.</para>
|
||||
<para>This is the easiest and most common scenario. You want to manage
|
||||
a single LDAP server and there is only one or a few admins. In this
|
||||
case just create one server profile and you are done. The admins may
|
||||
be either specified as a fixed list or by using an LDAP search at
|
||||
login time.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -1404,11 +1450,10 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
groups</title>
|
||||
|
||||
<para>Large organisations may have one big LDAP directory for all
|
||||
user/group accounts. But the users are managed by different groups
|
||||
of admins (e.g. departments, locations, subsidiaries, ...). The
|
||||
users are typically divided into organisational units in the LDAP
|
||||
tree. Admins may only manage the users in their part of the
|
||||
tree.</para>
|
||||
user/group accounts. But the users are managed by different groups of
|
||||
admins (e.g. departments, locations, subsidiaries, ...). The users are
|
||||
typically divided into organisational units in the LDAP tree. Admins
|
||||
may only manage the users in their part of the tree.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -1418,16 +1463,15 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
</mediaobject>
|
||||
</screenshot>
|
||||
|
||||
<para>In this situation it is recommended to create one server
|
||||
profile for each admin group (e.g. department). Setup the LDAP
|
||||
suffixes in the server profiles to point to the needed
|
||||
organisational units. E.g. use
|
||||
<para>In this situation it is recommended to create one server profile
|
||||
for each admin group (e.g. department). Setup the LDAP suffixes in the
|
||||
server profiles to point to the needed organisational units. E.g. use
|
||||
ou=people,ou=department1,dc=company,dc=com or
|
||||
ou=department1,ou=people,dc=company,dc=com as LDAP suffix for users.
|
||||
Do the same for groups, hosts, ... This way each admin group will
|
||||
only see its own users. You may want to use LDAP search for the LAM
|
||||
login in this scenario. This will prevent that you need to update a
|
||||
server profile if the number of admins changes.</para>
|
||||
Do the same for groups, hosts, ... This way each admin group will only
|
||||
see its own users. You may want to use LDAP search for the LAM login
|
||||
in this scenario. This will prevent that you need to update a server
|
||||
profile if the number of admins changes.</para>
|
||||
|
||||
<para><emphasis role="bold">Attention:</emphasis> LAM's feature to
|
||||
automatically find free UIDs/GIDs for new users/groups will not work
|
||||
|
@ -1456,8 +1500,8 @@ mysql> GRANT ALL PRIVILEGES ON lam_cron.* TO 'lam_cron'@'localhost';
|
|||
<section>
|
||||
<title>Single LDAP directory with lots of users (>10 000)</title>
|
||||
|
||||
<para>LAM was tested to work with 10 000 users. If you have a lot
|
||||
more users then you have basically two options.</para>
|
||||
<para>LAM was tested to work with 10 000 users. If you have a lot more
|
||||
users then you have basically two options.</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
|
|
After Width: | Height: | Size: 32 KiB |
After Width: | Height: | Size: 17 KiB |
After Width: | Height: | Size: 6.4 KiB |
Before Width: | Height: | Size: 18 KiB After Width: | Height: | Size: 30 KiB |
Before Width: | Height: | Size: 18 KiB After Width: | Height: | Size: 24 KiB |
|
@ -1,6 +1,7 @@
|
|||
<?php
|
||||
namespace LAM\LIB\TWO_FACTOR;
|
||||
use \selfServiceProfile;
|
||||
use \LAMConfig;
|
||||
|
||||
/*
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
|
@ -58,15 +59,15 @@ interface TwoFactorProvider {
|
|||
*/
|
||||
class PrivacyIDEAProvider implements TwoFactorProvider {
|
||||
|
||||
private $profile;
|
||||
private $config;
|
||||
|
||||
/**
|
||||
* Constructor.
|
||||
*
|
||||
* @param selfServiceProfile $profile profile
|
||||
* @param TwoFactorConfiguration $config configuration
|
||||
*/
|
||||
public function __construct(&$profile) {
|
||||
$this->profile = $profile;
|
||||
public function __construct(&$config) {
|
||||
$this->config = $config;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -99,7 +100,7 @@ class PrivacyIDEAProvider implements TwoFactorProvider {
|
|||
*/
|
||||
private function authenticate($user, $password) {
|
||||
$curl = $this->getCurl();
|
||||
$url = $this->profile->twoFactorAuthenticationURL . "/auth";
|
||||
$url = $this->config->twoFactorAuthenticationURL . "/auth";
|
||||
curl_setopt($curl, CURLOPT_URL, $url);
|
||||
$header = array('Accept: application/json');
|
||||
curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
|
||||
|
@ -137,7 +138,7 @@ class PrivacyIDEAProvider implements TwoFactorProvider {
|
|||
*/
|
||||
private function getCurl() {
|
||||
$curl = curl_init();
|
||||
if ($this->profile->twoFactorAuthenticationInsecure) {
|
||||
if ($this->config->twoFactorAuthenticationInsecure) {
|
||||
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, false);
|
||||
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, 0);
|
||||
}
|
||||
|
@ -154,7 +155,7 @@ class PrivacyIDEAProvider implements TwoFactorProvider {
|
|||
*/
|
||||
private function getSerialsForUser($user, $token) {
|
||||
$curl = $this->getCurl();
|
||||
$url = $this->profile->twoFactorAuthenticationURL . "/token/?user=" . $user;
|
||||
$url = $this->config->twoFactorAuthenticationURL . "/token/?user=" . $user;
|
||||
curl_setopt($curl, CURLOPT_URL, $url);
|
||||
$header = array('Authorization: ' . $token, 'Accept: application/json');
|
||||
curl_setopt($curl, CURLOPT_HTTPHEADER, $header);
|
||||
|
@ -192,7 +193,7 @@ class PrivacyIDEAProvider implements TwoFactorProvider {
|
|||
*/
|
||||
private function verify($token, $serial, $twoFactorInput) {
|
||||
$curl = $this->getCurl();
|
||||
$url = $this->profile->twoFactorAuthenticationURL . "/validate/check";
|
||||
$url = $this->config->twoFactorAuthenticationURL . "/validate/check";
|
||||
curl_setopt($curl, CURLOPT_URL, $url);
|
||||
$options = array(
|
||||
'pass' => $twoFactorInput,
|
||||
|
@ -225,15 +226,25 @@ class PrivacyIDEAProvider implements TwoFactorProvider {
|
|||
*/
|
||||
class TwoFactorProviderService {
|
||||
|
||||
private $profile;
|
||||
/** 2factor authentication disabled */
|
||||
const TWO_FACTOR_NONE = 'none';
|
||||
/** 2factor authentication via privacyIDEA */
|
||||
const TWO_FACTOR_PRIVACYIDEA = 'privacyidea';
|
||||
|
||||
private $config;
|
||||
|
||||
/**
|
||||
* Constructor.
