| 775 |
stephane |
1 |
<?php
|
|
|
2 |
/*
|
|
|
3 |
This class handled of ldap configuration.
|
|
|
4 |
WARNING! This class can't says if the configuration is valid or not.
|
|
|
5 |
*/
|
|
|
6 |
|
|
|
7 |
class ldapConfig
|
|
|
8 |
{
|
|
|
9 |
protected $_items = Array();
|
|
|
10 |
protected $_tls = array();
|
|
|
11 |
protected $instanceName;
|
|
|
12 |
|
|
|
13 |
public function __construct($instanceName=null) {
|
|
|
14 |
if ($instanceName!== null)
|
|
|
15 |
$this->instanceName = $instanceName;
|
|
|
16 |
// LDAP setting
|
|
|
17 |
$this->_items['protocol'] = 'ldap://';
|
|
|
18 |
$this->_items['host'] = 'test';
|
|
|
19 |
$this->_items['server'] = $this->_items['protocol'].$this->_items['host'];
|
|
|
20 |
$this->_items['port'] = '389';//not use yet (689 = ldaps)
|
|
|
21 |
$this->_items['identity'] = '';
|
|
|
22 |
$this->_items['password'] = '';
|
|
|
23 |
$this->_items['basedn'] = 'dc=example,dc=com';
|
|
|
24 |
$this->_items['filter'] = '(uid=%{Stripped-User-Name:-%{User-Name}})';
|
|
|
25 |
$this->_items['base_filter'] = '';
|
|
|
26 |
$this->_items['ldap_connections_number'] = '5';
|
|
|
27 |
$this->_items['timeout'] = '4';
|
|
|
28 |
$this->_items['timelimit'] = '3';
|
|
|
29 |
$this->_items['net_timeout'] = '1';
|
|
|
30 |
// TLS setting related items
|
|
|
31 |
$this->_tls['start_tls'] = 'no'; // if no all tls config are comments
|
|
|
32 |
$this->_tls['cacertfile'] = '#';
|
|
|
33 |
$this->_tls['cacertdir'] = '#';
|
|
|
34 |
$this->_tls['certfile'] = '#';
|
|
|
35 |
$this->_tls['keyfile'] = '#';
|
|
|
36 |
$this->_tls['randfile'] = '#';
|
|
|
37 |
$this->_tls['require_cert'] = '#';
|
|
|
38 |
// others ldap setting (optional)
|
|
|
39 |
$this->_items['default_profile'] = '#';
|
|
|
40 |
$this->_items['profile_attribute'] = '#';
|
|
|
41 |
$this->_items['access_attr'] = '#';
|
|
|
42 |
// Mapping of RADIUS dictionary attributes to LDAP
|
|
|
43 |
// directory attributes.
|
|
|
44 |
$this->_items['dictionary_mapping'] = '${confdir}/ldap.attrmap';
|
|
|
45 |
// for ldap like NOVEL
|
|
|
46 |
$this->_items['password_attribute'] = '#';
|
|
|
47 |
$this->_items['edir_account_policy_check'] = 'no';
|
|
|
48 |
// Group membership checking. Disabled by default.
|
|
|
49 |
$this->_items['groupname_attribute'] = '#';
|
|
|
50 |
$this->_items['groupmembership_filter'] = '#';
|
|
|
51 |
$this->_items['groupmembership_attribute'] = '#';
|
|
|
52 |
$this->_items['compare_check_items'] = '#';
|
|
|
53 |
$this->_items['do_xlat'] = '#';
|
|
|
54 |
$this->_items['access_attr_used_for_allow'] = '#';
|
|
|
55 |
// auth option
|
|
|
56 |
$this->_items['set_auth_type'] = '#';
|
|
|
57 |
// debug option
|
|
|
58 |
$this->_items['ldap_debug'] = '#';
|
|
|
59 |
}
|
|
|
60 |
|
|
|
61 |
public function __get($attr){ // to get an $item
|
|
|
62 |
if ($attr==='tls'){
|
|
|
63 |
return $this->_tls;
|
|
|
64 |
} elseif (array_key_exists($attr, $this->_items)){
|
|
|
65 |
return $this->_items[$attr];
|
|
|
66 |
} elseif (array_key_exists($attr, $this->_tls)){
|
|
|
67 |
return $this->_tls[$attr];
|
|
|
68 |
}
|
|
|
69 |
// nothing else!
