From e107104da71630000eec17d3349974312a50a1cf Mon Sep 17 00:00:00 2001 From: Roland Gruber Date: Sat, 7 Mar 2009 16:22:30 +0000 Subject: [PATCH] allow to get login user DN from LDAP --- lam/help/help.inc | 36 ++++++++------ lam/lib/config.inc | 81 +++++++++++++++++++++++++++++-- lam/templates/config/config.js | 43 ++++++++++++++++ lam/templates/config/confmain.php | 50 +++++++++++++++++-- 4 files changed, 188 insertions(+), 22 deletions(-) create mode 100644 lam/templates/config/config.js diff --git a/lam/help/help.inc b/lam/help/help.inc index 1b598482..88dc4218 100644 --- a/lam/help/help.inc +++ b/lam/help/help.inc @@ -52,9 +52,9 @@ $helpArray = array ( // configuration wizard // configuration login // config profile management - "200" => array ("Headline" => _("Configuration wizard") . " - " . _("Login"), + "200" => array ("Headline" => _("Login"), "Text" => _("Please enter the configuration password. This is NOT your LDAP password. It is stored in your .conf-file. If this is the first time you log in, enter \"lam\".")), - "201" => array ("Headline" => _("Configuration wizard") . " - " . _("Server address"), + "201" => array ("Headline" => _("Server address"), "Text" => _("This is the server address of your LDAP server. Use ldap:// for standard LDAP connections and ldaps:// for encrypted (require server certificates) connections. The port value is optional.") . "

" . _("Examples") . @@ -66,51 +66,55 @@ $helpArray = array ( _("Note") . ":

" . _("When using ldaps:// be sure to use exactly the same IP/domain name as in your certificate!")), - "202" => array ("Headline" => _("Configuration wizard") . " - " . _("LDAP suffix"), + "202" => array ("Headline" => _("LDAP suffix"), "Text" => _("This is the suffix of the LDAP tree from where to search for LDAP entries. Only entries in this subtree will be displayed in the account list. When creating a new accont this will be the DN where it is saved.") . "

". _("Example"). ":

". _("ou=People,dc=yourcompany,dc=com will read and store all accounts in this subtree.")), - "203" => array ("Headline" => _("Configuration wizard") . " - " . _("Tree suffix"), + "203" => array ("Headline" => _("Tree suffix"), "Text" => _("This is the suffix for the LDAP tree viewer.") . "

". _("Example"). ":

". _("dc=yourcompany,dc=com")), - "206" => array ("Headline" => _("Configuration wizard") . " - " . _("List attributes"), + "206" => array ("Headline" => _("List attributes"), "Text" => _("This is the list of attributes to show in the account list. The entries can either be predefined values, \"#attribute\", or individual ones, \"attribute:description\". Several entries are separated by semicolons.") . "


" . _("Example") . ": #homeDirectory;#uid;#uidNumber;#gidNumber;mail:Mail address

" . "
" . _("Predefined values") . ":


" . $entry206Example), - "207" => array ("Headline" => _("Configuration wizard") . " - " . _("Valid users"), + "207" => array ("Headline" => _("Valid users"), "Text" => _("This is a list of valid DN entries of all users that are allowed to login to LDAP Account Manager. Please enter one DN per line.") . "

" . _("Example") . ": cn=admin,dc=yourdomain,dc=org;cn=manager,dc=yourdomain,dc=org"), "208" => array ("Headline" => _("Maximum list entries"), "Text" => _("This is the number of rows to show in the account list. If more entries are found the list will be split into several pages.")), - "209" => array ("Headline" => _("Configuration wizard") . " - " . _("Default language"), + "209" => array ("Headline" => _("Default language"), "Text" => _("This defines the language of the login window and sets this language as the default language. Users can change the language at login.")), - "210" => array ("Headline" => _("Configuration wizard") . " - " . _("Script path"), + "210" => array ("Headline" => _("Script path"), "Text" => _("This is the absolute path to an external script for setting quotas and creating home directories.")), - "212" => array ("Headline" => _("Configuration wizard") . " - " . _("Change password"), + "212" => array ("Headline" => _("Change password"), "Text" => _("If you want to change the current preferences password, please enter it here.")), - "214" => array ("Headline" => _("Configuration wizard") . " - " . _("Cache timeout"), + "214" => array ("Headline" => _("Cache timeout"), "Text" => _("This is the time in minutes which LAM caches its LDAP searches. Shorter times will stress LDAP more but decrease the possibility that changes are not identified.")), - "215" => array ("Headline" => _("Configuration wizard") . " - " . _("Access level"), + "215" => array ("Headline" => _("Access level"), "Text" => _("You can specify if LAM allows full write access, password changes or only read access.")), - "216" => array ("Headline" => _("Configuration wizard") . " - " . _("Text for user PDF"), + "216" => array ("Headline" => _("Text for user PDF"), "Text" => _("This text will appear on top of every user PDF file.")), - "217" => array ("Headline" => _("Configuration wizard") . " - " . 
_("Account types and modules"), + "217" => array ("Headline" => _("Account types and modules"), "Text" => _("Here you can select which plugins you want to use for account management.") . "

" . _("Account types define which sorts of LDAP entries (e.g. users and groups) should be managed. The account modules define which properties (e.g. Unix and Samba) can be edited.")), - "218" => array ("Headline" => _("Configuration wizard") . " - " . _("Script servers"), + "218" => array ("Headline" => _("Script servers"), "Text" => _("This is a list of the servers where the lamdaemon scripts are stored. LDAP Account Manager will make a SSH connection to the servers with the user name and password provided at login. Multiple servers are separated by semicolons. You can append a descriptive name after a colon.") . "
" . _("If your server runs on another port then add a comma and the port number after the server.") . "

" . _("Example") . ": 127.0.0.1:LOCAL;192.168.0.2,12345:Servername;192.168.0.5"), - "219" => array ("Headline" => _("Configuration wizard") . " - " . _("Rights for the home directory"), + "219" => array ("Headline" => _("Rights for the home directory"), "Text" => _("This defines the rights for the home directories which are created by lamdaemon.")), + "220" => array ("Headline" => _("Login method"), + "Text" => _("The number of users who may login to LAM is restricted. This can be either a fixed list of DNs or LAM can search LDAP to find a DN which matches the given user name.")), + "221" => array ("Headline" => _("LDAP search"), + "Text" => _("Please enter the LDAP suffix where LAM should start to search for users. The LDAP filter needs to match the given user name to exactly one DN. The value \"%USER%\" will be replaced by the user name from the login page.")), "230" => array ("Headline" => _("Profile management") . " - " . _("Add profile"), "Text" => _("Please enter the name of the new profile and the password to change its settings. Profile names may contain letters, numbers and -/_.")), "231" => array ("Headline" => _("Profile management") . " - " . _("Rename profile"), @@ -125,7 +129,7 @@ $helpArray = array ( "Text" => _("If you want to change your master configuration password, please enter it here.")), "236" => array ("Headline" => _("Master password"), "Text" => _("Please enter the master configuration password. This is NOT your LDAP password. It is stored in your config.cfg file. If this is the first time you log in, enter \"lam\".")), - "237" => array ("Headline" => _("Configuration wizard") . " - " . _("Base module"), + "237" => array ("Headline" => _("Base module"), "Text" => _("Every account type needs exactly one base module. This module provides a structural object class.")), "238" => array ("Headline" => _("Session timeout"), "Text" => _("This is the time (in minutes) of inactivity after which a user is automatically logged off.")), 
diff --git a/lam/lib/config.inc b/lam/lib/config.inc index 0bab5666..091dceba 100644 --- a/lam/lib/config.inc +++ b/lam/lib/config.inc @@ -3,7 +3,7 @@ $Id$ This code is part of LDAP Account Manager (http://www.sourceforge.net/projects/lam) - Copyright (C) 2003 - 2007 Roland Gruber + Copyright (C) 2003 - 2009 Roland Gruber This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -163,9 +163,14 @@ function metaRefresh($page) { */ class LAMConfig { + /* access levels */ const ACCESS_ALL = 100; const ACCESS_PASSWORD_CHANGE = 20; const ACCESS_READ_ONLY = 0; + + /* login method: predefined list or LDAP search */ + const LOGIN_LIST = 'list'; + const LOGIN_SEARCH = 'search'; /** Server address (e.g. ldap://127.0.0.1:389) */ private $ServerURL; @@ -218,12 +223,23 @@ class LAMConfig { /** Name of configuration file */ private $file; - private $accessLevel = 100; + /** access level */ + private $accessLevel = LAMconfig::ACCESS_ALL; + + /** login method */ + private $loginMethod = LAMconfig::LOGIN_LIST; + + /** search suffix for login */ + private $loginSearchSuffix = 'dc=yourdomain,dc=org'; + + /** search filter for login */ + private $loginSearchFilter = 'uid=%USER%'; /** List of all settings in config file */ private $settings = array("ServerURL", "Passwd", "Admins", "treesuffix", "defaultLanguage", "scriptPath", "scriptServer", "scriptRights", "cachetimeout", - "modules", "activeTypes", "types", "accessLevel"); + "modules", "activeTypes", "types", "accessLevel", 'loginMethod', 'loginSearchSuffix', + 'loginSearchFilter'); /** 
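Review bot: The new property initialisers `private $accessLevel = LAMconfig::ACCESS_ALL;` and `private $loginMethod = LAMconfig::LOGIN_LIST;` spell the class `LAMconfig` while it is declared `LAMConfig`; PHP resolves this case-insensitively, but `self::ACCESS_ALL` and `self::LOGIN_LIST` remove the mismatch and keep working if the class is ever renamed (the `@see` tags in the -870 hunk use the same spelling). The default `'dc=yourdomain,dc=org'` for `$loginSearchSuffix` is a placeholder that the -367 hunk writes into every profile file; a comment such as `/** search suffix for login (placeholder, must be set before LOGIN_SEARCH is usable) */` would make that explicit for whoever reads the saved file.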
@@ -367,6 +383,9 @@ class LAMConfig {
 if (!in_array("cachetimeout", $saved)) array_push($file_array, "\n\n# Number of minutes LAM caches LDAP searches.\n" . "cacheTimeout: " . $this->cachetimeout . "\n");
 if (!in_array("activeTypes", $saved)) array_push($file_array, "\n\n# List of active account types.\n" . "activeTypes: " . $this->activeTypes . "\n");
 if (!in_array("accessLevel", $saved)) array_push($file_array, "\n\n# Access level for this profile.\n" . "accessLevel: " . $this->accessLevel . "\n");
+ if (!in_array("loginMethod", $saved)) array_push($file_array, "\n\n# Login method.\n" . "loginMethod: " . $this->loginMethod . "\n");
+ if (!in_array("loginSearchSuffix", $saved)) array_push($file_array, "\n\n# Search suffix for LAM login.\n" . "loginSearchSuffix: " . $this->loginSearchSuffix . "\n");
+ if (!in_array("loginSearchFilter", $saved)) array_push($file_array, "\n\n# Search filter for LAM login.\n" . "loginSearchFilter: " . $this->loginSearchFilter . "\n");
 // check if all module settings were added
 $m_settings = array_keys($this->moduleSettings);
 for ($i = 0; $i < sizeof($m_settings); $i++) {
@@ -870,6 +889,62 @@ class LAMConfig {
 public function setAccessLevel($level) {
 $this->accessLevel = $level;
 }
+
+ /**
+ * Returns the login method.
+ *
+ * @return String login method
+ * @see LAMconfig::LOGIN_LIST
+ * @see LAMconfig::LOGIN_SEARCH
+ */
+ public function getLoginMethod() {
+ return $this->loginMethod;
+ }
+
+ /**
+ * Sets the login method.
+ *
+ * @param String $loginMethod
+ */
+ public function setLoginMethod($loginMethod) {
+ $this->loginMethod = $loginMethod;
+ }
+
+ /**
+ * Returns the login search filter.
+ *
+ * @return String search filter
+ */
+ public function getLoginSearchFilter() {
+ return $this->loginSearchFilter;
+ }
+
+ /**
+ * Sets the login search filter.
+ *
+ * @param String $loginSearchFilter search filter
+ */
+ public function setLoginSearchFilter($loginSearchFilter) {
+ $this->loginSearchFilter = $loginSearchFilter;
+ }
+
+ /**
+ * Returns the login search suffix.
+ *
+ * @return String suffix
+ */
+ public function getLoginSearchSuffix() {
+ return $this->loginSearchSuffix;
+ }
+
+ /**
+ * Sets the login search suffix.
+ *
+ * @param String $loginSearchSuffix suffix
+ */
+ public function setLoginSearchSuffix($loginSearchSuffix) {
+ $this->loginSearchSuffix = $loginSearchSuffix;
+ }
 }
diff --git a/lam/templates/config/config.js b/lam/templates/config/config.js
new file mode 100644
index 00000000..d8381361
--- /dev/null
+++ b/lam/templates/config/config.js
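Review bot: `setLoginMethod()` stores whatever it is given, and confmain.php hands it `$_POST['loginMethod']` directly, so any value other than `LOGIN_LIST`/`LOGIN_SEARCH` ends up in the profile file and the login code later has to cope with it. Validate the way `set_Adminstring()` does and let the caller report it: `if ($loginMethod !== LAMConfig::LOGIN_LIST && $loginMethod !== LAMConfig::LOGIN_SEARCH) return false;` before the assignment, then `return true;`. For the same reason `setLoginSearchFilter()` and `setLoginSearchSuffix()` should refuse values containing CR or LF (`strpbrk($loginSearchFilter, "\r\n") !== false`), since the -367 hunk writes them line by line into the `key: value` config file and a newline in the value would split into a second, unintended key. The setter docblock should also say that `%USER%` has to be substituted with an LDAP-filter-escaped user name, so the code that performs the search does not interpolate the login name raw.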
@@ -0,0 +1,43 @@ +/** + +$Id$ + + This code is part of LDAP Account Manager (http://www.sourceforge.net/projects/lam) + Copyright (C) 2009 Roland Gruber + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA + +*/ + +/** + * The following functions are used for the LAM configuration wizard. + */ + +/** + * Hides/unhides input fields for the login method. + */ +function configLoginMethodChanged() { + selectLoginMethod = document.getElementsByName('loginMethod')[0]; + if ( selectLoginMethod.options[selectLoginMethod.selectedIndex].value == 'list' ) { + document.getElementById('trAdminList').style.display = ''; + document.getElementById('trLoginSearchSuffix').style.display = 'none'; + document.getElementById('trLoginSearchFilter').style.display = 'none'; + } + else { + document.getElementById('trAdminList').style.display = 'none'; + document.getElementById('trLoginSearchSuffix').style.display = ''; + document.getElementById('trLoginSearchFilter').style.display = ''; + } +} diff --git a/lam/templates/config/confmain.php b/lam/templates/config/confmain.php index a08a55a4..564951da 100644 --- a/lam/templates/config/confmain.php +++ b/lam/templates/config/confmain.php @@ -121,8 +121,9 @@ echo ("" . _("LDAP Account Manager Configuration") . "\n"); echo ("\n"); echo "\n"; echo ("\n"); -echo ("\n"); +echo ("\n"); echo "\n"; +echo "\n"; echo ("
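Review bot: `selectLoginMethod` in `configLoginMethodChanged()` is assigned without `var`, which makes it an implicit global; write `var selectLoginMethod = document.getElementsByName('loginMethod')[0];`. The literal `'list'` has to stay in sync with `LAMConfig::LOGIN_LIST` in config.inc, and a comment `// keep in sync with LAMConfig::LOGIN_LIST` on that line would save a maintainer the search. Hiding the rows with `display: none` does not stop the browser from submitting the hidden fields, which is presumably intended since confmain.php saves all three values unconditionally.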

". "\"LDAP

\n
\n

 

\n"); @@ -394,15 +395,55 @@ echo ("
\n"); // security setings echo ("
" . _("Security settings") . "
\n"); echo ("\n"); +// login method +echo ("". + "\n"); +$tabindex++; +echo "\n"; // admin list $adminText = implode("\n", explode(";", $conf->get_Adminstring())); -echo ("". - "\n"); + "\n"; echo "\n"; $tabindex++; +// login search suffix +echo "". + "\n"; +echo "\n"; +$tabindex++; +// login search filter +echo "". + "\n"; +echo "\n"; +$tabindex++; echo ("\n"); @@ -481,6 +522,9 @@ function saveSettings() { if (trim($adminText[$i]) == "") continue; $adminTextNew[] = trim($adminText[$i]); } + $conf->setLoginMethod($_POST['loginMethod']); + $conf->setLoginSearchFilter($_POST['loginSearchFilter']); + $conf->setLoginSearchSuffix($_POST['loginSearchSuffix']); if (!$conf->set_Adminstring(implode(";", $adminTextNew))) { $errors[] = array("ERROR", _("List of admin users is empty or invalid!")); }
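Review bot: In the new suffix and filter rows the stored values are echoed unescaped into an HTML attribute, `value=\"" . $conf->getLoginSearchSuffix() . "\" size=50>` (and likewise for `getLoginSearchFilter()`); a double quote in the configured value terminates the attribute and whatever follows is rendered as markup. Wrap both in `htmlspecialchars()`, e.g. `value=\"" . htmlspecialchars($conf->getLoginSearchSuffix()) . "\" size=50>`. The markup of this hunk was stripped in this rendering, so whether the admin-list textarea in the same hunk escapes its content cannot be checked here.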
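Review bot: `$_POST['loginMethod']`, `$_POST['loginSearchFilter']` and `$_POST['loginSearchSuffix']` are passed to the setters with no check at all, while `set_Adminstring()` two lines below gets an error entry on failure; the new values need the same treatment, at least when the search method is selected. Help entry 221 requires the filter to contain `%USER%` and to match exactly one DN, so a guard along the lines of `if ($_POST['loginMethod'] == LAMConfig::LOGIN_SEARCH && (trim($_POST['loginSearchSuffix']) == '' || strpos($_POST['loginSearchFilter'], '%USER%') === false)) $errors[] = array("ERROR", _("LDAP suffix or filter for login is invalid!"));` (message wording is a suggestion) would report a misconfiguration instead of silently saving it. `isset()` checks on the three keys are also missing. `saveSettings()` starts before this hunk.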
". + _("Login method") . ": "; +printHelpLink(getHelp('', '220'), '220'); +echo "
". +echo "
\n"; +echo "". _("List of valid users") . " *: "; printHelpLink(getHelp('', '207'), '207'); echo "
\n"; +echo "". + _("LDAP suffix") . " *: getLoginSearchSuffix() . "\" size=50>"; +printHelpLink(getHelp('', '221'), '221'); +echo "
\n"; +echo "". + _("LDAP filter") . " *: getLoginSearchFilter() . "\" size=50>"; +printHelpLink(getHelp('', '221'), '221'); +echo "