Could not connect to the LDAP server. Please check the LDAP configuration.'); } else { $modal = new Modal("Select LDAP containers for authentication", "containers", true); $group = new Form_MultiCheckboxGroup('Containers'); if (is_array($ous)) { $idx = 0; foreach ($ous as $ou) { $group->add(new Form_MultiCheckbox( 'ou' . $idx, '', $ou, in_array($ou, $authcfg['ldap_authcn']), $ou )); $idx++; } } $modal->add($group); // Create a "Save button" $btnsv = new Form_Button( 'svcontbtn', 'Save', null, 'fa-save' ); $btnsv->removeClass("btn-default)")->addClass("btn-primary"); $modal->addInput(new Form_StaticText( '', $btnsv )); print($modal); } exit; } $id = $_REQUEST['id']; if (!is_array($config['system']['authserver'])) { $config['system']['authserver'] = array(); } $a_server = array_values(auth_get_authserver_list()); if (!is_array($config['ca'])) { $config['ca'] = array(); } $a_ca =& $config['ca']; $act = $_REQUEST['act']; if ($_POST['act'] == "del") { if (!$a_server[$_POST['id']]) { pfSenseHeader("system_authservers.php"); exit; } /* Remove server from main list. */ $serverdeleted = $a_server[$_POST['id']]['name']; foreach ($config['system']['authserver'] as $k => $as) { if ($config['system']['authserver'][$k]['name'] == $serverdeleted) { unset($config['system']['authserver'][$k]); } } /* Remove server from temp list used later on this page. */ unset($a_server[$_POST['id']]); $a_server = array_values($a_server); $savemsg = sprintf(gettext("Authentication Server %s deleted."), htmlspecialchars($serverdeleted)); write_config($savemsg); } if ($act == "edit") { if (isset($id) && $a_server[$id]) { $pconfig['type'] = $a_server[$id]['type']; $pconfig['name'] = $a_server[$id]['name']; if ($pconfig['type'] == "ldap") { $pconfig['ldap_caref'] = $a_server[$id]['ldap_caref']; $pconfig['ldap_host'] = $a_server[$id]['host']; $pconfig['ldap_port'] = $a_server[$id]['ldap_port']; $pconfig['ldap_timeout'] = $a_server[$id]['ldap_timeout']; $pconfig['ldap_urltype'] = $a_server[$id]['ldap_urltype']; $pconfig['ldap_protver'] = $a_server[$id]['ldap_protver']; $pconfig['ldap_scope'] = $a_server[$id]['ldap_scope']; $pconfig['ldap_basedn'] = $a_server[$id]['ldap_basedn']; $pconfig['ldap_authcn'] = $a_server[$id]['ldap_authcn']; $pconfig['ldap_extended_enabled'] = $a_server[$id]['ldap_extended_enabled']; $pconfig['ldap_extended_query'] = $a_server[$id]['ldap_extended_query']; $pconfig['ldap_binddn'] = $a_server[$id]['ldap_binddn']; $pconfig['ldap_bindpw'] = $a_server[$id]['ldap_bindpw']; $pconfig['ldap_attr_user'] = $a_server[$id]['ldap_attr_user']; $pconfig['ldap_attr_group'] = $a_server[$id]['ldap_attr_group']; $pconfig['ldap_attr_member'] = $a_server[$id]['ldap_attr_member']; $pconfig['ldap_attr_groupobj'] = $a_server[$id]['ldap_attr_groupobj']; $pconfig['ldap_utf8'] = isset($a_server[$id]['ldap_utf8']); $pconfig['ldap_nostrip_at'] = isset($a_server[$id]['ldap_nostrip_at']); $pconfig['ldap_rfc2307'] = isset($a_server[$id]['ldap_rfc2307']); if (!$pconfig['ldap_binddn'] || !$pconfig['ldap_bindpw']) { $pconfig['ldap_anon'] = true; } } if ($pconfig['type'] == "radius") { $pconfig['radius_protocol'] = $a_server[$id]['radius_protocol']; $pconfig['radius_host'] = $a_server[$id]['host']; $pconfig['radius_auth_port'] = $a_server[$id]['radius_auth_port']; $pconfig['radius_acct_port'] = $a_server[$id]['radius_acct_port']; $pconfig['radius_secret'] = $a_server[$id]['radius_secret']; $pconfig['radius_timeout'] = $a_server[$id]['radius_timeout']; if ($pconfig['radius_auth_port'] && $pconfig['radius_acct_port']) { $pconfig['radius_srvcs'] = "both"; } if ($pconfig['radius_auth_port'] && !