diff options
| author | Simon Rettberg | 2016-05-03 19:03:09 +0200 |
|---|---|---|
| committer | Simon Rettberg | 2016-05-03 19:03:09 +0200 |
| commit | 50404f3b23b7fd6aeae4c9d2f6df0ea25e984e66 (patch) | |
| tree | 05e99fdffa696434960d7c77966c0bc36d6339e8 /modules-available/sysconfig/addmodule_adauth.inc.php | |
| parent | Second half of merge.... (diff) | |
| download | slx-admin-50404f3b23b7fd6aeae4c9d2f6df0ea25e984e66.tar.gz slx-admin-50404f3b23b7fd6aeae4c9d2f6df0ea25e984e66.tar.xz slx-admin-50404f3b23b7fd6aeae4c9d2f6df0ea25e984e66.zip | |
WIP
Diffstat (limited to 'modules-available/sysconfig/addmodule_adauth.inc.php')
| -rw-r--r-- | modules-available/sysconfig/addmodule_adauth.inc.php | 413 |
1 files changed, 413 insertions, 0 deletions
diff --git a/modules-available/sysconfig/addmodule_adauth.inc.php b/modules-available/sysconfig/addmodule_adauth.inc.php new file mode 100644 index 00000000..e295630c --- /dev/null +++ b/modules-available/sysconfig/addmodule_adauth.inc.php @@ -0,0 +1,413 @@ +<?php + +/* + * Wizard for setting up active directory integration for authentication. + */ + +class AdAuth_Start extends AddModule_Base +{ + + protected function renderInternal() + { + $ADAUTH_COMMON_FIELDS = array('title', 'server', 'searchbase', 'binddn', 'bindpw', 'home', 'homeattr', 'ssl', 'certificate'); + $data = array(); + if ($this->edit !== false) { + moduleToArray($this->edit, $data, $ADAUTH_COMMON_FIELDS); + $data['title'] = $this->edit->title(); + $data['edit'] = $this->edit->id(); + } + postToArray($data, $ADAUTH_COMMON_FIELDS, true); + $obdn = Request::post('originalbinddn'); + if (!empty($obdn)) { + $data['binddn'] = $obdn; + } + if (preg_match('/^(.*)\:(636|3269|389|3268)$/', $data['server'], $out)) { + $data['server'] = $out[1]; + } + $data['step'] = 'AdAuth_CheckConnection'; + Render::addDialog(Dictionary::translate('config-module', 'adAuth_title'), false, 'ad-start', $data); + } + +} + +class AdAuth_CheckConnection extends AddModule_Base +{ + + private $scanTask; + private $server; + + protected function preprocessInternal() + { + $this->server = Request::post('server'); + $binddn = Request::post('binddn'); + $ssl = Request::post('ssl', 'off') === 'on'; + if (empty($this->server) || empty($binddn)) { + Message::addError('empty-field'); + AddModule_Base::setStep('AdAuth_Start'); // Continues with AdAuth_Start for render() + return; + } + if (preg_match('/^([^\:]+)\:(\d+)$/', $this->server, $out)) { + $ports = array($out[2]); + $this->server = $out[1]; + } elseif ($ssl) { + $ports = array(636, 3269); + } else { + $ports = array(389, 3268); + } + $this->scanTask = Taskmanager::submit('PortScan', array( + 'host' => $this->server, + 'ports' => $ports, + 'certificate' => Request::post('certificate', '') + )); + if (!isset($this->scanTask['id'])) { + AddModule_Base::setStep('AdAuth_Start'); // Continues with AdAuth_Start for render() + return; + } + } + + protected function renderInternal() + { + $data = array( + 'edit' => Request::post('edit'), + 'title' => Request::post('title'), + 'server' => $this->server, + 'searchbase' => Util::normalizeDn(Request::post('searchbase')), + 'binddn' => Util::normalizeDn(Request::post('binddn')), + 'bindpw' => Request::post('bindpw'), + 'home' => Request::post('home'), + 'homeattr' => Request::post('homeattr'), + 'ssl' => Request::post('ssl'), + 'certificate' => Request::post('certificate', ''), + 