/etc/inc/auth.inc - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/etc/inc/auth.inc @ 97c88dfa

1	55eb9c44	--global	<?php
2			/* $Id$ */
3			/*
4	d1b69106	namezero111111	Copyright (C) 2010 Ermal Lu�i
5	8a6b0fbe	Ermal Lu?i	All rights reserved.
6
7			Copyright (C) 2007, 2008 Scott Ullrich <sullrich@gmail.com>
8			All rights reserved.
9	55eb9c44	--global
10	ce77a9c4	Phil Davis	Copyright (C) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
11			All rights reserved.
12
13			Copyright (C) 2006 Paul Taylor <paultaylor@winn-dixie.com>.
14			All rights reserved.
15
16			Copyright (C) 2003-2006 Manuel Kasper <mk@neon1.net>.
17			All rights reserved.
18
19			Redistribution and use in source and binary forms, with or without
20			modification, are permitted provided that the following conditions are met:
21
22			1. Redistributions of source code must retain the above copyright notice,
23			this list of conditions and the following disclaimer.
24
25			2. Redistributions in binary form must reproduce the above copyright
26			notice, this list of conditions and the following disclaimer in the
27			documentation and/or other materials provided with the distribution.
28
29			THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
30			INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
31			AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
32			AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
33			OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
34			SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
35			INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
36			CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
37			ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
38			POSSIBILITY OF SUCH DAMAGE.
39
40			pfSense_BUILDER_BINARIES: /usr/sbin/pw /bin/cp
41			pfSense_MODULE: auth
42	55eb9c44	--global	*/
43
44			/*
45			* NOTE : Portions of the mschapv2 support was based on the BSD licensed CHAP.php
46			* file courtesy of Michael Retterklieber.
47			*/
48	1e0b1727	Phil Davis	if (!$do_not_include_config_gui_inc) {
49	052e65ef	Scott Ullrich	require_once("config.gui.inc");
50	1e0b1727	Phil Davis	}
51	55eb9c44	--global
52	9ae11a62	Scott Ullrich	// Will be changed to false if security checks fail
53			$security_passed = true;
54
55	1e0b1727	Phil Davis	/* If this function doesn't exist, we're being called from Captive Portal or
56	0321fa1b	jim-p	another internal subsystem which does not include authgui.inc */
57	14eab6fb	jim-p	if (function_exists("display_error_form") && !isset($config['system']['webgui']['nodnsrebindcheck'])) {
58	0734024c	Chris Buechler	/* DNS ReBinding attack prevention. https://redmine.pfsense.org/issues/708 */
59	0321fa1b	jim-p	$found_host = false;
60	209620ea	Seth Mos
61	4cf79fdd	smos	/* Either a IPv6 address with or without a alternate port */
62	1e0b1727	Phil Davis	if (strstr($_SERVER['HTTP_HOST'], "]")) {
63	4cf79fdd	smos	$http_host_port = explode("]", $_SERVER['HTTP_HOST']);
64	209620ea	Seth Mos	/* v6 address has more parts, drop the last part */
65	1e0b1727	Phil Davis	if (count($http_host_port) > 1) {
66	209620ea	Seth Mos	array_pop($http_host_port);
67			$http_host = str_replace(array("[", "]"), "", implode(":", $http_host_port));
68			} else {
69	4cf79fdd	smos	$http_host = str_replace(array("[", "]"), "", implode(":", $http_host_port));
70	209620ea	Seth Mos	}
71	7319dc73	jim-p	} else {
72	4fcab77b	smos	$http_host = explode(":", $_SERVER['HTTP_HOST']);
73			$http_host = $http_host[0];
74	7319dc73	jim-p	}
75	1e0b1727	Phil Davis	if (is_ipaddr($http_host) or $_SERVER['SERVER_ADDR'] == "127.0.0.1" or
76	ae52d165	Renato Botelho	strcasecmp($http_host, "localhost") == 0 or $_SERVER['SERVER_ADDR'] == "::1") {
77	9ae11a62	Scott Ullrich	$found_host = true;
78	1e0b1727	Phil Davis	}
79			if (strcasecmp($http_host, $config['system']['hostname'] . "." . $config['system']['domain']) == 0 or
80	ae52d165	Renato Botelho	strcasecmp($http_host, $config['system']['hostname']) == 0) {
81	d7bf3178	Erik Fonnesbeck	$found_host = true;
82	1e0b1727	Phil Davis	}
83	9ae11a62	Scott Ullrich
84	1e0b1727	Phil Davis	if (is_array($config['dyndnses']['dyndns']) && !$found_host) {
85			foreach ($config['dyndnses']['dyndns'] as $dyndns) {
86			if (strcasecmp($dyndns['host'], $http_host) == 0) {
87	0321fa1b	jim-p	$found_host = true;
88	9ae11a62	Scott Ullrich	break;
89			}
90	1e0b1727	Phil Davis	}
91			}
92	7319dc73	jim-p
93	1e0b1727	Phil Davis	if (is_array($config['dnsupdates']['dnsupdate']) && !$found_host) {
94			foreach ($config['dnsupdates']['dnsupdate'] as $rfc2136) {
95			if (strcasecmp($rfc2136['host'], $http_host) == 0) {
96	fa087612	jim-p	$found_host = true;
97			break;
98			}
99	1e0b1727	Phil Davis	}
100			}
101	fa087612	jim-p
102	1e0b1727	Phil Davis	if (!empty($config['system']['webgui']['althostnames']) && !$found_host) {
103	86b21903	jim-p	$althosts = explode(" ", $config['system']['webgui']['althostnames']);
104	1e0b1727	Phil Davis	foreach ($althosts as $ah) {
105			if (strcasecmp($ah, $http_host) == 0 or strcasecmp($ah, $_SERVER['SERVER_ADDR']) == 0) {
106	86b21903	jim-p	$found_host = true;
107	9ae11a62	Scott Ullrich	break;
108			}
109	1e0b1727	Phil Davis	}
110	9b13f84b	Scott Ullrich	}
111	ce46b5da	Scott Ullrich
112	1e0b1727	Phil Davis	if ($found_host == false) {
113			if (!security_checks_disabled()) {
114	8cd558b6	ayvis	display_error_form("501", gettext("Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding<br />Try accessing the router by IP address instead of by hostname."));
115	9ae11a62	Scott Ullrich	exit;
116			}
117			$security_passed = false;
118			}
119			}
120	ef173724	Scott Ullrich
121	9ae11a62	Scott Ullrich	// If the HTTP_REFERER is something other than ourselves then disallow.
122	1e0b1727	Phil Davis	if (function_exists("display_error_form") && !isset($config['system']['webgui']['nohttpreferercheck'])) {
123			if ($_SERVER['HTTP_REFERER']) {
124			if (file_exists("{$g['tmp_path']}/setupwizard_lastreferrer")) {
125			if ($_SERVER['HTTP_REFERER'] == file_get_contents("{$g['tmp_path']}/setupwizard_lastreferrer")) {
126	9ae11a62	Scott Ullrich	unlink("{$g['tmp_path']}/setupwizard_lastreferrer");
127			header("Refresh: 1; url=index.php");
128			echo "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">";
129			echo "<html><head><title>" . gettext("Redirecting...") . "</title></head><body>" . gettext("Redirecting to the dashboard...") . "</body></html>";
130			exit;
131			}
132			}
133			$found_host = false;
134			$referrer_host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
135	e6f7e0be	smos	$referrer_host = str_replace(array("[", "]"), "", $referrer_host);
136	1e0b1727	Phil Davis	if ($referrer_host) {
137	ae52d165	Renato Botelho	if (strcasecmp($referrer_host, $config['system']['hostname'] . "." . $config['system']['domain']) == 0 \|\|
138			strcasecmp($referrer_host, $config['system']['hostname']) == 0) {
139	9ae11a62	Scott Ullrich	$found_host = true;
140	1e0b1727	Phil Davis	}
141	9f0bee02	jim-p
142	1e0b1727	Phil Davis	if (!empty($config['system']['webgui']['althostnames']) && !$found_host) {
143	9ae11a62	Scott Ullrich	$althosts = explode(" ", $config['system']['webgui']['althostnames']);
144			foreach ($althosts as $ah) {
145	1e0b1727	Phil Davis	if (strcasecmp($referrer_host, $ah) == 0) {
146	9ae11a62	Scott Ullrich	$found_host = true;
147			break;
148			}
149			}
150			}
151	9f0bee02	jim-p
152	1e0b1727	Phil Davis	if (is_array($config['dyndnses']['dyndns']) && !$found_host) {
153			foreach ($config['dyndnses']['dyndns'] as $dyndns) {