$pconfig['radius_acct_port']) { $pconfig['radius_srvcs'] = "auth"; $pconfig['radius_acct_port'] = 1813; } if (!$pconfig['radius_auth_port'] && $pconfig['radius_acct_port']) { $pconfig['radius_srvcs'] = "acct"; $pconfig['radius_auth_port'] = 1812; } } } } if ($act == "new") { $pconfig['ldap_protver'] = 3; $pconfig['ldap_anon'] = true; $pconfig['radius_protocol'] = "MSCHAPv2"; $pconfig['radius_srvcs'] = "both"; $pconfig['radius_auth_port'] = "1812"; $pconfig['radius_acct_port'] = "1813"; } if ($_POST['save']) { unset($input_errors); $pconfig = $_POST; /* input validation */ if ($pconfig['type'] == "ldap") { $reqdfields = explode(" ", "name type ldap_host ldap_port " . "ldap_urltype ldap_protver ldap_scope " . "ldap_attr_user ldap_attr_group ldap_attr_member ldapauthcontainers"); $reqdfieldsn = array( gettext("Descriptive name"), gettext("Type"), gettext("Hostname or IP"), gettext("Port value"), gettext("Transport"), gettext("Protocol version"), gettext("Search level"), gettext("User naming Attribute"), gettext("Group naming Attribute"), gettext("Group member attribute"), gettext("Authentication container")); if (!$pconfig['ldap_anon']) { $reqdfields[] = "ldap_binddn"; $reqdfields[] = "ldap_bindpw"; $reqdfieldsn[] = gettext("Bind user DN"); $reqdfieldsn[] = gettext("Bind Password"); } } if ($pconfig['type'] == "radius") { $reqdfields = explode(" ", "name type radius_protocol radius_host radius_srvcs"); $reqdfieldsn = array( gettext("Descriptive name"), gettext("Type"), gettext("Radius Protocol"), gettext("Hostname or IP"), gettext("Services")); if ($pconfig['radius_srvcs'] == "both" || $pconfig['radius_srvcs'] == "auth") { $reqdfields[] = "radius_auth_port"; $reqdfieldsn[] = gettext("Authentication port"); } if ($pconfig['radius_srvcs'] == "both" || $pconfig['radius_srvcs'] == "acct") { $reqdfields[] = "radius_acct_port"; $reqdfieldsn[] = gettext("Accounting port"); } if (!isset($id)) { $reqdfields[] = "radius_secret"; $reqdfieldsn[] = gettext("Shared Secret"); } } do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors); if (preg_match("/[^a-zA-Z0-9\.\-_]/", $_POST['host'])) { $input_errors[] = gettext("The host name contains invalid characters."); } if (auth_get_authserver($pconfig['name']) && !isset($id)) { $input_errors[] = gettext("An authentication server with the same name already exists."); } if (($pconfig['type'] == "ldap") || ($pconfig['type'] == "radius")) { $to_field = "{$pconfig['type']}_timeout"; if (isset($_POST[$to_field]) && !empty($_POST[$to_field]) && (!is_numeric($_POST[$to_field]) || (is_numeric($_POST[$to_field]) && ($_POST[$to_field] <= 0)))) { $input_errors[] = sprintf(gettext("%s Timeout value must be numeric and positive."), strtoupper($pconfig['type'])); } } // https://redmine.pfsense.org/issues/4154 if ($pconfig['type'] == "radius") { if (is_ipaddrv6($_POST['radius_host'])) { $input_errors[] = gettext("IPv6 does not work for RADIUS authentication, see Bug #4154."); } } if (!$input_errors) { $server = array(); $server['refid'] = uniqid(); if (isset($id) && $a_server[$id]) { $server = $a_server[$id]; } $server['type'] = $pconfig['type']; $server['name'] = $pconfig['name']; if ($server['type'] == "ldap") { if (!empty($pconfig['ldap_caref'])) { $server['ldap_caref'] = $pconfig['ldap_caref']; } $server['host'] = $pconfig['ldap_host']; $server['ldap_port'] = $pconfig['ldap_port']; $server['ldap_urltype'] = $pconfig['ldap_urltype']; $server['ldap_protver'] = $pconfig['ldap_protver']; $server['ldap_scope'] = $pconfig['ldap_scope']; $server['ldap_basedn'] = $pconfig['ldap_basedn']; $server['ldap_authcn'] = $pconfig['ldapauthcontainers']; $server['ldap_extended_enabled'] = $pconfig['ldap_extended_enabled']; $server['ldap_extended_query'] = $pconfig['ldap_extended_query']; $server['ldap_attr_user'] = $pconfig['ldap_attr_user']; $server['ldap_attr_group'] = $pconfig['ldap_attr_group']; $server['ldap_attr_member'] = $pconfig['ldap_attr_member']; $server['ldap_attr_groupobj'] = empty($pconfig['ldap_attr_groupobj']) ? "posixGroup" : $pconfig['ldap_attr_groupobj']; if ($pconfig['ldap_utf8'] == "yes") { $server['ldap_utf8'] = true; } else { unset($server['ldap_utf8']); } if ($pconfig['ldap_nostrip_at'] == "yes") { $server['ldap_nostrip_at'] = true; } else { unset($server['ldap_nostrip_at']); } if ($pconfig['ldap_rfc2307'] == "yes") { $server['ldap_rfc2307'] = true; } else { unset($server['ldap_rfc2307']); } if (!$pconfig['ldap_anon']) { $server['ldap_binddn'] = $pconfig['ldap_binddn']; $server['ldap_bindpw'] = $pconfig['ldap_bindpw']; } else { unset($server['ldap_binddn']); unset($server['ldap_bindpw']); } if ($pconfig['ldap_timeout']) { $server['ldap_timeout'] = $pconfig['ldap_timeout']; } else { $server['ldap_timeout'] = 25; } } if ($server['type'] == "radius") { $server['radius_protocol'] = $pconfig['radius_protocol']; $server['host'] = $pconfig['radius_host']; if ($pconfig['radius_secret']) { $server['radius_secret'] = $pconfig['radius_secret']; } if ($pconfig['radius_timeout']) { $server['radius_timeout'] = $pconfig['radius_timeout']; } else { $server['radius_timeout'] = 5; } if ($pconfig['radius_srvcs'] == "both") { $server['radius_auth_port'] = $pconfig['radius_auth_port']; $server['radius_acct_port'] = $pconfig['radius_acct_port']; } if ($pconfig['radius_srvcs'] == "auth") { $server['radius_auth_port'] = $pconfig['radius_auth_port']; unset($server['radius_acct_port']); } if ($pconfig['radius_srvcs'] == "acct") { $server['radius_acct_port'] = $pconfig['radius_acct_port']; unset($server['radius_auth_port']); } } if (isset($id) && $config['system']['authserver'][$id]) { $config['system']['authserver'][$id] = $server; } else { $config['system']['authserver'][] = $server; } write_config(); pfSenseHeader("system_authservers.php"); } } // On error, restore the form contents so the user doesn't have to re-enter too much if ($_POST && $input_errors) { $pconfig = $_POST; $pconfig['ldap_authcn'] = $_POST['ldapauthcontainers']; $pconfig['ldap_template'] = $_POST['ldap_tmpltype']; } $pgtitle = array(gettext("System"), gettext("User Manager"), gettext("Authentication Servers")); $pglinks = array("", "system_usermanager.php", "system_authservers.php"); if ($act == "new" || $act == "edit" || $input_errors) { $pgtitle[] = gettext('Edit'); $pglinks[] = "@self"; } $shortcut_section = "authentication"; include("head.inc"); if ($input_errors) { print_input_errors($input_errors); } if ($savemsg) { print_info_box($savemsg, 'success'); } $tab_array = array(); $tab_array[] = array(gettext("Users"), false, "system_usermanager.php"); $tab_array[] = array(gettext("Groups"), false, "system_groupmanager.php"); $tab_array[] = array(gettext("Settings"), false, "system_usermanager_settings.php"); $tab_array[] = array(gettext("Authentication Servers"), true, "system_authservers.php"); display_top_tabs($tab_array); if (!($act == "new" || $act == "edit" || $input_errors)) { ?>

$server): ?>


			" href="system_authservers.php?act=edit&id="> " href="system_authservers.php?act=del&id=" usepost>