|
||||
*
|
||||
* @param selfServiceProfile $profile profile
|
||||
* @param selfServiceProfile|LAMConfig $configObj profile
|
||||
*/
|
||||
public function __construct(&$profile) {
|
||||
$this->profile = $profile;
|
||||
public function __construct(&$configObj) {
|
||||
if ($configObj instanceof selfServiceProfile) {
|
||||
$this->config = $this->getConfigSelfService($configObj);
|
||||
}
|
||||
else {
|
||||
$this->config = $this->getConfigAdmin($configObj);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -244,10 +255,49 @@ class TwoFactorProviderService {
|
|||
* @throws \Exception unable to get provider
|
||||
*/
|
||||
public function getProvider() {
|
||||
if ($this->profile->twoFactorAuthentication == selfServiceProfile::TWO_FACTOR_PRIVACYIDEA) {
|
||||
return new PrivacyIDEAProvider($this->profile);
|
||||
if ($this->config->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA) {
|
||||
return new PrivacyIDEAProvider($this->config);
|
||||
}
|
||||
throw new \Exception('Invalid provider: ' . $this->profile->twoFactorAuthentication);
|
||||
throw new \Exception('Invalid provider: ' . $this->config->twoFactorAuthentication);
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the configuration from self service.
|
||||
*
|
||||
* @param selfServiceProfile $profile profile
|
||||
* @return TwoFactorConfiguration configuration
|
||||
*/
|
||||
private function getConfigSelfService(&$profile) {
|
||||
$config = new TwoFactorConfiguration();
|
||||
$config->twoFactorAuthentication = $profile->twoFactorAuthentication;
|
||||
$config->twoFactorAuthenticationInsecure = $profile->twoFactorAuthenticationInsecure;
|
||||
$config->twoFactorAuthenticationURL = $profile->twoFactorAuthenticationURL;
|
||||
return $config;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the configuration for admin interface.
|
||||
*
|
||||
* @param LAMConfig $conf configuration
|
||||
* @return TwoFactorConfiguration configuration
|
||||
*/
|
||||
private function getConfigAdmin($conf) {
|
||||
$config = new TwoFactorConfiguration();
|
||||
$config->twoFactorAuthentication = $conf->getTwoFactorAuthentication();
|
||||
$config->twoFactorAuthenticationInsecure = $conf->getTwoFactorAuthenticationInsecure();
|
||||
$config->twoFactorAuthenticationURL = $conf->getTwoFactorAuthenticationURL();
|
||||
return $config;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
/**
|
||||
* Configuration settings for 2-factor authentication.
|
||||
*
|
||||
* @author Roland Gruber
|
||||
*/
|
||||
class TwoFactorConfiguration {
|
||||
public $twoFactorAuthentication = null;
|
||||
public $twoFactorAuthenticationURL = null;
|
||||
public $twoFactorAuthenticationInsecure = false;
|
||||
}
|
||||
|
|
|
@ -1467,6 +1467,22 @@ function validateReCAPTCHA($secretKey) {
|
|||
return $responseJSON->{'success'} === true;
|
||||
}
|
||||
|
||||
/**
|
||||
* Checks if the user is logged in. Stops script execution if not.
|
||||
*
|
||||
* @param boolean $check2ndFactor check if the 2nd factor was provided if required
|
||||
*/
|
||||
function enforceUserIsLoggedIn($check2ndFactor = true) {
|
||||
if (!isset($_SESSION['loggedIn']) || ($_SESSION['loggedIn'] !== true)) {
|
||||
logNewMessage(LOG_WARNING, 'Detected unauthorized access to page that requires login: ' . $_SERVER["SCRIPT_FILENAME"]);
|
||||
die();
|
||||
}
|
||||
if ($check2ndFactor && isset($_SESSION['2factorRequired'])) {
|
||||
die();
|
||||
logNewMessage(LOG_WARNING, 'Detected unauthorized access to page that requires login (2nd factor not provided): ' . $_SERVER["SCRIPT_FILENAME"]);
|
||||
}
|
||||
}
|
||||
|
||||
class LAMException extends Exception {
|
||||
|
||||
private $title;
|
||||
|
|
|
@ -1,9 +1,10 @@
|
|||
<?php
|
||||
use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
|
||||
/*
|
||||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2016 Roland Gruber
|
||||
Copyright (C) 2003 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -31,11 +32,13 @@ $Id$
|
|||
*/
|
||||
|
||||
/** Used to print messages. */
|
||||
include_once("status.inc");
|
||||
include_once "status.inc";
|
||||
/** Used to get module information. */
|
||||
include_once("modules.inc");
|
||||
include_once "modules.inc";
|
||||
/** Used to get type information. */
|
||||
include_once("types.inc");
|
||||
include_once "types.inc";
|
||||
/** 2-factor */
|
||||
include_once '2factor.inc';
|
||||
|
||||
/**
|
||||
* Sets the environment variables for custom SSL CA certificates.
