

Ignore whitespace Rev 2713 → Rev 2714

/CHANGELOG
6,6 → 6,7
- Replace DNSmasq server with Unbound
- Add LDAPS (LDAP SSL) support.
- Add a global group named "default" for all users (the "ldap" group still exists for users authenticated through LDAP).
- Add LDAP filter.
 
ACC
- Add the DHCP relay configuration in ACC.
/scripts/alcasar-ldap.sh
20,6 → 20,7
LDAP_PASSWORD=$(grep '^LDAP_PASSWORD=' $CONF_FILE | cut -d"=" -f2-) # its password
LDAP_BASE=$(grep '^LDAP_BASE=' $CONF_FILE | cut -d"=" -f2-) # Where to find the users (cn=**,dc=**,dc=**)
LDAP_UID=$(grep '^LDAP_UID=' $CONF_FILE | cut -d"=" -f2) # 'samaccountname' for A.D. - 'UID' for LDAP
LDAP_FILTER=$(grep '^LDAP_FILTER=' $CONF_FILE | cut -d"=" -f2-) # LDAP filter
LDAP_SSL=$(grep '^LDAP_SSL=' $CONF_FILE | cut -d"=" -f2-) # LDAP SSL status
LDAP_CERT_REQUIRED=$(grep '^LDAP_CERT_REQUIRED=' $CONF_FILE | cut -d"=" -f2-) # LDAP SSL certificate verifying
 
51,7 → 52,8
$SED "s/^\tidentity =.*/\tidentity = \"${LDAP_USER//\"/\\\\\\\"}\"/g" $LDAP_MODULE
$SED "s/^\tpassword =.*/\tpassword = \"${LDAP_PASSWORD//\"/\\\\\\\"}\"/g" $LDAP_MODULE
$SED "s/^\tbase_dn =.*/\tbase_dn = \"${LDAP_BASE//\"/\\\\\\\"}\"/g" $LDAP_MODULE
$SED "s/^\t\tfilter =.*/\t\tfilter = \"(${LDAP_UID//\"/\\\\\\\"}=%{%{Stripped-User-Name}:-%{User-Name}})\"/g" $LDAP_MODULE
[ -n "$LDAP_FILTER" ] && filter="$LDAP_FILTER" || filter='&'
$SED "s/^\t\tfilter =.*/\t\tfilter = \"(\&(${LDAP_UID//\"/\\\\\\\"}=%{%{Stripped-User-Name}:-%{User-Name}})($filter))\"/g" $LDAP_MODULE
if [ ! -e /etc/raddb/mods-enabled/ldap ]; then
ln -s $LDAP_MODULE /etc/raddb/mods-enabled/ldap
fi
104,7 → 106,8
else
protocol='ldap'
fi
/usr/bin/ldapsearch $debugOpt -LLL -H "$protocol://$LDAP_SERVER" -x -D "$LDAP_USER" -w "$LDAP_PASSWORD" -b "$LDAP_BASE" "($LDAP_UID=*)" 1.1
[ -n "$LDAP_FILTER" ] && filter="$LDAP_FILTER" || filter='&'
/usr/bin/ldapsearch $debugOpt -LLL -H "$protocol://$LDAP_SERVER" -x -D "$LDAP_USER" -w "$LDAP_PASSWORD" -b "$LDAP_BASE" "(&($LDAP_UID=*)($filter))" 1.1
;;
*)
echo "Argument inconnu : $1";
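Review bot: `$filter` at lines 30–31 is spliced into the sed replacement with none of the escaping the neighbouring variables get, and its default `'&'` is itself a sed back-reference for the whole match, so with no filter configured the generated module line becomes `filter = "(&(<uid>=...)(<the original line>))"` instead of the intended `(&)`; a configured value containing `/`, `&` or `\` would likewise break or corrupt the substitution. Escape the sed metacharacters before the substitution, e.g. insert `filter=$(printf '%s' "$filter" | sed 's/[\\/&]/\\&/g')` after line 30, and apply the same `"`-escaping the script uses for LDAP_UID. The second copy of the default at line 40 feeds ldapsearch directly, where a literal `&` is harmless, so only the sed path needs this. The enclosing script and its case statement continue outside the hunks.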
/web/acc/admin/ldap.php
128,7 → 128,7
$l_checkingConf = "Checking this configuration...";
}
 
function ldap_checkServerConfig($f_ldap_server, $f_ldap_identity, $f_ldap_password, $f_ldap_basedn, $f_ldap_uid, $f_ldap_ssl, $f_ldap_cert, $f_ldap_cert_required) {
function ldap_checkServerConfig($f_ldap_server, $f_ldap_identity, $f_ldap_password, $f_ldap_basedn, $f_ldap_base_filter, $f_ldap_uid, $f_ldap_ssl, $f_ldap_cert, $f_ldap_cert_required) {
// Socket to the LDAP port of the server
if (!$sock = @fsockopen($f_ldap_server, (($f_ldap_ssl) ? 636 : 389), $num, $error, 2)) {
// no network connection
171,7 → 171,8
}
 
// if ok, try to query the directory of users
$query = $f_ldap_uid.'=*';
$filter = ((!empty($f_ldap_base_filter)) ? $f_ldap_base_filter : '&');
$query = "(&($f_ldap_uid=*)($filter))";
$ldap_result = @ldap_search($ldapconn, $f_ldap_basedn, $query);
if ($ldap_result) {
$ldap_users_count = ldap_count_entries($ldapconn, $ldap_result);
300,7 → 301,7
if (!empty($varErrors)) {
$response['errors'] = $varErrors;
} else {
$result = ldap_checkServerConfig($ldap_server, $ldap_user, $ldap_password, $ldap_base_dn, $ldap_uid, $ldap_ssl, $ldap_cert_tmpFilename, $ldap_cert_required);
$result = ldap_checkServerConfig($ldap_server, $ldap_user, $ldap_password, $ldap_base_dn, $ldap_base_filter, $ldap_uid, $ldap_ssl, $ldap_cert_tmpFilename, $ldap_cert_required);
 
if (($result === 0) && ($ldap_ssl && $ldap_cert_required && ((isset($ldap_cert) && ($ldap_cert['error'] === UPLOAD_ERR_OK)) || (file_exists($LDAPS_CERT_LOC))))) {
if (filter_var($ldap_server, FILTER_VALIDATE_IP) !== false) {
315,7 → 316,7
$response['warnings'][] = str_replace("§cert_domainName§", $cert_domainName, $l_ldap_cert_cn_diff_dn);
}
}
$res = ldap_checkServerConfig($cert_domainName, $ldap_user, $ldap_password, $ldap_base_dn, $ldap_uid, $ldap_ssl, $ldap_cert_tmpFilename, $ldap_cert_required);
$res = ldap_checkServerConfig($cert_domainName, $ldap_user, $ldap_password, $ldap_base_dn, $ldap_base_filter, $ldap_uid, $ldap_ssl, $ldap_cert_tmpFilename, $ldap_cert_required);
if ($res > 1) {
$result = $res;
}
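Review bot: The query built at line 61 wraps the configured value as `($filter)`, so ldap_checkServerConfig only works when the administrator enters the filter without its own outer parentheses (`objectClass=person`, or `&(objectClass=person)(memberOf=...)` for a compound one); a value entered as `(objectClass=person)` yields `((objectClass=person))`, which ldap_search rejects and which the caller then sees as a generic query failure rather than a format error. Whether the form validation outside this hunk checks the filter's shape is not visible here, so at minimum document the convention, e.g. `// base filter is spliced as "($filter)": expected without its outer parentheses, same convention as the FreeRADIUS module filter written by alcasar-ldap.sh`. The same `'&'` default appears in alcasar-ldap.sh at lines 30 and 40; one documented default would keep the three places in step. ldap_checkServerConfig starts at line 51 and its body runs past the hunk.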