YubiKey for self service

This commit is contained in:
Roland Gruber 2019-01-01 10:54:31 +01:00
parent 89ab8d0f1f
commit d0a97c47a9
2 changed files with 55 additions and 3 deletions


@ -5,7 +5,7 @@ use \LAMConfig;
/* /*
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2017 - 2018 Roland Gruber Copyright (C) 2017 - 2019 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -249,7 +249,12 @@ class YubicoProvider implements TwoFactorProvider {
*/ */
public function getSerials($user, $password) { public function getSerials($user, $password) {
$keyAttributeName = strtolower($this->config->twoFactorAuthenticationSerialAttributeName); $keyAttributeName = strtolower($this->config->twoFactorAuthenticationSerialAttributeName);
if (isset($_SESSION['selfService_clientDN'])) {
$loginDn = lamDecrypt($_SESSION['selfService_clientDN'], 'SelfService');
}
else {
$loginDn = $_SESSION['ldap']->getUserName(); $loginDn = $_SESSION['ldap']->getUserName();
}
$handle = getLDAPServerHandle(); $handle = getLDAPServerHandle();
$ldapData = ldapGetDN($loginDn, array($keyAttributeName), $handle); $ldapData = ldapGetDN($loginDn, array($keyAttributeName), $handle);
if (empty($ldapData[$keyAttributeName])) { if (empty($ldapData[$keyAttributeName])) {
@ -346,6 +351,17 @@ class TwoFactorProviderService {
$tfConfig->twoFactorAuthentication = $profile->twoFactorAuthentication; $tfConfig->twoFactorAuthentication = $profile->twoFactorAuthentication;
$tfConfig->twoFactorAuthenticationInsecure = $profile->twoFactorAuthenticationInsecure; $tfConfig->twoFactorAuthenticationInsecure = $profile->twoFactorAuthenticationInsecure;
$tfConfig->twoFactorAuthenticationURL = $profile->twoFactorAuthenticationURL; $tfConfig->twoFactorAuthenticationURL = $profile->twoFactorAuthenticationURL;
$tfConfig->twoFactorAuthenticationClientId = $profile->twoFactorAuthenticationClientId;
$tfConfig->twoFactorAuthenticationSecretKey = $profile->twoFactorAuthenticationSecretKey;
if ($tfConfig->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_YUBICO) {
$moduleSettings = $profile->moduleSettings;
if (!empty($moduleSettings['yubiKeyUser_attributeName'][0])) {
$tfConfig->twoFactorAuthenticationSerialAttributeName = $moduleSettings['yubiKeyUser_attributeName'][0];
}
else {
$tfConfig->twoFactorAuthenticationSerialAttributeName = 'yubiKeyId';
}
}
return $tfConfig; return $tfConfig;
} }
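Review bot: In getSerials, the new self-service branch is selected by `isset($_SESSION['selfService_clientDN'])` rather than by the session-mode check this commit's other file exposes as `isSelfService()`, and the decrypted DN goes straight into ldapGetDN without confirming that lamDecrypt yielded a non-empty string. If that helper is reachable from this namespace I would write `if (\isSelfService()) {` for the branch and add `if (empty($loginDn)) { return array(); }` before the ldapGetDN call, assuming an empty array is what the existing empty-attribute branch returns; that branch and the rest of getSerials continue past the hunk. In the TwoFactorProviderService hunk, `$tfConfig->twoFactorAuthentication == TwoFactorProviderService::TWO_FACTOR_YUBICO` compares configuration strings loosely and should use `===`.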


@ -3,7 +3,7 @@ use \LAM\LIB\TWO_FACTOR\TwoFactorProviderService;
/* /*
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2006 - 2018 Roland Gruber Copyright (C) 2006 - 2019 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -300,6 +300,38 @@ function isSelfService() {
return session_name() == 'SELFSERVICE'; return session_name() == 'SELFSERVICE';
} }
/**
* Opens the LDAP connection and returns the handle. No bind is done.
*
* @param selfServiceProfile $profile profile
* @return handle LDAP handle or null if connection failed
*/
function openSelfServiceLdapConnection($profile) {
$server = connectToLDAP($profile->serverURL, $profile->useTLS);
if ($server != null) {
// follow referrals
ldap_set_option($server, LDAP_OPT_REFERRALS, $profile->followReferrals);
}
return $server;
}
/**
* Binds the LDAP connections with given user and password.
*
* @param handle $handle LDAP handle
* @param selfServiceProfile profile
* @param string $userDn bind DN
* @param string $password bind password
* @return boolean binding successful
*/
function bindLdapUser($handle, $profile, $userDn, $password) {
if ($profile->useForAllOperations) {
$userDn = $profile->LDAPUser;
$password = deobfuscateText($profile->LDAPPassword);
}
return @ldap_bind($handle, $userDn, $password);
}
/** /**
* Includes all settings of a self service profile. * Includes all settings of a self service profile.
@ -391,6 +423,8 @@ class selfServiceProfile {
public $twoFactorAuthenticationLabel = null; public $twoFactorAuthenticationLabel = null;
public $twoFactorAuthenticationOptional = false; public $twoFactorAuthenticationOptional = false;
public $twoFactorAuthenticationCaption = ''; public $twoFactorAuthenticationCaption = '';
public $twoFactorAuthenticationClientId = '';
public $twoFactorAuthenticationSecretKey = '';
/** provider for captcha (-/google) */ /** provider for captcha (-/google) */
public $captchaProvider = '-'; public $captchaProvider = '-';
@ -445,6 +479,8 @@ class selfServiceProfile {
$this->twoFactorAuthenticationLabel = null; $this->twoFactorAuthenticationLabel = null;
$this->twoFactorAuthenticationOptional = false; $this->twoFactorAuthenticationOptional = false;
$this->twoFactorAuthenticationCaption = ''; $this->twoFactorAuthenticationCaption = '';
$this->twoFactorAuthenticationClientId = '';
$this->twoFactorAuthenticationSecretKey = '';
$this->captchaProvider = '-'; $this->captchaProvider = '-';
$this->reCaptchaSiteKey = ''; $this->reCaptchaSiteKey = '';
$this->reCaptchaSecretKey = ''; $this->reCaptchaSecretKey = '';
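Review bot: bindLdapUser silently replaces the supplied `$userDn` and `$password` with the profile's service account whenever `useForAllOperations` is set, so in that mode a true return says nothing about the caller's credentials; the docblock should state this so the function is not mistaken for the authentication step, e.g. `* If useForAllOperations is set, the given credentials are ignored and the profile's LDAP user is bound instead; the user's own password must be verified separately.` The `@ldap_bind` on the return line also hides why a bind failed, so consider dropping the `@` and logging `ldap_error($handle)` in the false case. The `@param selfServiceProfile profile` line is missing the `$profile` variable name. Both new helpers are complete within the hunk.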