|
||||
|
@ -567,6 +570,13 @@ class LAMConfig {
|
|||
/** job configuration */
|
||||
private $jobSettings = array();
|
||||
|
||||
private $twoFactorAuthentication = TwoFactorProviderService::TWO_FACTOR_NONE;
|
||||
private $twoFactorAuthenticationURL = 'https://localhost';
|
||||
private $twoFactorAuthenticationInsecure = false;
|
||||
private $twoFactorAuthenticationLabel = null;
|
||||
private $twoFactorAuthenticationOptional = false;
|
||||
private $twoFactorAuthenticationCaption = '';
|
||||
|
||||
/** List of all settings in config file */
|
||||
private $settings = array("ServerURL", "useTLS", "followReferrals", 'pagedResults', "Passwd", "Admins", "treesuffix",
|
||||
"defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout", 'serverDisplayName',
|
||||
|
@ -576,7 +586,9 @@ class LAMConfig {
|
|||
'loginSearchPassword', 'timeZone', 'jobsBindUser', 'jobsBindPassword', 'jobsDatabase', 'jobToken', 'jobs',
|
||||
'jobsDBHost', 'jobsDBPort', 'jobsDBUser', 'jobsDBPassword', 'jobsDBName', 'pwdResetAllowSpecificPassword',
|
||||
'pwdResetAllowScreenPassword', 'pwdResetForcePasswordChange', 'pwdResetDefaultPasswordOutput',
|
||||
'scriptUserName', 'scriptSSHKey', 'scriptSSHKeyPassword'
|
||||
'scriptUserName', 'scriptSSHKey', 'scriptSSHKeyPassword', 'twoFactorAuthentication', 'twoFactorAuthenticationURL',
|
||||
'twoFactorAuthenticationInsecure', 'twoFactorAuthenticationLabel', 'twoFactorAuthenticationOptional',
|
||||
'twoFactorAuthenticationCaption'
|
||||
);
|
||||
|
||||
|
||||
|
@ -816,6 +828,12 @@ class LAMConfig {
|
|||
if (!in_array("pwdResetAllowScreenPassword", $saved)) array_push($file_array, "\n" . "pwdResetAllowScreenPassword: " . $this->pwdResetAllowScreenPassword . "\n");
|
||||
if (!in_array("pwdResetForcePasswordChange", $saved)) array_push($file_array, "\n" . "pwdResetForcePasswordChange: " . $this->pwdResetForcePasswordChange . "\n");
|
||||
if (!in_array("pwdResetDefaultPasswordOutput", $saved)) array_push($file_array, "\n" . "pwdResetDefaultPasswordOutput: " . $this->pwdResetDefaultPasswordOutput . "\n");
|
||||
if (!in_array("twoFactorAuthentication", $saved)) array_push($file_array, "\n" . "twoFactorAuthentication: " . $this->twoFactorAuthentication . "\n");
|
||||
if (!in_array("twoFactorAuthenticationURL", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationURL: " . $this->twoFactorAuthenticationURL . "\n");
|
||||
if (!in_array("twoFactorAuthenticationInsecure", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationInsecure: " . $this->twoFactorAuthenticationInsecure . "\n");
|
||||
if (!in_array("twoFactorAuthenticationLabel", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationLabel: " . $this->twoFactorAuthenticationLabel . "\n");
|
||||
if (!in_array("twoFactorAuthenticationOptional", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationOptional: " . $this->twoFactorAuthenticationOptional . "\n");
|
||||
if (!in_array("twoFactorAuthenticationCaption", $saved)) array_push($file_array, "\n" . "twoFactorAuthenticationCaption: " . $this->twoFactorAuthenticationCaption . "\n");
|
||||
// check if all module settings were added
|
||||
$m_settings = array_keys($this->moduleSettings);
|
||||
for ($i = 0; $i < sizeof($m_settings); $i++) {
|
||||
|
@ -2044,6 +2062,116 @@ class LAMConfig {
|
|||
public function setPwdResetDefaultPasswordOutput($pwdResetDefaultPasswordOutput) {
|
||||
$this->pwdResetDefaultPasswordOutput = $pwdResetDefaultPasswordOutput;
|
||||
}
|
||||
/**
|
||||
* Returns the authentication type.
|
||||
*
|
||||
* @return string $twoFactorAuthentication authentication type
|
||||
*/
|
||||
public function getTwoFactorAuthentication() {
|
||||
if (empty($this->twoFactorAuthentication)) {
|
||||
return TwoFactorProviderService::TWO_FACTOR_NONE;
|
||||
}
|
||||
return $this->twoFactorAuthentication;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the authentication type.
|
||||
*
|
||||
* @param string $twoFactorAuthentication authentication type
|
||||
*/
|
||||
public function setTwoFactorAuthentication($twoFactorAuthentication) {
|
||||
$this->twoFactorAuthentication = $twoFactorAuthentication;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the authentication URL.
|
||||
*
|
||||
* @return string $twoFactorAuthenticationURL authentication URL
|
||||
*/
|
||||
public function getTwoFactorAuthenticationURL() {
|
||||
return $this->twoFactorAuthenticationURL;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the authentication URL.
|
||||
*
|
||||
* @param string $twoFactorAuthenticationURL authentication URL
|
||||
*/
|
||||
public function setTwoFactorAuthenticationURL($twoFactorAuthenticationURL) {
|
||||
$this->twoFactorAuthenticationURL = $twoFactorAuthenticationURL;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns if SSL certificate verification is turned off.
|
||||
*
|
||||
* @return bool $twoFactorAuthenticationInsecure SSL certificate verification is turned off
|
||||
*/
|
||||
public function getTwoFactorAuthenticationInsecure() {
|
||||
return $this->twoFactorAuthenticationInsecure;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets if SSL certificate verification is turned off.
|
||||
*
|
||||
* @param boolean $twoFactorAuthenticationInsecure SSL certificate verification is turned off
|
||||
*/
|
||||
public function setTwoFactorAuthenticationInsecure($twoFactorAuthenticationInsecure) {
|
||||
$this->twoFactorAuthenticationInsecure = $twoFactorAuthenticationInsecure;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the authentication label.
|
||||
*
|
||||
* @return string $twoFactorAuthenticationLabel authentication label
|
||||
*/
|
||||
public function getTwoFactorAuthenticationLabel() {
|
||||
return $this->twoFactorAuthenticationLabel;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the authentication label.
|
||||
*
|
||||
* @param string $twoFactorAuthenticationLabel authentication label
|
||||
*/
|
||||
public function setTwoFactorAuthenticationLabel($twoFactorAuthenticationLabel) {
|
||||
$this->twoFactorAuthenticationLabel = $twoFactorAuthenticationLabel;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns if 2nd factor is optional.