|
|
|
70 |
}
|
|
|
71 |
public function __set($attr, $value){// to set an $item
|
|
|
72 |
if (array_key_exists($attr, $this->_items)){
|
|
|
73 |
$this->_items[$attr] = $value;
|
|
|
74 |
} elseif (array_key_exists($attr, $this->_tls)){
|
|
|
75 |
$this->_tls[$attr] = $value;
|
|
|
76 |
}
|
|
|
77 |
}
|
|
|
78 |
public function load($confFile){
|
|
|
79 |
// use here the parsing class
|
|
|
80 |
require_once("configreader.php");
|
|
|
81 |
|
|
|
82 |
$r = new configReader($confFile);
|
|
|
83 |
|
|
|
84 |
/*
|
|
|
85 |
loading only if the file containt only one ldap instance.
|
|
|
86 |
If more instance are found, we use the default values instead.
|
|
|
87 |
*/
|
|
|
88 |
if (is_object($r->ldap)){
|
|
|
89 |
$this->instanceName = $r->ldap->getInstanceName();
|
|
|
90 |
$items = $r->ldap->getpair();
|
|
|
91 |
foreach ($this->_items as $key => $value){
|
|
|
92 |
if (array_key_exists($key, $items))
|
|
|
93 |
$this->_items[$key] = $items[$key];
|
|
|
94 |
}
|
|
|
95 |
if (is_object($r->ldap->tls)){
|
|
|
96 |
$tls = $r->ldap->tls->getpair();
|
|
|
97 |
foreach ($this->_tls as $key => $value){
|
|
|
98 |
if (array_key_exists($key, $tls))
|
|
|
99 |
$this->_tls[$key] = $tls[$key];
|
|
|
100 |
}
|
|
|
101 |
}
|
|
|
102 |
}
|
|
|
103 |
}
|
|
|
104 |
public function __toString() {
|
|
|
105 |
return $this->save(null, true);
|
|
|
106 |
}
|
|
|
107 |
protected function _noComment($name, $value, $quote = false){
|
|
|
108 |
if ($value !== '#'){
|
|
|
109 |
if ($quote === true){
|
|
|
110 |
return $name." = \"".$value."\"";
|
|
|
111 |
} else {
|
|
|
112 |
return $name." = ".$value;
|
|
|
113 |
}
|
|
|
114 |
}
|
|
|
115 |
}
|
|
|
116 |
public function save($savefile = null, $returnconfig = false){
|
|
|
117 |
// make config file
|
|
|
118 |
$config = "
|
|
|
119 |
# Lightweight Directory Access Protocol (LDAP)
|
|
|
120 |
#
|
|
|
121 |
# This module definition allows you to use LDAP for
|
|
|
122 |
# authorization and authentication.
|
|
|
123 |
#
|
|
|
124 |
# See raddb/sites-available/default for reference to the
|
|
|
125 |
# ldap module in the authorize and authenticate sections.
|
|
|
126 |
#
|
|
|
127 |
# However, LDAP can be used for authentication ONLY when the
|
|
|
128 |
# Access-Request packet contains a clear-text User-Password
|
|
|
129 |
# attribute. LDAP authentication will NOT work for any other
|
|
|
130 |
# authentication method.
|
|
|
131 |
#
|
|
|
132 |
# This means that LDAP servers don't understand EAP. If you
|
|
|
133 |
# force \"Auth-Type = LDAP\", and then send the server a
|
|
|
134 |
# request containing EAP authentication, then authentication
|
|
|
135 |
# WILL NOT WORK.
|
|
|
136 |
#
|
|
|
137 |
# The solution is to use the default configuration, which does
|
|
|
138 |
# work.
|
|
|
139 |
#
|
|
|
140 |
# Setting \"Auth-Type = LDAP\" is ALMOST ALWAYS WRONG. We
|
|
|
141 |
# really can't emphasize this enough.
|
|
|
142 |
#
|
|
|
143 |
ldap ".$this->instanceName."{
|
|
|
144 |
#
|
|
|
145 |
# Note that this needs to match the name in the LDAP
|
|
|
146 |
# server certificate, if you're using ldaps.
|
|
|
147 |
server = \"".$this->_items['server']."\"
|
|
|
148 |
identity = \"".$this->_items['identity']."\"
|
|
|
149 |
password = ".$this->_items['password']."
|
|
|
150 |
basedn = \"".$this->_items['basedn']."\"
|
|
|
151 |
filter = \"".$this->_items['filter']."\"
|
|
|
152 |
base_filter = \"".$this->_items['base_filter']."\"
|
|
|
153 |
|
|
|
154 |
# How many connections to keep open to the LDAP server.
|
|
|
155 |
# This saves time over opening a new LDAP socket for
|
|
|
156 |
# every authentication request.
|
|
|
157 |
ldap_connections_number = ".$this->_items['ldap_connections_number']."
|
|
|
158 |
|
|
|
159 |
# seconds to wait for LDAP query to finish. default: 20
|
|
|
160 |
timeout = ".$this->_items['timeout']."