154			if (strcasecmp($dyndns['host'], $referrer_host) == 0) {
155	9f0bee02	jim-p	$found_host = true;
156			break;
157			}
158	1e0b1727	Phil Davis	}
159			}
160	9f0bee02	jim-p
161	1e0b1727	Phil Davis	if (is_array($config['dnsupdates']['dnsupdate']) && !$found_host) {
162			foreach ($config['dnsupdates']['dnsupdate'] as $rfc2136) {
163			if (strcasecmp($rfc2136['host'], $referrer_host) == 0) {
164	9f0bee02	jim-p	$found_host = true;
165			break;
166			}
167	1e0b1727	Phil Davis	}
168			}
169	9f0bee02	jim-p
170	1e0b1727	Phil Davis	if (!$found_host) {
171	9ae11a62	Scott Ullrich	$interface_list_ips = get_configured_ip_addresses();
172	1e0b1727	Phil Davis	foreach ($interface_list_ips as $ilips) {
173			if (strcasecmp($referrer_host, $ilips) == 0) {
174	9ae11a62	Scott Ullrich	$found_host = true;
175			break;
176			}
177			}
178	e6f7e0be	smos	$interface_list_ipv6s = get_configured_ipv6_addresses();
179	1e0b1727	Phil Davis	foreach ($interface_list_ipv6s as $ilipv6s) {
180			if (strcasecmp($referrer_host, $ilipv6s) == 0) {
181	e6f7e0be	smos	$found_host = true;
182			break;
183			}
184			}
185	1e0b1727	Phil Davis	if ($referrer_host == "127.0.0.1" \|\| $referrer_host == "localhost") {
186	17dd7ff3	Chris Buechler	// allow SSH port forwarded connections and links from localhost
187			$found_host = true;
188			}
189	9ae11a62	Scott Ullrich	}
190			}
191	1e0b1727	Phil Davis	if ($found_host == false) {
192			if (!security_checks_disabled()) {
193	9ae11a62	Scott Ullrich	display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "). You can disable this check if needed in System -> Advanced -> Admin.");
194	0f806eca	Erik Fonnesbeck	exit;
195			}
196	9ae11a62	Scott Ullrich	$security_passed = false;
197			}
198	1e0b1727	Phil Davis	} else {
199	9ae11a62	Scott Ullrich	$security_passed = false;
200	1e0b1727	Phil Davis	}
201	4fe9c2dc	Scott Ullrich	}
202
203	1e0b1727	Phil Davis	if (function_exists("display_error_form") && $security_passed) {
204	9ae11a62	Scott Ullrich	/* Security checks passed, so it should be OK to turn them back on */
205			restore_security_checks();
206	1e0b1727	Phil Davis	}
207	9ae11a62	Scott Ullrich	unset($security_passed);
208
209	55eb9c44	--global	$groupindex = index_groups();
210			$userindex = index_users();
211
212			function index_groups() {
213			global $g, $debug, $config, $groupindex;
214
215			$groupindex = array();
216
217	6dcd80af	Ermal	if (is_array($config['system']['group'])) {
218	55eb9c44	--global	$i = 0;
219	1e0b1727	Phil Davis	foreach ($config['system']['group'] as $groupent) {
220	55eb9c44	--global	$groupindex[$groupent['name']] = $i;
221			$i++;
222			}
223			}
224
225			return ($groupindex);
226			}
227
228			function index_users() {
229			global $g, $debug, $config;
230
231	6dcd80af	Ermal	if (is_array($config['system']['user'])) {
232	55eb9c44	--global	$i = 0;
233	1e0b1727	Phil Davis	foreach ($config['system']['user'] as $userent) {
234	55eb9c44	--global	$userindex[$userent['name']] = $i;
235			$i++;
236			}
237			}
238
239			return ($userindex);
240			}
241
242			function & getUserEntry($name) {
243			global $debug, $config, $userindex;
244	1e0b1727	Phil Davis	if (isset($userindex[$name])) {
245	55eb9c44	--global	return $config['system']['user'][$userindex[$name]];
246	1e0b1727	Phil Davis	}
247	55eb9c44	--global	}
248
249			function & getUserEntryByUID($uid) {
250			global $debug, $config;
251	84924e76	Ermal
252	1e0b1727	Phil Davis	if (is_array($config['system']['user'])) {
253			foreach ($config['system']['user'] as & $user) {
254			if ($user['uid'] == $uid) {
255	84924e76	Ermal	return $user;
256	1e0b1727	Phil Davis	}
257			}
258			}
259	55eb9c44	--global
260			return false;
261			}
262
263			function & getGroupEntry($name) {
264			global $debug, $config, $groupindex;
265	1e0b1727	Phil Davis	if (isset($groupindex[$name])) {
266	55eb9c44	--global	return $config['system']['group'][$groupindex[$name]];
267	1e0b1727	Phil Davis	}
268	55eb9c44	--global	}
269
270			function & getGroupEntryByGID($gid) {
271			global $debug, $config;
272	84924e76	Ermal
273	1e0b1727	Phil Davis	if (is_array($config['system']['group'])) {
274			foreach ($config['system']['group'] as & $group) {
275			if ($group['gid'] == $gid) {
276	84924e76	Ermal	return $group;
277	1e0b1727	Phil Davis	}
278			}
279			}
280	55eb9c44	--global
281			return false;
282			}
283
284	6dc88d53	Ermal Luci	function get_user_privileges(& $user) {
285
286	1e0b1727	Phil Davis	$privs = $user['priv'];
287			if (!is_array($privs)) {
288			$privs = array();
289			}
290	6dc88d53	Ermal Luci
291	1e0b1727	Phil Davis	$names = local_user_get_groups($user, true);
292	6dc88d53	Ermal Luci
293	1e0b1727	Phil Davis	foreach ($names as $name) {
294			$group = getGroupEntry($name);
295			if (is_array($group['priv'])) {
296			$privs = array_merge( $privs, $group['priv']);
297			}
298			}
299	6dc88d53	Ermal Luci
300	1e0b1727	Phil Davis	return $privs;
301	6dc88d53	Ermal Luci	}
302
303			function userHasPrivilege($userent, $privid = false) {
304
305	1e0b1727	Phil Davis	if (!$privid \|\| !is_array($userent)) {
306			return false;
307			}
308	6dc88d53	Ermal Luci
309	1e0b1727	Phil Davis	$privs = get_user_privileges($userent);
310	6dc88d53	Ermal Luci
311	1e0b1727	Phil Davis	if (!is_array($privs)) {
312			return false;
313			}
314	6dc88d53	Ermal Luci
315	1e0b1727	Phil Davis	if (!in_array($privid, $privs)) {
316			return false;
317			}
318	6dc88d53	Ermal Luci
319	1e0b1727	Phil Davis	return true;
320	6dc88d53	Ermal Luci	}
321
322	55eb9c44	--global	function local_backed($username, $passwd) {
323
324			$user = getUserEntry($username);
325	1e0b1727	Phil Davis	if (!$user) {
326	55eb9c44	--global	return false;
327	1e0b1727	Phil Davis	}
328	55eb9c44	--global
329	1e0b1727	Phil Davis	if (is_account_disabled($username) \|\| is_account_expired($username)) {
330	a13ce628	Ermal Lu?i	return false;
331	1e0b1727	Phil Davis	}
332	a13ce628	Ermal Lu?i
333	1e0b1727	Phil Davis	if ($user['password']) {
334			if (crypt($passwd, $user['password']) == $user['password']) {
335	55eb9c44	--global	return true;
336	1e0b1727	Phil Davis	}
337	55eb9c44	--global	}
338
339	1e0b1727	Phil Davis	if ($user['md5-hash']) {
340			if (md5($passwd) == $user['md5-hash']) {
341	55eb9c44	--global	return true;
342	1e0b1727	Phil Davis	}
343	55eb9c44	--global	}
344
345			return false;
346			}
347
348			function local_sync_accounts() {
349			global $debug, $config;
350			conf_mount_rw();
351
352			/* remove local users to avoid uid conflicts */
353			$fd = popen("/usr/sbin/pw usershow -a", "r");
354			if ($fd) {
355			while (!feof($fd)) {
356			$line = explode(":",fgets($fd));
357	1e0b1727	Phil Davis	if (((!strncmp($line[0], "_", 1)) \|\| ($line[2] < 2000) \|\| ($line[2] > 65000)) && ($line[0] != "admin")) {
358	55eb9c44	--global	continue;
359	1e0b1727	Phil Davis	}
360	2b41df9c	Renato Botelho	/*
361			* If a crontab was created to user, pw userdel will be interactive and
362			* can cause issues. Just remove crontab before run it when necessary
363			*/
364			unlink_if_exists("/var/cron/tabs/{$line[0]}");
365	0f84dee3	Renato Botelho	$cmd = "/usr/sbin/pw userdel -n '{$line[0]}'";
366	1e0b1727	Phil Davis	if ($debug) {
367	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("Running: %s"), $cmd));
368	1e0b1727	Phil Davis	}
369	55eb9c44	--global	mwexec($cmd);
370			}
371			pclose($fd);
372			}
373
374			/* remove local groups to avoid gid conflicts */
375			$gids = array();
376			$fd = popen("/usr/sbin/pw groupshow -a", "r");
377			if ($fd) {
378			while (!feof($fd)) {
379			$line = explode(":",fgets($fd));