|
||||
*
|
||||
* @return bool $twoFactorAuthenticationOptional 2nd factor is optional
|
||||
*/
|
||||
public function getTwoFactorAuthenticationOptional() {
|
||||
return $this->twoFactorAuthenticationOptional;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets if 2nd factor is optional.
|
||||
*
|
||||
* @param boolean $twoFactorAuthenticationOptional 2nd factor is optional
|
||||
*/
|
||||
public function setTwoFactorAuthenticationOptional($twoFactorAuthenticationOptional) {
|
||||
$this->twoFactorAuthenticationOptional = $twoFactorAuthenticationOptional;
|
||||
}
|
||||
|
||||
/**
|
||||
* Returns the caption HTML.
|
||||
*
|
||||
* @return string $twoFactorAuthenticationCaption caption HTML
|
||||
*/
|
||||
public function getTwoFactorAuthenticationCaption() {
|
||||
return $this->twoFactorAuthenticationCaption;
|
||||
}
|
||||
|
||||
/**
|
||||
* Sets the caption HTML.
|
||||
*
|
||||
* @param string $twoFactorAuthenticationCaption caption HTML
|
||||
*/
|
||||
public function setTwoFactorAuthenticationCaption($twoFactorAuthenticationCaption) {
|
||||
$this->twoFactorAuthenticationCaption = $twoFactorAuthenticationCaption;
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
<?PHP
|
||||
<?php
|
||||
use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
|
||||
/*
|
||||
$Id$
|
||||
|
||||
|
@ -31,9 +32,11 @@ $Id$
|
|||
*/
|
||||
|
||||
/** modules */
|
||||
include_once("modules.inc");
|
||||
include_once "modules.inc";
|
||||
/** account types */
|
||||
include_once("types.inc");
|
||||
include_once "types.inc";
|
||||
/** 2-factor */
|
||||
include_once '2factor.inc';
|
||||
|
||||
/**
|
||||
* Returns if this is a LAM Pro installation.
|
||||
|
@ -302,11 +305,6 @@ function isSelfService() {
|
|||
*/
|
||||
class selfServiceProfile {
|
||||
|
||||
/** 2factor authentication disabled */
|
||||
const TWO_FACTOR_NONE = 'none';
|
||||
/** 2factor authentication via privacyIDEA */
|
||||
const TWO_FACTOR_PRIVACYIDEA = 'privacyidea';
|
||||
|
||||
/** server address */
|
||||
public $serverURL;
|
||||
|
||||
|
@ -381,7 +379,7 @@ class selfServiceProfile {
|
|||
|
||||
public $timeZone = 'Europe/London';
|
||||
|
||||
public $twoFactorAuthentication = selfServiceProfile::TWO_FACTOR_NONE;
|
||||
public $twoFactorAuthentication = TwoFactorProviderService::TWO_FACTOR_NONE;
|
||||
public $twoFactorAuthenticationURL = 'https://localhost';
|
||||
public $twoFactorAuthenticationInsecure = false;
|
||||
public $twoFactorAuthenticationLabel = null;
|
||||
|
@ -425,7 +423,7 @@ class selfServiceProfile {
|
|||
$this->enforceLanguage = true;
|
||||
$this->followReferrals = 0;
|
||||
$this->timeZone = 'Europe/London';
|
||||
$this->twoFactorAuthentication = selfServiceProfile::TWO_FACTOR_NONE;
|
||||
$this->twoFactorAuthentication = TwoFactorProviderService::TWO_FACTOR_NONE;
|
||||
$this->twoFactorAuthenticationURL = 'https://localhost';
|
||||
$this->twoFactorAuthenticationInsecure = false;
|
||||
$this->twoFactorAuthenticationLabel = null;
|
||||
|
|
|
@ -21,6 +21,7 @@ function app_session_start() {
|
|||
include_once '../../../../lib/config.inc';
|
||||
include_once '../../../../lib/ldap.inc';
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
$config_file = CONFDIR.'config.php';
|
||||
$config = check_config($config_file);
|
||||
# If we came via index.php, then set our $config.
|
||||
|
|
|
@ -4,7 +4,7 @@ $Id$
|
|||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2006 Tilo Lutz
|
||||
2005 - 2016 Roland Gruber
|
||||
2005 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -47,6 +47,7 @@ include_once('../../lib/modules.inc');
|
|||
|
||||
// Start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
// Redirect to startpage if user is not loged in
|
||||
if (!isLoggedIn()) {
|
||||
|
|
|
@ -1,9 +1,10 @@
|
|||
<?php
|
||||
use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
|
||||
/*
|
||||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2016 Roland Gruber
|
||||
Copyright (C) 2003 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -37,6 +38,8 @@ include_once("../../lib/config.inc");
|
|||
include_once("../../lib/modules.inc");
|
||||
/** access to tools */
|
||||
include_once("../../lib/tools.inc");
|
||||
/** 2-factor */
|
||||
include_once '../../lib/2facto.inc';
|
||||
|
||||
// start session
|
||||
if (strtolower(session_module_name()) == 'files') {
|
||||
|
@ -523,8 +526,40 @@ $searchPasswordInput->setIsPassword(true);
|
|||
$securitySettingsContent->addElement($searchPasswordInput, true);
|
||||
// HTTP authentication
|
||||
$securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('httpAuthentication', ($conf->getHttpAuthentication() == 'true'), _('HTTP authentication'), '223', true), true);
|
||||
$securitySettingsContent->addElement(new htmlSpacer(null, '10px'), true);
|
||||
$securitySettingsContent->addElement(new htmlSpacer(null, '30px'), true);
|
||||
|
||||
// 2factor authentication
|
||||
if (extension_loaded('curl')) {
|
||||
$securitySettingsContent->addElement(new htmlSubTitle(_("2-factor authentication")), true);
|
||||
$twoFactorOptions = array(
|
||||
_('None') => TwoFactorProviderService::TWO_FACTOR_NONE,
|
||||
_('privacyIDEA') => TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA,
|
||||
);
|
||||
$twoFactorSelect = new htmlTableExtendedSelect('twoFactor', $twoFactorOptions, array($conf->getTwoFactorAuthentication()), _('Provider'), '514');
|
||||
$twoFactorSelect->setHasDescriptiveElements(true);
|
||||
$twoFactorSelect->setTableRowsToHide(array(
|
||||
