WMDE
/
LDAPAccountManager
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

added configuration for remote logging

This commit is contained in:
Roland Gruber 2019-02-23 19:44:10 +01:00
parent 4949b1b70a
commit ffe2316003
4 changed files with 96 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lam/help/help.inc
View File

@ -5,7 +5,7 @@ use \LAM\TYPES\TypeManager;
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2006 Michael Duergner Copyright (C) 2003 - 2006 Michael Duergner
2003 - 2018 Roland Gruber 2003 - 2019 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -175,6 +175,8 @@ $helpArray = array (
"Text" => _('Please specify the URL (e.g. "https://api.pwnedpasswords.com/range/{SHA1PREFIX}") of your external password check.')), "Text" => _('Please specify the URL (e.g. "https://api.pwnedpasswords.com/range/{SHA1PREFIX}") of your external password check.')),
"250" => array ("Headline" => _("Filter"), "250" => array ("Headline" => _("Filter"),
"Text" => _("Here you can input simple filter expressions (e.g. 'value' or 'v*'). The filter is case-insensitive.")), "Text" => _("Here you can input simple filter expressions (e.g. 'value' or 'v*'). The filter is case-insensitive.")),
"251" => array ("Headline" => _("Remote serrver"),
"Text" => _("Please enter the syslog remote server in format \"server:port\".")),
"260" => array ("Headline" => _("Additional LDAP filter"), "260" => array ("Headline" => _("Additional LDAP filter"),
"Text" => _('Use this to enter an additional LDAP filter (e.g. "(cn!=admin)") to reduce the number of visible elements for this account type.') "Text" => _('Use this to enter an additional LDAP filter (e.g. "(cn!=admin)") to reduce the number of visible elements for this account type.')
. ' ' . _('You can use the wildcard @@LOGIN_DN@@ which will be substituted with the DN of the user who is currently logged in to LAM.') . ' ' . _('You can use the wildcard @@LOGIN_DN@@ which will be substituted with the DN of the user who is currently logged in to LAM.')

2
lam/lib/config.inc
View File

@ -2309,7 +2309,7 @@ class LAMCfgMain {
/** log level */ /** log level */
public $logLevel; public $logLevel;
/** log destination ("SYSLOG":syslog, "/...":file, "NONE":none) */ /** log destination ("SYSLOG":syslog, "/...":file, "NONE":none, "REMOTE":server:port) */
public $logDestination; public $logDestination;
/** list of hosts which may access LAM */ /** list of hosts which may access LAM */

46
lam/lib/security.inc
View File

@ -249,7 +249,11 @@ function isDebugLoggingEnabled() {
* @param string $message log message * @param string $message log message
*/ */
function logNewMessage($level, $message) { function logNewMessage($level, $message) {
$possibleLevels = array(LOG_DEBUG => 'DEBUG', LOG_NOTICE => 'NOTICE', LOG_WARNING => 'WARNING', LOG_ERR => 'ERROR'); $possibleLevels = array(
LOG_DEBUG => 'DEBUG',
LOG_NOTICE => 'NOTICE',
LOG_WARNING => 'WARNING',
LOG_ERR => 'ERROR');
if (!in_array($level, array_keys($possibleLevels))) { if (!in_array($level, array_keys($possibleLevels))) {
StatusMessage('ERROR', 'Invalid log level!', $level); StatusMessage('ERROR', 'Invalid log level!', $level);
} }
@ -272,6 +276,10 @@ function logNewMessage($level, $message) {
if ($cfg->logDestination == 'SYSLOG') { if ($cfg->logDestination == 'SYSLOG') {
syslog($level, $message); syslog($level, $message);
} }
// remote logging
if (strpos($cfg->logDestination, 'REMOTE') === 0) {
lamLogRemoteMessage($level, $message, $cfg);
}
// log to file // log to file
else { else {
@touch($cfg->logDestination); @touch($cfg->logDestination);
@ -743,4 +751,40 @@ function lamEncryptionAlgo() {
return 'AES256'; return 'AES256';
} }
/**
* Logs a message to a remote logging service.
*
* @param int $level log level
* @param string $message log message
* @param LAMCfgMain $cfgMain main configuration
*/
function lamLogRemoteMessage($level, $message, $cfgMain) {
include_once __DIR__ . '/3rdParty/Monolog/Logger.php';
include_once __DIR__ . '/3rdParty/Monolog/Formatter/LineFormatter.php';
include_once __DIR__ . '/3rdParty/Monolog/Handler/SyslogUdpHandler.php';
$remoteParts = explode(':', $cfgMain->logDestination);
$server = $remoteParts[0];
$port = $remoteParts[1];
$output = "%channel%.%level_name%: %message%";
$formatter = new Monolog\Formatter\LineFormatter($output);
$logger = new Monolog\Logger('lam');
$syslogHandler = new Monolog\Handler\SyslogUdpHandler($server, $port);
$syslogHandler->setFormatter($formatter);
$logger->pushHandler($syslogHandler);
switch ($level) {
case LOG_DEBUG:
$logger->addDebug($message);
break;
case LOG_NOTICE:
$logger->addNotice($message);
break;
case LOG_WARNING:
$logger->addWarning($message);
break;
case LOG_ERR:
$logger->addError($message);
break;
}
}
?> ?>

