< ? php
/* $Id$ */
/*
Copyright (C) 2010 Ermal Luçi
All rights reserved .
Copyright ( C ) 2007 , 2008 Scott Ullrich < sullrich @ gmail . com >
All rights reserved .
Copyright ( C ) 2005 - 2006 Bill Marquette < bill . marquette @ gmail . com >
All rights reserved .
Copyright ( C ) 2006 Paul Taylor < paultaylor @ winn - dixie . com >.
All rights reserved .
Copyright ( C ) 2003 - 2006 Manuel Kasper < mk @ neon1 . net >.
All rights reserved .
Redistribution and use in source and binary forms , with or without
modification , are permitted provided that the following conditions are met :
1. Redistributions of source code must retain the above copyright notice ,
this list of conditions and the following disclaimer .
2. Redistributions in binary form must reproduce the above copyright
notice , this list of conditions and the following disclaimer in the
documentation and / or other materials provided with the distribution .
THIS SOFTWARE IS PROVIDED `` AS IS '' AND ANY EXPRESS OR IMPLIED WARRANTIES ,
INCLUDING , BUT NOT LIMITED TO , THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED . IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT , INDIRECT , INCIDENTAL , SPECIAL , EXEMPLARY ,
OR CONSEQUENTIAL DAMAGES ( INCLUDING , BUT NOT LIMITED TO , PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES ; LOSS OF USE , DATA , OR PROFITS ; OR BUSINESS
INTERRUPTION ) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY , WHETHER IN
CONTRACT , STRICT LIABILITY , OR TORT ( INCLUDING NEGLIGENCE OR OTHERWISE )
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE , EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE .
pfSense_BUILDER_BINARIES:	/usr/sbin/pw	/bin/cp
pfSense_MODULE:	auth
*/
/*
* NOTE : Portions of the mschapv2 support was based on the BSD licensed CHAP . php
* file courtesy of Michael Retterklieber .
*/
/* Callers that already have the GUI config loaded set
 * $do_not_include_config_gui_inc before including this file. */
if (!$do_not_include_config_gui_inc)
	require_once("config.gui.inc");
// Will be changed to false if security checks fail
/* Tracks the DNS-rebind and HTTP_REFERER checks below; only if it is still
 * true afterwards is restore_security_checks() called. */
$security_passed = true;
/* If this function doesn't exist, we're being called from Captive Portal or
   another internal subsystem which does not include authgui.inc */
if (function_exists("display_error_form") && !isset($config['system']['webgui']['nodnsrebindcheck'])) {
	/* DNS ReBinding attack prevention. https://redmine.pfsense.org/issues/708 */
	/* The Host header is client-supplied, so it is only accepted when it matches
	 * something this firewall knows itself by: an IP literal, loopback, the
	 * configured hostname/FQDN, a dynamic DNS or RFC 2136 hostname, or one of
	 * the "Alternate Hostnames" from the webgui settings. */
	$found_host = false;

	/* Either a IPv6 address with or without a alternate port */
	if (strstr($_SERVER['HTTP_HOST'], "]")) {
		$http_host_port = explode("]", $_SERVER['HTTP_HOST']);
		/* v6 address has more parts, drop the last part */
		if (count($http_host_port) > 1) {
			array_pop($http_host_port);
			$http_host = str_replace(array("[", "]"), "", implode(":", $http_host_port));
		} else {
			$http_host = str_replace(array("[", "]"), "", implode(":", $http_host_port));
		}
	} else {
		/* IPv4 or hostname: strip an optional ":port" suffix. */
		$http_host = explode(":", $_SERVER['HTTP_HOST']);
		$http_host = $http_host[0];
	}

	/* A literal address cannot be rebound, so it is always accepted, as is loopback. */
	if (is_ipaddr($http_host) or $_SERVER['SERVER_ADDR'] == "127.0.0.1" or
		strcasecmp($http_host, "localhost") == 0 or $_SERVER['SERVER_ADDR'] == "::1")
		$found_host = true;

	if (strcasecmp($http_host, $config['system']['hostname'] . "." . $config['system']['domain']) == 0 or
		strcasecmp($http_host, $config['system']['hostname']) == 0)
		$found_host = true;

	if (is_array($config['dyndnses']['dyndns']) && !$found_host)
		foreach ($config['dyndnses']['dyndns'] as $dyndns)
			if (strcasecmp($dyndns['host'], $http_host) == 0) {
				$found_host = true;
				break;
			}

	if (is_array($config['dnsupdates']['dnsupdate']) && !$found_host)
		foreach ($config['dnsupdates']['dnsupdate'] as $rfc2136)
			if (strcasecmp($rfc2136['host'], $http_host) == 0) {
				$found_host = true;
				break;
			}

	if (!empty($config['system']['webgui']['althostnames']) && !$found_host) {
		/* Space-separated list entered by the administrator. */
		$althosts = explode(" ", $config['system']['webgui']['althostnames']);
		foreach ($althosts as $ah)
			if (strcasecmp($ah, $http_host) == 0 or strcasecmp($ah, $_SERVER['SERVER_ADDR']) == 0) {
				$found_host = true;
				break;
			}
	}

	if ($found_host == false) {
		/* With security checks disabled the request is still served, but the
		 * failure is remembered so the checks are not re-enabled below. */
		if (!security_checks_disabled()) {
			display_error_form("501", gettext("Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding<br />Try accessing the router by IP address instead of by hostname."));
			exit;
		}
		$security_passed = false;
	}
}
// If the HTTP_REFERER is something other than ourselves then disallow.
/* Like the Host check above, the Referer is client-supplied and is only
 * accepted when its host part matches a name or address this firewall knows
 * itself by. A request without any Referer is served, but does not count as
 * having passed the check (see $security_passed). */
if (function_exists("display_error_form") && !isset($config['system']['webgui']['nohttpreferercheck'])) {
	if ($_SERVER['HTTP_REFERER']) {
		if (file_exists("{$g['tmp_path']}/setupwizard_lastreferrer")) {
			/* One-shot exemption (presumably left behind by the setup wizard):
			 * consume the file and bounce the browser to the dashboard. */
			if ($_SERVER['HTTP_REFERER'] == file_get_contents("{$g['tmp_path']}/setupwizard_lastreferrer")) {
				unlink("{$g['tmp_path']}/setupwizard_lastreferrer");
				header("Refresh: 1; url=index.php");
				echo "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n\"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">";
				echo "<html><head><title>" . gettext("Redirecting...") . "</title></head><body>" . gettext("Redirecting to the dashboard...") . "</body></html>";
				exit;
			}
		}
		$found_host = false;
		$referrer_host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
		/* Drop the brackets of an IPv6 literal so it compares with the addresses below. */
		$referrer_host = str_replace(array("[", "]"), "", $referrer_host);
		if ($referrer_host) {
			if (strcasecmp($referrer_host, $config['system']['hostname'] . "." . $config['system']['domain']) == 0
					|| strcasecmp($referrer_host, $config['system']['hostname']) == 0)
				$found_host = true;

			if (!empty($config['system']['webgui']['althostnames']) && !$found_host) {
				$althosts = explode(" ", $config['system']['webgui']['althostnames']);
				foreach ($althosts as $ah) {
					if (strcasecmp($referrer_host, $ah) == 0) {
						$found_host = true;
						break;
					}
				}
			}

			if (is_array($config['dyndnses']['dyndns']) && !$found_host)
				foreach ($config['dyndnses']['dyndns'] as $dyndns)
					if (strcasecmp($dyndns['host'], $referrer_host) == 0) {
						$found_host = true;
						break;
					}
			if (is_array($config['dnsupdates']['dnsupdate']) && !$found_host)
				foreach ($config['dnsupdates']['dnsupdate'] as $rfc2136)
					if (strcasecmp($rfc2136['host'], $referrer_host) == 0) {
						$found_host = true;
						break;
					}

			if (!$found_host) {
				/* Any address configured on an interface also counts as "ourselves". */
				$interface_list_ips = get_configured_ip_addresses();
				foreach ($interface_list_ips as $ilips) {
					if (strcasecmp($referrer_host, $ilips) == 0) {
						$found_host = true;
						break;
					}
				}
				$interface_list_ipv6s = get_configured_ipv6_addresses();
				foreach ($interface_list_ipv6s as $ilipv6s) {
					if (strcasecmp($referrer_host, $ilipv6s) == 0) {
						$found_host = true;
						break;
					}
				}
				if ($referrer_host == "127.0.0.1" || $referrer_host == "localhost") {
					// allow SSH port forwarded connections and links from localhost
					$found_host = true;
				}
			}
		}
		if ($found_host == false) {
			/* The rejected Referer is echoed back escaped, so it cannot inject markup. */
			if (!security_checks_disabled()) {
				display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "). You can disable this check if needed in System -> Advanced -> Admin.");
				exit;
			}
			$security_passed = false;
		}
	} else
		$security_passed = false;
}
/* Only reached with $security_passed still true, i.e. neither the DNS rebind
 * nor the referer check failed while security checks were disabled. */
if (function_exists("display_error_form") && $security_passed)
	/* Security checks passed, so it should be OK to turn them back on */
	restore_security_checks();
unset($security_passed);
/* Name => position lookup tables into $config['system']['group'] and
 * $config['system']['user']; getGroupEntry()/getUserEntry() go through these. */
$groupindex = index_groups();
$userindex = index_users();
/*
 * Build (and publish in the global $groupindex) a map of group name =>
 * position in $config['system']['group']. Returns an empty array when no
 * groups are configured.
 */
function index_groups() {
	global $g, $debug, $config, $groupindex;

	$groupindex = array();
	if (!is_array($config['system']['group']))
		return ($groupindex);

	$position = 0;
	foreach ($config['system']['group'] as $groupent)
		$groupindex[$groupent['name']] = $position++;

	return ($groupindex);
}
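/*
 * Build a map of user name => position in $config['system']['user'].
 *
 * Returns an empty array when no users are configured (the global $userindex
 * is assigned from this return value at file load time), matching what
 * index_groups() does for groups.
 */
function index_users() {
	global $g, $debug, $config;

	/* Initialised explicitly so the "no users" case returns an array, not null. */
	$userindex = array();
	if (is_array($config['system']['user'])) {
		$i = 0;
		foreach ($config['system']['user'] as $userent) {
			$userindex[$userent['name']] = $i;
			$i++;
		}
	}
	return ($userindex);
}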
/*
 * Return a reference to the config entry of the user named $name, or nothing
 * (null) when that name is not present in the global $userindex.
 */
function &getUserEntry($name) {
	global $debug, $config, $userindex;

	if (isset($userindex[$name]))
		return $config['system']['user'][$userindex[$name]];
}
/*
 * Return a reference to the config entry of the user with uid $uid, or false
 * when none matches. The comparison is loose (==), so "0" and 0 both match.
 */
function &getUserEntryByUID($uid) {
	global $debug, $config;

	if (is_array($config['system']['user']))
		foreach ($config['system']['user'] as & $user)
			if ($user['uid'] == $uid)
				return $user;

	return false;
}
/*
 * Return a reference to the config entry of the group named $name, or nothing
 * (null) when that name is not present in the global $groupindex.
 */
function &getGroupEntry($name) {
	global $debug, $config, $groupindex;

	if (isset($groupindex[$name]))
		return $config['system']['group'][$groupindex[$name]];
}
/*
 * Return a reference to the config entry of the group with gid $gid, or false
 * when none matches. The comparison is loose (==).
 */
function &getGroupEntryByGID($gid) {
	global $debug, $config;

	if (is_array($config['system']['group']))
		foreach ($config['system']['group'] as & $group)
			if ($group['gid'] == $gid)
				return $group;

	return false;
}
/*
 * Collect the effective privilege ids of a user: the ones set directly on the
 * entry plus those of every group it belongs to (the "all" group included).
 * Returns a plain list; duplicates are not removed.
 */
function get_user_privileges(&$user) {
	$privs = is_array($user['priv']) ? $user['priv'] : array();

	foreach (local_user_get_groups($user, true) as $groupname) {
		$group = getGroupEntry($groupname);
		if (!is_array($group['priv']))
			continue;
		$privs = array_merge($privs, $group['priv']);
	}

	return $privs;
}
/*
 * True when the privilege id $privid is among the user's effective privileges
 * (see get_user_privileges()). A missing/false $privid or a non-array user
 * entry yields false.
 */
function userHasPrivilege($userent, $privid = false) {
	if (!$privid || !is_array($userent))
		return false;

	$privs = get_user_privileges($userent);

	return is_array($privs) && in_array($privid, $privs);
}
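/*
 * Authenticate $username/$passwd against the local user database.
 *
 * Returns true when the password matches the stored crypt() hash or, failing
 * that, the legacy 'md5-hash'; false for unknown, disabled or expired users
 * and for a wrong password.
 */
function local_backed($username, $passwd) {
	$user = getUserEntry($username);
	if (!$user)
		return false;

	if (is_account_disabled($username) || is_account_expired($username))
		return false;

	/* Hashes are compared with === : with == two digest strings of the form
	 * "0e<digits>" compare as equal numbers. hash_equals() would additionally
	 * make the comparison constant-time where available (PHP >= 5.6). */
	if ($user['password']) {
		if (crypt($passwd, $user['password']) === $user['password'])
			return true;
	}

	/* Legacy fallback: hash the submitted password itself, not the crypt()
	 * output of the previous step. */
	if ($user['md5-hash']) {
		if (md5($passwd) === $user['md5-hash'])
			return true;
	}

	return false;
}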
/*
 * Rebuild the system (pw) user and group databases from the config.
 *
 * Every local account and group in the 2000..65000 id range is first deleted
 * (entries whose name starts with "_" or whose id is outside that range are
 * skipped, except the "admin" user, which is always removed) so that ids
 * from a previous config cannot collide; then every configured user and group
 * is written back through local_user_set()/local_group_set(). Runs between
 * conf_mount_rw() and conf_mount_ro(). Returns nothing.
 */
function local_sync_accounts() {
	global $debug, $config;
	conf_mount_rw();

	/* remove local users to avoid uid conflicts */
	$fd = popen("/usr/sbin/pw usershow -a", "r");
	if ($fd) {
		while (!feof($fd)) {
			/* passwd-style record: name:password:uid:... */
			$line = explode(":", fgets($fd));
			if (((!strncmp($line[0], "_", 1)) || ($line[2] < 2000) || ($line[2] > 65000)) && ($line[0] != "admin"))
				continue;
			/*
			 * If a crontab was created to user, pw userdel will be interactive and
			 * can cause issues. Just remove crontab before run it when necessary
			 */
			unlink_if_exists("/var/cron/tabs/{$line[0]}");
			/* The name comes from pw's own output and is single-quoted for the shell. */
			$cmd = "/usr/sbin/pw userdel -n '{$line[0]}'";
			if ($debug)
				log_error(sprintf(gettext("Running: %s"), $cmd));
			mwexec($cmd);
		}
		pclose($fd);
	}

	/* remove local groups to avoid gid conflicts */
	$gids = array();
	$fd = popen("/usr/sbin/pw groupshow -a", "r");
	if ($fd) {
		while (!feof($fd)) {
			/* group-style record: name:password:gid:members */
			$line = explode(":", fgets($fd));
			if (!strncmp($line[0], "_", 1))
				continue;
			if ($line[2] < 2000)
				continue;
			if ($line[2] > 65000)
				continue;
			/* Groups are deleted by gid, not by name. */
			$cmd = "/usr/sbin/pw groupdel {$line[2]}";
			if ($debug)
				log_error(sprintf(gettext("Running: %s"), $cmd));
			mwexec($cmd);
		}
		pclose($fd);
	}

	/* make sure the all group exists */
	/* gid 1998 is looked up in the config; reset=true writes it with an empty
	 * member list first, the real membership follows in the group sync below. */
	$allgrp = getGroupEntryByGID(1998);
	local_group_set($allgrp, true);

	/* sync all local users */
	if (is_array($config['system']['user']))
		foreach ($config['system']['user'] as $user)
			local_user_set($user);

	/* sync all local groups */
	if (is_array($config['system']['group']))
		foreach ($config['system']['group'] as $group)
			local_group_set($group);

	conf_mount_ro();
}
/*
 * Create or update the system (pw) account for one configured user.
 *
 * $user is a config user entry (name, uid, password, descr, authorizedkeys,
 * ...). The login shell is chosen from the user's privileges; disabled or
 * expired accounts (other than uid 0) get /sbin/nologin and are locked; the
 * home directory and ~/.ssh/authorized_keys are (re)written; finally
 * "pw lock"/"pw unlock" is applied. A user without a password is logged and
 * skipped. Runs between conf_mount_rw() and conf_mount_ro(). Returns nothing.
 */
function local_user_set(&$user) {
	global $g, $debug;

	if (empty($user['password'])) {
		log_error("There is something wrong in your config because user {$user['name']} password is missing!");
		return;
	}

	conf_mount_rw();

	$home_base = "/home/";
	$user_uid = $user['uid'];
	$user_name = $user['name'];
	$user_home = "{$home_base}{$user_name}";
	$user_shell = "/etc/rc.initial";
	$user_group = "nobody";

	// Ensure $home_base exists and is writable
	if (!is_dir($home_base))
		mkdir($home_base, 0755);

	$lock_account = false;
	/* configure shell type */
	/* Cases here should be ordered by most privileged to least privileged. */
	if (userHasPrivilege($user, "user-shell-access") || userHasPrivilege($user, "page-all")) {
		$user_shell = "/bin/tcsh";
	} elseif (userHasPrivilege($user, "user-copy-files")) {
		$user_shell = "/usr/local/bin/scponly";
	} elseif (userHasPrivilege($user, "user-ssh-tunnel")) {
		$user_shell = "/usr/local/sbin/ssh_tunnel_shell";
	} elseif (userHasPrivilege($user, "user-ipsec-xauth-dialin")) {
		$user_shell = "/sbin/nologin";
	} else {
		/* No shell-related privilege at all: the account exists but is locked. */
		$user_shell = "/sbin/nologin";
		$lock_account = true;
	}

	/* Lock out disabled or expired users, unless it's root/admin. */
	if ((is_account_disabled($user_name) || is_account_expired($user_name)) && ($user_uid != 0)) {
		$user_shell = "/sbin/nologin";
		$lock_account = true;
	}

	/* root user special handling */
	if ($user_uid == 0) {
		/* The crypt() hash from the config is fed to pw on stdin (-H 0). */
		$cmd = "/usr/sbin/pw usermod -q -n root -s /bin/sh -H 0";
		if ($debug)
			log_error(sprintf(gettext("Running: %s"), $cmd));
		$fd = popen($cmd, "w");
		fwrite($fd, $user['password']);
		pclose($fd);
		$user_group = "wheel";
		$user_home = "/root";
		$user_shell = "/etc/rc.initial";
	}

	/* read from pw db */
	/* NOTE(review): $user_name is interpolated into shell commands unescaped here
	 * and below (escapeshellarg() is only applied to the comment); the name is
	 * assumed to have been validated when the user was saved -- confirm. */
	$fd = popen("/usr/sbin/pw usershow -n {$user_name} 2>&1", "r");
	$pwread = fgets($fd);
	pclose($fd);
	$userattrs = explode(":", trim($pwread));

	/* determine add or mod */
	/* A line starting with "pw:" is pw's error output (merged via 2>&1),
	 * presumably "no such user". */
	if (($userattrs[0] != $user['name']) || (!strncmp($pwread, "pw:", 3))) {
		$user_op = "useradd -m -k /etc/skel -o";
	} else {
		$user_op = "usermod";
	}

	/* Strip characters that are not wanted in the GECOS/comment field. */
	$comment = str_replace(array(":", "!", "@"), "", $user['descr']);

	/* add or mod pw db */
	$cmd = "/usr/sbin/pw {$user_op} -q -u {$user_uid} -n {$user_name}" .
		" -g {$user_group} -s {$user_shell} -d {$user_home}" .
		" -c " . escapeshellarg($comment) . " -H 0 2>&1";
	if ($debug)
		log_error(sprintf(gettext("Running: %s"), $cmd));
	$fd = popen($cmd, "w");
	fwrite($fd, $user['password']);
	pclose($fd);

	/* create user directory if required */
	if (!is_dir($user_home)) {
		mkdir($user_home, 0700);
		/* NOTE(review): this copies root's dotfiles into $home_base, not into the
		 * new $user_home -- confirm whether that is intended. */
		mwexec("/bin/cp /root/.* {$home_base}/", true);
	}
	@chown($user_home, $user_name);
	@chgrp($user_home, $user_group);

	/* write out ssh authorized key file */
	if ($user['authorizedkeys']) {
		if (!is_dir("{$user_home}/.ssh")) {
			@mkdir("{$user_home}/.ssh", 0700);
			@chown("{$user_home}/.ssh", $user_name);
		}
		/* 'authorizedkeys' is stored base64-encoded in the config. */
		$keys = base64_decode($user['authorizedkeys']);
		@file_put_contents("{$user_home}/.ssh/authorized_keys", $keys);
		@chown("{$user_home}/.ssh/authorized_keys", $user_name);
	} else
		/* No keys configured: a stale key file must not keep granting access. */
		unlink_if_exists("{$user_home}/.ssh/authorized_keys");

	/* "pw lock" or "pw unlock" according to what was decided above. */
	$un = $lock_account ? "" : "un";
	exec("/usr/sbin/pw {$un}lock {$user_name} -q");

	conf_mount_ro();
}
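/*
 * Remove a configured user from the system (pw) database.
 *
 * Drops all group memberships first, then deletes the account (with its home
 * directory unless the uid is 0). If "pw usershow" does not report the
 * expected name the deletion is aborted and logged. Returns nothing; the
 * config itself is updated by local_group_del_user() and still needs
 * write_config() from the caller.
 */
function local_user_del($user) {
	global $debug;

	/* remove all memberships */
	local_user_set_groups($user);

	/* Don't remove /root */
	$rmhome = "";
	if ($user['uid'] != 0)
		$rmhome = "-r";

	/* The name is quoted for the shell; pw only ever sees it as one argument. */
	$quoted_name = escapeshellarg($user['name']);

	/* read from pw db */
	$fd = popen("/usr/sbin/pw usershow -n {$quoted_name} 2>&1", "r");
	$pwread = fgets($fd);
	pclose($fd);
	$userattrs = explode(":", trim($pwread));
	if ($userattrs[0] != $user['name']) {
		log_error("Tried to remove user {$user['name']} but got user {$userattrs[0]} instead. Bailing.");
		return;
	}

	/* delete from pw db */
	$cmd = "/usr/sbin/pw userdel -n {$quoted_name} {$rmhome}";
	if ($debug)
		log_error(sprintf(gettext("Running: %s"), $cmd));
	mwexec($cmd);

	/* Delete user from groups needs a call to write_config() */
	local_group_del_user($user);
}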
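/*
 * Store the three hash forms of $password on the user entry (by reference):
 * 'password' (crypt()), 'md5-hash' (md5()) and 'nt-hash'. Returns nothing.
 *
 * NOTE(review): the "unicode" string is really a hex *text* of each byte
 * shifted left by 8 ("a" -> "6100"), which is md4-hashed and then hex-encoded
 * a second time by bin2hex(). That is not the standard NT hash (md4 over the
 * UTF-16LE bytes); it is kept unchanged because whatever consumes the config
 * field expects the current form -- confirm before correcting.
 * crypt() is called without a salt, which PHP 8 no longer allows.
 */
function local_user_set_password(&$user, $password) {
	$user['password'] = crypt($password);
	$user['md5-hash'] = md5($password);

	// Converts ascii to unicode.
	$astr = (string) $password;
	$ustr = '';
	for ($i = 0; $i < strlen($astr); $i++) {
		/* [] string offset; the old {} form was removed in PHP 8. */
		$a = ord($astr[$i]) << 8;
		$ustr .= sprintf("%X", $a);
	}

	// Generate the NT-HASH from the unicode string
	$user['nt-hash'] = bin2hex(hash("md4", $ustr));
}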
/*
 * Return the sorted list of group names whose 'member' list contains the
 * user's uid. With $all set, the synthetic "all" name is appended as well;
 * without it, a configured group named "all" is skipped. Returns an empty
 * list when no groups are configured.
 */
function local_user_get_groups($user, $all = false) {
	global $debug, $config;

	$groups = array();
	if (!is_array($config['system']['group']))
		return $groups;

	foreach ($config['system']['group'] as $group) {
		if (!$all && $group['name'] == "all")
			continue;
		if (!is_array($group['member']))
			continue;
		if (in_array($user['uid'], $group['member']))
			$groups[] = $group['name'];
	}

	if ($all)
		$groups[] = "all";

	sort($groups);
	return $groups;
}
/*
 * Replace the user's group memberships with $new_groups.
 *
 * $new_groups is a list of group names; null or a non-array means "no groups",
 * which is how local_user_del() drops every membership. Memberships already
 * present are kept, new ones get the uid appended to the group's member list,
 * and memberships absent from $new_groups are removed. Every touched group is
 * then written to the system with local_group_set(). $config is modified in
 * place; write_config() is not called here.
 */
function local_user_set_groups($user, $new_groups = NULL) {
	global $debug, $config, $groupindex;

	if (!is_array($config['system']['group']))
		return;

	$cur_groups = local_user_get_groups($user, true);
	$mod_groups = array();

	if (!is_array($new_groups))
		$new_groups = array();

	if (!is_array($cur_groups))
		$cur_groups = array();

	/* determine which memberships to add */
	foreach ($new_groups as $groupname) {
		if ($groupname == '' || in_array($groupname, $cur_groups))
			continue;
		/* NOTE(review): a name missing from $groupindex gives a null index and
		 * would create a bogus config entry through this reference -- confirm
		 * callers only pass configured group names. */
		$group = &$config['system']['group'][$groupindex[$groupname]];
		$group['member'][] = $user['uid'];
		$mod_groups[] = $group;
	}
	/* Drop the reference so the next loop cannot write through it. */
	unset($group);

	/* determine which memberships to remove */
	foreach ($cur_groups as $groupname) {
		if (in_array($groupname, $new_groups))
			continue;
		/* E.g. the "all" name local_user_get_groups() appends when no group of
		 * that name exists in the config. */
		if (!isset($config['system']['group'][$groupindex[$groupname]]))
			continue;
		$group = &$config['system']['group'][$groupindex[$groupname]];
		if (is_array($group['member'])) {
			/* array_search() is non-strict and returns false (offset 0 to
			 * array_splice) when not found; the uid is expected to be present
			 * because $cur_groups was derived from these member lists. */
			$index = array_search($user['uid'], $group['member']);
			array_splice($group['member'], $index, 1);
			$mod_groups[] = $group;
		}
	}
	unset($group);

	/* sync all modified groups */
	foreach ($mod_groups as $group)
		local_group_set($group);
}
2010-05-24 19:49:12 +02:00
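/*
 * Remove the user's uid from the 'member' list of every configured group.
 *
 * Modifies the global $config in place (the caller still has to
 * write_config()); returns nothing. The group's position in
 * $config['system']['group'] is tracked so the unset() reaches the real
 * member list instead of a non-existent 'member' key on the group list.
 */
function local_group_del_user($user) {
	global $config;

	if (!is_array($config['system']['group']))
		return;

	foreach ($config['system']['group'] as $gidx => $group) {
		if (!is_array($group['member']))
			continue;
		foreach ($group['member'] as $idx => $uid) {
			if ($user['uid'] == $uid)
				unset($config['system']['group'][$gidx]['member'][$idx]);
		}
	}
}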
/*
 * Create or update the system group for a config group entry.
 *
 * $group needs at least 'name' and 'gid'; 'member' is a list of uids written
 * with -M. With $reset the member list is written empty instead. A group
 * without a name is ignored. "pw groupshow" output starting with "pw:" (its
 * error text, merged via 2>&1) is taken to mean the group does not exist yet,
 * so groupadd is used instead of groupmod. Returns nothing.
 */
function local_group_set($group, $reset = false) {
	global $debug;

	$group_name = $group['name'];
	$group_gid = $group['gid'];
	$group_members = '';
	if (!$reset && !empty($group['member']) && count($group['member']) > 0)
		$group_members = implode(",", $group['member']);

	if (empty($group_name))
		return;

	/* read from group db */
	$fd = popen("/usr/sbin/pw groupshow {$group_name} 2>&1", "r");
	$pwread = fgets($fd);
	pclose($fd);

	/* determine add or mod */
	if (!strncmp($pwread, "pw:", 3))
		$group_op = "groupadd";
	else
		$group_op = "groupmod";

	/* add or mod group db */
	$cmd = "/usr/sbin/pw {$group_op} {$group_name} -g {$group_gid} -M {$group_members} 2>&1";
	if ($debug)
		log_error(sprintf(gettext("Running: %s"), $cmd));
	mwexec($cmd);
}
/*
 * Delete the system group named $group['name'] via "pw groupdel".
 * Only the system database is touched, not $config. Returns nothing.
 */
function local_group_del($group) {
	global $debug;

	/* delete from group db */
	$cmd = "/usr/sbin/pw groupdel {$group['name']}";
	if ($debug)
		log_error(sprintf(gettext("Running: %s"), $cmd));
	mwexec($cmd);
}
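/*
 * Check that an LDAP handle can be created for the given auth server config.
 *
 * $authcfg is a config authserver entry (ldap_urltype, host, ldap_port, name,
 * ldap_caref, ...). Returns true when ldap_connect() succeeds; false when
 * $authcfg is empty, no server URL could be built, or ldap_connect() fails.
 * ldap_connect() itself does not contact the server (the connection is made
 * at bind time), so a true result does not prove the server is reachable.
 */
function ldap_test_connection($authcfg) {
	global $debug, $config, $g;

	if (!$authcfg)
		return false;

	/* "Standard" (TCP) vs SSL selects the URL scheme; ldap_setup_caenv() handles the CA side. */
	$ldapproto = strstr($authcfg['ldap_urltype'], "Standard") ? "ldap" : "ldaps";
	$ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
	$ldapport = $authcfg['ldap_port'];
	if (!empty($ldapport))
		$ldapserver .= ":{$ldapport}";
	/* Server name as shown in log messages. */
	$ldapname = $authcfg['name'];

	/* first check if there is even an LDAP server populated */
	if (!$ldapserver)
		return false;

	/* Setup CA environment if needed. */
	ldap_setup_caenv($authcfg);

	/* connect and see if server is up */
	if (!($ldap = ldap_connect($ldapserver))) {
		log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname));
		return false;
	}

	return true;
}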
/*
 * Point the LDAP client library at the CA configured for an SSL auth server.
 *
 * When the server uses plain TCP or no CA reference is configured,
 * LDAPTLS_REQCERT=never is exported, i.e. the server certificate is not
 * verified. Otherwise the CA from the config is written to
 * {$g['varrun_path']}/certs/<refid>.ca (mode 0600) and LDAPTLS_REQCERT=hard
 * plus LDAPTLS_CACERTDIR/LDAPTLS_CACERT are exported so libldap verifies
 * against it. If the CA cannot be looked up, REQCERT=hard is still set so the
 * bind fails instead of sending credentials (see the XXX note). Returns nothing.
 */
function ldap_setup_caenv($authcfg) {
	global $g;
	require_once("certs.inc");

	unset($caref);
	if (empty($authcfg['ldap_caref']) || !strstr($authcfg['ldap_urltype'], "SSL")) {
		/* No verification possible or requested: any server certificate is accepted. */
		putenv('LDAPTLS_REQCERT=never');
		return;
	} else {
		$caref = lookup_ca($authcfg['ldap_caref']);
		if (!$caref) {
			log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_caref']));
			/* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */
			putenv('LDAPTLS_REQCERT=hard');
			return;
		}
		if (!is_dir("{$g['varrun_path']}/certs"))
			@mkdir("{$g['varrun_path']}/certs");
		/* The CA file is rewritten on every call, presumably so a changed
		 * certificate in the config takes effect. */
		if (file_exists("{$g['varrun_path']}/certs/{$caref['refid']}.ca"))
			@unlink("{$g['varrun_path']}/certs/{$caref['refid']}.ca");
		file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", base64_decode($caref['crt']));
		@chmod("{$g['varrun_path']}/certs/{$caref['refid']}.ca", 0600);
		putenv('LDAPTLS_REQCERT=hard');
		/* XXX: Probably even the hashed link should be created for this? */
		putenv("LDAPTLS_CACERTDIR={$g['varrun_path']}/certs");
		putenv("LDAPTLS_CACERT={$g['varrun_path']}/certs/{$caref['refid']}.ca");
	}
}
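/*
 * Verify that the configured bind credentials are accepted by the LDAP server.
 *
 * $authcfg is a config authserver entry. The bind is anonymous only when
 * ldap_binddn or ldap_bindpw is empty; otherwise those credentials are used
 * (UTF-8 encoded when ldap_utf8 is set). Returns true on a successful bind;
 * false when $authcfg is empty, no server URL could be built, ldap_connect()
 * fails or the bind is rejected. The handle is closed before returning.
 */
function ldap_test_bind($authcfg) {
	global $debug, $config, $g;

	if (!$authcfg)
		return false;

	$ldapproto = strstr($authcfg['ldap_urltype'], "Standard") ? "ldap" : "ldaps";
	$ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
	$ldapport = $authcfg['ldap_port'];
	if (!empty($ldapport))
		$ldapserver .= ":{$ldapport}";
	$ldapbindun = $authcfg['ldap_binddn'];
	$ldapbindpw = $authcfg['ldap_bindpw'];
	$ldapver = $authcfg['ldap_protver'];
	/* Server name as shown in log messages. */
	$ldapname = $authcfg['name'];
	/* Tested on the bind DN variable itself, so configured credentials are
	 * really exercised instead of always falling back to an anonymous bind. */
	$ldapanon = (empty($ldapbindun) || empty($ldapbindpw));

	/* first check if there is even an LDAP server populated */
	if (!$ldapserver)
		return false;

	/* Setup CA environment if needed. */
	ldap_setup_caenv($authcfg);

	/* connect and see if server is up */
	if (!($ldap = ldap_connect($ldapserver))) {
		log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname));
		return false;
	}

	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);

	if (isset($authcfg['ldap_utf8'])) {
		$ldapbindun = utf8_encode($ldapbindun);
		$ldapbindpw = utf8_encode($ldapbindpw);
	}

	if ($ldapanon)
		$res = @ldap_bind($ldap);
	else
		$res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw);

	if (!$res) {
		@ldap_close($ldap);
		return false;
	}

	@ldap_unbind($ldap);
	return true;
}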
function ldap_get_user_ous ( $show_complete_ou = true , $authcfg ) {
2009-06-16 17:32:50 +02:00
global $debug , $config , $g ;
if ( ! function_exists ( " ldap_connect " ))
return ;
2010-04-27 16:55:56 +02:00
$ous = array ();
2010-03-02 18:07:06 +01:00
if ( $authcfg ) {
if ( strstr ( $authcfg [ 'ldap_urltype' ], " Standard " ))
$ldapproto = " ldap " ;
else
$ldapproto = " ldaps " ;
2012-07-01 00:11:17 +02:00
$ldapserver = " { $ldapproto } :// " . ldap_format_host ( $authcfg [ 'host' ]);
2010-03-02 18:07:06 +01:00
$ldapport = $authcfg [ 'ldap_port' ];
2011-10-25 17:05:11 +02:00
if ( ! empty ( $ldapport ))
$ldapserver .= " : { $ldapport } " ;
2010-03-02 18:07:06 +01:00
$ldapbasedn = $authcfg [ 'ldap_basedn' ];
$ldapbindun = $authcfg [ 'ldap_binddn' ];
$ldapbindpw = $authcfg [ 'ldap_bindpw' ];
$ldapver = $authcfg [ 'ldap_protver' ];
if ( empty ( $ldapbindun ) || empty ( $ldapbindpw ))
$ldapanon = true ;
else
$ldapanon = false ;
$ldapname = $authcfg [ 'name' ];
$ldapfallback = false ;
$ldapscope = $authcfg [ 'ldap_scope' ];
2010-03-03 17:16:39 +01:00
} else
return false ;
2009-06-16 17:32:50 +02:00
2010-03-02 18:07:06 +01:00
/* first check if there is even an LDAP server populated */
if ( ! $ldapserver ) {
2010-08-13 21:23:37 +02:00
log_error ( gettext ( " ERROR! ldap_get_user_ous() backed selected with no LDAP authentication server defined. " ));
2010-03-02 18:07:06 +01:00
return $ous ;
}
2011-07-15 15:10:40 +02:00
/* Setup CA environment if needed. */
ldap_setup_caenv ( $authcfg );
2010-03-02 18:07:06 +01:00
/* connect and see if server is up */
$error = false ;
2011-10-25 17:05:11 +02:00
if ( ! ( $ldap = ldap_connect ( $ldapserver )))
$error = true ;
2010-03-02 18:07:06 +01:00
if ( $error == true ) {
2010-08-13 21:23:37 +02:00
log_error ( sprintf ( gettext ( " ERROR! Could not connect to server %s. " ), $ldapname ));
2010-03-02 18:07:06 +01:00
return $ous ;
}
$ldapfilter = " (|(ou=*)(cn=Users)) " ;
2009-06-16 17:32:50 +02:00
ldap_set_option ( $ldap , LDAP_OPT_REFERRALS , 0 );
2013-04-02 20:36:23 +02:00
ldap_set_option ( $ldap , LDAP_OPT_DEREF , LDAP_DEREF_SEARCHING );
2010-03-02 18:07:06 +01:00
ldap_set_option ( $ldap , LDAP_OPT_PROTOCOL_VERSION , ( int ) $ldapver );
2009-06-16 17:32:50 +02:00
2013-07-17 16:13:08 +02:00
$ldapbindun = isset ( $authcfg [ 'ldap_utf8' ]) ? utf8_encode ( $ldapbindun ) : $ldapbindun ;
$ldapbindpw = isset ( $authcfg [ 'ldap_utf8' ]) ? utf8_encode ( $ldapbindpw ) : $ldapbindpw ;
2010-03-02 18:07:06 +01:00
if ( $ldapanon == true ) {
if ( ! ( $res = @ ldap_bind ( $ldap ))) {
2010-08-13 21:23:37 +02:00
log_error ( sprintf ( gettext ( " ERROR! ldap_get_user_ous() could not bind anonymously to server %s. " ), $ldapname ));
2010-03-03 17:16:39 +01:00
@ ldap_close ( $ldap );
return $ous ;
}
} else if ( ! ( $res = @ ldap_bind ( $ldap , $ldapbindun , $ldapbindpw ))) {
log_error ( sprintf ( gettext ( " ERROR! ldap_get_user_ous() could not bind to server %s. " ), $ldapname ));
@ ldap_close ( $ldap );
return $ous ;
}
if ( $ldapscope == " one " )
$ldapfunc = " ldap_list " ;
else
$ldapfunc = " ldap_search " ;
$search = @ $ldapfunc ( $ldap , $ldapbasedn , $ldapfilter );
$info = @ ldap_get_entries ( $ldap , $search );
if ( is_array ( $info )) {
foreach ( $info as $inf ) {
if ( ! $show_complete_ou ) {
$inf_split = explode ( " , " , $inf [ 'dn' ]);
$ou = $inf_split [ 0 ];
$ou = str_replace ( " OU= " , " " , $ou );
$ou = str_replace ( " CN= " , " " , $ou );
} else
if ( $inf [ 'dn' ])
$ou = $inf [ 'dn' ];
if ( $ou )
$ous [] = $ou ;
}
}
@ ldap_unbind ( $ldap );
return $ous ;
}
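/**
 * Look up the LDAP groups the given user is a member of.
 *
 * The lookup is rooted at the user DN that ldap_backed() stored in
 * $_SESSION['ldapdn'] and requests only the configured member attribute;
 * the leading "CN=" component of each value becomes one group name.
 *
 * @param string $username  Login name. A "@realm" suffix is stripped unless
 *                          'ldap_nostrip_at' is set; see the note on the
 *                          backslash case below.
 * @param array  $authcfg   Authentication server entry from the config.
 * @return array|false|null List of group names (empty on any LDAP failure).
 *                          As before: null when the ldap extension is
 *                          missing, false when $username or $authcfg is empty.
 */
function ldap_get_groups($username, $authcfg) {
	if (!function_exists("ldap_connect"))
		return;
	if (!$username)
		return false;

	if (!isset($authcfg['ldap_nostrip_at']) && stristr($username, "@")) {
		$username_split = explode("@", $username);
		$username = $username_split[0];
	}
	/* NOTE(review): this keeps the part *before* the backslash (the domain in
	 * DOMAIN\user), whereas the "@" case keeps the user part. Left unchanged
	 * because ldap_backed() does the same; confirm whether that is intended. */
	if (stristr($username, "\\")) {
		$username_split = explode("\\", $username);
		$username = $username_split[0];
	}

	if (!$authcfg)
		return false;

	if (strstr($authcfg['ldap_urltype'], "Standard"))
		$ldapproto = "ldap";
	else
		$ldapproto = "ldaps";
	$ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
	$ldapport = $authcfg['ldap_port'];
	if (!empty($ldapport))
		$ldapserver .= ":{$ldapport}";
	$ldapbindun = $authcfg['ldap_binddn'];
	$ldapbindpw = $authcfg['ldap_bindpw'];
	$ldapnameattribute = strtolower($authcfg['ldap_attr_user']);
	/* php ldap arrays put every attribute name in lowercase */
	$ldapgroupattribute = strtolower($authcfg['ldap_attr_member']);
	$ldapver = $authcfg['ldap_protver'];
	$ldapanon = (empty($ldapbindun) || empty($ldapbindpw));
	$ldapname = $authcfg['name'];
	$ldapscope = $authcfg['ldap_scope'];

	/* The username comes from the login form: escape the RFC 4515 filter
	 * metacharacters so it can only match as a literal value. */
	if (function_exists('ldap_escape'))
		$filtervalue = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
	else
		$filtervalue = str_replace(
			array('\\', '*', '(', ')', "\0"),
			array('\5c', '\2a', '\28', '\29', '\00'),
			$username);
	$ldapfilter = "({$ldapnameattribute}={$filtervalue})";

	$memberof = array();

	/* The user DN is recorded by ldap_backed() on a successful login; without
	 * it the search below has no base and can only come back empty. */
	$ldapdn = isset($_SESSION['ldapdn']) ? $_SESSION['ldapdn'] : '';
	if ($ldapdn === '') {
		log_error(sprintf(gettext("ERROR! ldap_get_groups() has no user DN for %s; was ldap_backed() called first?"), $username));
		return $memberof;
	}

	/* Setup CA environment if needed. */
	ldap_setup_caenv($authcfg);

	/* connect and see if server is up */
	if (!($ldap = ldap_connect($ldapserver))) {
		log_error(sprintf(gettext("ERROR! ldap_get_groups() Could not connect to server %s."), $ldapname));
		/* was `return memberof;` (missing "$"), an undefined constant */
		return $memberof;
	}

	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);

	/* bind as user that has rights to read group attributes */
	if (isset($authcfg['ldap_utf8'])) {
		$ldapbindun = utf8_encode($ldapbindun);
		$ldapbindpw = utf8_encode($ldapbindpw);
	}
	if ($ldapanon)
		$res = @ldap_bind($ldap);
	else
		$res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw);
	if (!$res) {
		if ($ldapanon)
			log_error(sprintf(gettext("ERROR! ldap_get_groups() could not bind anonymously to server %s."), $ldapname));
		else
			log_error(sprintf(gettext("ERROR! ldap_get_groups() could not bind to server %s."), $ldapname));
		@ldap_close($ldap);
		/* both bind failures now yield an empty list, which is what the
		 * callers (in_array) expect */
		return $memberof;
	}

	/* ldap_read() on the DN would suffice, but honour the configured scope
	 * like the other lookups in this file. */
	$ldapfunc = ($ldapscope == "one") ? "ldap_list" : "ldap_search";
	$search = @$ldapfunc($ldap, $ldapdn, $ldapfilter, array($ldapgroupattribute));
	/* ldap_get_entries() must not be handed a failed (false) search result */
	$info = ($search !== false) ? @ldap_get_entries($ldap, $search) : false;

	if (is_array($info) && isset($info[0][$ldapgroupattribute]) && is_array($info[0][$ldapgroupattribute])) {
		/* Iterate through the groups and throw them into an array */
		foreach ($info[0][$ldapgroupattribute] as $member) {
			/* keep only the name component of each group DN */
			if (stristr($member, "CN=") !== false) {
				$membersplit = explode(",", $member);
				$memberof[] = preg_replace("/CN=/i", "", $membersplit[0]);
			}
		}
	}

	/* Time to close LDAP connection */
	@ldap_unbind($ldap);

	return $memberof;
}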
/*
 * Wrap an IPv6 literal in brackets so it can be embedded in an LDAP URL;
 * hostnames and IPv4 addresses are returned untouched.
 */
function ldap_format_host($host) {
	if (is_ipaddrv6($host))
		return "[{$host}]";
	return $host;
}
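/**
 * Authenticate $username/$passwd against the LDAP server described by $authcfg.
 *
 * Binds with the configured bind DN (or anonymously), searches each
 * ';'-separated authentication container under the base DN for exactly one
 * entry matching the user attribute (and the optional extended query), then
 * re-binds as that entry with the supplied password. On success the entry's
 * DN and container are stored in $_SESSION for ldap_get_groups().
 *
 * @param string $username  Login name. A "@realm" suffix is stripped unless
 *                          'ldap_nostrip_at' is set; see the note on the
 *                          backslash case below.
 * @param string $passwd    Clear-text password; an empty one is rejected.
 * @param array  $authcfg   Authentication server entry from the config.
 * @return bool|null true on success, false on any failure; null (as before)
 *                   when $username is empty or the ldap extension is missing.
 */
function ldap_backed($username, $passwd, $authcfg) {
	global $debug;

	if (!$username)
		return;
	if (!function_exists("ldap_connect"))
		return;
	/* An empty password must never reach ldap_bind(): a DN with an empty
	 * password is an *unauthenticated* bind (RFC 4513 5.1.2), which servers
	 * may accept, so it would "succeed" without checking any credential. */
	if (strlen((string)$passwd) == 0)
		return false;

	if (!isset($authcfg['ldap_nostrip_at']) && stristr($username, "@")) {
		$username_split = explode("@", $username);
		$username = $username_split[0];
	}
	/* NOTE(review): this keeps the part *before* the backslash (the domain in
	 * DOMAIN\user), whereas the "@" case keeps the user part. Left unchanged
	 * for parity with ldap_get_groups(); confirm whether that is intended. */
	if (stristr($username, "\\")) {
		$username_split = explode("\\", $username);
		$username = $username_split[0];
	}

	if (!$authcfg)
		return false;

	/* first check if there is even an LDAP server populated */
	if (empty($authcfg['host'])) {
		log_error(gettext("ERROR! ldap_backed() called with no LDAP authentication server defined."));
		return false;
	}

	if (strstr($authcfg['ldap_urltype'], "Standard"))
		$ldapproto = "ldap";
	else
		$ldapproto = "ldaps";
	$ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
	$ldapport = $authcfg['ldap_port'];
	if (!empty($ldapport))
		$ldapserver .= ":{$ldapport}";
	$ldapbasedn = $authcfg['ldap_basedn'];
	$ldapbindun = $authcfg['ldap_binddn'];
	$ldapbindpw = $authcfg['ldap_bindpw'];
	$ldapanon = (empty($ldapbindun) || empty($ldapbindpw));
	$ldapauthcont = $authcfg['ldap_authcn'];
	$ldapnameattribute = strtolower($authcfg['ldap_attr_user']);
	$ldapextendedqueryenabled = $authcfg['ldap_extended_enabled'];
	$ldapextendedquery = $authcfg['ldap_extended_query'];
	$ldapver = $authcfg['ldap_protver'];
	$ldapname = $authcfg['name'];
	$ldapscope = $authcfg['ldap_scope'];
	$utf8 = isset($authcfg['ldap_utf8']);

	/* The username comes from the login form: escape the RFC 4515 filter
	 * metacharacters so it can only match as a literal value. The extended
	 * query is admin-supplied filter syntax and is used verbatim. */
	if (function_exists('ldap_escape'))
		$filtervalue = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
	else
		$filtervalue = str_replace(
			array('\\', '*', '(', ')', "\0"),
			array('\5c', '\2a', '\28', '\29', '\00'),
			$username);
	if (!$ldapextendedqueryenabled)
		$ldapfilter = "({$ldapnameattribute}={$filtervalue})";
	else
		$ldapfilter = "(&({$ldapnameattribute}={$filtervalue})({$ldapextendedquery}))";

	/* Setup CA environment if needed. */
	ldap_setup_caenv($authcfg);

	/* Make sure we can connect to LDAP */
	if (!($ldap = ldap_connect($ldapserver))) {
		log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname));
		return false;
	}
	/* Options go on the live handle: previously these ran before
	 * ldap_connect() and so never applied to the real connection. */
	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);

	/* ok, its up. now, lets bind as the bind user so we can search it */
	if ($utf8) {
		$ldapbindun = utf8_encode($ldapbindun);
		$ldapbindpw = utf8_encode($ldapbindpw);
	}
	if ($ldapanon)
		$res = @ldap_bind($ldap);
	else
		$res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw);
	if (!$res) {
		@ldap_close($ldap);
		log_error(sprintf(gettext("ERROR! Could not bind to server %s."), $ldapname));
		return false;
	}

	/* Get LDAP Authcontainers and split em up. */
	$ldac_splits = explode(";", $ldapauthcont);

	/* Encode filter and base DN exactly once; doing it inside the container
	 * loop (as before) re-encoded them on every iteration after the first. */
	if ($utf8) {
		$ldapfilter = utf8_encode($ldapfilter);
		$ldapbasedn = utf8_encode($ldapbasedn);
	}

	if ($debug)
		log_auth(sprintf(gettext("Now Searching for %s in directory."), $username));

	$ldapfunc = ($ldapscope == "one") ? "ldap_list" : "ldap_search";

	/*
	 * Find the user by username and filter; the first container yielding
	 * exactly one match wins. Its OU and DN are stored in the session so
	 * ldap_get_groups() does not have to search again.
	 */
	$userdn = null;
	foreach ($ldac_splits as $ldac_split) {
		if ($utf8)
			$ldac_split = utf8_encode($ldac_split);

		/* Support legacy auth container specification: a container holding
		 * "DC=" is a full DN rather than relative to the base DN. */
		if (stristr($ldac_split, "DC=") || empty($ldapbasedn))
			$ldapsearchbasedn = $ldac_split;
		else
			$ldapsearchbasedn = "{$ldac_split},{$ldapbasedn}";

		if ($debug)
			log_auth(sprintf(gettext('Now Searching in server %1$s, container %2$s with filter %3$s.'), $ldapname, utf8_decode($ldac_split), utf8_decode($ldapfilter)));

		$search = @$ldapfunc($ldap, $ldapsearchbasedn, $ldapfilter);
		if (!$search) {
			log_error(sprintf(gettext("Search resulted in error: %s"), ldap_error($ldap)));
			continue;
		}

		$info = ldap_get_entries($ldap, $search);
		if ($info['count'] == 1) {
			/* Make sure we just use the first user we find */
			$userdn = $_SESSION['ldapdn'] = $info[0]['dn'];
			/* was $ldac_split[$i], which indexed one character of the string */
			$_SESSION['ldapou'] = $ldac_split;
			$_SESSION['ldapon'] = "true";
			break;
		}
	}

	/* No DN means no match (or several); never fall through to a bind with an
	 * empty DN, which would be anonymous. */
	if ($userdn === null || $userdn === '') {
		@ldap_unbind($ldap);
		log_error(gettext("ERROR! Either LDAP search failed, or multiple users were found."));
		return false;
	}

	/* Now lets bind as the user we found */
	if ($utf8)
		$passwd = utf8_encode($passwd);
	if (!($res = @ldap_bind($ldap, $userdn, $passwd))) {
		log_error(sprintf(gettext('ERROR! Could not login to server %1$s as user %2$s: %3$s'), $ldapname, $username, ldap_error($ldap)));
		@ldap_unbind($ldap);
		return false;
	}

	if ($debug) {
		$shown_dn = $utf8 ? utf8_decode($userdn) : $userdn;
		log_auth(sprintf(gettext('Logged in successfully as %1$s via LDAP server %2$s with DN = %3$s.'), $username, $ldapname, $shown_dn));
	}

	/* At this point we are bound to LDAP so the user was auth'd okay. Close connection. */
	@ldap_unbind($ldap);
	return true;
}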
/*
 * Authenticate $username/$passwd with RADIUS PAP against the server in
 * $authcfg. Reply attributes are copied into $attributes when the server sent
 * any. Returns true on Access-Accept, false otherwise (including when
 * $authcfg is empty). With $debug set, progress is printed as HTML fragments.
 */
function radius_backed($username, $passwd, $authcfg, &$attributes = array()) {
	global $debug, $config;

	require_once("radius.inc");

	$rauth = new Auth_RADIUS_PAP($username, $passwd);

	if (!$authcfg)
		return false;

	$radsrv = array(
		'ipaddr' => $authcfg['host'],
		'port' => $authcfg['radius_auth_port'],
		'sharedsecret' => $authcfg['radius_secret'],
		'timeout' => $authcfg['radius_timeout'],
	);

	/* Add the server to our instance; a non-numeric timeout falls back to 5s */
	$timeout = is_numeric($radsrv['timeout']) ? $radsrv['timeout'] : 5;
	$rauth->addServer($radsrv['ipaddr'], $radsrv['port'], $radsrv['sharedsecret'], $timeout);

	$accepted = false;

	if (PEAR::isError($rauth->start())) {
		$err = $rauth->getError();
		if ($debug)
			printf(gettext("Radius start: %s<br />\n"), $err);
	}
	// XXX - billm - somewhere in here we need to handle securid challenge/response
	/* Send request */
	$result = $rauth->send();
	if (PEAR::isError($result)) {
		$err = $result->getMessage();
		if ($debug)
			printf(gettext("Radius send failed: %s<br />\n"), $err);
	} elseif ($result === true) {
		if ($rauth->getAttributes())
			$attributes = $rauth->listAttributes();
		if ($debug)
			printf(gettext("Radius Auth succeeded") . "<br />\n");
		$accepted = true;
	} else {
		if ($debug)
			printf(gettext("Radius Auth rejected") . "<br />\n");
	}

	// close OO RADIUS_AUTHENTICATION
	$rauth->close();
	return $accepted;
}
/*
 * Return the configured expiry date string of a local user, or null when the
 * account has none (or no such user exists).
 */
function get_user_expiration_date($username) {
	$user = getUserEntry($username);
	return !empty($user['expires']) ? $user['expires'] : null;
}
/*
 * True once the user's expiry date (if any) has passed. The expiry is
 * normalised to midnight and compared against "now minus one day", so the
 * expiry day itself still counts as valid.
 */
function is_account_expired($username) {
	$expirydate = get_user_expiration_date($username);
	if (!$expirydate)
		return false;
	$expires_at = strtotime(date("m/d/Y", strtotime($expirydate)));
	return strtotime("-1 day") > $expires_at;
}
/* Whether the local user entry carries the 'disabled' flag. */
function is_account_disabled($username) {
	$user = getUserEntry($username);
	return isset($user['disabled']);
}
/*
 * Look up an authentication server entry by name in $config. The built-in
 * "Local Database" pseudo-server is synthesised when asked for by that name.
 * Returns null when nothing matches.
 */
function auth_get_authserver($name) {
	global $config;

	$servers = isset($config['system']['authserver']) ? $config['system']['authserver'] : null;
	if (is_array($servers)) {
		foreach ($servers as $authcfg) {
			if ($authcfg['name'] == $name)
				return $authcfg;
		}
	}
	if ($name != "Local Database")
		return null;
	return array(
		"name" => gettext("Local Database"),
		"type" => "Local Auth",
		"host" => $config['system']['hostname'],
	);
}
/*
 * Return every configured authentication server keyed by name, plus the
 * built-in "Local Database" entry (which replaces any same-named server).
 */
function auth_get_authserver_list() {
	global $config;

	$list = array();
	$servers = isset($config['system']['authserver']) ? $config['system']['authserver'] : null;
	if (is_array($servers)) {
		/* Add support for disabled entries? */
		foreach ($servers as $authcfg)
			$list[$authcfg['name']] = $authcfg;
	}
	$list["Local Database"] = array(
		"name" => gettext("Local Database"),
		"type" => "Local Auth",
		"host" => $config['system']['hostname'],
	);
	return $list;
}
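/*
 * Return the names of the configured groups ($config['system']['group']) the
 * user belongs to according to the backend selected by $authcfg['type'].
 *
 * LDAP membership comes from ldap_get_groups(); RADIUS carries no group
 * information here, so the result is always empty for it; any other type is
 * treated as the local user database.
 *
 * @param string $username
 * @param array  $authcfg  Authentication server entry.
 * @return array List of group names (possibly empty).
 */
function getUserGroups($username, $authcfg) {
	global $config;

	$allowed_groups = array();
	switch ($authcfg['type']) {
	case 'ldap':
		$allowed_groups = @ldap_get_groups($username, $authcfg);
		break;
	case 'radius':
		break;
	default:
		$user = getUserEntry($username);
		$allowed_groups = @local_user_get_groups($user, true);
		break;
	}
	/* The backends may return false/null on failure; in_array() would then
	 * warn (PHP 5/7) or throw a TypeError (PHP 8). Treat that as no groups. */
	if (!is_array($allowed_groups))
		$allowed_groups = array();

	$member_groups = array();
	if (isset($config['system']['group']) && is_array($config['system']['group'])) {
		foreach ($config['system']['group'] as $group) {
			if (in_array($group['name'], $allowed_groups))
				$member_groups[] = $group['name'];
		}
	}
	return $member_groups;
}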
/*
 * Authenticate a user against the backend selected by $authcfg['type']
 * ('ldap', 'radius', anything else means the local user database). Without
 * $authcfg the local database result is returned as-is. RADIUS reply
 * attributes are handed back through $attributes. Returns true on success.
 */
function authenticate_user($username, $password, $authcfg = NULL, &$attributes = array()) {
	if (!$authcfg)
		return local_backed($username, $password);

	switch ($authcfg['type']) {
	case 'ldap':
		$result = ldap_backed($username, $password, $authcfg);
		break;
	case 'radius':
		$result = radius_backed($username, $password, $authcfg, $attributes);
		break;
	default:
		/* lookup user object by name */
		$result = local_backed($username, $password);
		break;
	}
	return (bool)$result;
}
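/**
 * Establish and validate the webConfigurator session.
 *
 * In order: sets the session cookie flags, starts the session, rejects a
 * session carried over a different protocol, handles a posted login form
 * (configured server first, then the local database), applies the idle
 * timeout, and processes a logout request. Side effects: starts/destroys the
 * PHP session, emits Location headers and may exit().
 *
 * Reads $_POST['login'/'usernamefld'/'passwordfld'/'postafterlogin'],
 * $_GET['logout'/'disable_ajax'/'enable_ajax'] and the global $page.
 *
 * @return bool|null true when the request belongs to an authenticated session
 *                   (or the login just succeeded with 'postafterlogin'),
 *                   false when the caller should show the login page, null
 *                   after an AJAX login failure (message already echoed).
 */
function session_auth() {
	global $config, $page;

	// Handle HTTPS httponly and secure flags
	$currentCookieParams = session_get_cookie_params();
	session_set_cookie_params(
		$currentCookieParams["lifetime"],
		$currentCookieParams["path"],
		NULL,
		($config['system']['webgui']['protocol'] == "https"),
		true
	);

	if (!session_id())
		session_start();

	// Detect protocol change: a session established over one protocol is
	// not honoured on the other (or when it predates this check).
	if (!isset($_POST['login']) && !empty($_SESSION['Logged_In']) &&
	    (!isset($_SESSION['protocol']) || $_SESSION['protocol'] != $config['system']['webgui']['protocol']))
		return false;

	/* Validate incoming login request */
	if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) {
		$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
		/* NOTE: the local database is always tried when the configured
		 * server rejects or is unreachable. */
		if (authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg) ||
		    authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) {
			// Generate a new id to avoid session fixation; `true` also
			// removes the pre-login session so its id cannot be reused.
			session_regenerate_id(true);
			$_SESSION['Logged_In'] = "True";
			$_SESSION['Username'] = $_POST['usernamefld'];
			$_SESSION['last_access'] = time();
			$_SESSION['protocol'] = $config['system']['webgui']['protocol'];
			if (!isset($config['system']['webgui']['quietlogin'])) {
				log_auth(sprintf(gettext("Successful login for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], $_SERVER['REMOTE_ADDR']));
			}
			if (isset($_POST['postafterlogin']))
				return true;
			if (empty($page))
				$page = "/";
			header("Location: {$page}");
			exit;
		} else {
			/* give the user an error message */
			$_SESSION['Login_Error'] = "Username or Password incorrect";
			log_auth("webConfigurator authentication error for '{$_POST['usernamefld']}' from {$_SERVER['REMOTE_ADDR']}");
			if (isAjax()) {
				echo "showajaxmessage('{$_SESSION['Login_Error']}');";
				return;
			}
		}
	}

	/* Show login page if they aren't logged in */
	if (empty($_SESSION['Logged_In']))
		return false;

	/* a missing timestamp counts as 0, i.e. always stale */
	$last_access = isset($_SESSION['last_access']) ? (int)$_SESSION['last_access'] : 0;

	/* If session timeout isn't set, we don't mark sessions stale */
	if (!isset($config['system']['webgui']['session_timeout'])) {
		/* Default to 4 hour timeout if one is not set */
		if ($last_access < (time() - 14400)) {
			$_GET['logout'] = true;
			$_SESSION['Logout'] = true;
		} else {
			$_SESSION['last_access'] = time();
		}
	} else if (intval($config['system']['webgui']['session_timeout']) == 0) {
		/* only update if it wasn't ajax */
		if (!isAjax())
			$_SESSION['last_access'] = time();
	} else {
		/* Check for stale session */
		if ($last_access < (time() - ($config['system']['webgui']['session_timeout'] * 60))) {
			$_GET['logout'] = true;
			$_SESSION['Logout'] = true;
		} else {
			/* only update if it wasn't ajax */
			if (!isAjax())
				$_SESSION['last_access'] = time();
		}
	}

	/* user hit the logout button (or the timeout above set it) */
	if (isset($_GET['logout'])) {
		if (!empty($_SESSION['Logout']))
			log_error(sprintf(gettext("Session timed out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR']));
		else
			log_error(sprintf(gettext("User logged out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR']));
		/* wipe out $_SESSION */
		$_SESSION = array();
		if (isset($_COOKIE[session_name()]))
			setcookie(session_name(), '', time() - 42000, '/');
		/* and destroy it */
		session_destroy();
		if (isAjax())
			return false;
		/* redirect to page the user is on, it'll prompt them to login again */
		header("Location: " . basename($_SERVER["SCRIPT_FILENAME"]));
		return false;
	}

	/*
	 * this is for debugging purpose if you do not want to use Ajax
	 * to submit a HTML form. It basically disables the observation
	 * of the submit event and hence does not trigger Ajax.
	 */
	if (!empty($_GET['disable_ajax']))
		$_SESSION['NO_AJAX'] = "True";
	/*
	 * Same to re-enable Ajax.
	 */
	if (!empty($_GET['enable_ajax']))
		unset($_SESSION['NO_AJAX']);
	return true;
}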
?>