diff options
author | Simon Rettberg | 2016-12-02 19:05:12 +0100 |
---|---|---|
committer | Simon Rettberg | 2016-12-02 19:05:12 +0100 |
commit | 3cdbbdde2499cf1d936c21a1eb2731858674083b (patch) | |
tree | 0efa85294bc9f32c526d5488a45b968fee03e5b6 /modules-available/sysconfig | |
parent | [sysconfig] Add table-hover class to config and module list (diff) | |
download | slx-admin-3cdbbdde2499cf1d936c21a1eb2731858674083b.tar.gz slx-admin-3cdbbdde2499cf1d936c21a1eb2731858674083b.tar.xz slx-admin-3cdbbdde2499cf1d936c21a1eb2731858674083b.zip |
[sysconfig] AD/LDAP: Handle certificates with unknown CA by fingerprint if no cert is supplied
Diffstat (limited to 'modules-available/sysconfig')
4 files changed, 44 insertions, 13 deletions
diff --git a/modules-available/sysconfig/addmodule_ldapauth.inc.php b/modules-available/sysconfig/addmodule_ldapauth.inc.php index 4a204407..2bd4b584 100644 --- a/modules-available/sysconfig/addmodule_ldapauth.inc.php +++ b/modules-available/sysconfig/addmodule_ldapauth.inc.php @@ -46,9 +46,9 @@ class LdapAuth_CheckConnection extends AddModule_Base $ports = array($out[2]); $this->server = $out[1]; } elseif ($ssl) { - $ports = array(636, 3269); + $ports = array(636); } else { - $ports = array(389, 3268); + $ports = array(389); } $this->scanTask = Taskmanager::submit('PortScan', array( 'host' => $this->server, @@ -196,7 +196,8 @@ class LdapAuth_HomeDir extends AddModule_Base $data['shareRemapMode_' . $this->edit->getData('shareRemapMode')] = 'selected="selected"'; $letter = $this->edit->getData('shareHomeDrive'); } else { - $data['shareDownloads'] = $data['shareMedia'] = $data['shareDocuments'] = 'selected="selected"'; + $data['shareDownloads_c'] = $data['shareMedia_c'] = $data['shareDocuments_c'] = $data['shareRemapCreate_c'] = 'checked="checked"'; + $data['shareRemapMode_1'] = 'selected="selected"'; $letter = 'H:'; } $data['drives'] = array(); diff --git a/modules-available/sysconfig/lang/de/template-tags.json b/modules-available/sysconfig/lang/de/template-tags.json index aa345468..b2d5dfd0 100644 --- a/modules-available/sysconfig/lang/de/template-tags.json +++ b/modules-available/sysconfig/lang/de/template-tags.json @@ -105,8 +105,10 @@ "lang_title": "Titel", "lang_to": "Zur", "lang_toSystemConfiguration": "Zur Systemkonfiguration", + "lang_tryingFingerprint": "Das Zertifikat des Servers kann nicht validiert werden. Wenn Sie fortfahren, wird in Zukunft der Fingerprint des Zertifikats f\u00fcr die Validierung genutzt. Wenn sich das Zertifikat \u00e4ndert, m\u00fcssen Sie diesen Wizard erneut durchf\u00fchren, um den Fingerprint zu aktualisieren. Wichtig: Wenn Sie einen Load-Balancer einsetzen, und die dahintergeschalteten Server unterschiedliche Zertifikate besitzen, k\u00f6nnen Sie dieses Verfahren nicht nutzen.", "lang_upload": "Hochladen", "lang_urlLoad": "Bild von URL laden", + "lang_userCertInvalid": "Das von Ihnen angegebene Zertifikat kann nicht zur Verifikation des Servers genutzt werden. Bitte geben Sie das passende Zertifikat an, oder lassen Sie das Feld leer, damit der Wizard versucht, das Zertifikat automatisch zu ermitteln.", "lang_userDirectory": "Benutzerverzeichnis", "lang_userDirectoryInfo1": "Optionale Angabe: Wenn die Clients f\u00fcr die Benutzer ein eigenes Verzeichnis (Homeverzeichnis, Benutzerverzeichnis) von einem Server einbinden sollen, geben Sie bitte hier das Format in UNC-Notation an, also z.B.", "lang_userDirectoryInfo2": "%s ist dabei ein Platzhalter f\u00fcr den Login-Namen des Benutzers.", diff --git a/modules-available/sysconfig/lang/en/template-tags.json b/modules-available/sysconfig/lang/en/template-tags.json index 088c1238..15516bf2 100644 --- a/modules-available/sysconfig/lang/en/template-tags.json +++ b/modules-available/sysconfig/lang/en/template-tags.json @@ -105,8 +105,10 @@ "lang_title": "Title", "lang_to": "To", "lang_toSystemConfiguration": "Go to system configuration", + "lang_tryingFingerprint": "Server does not seem to have a valid certificate. If you continue, its fingerprint will be used for verification. This means you have to re-run this wizard whenever the server's certificate changes. Also note that this method will not work if you're using a load balancer and