setAction('system_authservers.php?act=edit'); $form->addGlobal(new Form_Input( 'userid', null, 'hidden', $id )); $section = new Form_Section('Server Settings'); $section->addInput($input = new Form_Input( 'name', '*Descriptive name', 'text', $pconfig['name'] )); $section->addInput($input = new Form_Select( 'type', '*Type', $pconfig['type'], $auth_server_types ))->toggles(); $form->add($section); // ==== LDAP settings ========================================================= $section = new Form_Section('LDAP Server Settings'); $section->addClass('toggle-ldap collapse'); if (!isset($pconfig['type']) || $pconfig['type'] == 'ldap') $section->addClass('in'); $section->addInput(new Form_Input( 'ldap_host', '*Hostname or IP address', 'text', $pconfig['ldap_host'] ))->setHelp('NOTE: When using SSL or STARTTLS, this hostname MUST match the Common Name '. '(CN) of the LDAP server\'s SSL Certificate.'); $section->addInput(new Form_Input( 'ldap_port', '*Port value', 'number', $pconfig['ldap_port'] )); $section->addInput(new Form_Select( 'ldap_urltype', '*Transport', $pconfig['ldap_urltype'], array_combine(array_keys($ldap_urltypes), array_keys($ldap_urltypes)) )); if (empty($a_ca)) { $section->addInput(new Form_StaticText( 'Peer Certificate Authority', 'No Certificate Authorities defined.
Create one under System > Cert. Manager.' )); } else { $ldapCaRef = []; foreach ($a_ca as $ca) $ldapCaRef[ $ca['refid'] ] = $ca['descr']; $section->addInput(new Form_Select( 'ldap_caref', 'Peer Certificate Authority', $pconfig['ldap_caref'], $ldapCaRef ))->setHelp('This option is used if \'SSL Encrypted\' '. 'or \'TCP - STARTTLS\' options are chosen. '. 'It must match with the CA in the AD otherwise problems will arise.'); } $section->addInput(new Form_Select( 'ldap_protver', '*Protocol version', $pconfig['ldap_protver'], array_combine($ldap_protvers, $ldap_protvers) )); $section->addInput(new Form_Input( 'ldap_timeout', 'Server Timeout', 'number', $pconfig['ldap_timeout'], ['placeholder' => 25] ))->setHelp('Timeout for LDAP operations (seconds)'); $group = new Form_Group('Search scope'); $SSF = new Form_Select( 'ldap_scope', '*Level', $pconfig['ldap_scope'], $ldap_scopes ); $SSB = new Form_Input( 'ldap_basedn', 'Base DN', 'text', $pconfig['ldap_basedn'] ); $section->addInput(new Form_StaticText( 'Search scope', 'Level ' . $SSF . '
' . 'Base DN' . $SSB )); $group = new Form_Group('Authentication containers'); $group->add(new Form_Input( 'ldapauthcontainers', '*Containers', 'text', $pconfig['ldap_authcn'] ))->setHelp('Note: Semi-Colon separated. This will be prepended to the search '. 'base dn above or the full container path can be specified containing a dc= '. 'component.%1$sExample: CN=Users;DC=example,DC=com or OU=Staff;OU=Freelancers', '
'); $group->add(new Form_Button( 'Select', 'Select a container', null, 'fa-search' ))->setAttribute('type','button')->addClass('btn-info'); $section->add($group); $section->addInput(new Form_Checkbox( 'ldap_extended_enabled', 'Extended query', 'Enable extended query', $pconfig['ldap_extended_enabled'] )); $group = new Form_Group('Query'); $group->addClass('extended'); $group->add(new Form_Input( 'ldap_extended_query', 'Query', 'text', $pconfig['ldap_extended_query'] ))->setHelp('Example: &(objectClass=inetOrgPerson)(mail=*@example.com)'); $section->add($group); $section->addInput(new Form_Checkbox( 'ldap_anon', 'Bind anonymous', 'Use anonymous binds to resolve distinguished names', $pconfig['ldap_anon'] )); $group = new Form_Group('*Bind credentials'); $group->addClass('ldapanon'); $group->add(new Form_Input( 'ldap_binddn', 'User DN:', 'text', $pconfig['ldap_binddn'] )); $group->add(new