380	1e0b1727	Phil Davis	if (!strncmp($line[0], "_", 1)) {
381	55eb9c44	--global	continue;
382	1e0b1727	Phil Davis	}
383			if ($line[2] < 2000) {
384	55eb9c44	--global	continue;
385	1e0b1727	Phil Davis	}
386			if ($line[2] > 65000) {
387	55eb9c44	--global	continue;
388	1e0b1727	Phil Davis	}
389	55eb9c44	--global	$cmd = "/usr/sbin/pw groupdel {$line[2]}";
390	1e0b1727	Phil Davis	if ($debug) {
391	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("Running: %s"), $cmd));
392	1e0b1727	Phil Davis	}
393	55eb9c44	--global	mwexec($cmd);
394			}
395			pclose($fd);
396			}
397
398			/* make sure the all group exists */
399			$allgrp = getGroupEntryByGID(1998);
400			local_group_set($allgrp, true);
401
402	5af2baf7	jim-p	/* sync all local users */
403	1e0b1727	Phil Davis	if (is_array($config['system']['user'])) {
404			foreach ($config['system']['user'] as $user) {
405	5af2baf7	jim-p	local_user_set($user);
406	1e0b1727	Phil Davis	}
407			}
408	5af2baf7	jim-p
409	f3e0a111	jim-p	/* sync all local groups */
410	1e0b1727	Phil Davis	if (is_array($config['system']['group'])) {
411			foreach ($config['system']['group'] as $group) {
412	f3e0a111	jim-p	local_group_set($group);
413	1e0b1727	Phil Davis	}
414			}
415	f3e0a111	jim-p
416	55eb9c44	--global	conf_mount_ro();
417
418			}
419
420			function local_user_set(& $user) {
421			global $g, $debug;
422
423	b3c106a0	Ermal	if (empty($user['password'])) {
424			log_error("There is something wrong in your config because user {$user['name']} password is missing!");
425			return;
426			}
427
428	2bb07efc	Scott Ullrich	conf_mount_rw();
429
430	1e0b1727	Phil Davis	$home_base = "/home/";
431	55eb9c44	--global	$user_uid = $user['uid'];
432			$user_name = $user['name'];
433	461df7c0	jim-p	$user_home = "{$home_base}{$user_name}";
434	55eb9c44	--global	$user_shell = "/etc/rc.initial";
435			$user_group = "nobody";
436
437			// Ensure $home_base exists and is writable
438	1e0b1727	Phil Davis	if (!is_dir($home_base)) {
439	55eb9c44	--global	mkdir($home_base, 0755);
440	1e0b1727	Phil Davis	}
441	55eb9c44	--global
442	df8d74de	jim-p	$lock_account = false;
443	55eb9c44	--global	/* configure shell type */
444	3e251b12	Erik Fonnesbeck	/* Cases here should be ordered by most privileged to least privileged. */
445	a137fedd	jim-p	if (userHasPrivilege($user, "user-shell-access") \|\| userHasPrivilege($user, "page-all")) {
446	29293dce	jim-p	$user_shell = "/bin/tcsh";
447	1ed86bc6	jim-p	} elseif (userHasPrivilege($user, "user-copy-files")) {
448	a137fedd	jim-p	$user_shell = "/usr/local/bin/scponly";
449	3e251b12	Erik Fonnesbeck	} elseif (userHasPrivilege($user, "user-ssh-tunnel")) {
450			$user_shell = "/usr/local/sbin/ssh_tunnel_shell";
451	fbfd675a	jim-p	} elseif (userHasPrivilege($user, "user-ipsec-xauth-dialin")) {
452			$user_shell = "/sbin/nologin";
453	1ed86bc6	jim-p	} else {
454			$user_shell = "/sbin/nologin";
455	df8d74de	jim-p	$lock_account = true;
456			}
457
458			/* Lock out disabled or expired users, unless it's root/admin. */
459			if ((is_account_disabled($user_name) \|\| is_account_expired($user_name)) && ($user_uid != 0)) {
460			$user_shell = "/sbin/nologin";
461			$lock_account = true;
462	55eb9c44	--global	}
463
464			/* root user special handling */
465			if ($user_uid == 0) {
466			$cmd = "/usr/sbin/pw usermod -q -n root -s /bin/sh -H 0";
467	1e0b1727	Phil Davis	if ($debug) {
468	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("Running: %s"), $cmd));
469	1e0b1727	Phil Davis	}
470	55eb9c44	--global	$fd = popen($cmd, "w");
471			fwrite($fd, $user['password']);
472			pclose($fd);
473			$user_group = "wheel";
474	2708e399	jim-p	$user_home = "/root";
475	29293dce	jim-p	$user_shell = "/etc/rc.initial";
476	55eb9c44	--global	}
477
478			/* read from pw db */
479	9fd14591	jim-p	$fd = popen("/usr/sbin/pw usershow -n {$user_name} 2>&1", "r");
480	55eb9c44	--global	$pwread = fgets($fd);
481			pclose($fd);
482	9fd14591	jim-p	$userattrs = explode(":", trim($pwread));
483	55eb9c44	--global
484			/* determine add or mod */
485	9fd14591	jim-p	if (($userattrs[0] != $user['name']) \|\| (!strncmp($pwread, "pw:", 3))) {
486	4b49a8a9	jim-p	$user_op = "useradd -m -k /etc/skel -o";
487	38564fde	smos	} else {
488	55eb9c44	--global	$user_op = "usermod";
489	38564fde	smos	}
490	55eb9c44	--global
491	1e0b1727	Phil Davis	$comment = str_replace(array(":", "!", "@"), " ", $user['descr']);
492	55eb9c44	--global	/* add or mod pw db */
493			$cmd = "/usr/sbin/pw {$user_op} -q -u {$user_uid} -n {$user_name}".
494	eb72845c	jim-p	" -g {$user_group} -s {$user_shell} -d {$user_home}".
495	1cb94b24	Ermal	" -c ".escapeshellarg($comment)." -H 0 2>&1";
496	55eb9c44	--global
497	1e0b1727	Phil Davis	if ($debug) {
498	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("Running: %s"), $cmd));
499	1e0b1727	Phil Davis	}
500	55eb9c44	--global	$fd = popen($cmd, "w");
501			fwrite($fd, $user['password']);
502			pclose($fd);
503
504			/* create user directory if required */
505			if (!is_dir($user_home)) {
506			mkdir($user_home, 0700);
507	ee4fc984	Ermal	mwexec("/bin/cp /root/.* {$home_base}/", true);
508	55eb9c44	--global	}
509	23c652cd	Ermal	@chown($user_home, $user_name);
510			@chgrp($user_home, $user_group);
511	55eb9c44	--global
512			/* write out ssh authorized key file */
513	1e0b1727	Phil Davis	if ($user['authorizedkeys']) {
514	a2286360	Ermal Lu?i	if (!is_dir("{$user_home}/.ssh")) {
515	23c652cd	Ermal	@mkdir("{$user_home}/.ssh", 0700);
516			@chown("{$user_home}/.ssh", $user_name);
517	a2286360	Ermal Lu?i	}
518			$keys = base64_decode($user['authorizedkeys']);
519	23c652cd	Ermal	@file_put_contents("{$user_home}/.ssh/authorized_keys", $keys);
520			@chown("{$user_home}/.ssh/authorized_keys", $user_name);
521	1e0b1727	Phil Davis	} else {
522	cdab65cc	Erik Fonnesbeck	unlink_if_exists("{$user_home}/.ssh/authorized_keys");
523	1e0b1727	Phil Davis	}
524	df8d74de	jim-p
525			$un = $lock_account ? "" : "un";
526	7ac98d0b	Erik Fonnesbeck	exec("/usr/sbin/pw {$un}lock {$user_name} -q");
527	1e0b1727	Phil Davis
528	2bb07efc	Scott Ullrich	conf_mount_ro();
529	55eb9c44	--global	}
530
531			function local_user_del($user) {
532			global $debug;
533	2bb07efc	Scott Ullrich
534	55eb9c44	--global	/* remove all memberships */
535	019e6c3f	jim-p	local_user_set_groups($user);
536	55eb9c44	--global
537	a39675ec	jim-p	/* Don't remove /root */
538	1e0b1727	Phil Davis	if ($user['uid'] != 0) {
539	a39675ec	jim-p	$rmhome = "-r";
540	1e0b1727	Phil Davis	}
541	a39675ec	jim-p
542	9fd14591	jim-p	/* read from pw db */
543			$fd = popen("/usr/sbin/pw usershow -n {$user['name']} 2>&1", "r");
544			$pwread = fgets($fd);
545			pclose($fd);
546			$userattrs = explode(":", trim($pwread));
547
548			if ($userattrs[0] != $user['name']) {
549			log_error("Tried to remove user {$user['name']} but got user {$userattrs[0]} instead. Bailing.");
550			return;
551			}
552
553	55eb9c44	--global	/* delete from pw db */
554	9fd14591	jim-p	$cmd = "/usr/sbin/pw userdel -n {$user['name']} {$rmhome}";
555	55eb9c44	--global
556	1e0b1727	Phil Davis	if ($debug) {
557	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("Running: %s"), $cmd));
558	1e0b1727	Phil Davis	}
559	0914b6bb	Ermal	mwexec($cmd);
560	2bb07efc	Scott Ullrich
561	0914b6bb	Ermal	/* Delete user from groups needs a call to write_config() */
562			local_group_del_user($user);
563	55eb9c44	--global	}
564
565			function local_user_set_password(& $user, $password) {
566
567			$user['password'] = crypt($password);
568			$user['md5-hash'] = md5($password);
569
570			// Converts ascii to unicode.
