authorjim-p <jimp@pfsense.org>2013-07-17 10:13:08 -0400
committerjim-p <jimp@pfsense.org>2013-07-17 10:15:21 -0400
commit298020b2b6efa75c863bafef9a078c285a2b9ed6 (patch)
tree0928d0aba3581f77c7f42e6bcadbdc7d2b7c4c2e
parentf8b00778586e22385bb5311f95cdb75de2f5f88e (diff)
downloadpfsense-298020b2b6efa75c863bafef9a078c285a2b9ed6.zip
pfsense-298020b2b6efa75c863bafef9a078c285a2b9ed6.tar.gz
Add LDAP server options to control UTF8-encoding of parameters. Fixes #2227. While I'm here, add a checkbox to prevent the stripping of @ from the LDAP username if the user wants the full name transmitted.
-rw-r--r--etc/inc/auth.inc24
-rw-r--r--usr/local/www/system_authservers.php41
2 files changed, 60 insertions, 5 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 059307f..67fd8b1 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -765,6 +765,8 @@ function ldap_test_bind($authcfg) {
ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
+ $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
+ $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
if ($ldapanon == true) {
if (!($res = @ldap_bind($ldap))) {
@ldap_close($ldap);
@@ -836,6 +838,8 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) {
ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
+ $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
+ $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
if ($ldapanon == true) {
if (!($res = @ldap_bind($ldap))) {
log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not bind anonymously to server %s."), $ldapname));
@@ -885,7 +889,7 @@ function ldap_get_groups($username, $authcfg) {
if(!$username)
return false;
- if(stristr($username, "@")) {
+ if(!isset($authcfg['ldap_nostrip_at']) && stristr($username, "@")) {
$username_split = explode("@", $username);
$username = $username_split[0];
}
@@ -948,6 +952,8 @@ function ldap_get_groups($username, $authcfg) {
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
/* bind as user that has rights to read group attributes */
+ $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
+ $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
if ($ldapanon == true) {
if (!($res = @ldap_bind($ldap))) {
log_error(sprintf(gettext("ERROR! ldap_get_groups() could not bind anonymously to server %s."), $ldapname));
@@ -1007,7 +1013,7 @@ function ldap_backed($username, $passwd, $authcfg) {
if(!function_exists("ldap_connect"))
return;
- if(stristr($username, "@")) {
+ if(!isset($authcfg['ldap_nostrip_at']) && stristr($username, "@")) {
$username_split = explode("@", $username);
$username = $username_split[0];
}
@@ -1083,6 +1089,8 @@ function ldap_backed($username, $passwd, $authcfg) {
/* ok, its up. now, lets bind as the bind user so we can search it */
$error = false;
+ $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
+ $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
if ($ldapanon == true) {
if (!($res = @ldap_bind($ldap)))
$error = true;
@@ -1112,9 +1120,12 @@ function ldap_backed($username, $passwd, $authcfg) {
log_auth(sprintf(gettext("Now Searching for %s in directory."), $username));
/* Iterate through the user containers for search */
foreach ($ldac_splits as $i => $ldac_split) {
+ $ldac_split = isset($authcfg['ldap_utf8']) ? utf8_encode($ldac_split) : $ldac_split;
+ $ldapfilter = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapfilter) : $ldapfilter;
+ $ldapsearchbasedn = isset($authcfg['ldap_utf8']) ? utf8_encode("{$ldac_split},{$ldapbasedn}") : "{$ldac_split},{$ldapbasedn}";
/* Make sure we just use the first user we find */
if ($debug)
- log_auth(sprintf(gettext('Now Searching in server %1$s, container %2$s with filter %3$s.'), $ldapname, $ldac_split, $ldapfilter));
+ log_auth(sprintf(gettext('Now Searching in server %1$s, container %2$s with filter %3$s.'), $ldapname, utf8_decode($ldac_split), utf8_decode($ldapfilter)));
if ($ldapscope == "one")
$ldapfunc = "ldap_list";
else
@@ -1123,7 +1134,7 @@ function ldap_backed($username, $passwd, $authcfg) {
if (stristr($ldac_split, "DC=") || empty($ldapbasedn))
$search = @$ldapfunc($ldap,$ldac_split,$ldapfilter);
else
- $search = @$ldapfunc($ldap,"{$ldac_split},{$ldapbasedn}",$ldapfilter);
+ $search = @$ldapfunc($ldap,$ldapsearchbasedn,$ldapfilter);
if (!$search) {
log_error(sprintf(gettext("Search resulted in error: %s"), ldap_error($ldap)));
continue;
@@ -1146,14 +1157,17 @@ function ldap_backed($username, $passwd, $authcfg) {
}
/* Now lets bind as the user we found */
+ $passwd = isset($authcfg['ldap_utf8']) ? utf8_encode($passwd) : $passwd;
if (!($res = @ldap_bind($ldap, $userdn, $passwd))) {
log_error(sprintf(gettext('ERROR! Could not login to server %1$s as user %2$s: %3$s'), $ldapname, $username, ldap_error($ldap)));
@ldap_unbind($ldap);
return false;
}
- if ($debug)
+ if ($debug) {
+ $userdn = isset($authcfg['ldap_utf8']) ? utf8_decode($userdn) : $userdn;
log_auth(sprintf(gettext('Logged in successfully as %1$s via LDAP server %2$s with DN = %3$s.'), $username, $ldapname, $userdn));
+ }
/* At this point we are bound to LDAP so the user was auth'd okay. Close connection. */
@ldap_unbind($ldap);
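Review bot: In the `foreach ($ldac_splits ...)` hunk (@@ -1112), `$ldapfilter` is loop-invariant but is passed through `utf8_encode()` on every iteration, so with two or more user containers and a filter containing non-ASCII bytes (the exact case this option exists for) the second and later searches run against a double-encoded filter and silently fail to match; hoist that line above the loop, e.g. `$ldapfilter = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapfilter) : $ldapfilter;` placed before `foreach`. The debug `log_auth` in the same hunk calls `utf8_decode()` on `$ldac_split` and `$ldapfilter` unconditionally, so when `ldap_utf8` is not set a filter that already contains UTF-8 bytes is mangled in the log; guard it with the same `isset($authcfg['ldap_utf8'])` test or log the pre-encoding values. Note also that `utf8_encode()` assumes ISO-8859-1 input, so if the stored bind DN, password or container strings are already UTF-8 they will be double-encoded and the bind will fail — presumably the config is Latin-1 here, but that is worth a one-line comment next to the first `utf8_encode` call in each function. The enclosing function `ldap_backed` starts and ends outside the hunk.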
diff --git a/usr/local/www/system_authservers.php b/usr/local/www/system_authservers.php
index 9ed49a9..2984d8c 100644
--- a/usr/local/www/system_authservers.php
+++ b/usr/local/www/system_authservers.php
@@ -107,6 +107,8 @@ if ($act == "edit") {
$pconfig['ldap_attr_user'] = $a_server[$id]['ldap_attr_user'];
$pconfig['ldap_attr_group'] = $a_server[$id]['ldap_attr_group'];
$pconfig['ldap_attr_member'] = $a_server[$id]['ldap_attr_member'];
+ $pconfig['ldap_utf8'] = isset($a_server[$id]['ldap_utf8']);
+ $pconfig['ldap_nostrip_at'] = isset($a_server[$id]['ldap_nostrip_at']);
if (!$pconfig['ldap_binddn'] || !$pconfig['ldap_bindpw'])
$pconfig['ldap_anon'] = true;
@@ -247,6 +249,15 @@ if ($_POST) {
$server['ldap_attr_user'] = $pconfig['ldap_attr_user'];
$server['ldap_attr_group'] = $pconfig['ldap_attr_group'];
$server['ldap_attr_member'] = $pconfig['ldap_attr_member'];
+ if ($pconfig['ldap_utf8'] == "yes")
+ $server['ldap_utf8'] = true;
+ else
+ unset($server['ldap_utf8']);
+ if ($pconfig['ldap_nostrip_at'] == "yes")
+ $server['ldap_nostrip_at'] = true;
+ else
+ unset($server['ldap_nostrip_at']);
+
if (!$pconfig['ldap_anon']) {
$server['ldap_binddn'] = $pconfig['ldap_binddn'];
@@ -680,6 +691,36 @@ function select_clicked() {
<input name="ldap_attr_member" type="text" class="formfld unknown" id="ldap_attr_member" size="20" value="<?=htmlspecialchars($pconfig['ldap_attr_member']);?>"/>
</td>
</tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("UTF8 Encode");?></td>
+ <td width="78%" class="vtable">
+ <table border="0" cellspacing="0" cellpadding="2" summary="utf8 encoding">
+ <tr>
+ <td>
+ <input name="ldap_utf8" type="checkbox" id="ldap_utf8" value="yes" <?php if ($pconfig['ldap_utf8']) echo "checked=\"checked\""; ?> />
+ </td>
+ <td>
+ <?=gettext("UTF8 encode LDAP parameters before sending them to the server. Required to support international characters, but may not be supported by every LDAP server.");?>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Username Alterations");?></td>
+ <td width="78%" class="vtable">
+ <table border="0" cellspacing="0" cellpadding="2" summary="username alterations">
+ <tr>
+ <td>
+ <input name="ldap_nostrip_at" type="checkbox" id="ldap_nostrip_at" value="yes" <?php if ($pconfig['ldap_nostrip_at']) echo "checked=\"checked\""; ?> />
+ </td>
+ <td>
+ <?=gettext("Do not strip away parts of the username after the @ symbol, e.g. user@host becomes user when unchecked.");?>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
</table>
<table width="100%" border="0" cellpadding="6" cellspacing="0" id="radius" style="display:none" summary="">