Form_Input( 'ldap_bindpw', 'Password', 'password', $pconfig['ldap_bindpw'] )); $section->add($group); if (!isset($id)) { $template_list = array(); foreach ($ldap_templates as $option => $template) { $template_list[$option] = $template['desc']; } $section->addInput(new Form_Select( 'ldap_tmpltype', 'Initial Template', $pconfig['ldap_template'], $template_list )); } $section->addInput(new Form_Input( 'ldap_attr_user', '*User naming attribute', 'text', $pconfig['ldap_attr_user'] )); $section->addInput(new Form_Input( 'ldap_attr_group', '*Group naming attribute', 'text', $pconfig['ldap_attr_group'] )); $section->addInput(new Form_Input( 'ldap_attr_member', '*Group member attribute', 'text', $pconfig['ldap_attr_member'] )); $section->addInput(new Form_Checkbox( 'ldap_rfc2307', 'RFC 2307 Groups', 'LDAP Server uses RFC 2307 style group membership', $pconfig['ldap_rfc2307'] ))->setHelp('RFC 2307 style group membership has members listed on the group '. 'object rather than using groups listed on user object. Leave unchecked '. 'for Active Directory style group membership (RFC 2307bis).'); $section->addInput(new Form_Input( 'ldap_attr_groupobj', 'Group Object Class', 'text', $pconfig['ldap_attr_groupobj'], ['placeholder' => 'posixGroup'] ))->setHelp('Object class used for groups in RFC2307 mode. '. 'Typically "posixGroup" or "group".'); $section->addInput(new Form_Checkbox( 'ldap_utf8', 'UTF8 Encode', 'UTF8 encode LDAP parameters before sending them to the server.', $pconfig['ldap_utf8'] ))->setHelp('Required to support international characters, but may not be '. 'supported by every LDAP server.'); $section->addInput(new Form_Checkbox( 'ldap_nostrip_at', 'Username Alterations', 'Do not strip away parts of the username after the @ symbol', $pconfig['ldap_nostrip_at'] ))->setHelp('e.g. user@host becomes user when unchecked.'); $form->add($section); // ==== RADIUS section ======================================================== $section = new Form_Section('RADIUS Server Settings'); $section->addClass('toggle-radius collapse'); $section->addInput(new Form_Select( 'radius_protocol', '*Protocol', $pconfig['radius_protocol'], $radius_protocol )); $section->addInput(new Form_Input( 'radius_host', '*Hostname or IP address', 'text', $pconfig['radius_host'] )); $section->addInput(new Form_Input( 'radius_secret', '*Shared Secret', 'password', $pconfig['radius_secret'] )); $section->addInput(new Form_Select( 'radius_srvcs', '*Services offered', $pconfig['radius_srvcs'], $radius_srvcs )); $section->addInput(new Form_Input( 'radius_auth_port', 'Authentication port', 'number', $pconfig['radius_auth_port'] )); $section->addInput(new Form_Input( 'radius_acct_port', 'Accounting port', 'number', $pconfig['radius_acct_port'] )); $section->addInput(new Form_Input( 'radius_timeout', 'Authentication Timeout', 'number', $pconfig['radius_timeout'] ))->setHelp('This value controls how long, in seconds, that the RADIUS '. 'server may take to respond to an authentication request. If left blank, the '. 'default value is 5 seconds. NOTE: If using an interactive two-factor '. 'authentication system, increase this timeout to account for how long it will '. 'take the user to receive and enter a token.'); if (isset($id) && $a_server[$id]) { $section->addInput(new Form_Input( 'id', null, 'hidden', $id )); } $form->add($section); // Create a largely empty modal to show the available containers. We will populate it via AJAX later $modal = new Modal("LDAP containers", "containers", true); $form->add($modal); print $form; ?>