571			$astr = (string) $password;
572			$ustr = '';
573			for ($i = 0; $i < strlen($astr); $i++) {
574			$a = ord($astr{$i}) << 8;
575			$ustr.= sprintf("%X", $a);
576			}
577
578			// Generate the NT-HASH from the unicode string
579	1e0b1727	Phil Davis	$user['nt-hash'] = bin2hex(hash("md4", $ustr));
580	55eb9c44	--global	}
581
582			function local_user_get_groups($user, $all = false) {
583			global $debug, $config;
584
585			$groups = array();
586	1e0b1727	Phil Davis	if (!is_array($config['system']['group'])) {
587	55eb9c44	--global	return $groups;
588	1e0b1727	Phil Davis	}
589	55eb9c44	--global
590	1e0b1727	Phil Davis	foreach ($config['system']['group'] as $group) {
591			if ( $all \|\| ( !$all && ($group['name'] != "all"))) {
592			if (is_array($group['member'])) {
593			if (in_array($user['uid'], $group['member'])) {
594	55eb9c44	--global	$groups[] = $group['name'];
595	1e0b1727	Phil Davis	}
596			}
597			}
598			}
599	55eb9c44	--global
600	1e0b1727	Phil Davis	if ($all) {
601	b0c231e4	jim-p	$groups[] = "all";
602	1e0b1727	Phil Davis	}
603	b0c231e4	jim-p
604	55eb9c44	--global	sort($groups);
605
606			return $groups;
607	1e0b1727	Phil Davis
608	55eb9c44	--global	}
609
610			function local_user_set_groups($user, $new_groups = NULL ) {
611			global $debug, $config, $groupindex;
612
613	1e0b1727	Phil Davis	if (!is_array($config['system']['group'])) {
614	55eb9c44	--global	return;
615	1e0b1727	Phil Davis	}
616	55eb9c44	--global
617	739c78ac	jim-p	$cur_groups = local_user_get_groups($user, true);
618	55eb9c44	--global	$mod_groups = array();
619
620	1e0b1727	Phil Davis	if (!is_array($new_groups)) {
621	55eb9c44	--global	$new_groups = array();
622	1e0b1727	Phil Davis	}
623	55eb9c44	--global
624	1e0b1727	Phil Davis	if (!is_array($cur_groups)) {
625	55eb9c44	--global	$cur_groups = array();
626	1e0b1727	Phil Davis	}
627	55eb9c44	--global
628			/* determine which memberships to add */
629			foreach ($new_groups as $groupname) {
630	1e0b1727	Phil Davis	if ($groupname == '' \|\| in_array($groupname,$cur_groups)) {
631	55eb9c44	--global	continue;
632	1e0b1727	Phil Davis	}
633	55eb9c44	--global	$group = & $config['system']['group'][$groupindex[$groupname]];
634			$group['member'][] = $user['uid'];
635			$mod_groups[] = $group;
636			}
637	9ae11a62	Scott Ullrich	unset($group);
638	55eb9c44	--global
639			/* determine which memberships to remove */
640			foreach ($cur_groups as $groupname) {
641	1e0b1727	Phil Davis	if (in_array($groupname,$new_groups)) {
642	e879fc81	Ermal	continue;
643	1e0b1727	Phil Davis	}
644			if (!isset($config['system']['group'][$groupindex[$groupname]])) {
645	25fec9b3	jim-p	continue;
646	1e0b1727	Phil Davis	}
647	55eb9c44	--global	$group = & $config['system']['group'][$groupindex[$groupname]];
648	7b5c56ea	jim-p	if (is_array($group['member'])) {
649			$index = array_search($user['uid'], $group['member']);
650			array_splice($group['member'], $index, 1);
651			$mod_groups[] = $group;
652			}
653	55eb9c44	--global	}
654	9ae11a62	Scott Ullrich	unset($group);
655	55eb9c44	--global
656			/* sync all modified groups */
657	1e0b1727	Phil Davis	foreach ($mod_groups as $group) {
658	55eb9c44	--global	local_group_set($group);
659	1e0b1727	Phil Davis	}
660	55eb9c44	--global	}
661
662	0914b6bb	Ermal	function local_group_del_user($user) {
663			global $config;
664
665	1e0b1727	Phil Davis	if (!is_array($config['system']['group'])) {
666			return;
667			}
668	0914b6bb	Ermal
669	1e0b1727	Phil Davis	foreach ($config['system']['group'] as $group) {
670	0914b6bb	Ermal	if (is_array($group['member'])) {
671			foreach ($group['member'] as $idx => $uid) {
672	1e0b1727	Phil Davis	if ($user['uid'] == $uid) {
673	0914b6bb	Ermal	unset($config['system']['group']['member'][$idx]);
674	1e0b1727	Phil Davis	}
675	0914b6bb	Ermal	}
676			}
677			}
678			}
679
680	55eb9c44	--global	function local_group_set($group, $reset = false) {
681			global $debug;
682
683			$group_name = $group['name'];
684			$group_gid = $group['gid'];
685	baca968c	Ermal	$group_members = '';
686	1e0b1727	Phil Davis	if (!$reset && !empty($group['member']) && count($group['member']) > 0) {
687	55eb9c44	--global	$group_members = implode(",",$group['member']);
688	1e0b1727	Phil Davis	}
689	55eb9c44	--global
690	1e0b1727	Phil Davis	if (empty($group_name)) {
691	baca968c	Ermal	return;
692	1e0b1727	Phil Davis	}
693	baca968c	Ermal
694	55eb9c44	--global	/* read from group db */
695			$fd = popen("/usr/sbin/pw groupshow {$group_name} 2>&1", "r");
696			$pwread = fgets($fd);
697			pclose($fd);
698
699			/* determine add or mod */
700	1e0b1727	Phil Davis	if (!strncmp($pwread, "pw:", 3)) {
701	55eb9c44	--global	$group_op = "groupadd";
702	1e0b1727	Phil Davis	} else {
703	55eb9c44	--global	$group_op = "groupmod";
704	1e0b1727	Phil Davis	}
705	55eb9c44	--global
706			/* add or mod group db */
707	224b4208	Renato Botelho	$cmd = "/usr/sbin/pw {$group_op} {$group_name} -g {$group_gid} -M '{$group_members}' 2>&1";
708	55eb9c44	--global
709	1e0b1727	Phil Davis	if ($debug) {
710	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("Running: %s"), $cmd));
711	1e0b1727	Phil Davis	}
712	0914b6bb	Ermal	mwexec($cmd);
713	55eb9c44	--global
714			}
715
716			function local_group_del($group) {
717			global $debug;
718
719			/* delete from group db */
720			$cmd = "/usr/sbin/pw groupdel {$group['name']}";
721
722	1e0b1727	Phil Davis	if ($debug) {
723	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("Running: %s"), $cmd));
724	1e0b1727	Phil Davis	}
725	0914b6bb	Ermal	mwexec($cmd);
726	55eb9c44	--global	}
727
728	6306b5dd	Ermal Lu?i	function ldap_test_connection($authcfg) {
729	55eb9c44	--global	global $debug, $config, $g;
730
731	c61e4626	Ermal Lu?i	if ($authcfg) {
732	1e0b1727	Phil Davis	if (strstr($authcfg['ldap_urltype'], "Standard")) {
733			$ldapproto = "ldap";
734			} else {
735			$ldapproto = "ldaps";
736			}
737			$ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
738			$ldapport = $authcfg['ldap_port'];
739			if (!empty($ldapport)) {
740	9f27de6d	jim-p	$ldapserver .= ":{$ldapport}";
741	1e0b1727	Phil Davis	}
742			$ldapbasedn = $authcfg['ldap_basedn'];
743			$ldapbindun = $authcfg['ldap_binddn'];
744			$ldapbindpw = $authcfg['ldap_bindpw'];
745			} else {
746	6306b5dd	Ermal Lu?i	return false;
747	1e0b1727	Phil Davis	}
748	55eb9c44	--global
749	1e0b1727	Phil Davis	/* first check if there is even an LDAP server populated */
750			if ( !$ldapserver) {
751			return false;
752			}
753	c61e4626	Ermal Lu?i
754	1e0b1727	Phil Davis	/* Setup CA environment if needed. */
755			ldap_setup_caenv($authcfg);
756	fe2031ab	Ermal
757	1e0b1727	Phil Davis	/* connect and see if server is up */
758			$error = false;
759			if (!($ldap = ldap_connect($ldapserver))) {
760	9f27de6d	jim-p	$error = true;
761	1e0b1727	Phil Davis	}
762	c61e4626	Ermal Lu?i
763	1e0b1727	Phil Davis	if ($error == true) {
764			log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname));
765			return false;
766			}
767	55eb9c44	--global
768			return true;
769			}
770
771	fe2031ab	Ermal	function ldap_setup_caenv($authcfg) {
772			global $g;
773	007e59d2	jim-p	require_once("certs.inc");
774	fe2031ab	Ermal
775			unset($caref);
776	a7702ed5	Ermal	if (empty($authcfg['ldap_caref']) \|\| !strstr($authcfg['ldap_urltype'], "SSL")) {
777	fe2031ab	Ermal	putenv('LDAPTLS_REQCERT=never');
778			return;
779			} else {
780	a7702ed5	Ermal	$caref = lookup_ca($authcfg['ldap_caref']);
781	fe2031ab	Ermal	if (!$caref) {
782	a7702ed5	Ermal	log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_caref']));
783	fe2031ab	Ermal	/* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */
784			putenv('LDAPTLS_REQCERT=hard');
785			return;
786			}
787	1e0b1727	Phil Davis	if (!is_dir("{$g['varrun_path']}/certs")) {
788	fe2031ab	Ermal	@mkdir("{$g['varrun_path']}/certs");
789	1e0b1727	Phil Davis	}
790			if (file_exists("{$g['varrun_path']}/certs/{$caref['refid']}.ca")) {
791	b2a0a8e9	jim-p	@unlink("{$g['varrun_path']}/certs/{$caref['refid']}.ca");
792	1e0b1727	Phil Davis	}
793	b2a0a8e9	jim-p	file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", base64_decode($caref['crt']));
794			@chmod("{$g['varrun_path']}/certs/{$caref['refid']}.ca", 0600);
795	fe2031ab	Ermal	putenv('LDAPTLS_REQCERT=hard');
796			/* XXX: Probably even the hashed link should be created for this? */
797	906daddc	Ermal	putenv("LDAPTLS_CACERTDIR={$g['varrun_path']}/certs");
798	b2a0a8e9	jim-p	putenv("LDAPTLS_CACERT={$g['varrun_path']}/certs/{$caref['refid']}.ca");
799	fe2031ab	Ermal	}
800			}
801
