From d0a97c47a95c84e9efda7d8da9fae1de799f1608 Mon Sep 17 00:00:00 2001 From: Roland Gruber Date: Tue, 1 Jan 2019 10:54:31 +0100 Subject: [PATCH] YubiKey for self service --- lam/lib/2factor.inc | 20 ++++++++++++++++++-- lam/lib/selfService.inc | 38 +++++++++++++++++++++++++++++++++++++- 2 files changed, 55 insertions(+), 3 deletions(-) diff --git a/lam/lib/2factor.inc b/lam/lib/2factor.inc index c8e74394..d57416d2 100644 --- a/lam/lib/2factor.inc +++ b/lam/lib/2factor.inc @@ -5,7 +5,7 @@ use \LAMConfig; /* This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) - Copyright (C) 2017 - 2018 Roland Gruber + Copyright (C) 2017 - 2019 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -249,7 +249,12 @@ class YubicoProvider implements TwoFactorProvider { */ public function getSerials($user, $password) { $keyAttributeName = strtolower($this->config->twoFactorAuthenticationSerialAttributeName); - $loginDn = $_SESSION['ldap']->getUserName(); + if (isset($_SESSION['selfService_clientDN'])) { + $loginDn = lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService'); + } + else { + $loginDn = $_SESSION['ldap']->getUserName(); + } $handle = getLDAPServerHandle(); $ldapData = ldapGetDN($loginDn, array($keyAttributeName), $handle); if (empty($ldapData[$keyAttributeName])) { 
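Review bot: The new branch in getSerials decides which DN to look up by the mere presence of `$_SESSION['selfService_clientDN']` rather than by which application is running; `isSelfService()` from selfService.inc (`session_name() == 'SELFSERVICE'`) is the explicit signal, documents the intent, and avoids treating a stray session entry as authoritative for the lookup DN, assuming that helper is in scope for 2factor.inc. The decrypted value is also passed straight to `ldapGetDN` without checking that `lamDecrypt` returned a non-empty string, so a missing or corrupted session value would presumably surface only through the `empty($ldapData[...])` path whose handling is outside the hunk rather than as an explicit error. A method docblock line such as `In self service the user DN comes from the encrypted session value selfService_clientDN, otherwise from the admin LDAP session.` would make the dual contract visible. The getSerials body continues outside the hunk.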
@@ -346,6 +351,17 @@ class TwoFactorProviderService { $tfConfig->twoFactorAuthentication = $profile->twoFactorAuthentication; $tfConfig->twoFactorAuthenticationInsecure = $profile->twoFactorAuthenticationInsecure; $tfConfig->twoFactorAuthenticationURL = $profile->twoFactorAuthenticationURL; + $tfConfig->twoFactorAuthenticationClientId = $profile->twoFactorAuthenticationClientId; + $tfConfig->twoFactorAuthenticationSecretKey = $profile->twoFactorAuthenticationSecretKey; + if ($tfConfig->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_YUBICO) { + $moduleSettings = $profile->moduleSettings; + if (!empty($moduleSettings['yubiKeyUser_attributeName'][0])) { + $tfConfig->twoFactorAuthenticationSerialAttributeName = $moduleSettings['yubiKeyUser_attributeName'][0]; + } + else { + $tfConfig->twoFactorAuthenticationSerialAttributeName = 'yubiKeyId'; + } + } return $tfConfig; } diff --git a/lam/lib/selfService.inc b/lam/lib/selfService.inc index 5c79ebd5..459ba591 100644 --- a/lam/lib/selfService.inc +++ b/lam/lib/selfService.inc @@ -3,7 +3,7 @@ use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService; /* This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) - Copyright (C) 2006 - 2018 Roland Gruber + Copyright (C) 2006 - 2019 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by 
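Review bot: The provider check on the added `if` uses loose `==` against `TwoFactorProviderService::TWO_FACTOR_YUBICO`; a configured provider name should be compared strictly, i.e. `if ($tfConfig->twoFactorAuthentication === TwoFactorProviderService::TWO_FACTOR_YUBICO) {`, to rule out PHP's string/number coercion rules. The Yubico secret key is copied verbatim from the profile into the config object, whereas selfService.inc's `bindLdapUser` runs `deobfuscateText` on `$profile->LDAPPassword`; if the secret key is stored the same way this copy hands the provider the obfuscated form, and if it is stored in clear the profile now carries a plaintext API secret — either way a comment such as `// secret key is stored in clear text in the profile` or the matching deobfuscation call is needed here. The fallback `'yubiKeyId'` is a bare literal; a named constant would keep it in step with wherever the admin-side configuration defaults the same attribute. The enclosing method starts outside the hunk.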
@@ -300,6 +300,38 @@ function isSelfService() { return session_name() == 'SELFSERVICE'; } +/** + * Opens the LDAP connection and returns the handle. No bind is done. + * + * @param selfServiceProfile $profile profile + * @return handle LDAP handle or null if connection failed + */ +function openSelfServiceLdapConnection($profile) { + $server = connectToLDAP($profile->serverURL, $profile->useTLS); + if ($server != null) { + // follow referrals + ldap_set_option($server, LDAP_OPT_REFERRALS, $profile->followReferrals); + } + return $server; +} + +/** + * Binds the LDAP connections with given user and password. + * + * @param handle $handle LDAP handle + * @param selfServiceProfile profile + * @param string $userDn bind DN + * @param string $password bind password + * @return boolean binding successful + */ +function bindLdapUser($handle, $profile, $userDn, $password) { + if ($profile->useForAllOperations) { + $userDn = $profile->LDAPUser; + $password = deobfuscateText($profile->LDAPPassword); + } + return @ldap_bind($handle, $userDn, $password); +} + /** * Includes all settings of a self service profile. @@ -391,6 +423,8 @@ class selfServiceProfile { public $twoFactorAuthenticationLabel = null; public $twoFactorAuthenticationOptional = false; public $twoFactorAuthenticationCaption = ''; + public $twoFactorAuthenticationClientId = ''; + public $twoFactorAuthenticationSecretKey = ''; /** provider for captcha (-/google) */ public $captchaProvider = '-'; @@ -445,6 +479,8 @@ class selfServiceProfile { $this->twoFactorAuthenticationLabel = null; $this->twoFactorAuthenticationOptional = false; $this->twoFactorAuthenticationCaption = ''; + $this->twoFactorAuthenticationClientId = ''; + $this->twoFactorAuthenticationSecretKey = ''; $this->captchaProvider = '-'; $this->reCaptchaSiteKey = ''; $this->reCaptchaSecretKey = '';
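Review bot: `bindLdapUser` silently replaces the caller's `$userDn` and `$password` with the profile's service account when `useForAllOperations` is set, so a `true` return in that mode says nothing about whether the supplied user credentials were valid; the docblock should state this, e.g. `@return boolean binding successful (with useForAllOperations this reflects the profile's LDAPUser bind, not the supplied credentials)`, and any login path relying on this function must verify the user's password separately. The `@ldap_bind` suppression also discards the LDAP error, so recording `ldap_errno`/`ldap_error` on failure (without the password) would keep failed binds visible to operators. In `openSelfServiceLdapConnection` the `ldap_set_option(..., LDAP_OPT_REFERRALS, ...)` result is unchecked and `$server != null` is a loose comparison; testing against what `connectToLDAP` actually returns on failure (not visible here) with `===` would be more precise.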