60
lam/templates/config/mainmanage.php
View File

@ -25,7 +25,7 @@ use \htmlHiddenInput;
/* /*
This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/) This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
Copyright (C) 2003 - 2018 Roland Gruber Copyright (C) 2003 - 2019 Roland Gruber
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by it under the terms of the GNU General Public License as published by
@ -96,7 +96,9 @@ if (isset($_POST['submitFormData'])) {
$msg = _("New master password set successfully."); $msg = _("New master password set successfully.");
unset($_SESSION["mainconf_password"]); unset($_SESSION["mainconf_password"]);
} }
else $errors[] = _("Master passwords are different or empty!"); else {
$errors[] = _("Master passwords are different or empty!");
}
} }
// set license // set license
if (isLAMProVersion()) { if (isLAMProVersion()) {
@ -125,7 +127,9 @@ if (isset($_POST['submitFormData'])) {
} }
$allowedHosts = implode(",", $allowedHostsList); $allowedHosts = implode(",", $allowedHostsList);
} }
else $allowedHosts = ""; else {
$allowedHosts = "";
}
$cfg->allowedHosts = $allowedHosts; $cfg->allowedHosts = $allowedHosts;
// set allowed hosts for self service // set allowed hosts for self service
if (isLAMProVersion()) { if (isLAMProVersion()) {
@ -147,7 +151,9 @@ if (isset($_POST['submitFormData'])) {
} }
$allowedHostsSelfService = implode(",", $allowedHostsSelfServiceList); $allowedHostsSelfService = implode(",", $allowedHostsSelfServiceList);
} }
else $allowedHostsSelfService = ""; else {
$allowedHostsSelfService = "";
}
$cfg->allowedHostsSelfService = $allowedHostsSelfService; $cfg->allowedHostsSelfService = $allowedHostsSelfService;
} }
// set session encryption // set session encryption
@ -161,13 +167,26 @@ if (isset($_POST['submitFormData'])) {
// set log level // set log level
$cfg->logLevel = $_POST['logLevel']; $cfg->logLevel = $_POST['logLevel'];
// set log destination // set log destination
if ($_POST['logDestination'] == "none") $cfg->logDestination = "NONE"; if ($_POST['logDestination'] == "none") {
elseif ($_POST['logDestination'] == "syslog") $cfg->logDestination = "SYSLOG"; $cfg->logDestination = "NONE";
}
elseif ($_POST['logDestination'] == "syslog") {
$cfg->logDestination = "SYSLOG";
}
elseif ($_POST['logDestination'] == "remote") {
$cfg->logDestination = "REMOTE:" . $_POST['logRemote'];
$remoteParts = explode(':', $_POST['logRemote']);
if ((sizeof($remoteParts) !== 2) || !get_preg($remoteParts[0], 'DNSname') || !get_preg($remoteParts[1], 'digit')) {
$errors[] = _("Please enter a valid remote server in format \"server:port\".");
}
}
else { else {
if (isset($_POST['logFile']) && ($_POST['logFile'] != "") && preg_match("/^[a-z0-9\\/\\\\:\\._-]+$/i", $_POST['logFile'])) { if (isset($_POST['logFile']) && ($_POST['logFile'] != "") && preg_match("/^[a-z0-9\\/\\\\:\\._-]+$/i", $_POST['logFile'])) {
$cfg->logDestination = $_POST['logFile']; $cfg->logDestination = $_POST['logFile'];
} }
else $errors[] = _("The log file is empty or contains invalid characters! Valid characters are: a-z, A-Z, 0-9, /, \\, ., :, _ and -."); else {
$errors[] = _("The log file is empty or contains invalid characters! Valid characters are: a-z, A-Z, 0-9, /, \\, ., :, _ and -.");
}
} }
// password policies // password policies
$cfg->passwordMinLength = $_POST['passwordMinLength']; $cfg->passwordMinLength = $_POST['passwordMinLength'];
@ -380,9 +399,9 @@ $rulesCountOptions = array(_('all') => '-1', '3' => '3', '4' => '4');
$rulesCountSelect = new htmlResponsiveSelect('passwordRulesCount', $rulesCountOptions, array($cfg->checkedRulesCount), _('Number of rules that must match'), '246'); $rulesCountSelect = new htmlResponsiveSelect('passwordRulesCount', $rulesCountOptions, array($cfg->checkedRulesCount), _('Number of rules that must match'), '246');
$rulesCountSelect->setHasDescriptiveElements(true); $rulesCountSelect->setHasDescriptiveElements(true);
$row->add($rulesCountSelect, 12); $row->add($rulesCountSelect, 12);
$passwordMustNotContainUser = ($cfg->passwordMustNotContainUser === 'true') ? true : false; $passwordMustNotContainUser = ($cfg->passwordMustNotContainUser === 'true');