802	6306b5dd	Ermal Lu?i	function ldap_test_bind($authcfg) {
803	55eb9c44	--global	global $debug, $config, $g;
804
805	c61e4626	Ermal Lu?i	if ($authcfg) {
806	1e0b1727	Phil Davis	if (strstr($authcfg['ldap_urltype'], "Standard")) {
807			$ldapproto = "ldap";
808			} else {
809			$ldapproto = "ldaps";
810			}
811			$ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
812			$ldapport = $authcfg['ldap_port'];
813			if (!empty($ldapport)) {
814	9f27de6d	jim-p	$ldapserver .= ":{$ldapport}";
815	1e0b1727	Phil Davis	}
816			$ldapbasedn = $authcfg['ldap_basedn'];
817			$ldapbindun = $authcfg['ldap_binddn'];
818			$ldapbindpw = $authcfg['ldap_bindpw'];
819			$ldapver = $authcfg['ldap_protver'];
820			if (empty($ldapbndun) \|\| empty($ldapbindpw)) {
821			$ldapanon = true;
822			} else {
823			$ldapanon = false;
824			}
825			} else {
826	6306b5dd	Ermal Lu?i	return false;
827	1e0b1727	Phil Davis	}
828	c61e4626	Ermal Lu?i
829			/* first check if there is even an LDAP server populated */
830	1e0b1727	Phil Davis	if (!$ldapserver) {
831			return false;
832			}
833	c61e4626	Ermal Lu?i
834	fe2031ab	Ermal	/* Setup CA environment if needed. */
835			ldap_setup_caenv($authcfg);
836
837	1e0b1727	Phil Davis	/* connect and see if server is up */
838			$error = false;
839			if (!($ldap = ldap_connect($ldapserver))) {
840	9f27de6d	jim-p	$error = true;
841	1e0b1727	Phil Davis	}
842	c61e4626	Ermal Lu?i
843	1e0b1727	Phil Davis	if ($error == true) {
844			log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname));
845			return false;
846			}
847	55eb9c44	--global
848			ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
849	3d3081ec	Andrew MacIsaac	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
850	c61e4626	Ermal Lu?i	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
851	1e0b1727	Phil Davis
852	a5cd1c5a	jim-p	$ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
853			$ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
854	c61e4626	Ermal Lu?i	if ($ldapanon == true) {
855	6306b5dd	Ermal Lu?i	if (!($res = @ldap_bind($ldap))) {
856			@ldap_close($ldap);
857	c61e4626	Ermal Lu?i	return false;
858	6306b5dd	Ermal Lu?i	}
859			} else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
860			@ldap_close($ldap);
861	55eb9c44	--global	return false;
862	6306b5dd	Ermal Lu?i	}
863	55eb9c44	--global
864	6306b5dd	Ermal Lu?i	@ldap_unbind($ldap);
865	c61e4626	Ermal Lu?i
866	55eb9c44	--global	return true;
867			}
868
869	6306b5dd	Ermal Lu?i	function ldap_get_user_ous($show_complete_ou=true, $authcfg) {
870	55eb9c44	--global	global $debug, $config, $g;
871
872	1e0b1727	Phil Davis	if (!function_exists("ldap_connect")) {
873	55eb9c44	--global	return;
874	1e0b1727	Phil Davis	}
875	55eb9c44	--global
876	7a938f1b	Ermal	$ous = array();
877
878	c61e4626	Ermal Lu?i	if ($authcfg) {
879	1e0b1727	Phil Davis	if (strstr($authcfg['ldap_urltype'], "Standard")) {
880			$ldapproto = "ldap";
881			} else {
882			$ldapproto = "ldaps";
883			}
884			$ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
885			$ldapport = $authcfg['ldap_port'];
886			if (!empty($ldapport)) {
887	9f27de6d	jim-p	$ldapserver .= ":{$ldapport}";
888	1e0b1727	Phil Davis	}
889			$ldapbasedn = $authcfg['ldap_basedn'];
890			$ldapbindun = $authcfg['ldap_binddn'];
891			$ldapbindpw = $authcfg['ldap_bindpw'];
892			$ldapver = $authcfg['ldap_protver'];
893			if (empty($ldapbindun) \|\| empty($ldapbindpw)) {
894			$ldapanon = true;
895			} else {
896			$ldapanon = false;
897			}
898			$ldapname = $authcfg['name'];
899			$ldapfallback = false;
900			$ldapscope = $authcfg['ldap_scope'];
901			} else {
902	6306b5dd	Ermal Lu?i	return false;
903	1e0b1727	Phil Davis	}
904	55eb9c44	--global
905	1e0b1727	Phil Davis	/* first check if there is even an LDAP server populated */
906			if (!$ldapserver) {
907			log_error(gettext("ERROR! ldap_get_user_ous() backed selected with no LDAP authentication server defined."));
908			return $ous;
909			}
910	c61e4626	Ermal Lu?i
911	fe2031ab	Ermal	/* Setup CA environment if needed. */
912			ldap_setup_caenv($authcfg);
913
914	c61e4626	Ermal Lu?i	/* connect and see if server is up */
915	1e0b1727	Phil Davis	$error = false;
916			if (!($ldap = ldap_connect($ldapserver))) {
917	9f27de6d	jim-p	$error = true;
918	1e0b1727	Phil Davis	}
919	c61e4626	Ermal Lu?i
920	1e0b1727	Phil Davis	if ($error == true) {
921			log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname));
922			return $ous;
923			}
924	c61e4626	Ermal Lu?i
925			$ldapfilter = "(\|(ou=*)(cn=Users))";
926	55eb9c44	--global
927			ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
928	3d3081ec	Andrew MacIsaac	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
929	c61e4626	Ermal Lu?i	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
930	55eb9c44	--global
931	a5cd1c5a	jim-p	$ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
932			$ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
933	c61e4626	Ermal Lu?i	if ($ldapanon == true) {
934	1e0b1727	Phil Davis	if (!($res = @ldap_bind($ldap))) {
935	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not bind anonymously to server %s."), $ldapname));
936	6306b5dd	Ermal Lu?i	@ldap_close($ldap);
937	1e0b1727	Phil Davis	return $ous;
938	c61e4626	Ermal Lu?i	}
939			} else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
940	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not bind to server %s."), $ldapname));
941	6306b5dd	Ermal Lu?i	@ldap_close($ldap);
942	c61e4626	Ermal Lu?i	return $ous;
943	55eb9c44	--global	}
944
945	1e0b1727	Phil Davis	if ($ldapscope == "one") {
946	c61e4626	Ermal Lu?i	$ldapfunc = "ldap_list";
947	1e0b1727	Phil Davis	} else {
948	c61e4626	Ermal Lu?i	$ldapfunc = "ldap_search";
949	1e0b1727	Phil Davis	}
950	55eb9c44	--global
951	7a938f1b	Ermal	$search = @$ldapfunc($ldap, $ldapbasedn, $ldapfilter);
952			$info = @ldap_get_entries($ldap, $search);
953	55eb9c44	--global
954			if (is_array($info)) {
955			foreach ($info as $inf) {
956			if (!$show_complete_ou) {
957	cfbfd941	smos	$inf_split = explode(",", $inf['dn']);
958	55eb9c44	--global	$ou = $inf_split[0];
959			$ou = str_replace("OU=","", $ou);
960	c61e4626	Ermal Lu?i	$ou = str_replace("CN=","", $ou);
961	1e0b1727	Phil Davis	} else {
962			if ($inf['dn']) {
963	55eb9c44	--global	$ou = $inf['dn'];
964	1e0b1727	Phil Davis	}
965			}
966			if ($ou) {
967	55eb9c44	--global	$ous[] = $ou;
968	1e0b1727	Phil Davis	}
969	55eb9c44	--global	}
970			}
971
972	6306b5dd	Ermal Lu?i	@ldap_unbind($ldap);
973
974	55eb9c44	--global	return $ous;
975			}
976
977	6306b5dd	Ermal Lu?i	function ldap_get_groups($username, $authcfg) {
978	55eb9c44	--global	global $debug, $config;
979	1e0b1727	Phil Davis
980			if (!function_exists("ldap_connect")) {
981	55eb9c44	--global	return;
982	1e0b1727	Phil Davis	}
983
984			if (!$username) {
985	55eb9c44	--global	return false;
986	1e0b1727	Phil Davis	}
987	55eb9c44	--global
988	1e0b1727	Phil Davis	if (!isset($authcfg['ldap_nostrip_at']) && stristr($username, "@")) {
989	2ce660ad	smos	$username_split = explode("@", $username);
990	1e0b1727	Phil Davis	$username = $username_split[0];
991	55eb9c44	--global	}
992
993	1e0b1727	Phil Davis	if (stristr($username, "\\")) {
994	cfbfd941	smos	$username_split = explode("\\", $username);
995	1e0b1727	Phil Davis	$username = $username_split[0];
996			}
997
998	55eb9c44	--global	//log_error("Getting LDAP groups for {$username}.");
999	1e0b1727	Phil Davis	if ($authcfg) {
1000			if (strstr($authcfg['ldap_urltype'], "Standard")) {
1001			$ldapproto = "ldap";
1002			} else {
1003			$ldapproto = "ldaps";
1004			}
1005			$ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
1006			$ldapport = $authcfg['ldap_port'];
1007			if (!empty($ldapport)) {
1008	9f27de6d	jim-p	$ldapserver .= ":{$ldapport}";
1009	1e0b1727	Phil Davis	}
1010			$ldapbasedn = $authcfg['ldap_basedn'];
1011			$ldapbindun = $authcfg['ldap_binddn'];
1012			$ldapbindpw = $authcfg['ldap_bindpw'];
1013			$ldapauthcont = $authcfg['ldap_authcn'];
1014			$ldapnameattribute = strtolower($authcfg['ldap_attr_user']);
1015			$ldapgroupattribute = strtolower($authcfg['ldap_attr_member']);
1016			$ldapfilter = "({$ldapnameattribute}={$username})";
1017			$ldaptype = "";
1018			$ldapver = $authcfg['ldap_protver'];
1019			if (empty($ldapbindun) \|\| empty($ldapbindpw)) {
1020			$ldapanon = true;
1021			} else {
1022			$ldapanon = false;
1023			}
1024			$ldapname = $authcfg['name'];
1025			$ldapfallback = false;
1026			$ldapscope = $authcfg['ldap_scope'];
1027			} else {
1028	6306b5dd	Ermal Lu?i	return false;