TwoFactorProviderService::TWO_FACTOR_NONE => array('twoFactorURL', 'twoFactorInsecure', 'twoFactorLabel', 'twoFactorOptional', 'twoFactorCaption')
|
||||
));
|
||||
$twoFactorSelect->setTableRowsToShow(array(
|
||||
TwoFactorProviderService::TWO_FACTOR_PRIVACYIDEA => array('twoFactorURL', 'twoFactorInsecure', 'twoFactorLabel', 'twoFactorOptional', 'twoFactorCaption')
|
||||
));
|
||||
$securitySettingsContent->addElement($twoFactorSelect, true);
|
||||
$twoFactorUrl = new htmlTableExtendedInputField(_("Base URL"), 'twoFactorURL', $conf->getTwoFactorAuthenticationURL(), '515');
|
||||
$twoFactorUrl->setRequired(true);
|
||||
$securitySettingsContent->addElement($twoFactorUrl, true);
|
||||
$twoFactorLabel = new htmlTableExtendedInputField(_("Label"), 'twoFactorLabel', $conf->getTwoFactorAuthenticationLabel(), '517');
|
||||
$securitySettingsContent->addElement($twoFactorLabel, true);
|
||||
$securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('twoFactorOptional', $conf->getTwoFactorAuthenticationOptional(), _('Optional'), '519'), true);
|
||||
$securitySettingsContent->addElement(new htmlTableExtendedInputCheckbox('twoFactorInsecure', $conf->getTwoFactorAuthenticationInsecure(), _('Disable certificate check'), '516'), true);
|
||||
$securitySettingsContent->addElement(new htmlSpacer(null, '5px'), true);
|
||||
$twoFactorCaption = new htmlTableExtendedInputTextarea('twoFactorCaption', $conf->getTwoFactorAuthenticationCaption(), '80', '4', _("Caption"), '518');
|
||||
$twoFactorCaption->setIsRichEdit(true);
|
||||
$twoFactorCaption->alignment = htmlElement::ALIGN_TOP;
|
||||
$securitySettingsContent->addElement($twoFactorCaption, true);
|
||||
}
|
||||
|
||||
// new password
|
||||
$securitySettingsContent->addElement(new htmlSubTitle(_("Profile password")), true);
|
||||
$password1 = new htmlTableExtendedInputField(_("New password"), 'passwd1', null, '212');
|
||||
$password1->setIsPassword(true);
|
||||
$password2 = new htmlTableExtendedInputField(_("Reenter password"), 'passwd2');
|
||||
|
@ -551,10 +586,12 @@ $buttonContainer->addElement($cancelButton, true);
|
|||
$buttonContainer->addElement(new htmlSpacer(null, '10px'), true);
|
||||
parseHtml(null, $buttonContainer, array(), false, $tabindex, 'user');
|
||||
|
||||
echo "</form>\n";
|
||||
echo "</body>\n";
|
||||
echo "</html>\n";
|
||||
|
||||
?>
|
||||
</form>
|
||||
<script type="text/javascript" src="../lib/extra/ckeditor/ckeditor.js"></script>
|
||||
</body>
|
||||
</html>
|
||||
<?php
|
||||
|
||||
/**
|
||||
* Checks user input and saves the entered settings.
|
||||
|
@ -711,6 +748,15 @@ function checkInput() {
|
|||
}
|
||||
}
|
||||
$conf->setToolSettings($toolSettings);
|
||||
// 2-factor
|
||||
if (extension_loaded('curl')) {
|
||||
$conf->setTwoFactorAuthentication($_POST['twoFactor']);
|
||||
$conf->setTwoFactorAuthenticationURL($_POST['twoFactorURL']);
|
||||
$conf->setTwoFactorAuthenticationInsecure(isset($_POST['twoFactorInsecure']) && ($_POST['twoFactorInsecure'] == 'on'));
|
||||
$conf->setTwoFactorAuthenticationLabel($_POST['twoFactorLabel']);
|
||||
$conf->setTwoFactorAuthenticationOptional(isset($_POST['twoFactorOptional']) && ($_POST['twoFactorOptional'] == 'on'));
|
||||
$conf->setTwoFactorAuthenticationCaption(str_replace(array("\r", "\n"), array('', ''), $_POST['twoFactorCaption']));
|
||||
}
|
||||
// check if password was changed
|
||||
if (isset($_POST['passwd1']) && ($_POST['passwd1'] != '')) {
|
||||
if ($_POST['passwd1'] != $_POST['passwd2']) {
|
||||
|
|
|
@ -49,6 +49,7 @@ include_once('../lib/modules.inc');
|
|||
|
||||
// Start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
if (!checkIfWriteAccessIsAllowed()) {
|
||||
die();
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2015 Roland Gruber
|
||||
Copyright (C) 2003 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -39,6 +39,7 @@ include_once("../lib/status.inc");
|
|||
|
||||
// start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
if (!checkIfWriteAccessIsAllowed()) {
|
||||
die();
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2007 - 2013 Roland Gruber
|
||||
Copyright (C) 2007 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -39,6 +39,7 @@ include_once("../../lib/status.inc");
|
|||
|
||||
// start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
setlanguage();
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2016 Roland Gruber
|
||||
Copyright (C) 2003 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -38,6 +38,7 @@ include_once("../../lib/config.inc");
|
|||
|
||||
// start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
setlanguage();
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2010 Roland Gruber
|
||||
Copyright (C) 2003 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -39,6 +39,7 @@ include_once("../../lib/status.inc");
|
|||
|
||||
// start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
setlanguage();
|
||||
|
||||
|
|
|
@ -1,4 +1,6 @@
|
|||
<?php
|
||||
use LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
|
||||
|
||||
/*
|
||||
$Id$
|
||||
|
||||
|
@ -324,6 +326,14 @@ function display_LoginPage($config_object, $cfgMain) {
|
|||
StatusMessage("INFO", _("Your settings were successfully saved."), htmlspecialchars($_GET['selfserviceSaveOk']));
|
||||
echo "<br>";
|
||||
}
|
||||
if (isset($_GET['2factor']) && ($_GET['2factor'] == 'error')) {
|
||||
StatusMessage('ERROR', _("Unable to start 2-factor authentication."));
|
||||
echo "<br>";
|
||||
}
|
||||
elseif (isset($_GET['2factor']) && ($_GET['2factor'] == 'noToken')) {
