From 6306b5ddc70ce5bbcf9c9c9769755340e0117de4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ermal=20Lu=E7i?= Date: Wed, 3 Mar 2010 16:16:39 +0000 Subject: Overhaul the user login system to use the Servers tab as its base. Fix quite a few problems down the way. --- usr/local/www/system_authservers.php | 78 +++--- usr/local/www/system_usermanager_settings.php | 283 ++++----------------- .../system_usermanager_settings_ldapacpicker.php | 63 +++-- usr/local/www/system_usermanager_settings_test.php | 80 +++--- usr/local/www/vpn_openvpn_server.php | 8 +- 5 files changed, 180 insertions(+), 332 deletions(-) (limited to 'usr/local') diff --git a/usr/local/www/system_authservers.php b/usr/local/www/system_authservers.php index 428a442..6dbe2b2 100644 --- a/usr/local/www/system_authservers.php +++ b/usr/local/www/system_authservers.php @@ -50,7 +50,9 @@ if (isset($_POST['id'])) if (!is_array($config['system']['authserver'])) $config['system']['authserver'] = array(); -$a_server =& $config['system']['authserver']; +$a_servers = auth_get_authserver_list(); +foreach ($a_servers as $servers) + $a_server[] = $servers; $act = $_GET['act']; if ($_POST['act']) @@ -181,7 +183,7 @@ if ($_POST) { if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['host'])) $input_errors[] = gettext("The host name contains invalid characters."); - if (auth_get_authserver($pconfig['name'])) + if (auth_get_authserver($pconfig['name']) && !isset($id)) $input_errors[] = "A authentication server with the same name already exists."; /* if this is an AJAX caller then handle via JSON */ @@ -244,10 +246,10 @@ if ($_POST) { } } - if (isset($id) && $a_server[$id]) - $a_server[$id] = $server; + if (isset($id) && $config['system']['authserver'][$id]) + $config['system']['authserver'][$id] = $server; else - $a_server[] = $server; + $config['system']['authserver'][] = $server; write_config(); @@ -263,14 +265,15 @@ include("head.inc"); Containers:   - +
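Review bot: The duplicate-name check in the `@@ -181,7 +183,7 @@` hunk of system_authservers.php is now skipped entirely whenever `$id` is set, so editing one server and giving it the name of a different existing server passes validation and leaves two entries that `auth_get_authserver()` resolves by name. Only the entry being edited should be exempt: `if (auth_get_authserver($pconfig['name']) && (!isset($id) || $config['system']['authserver'][$id]['name'] != $pconfig['name']))`. The `if ($_POST)` block this belongs to starts and ends outside the hunk.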
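Review bot: The save path in the `@@ -244,10 +246,10 @@` hunk writes to `$config['system']['authserver'][$id]`, while `$id` comes from the request (`isset($_POST['id'])` in the hunk context) and the list the user picks from is now built from `auth_get_authserver_list()` in the `@@ -50,7 +50,9 @@` hunk rather than from that config array; if the helper returns entries in a different order or adds built-in ones, the index will address the wrong server. Resolve the target by name, or at least reject a bad index before this point, e.g. `if (isset($id) && !isset($config['system']['authserver'][$id])) $input_errors[] = gettext("Invalid authentication server id.");` early in the POST handler. Also, `$a_server` in the `@@ -50` hunk is never initialised to `array()` before the `$a_server[] =` append, so an empty server list leaves it undefined for the rest of the page. The enclosing `if ($_POST)` block extends beyond the hunk.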
NOTE: Semi-Colon separated. This will be prepended to the search base dn above or you can specify full container path.
EXAMPLE: CN=Users;DC=example
EXAMPLE: CN=Users,DC=example,DC=com;OU=OtherUsers,DC=example,DC=com @@ -640,11 +659,12 @@ function radius_srvcschange(){ $type = htmlspecialchars($auth_server_types[$server['type']]); $host = htmlspecialchars($server['host']); ?> - + ondblclick="document.location='system_authservers.php?act=edit&id='" >       + edit server @@ -652,11 +672,11 @@ function radius_srvcschange(){ ')"> delete server + @@ -681,26 +701,22 @@ function radius_srvcschange(){ - + - + diff --git a/usr/local/www/system_usermanager_settings.php b/usr/local/www/system_usermanager_settings.php index 4889d73..7b96d4d 100755 --- a/usr/local/www/system_usermanager_settings.php +++ b/usr/local/www/system_usermanager_settings.php 
@@ -45,29 +45,20 @@ if($_POST['savetest']) $save_and_test = true; require("guiconfig.inc"); +require_once("auth.inc"); require("priv.defs.inc"); require("priv.inc"); $pconfig['session_timeout'] = &$config['system']['webgui']['session_timeout']; -$pconfig['ldapserver'] = &$config['system']['webgui']['ldapserver']; +$pconfig['authmode'] = &$config['system']['webgui']['authmode']; $pconfig['backend'] = &$config['system']['webgui']['backend']; -$pconfig['ldapbindun'] = &$config['system']['webgui']['ldapbindun']; -$pconfig['ldapbindpw'] = &$config['system']['webgui']['ldapbindpw']; -$pconfig['ldapfilter'] = &$config['system']['webgui']['ldapfilter']; -$pconfig['ldapsearchbase'] = &$config['system']['webgui']['ldapsearchbase']; -$pconfig['ldapauthcontainers'] = &$config['system']['webgui']['ldapauthcontainers']; -$pconfig['ldapgroupattribute'] = &$config['system']['webgui']['ldapgroupattribute']; -$pconfig['ldapnameattribute'] = &$config['system']['webgui']['ldapnameattribute']; // Page title for main admin $pgtitle = array("System","User manager settings"); if ($_POST) { unset($input_errors); - - conf_mount_rw(); - - do_input_validation($_POST, $reqdfields, $reqdfieldsn, &$input_errors); + $pconfig = $_POST; if($_POST['session_timeout']) { $timeout = intval($_POST['session_timeout']); 
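Review bot: `$pconfig = $_POST;` at the end of this hunk replaces the form state with the raw request, so whatever the client sent as `authmode` and `backend` is re-rendered on the page and, later in this file, interpolated into the inline script that opens the test window, with no escaping and no check that it names a configured server. Filter it where it is taken, e.g. `$pconfig = $_POST; if ($pconfig['authmode'] && !auth_get_authserver($pconfig['authmode'])) $input_errors[] = gettext("The selected authentication server does not exist.");`, using the `auth.inc` helper this hunk now requires. Dropping `conf_mount_rw()`/`conf_mount_ro()` presumably relies on `write_config()` handling the mount itself on read-only-media installs; worth confirming rather than assuming. The `if ($_POST)` block continues past the end of the hunk.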
@@ -78,60 +69,23 @@ if ($_POST) { if (!$input_errors) { if($_POST['session_timeout']) - $pconfig['session_timeout'] = intval($_POST['session_timeout']); + $config['system']['webgui']['session_timeout'] = intval($_POST['session_timeout']); else unset($config['system']['webgui']['session_timeout']); - if($_POST['ldapserver']) - $pconfig['ldapserver'] = $_POST['ldapserver']; + if($_POST['authmode']) + $config['system']['webgui']['authmode'] = $_POST['authmode']; else - unset($pconfig['ldapserver']); + unset($config['system']['webgui']['authmode']); if($_POST['backend']) - $pconfig['backend'] = $_POST['backend']; - else - unset($pconfig['backend']); - - if($_POST['ldapbindun']) - $pconfig['ldapbindun'] = $_POST['ldapbindun']; - else - unset($pconfig['ldapbindun']); - - if($_POST['ldapbindpw']) - $pconfig['ldapbindpw'] = $_POST['ldapbindpw']; - else - unset($pconfig['ldapbindpw']); - - if($_POST['ldapfilter']) - $pconfig['ldapfilter'] = $_POST['ldapfilter']; + $config['system']['webgui']['backend'] = $_POST['backend']; else - unset($pconfig['ldapfilter']); - - if($_POST['ldapsearchbase']) - $pconfig['ldapsearchbase'] = $_POST['ldapsearchbase']; - else - unset($pconfig['ldapsearchbase']); - - if($_POST['ldapauthcontainers']) - $pconfig['ldapauthcontainers'] = $_POST['ldapauthcontainers']; - else - unset($pconfig['ldapauthcontainers']); - - if($_POST['ldapgroupattribute']) - $pconfig['ldapgroupattribute'] = $_POST['ldapgroupattribute']; - else - unset($pconfig['ldapgroupattribute']); - if($_POST['ldapnameattribute']) - $pconfig['ldapnameattribute'] = $_POST['ldapnameattribute']; - else - unset($pconfig['ldapgroupattribute']); + unset($config['system']['webgui']['backend']); write_config(); } - - conf_mount_ro(); - } include("head.inc"); 
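Review bot: `$_POST['authmode']` and `$_POST['backend']` are written straight into `$config['system']['webgui']` in this hunk without validating that they name something that exists, even though `auth_get_authserver()` from the newly required `auth.inc` is available for exactly that lookup. A stale or mistyped value is persisted by `write_config()` and, if the login path resolves the server by this name, every login would silently go to the fallback or fail until the setting is fixed. Add to the validation section above this block: `if ($_POST['authmode'] && !auth_get_authserver($_POST['authmode'])) $input_errors[] = gettext("Unknown authentication server.");` and an equivalent check for `backend` if it holds a server name rather than a fixed type. The `if ($_POST)` block begins before the hunk.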
@@ -145,77 +99,13 @@ include("head.inc"); \n"; - echo "myRef = window.open('system_usermanager_settings_test.php','mywin', "; + echo "myRef = window.open('system_usermanager_settings_test.php?authserver={$pconfig['authmode']}','mywin', "; echo "'left=20,top=20,width=700,height=550,toolbar=1,resizable=0');\n"; + echo "if (myRef==null || typeof(myRef)=='undefined') aleart('Popup blocker detected. Action aborted.');\n"; echo "\n"; } ?> - - "; + echo "
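Review bot: The popup-blocker branch added in this hunk calls `aleart(...)`, which is not a function, so a blocked popup raises a ReferenceError instead of showing the message; it should read `alert('Popup blocker detected. Action aborted.')`. On the line before it, `$pconfig['authmode']` — set from `$_POST` in an earlier hunk of this file — is interpolated unescaped into a single-quoted JavaScript string inside the `window.open` URL, so a value containing a quote breaks out of the string and runs as script; build it as `"myRef = window.open('system_usermanager_settings_test.php?authserver=" . urlencode($pconfig['authmode']) . "','mywin', "`. The surrounding markup of this hunk was stripped in this view, so the exact placement of the script block is inferred.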
@@ -224,7 +114,7 @@ include("head.inc"); $tab_array[] = array(gettext("Users"), false, "system_usermanager.php"); $tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php"); $tab_array[] = array(gettext("Settings"), true, "system_usermanager_settings.php"); - $tab_array[] = array(gettext("Servers"), false, "system_authservers.php"); + $tab_array[] = array(gettext("Servers"), false, "system_authservers.php"); display_top_tabs($tab_array); /* Default to pfsense backend type if none is defined */ @@ -238,110 +128,49 @@ if(!$pconfig['backend'])
- + - - - - - - - - - - - + +
+ Enter 0 to never expire sessions. NOTE: This is a security risk!");?>
+ + + + - - - + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - + +
NOTE: login failures or server not available issues will fall back to this type of authenticator. + + + + + +
Session Timeout - -
- Enter 0 to never expire sessions. NOTE: This is a security risk!");?>
-
Authentication primary backend - -
NOTE: login failures or server not available issues will fall back to internal users/group authentication. -
LDAP Server:port - -
Example: ldaps://ldap.example.org:389 or ldap://ldap.example.org:389 -
LDAP Binding username
Authentication Server - -
This account must have read access to the user objects and be able to retrieve groups. -
Example: For Active Directory you would want to use format DOMAIN\username or username@domain. -
Example: eDirectory you would want to use format cn=username,ou=orgunit,o=org. -
LDAP Binding password
Authentication fallback backend - -
LDAP Filter -
- - Show advanced options -
- -
LDAP Naming Attribute -
- - Show advanced options -
- -
Group Membership Attribute Name -
- - Show advanced options -
- -
LDAP Search base - -
Example: DC=example,DC=com -
LDAP Authentication container - - -
NOTE: Semi-Colon separated. -
EXAMPLE: CN=Users,DC=example,DC=com;CN=OtherUsers,DC=example,DC=com -
  - " /> - " /> -
  + " /> + " /> +
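Review bot: The help text for the fallback backend in this hunk says `login failures or server not available issues will fall back to this type of authenticator`; if that describes the real behaviour, a login the primary server rejects (disabled account, wrong password) is retried against the fallback, so a user removed from the directory stays able to log in with a stale local password and every guessed password is tried against two backends. Either make that explicit in the note or restrict the fallback to the server-unavailable case and say so, e.g. `NOTE: used only when the primary server cannot be reached; a rejected login is not retried here.` once the login code matches. The markup of this hunk is garbled in this view, so the side of each line is inferred from the wording change against the removed text.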
@@ -351,13 +180,3 @@ if(!$pconfig['backend']) - diff --git a/usr/local/www/system_usermanager_settings_ldapacpicker.php b/usr/local/www/system_usermanager_settings_ldapacpicker.php index 891b146..729dc6c 100644 --- a/usr/local/www/system_usermanager_settings_ldapacpicker.php +++ b/usr/local/www/system_usermanager_settings_ldapacpicker.php @@ -32,30 +32,41 @@ */ require("guiconfig.inc"); +require_once("auth.inc"); require("priv.defs.inc"); require("priv.inc"); +$ous = array(); +if($_GET) { + $authcfg = array(); + $authcfg['ldap_port'] = $_GET['port']; + $authcfg['ldap_basedn'] = $_GET['basedn']; + $authcfg['host'] = $_GET['host']; + $authcfg['ldap_scope'] = $_GET['scope']; + $authcfg['ldap_binddn'] = $_GET['binddn']; + $authcfg['ldap_bindpw'] = $_GET['bindpw']; + $authcfg['ldap_urltype'] = $_GET['urltype']; + $authcfg['ldap_protver'] = $_GET['proto']; + $authcfg['ldap_authcn'] = explode(";", $_GET['authcn']); + $ous = ldap_get_user_ous(true, $authcfg); +} +?> +\n"; + //this.close(); +--> } - -?> + @@ -78,7 +89,7 @@ if($_POST) { } - "> +
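Review bot: The new block in the `@@ -32,30 +32,41 @@` hunk of system_usermanager_settings_ldapacpicker.php takes the LDAP bind DN and bind password from the query string (`$_GET['binddn']`, `$_GET['bindpw']`), which puts a directory credential into browser history, the web server access log and any Referer header the popup sends. It also lets any caller of this page make the firewall open an LDAP connection to an arbitrary `host`/`port` with caller-chosen scope, URL type and protocol version. Prefer resolving the server by name from the stored configuration, as the test page in this same commit does with `$authcfg = auth_get_authserver($_GET['authserver']);`, or at least read these fields from a POST body; if the picker must work on an unsaved form, never accept `bindpw` from the URL.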
Please select which containers to Authenticate against:

@@ -87,19 +98,17 @@ if($_POST) {

\n"; + echo " \n"; } } ?> @@ -110,7 +119,7 @@ if($_POST) {

- + diff --git a/usr/local/www/system_usermanager_settings_test.php b/usr/local/www/system_usermanager_settings_test.php index 366b16e..6421488 100755 --- a/usr/local/www/system_usermanager_settings_test.php +++ b/usr/local/www/system_usermanager_settings_test.php @@ -39,13 +39,12 @@ ##|-PRIV require("guiconfig.inc"); +require_once("auth.inc"); require("priv.defs.inc"); require("priv.inc"); -$ldapserver = $config['system']['webgui']['ldapserver']; -$ldapbindun = $config['system']['webgui']['ldapbindun']; -$ldapbindpw = $config['system']['webgui']['ldapbindpw']; -$ldapfilter = $config['system']['webgui']['ldapfilter']; +$authserver = $_GET['authserver']; +$authcfg = auth_get_authserver($authserver); ?> @@ -74,44 +73,53 @@ $ldapfilter = $config['system']['webgui']['ldapfilter']; "; -echo "
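Review bot: `$authserver = $_GET['authserver'];` is looked up with `auth_get_authserver()` in the `@@ -39,13 +39,12 @@` hunk of system_usermanager_settings_test.php, but the result is never checked for being an LDAP server before the page, later in this file, runs `ldap_test_connection()`/`ldap_test_bind()` against it, so choosing a non-LDAP entry (RADIUS, judging by `radius_srvcschange` in system_authservers.php) feeds a foreign config to the LDAP helpers. Server entries carry a `type` key (it is displayed in system_authservers.php in this commit), so guard on it: `if ($authcfg && $authcfg['type'] != 'ldap') $authcfg = null;` with the literal adjusted to whatever value the LDAP type actually uses. Keep the raw `$authserver` for the lookup only; it is echoed into the page further down and needs `htmlspecialchars()` there.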

{$ou}
{$ou}
"; +if (!$authcfg) { + echo "Could not find settings for {$authserver}

"; +} else { + echo "Testing pfSense LDAP settings... One moment please...

"; -echo "

"; -else - echo ""; - -echo ""; -else - echo ""; - -echo ""; -else - echo ""; - -echo "
Attempting connection to {$ldapserver}"; -if(ldap_test_connection()) - echo "OK
failed
Attempting bind to {$ldapserver}"; -if(ldap_test_bind()) - echo "OK
failed
Attempting to fetch Organizational Units from {$ldapserver}"; -$ous = ldap_get_user_ous(true); -if(count($ous)>1) - echo "OK
failed

"; - -if(is_array($ous)) { - echo "Organization units found:

"; echo ""; - foreach($ous as $ou) { - echo ""; + + echo ""; + + echo ""; + + echo ""; + echo "
" . $ou . "
Attempting connection to {$ldapserver}"; + if(ldap_test_connection($authcfg)) { + echo "OK
Attempting bind to {$ldapserver}"; + if(ldap_test_bind($authcfg)) { + echo "OK
Attempting to fetch Organizational Units from {$ldapserver}"; + $ous = ldap_get_user_ous(true, $authcfg); + if(count($ous)>1) { + echo "OK
"; + if(is_array($ous)) { + echo "Organization units found:

"; + echo ""; + foreach($ous as $ou) { + echo ""; + } + } + } else + echo ""; + + echo "
" . $ou . "
failed

"; + + } else { + echo "

failed

"; + } + } else { + echo "failed"; + echo "

"; } - echo ""; } ?> -

- +

+ - - + + diff --git a/usr/local/www/vpn_openvpn_server.php b/usr/local/www/vpn_openvpn_server.php index 734c66c..8909194 100644 --- a/usr/local/www/vpn_openvpn_server.php +++ b/usr/local/www/vpn_openvpn_server.php @@ -44,10 +44,6 @@ if (!is_array($config['openvpn']['openvpn-server'])) $a_server = &$config['openvpn']['openvpn-server']; -if (!is_array($config['system']['authserver'])) - $config['system']['authserver'] = array(); -$auth_servers =& $config['system']['authserver']; - $id = $_GET['id']; if (isset($_POST['id'])) $id = $_POST['id']; @@ -557,10 +553,10 @@ function netbios_change() { - -
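Review bot: The output in the `@@ -74,44 +73,53 @@` hunk of system_usermanager_settings_test.php still interpolates `{$ldapserver}` in the three "Attempting ..." rows, but the first hunk of this file removed that variable, so the messages now print an empty host; use the looked-up config instead, `Attempting connection to {$authcfg['host']}` (the `host` key is the one the LDAP picker fills in this commit). The failure branch `Could not find settings for {$authserver}` echoes the raw `$_GET['authserver']` into HTML, a reflected XSS on an authenticated page; emit it as `htmlspecialchars($authserver)`. The `count($ous)>1` test carried over from the old code still reports failure when exactly one OU is returned.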