1029	1e0b1727	Phil Davis	}
1030	c61e4626	Ermal Lu?i
1031	1e0b1727	Phil Davis	$ldapdn = $_SESSION['ldapdn'];
1032	c61e4626	Ermal Lu?i
1033	55eb9c44	--global	/Convert attribute to lowercase. php ldap arrays put everything in lowercase /
1034			$ldapgroupattribute = strtolower($ldapgroupattribute);
1035	c61e4626	Ermal Lu?i	$memberof = array();
1036	55eb9c44	--global
1037	1e0b1727	Phil Davis	/* Setup CA environment if needed. */
1038			ldap_setup_caenv($authcfg);
1039	fe2031ab	Ermal
1040	55eb9c44	--global	/* connect and see if server is up */
1041	c61e4626	Ermal Lu?i	$error = false;
1042	1e0b1727	Phil Davis	if (!($ldap = ldap_connect($ldapserver))) {
1043	9f27de6d	jim-p	$error = true;
1044	1e0b1727	Phil Davis	}
1045	c61e4626	Ermal Lu?i
1046			if ($error == true) {
1047	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("ERROR! ldap_get_groups() Could not connect to server %s."), $ldapname));
1048	1e0b1727	Phil Davis	return memberof;
1049			}
1050
1051	55eb9c44	--global	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
1052	3d3081ec	Andrew MacIsaac	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
1053	c61e4626	Ermal Lu?i	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
1054	55eb9c44	--global
1055			/* bind as user that has rights to read group attributes */
1056	a5cd1c5a	jim-p	$ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
1057			$ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
1058	c61e4626	Ermal Lu?i	if ($ldapanon == true) {
1059	1e0b1727	Phil Davis	if (!($res = @ldap_bind($ldap))) {
1060	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("ERROR! ldap_get_groups() could not bind anonymously to server %s."), $ldapname));
1061	6306b5dd	Ermal Lu?i	@ldap_close($ldap);
1062	1e0b1727	Phil Davis	return false;
1063	6306b5dd	Ermal Lu?i	}
1064	c61e4626	Ermal Lu?i	} else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
1065	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("ERROR! ldap_get_groups() could not bind to server %s."), $ldapname));
1066	6306b5dd	Ermal Lu?i	@ldap_close($ldap);
1067	c61e4626	Ermal Lu?i	return memberof;
1068	55eb9c44	--global	}
1069
1070			/* get groups from DN found */
1071			/* use ldap_read instead of search so we don't have to do a bunch of extra work */
1072			/* since we know the DN is in $_SESSION['ldapdn'] */
1073			//$search = ldap_read($ldap, $ldapdn, "(objectclass=*)", array($ldapgroupattribute));
1074	1e0b1727	Phil Davis	if ($ldapscope == "one") {
1075			$ldapfunc = "ldap_list";
1076			} else {
1077			$ldapfunc = "ldap_search";
1078			}
1079
1080			$search = @$ldapfunc($ldap, $ldapdn, $ldapfilter, array($ldapgroupattribute));
1081			$info = @ldap_get_entries($ldap, $search);
1082	c61e4626	Ermal Lu?i
1083	1e0b1727	Phil Davis	$countem = $info["count"];
1084	55eb9c44	--global
1085	1e0b1727	Phil Davis	if (is_array($info[0][$ldapgroupattribute])) {
1086	55eb9c44	--global	/* Iterate through the groups and throw them into an array */
1087			foreach ($info[0][$ldapgroupattribute] as $member) {
1088			if (stristr($member, "CN=") !== false) {
1089	cfbfd941	smos	$membersplit = explode(",", $member);
1090	55eb9c44	--global	$memberof[] = preg_replace("/CN=/i", "", $membersplit[0]);
1091			}
1092			}
1093			}
1094	1e0b1727	Phil Davis
1095	55eb9c44	--global	/* Time to close LDAP connection */
1096	6306b5dd	Ermal Lu?i	@ldap_unbind($ldap);
1097	1e0b1727	Phil Davis
1098	55eb9c44	--global	$groups = print_r($memberof,true);
1099	1e0b1727	Phil Davis
1100	55eb9c44	--global	//log_error("Returning groups ".$groups." for user $username");
1101	1e0b1727	Phil Davis
1102	55eb9c44	--global	return $memberof;
1103			}
1104
1105	83e0d4c8	jim-p	function ldap_format_host($host) {
1106			return is_ipaddrv6($host) ? "[$host]" : $host ;
1107			}
1108
1109	6306b5dd	Ermal Lu?i	function ldap_backed($username, $passwd, $authcfg) {
1110	55eb9c44	--global	global $debug, $config;
1111	1e0b1727	Phil Davis
1112			if (!$username) {
1113	55eb9c44	--global	return;
1114	1e0b1727	Phil Davis	}
1115	55eb9c44	--global
1116	1e0b1727	Phil Davis	if (!function_exists("ldap_connect")) {
1117	55eb9c44	--global	return;
1118	1e0b1727	Phil Davis	}
1119	55eb9c44	--global
1120	1e0b1727	Phil Davis	if (!isset($authcfg['ldap_nostrip_at']) && stristr($username, "@")) {
1121	2ce660ad	smos	$username_split = explode("@", $username);
1122	1e0b1727	Phil Davis	$username = $username_split[0];
1123	55eb9c44	--global	}
1124	1e0b1727	Phil Davis	if (stristr($username, "\\")) {
1125	cfbfd941	smos	$username_split = explode("\\", $username);
1126	1e0b1727	Phil Davis	$username = $username_split[0];
1127	55eb9c44	--global	}
1128
1129	c61e4626	Ermal Lu?i	if ($authcfg) {
1130	1e0b1727	Phil Davis	if (strstr($authcfg['ldap_urltype'], "Standard")) {
1131	c61e4626	Ermal Lu?i	$ldapproto = "ldap";
1132	1e0b1727	Phil Davis	} else {
1133	c61e4626	Ermal Lu?i	$ldapproto = "ldaps";
1134	1e0b1727	Phil Davis	}
1135			$ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
1136			$ldapport = $authcfg['ldap_port'];
1137			if (!empty($ldapport)) {
1138	9f27de6d	jim-p	$ldapserver .= ":{$ldapport}";
1139	1e0b1727	Phil Davis	}
1140			$ldapbasedn = $authcfg['ldap_basedn'];
1141			$ldapbindun = $authcfg['ldap_binddn'];
1142			$ldapbindpw = $authcfg['ldap_bindpw'];
1143			if (empty($ldapbindun) \|\| empty($ldapbindpw)) {
1144	c61e4626	Ermal Lu?i	$ldapanon = true;
1145	1e0b1727	Phil Davis	} else {
1146	c61e4626	Ermal Lu?i	$ldapanon = false;
1147	1e0b1727	Phil Davis	}
1148			$ldapauthcont = $authcfg['ldap_authcn'];
1149			$ldapnameattribute = strtolower($authcfg['ldap_attr_user']);
1150			$ldapextendedqueryenabled = $authcfg['ldap_extended_enabled'];
1151			$ldapextendedquery = $authcfg['ldap_extended_query'];
1152			$ldapfilter = "";
1153			if (!$ldapextendedqueryenabled) {
1154			$ldapfilter = "({$ldapnameattribute}={$username})";
1155			} else {
1156			$ldapfilter = "(&({$ldapnameattribute}={$username})({$ldapextendedquery}))";
1157			}
1158			$ldaptype = "";
1159			$ldapver = $authcfg['ldap_protver'];
1160			$ldapname = $authcfg['name'];
1161			$ldapscope = $authcfg['ldap_scope'];
1162			} else {
1163	6306b5dd	Ermal Lu?i	return false;
1164	1e0b1727	Phil Davis	}
1165	55eb9c44	--global
1166	1e0b1727	Phil Davis	/* first check if there is even an LDAP server populated */
1167			if (!$ldapserver) {
1168	c61e4626	Ermal Lu?i	if ($ldapfallback) {
1169	94021404	Carlos Eduardo Ramos	log_error(gettext("ERROR! ldap_backed() called with no LDAP authentication server defined. Defaulting to local user database. Visit System -> User Manager."));
1170	c61e4626	Ermal Lu?i	return local_backed($username, $passwd);
1171	1e0b1727	Phil Davis	} else {
1172	94021404	Carlos Eduardo Ramos	log_error(gettext("ERROR! ldap_backed() called with no LDAP authentication server defined."));
1173	1e0b1727	Phil Davis	}
1174	c61e4626	Ermal Lu?i
1175			return false;
1176	55eb9c44	--global	}
1177	1e0b1727	Phil Davis
1178			/* Setup CA environment if needed. */
1179			ldap_setup_caenv($authcfg);
1180	fe2031ab	Ermal
1181	906daddc	Ermal	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
1182	3d3081ec	Andrew MacIsaac	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
1183	906daddc	Ermal	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
1184
1185	55eb9c44	--global	/* Make sure we can connect to LDAP */
1186	c61e4626	Ermal Lu?i	$error = false;
1187	1e0b1727	Phil Davis	if (!($ldap = ldap_connect($ldapserver))) {
1188	c61e4626	Ermal Lu?i	$error = true;
1189	1e0b1727	Phil Davis	}
1190	c61e4626	Ermal Lu?i
1191			if ($error == true) {
1192	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname));
1193	c61e4626	Ermal Lu?i	return false;
1194	55eb9c44	--global	}
1195	c61e4626	Ermal Lu?i
1196	55eb9c44	--global	/* ok, its up. now, lets bind as the bind user so we can search it */
1197	c61e4626	Ermal Lu?i	$error = false;
1198	a5cd1c5a	jim-p	$ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
1199			$ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
1200	c61e4626	Ermal Lu?i	if ($ldapanon == true) {
1201	1e0b1727	Phil Davis	if (!($res = @ldap_bind($ldap))) {
1202			$error = true;
1203			}
1204			} else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
1205	c61e4626	Ermal Lu?i	$error = true;
1206	1e0b1727	Phil Davis	}
1207	c61e4626	Ermal Lu?i
1208			if ($error == true) {
1209	6306b5dd	Ermal Lu?i	@ldap_close($ldap);
1210	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("ERROR! Could not bind to server %s."), $ldapname));
1211	c61e4626	Ermal Lu?i	return false;
1212	55eb9c44	--global	}