|
||||
StatusMessage('ERROR', _("Unable to start 2-factor authentication because no tokens were found."));
|
||||
echo "<br>";
|
||||
}
|
||||
if (!empty($config_object)) {
|
||||
?>
|
||||
<br><br>
|
||||
|
@ -636,8 +646,20 @@ if(!empty($_POST['checklogin'])) {
|
|||
addSecurityTokenToSession();
|
||||
// logging
|
||||
logNewMessage(LOG_NOTICE, 'User ' . $username . ' (' . $clientSource . ') successfully logged in.');
|
||||
// Load main frame
|
||||
// Load main frame or 2 factor page
|
||||
if ($_SESSION['config']->getTwoFactorAuthentication() == TwoFactorProviderService::TWO_FACTOR_NONE) {
|
||||
metaRefresh("./main.php");
|
||||
}
|
||||
else {
|
||||
$_SESSION['2factorRequired'] = true;
|
||||
if (($_SESSION['config']->getLoginMethod() == LAMConfig::LOGIN_SEARCH) && ($_SESSION['config']->getHttpAuthentication() == 'true')) {
|
||||
$_SESSION['user2factor'] = $_SERVER['PHP_AUTH_USER'];
|
||||
}
|
||||
else {
|
||||
$_SESSION['user2factor'] = $_POST['username'];
|
||||
}
|
||||
metaRefresh("./login2Factor.php");
|
||||
}
|
||||
die();
|
||||
}
|
||||
else {
|
||||
|
|
|
@ -0,0 +1,241 @@
|
|||
<?php
|
||||
namespace LAM\LOGIN;
|
||||
use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
|
||||
use \htmlResponsiveRow;
|
||||
use \htmlGroup;
|
||||
use \htmlOutputText;
|
||||
use \htmlSpacer;
|
||||
use \htmlSelect;
|
||||
use \htmlInputField;
|
||||
use \htmlButton;
|
||||
/*
|
||||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
the Free Software Foundation; either version 2 of the License, or
|
||||
(at your option) any later version.
|
||||
|
||||
This program is distributed in the hope that it will be useful,
|
||||
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.
|
||||
|
||||
You should have received a copy of the GNU General Public License
|
||||
along with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
|
||||
|
||||
*/
|
||||
|
||||
/**
|
||||
* This page redirects to the correct start page after checking 2nd factor.
|
||||
*
|
||||
* @package main
|
||||
* @author Roland Gruber
|
||||
*/
|
||||
|
||||
/** config object */
|
||||
include_once '../lib/config.inc';
|
||||
|
||||
// start session
|
||||
startSecureSession();
|
||||
|
||||
setlanguage();
|
||||
|
||||
$config = $_SESSION['config'];
|
||||
$ldap = $_SESSION['ldap'];
|
||||
$credentials = $ldap->decrypt_login();
|
||||
$password = $credentials[1];
|
||||
$user = $_SESSION['user2factor'];
|
||||
if (get_preg($user, 'dn')) {
|
||||
$user = extractRDNValue($user);
|
||||
}
|
||||
|
||||
// get serials
|
||||
try {
|
||||
$service = new TwoFactorProviderService($config);
|
||||
$provider = $service->getProvider();
|
||||
$serials = $provider->getSerials($user, $password);
|
||||
}
|
||||
catch (\Exception $e) {
|
||||
logNewMessage(LOG_ERR, 'Unable to get 2-factor serials for ' . $user . ' ' . $e->getMessage());
|
||||
metaRefresh("login.php?2factor=error");
|
||||
die();
|
||||
}
|
||||
|
||||
$twoFactorLabel = empty($config->getTwoFactorAuthenticationLabel()) ? _('PIN+Token') : $config->getTwoFactorAuthenticationLabel();
|
||||
|
||||
if (sizeof($serials) == 0) {
|
||||
if ($config->getTwoFactorAuthenticationOptional()) {
|
||||
unset($_SESSION['2factorRequired']);
|
||||
unset($_SESSION['user2factor']);
|
||||
metaRefresh("main.php");
|
||||
die();
|
||||
}
|
||||
else {
|
||||
metaRefresh("login.php?2factor=noToken");
|
||||
die();
|
||||
}
|
||||
}
|
||||
|
||||
if (isset($_POST['logout'])) {
|
||||
// destroy session
|
||||
session_destroy();
|
||||
unset($_SESSION);
|
||||
// redirect to login page
|
||||
metaRefresh("login.php");
|
||||
exit();
|
||||
}
|
||||
|
||||
if (isset($_POST['submit'])) {
|
||||
$twoFactorInput = $_POST['2factor'];
|
||||
$serial = $_POST['serial'];
|
||||
if (empty($twoFactorInput) || !in_array($serial, $serials)) {
|
||||
$errorMessage = _(sprintf('Please enter "%s".', $twoFactorLabel));
|
||||
}
|
||||
else {
|
||||
$twoFactorValid = false;
|
||||
try {
|
||||
$twoFactorValid = $provider->verify2ndFactor($user, $password, $serial, $twoFactorInput);
|
||||
}
|
||||
catch (\Exception $e) {
|
||||
logNewMessage(LOG_WARNING, '2-factor verification failed: ' . $e->getMessage());
|
||||
}
|
||||
if ($twoFactorValid) {
|
||||
unset($_SESSION['2factorRequired']);
|
||||
unset($_SESSION['user2factor']);
|
||||
metaRefresh("main.php");
|
||||
die();
|
||||
}
|
||||
else {
|
||||
$errorMessage = _(sprintf('Verification failed.', $twoFactorLabel));
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
?>
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
||||
<html class="no-js">
|
||||
<head>
|
||||
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
|
||||
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||||
<meta http-equiv="pragma" content="no-cache">
|
||||
<meta http-equiv="cache-control" content="no-cache">
|
||||
<title><?php echo _("Login"); ?></title>
|
||||
<link rel="stylesheet" type="text/css" href="../style/responsive/105_normalize.css">
|
||||
<link rel="stylesheet" type="text/css" href="../style/responsive/110_foundation.css">
|
||||
<?php
|
||||
// include all CSS files
|
||||
$cssDirName = dirname(__FILE__) . '/../style';
|
||||
$cssDir = dir($cssDirName);
|
||||
$cssFiles = array();
|
||||
$cssEntry = $cssDir->read();
|
||||
while ($cssEntry !== false) {
|
||||
if (substr($cssEntry, strlen($cssEntry) - 4, 4) == '.css') {
|
||||
$cssFiles[] = $cssEntry;
|
||||
}
|
||||
$cssEntry = $cssDir->read();
|
||||
}
|
||||
sort($cssFiles);
|
||||