'taskid' => $this->scanTask['id'] + ); + $data['prev'] = 'AdAuth_Start'; + if (preg_match('#^\w+[/\\\\]\w+$#', Request::post('binddn')) || strlen(Request::post('searchbase')) < 2) { + $data['next'] = 'AdAuth_SelfSearch'; + } elseif (empty($data['homeattr'])) { + $data['next'] = 'AdAuth_HomeAttrCheck'; + } else { + $data['next'] = 'AdAuth_CheckCredentials'; + } + Render::addDialog(Dictionary::translate('config-module', 'adAuth_title'), false, 'ad_ldap-checkconnection', $data); + } + +} + +class AdAuth_SelfSearch extends AddModule_Base +{ + + private $taskIds; + private $originalBindDn; + + protected function preprocessInternal() + { + $server = Request::post('server'); + $port = Request::post('port'); + $searchbase = Request::post('searchbase', ''); + $binddn = Request::post('binddn'); + $bindpw = Request::post('bindpw'); + $ssl = Request::post('ssl', 'off') === 'on'; + if ($ssl && !Request::post('fingerprint')) { + Message::addError('error-read', 'fingerprint'); + AddModule_Base::setStep('AdAuth_Start'); // Continues with AdAuth_Start for render() + return; + } + if (empty($server) || empty($binddn) || empty($port)) { + Message::addError('empty-field'); + AddModule_Base::setStep('AdAuth_Start'); // Continues with AdAuth_Start for render() + return; + } + $this->originalBindDn = ''; + // Fix bindDN if short name given + // + if ($ssl) { // Use the specific AD ports so the domain\username bind works + $uri = "ldaps://$server:3269/"; + } else { + $uri = "ldap://$server:3268/"; + } + preg_match('#^\w+[/\\\\](\w+)$#', $binddn, $out); + $user = $out[1]; + $this->originalBindDn = str_replace('/', '\\', $binddn); + $selfSearch = Taskmanager::submit('LdapSearch', array( + 'server' => $uri, + 'searchbase' => $searchbase, + 'binddn' => $this->originalBindDn, + 'bindpw' => $bindpw, + 'filter' => "sAMAccountName=$user" + )); + if (!isset($selfSearch['id'])) { + AddModule_Base::setStep('AdAuth_Start'); // Continues with AdAuth_Start for render() + return; + } + $this->taskIds['self-search'] = $selfSearch['id']; + } + + protected function renderInternal() + { + $data = array( + 'edit' => Request::post('edit'), + 'title' => Request::post('title'), + 'server' => Request::post('server'), + 'port' => Request::post('port'), + 'searchbase' => Request::post('searchbase'), + 'binddn' => Request::post('binddn'), + 'bindpw' => Request::post('bindpw'), + 'home' => Request::post('home'), + 'homeattr' => Request::post('homeattr'), + 'ssl' => Request::post('ssl') === 'on', + 'fingerprint' => Request::post('fingerprint'), + 'certificate' => Request::post('certificate', ''), + 'originalbinddn' => $this->originalBindDn, + 'prev' => 'AdAuth_Start' + ); + if (empty($data['homeattr'])) { + $data['next'] = 'AdAuth_HomeAttrCheck'; + } else { + $data['next'] = 'AdAuth_CheckCredentials'; + } + Render::addDialog(Dictionary::translate('config-module', 'adAuth_title'), false, 'ad-selfsearch', + array_merge($this->taskIds, $data)); + } + +} + +class AdAuth_HomeAttrCheck extends AddModule_Base +{ + + private $taskIds; + + protected function preprocessInternal() + { + $server = Request::post('server'); + $port = Request::post('port'); + $searchbase = Request::post('searchbase', ''); + $binddn = Request::post('binddn'); + $bindpw = Request::post('bindpw'); + $ssl = Request::post('ssl', 'off') === 'on'; + if ($ssl && !Request::post('fingerprint')) { + Message::addError('error-read', 'fingerprint'); + AddModule_Base::setStep('AdAuth_Start'); // Continues