1213	1e0b1727	Phil Davis
1214	55eb9c44	--global	/* Get LDAP Authcontainers and split em up. */
1215	cfbfd941	smos	$ldac_splits = explode(";", $ldapauthcont);
1216	1e0b1727	Phil Davis
1217	55eb9c44	--global	/* setup the usercount so we think we havn't found anyone yet */
1218			$usercount = 0;
1219
1220			/*****************************************************************/
1221			/* We First find the user based on username and filter */
1222	1e0b1727	Phil Davis	/* Then, once we find the first occurrence of that person */
1223			/* We set session variables to point to the OU and DN of the */
1224	55eb9c44	--global	/* Person. To later be used by ldap_get_groups. */
1225			/* that way we don't have to search twice. */
1226			/*****************************************************************/
1227	1e0b1727	Phil Davis	if ($debug) {
1228	3ac8324f	Ermal	log_auth(sprintf(gettext("Now Searching for %s in directory."), $username));
1229	1e0b1727	Phil Davis	}
1230	c61e4626	Ermal Lu?i	/* Iterate through the user containers for search */
1231			foreach ($ldac_splits as $i => $ldac_split) {
1232	a5cd1c5a	jim-p	$ldac_split = isset($authcfg['ldap_utf8']) ? utf8_encode($ldac_split) : $ldac_split;
1233			$ldapfilter = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapfilter) : $ldapfilter;
1234			$ldapsearchbasedn = isset($authcfg['ldap_utf8']) ? utf8_encode("{$ldac_split},{$ldapbasedn}") : "{$ldac_split},{$ldapbasedn}";
1235	c61e4626	Ermal Lu?i	/* Make sure we just use the first user we find */
1236	1e0b1727	Phil Davis	if ($debug) {
1237	a5cd1c5a	jim-p	log_auth(sprintf(gettext('Now Searching in server %1$s, container %2$s with filter %3$s.'), $ldapname, utf8_decode($ldac_split), utf8_decode($ldapfilter)));
1238	1e0b1727	Phil Davis	}
1239			if ($ldapscope == "one") {
1240	c61e4626	Ermal Lu?i	$ldapfunc = "ldap_list";
1241	1e0b1727	Phil Davis	} else {
1242	c61e4626	Ermal Lu?i	$ldapfunc = "ldap_search";
1243	1e0b1727	Phil Davis	}
1244	c61e4626	Ermal Lu?i	/* Support legacy auth container specification. */
1245	1e0b1727	Phil Davis	if (stristr($ldac_split, "DC=") \|\| empty($ldapbasedn)) {
1246	9ae11a62	Scott Ullrich	$search = @$ldapfunc($ldap,$ldac_split,$ldapfilter);
1247	1e0b1727	Phil Davis	} else {
1248	a5cd1c5a	jim-p	$search = @$ldapfunc($ldap,$ldapsearchbasedn,$ldapfilter);
1249	1e0b1727	Phil Davis	}
1250	c61e4626	Ermal Lu?i	if (!$search) {
1251	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("Search resulted in error: %s"), ldap_error($ldap)));
1252	c61e4626	Ermal Lu?i	continue;
1253	55eb9c44	--global	}
1254	1e0b1727	Phil Davis	$info = ldap_get_entries($ldap,$search);
1255	c61e4626	Ermal Lu?i	$matches = $info['count'];
1256	1e0b1727	Phil Davis	if ($matches == 1) {
1257	c61e4626	Ermal Lu?i	$userdn = $_SESSION['ldapdn'] = $info[0]['dn'];
1258			$_SESSION['ldapou'] = $ldac_split[$i];
1259			$_SESSION['ldapon'] = "true";
1260			$usercount = 1;
1261			break;
1262	55eb9c44	--global	}
1263			}
1264
1265	1e0b1727	Phil Davis	if ($usercount != 1) {
1266	6306b5dd	Ermal Lu?i	@ldap_unbind($ldap);
1267	94021404	Carlos Eduardo Ramos	log_error(gettext("ERROR! Either LDAP search failed, or multiple users were found."));
1268	1e0b1727	Phil Davis	return false;
1269	55eb9c44	--global	}
1270	c61e4626	Ermal Lu?i
1271	55eb9c44	--global	/* Now lets bind as the user we found */
1272	a5cd1c5a	jim-p	$passwd = isset($authcfg['ldap_utf8']) ? utf8_encode($passwd) : $passwd;
1273	c61e4626	Ermal Lu?i	if (!($res = @ldap_bind($ldap, $userdn, $passwd))) {
1274	3697adb2	jim-p	log_error(sprintf(gettext('ERROR! Could not login to server %1$s as user %2$s: %3$s'), $ldapname, $username, ldap_error($ldap)));
1275	6306b5dd	Ermal Lu?i	@ldap_unbind($ldap);
1276	c61e4626	Ermal Lu?i	return false;
1277	55eb9c44	--global	}
1278
1279	a5cd1c5a	jim-p	if ($debug) {
1280			$userdn = isset($authcfg['ldap_utf8']) ? utf8_decode($userdn) : $userdn;
1281	2004def5	Ermal	log_auth(sprintf(gettext('Logged in successfully as %1$s via LDAP server %2$s with DN = %3$s.'), $username, $ldapname, $userdn));
1282	a5cd1c5a	jim-p	}
1283	c61e4626	Ermal Lu?i
1284			/* At this point we are bound to LDAP so the user was auth'd okay. Close connection. */
1285	6306b5dd	Ermal Lu?i	@ldap_unbind($ldap);
1286	55eb9c44	--global
1287			return true;
1288			}
1289
1290	1492e02c	Ermal	function radius_backed($username, $passwd, $authcfg, &$attributes = array()) {
1291	a13ce628	Ermal Lu?i	global $debug, $config;
1292	55eb9c44	--global	$ret = false;
1293
1294	868c6826	Ermal	require_once("radius.inc");
1295
1296	55eb9c44	--global	$rauth = new Auth_RADIUS_PAP($username, $passwd);
1297	c61e4626	Ermal Lu?i	if ($authcfg) {
1298			$radiusservers = array();
1299			$radiusservers[0]['ipaddr'] = $authcfg['host'];
1300			$radiusservers[0]['port'] = $authcfg['radius_auth_port'];
1301			$radiusservers[0]['sharedsecret'] = $authcfg['radius_secret'];
1302	bddd2be8	jim-p	$radiusservers[0]['timeout'] = $authcfg['radius_timeout'];
1303	1e0b1727	Phil Davis	} else {
1304	6306b5dd	Ermal Lu?i	return false;
1305	1e0b1727	Phil Davis	}
1306	c61e4626	Ermal Lu?i
1307	1e0b1727	Phil Davis	/* Add new servers to our instance */
1308	bddd2be8	jim-p	foreach ($radiusservers as $radsrv) {
1309			$timeout = (is_numeric($radsrv['timeout'])) ? $radsrv['timeout'] : 5;
1310			$rauth->addServer($radsrv['ipaddr'], $radsrv['port'], $radsrv['sharedsecret'], $timeout);
1311			}
1312	55eb9c44	--global
1313	6e815096	Ermal	if (PEAR::isError($rauth->start())) {
1314	55eb9c44	--global	$retvalue['auth_val'] = 1;
1315			$retvalue['error'] = $rauth->getError();
1316	1e0b1727	Phil Davis	if ($debug) {
1317	8cd558b6	ayvis	printf(gettext("Radius start: %s<br />\n"), $retvalue['error']);
1318	1e0b1727	Phil Davis	}
1319	55eb9c44	--global	}
1320
1321			// XXX - billm - somewhere in here we need to handle securid challenge/response
1322
1323			/* Send request */
1324			$result = $rauth->send();
1325			if (PEAR::isError($result)) {
1326			$retvalue['auth_val'] = 1;
1327			$retvalue['error'] = $result->getMessage();
1328	1e0b1727	Phil Davis	if ($debug) {
1329	8cd558b6	ayvis	printf(gettext("Radius send failed: %s<br />\n"), $retvalue['error']);
1330	1e0b1727	Phil Davis	}
1331	55eb9c44	--global	} else if ($result === true) {
1332	1e0b1727	Phil Davis	if ($rauth->getAttributes()) {
1333	1492e02c	Ermal	$attributes = $rauth->listAttributes();
1334	1e0b1727	Phil Davis	}
1335	55eb9c44	--global	$retvalue['auth_val'] = 2;
1336	1e0b1727	Phil Davis	if ($debug) {
1337	8cd558b6	ayvis	printf(gettext("Radius Auth succeeded")."<br />\n");
1338	1e0b1727	Phil Davis	}
1339	55eb9c44	--global	$ret = true;
1340			} else {
1341			$retvalue['auth_val'] = 3;
1342	1e0b1727	Phil Davis	if ($debug) {
1343	8cd558b6	ayvis	printf(gettext("Radius Auth rejected")."<br />\n");
1344	1e0b1727	Phil Davis	}
1345	55eb9c44	--global	}
1346
1347			// close OO RADIUS_AUTHENTICATION
1348			$rauth->close();
1349
1350			return $ret;
1351			}
1352
1353	7dd044f2	sullrich	function get_user_expiration_date($username) {
1354	a13ce628	Ermal Lu?i	$user = getUserEntry($username);
1355	1e0b1727	Phil Davis	if ($user['expires']) {
1356	a13ce628	Ermal Lu?i	return $user['expires'];
1357	1e0b1727	Phil Davis	}
1358	a13ce628	Ermal Lu?i	}
1359
1360			function is_account_expired($username) {
1361			$expirydate = get_user_expiration_date($username);
1362			if ($expirydate) {
1363	1e0b1727	Phil Davis	if (strtotime("-1 day") > strtotime(date("m/d/Y",strtotime($expirydate)))) {
1364	a13ce628	Ermal Lu?i	return true;
1365	1e0b1727	Phil Davis	}
1366	7dd044f2	sullrich	}
1367	a13ce628	Ermal Lu?i
1368			return false;
1369	7dd044f2	sullrich	}
1370
1371	b4bfd25d	sullrich	function is_account_disabled($username) {
1372	a13ce628	Ermal Lu?i	$user = getUserEntry($username);
1373	1e0b1727	Phil Davis	if (isset($user['disabled'])) {
1374	a13ce628	Ermal Lu?i	return true;
1375	1e0b1727	Phil Davis	}
1376	a13ce628	Ermal Lu?i
1377	b4bfd25d	sullrich	return false;
1378			}
1379
1380	c61e4626	Ermal Lu?i	function auth_get_authserver($name) {
1381	1e0b1727	Phil Davis	global $config;
1382
1383			if (is_array($config['system']['authserver'])) {
1384			foreach ($config['system']['authserver'] as $authcfg) {
1385			if ($authcfg['name'] == $name) {
1386			return $authcfg;
1387			}
1388			}
1389			}
1390			if ($name == "Local Database") {
1391	96568521	Vinicius Coque	return array("name" => gettext("Local Database"), "type" => "Local Auth", "host" => $config['system']['hostname']);
1392	1e0b1727	Phil Davis	}
1393	6306b5dd	Ermal Lu?i	}
1394
1395			function auth_get_authserver_list() {