foreach ($cssFiles as $cssEntry) {
|
||||
echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"../style/" . $cssEntry . "\">\n";
|
||||
}
|
||||
if (isset($profile->additionalCSS) && ($profile->additionalCSS != '')) {
|
||||
$CSSlinks = explode("\n", $profile->additionalCSS);
|
||||
for ($i = 0; $i < sizeof($CSSlinks); $i++) {
|
||||
$CSSlinks[$i] = trim($CSSlinks[$i]);
|
||||
if ($CSSlinks[$i] == '') {
|
||||
continue;
|
||||
}
|
||||
echo "<link rel=\"stylesheet\" type=\"text/css\" href=\"" . $CSSlinks[$i] . "\">\n";
|
||||
}
|
||||
}
|
||||
?>
|
||||
</head>
|
||||
<body class="admin">
|
||||
<?php
|
||||
|
||||
// include all JavaScript files
|
||||
$jsDirName = dirname(__FILE__) . '/lib';
|
||||
$jsDir = dir($jsDirName);
|
||||
$jsFiles = array();
|
||||
while ($jsEntry = $jsDir->read()) {
|
||||
if (substr($jsEntry, strlen($jsEntry) - 3, 3) != '.js') continue;
|
||||
$jsFiles[] = $jsEntry;
|
||||
}
|
||||
sort($jsFiles);
|
||||
foreach ($jsFiles as $jsEntry) {
|
||||
echo "<script type=\"text/javascript\" src=\"lib/" . $jsEntry . "\"></script>\n";
|
||||
}
|
||||
?>
|
||||
|
||||
<script type="text/javascript" src="lib/extra/responsive/200_modernizr.js"></script>
|
||||
<script type="text/javascript" src="lib/extra/responsive/250_foundation.js"></script>
|
||||
<table border=0 width="100%" class="lamHeader ui-corner-all">
|
||||
<tr>
|
||||
<td align="left" height="30">
|
||||
<a class="lamLogo" href="http://www.ldap-account-manager.org/" target="new_window">LDAP Account Manager</a>
|
||||
</td>
|
||||
<td align="right" height=20>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
<br><br>
|
||||
|
||||
<form enctype="multipart/form-data" action="login2Factor.php" method="post" autocomplete="off">
|
||||
<?php
|
||||
echo $config->getTwoFactorAuthenticationCaption();
|
||||
|
||||
?>
|
||||
<div class="centeredTable">
|
||||
<div class="roundedShadowBox limitWidth">
|
||||
<?php
|
||||
|
||||
$group = new htmlGroup();
|
||||
$row = new htmlResponsiveRow();
|
||||
// error
|
||||
if (!empty($errorMessage)) {
|
||||
$row->add(new \htmlStatusMessage('ERROR', $errorMessage), 12);
|
||||
$row->add(new htmlSpacer('1em', '1em'), 12);
|
||||
}
|
||||
// serial
|
||||
$row->add(new htmlOutputText(_('Serial number')), 12, 12, 12, 'text-left');
|
||||
$serialSelect = new htmlSelect('serial', $serials);
|
||||
$row->add($serialSelect, 12);
|
||||
// token
|
||||
$row->add(new htmlOutputText($twoFactorLabel), 12, 12, 12, 'text-left');
|
||||
$twoFactorInput = new htmlInputField('2factor', '');
|
||||
$twoFactorInput->setFieldSize(null);
|
||||
$twoFactorInput->setIsPassword(true);
|
||||
$row->add($twoFactorInput, 12);
|
||||
$row->add(new htmlSpacer('1em', '1em'), 12);
|
||||
$submit = new htmlButton('submit', _("Submit"));
|
||||
$submit->setCSSClasses(array('fullwidth'));
|
||||
$row->add($submit, 12, 12, 12, 'fullwidth');
|
||||
$row->add(new htmlSpacer('0.5em', '0.5em'), 12);
|
||||
$logout = new htmlButton('logout', _("Cancel"));
|
||||
$logout->setCSSClasses(array('fullwidth'));
|
||||
$row->add($logout, 12);
|
||||
$group->addElement($row);
|
||||
|
||||
$tabindex = 1;
|
||||
addSecurityTokenToMetaHTML($group);
|
||||
parseHtml(null, $group, array(), false, $tabindex, 'user');
|
||||
|
||||
?>
|
||||
</div>
|
||||
</div>
|
||||
</form>
|
||||
<br><br>
|
||||
|
||||
<script type="text/javascript">
|
||||
$(document).foundation();
|
||||
myElement = document.getElementsByName('2factor')[0];
|
||||
myElement.focus();
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
|
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2006 Roland Gruber
|
||||
Copyright (C) 2003 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -44,6 +44,7 @@ include_once("../lib/ldap.inc");
|
|||
|
||||
// start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
// log message
|
||||
$ldapUser = $_SESSION['ldap']->decrypt_login();
|
||||
|
|
|
@ -4,7 +4,7 @@ namespace LAM\INIT;
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2016 Roland Gruber
|
||||
Copyright (C) 2003 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -36,6 +36,7 @@ include_once '../lib/profiles.inc';
|
|||
|
||||
// start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
setlanguage();
|
||||
|
||||
|
|
|
@ -63,6 +63,7 @@ class lamAjax {
|
|||
validateSecurityToken(false);
|
||||
|
||||
if (isset($_GET['module']) && isset($_GET['scope']) && in_array($_GET['module'], getAvailableModules($_GET['scope']))) {
|
||||
enforceUserIsLoggedIn();
|
||||
if (isset($_GET['useContainer']) && ($_GET['useContainer'] == '1')) {
|
||||
if (!isset($_SESSION['account'])) die();
|
||||
$module = $_SESSION['account']->getAccountModule($_GET['module']);
|
||||
|
@ -82,12 +83,13 @@ class lamAjax {
|
|||
}
|
||||
|
||||
$jsonInput = $_POST['jsonInput'];
|
||||
if ($function == 'passwordStrengthCheck') {
|
||||
lamAjax::checkPasswordStrength($jsonInput);
|
||||
}
|
||||
enforceUserIsLoggedIn();
|
||||
if ($function == 'passwordChange') {
|
||||
lamAjax::managePasswordChange($jsonInput);
|
||||
}
|
||||
elseif ($function == 'passwordStrengthCheck') {
|
||||
lamAjax::checkPasswordStrength($jsonInput);
|
||||
}
|
||||
elseif ($function == 'upload') {
|
||||
include_once('../../lib/upload.inc');
|
||||
$typeManager = new \LAM\TYPES\TypeManager();
|
||||
|
|
|
@ -21,7 +21,7 @@ use \htmlInputTextarea;
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2013 - 2016 Roland Gruber
|
||||
Copyright (C) 2013 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -57,6 +57,7 @@ include_once("../lib/status.inc");
