commit version 22.12.12447
@ -6,7 +6,7 @@
|
||||
*
|
||||
* @package observium
|
||||
* @subpackage authentication
|
||||
* @copyright (C) 2006-2013 Adam Armstrong, (C) 2013-2021 Observium Limited
|
||||
* @copyright (C) 2006-2013 Adam Armstrong, (C) 2013-2022 Observium Limited
|
||||
*
|
||||
*/
|
||||
|
||||
@ -67,7 +67,7 @@ function ldap_search_user($ldap_group, $userdn, $depth = -1) {
|
||||
|
||||
$ldap_search = ldap_search($ds, trim($config['auth_ldap_groupbase'], ', '), $filter, array($config['auth_ldap_attr']['dn']));
|
||||
//r($filter);
|
||||
if (is_resource($ldap_search)) {
|
||||
if (ldap_internal_is_valid($ldap_search)) {
|
||||
$ldap_results = ldap_get_entries($ds, $ldap_search);
|
||||
|
||||
//r($ldap_results);
|
||||
@ -101,30 +101,30 @@ function ldap_search_user($ldap_group, $userdn, $depth = -1) {
|
||||
* Initializes the LDAP connection to the specified server(s). Cycles through all servers, throws error when no server can be reached.
|
||||
* Private function for this LDAP module only.
|
||||
*/
|
||||
function ldap_init()
|
||||
{
|
||||
function ldap_init() {
|
||||
global $ds, $config;
|
||||
|
||||
if (!is_resource($ds))
|
||||
{
|
||||
if (!ldap_internal_is_valid($ds)) {
|
||||
print_debug('LDAP[Connecting to ' . implode(' ',$config['auth_ldap_server']) . ']');
|
||||
$ds = @ldap_connect(implode(' ',$config['auth_ldap_server']), $config['auth_ldap_port']);
|
||||
if ($config['auth_ldap_port'] === 636) {
|
||||
print_debug('LDAP[Port 636. Prepending ldaps:// to server URI]');
|
||||
$ds = @ldap_connect(implode(' ',preg_filter('/^(ldaps:\/\/)?/', 'ldaps://', $config['auth_ldap_server'])), $config['auth_ldap_port']);
|
||||
} else {
|
||||
$ds = @ldap_connect(implode(' ',$config['auth_ldap_server']), $config['auth_ldap_port']);
|
||||
}
|
||||
print_debug("LDAP[Connected]");
|
||||
|
||||
if ($config['auth_ldap_starttls'] &&
|
||||
(in_array($config['auth_ldap_starttls'], [ 'optional', 'require', '1', 1, TRUE ], TRUE)))
|
||||
{
|
||||
(in_array($config['auth_ldap_starttls'], [ 'optional', 'require', '1', 1, TRUE ], TRUE))) {
|
||||
$tls = ldap_start_tls($ds);
|
||||
if ($config['auth_ldap_starttls'] === 'require' && !$tls)
|
||||
{
|
||||
if ($config['auth_ldap_starttls'] === 'require' && !$tls) {
|
||||
session_logout();
|
||||
print_error("Fatal error: LDAP TLS required but not successfully negotiated [" . ldap_error($ds) . "]");
|
||||
exit;
|
||||
}
|
||||
}
|
||||
|
||||
if ($config['auth_ldap_referrals'])
|
||||
{
|
||||
if ($config['auth_ldap_referrals']) {
|
||||
ldap_set_option($ds, LDAP_OPT_REFERRALS, $config['auth_ldap_referrals']);
|
||||
print_debug("LDAP[Referrals][Set to " . $config['auth_ldap_referrals'] . "]");
|
||||
} else {
|
||||
@ -132,8 +132,7 @@ function ldap_init()
|
||||
print_debug("LDAP[Referrals][Disabled]");
|
||||
}
|
||||
|
||||
if ($config['auth_ldap_version'])
|
||||
{
|
||||
if ($config['auth_ldap_version']) {
|
||||
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $config['auth_ldap_version']);
|
||||
print_debug("LDAP[Version][Set to " . $config['auth_ldap_version'] . "]");
|
||||
}
|
||||
@ -385,11 +384,12 @@ function ldap_auth_user_id($username)
|
||||
$filter_params[] = ldap_filter_create('objectClass', $config['auth_ldap_objectclass']);
|
||||
$filter_params[] = ldap_filter_create($config['auth_ldap_attr']['uid'], $username);
|
||||
$filter = ldap_filter_combine($filter_params);
|
||||
|
||||
|
||||
print_debug("LDAP[Filter][$filter][" . trim($config['auth_ldap_suffix'], ', ') . "]");
|
||||
$search = ldap_search($ds, trim($config['auth_ldap_suffix'], ', '), $filter);
|
||||
$entries = is_resource($search) ? ldap_get_entries($ds, $search) : [];
|
||||
//print_vars($entries);
|
||||
//r($search);
|
||||
$entries = ldap_internal_is_valid($search) ? ldap_get_entries($ds, $search) : [];
|
||||
//r($entries);
|
||||
|
||||
if ($entries['count'])
|
||||
{
|
||||
@ -500,7 +500,7 @@ function ldap_auth_user_list($username = NULL) {
|
||||
//$group_filter .= '(memberof='.$group.')';
|
||||
$group_params[] = ldap_filter_create($config['auth_ldap_attr']['memberOf'], $group);
|
||||
}
|
||||
|
||||
|
||||
$filter_params[] = ldap_filter_combine($group_params, '|');
|
||||
|
||||
//$filter = '(&'.$filter.'(|'.$group_filter.'))';
|
||||
@ -566,7 +566,7 @@ function ldap_internal_user_entries($entries, &$userlist) {
|
||||
|
||||
$compare = ldap_search_user($ldap_group, $userdn);
|
||||
//print_warning("$username, $realname, ");
|
||||
//print_vars($compare);
|
||||
//r($compare);
|
||||
|
||||
if ($compare === -1) {
|
||||
print_debug("LDAP[UserList][Compare LDAP error: " . ldap_error($ds) . "]");
|
||||
@ -606,9 +606,9 @@ function ldap_internal_paged_entries($filter, $attributes)
|
||||
do {
|
||||
$search = ldap_search(
|
||||
$ds, trim($config['auth_ldap_suffix'], ', '), $filter, $attributes, 0, 0, 0, LDAP_DEREF_NEVER,
|
||||
[['oid' => LDAP_CONTROL_PAGEDRESULTS, 'value' => ['size' => $page_size, 'cookie' => $cookie]]]
|
||||
[['oid' => LDAP_CONTROL_PAGEDRESULTS, 'value' => [ 'size' => $page_size, 'cookie' => $cookie ]]]
|
||||
);
|
||||
if (is_resource($search)) {
|
||||
if (ldap_internal_is_valid($search)) {
|
||||
ldap_parse_result($ds, $search, $errcode, $matcheddn, $errmsg, $referrals, $controls);
|
||||
print_debug(ldap_error($ds));
|
||||
$entries = array_merge($entries, ldap_get_entries($ds, $search));
|
||||
@ -642,7 +642,7 @@ function ldap_internal_paged_entries($filter, $attributes)
|
||||
|
||||
$search = ldap_search($ds, trim($config['auth_ldap_suffix'], ', '), $filter, $attributes);
|
||||
print_debug(ldap_error($ds));
|
||||
if (is_resource($search)) {
|
||||
if (ldap_internal_is_valid($search)) {
|
||||
$entries = array_merge($entries, ldap_get_entries($ds, $search));
|
||||
//print_vars($filter);
|
||||
//print_vars($search);
|
||||
@ -665,7 +665,7 @@ function ldap_internal_paged_entries($filter, $attributes)
|
||||
$search = ldap_search($ds, trim($config['auth_ldap_suffix'], ', '), $filter, $attributes);
|
||||
print_debug(ldap_error($ds));
|
||||
|
||||
if (is_resource($search)) {
|
||||
if (ldap_internal_is_valid($search)) {
|
||||
$entries = ldap_get_entries($ds, $search);
|
||||
//print_vars($filter);
|
||||
//print_vars($search);
|
||||
@ -800,6 +800,9 @@ function ldap_bind_dn($username = "", $password = "")
|
||||
*/
|
||||
function ldap_internal_dn_from_username($username)
|
||||
{
|
||||
|
||||
//r(debug_backtrace());
|
||||
|
||||
global $config, $ds, $cache;
|
||||
|
||||
if (!isset($cache['ldap']['dn'][$username]))
|
||||
@ -813,7 +816,11 @@ function ldap_internal_dn_from_username($username)
|
||||
print_debug("LDAP[Filter][$filter][" . trim($config['auth_ldap_suffix'], ', ') . "]");
|
||||
|
||||
$search = ldap_search($ds, trim($config['auth_ldap_suffix'], ', '), $filter);
|
||||
if (is_resource($search)) {
|
||||
|
||||
//r($search);
|
||||
//r(ldap_get_entries($ds, $search));
|
||||
|
||||
if (ldap_internal_is_valid($search)) {
|
||||
$entries = ldap_get_entries($ds, $search);
|
||||
|
||||
if ($entries['count']) {
|
||||
@ -1110,6 +1117,16 @@ function ldap_unescape_filter_value($values = array())
|
||||
return $values;
|
||||
}
|
||||
|
||||
function ldap_internal_is_valid($obj) {
|
||||
if (PHP_VERSION_ID >= 80100) {
|
||||
// ldap_bind() returns an LDAP\Connection instance in 8.1; previously, a resource was returned
|
||||
// ldap_search() returns an LDAP\Result instance in 8.1; previously, a resource was returned.
|
||||
return is_object($obj);
|
||||
}
|
||||
|
||||
return is_resource($obj);
|
||||
}
|
||||
|
||||
/**
|
||||
* Converts all ASCII chars < 32 to "\HEX"
|
||||
*
|
||||
|
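Review bot: In the new port-636 branch of ldap_init the connection is already LDAPS, yet the StartTLS block below it still runs whenever `auth_ldap_starttls` is set; OpenLDAP reports an error for StartTLS on a connection that already has TLS in place, so with the `require` setting every login would land in the session_logout/print_error path. Guard StartTLS on the transport, e.g. `$ldaps = (int)$config['auth_ldap_port'] === 636;` for the branch test and `if (!$ldaps && $config['auth_ldap_starttls'] && (in_array(...)))` for the StartTLS condition. The `(int)` cast also matters for the new `=== 636` test itself: if the port reaches this code as a string the strict comparison is false and the ldaps:// prefix is silently skipped, leaving a cleartext connection unless StartTLS is configured — whether that can happen depends on how the config is loaded, which is not visible here. Both ldap_connect calls keep the `@` suppression, so the "LDAP[Connected]" debug line is printed even when nothing was set up; ldap_init's body continues past the end of this hunk.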
@ -1,5 +1,4 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* Observium
|
||||
*
|
||||
@ -7,7 +6,7 @@
|
||||
*
|
||||
* @package observium
|
||||
* @subpackage authentication
|
||||
* @copyright (C) 2006-2013 Adam Armstrong, (C) 2013-2019 Observium Limited
|
||||
* @copyright (C) 2006-2013 Adam Armstrong, (C) 2013-2022 Observium Limited
|
||||
*
|
||||
*/
|
||||
|
||||
@ -23,7 +22,7 @@ function mysql_authenticate($username, $password)
|
||||
{
|
||||
global $config;
|
||||
|
||||
$row = dbFetchRow("SELECT `username`, `password` FROM `users` WHERE `username` = ?", array($username));
|
||||
$row = dbFetchRow("SELECT `username`, `password` FROM `users` WHERE `username` = ? AND `type` = ?", [ $username, 'mysql' ]);
|
||||
if ($row['username'] && $row['username'] == $username)
|
||||
{
|
||||
if ($config['auth']['remote_user']) { return 1; }
|
||||
@ -78,12 +77,11 @@ function mysql_auth_can_change_password($username = "")
|
||||
{
|
||||
global $config;
|
||||
|
||||
if ((empty($username) || !mysql_auth_user_exists($username)) && !$config['auth']['remote_user'])
|
||||
{
|
||||
if ((empty($username) || !mysql_auth_user_exists($username)) && !$config['auth']['remote_user']) {
|
||||
return TRUE;
|
||||
} else {
|
||||
return dbFetchCell("SELECT `can_modify_passwd` FROM `users` WHERE `username` = ?", array($username)); // FIXME should return BOOL
|
||||
}
|
||||
|
||||
return dbFetchCell("SELECT `can_modify_passwd` FROM `users` WHERE `username` = ? AND `type` = ?", [ $username, 'mysql' ]); // FIXME should return BOOL
|
||||
}
|
||||
|
||||
/**
|
||||
@ -99,7 +97,7 @@ function mysql_auth_change_password($username,$password)
|
||||
|
||||
// $hash = crypt($password, '$1$' . strgen(8).'$'); // This is old hash, do not used anymore (keep for history)
|
||||
$hash = password_hash($password, PASSWORD_DEFAULT);
|
||||
return dbUpdate(array('password' => $hash), 'users', '`username` = ?', array($username)); // FIXME should return BOOL
|
||||
return dbUpdate([ 'password' => $hash ], 'users', '`username` = ? AND `type` = ?', [ $username, 'mysql' ]); // FIXME should return BOOL
|
||||
}
|
||||
|
||||
/**
|
||||
@ -124,16 +122,22 @@ function mysql_auth_usermanagement()
|
||||
* @param string $description User's description
|
||||
* @return bool TRUE if user addition is successful, FALSE if it is not
|
||||
*/
|
||||
function mysql_adduser($username, $password, $level, $email = "", $realname = "", $can_modify_passwd='1', $description = "")
|
||||
function mysql_adduser($username, $password, $level, $email = "", $realname = "", $can_modify_passwd = '1', $description = "")
|
||||
{
|
||||
if (!mysql_auth_user_exists($username))
|
||||
{
|
||||
// $hash = crypt($password, '$1$' . strgen(8).'$'); // This is old hash, do not used anymore (keep for history)
|
||||
$hash = password_hash($password, PASSWORD_DEFAULT);
|
||||
return dbInsert(array('username' => $username, 'password' => $hash, 'level' => $level, 'email' => $email, 'realname' => $realname, 'can_modify_passwd' => $can_modify_passwd, 'descr' => $description), 'users');
|
||||
} else {
|
||||
return FALSE;
|
||||
return dbInsert([ 'username' => $username,
|
||||
'password' => $hash,
|
||||
'level' => $level,
|
||||
'email' => $email,
|
||||
'realname' => $realname,
|
||||
'can_modify_passwd' => $can_modify_passwd,
|
||||
'descr' => $description ], 'users');
|
||||
}
|
||||
|
||||
return FALSE;
|
||||
}
|
||||
|
||||
/**
|
||||
@ -145,7 +149,7 @@ function mysql_adduser($username, $password, $level, $email = "", $realname = ""
|
||||
function mysql_auth_user_exists($username)
|
||||
{
|
||||
//return @dbFetchCell("SELECT COUNT(*) FROM `users` WHERE `username` = ?", array($username)); // FIXME should return BOOL
|
||||
return dbExist('users', '`username` = ?', array($username));
|
||||
return dbExist('users', '`username` = ? AND `type` = ?', [ $username, 'mysql' ]);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -156,7 +160,7 @@ function mysql_auth_user_exists($username)
|
||||
*/
|
||||
function mysql_auth_username_by_id($user_id)
|
||||
{
|
||||
return dbFetchCell("SELECT `username` FROM `users` WHERE `user_id` = ?", array($user_id)); // FIXME should return FALSE if not found
|
||||
return dbFetchCell("SELECT `username` FROM `users` WHERE `user_id` = ? AND `type` = ?", [ $user_id, 'mysql' ]); // FIXME should return FALSE if not found
|
||||
}
|
||||
|
||||
/**
|
||||
@ -167,7 +171,7 @@ function mysql_auth_username_by_id($user_id)
|
||||
*/
|
||||
function mysql_auth_user_level($username)
|
||||
{
|
||||
return dbFetchCell("SELECT `level` FROM `users` WHERE `username` = ?", array($username));
|
||||
return dbFetchCell("SELECT `level` FROM `users` WHERE `username` = ? AND `type` = ?", [ $username, 'mysql' ]);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -178,7 +182,7 @@ function mysql_auth_user_level($username)
|
||||
*/
|
||||
function mysql_auth_user_id($username)
|
||||
{
|
||||
return dbFetchCell("SELECT `user_id` FROM `users` WHERE `username` = ?", array($username));
|
||||
return dbFetchCell("SELECT `user_id` FROM `users` WHERE `username` = ? AND `type` = ?", [ $username, 'mysql' ]);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -196,7 +200,7 @@ function mysql_deluser($username)
|
||||
dbDelete('users_prefs', "`user_id` = ?", array($user_id));
|
||||
dbDelete('users_ckeys', "`username` = ?", array($username));
|
||||
|
||||
return dbDelete('users', "`username` = ?", array($username)); // FIXME should return BOOL
|
||||
return dbDelete('users', "`username` = ? AND `type` = ?", [ $username, 'mysql' ]); // FIXME should return BOOL
|
||||
}
|
||||
|
||||
/**
|
||||
@ -206,7 +210,7 @@ function mysql_deluser($username)
|
||||
*/
|
||||
function mysql_auth_user_list()
|
||||
{
|
||||
return dbFetchRows("SELECT * FROM `users`"); // FIXME hardcode list of returned fields as in all other backends; array content should not depend on db changes/column names.
|
||||
return dbFetchRows("SELECT * FROM `users` WHERE `type` = ?", [ 'mysql' ]); // FIXME hardcode list of returned fields as in all other backends; array content should not depend on db changes/column names.
|
||||
}
|
||||
|
||||
/**
|
||||
@ -217,7 +221,7 @@ function mysql_auth_user_list()
|
||||
*/
|
||||
function mysql_auth_user_info($username)
|
||||
{
|
||||
return dbFetchRow("SELECT * FROM `users` WHERE `username` = ?", array($username));
|
||||
return dbFetchRow("SELECT * FROM `users` WHERE `username` = ? AND `type` = ?", [ $username, 'mysql' ]);
|
||||
}
|
||||
|
||||
// EOF
|
||||
|
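Review bot: mysql_adduser's new dbInsert still writes no `type` column, while every other function in this file now filters on `type = 'mysql'` (mysql_authenticate, mysql_auth_user_exists, mysql_auth_user_info, mysql_auth_user_list, …); unless the schema defaults `type` to 'mysql', which is not visible here, an account created through this path is invisible to those lookups, cannot log in, and the exists-check before the insert would let the same username be inserted again. Set the column explicitly: `'descr' => $description, 'type' => 'mysql' ], 'users');`. Note also that the type-scoped mysql_auth_user_exists no longer detects a username already held by another backend, so such a collision is now caught only by whatever uniqueness constraint the `users` table carries.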
@ -1,5 +1,4 @@
|
||||
<?php
|
||||
|
||||
/**
|
||||
* Observium
|
||||
*
|
||||
@ -7,7 +6,7 @@
|
||||
*
|
||||
* @package observium
|
||||
* @subpackage authentication
|
||||
* @copyright (C) 2006-2013 Adam Armstrong, (C) 2013-2019 Observium Limited
|
||||
* @copyright (C) 2006-2013 Adam Armstrong, (C) 2013-2022 Observium Limited
|
||||
*
|
||||
*/
|
||||
|
||||
@ -219,14 +218,14 @@ function radius_adduser($username, $password, $level, $email = "", $realname = "
|
||||
|
||||
/**
|
||||
* Check if a user, specified by username, exists in the user backend.
|
||||
* This is not currently possible using the RADIUS backend.
|
||||
* This will only return users that have logged in at least once and inserted into MySQL
|
||||
*
|
||||
* @param string $username Username to check
|
||||
* @return bool TRUE if the user exists, FALSE if they do not
|
||||
*/
|
||||
function radius_auth_user_exists($username)
|
||||
{
|
||||
return FALSE;
|
||||
return dbExist('users', '`username` = ? AND `type` = ?', [ $username, 'radius' ]);
|
||||
}
|
||||
|
||||
/**
|
||||
@ -246,7 +245,7 @@ function radius_auth_user_level($username)
|
||||
|
||||
if (!isset($cache['radius']['level'][$username]))
|
||||
{
|
||||
if ($config['auth_radius_groupmemberattr'] == 18 || strtolower($config['auth_radius_groupmemberattr']) == 'reply-message')
|
||||
if ($config['auth_radius_groupmemberattr'] == 18 || strtolower($config['auth_radius_groupmemberattr']) === 'reply-message')
|
||||
{
|
||||
// Reply-Message (18)
|
||||
$attribute = RADIUS_REPLY_MESSAGE;
|
||||
@ -285,7 +284,18 @@ function radius_auth_user_level($username)
|
||||
$rad_userlevel = 10;
|
||||
}
|
||||
}
|
||||
//r($rad_userlevel);
|
||||
|
||||
// If we don't already have an entry for this RADIUS user in the MySQL database, create one
|
||||
if (!radius_auth_user_exists($username)){
|
||||
$user_id = radius_auth_user_id($username);
|
||||
create_mysql_user($username, $user_id, $rad_userlevel, 'radius');
|
||||
} else {
|
||||
// Update the user's level in MySQL if it doesn't match. This is really informational only.
|
||||
if (dbFetchCell("SELECT `level` FROM `users` WHERE `username` = ? AND `type` = ?", [ $username, 'radius' ]) != $rad_userlevel) {
|
||||
$user_id = radius_auth_user_id($username);
|
||||
dbUpdate([ 'level' => $rad_userlevel, 'user_id' => $user_id ], 'users', '`username` = ? AND `type` = ?', [ $username, 'radius' ]);
|
||||
}
|
||||
}
|
||||
|
||||
return $rad_userlevel;
|
||||
}
|
||||
@ -324,8 +334,8 @@ function radius_deluser($username)
|
||||
*/
|
||||
function radius_auth_user_list()
|
||||
{
|
||||
$userlist = array();
|
||||
return $userlist;
|
||||
// Send list of users from MySQL
|
||||
return dbFetchRows("SELECT * FROM `users` WHERE `type` = ?", [ 'radius' ]);
|
||||
}
|
||||
|
||||
// EOF
|
||||
|
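Review bot: The new else-branch in radius_auth_user_level rewrites `user_id` on an existing row (`dbUpdate([ 'level' => $rad_userlevel, 'user_id' => $user_id ], ...)`) every time the stored level differs; radius_auth_user_id is not visible here, but if it derives the id rather than reading it back from the row, a level change would also change the key that users_prefs is tied to (mysql_deluser in the previous file deletes users_prefs by user_id). Restrict the update to the column being synchronised: `dbUpdate([ 'level' => $rad_userlevel ], 'users', '`username` = ? AND `type` = ?', [ $username, 'radius' ]);`. The `!=` against the `dbFetchCell(...)` result is what makes the comparison work when the cell comes back as a string and $rad_userlevel is an int; a short comment such as `// loose compare: DB returns the level as a string` would stop someone tightening it to `!==` later. radius_auth_user_level starts before this hunk.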