with AdAuth_Start for render() + return; + } + if (empty($server) || empty($binddn) || empty($port)) { + Message::addError('empty-field'); + AddModule_Base::setStep('AdAuth_Start'); // Continues with AdAuth_Start for render() + return; + } + if ($ssl) { + $uri = "ldaps://$server:$port/"; + } else { + $uri = "ldap://$server:$port/"; + } + preg_match('#^(\w+=[^,]+),#', $binddn, $out); + $filter = $out[1]; + $data = array( + 'server' => $uri, + 'searchbase' => $searchbase, + 'binddn' => $binddn, + 'bindpw' => $bindpw, + 'filter' => $filter + ); + $selfSearch = Taskmanager::submit('LdapSearch', $data); + if (!isset($selfSearch['id'])) { + AddModule_Base::setStep('AdAuth_Start'); // Continues with AdAuth_Start for render() + return; + } + $this->taskIds['self-search'] = $selfSearch['id']; + } + + protected function renderInternal() + { + Render::addDialog(Dictionary::translate('config-module', 'adAuth_title'), false, 'ad-selfsearch', array_merge($this->taskIds, array( + 'edit' => Request::post('edit'), + 'title' => Request::post('title'), + 'server' => Request::post('server'), + 'port' => Request::post('port'), + 'searchbase' => Request::post('searchbase'), + 'binddn' => Request::post('binddn'), + 'bindpw' => Request::post('bindpw'), + 'home' => Request::post('home'), + 'homeattr' => Request::post('homeattr'), + 'ssl' => Request::post('ssl') === 'on', + 'fingerprint' => Request::post('fingerprint'), + 'certificate' => Request::post('certificate', ''), + 'originalbinddn' => Request::post('originalbinddn'), + 'tryHomeAttr' => true, + 'prev' => 'AdAuth_Start', + 'next' => 'AdAuth_CheckCredentials' + )) + ); + } + +} + +class AdAuth_CheckCredentials extends AddModule_Base +{ + + private $taskIds; + + protected function preprocessInternal() + { + $server = Request::post('server'); + $port = Request::post('port'); + $searchbase = Request::post('searchbase', ''); + $binddn = Request::post('binddn'); + $bindpw = Request::post('bindpw'); + $ssl = Request::post('ssl', 'off') === 'on'; + if ($ssl && !Request::post('fingerprint')) { + Message::addError('error-read', 'fingerprint'); + AddModule_Base::setStep('AdAuth_Start'); // Continues with AdAuth_Start for render() + return; + } + if (empty($server) || empty($binddn) || empty($port)) { + Message::addError('empty-field'); + AddModule_Base::setStep('AdAuth_Start'); // Continues with AdAuth_Start for render() + return; + } + // Test query 4 users + if ($ssl) { + $uri = "ldaps://$server:$port/"; + } else { + $uri = "ldap://$server:$port/"; + } + $ldapSearch = Taskmanager::submit('LdapSearch', array( + 'server' => $uri, + 'searchbase' => $searchbase, + 'binddn' => $binddn, + 'bindpw' => $bindpw + )); + if (!isset($ldapSearch['id'])) { + AddModule_Base::setStep('AdAuth_Start'); // Continues with AdAuth_Start for render() + return; + } + $this->taskIds = array( + 'tm-search' => $ldapSearch['id'] + ); + if (isset($selfSearch['id'])) + $this->taskIds['self-search'] = $selfSearch['id']; + } + + protected function renderInternal() + { + Render::addDialog(Dictionary::translate('config-module', 'adAuth_title'), false, 'ad_ldap-checkcredentials', array_merge($this->taskIds, array( + 'edit' => Request::post('edit'), + 'title' => Request::post('title'), + 'server' => Request::post('server') . ':' . Request::post('port'), + 'searchbase' => Request::post('searchbase'), + 'binddn' => Request::post('binddn'), + 