|
|
|
161 |
|
|
|
162 |
# seconds LDAP server has to process the query (server-side
|
|
|
163 |
# time limit). default: 20
|
|
|
164 |
#
|
|
|
165 |
# LDAP_OPT_TIMELIMIT is set to this value.
|
|
|
166 |
timelimit = ".$this->_items['timelimit']."
|
|
|
167 |
|
|
|
168 |
#
|
|
|
169 |
# seconds to wait for response of the server. (network
|
|
|
170 |
# failures) default: 10
|
|
|
171 |
#
|
|
|
172 |
# LDAP_OPT_NETWORK_TIMEOUT is set to this value.
|
|
|
173 |
net_timeout = ".$this->_items['net_timeout']."
|
|
|
174 |
|
|
|
175 |
#
|
|
|
176 |
# This subsection configures the tls related items
|
|
|
177 |
# that control how FreeRADIUS connects to an LDAP
|
|
|
178 |
# server. It contains all of the \"tls_*\" configuration
|
|
|
179 |
# entries used in older versions of FreeRADIUS. Those
|
|
|
180 |
# configuration entries can still be used, but we recommend
|
|
|
181 |
# using these.
|
|
|
182 |
#
|
|
|
183 |
tls {
|
|
|
184 |
# Set this to 'yes' to use TLS encrypted connections
|
|
|
185 |
# to the LDAP database by using the StartTLS extended
|
|
|
186 |
# operation.
|
|
|
187 |
#
|
|
|
188 |
# The StartTLS operation is supposed to be
|
|
|
189 |
# used with normal ldap connections instead of
|
|
|
190 |
# using ldaps (port 689) connections
|
|
|
191 |
start_tls = ".$this->_tls['start_tls']."
|
|
|
192 |
|
|
|
193 |
# cacertfile = /path/to/cacert.pem
|
|
|
194 |
# cacertdir = /path/to/ca/dir/
|
|
|
195 |
# certfile = /path/to/radius.crt
|
|
|
196 |
# keyfile = /path/to/radius.key
|
|
|
197 |
# randfile = /path/to/rnd
|
|
|
198 |
".$this->_noComment("cacertfile", $this->_tls['cacertfile'])."
|
|
|
199 |
".$this->_noComment("cacertdir", $this->_tls['cacertdir'])."
|
|
|
200 |
".$this->_noComment("certfile", $this->_tls['certfile'])."
|
|
|
201 |
".$this->_noComment("keyfile", $this->_tls['keyfile'])."
|
|
|
202 |
".$this->_noComment("randfile", $this->_tls['randfile'])."
|
|
|
203 |
# Certificate Verification requirements. Can be:
|
|
|
204 |
# \"never\" (don't even bother trying)
|
|
|
205 |
# \"allow\" (try, but don't fail if the cerificate
|
|
|
206 |
# can't be verified)
|
|
|
207 |
# \"demand\" (fail if the certificate doesn't verify.)
|
|
|
208 |
#
|
|
|
209 |
# The default is \"allow\"
|
|
|
210 |
# require_cert = \"demand\"
|
|
|
211 |
".$this->_noComment("require_cert", $this->_tls['require_cert'], true)."
|
|
|
212 |
}
|
|
|
213 |
|
|
|
214 |
# default_profile = \"cn=radprofile,ou=dialup,o=My Org,c=UA\"
|
|
|
215 |
# profile_attribute = \"radiusProfileDn\"
|
|
|
216 |
# access_attr = \"dialupAccess\"
|
|
|
217 |
".$this->_noComment("default_profile", $this->_items['default_profile'], true)."
|
|
|
218 |
".$this->_noComment("profile_attribute", $this->_items['profile_attribute'], true)."
|
|
|
219 |
".$this->_noComment("access_attr", $this->_items['access_attr'], true)."
|
|
|
220 |
# Mapping of RADIUS dictionary attributes to LDAP
|
|
|
221 |
# directory attributes.
|
|
|
222 |
dictionary_mapping = ".$this->_items['dictionary_mapping']."
|
|
|
223 |
|
|
|
224 |
# Set password_attribute = nspmPassword to get the
|
|
|
225 |
# user's password from a Novell eDirectory
|
|
|
226 |
# backend. This will work ONLY IF FreeRADIUS has been
|
|
|
227 |
# built with the --with-edir configure option.
|
|
|
228 |
#
|
|
|
229 |
# See also the following links:
|
|
|
230 |
#
|
|
|
231 |
# http://www.novell.com/coolsolutions/appnote/16745.html
|
|
|
232 |
# https://secure-support.novell.com/KanisaPlatform/Publishing/558/3009668_f.SAL_Public.html
|
|
|
233 |
#
|
|
|
234 |
# Novell may require TLS encrypted sessions before returning
|
|
|
235 |
# the user's password.
|
|
|
236 |
#
|
|
|
237 |
# password_attribute = userPassword
|
|
|
238 |
".$this->_noComment("access_attr", $this->_items['access_attr'])."
