-rw-r--r-- | etc/inc/auth.inc | 24 | ||||
-rw-r--r-- | usr/local/www/system_authservers.php | 41 |
2 files changed, 60 insertions, 5 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc
index 059307f..67fd8b1 100644
--- a/etc/inc/auth.inc
+++ b/etc/inc/auth.inc
@@ -765,6 +765,8 @@ function ldap_test_bind($authcfg) {
 ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
 ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
+ $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
+ $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
 if ($ldapanon == true) {
 if (!($res = @ldap_bind($ldap))) {
 @ldap_close($ldap);
@@ -836,6 +838,8 @@ function ldap_get_user_ous($show_complete_ou=true, $authcfg) {
 ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
 ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
+ $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
+ $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
 if ($ldapanon == true) {
 if (!($res = @ldap_bind($ldap))) {
 log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not bind anonymously to server %s."), $ldapname));
@@ -885,7 +889,7 @@ function ldap_get_groups($username, $authcfg) {
 if(!$username) return false;
- if(stristr($username, "@")) {
+ if(!isset($authcfg['ldap_nostrip_at']) && stristr($username, "@")) {
 $username_split = explode("@", $username);
 $username = $username_split[0];
 }
@@ -948,6 +952,8 @@ function ldap_get_groups($username, $authcfg) {
 ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
 /* bind as user that has rights to read group attributes */
+ $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
+ $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
 if ($ldapanon == true) {
 if (!($res = @ldap_bind($ldap))) {
 log_error(sprintf(gettext("ERROR! ldap_get_groups() could not bind anonymously to server %s."), $ldapname));
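Review bot: The two-line `isset($authcfg['ldap_utf8']) ? utf8_encode(...) : ...` guard for the bind DN and bind password is pasted verbatim into ldap_test_bind, ldap_get_user_ous and ldap_get_groups here, and again into ldap_backed in the following hunks; a small helper such as `function ldap_utf8_encode_if($authcfg, $value) { return isset($authcfg['ldap_utf8']) ? utf8_encode($value) : $value; }` would keep the copies from drifting and give one place to document what the option means. That documentation is needed: `utf8_encode()` converts ISO-8859-1 to UTF-8, so the transformation is only correct if the stored bind credentials are Latin-1, and if they are already UTF-8 (not visible from these hunks) every non-ASCII byte is double-encoded and the bind fails. A comment of the form `/* ldap_utf8: config values are assumed to be ISO-8859-1 and are converted to UTF-8 before they reach the server */` next to the helper would make the assumption explicit. Each of the affected functions starts and ends outside its hunk.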
@@ -1007,7 +1013,7 @@ function ldap_backed($username, $passwd, $authcfg) {
 if(!function_exists("ldap_connect")) return;
- if(stristr($username, "@")) {
+ if(!isset($authcfg['ldap_nostrip_at']) && stristr($username, "@")) {
 $username_split = explode("@", $username);
 $username = $username_split[0];
 }
@@ -1083,6 +1089,8 @@ function ldap_backed($username, $passwd, $authcfg) {
 /* ok, its up. now, lets bind as the bind user so we can search it */
 $error = false;
+ $ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
+ $ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
 if ($ldapanon == true) {
 if (!($res = @ldap_bind($ldap))) $error = true;
@@ -1112,9 +1120,12 @@ function ldap_backed($username, $passwd, $authcfg) {
 log_auth(sprintf(gettext("Now Searching for %s in directory."), $username));
 /* Iterate through the user containers for search */
 foreach ($ldac_splits as $i => $ldac_split) {
+ $ldac_split = isset($authcfg['ldap_utf8']) ? utf8_encode($ldac_split) : $ldac_split;
+ $ldapfilter = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapfilter) : $ldapfilter;
+ $ldapsearchbasedn = isset($authcfg['ldap_utf8']) ? utf8_encode("{$ldac_split},{$ldapbasedn}") : "{$ldac_split},{$ldapbasedn}";
 /* Make sure we just use the first user we find */
 if ($debug)
- log_auth(sprintf(gettext('Now Searching in server %1$s, container %2$s with filter %3$s.'), $ldapname, $ldac_split, $ldapfilter));
+ log_auth(sprintf(gettext('Now Searching in server %1$s, container %2$s with filter %3$s.'), $ldapname, utf8_decode($ldac_split), utf8_decode($ldapfilter)));
 if ($ldapscope == "one") $ldapfunc = "ldap_list";
 else
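Review bot: In the foreach at hunk @@ -1112 `$ldapfilter` is overwritten with `utf8_encode($ldapfilter)` on every iteration, so with two or more user containers the filter sent from the second search onward is double-encoded (utf8_encode applied to bytes that are already UTF-8), and a username containing non-ASCII characters will fail to match in any container but the first. Only `$ldac_split` is reset by the loop; `$ldapfilter` is function-wide. Encode into a separate variable instead, `$ldapsearchfilter = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapfilter) : $ldapfilter;`, and pass `$ldapsearchfilter` to the two `$ldapfunc` calls in the next hunk; the debug log can then print `$ldapfilter` as before rather than `utf8_decode($ldapfilter)`, which is currently applied even when `ldap_utf8` is off and would mangle a filter that was never encoded. The ldap_backed body continues outside this hunk.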
@@ -1123,7 +1134,7 @@ function ldap_backed($username, $passwd, $authcfg) {
 if (stristr($ldac_split, "DC=") || empty($ldapbasedn)) $search = @$ldapfunc($ldap,$ldac_split,$ldapfilter);
 else
- $search = @$ldapfunc($ldap,"{$ldac_split},{$ldapbasedn}",$ldapfilter);
+ $search = @$ldapfunc($ldap,$ldapsearchbasedn,$ldapfilter);
 if (!$search) {
 log_error(sprintf(gettext("Search resulted in error: %s"), ldap_error($ldap)));
 continue;
@@ -1146,14 +1157,17 @@ function ldap_backed($username, $passwd, $authcfg) {
 }
 /* Now lets bind as the user we found */
+ $passwd = isset($authcfg['ldap_utf8']) ? utf8_encode($passwd) : $passwd;
 if (!($res = @ldap_bind($ldap, $userdn, $passwd))) {
 log_error(sprintf(gettext('ERROR! Could not login to server %1$s as user %2$s: %3$s'), $ldapname, $username, ldap_error($ldap)));
 @ldap_unbind($ldap);
 return false;
 }
- if ($debug)
+ if ($debug) {
+ $userdn = isset($authcfg['ldap_utf8']) ? utf8_decode($userdn) : $userdn;
 log_auth(sprintf(gettext('Logged in successfully as %1$s via LDAP server %2$s with DN = %3$s.'), $username, $ldapname, $userdn));
+ }
 /* At this point we are bound to LDAP so the user was auth'd okay. Close connection. */
 @ldap_unbind($ldap);
diff --git a/usr/local/www/system_authservers.php b/usr/local/www/system_authservers.php
index 9ed49a9..2984d8c 100644
--- a/usr/local/www/system_authservers.php
+++ b/usr/local/www/system_authservers.php
@@ -107,6 +107,8 @@ if ($act == "edit") {
 $pconfig['ldap_attr_user'] = $a_server[$id]['ldap_attr_user'];
 $pconfig['ldap_attr_group'] = $a_server[$id]['ldap_attr_group'];
 $pconfig['ldap_attr_member'] = $a_server[$id]['ldap_attr_member'];
+ $pconfig['ldap_utf8'] = isset($a_server[$id]['ldap_utf8']);
+ $pconfig['ldap_nostrip_at'] = isset($a_server[$id]['ldap_nostrip_at']);
 if (!$pconfig['ldap_binddn'] || !$pconfig['ldap_bindpw']) $pconfig['ldap_anon'] = true;
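Review bot: The new line `$passwd = isset($authcfg['ldap_utf8']) ? utf8_encode($passwd) : $passwd;` at hunk @@ -1146 converts the submitted password from ISO-8859-1 to UTF-8 whenever the option is on, regardless of what encoding the login form actually posted; if the request is already UTF-8 (not visible here), a non-ASCII password is double-encoded and the user bind fails even though the credential is correct, which would surface as a hard-to-diagnose login failure only for such users. A cheap guard is to re-encode only when the bytes do not already validate as UTF-8, `if (isset($authcfg['ldap_utf8']) && !mb_check_encoding($passwd, 'UTF-8')) $passwd = utf8_encode($passwd);` (mbstring availability permitting), and the bind-DN/bind-password lines in the earlier hunks would benefit from the same guard. The rest of ldap_backed lies outside the hunk.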
@@ -247,6 +249,15 @@ if ($_POST) {
 $server['ldap_attr_user'] = $pconfig['ldap_attr_user'];
 $server['ldap_attr_group'] = $pconfig['ldap_attr_group'];
 $server['ldap_attr_member'] = $pconfig['ldap_attr_member'];
+ if ($pconfig['ldap_utf8'] == "yes")
+ $server['ldap_utf8'] = true;
+ else
+ unset($server['ldap_utf8']);
+ if ($pconfig['ldap_nostrip_at'] == "yes")
+ $server['ldap_nostrip_at'] = true;
+ else
+ unset($server['ldap_nostrip_at']);
+
 if (!$pconfig['ldap_anon']) {
 $server['ldap_binddn'] = $pconfig['ldap_binddn'];
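Review bot: The new checkbox handling reads `$pconfig['ldap_utf8']` and `$pconfig['ldap_nostrip_at']` without checking that the keys exist and compares with `==`; an unchecked box is omitted from the POST entirely, so (assuming `$pconfig` is filled from `$_POST` in the part of the `if ($_POST)` block outside the hunk) each unchecked option produces an undefined-index notice before falling into the `else`. `if (isset($pconfig['ldap_utf8']) && $pconfig['ldap_utf8'] === "yes")`, and the same for `ldap_nostrip_at`, avoids both the notice and the loose comparison. The `unset($server[...])` branches are the right way to make the option absent from the saved config, since auth.inc tests it with `isset()`; a short comment saying so, `/* absent key == off; auth.inc checks with isset() */`, would stop a later change from storing false instead.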
@@ -680,6 +691,36 @@ function select_clicked() {
 <input name="ldap_attr_member" type="text" class="formfld unknown" id="ldap_attr_member" size="20" value="<?=htmlspecialchars($pconfig['ldap_attr_member']);?>"/>
 </td>
 </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("UTF8 Encode");?></td>
+ <td width="78%" class="vtable">
+ <table border="0" cellspacing="0" cellpadding="2" summary="utf8 encoding">
+ <tr>
+ <td>
+ <input name="ldap_utf8" type="checkbox" id="ldap_utf8" value="yes" <?php if ($pconfig['ldap_utf8']) echo "checked=\"checked\""; ?> />
+ </td>
+ <td>
+ <?=gettext("UTF8 encode LDAP parameters before sending them to the server. Required to support international characters, but may not be supported by every LDAP server.");?>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
+ <tr>
+ <td width="22%" valign="top" class="vncell"><?=gettext("Username Alterations");?></td>
+ <td width="78%" class="vtable">
+ <table border="0" cellspacing="0" cellpadding="2" summary="username alterations">
+ <tr>
+ <td>
+ <input name="ldap_nostrip_at" type="checkbox" id="ldap_nostrip_at" value="yes" <?php if ($pconfig['ldap_nostrip_at']) echo "checked=\"checked\""; ?> />
+ </td>
+ <td>
+ <?=gettext("Do not strip away parts of the username after the @ symbol, e.g. user@host becomes user when unchecked.");?>
+ </td>
+ </tr>
+ </table>
+ </td>
+ </tr>
 </table>
 <table width="100%" border="0" cellpadding="6" cellspacing="0" id="radius" style="display:none" summary="">
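Review bot: Both new checkboxes test `$pconfig['ldap_utf8']` and `$pconfig['ldap_nostrip_at']` directly, but those keys are only populated by the edit branch in the @@ -107 hunk, so rendering the form for a new server likely emits an undefined-index notice for each (how `$pconfig` is initialised on the add path is outside the hunk). `<?php if (!empty($pconfig['ldap_utf8'])) echo "checked=\"checked\""; ?>`, and the same for `ldap_nostrip_at`, is the safer form and behaves identically when the key is present. The "UTF8 Encode" help text could also tell the administrator what is affected, since the auth.inc hunks encode the bind DN, bind password, search containers, filter and the user's own password; something like "Applies to the bind credentials, search base, filter and the user password; stored values are assumed to be ISO-8859-1." would save a support round-trip when a non-ASCII password stops working.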