|
|||
|
||||
// start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
// die if no write access
|
||||
if (!checkIfWriteAccessIsAllowed()) die();
|
||||
|
|
|
@ -50,6 +50,7 @@ include_once("../lib/status.inc");
|
|||
|
||||
// start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
// die if no write access
|
||||
if (!checkIfWriteAccessIsAllowed()) die();
|
||||
|
|
|
@ -15,13 +15,12 @@ use \htmlInputFileUpload;
|
|||
use \htmlHelpLink;
|
||||
use \htmlInputField;
|
||||
use \htmlHiddenInput;
|
||||
use \htmlDiv;
|
||||
/*
|
||||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2006 Michael Duergner
|
||||
2005 - 2016 Roland Gruber
|
||||
2005 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -60,6 +59,7 @@ include_once("../../lib/modules.inc");
|
|||
|
||||
// start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
// die if no write access
|
||||
if (!checkIfWriteAccessIsAllowed()) die();
|
||||
|
|
|
@ -19,7 +19,7 @@ $Id$
|
|||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2006 Michael Duergner
|
||||
2007 - 2016 Roland Gruber
|
||||
2007 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -62,6 +62,7 @@ include_once('../../lib/xml_parser.inc');
|
|||
|
||||
// start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
// die if no write access
|
||||
if (!checkIfWriteAccessIsAllowed()) die();
|
||||
|
|
|
@ -18,7 +18,7 @@ use \htmlInputField;
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2016 Roland Gruber
|
||||
Copyright (C) 2003 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -54,6 +54,7 @@ include_once("../../lib/config.inc");
|
|||
|
||||
// start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
// die if no write access
|
||||
if (!checkIfWriteAccessIsAllowed()) die();
|
||||
|
|
|
@ -12,7 +12,7 @@ use \htmlHiddenInput;
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2016 Roland Gruber
|
||||
Copyright (C) 2003 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -52,6 +52,7 @@ include_once("../../lib/status.inc");
|
|||
|
||||
// start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
// die if no write access
|
||||
if (!checkIfWriteAccessIsAllowed()) die();
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
Copyright (C) 2004 David Smith
|
||||
modified to fit for LDAP Account Manager 2005 - 2012 Roland Gruber
|
||||
modified to fit for LDAP Account Manager 2005 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -42,6 +42,7 @@ require_once("../../lib/schema.inc");
|
|||
|
||||
// start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
checkIfToolIsActive('toolSchemaBrowser');
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2009 - 2012 Roland Gruber
|
||||
Copyright (C) 2009 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -35,6 +35,7 @@ include_once("../lib/config.inc");
|
|||
|
||||
// start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
checkIfToolIsActive('toolServerInformation');
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2006 - 2012 Roland Gruber
|
||||
Copyright (C) 2006 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -35,6 +35,7 @@ include_once("../../lib/config.inc");
|
|||
|
||||
// start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
// die if no write access
|
||||
if (!checkIfWriteAccessIsAllowed()) die();
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2006 - 2016 Roland Gruber
|
||||
Copyright (C) 2006 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -36,6 +36,7 @@ include_once("../../lib/config.inc");
|
|||
|
||||
// start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
// die if no write access
|
||||
if (!checkIfWriteAccessIsAllowed()) die();
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2007 - 2016 Roland Gruber
|
||||
Copyright (C) 2007 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -39,6 +39,7 @@ include_once("../../lib/schema.inc");
|
|||
|
||||
// start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
// die if no write access
|
||||
if (!checkIfWriteAccessIsAllowed()) die();
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2003 - 2011 Roland Gruber
|
||||
Copyright (C) 2003 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -37,6 +37,7 @@ include_once("../lib/tools.inc");
|
|||
|
||||
// start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
setlanguage();
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
$Id$
|
||||
|
||||
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
|
||||
Copyright (C) 2010 - 2011 Roland Gruber
|
||||
Copyright (C) 2010 - 2017 Roland Gruber
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
|
@ -36,6 +36,7 @@ include_once("../../lib/config.inc");
|
|||
|
||||
// start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
setlanguage();
|
||||
|
||||
|
|
|
@ -48,6 +48,7 @@ include_once('../../lib/modules.inc');
|
|||
|
||||
// Start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
// check if this tool may be run
|
||||
checkIfToolIsActive('toolFileUpload');
|
||||
|
|
|
@ -45,6 +45,7 @@ include_once('../../lib/pdf.inc');
|
|||
|
||||
// Start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
// check if this tool may be run
|
||||
checkIfToolIsActive('toolFileUpload');
|
||||
|
|
|
@ -62,6 +62,7 @@ include_once('../../lib/upload.inc');
|
|||
|
||||
// Start session
|
||||
startSecureSession();
|
||||
enforceUserIsLoggedIn();
|
||||
|
||||
// check if this tool may be run
|
||||
checkIfToolIsActive('toolFileUpload');
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
/*.jpg
|