'bindpw' => Request::post('bindpw'), + 'home' => Request::post('home'), + 'homeattr' => Request::post('homeattr'), + 'ssl' => Request::post('ssl') === 'on', + 'fingerprint' => Request::post('fingerprint'), + 'certificate' => Request::post('certificate', ''), + 'originalbinddn' => Request::post('originalbinddn'), + 'prev' => 'AdAuth_Start', + 'next' => 'AdAuth_Finish' + )) + ); + } + +} + +class AdAuth_Finish extends AddModule_Base +{ + + private $taskIds; + + protected function preprocessInternal() + { + $binddn = Request::post('binddn'); + $searchbase = Request::post('searchbase'); + if (empty($searchbase)) { + // If no search base was given, determine it from the dn + $originalBindDn = str_replace('\\', '/', trim(Request::post('originalbinddn'))); + if (!preg_match('#^([^/]+)/[^/]+$#', $originalBindDn, $out)) { + Message::addError('value-invalid', 'binddn', $originalBindDn); + Util::redirect('?do=SysConfig&action=addmodule&step=AdAuth_Start'); + } // $out[1] is the domain + // Find the domain in the dn + $i = mb_stripos($binddn, '=' . $out[1] . ','); + if ($i === false) { + Message::addError('value-invalid', 'binddn', $out[1]); + Util::redirect('?do=SysConfig&action=addmodule&step=AdAuth_Start'); + } + // Now find ',' before it so we get the key + $i = mb_strrpos(mb_substr($binddn, 0, $i), ','); + if ($i === false) + $i = -1; + $searchbase = mb_substr($binddn, $i + 1); + } else { + $somedn = Request::post('somedn', false); + if (!empty($somedn)) { + $i = stripos($somedn, $searchbase); + if ($i !== false) { + $searchbase = substr($somedn, $i, strlen($searchbase)); + } + } + } + $title = Request::post('title'); + if (empty($title)) + $title = 'AD: ' . Request::post('server'); + if ($this->edit === false) + $module = ConfigModule::getInstance('AdAuth'); + else + $module = $this->edit; + $ssl = Request::post('ssl', 'off') === 'on'; + $module->setData('server', Request::post('server')); + $module->setData('searchbase', $searchbase); + $module->setData('binddn', $binddn); + $module->setData('bindpw', Request::post('bindpw')); + $module->setData('home', Request::post('home')); + $module->setData('homeattr', Request::post('homeattr')); + $module->setData('certificate', Request::post('certificate')); + $module->setData('ssl', $ssl); + if ($ssl) { + $module->setData('fingerprint', Request::post('fingerprint', '')); + } else { + $module->setData('fingerprint', ''); + } + if ($this->edit !== false) + $ret = $module->update($title); + else + $ret = $module->insert($title); + if (!$ret) { + Message::addError('value-invalid', 'any', 'any'); + $tgz = false; + } else { + $parent = $this->stopOldInstance(); + $tgz = $module->generate($this->edit === false, $parent); + } + if ($tgz === false) { + AddModule_Base::setStep('AdAuth_Start'); // Continues with AdAuth_Start for render() + return; + } + $this->taskIds = array( + 'tm-config' => $tgz, + ); + } + + private function stopOldInstance() + { + if ($this->edit === false) + return NULL; + $list = ConfigTgz::getAllForModule($this->edit->id()); + if (!is_array($list)) + return NULL; + $parent = NULL; + foreach ($list as $tgz) { + if (!$tgz->isActive()) + continue; + $task = Trigger::ldadp($tgz->id(), $parent); + if (isset($task['id'])) + $parent = $task['id']; + } + return $parent; + } + + protected function renderInternal() + { + Render::addDialog(Dictionary::translate('config-module', 'adAuth_title'), false, 'ad-finish', $this->taskIds); + } + +} |