$row->add(new htmlResponsiveInputCheckbox('passwordMustNotContainUser',$passwordMustNotContainUser , _('Password must not contain user name'), '247'), 12); $row->add(new htmlResponsiveInputCheckbox('passwordMustNotContainUser',$passwordMustNotContainUser , _('Password must not contain user name'), '247'), 12);
$passwordMustNotContain3Chars = ($cfg->passwordMustNotContain3Chars === 'true') ? true : false; $passwordMustNotContain3Chars = ($cfg->passwordMustNotContain3Chars === 'true');
$row->add(new htmlResponsiveInputCheckbox('passwordMustNotContain3Chars', $passwordMustNotContain3Chars, _('Password must not contain part of user/first/last name'), '248'), 12); $row->add(new htmlResponsiveInputCheckbox('passwordMustNotContain3Chars', $passwordMustNotContain3Chars, _('Password must not contain part of user/first/last name'), '248'), 12);
if (function_exists('curl_init')) { if (function_exists('curl_init')) {
$row->addVerticalSpacer('1rem'); $row->addVerticalSpacer('1rem');
@ -395,9 +414,15 @@ $levelOptions = array(_("Debug") => LOG_DEBUG, _("Notice") => LOG_NOTICE, _("War
$levelSelect = new htmlResponsiveSelect('logLevel', $levelOptions, array($cfg->logLevel), _("Log level"), '239'); $levelSelect = new htmlResponsiveSelect('logLevel', $levelOptions, array($cfg->logLevel), _("Log level"), '239');
$levelSelect->setHasDescriptiveElements(true); $levelSelect->setHasDescriptiveElements(true);
$row->add($levelSelect, 12); $row->add($levelSelect, 12);
$destinationOptions = array(_("No logging") => "none", _("System logging") => "syslog", _("File") => 'file'); $destinationOptions = array(
_("No logging") => "none",
_("System logging") => "syslog",
_("File") => 'file',
_("Remote") => 'remote',
);
$destinationSelected = 'file'; $destinationSelected = 'file';
$destinationPath = $cfg->logDestination; $destinationPath = $cfg->logDestination;
$destinationRemote = '';
if ($cfg->logDestination == 'NONE') { if ($cfg->logDestination == 'NONE') {
$destinationSelected = 'none'; $destinationSelected = 'none';
$destinationPath = ''; $destinationPath = '';
@ -406,17 +431,27 @@ elseif ($cfg->logDestination == 'SYSLOG') {
$destinationSelected = 'syslog'; $destinationSelected = 'syslog';
$destinationPath = ''; $destinationPath = '';
} }
elseif (strpos($cfg->logDestination, 'REMOTE') === 0) {
$destinationSelected = 'remote';
$remoteParts = explode(':', $cfg->logDestination, 2);
$destinationRemote = empty($remoteParts[1]) ? '' : $remoteParts[1];
$destinationPath = '';
}
$logDestinationSelect = new htmlResponsiveSelect('logDestination', $destinationOptions, array($destinationSelected), _("Log destination"), '240'); $logDestinationSelect = new htmlResponsiveSelect('logDestination', $destinationOptions, array($destinationSelected), _("Log destination"), '240');
$logDestinationSelect->setTableRowsToHide(array( $logDestinationSelect->setTableRowsToHide(array(
'none' => array('logFile'), 'none' => array('logFile', 'logRemote'),
'syslog' => array('logFile'), 'syslog' => array('logFile', 'logRemote'),
'remote' => array('logFile'),
'file' => array('logRemote'),
)); ));
$logDestinationSelect->setTableRowsToShow(array( $logDestinationSelect->setTableRowsToShow(array(
'file' => array('logFile'), 'file' => array('logFile'),
'remote' => array('logRemote'),
)); ));
$logDestinationSelect->setHasDescriptiveElements(true); $logDestinationSelect->setHasDescriptiveElements(true);
$row->add($logDestinationSelect, 12); $row->add($logDestinationSelect, 12);
$row->add(new htmlResponsiveInputField(_('File'), 'logFile', $destinationPath), 12); $row->add(new htmlResponsiveInputField(_('File'), 'logFile', $destinationPath), 12);
$row->add(new htmlResponsiveInputField(_('Remote server'), 'logRemote', $destinationRemote, '251'), 12);
$errorLogOptions = array( $errorLogOptions = array(
_('PHP system setting') => LAMCfgMain::ERROR_REPORTING_SYSTEM, _('PHP system setting') => LAMCfgMain::ERROR_REPORTING_SYSTEM,
_('default') => LAMCfgMain::ERROR_REPORTING_DEFAULT, _('default') => LAMCfgMain::ERROR_REPORTING_DEFAULT,
@ -472,7 +507,6 @@ parseHtml(null, $box, array(), false, $tabindex, 'user');
* @return String formated time * @return String formated time
*/ */
function formatSSLTimestamp($time) { function formatSSLTimestamp($time) {
$matches = array();
if (!empty($time)) { if (!empty($time)) {
$timeZone = 'UTC'; $timeZone = 'UTC';
$sysTimeZone = @date_default_timezone_get(); $sysTimeZone = @date_default_timezone_get();