1396	1e0b1727	Phil Davis	global $config;
1397	6306b5dd	Ermal Lu?i
1398			$list = array();
1399
1400	1e0b1727	Phil Davis	if (is_array($config['system']['authserver'])) {
1401			foreach ($config['system']['authserver'] as $authcfg) {
1402	6306b5dd	Ermal Lu?i	/* Add support for disabled entries? */
1403			$list[$authcfg['name']] = $authcfg;
1404	1e0b1727	Phil Davis	}
1405			}
1406	6306b5dd	Ermal Lu?i
1407	96568521	Vinicius Coque	$list["Local Database"] = array( "name" => gettext("Local Database"), "type" => "Local Auth", "host" => $config['system']['hostname']);
1408	6306b5dd	Ermal Lu?i	return $list;
1409	c61e4626	Ermal Lu?i	}
1410
1411	fb0f22c0	Ermal Lu?i	function getUserGroups($username, $authcfg) {
1412			global $config;
1413
1414			$allowed_groups = array();
1415
1416	1e0b1727	Phil Davis	switch ($authcfg['type']) {
1417			case 'ldap':
1418			$allowed_groups = @ldap_get_groups($username, $authcfg);
1419			break;
1420			case 'radius':
1421			break;
1422			default:
1423			$user = getUserEntry($username);
1424			$allowed_groups = @local_user_get_groups($user, true);
1425			break;
1426	fb0f22c0	Ermal Lu?i	}
1427
1428			$member_groups = array();
1429	1e0b1727	Phil Davis	if (is_array($config['system']['group'])) {
1430			foreach ($config['system']['group'] as $group) {
1431			if (in_array($group['name'], $allowed_groups)) {
1432	fb0f22c0	Ermal Lu?i	$member_groups[] = $group['name'];
1433	1e0b1727	Phil Davis	}
1434			}
1435	fb0f22c0	Ermal Lu?i	}
1436
1437			return $member_groups;
1438			}
1439
1440	1492e02c	Ermal	function authenticate_user($username, $password, $authcfg = NULL, &$attributes = array()) {
1441	c61e4626	Ermal Lu?i
1442			if (!$authcfg) {
1443			return local_backed($username, $password);
1444			}
1445
1446			$authenticated = false;
1447	1e0b1727	Phil Davis	switch ($authcfg['type']) {
1448			case 'ldap':
1449			if (ldap_backed($username, $password, $authcfg)) {
1450			$authenticated = true;
1451			}
1452			break;
1453			case 'radius':
1454			if (radius_backed($username, $password, $authcfg, $attributes)) {
1455			$authenticated = true;
1456			}
1457			break;
1458			default:
1459			/* lookup user object by name */
1460			if (local_backed($username, $password)) {
1461			$authenticated = true;
1462			}
1463			break;
1464			}
1465	c61e4626	Ermal Lu?i
1466			return $authenticated;
1467			}
1468
1469	6306b5dd	Ermal Lu?i	function session_auth() {
1470	aa205c3b	Ermal	global $config, $_SESSION, $page;
1471	55eb9c44	--global
1472	49ddf9a1	Warren Baker	// Handle HTTPS httponly and secure flags
1473	16789caa	Renato Botelho	$currentCookieParams = session_get_cookie_params();
1474			session_set_cookie_params(
1475			$currentCookieParams["lifetime"],
1476			$currentCookieParams["path"],
1477			NULL,
1478			($config['system']['webgui']['protocol'] == "https"),
1479			true
1480			);
1481	49ddf9a1	Warren Baker
1482	1e0b1727	Phil Davis	if (!session_id()) {
1483	9252d093	Ermal	session_start();
1484	1e0b1727	Phil Davis	}
1485	55eb9c44	--global
1486	dd030de9	Renato Botelho	// Detect protocol change
1487	1e0b1727	Phil Davis	if (!isset($_POST['login']) && !empty($_SESSION['Logged_In']) && $_SESSION['protocol'] != $config['system']['webgui']['protocol']) {
1488	dd030de9	Renato Botelho	return false;
1489	1e0b1727	Phil Davis	}
1490	dd030de9	Renato Botelho
1491	55eb9c44	--global	/* Validate incoming login request */
1492	88165371	Ermal	if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) {
1493	6306b5dd	Ermal Lu?i	$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
1494	1e0b1727	Phil Davis	if (authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg) \|\|
1495	ae52d165	Renato Botelho	authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) {
1496	526f5b11	Renato Botelho	// Generate a new id to avoid session fixation
1497	8588095f	Renato Botelho	session_regenerate_id();
1498	6306b5dd	Ermal Lu?i	$_SESSION['Logged_In'] = "True";
1499			$_SESSION['Username'] = $_POST['usernamefld'];
1500			$_SESSION['last_access'] = time();
1501	dd030de9	Renato Botelho	$_SESSION['protocol'] = $config['system']['webgui']['protocol'];
1502	1e0b1727	Phil Davis	if (!isset($config['system']['webgui']['quietlogin'])) {
1503	54bdff75	Vinicius Coque	log_auth(sprintf(gettext("Successful login for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], $_SERVER['REMOTE_ADDR']));
1504	4fc3855f	smos	}
1505	1e0b1727	Phil Davis	if (isset($_POST['postafterlogin'])) {
1506	92140621	Ermal	return true;
1507	1e0b1727	Phil Davis	} else {
1508			if (empty($page)) {
1509	80b292f3	Ermal	$page = "/";
1510	1e0b1727	Phil Davis	}
1511	80b292f3	Ermal	header("Location: {$page}");
1512			}
1513	f23e6363	Ermal	exit;
1514	a13ce628	Ermal Lu?i	} else {
1515			/* give the user an error message */
1516			$_SESSION['Login_Error'] = "Username or Password incorrect";
1517	65f7fba8	Scott Ullrich	log_auth("webConfigurator authentication error for '{$_POST['usernamefld']}' from {$_SERVER['REMOTE_ADDR']}");
1518	1e0b1727	Phil Davis	if (isAjax()) {
1519	a13ce628	Ermal Lu?i	echo "showajaxmessage('{$_SESSION['Login_Error']}');";
1520			return;
1521	55eb9c44	--global	}
1522			}
1523			}
1524
1525			/* Show login page if they aren't logged in */
1526	1e0b1727	Phil Davis	if (empty($_SESSION['Logged_In'])) {
1527	55eb9c44	--global	return false;
1528	1e0b1727	Phil Davis	}
1529	55eb9c44	--global
1530			/* If session timeout isn't set, we don't mark sessions stale */
1531	02647583	Ermal	if (!isset($config['system']['webgui']['session_timeout'])) {
1532	bdadaf3c	Chris Buechler	/* Default to 4 hour timeout if one is not set */
1533			if ($_SESSION['last_access'] < (time() - 14400)) {
1534			$_GET['logout'] = true;
1535			$_SESSION['Logout'] = true;
1536	1e0b1727	Phil Davis	} else {
1537			$_SESSION['last_access'] = time();
1538			}
1539	02647583	Ermal	} else if (intval($config['system']['webgui']['session_timeout']) == 0) {
1540			/* only update if it wasn't ajax */
1541	1e0b1727	Phil Davis	if (!isAjax()) {
1542	02647583	Ermal	$_SESSION['last_access'] = time();
1543	1e0b1727	Phil Davis	}
1544	bdadaf3c	Chris Buechler	} else {
1545	55eb9c44	--global	/* Check for stale session */
1546			if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) {
1547			$_GET['logout'] = true;
1548			$_SESSION['Logout'] = true;
1549			} else {
1550			/* only update if it wasn't ajax */
1551	1e0b1727	Phil Davis	if (!isAjax()) {
1552	55eb9c44	--global	$_SESSION['last_access'] = time();
1553	1e0b1727	Phil Davis	}
1554	55eb9c44	--global	}
1555			}
1556
1557			/* user hit the logout button */
1558			if (isset($_GET['logout'])) {
1559
1560	1e0b1727	Phil Davis	if ($_SESSION['Logout']) {
1561	addc0439	Renato Botelho	log_error(sprintf(gettext("Session timed out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR']));
1562	1e0b1727	Phil Davis	} else {
1563	addc0439	Renato Botelho	log_error(sprintf(gettext("User logged out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR']));
1564	1e0b1727	Phil Davis	}
1565	55eb9c44	--global
1566			/* wipe out $_SESSION */
1567			$_SESSION = array();
1568
1569	1e0b1727	Phil Davis	if (isset($_COOKIE[session_name()])) {
1570	55eb9c44	--global	setcookie(session_name(), '', time()-42000, '/');
1571	1e0b1727	Phil Davis	}
1572	55eb9c44	--global
1573			/* and destroy it */
1574			session_destroy();
1575
1576	cfbfd941	smos	$scriptName = explode("/", $_SERVER["SCRIPT_FILENAME"]);
1577	55eb9c44	--global	$scriptElms = count($scriptName);
1578			$scriptName = $scriptName[$scriptElms-1];
1579
1580	1e0b1727	Phil Davis	if (isAjax()) {
1581	55eb9c44	--global	return false;
1582	1e0b1727	Phil Davis	}
1583	55eb9c44	--global
1584			/* redirect to page the user is on, it'll prompt them to login again */
1585	6f3d2063	Renato Botelho	header("Location: {$scriptName}");
1586	55eb9c44	--global
1587			return false;
1588			}
1589
1590			/*
1591			* this is for debugging purpose if you do not want to use Ajax
1592	1e0b1727	Phil Davis	* to submit a HTML form. It basically disables the observation
1593	55eb9c44	--global	* of the submit event and hence does not trigger Ajax.
1594			*/
1595	1e0b1727	Phil Davis	if ($_GET['disable_ajax']) {
1596	55eb9c44	--global	$_SESSION['NO_AJAX'] = "True";
1597	1e0b1727	Phil Davis	}
1598	55eb9c44	--global
1599			/*
1600			* Same to re-enable Ajax.
1601			*/
1602	1e0b1727	Phil Davis	if ($_GET['enable_ajax']) {
1603	55eb9c44	--global	unset($_SESSION['NO_AJAX']);
1604	1e0b1727	Phil Davis	}
1605	55eb9c44	--global
1606			return true;
1607			}
1608
1609	88165371	Ermal	?>

Project

General

Profile

pfSense