|
|
|
239 |
# Un-comment the following to disable Novell
|
|
|
240 |
# eDirectory account policy check and intruder
|
|
|
241 |
# detection. This will work *only if* FreeRADIUS is
|
|
|
242 |
# configured to build with --with-edir option.
|
|
|
243 |
#
|
|
|
244 |
edir_account_policy_check = no
|
|
|
245 |
".$this->_noComment("access_attr", $this->_items['access_attr'])."
|
|
|
246 |
#
|
|
|
247 |
# Group membership checking. Disabled by default.
|
|
|
248 |
#
|
|
|
249 |
# groupname_attribute = cn
|
|
|
250 |
# groupmembership_filter = \"(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))\"
|
|
|
251 |
# groupmembership_attribute = radiusGroupName
|
|
|
252 |
".$this->_noComment("groupname_attribute", $this->_items['groupname_attribute'])."
|
|
|
253 |
".$this->_noComment("groupmembership_filter", $this->_items['groupmembership_filter'], true)."
|
|
|
254 |
".$this->_noComment("groupmembership_attribute", $this->_items['groupmembership_attribute'])."
|
|
|
255 |
# compare_check_items = yes
|
|
|
256 |
# do_xlat = yes
|
|
|
257 |
# access_attr_used_for_allow = yes
|
|
|
258 |
".$this->_noComment("compare_check_items", $this->_items['compare_check_items'])."
|
|
|
259 |
".$this->_noComment("do_xlat", $this->_items['do_xlat'])."
|
|
|
260 |
".$this->_noComment("access_attr_used_for_allow", $this->_items['access_attr_used_for_allow'])."
|
|
|
261 |
#
|
|
|
262 |
# By default, if the packet contains a User-Password,
|
|
|
263 |
# and no other module is configured to handle the
|
|
|
264 |
# authentication, the LDAP module sets itself to do
|
|
|
265 |
# LDAP bind for authentication.
|
|
|
266 |
#
|
|
|
267 |
# THIS WILL ONLY WORK FOR PAP AUTHENTICATION.
|
|
|
268 |
#
|
|
|
269 |
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
|
|
|
270 |
#
|
|
|
271 |
# You can disable this behavior by setting the following
|
|
|
272 |
# configuration entry to \"no\".
|
|
|
273 |
#
|
|
|
274 |
# allowed values: {no, yes}
|
|
|
275 |
# set_auth_type = yes
|
|
|
276 |
# set_auth_type = no
|
|
|
277 |
".$this->_noComment("set_auth_type", $this->_items['set_auth_type'])."
|
|
|
278 |
# ldap_debug: debug flag for LDAP SDK
|
|
|
279 |
# (see OpenLDAP documentation). Set this to enable
|
|
|
280 |
# huge amounts of LDAP debugging on the screen.
|
|
|
281 |
# You should only use this if you are an LDAP expert.
|
|
|
282 |
#
|
|
|
283 |
# default: 0x0000 (no debugging messages)
|
|
|
284 |
# Example:(LDAP_DEBUG_FILTER+LDAP_DEBUG_CONNS)
|
|
|
285 |
#ldap_debug = 0x0028
|
|
|
286 |
".$this->_noComment("ldap_debug", $this->_items['ldap_debug'])."
|
|
|
287 |
}
|
|
|
288 |
";
|
|
|
289 |
if ($savefile !== null){
|
|
|
290 |
// save config file
|
|
|
291 |
if (is_file($savefile)){
|
|
|
292 |
// save the file
|
|
|
293 |
if (!is_writable($savefile))
|
|
|
294 |
return false;
|
|
|
295 |
$updatedFile = fopen( $savefile, 'w' );
|
|
|
296 |
fwrite( $updatedFile, $config );
|
|
|
297 |
fclose( $updatedFile );
|
|
|
298 |
} else {
|
|
|
299 |
// create a new file
|
|
|
300 |
$newFile = fopen($savefile, 'w') or die("can't create file");
|
|
|
301 |
fwrite( $newFile, $config );
|
|
|
302 |
fclose( $newFile );
|
|
|
303 |
}
|
|
|
304 |
}
|
|
|
305 |
// test $returnconfig
|
|
|
306 |
if (($returnconfig===true)||($returnconfig==="yes")){
|
|
|
307 |
return $config;
|
|
|
308 |
}else{
|
|
|
309 |
return true;
|
|
|
310 |
}
|
|
|
311 |
}
|
|
|
312 |
}
|
|
|
313 |
?>
|