the servers behind it have individual certificates.", "lang_upload": "Upload", "lang_urlLoad": "Load image from URL", + "lang_userCertInvalid": "The certificate you specified could not be used to verify the server. Please make sure you pass the appropriate certificate to this wizard, or leave the field blank to let the wizard try and determine the proper certificate.", "lang_userDirectory": "User Directory", "lang_userDirectoryInfo1": "Optional: If the clients should embed a separate directory (home directory, user directory) from a server for the user, please enter here the format in UNC notation, eg", "lang_userDirectoryInfo2": "%s is a placeholder for the user's login name.", diff --git a/modules-available/sysconfig/templates/ad_ldap-checkconnection.html b/modules-available/sysconfig/templates/ad_ldap-checkconnection.html index 2c2d31a4..0ee596ab 100644 --- a/modules-available/sysconfig/templates/ad_ldap-checkconnection.html +++ b/modules-available/sysconfig/templates/ad_ldap-checkconnection.html @@ -8,6 +8,8 @@ <div id="self-signed" style="display:none" class="alert alert-info">{{lang_selfSignedNote}}</div> <div id="no-valid-cert" style="display:none" class="alert alert-danger">{{lang_noValidCert}}</div> <div id="no-open-port" style="display:none" class="alert alert-danger">{{lang_noOpenPort}}</div> +<div id="supplied-cert-invalid" style="display:none" class="alert alert-danger">{{lang_userCertInvalid}}</div> +<div id="trying-fingerprint" style="display:none" class="alert alert-warning">{{lang_tryingFingerprint}}</div> <br> <div class="pull-left"> <form role="form" method="post" action="?do=SysConfig&action=addmodule&step={{prev}}"> @@ -52,7 +54,15 @@ <script type="text/javascript"> function isSelfSigned(code) { - return code == 18 || code == 19 || code == 20 || code == 21; + return code == 19; + } + function isIncomplete(code) + { + return code == 18 || code == 20 || code == 21; + } + function isValid(code) + { + return code == 0; } function portScan(task) { @@ -62,28 +72,44 @@ var ssl = $('#ssl').length > 0; var ports = task.data.ports; var verRes = -1; - var cert = ssl && $('#certificate').val().length > 10; + var userCert = ssl && $('#certificate').val().length > 10; + var openPort = false; for (var i = 0; i < ports.length; ++i) { if (!ports[i].open || !ports[i].port) continue; if ($.isNumeric($('#port').val()) && $('#port').val() < ports[i].port) continue; // Prefer the global LDAP ports over the specific AD ports + openPort = true; if (ssl) { if (verRes === -1) verRes = ports[i].verifyResult; if (typeof ports[i].certFingerprint !== 'string' || typeof ports[i].certificateChain !== 'string') continue; if (ports[i].certFingerprint.length < 10 || ports[i].certificateChain.length < 10) continue; - if (ports[i].verifyResult != 0 && (cert || !isSelfSigned(ports[i].verifyResult))) continue; + if (!isValid(ports[i].verifyResult) && userCert) continue; + if (!isValid(ports[i].verifyResult) && !isSelfSigned(ports[i].verifyResult) && !isIncomplete(ports[i].verifyResult)) continue; verRes = ports[i].verifyResult; $('#fingerprint').val(ports[i].certFingerprint); - if (!cert && verRes != 0) $('#certificate').val(ports[i].certificateChain); - else if (!cert && verRes == 0) $('#certificate').val('default'); + if (!userCert && isSelfSigned(verRes)) { + $('#certificate').val(ports[i].certificateChain); + } else if (!userCert && isValid(verRes)) { + $('#certificate').val('default'); + } else if (!userCert) { + $('#certificate').val(''); + } } $('#port').val(ports[i].port); } - if (ssl && verRes != 0 && (cert || !isSelfSigned(verRes))) { - $('#no-valid-cert').css('display', ''); - } else if ($('#port').val() > 0) { + if (openPort && ssl && !isValid(verRes)) { + if (userCert) { + $('#supplied-cert-invalid').show(); + } else if (isSelfSigned(verRes)) { + $('#self-signed').show(); + } else if (isIncomplete(verRes)) { + $('#trying-fingerprint').show(); + } else { + $('#no-valid-cert').show(); + } + } + if (openPort) { $('#nextbutton').show(); - if (ssl && isSelfSigned(verRes)) $('#self-signed').css('display', ''); - else $('#nextform').submit(); + if (!ssl || isValid(verRes)) $('#nextform').submit(); } else { $('#no-open-port').css('display', ''); } |