/src/etc/inc/auth.inc - Annotate - pfSense - pfSense bugtracker

| Branch: | Tag: | Revision:

root/src/etc/inc/auth.inc @ b8f91b7c

1	55eb9c44	--global	<?php
2	b37b4034	Phil Davis	/*
3	ac24dc24	Renato Botelho	* auth.inc
4	995df6c3	Stephen Beaver	*
5	ac24dc24	Renato Botelho	* part of pfSense (https://www.pfsense.org)
6			* Copyright (c) 2003-2006 Manuel Kasper <mk@neon1.net>
7			* Copyright (c) 2005-2006 Bill Marquette <bill.marquette@gmail.com>
8			* Copyright (c) 2006 Paul Taylor <paultaylor@winn-dixie.com>
9	b8f91b7c	Luiz Souza	* Copyright (c) 2004-2018 Rubicon Communications, LLC (Netgate)
10	ac24dc24	Renato Botelho	* All rights reserved.
11	995df6c3	Stephen Beaver	*
12	b12ea3fb	Renato Botelho	* Licensed under the Apache License, Version 2.0 (the "License");
13			* you may not use this file except in compliance with the License.
14			* You may obtain a copy of the License at
15	995df6c3	Stephen Beaver	*
16	b12ea3fb	Renato Botelho	* http://www.apache.org/licenses/LICENSE-2.0
17	995df6c3	Stephen Beaver	*
18	b12ea3fb	Renato Botelho	* Unless required by applicable law or agreed to in writing, software
19			* distributed under the License is distributed on an "AS IS" BASIS,
20			* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
21			* See the License for the specific language governing permissions and
22			* limitations under the License.
23	995df6c3	Stephen Beaver	*/
24	ac24dc24	Renato Botelho
25	55eb9c44	--global	/*
26			* NOTE : Portions of the mschapv2 support was based on the BSD licensed CHAP.php
27			* file courtesy of Michael Retterklieber.
28			*/
29	82cd6022	PiBa-NL	include_once('phpsessionmanager.inc');
30	1e0b1727	Phil Davis	if (!$do_not_include_config_gui_inc) {
31	052e65ef	Scott Ullrich	require_once("config.gui.inc");
32	1e0b1727	Phil Davis	}
33	55eb9c44	--global
34	9ae11a62	Scott Ullrich	// Will be changed to false if security checks fail
35			$security_passed = true;
36
37	1180e4f0	Sjon Hortensius	/* If this function doesn't exist, we're being called from Captive Portal or
38	0321fa1b	jim-p	another internal subsystem which does not include authgui.inc */
39	cc9b0f76	jim-p	if (function_exists("display_error_form")) {
40			/* Extra layer of lockout protection. Check if the user is in the GUI
41			* lockout table before processing a request */
42
43			/* Fetch the contents of the lockout table. */
44			exec("/sbin/pfctl -t 'webConfiguratorlockout' -T show", $entries);
45
46			/* If the client is in the lockout table, print an error, kill states, and exit */
47			if (in_array($_SERVER['REMOTE_ADDR'], array_map('trim', $entries))) {
48			if (!security_checks_disabled()) {
49			/* They may never see the error since the connection will be cut off, but try to be nice anyhow. */
50			display_error_form("501", gettext("Access Denied<br/><br/>Access attempt from a temporarily locked out client address.<br /><br />Try accessing the firewall again after the lockout expires."));
51			/* If they are locked out, they shouldn't have a state. Disconnect their connections. */
52			$retval = pfSense_kill_states($_SERVER['REMOTE_ADDR']);
53			if (is_ipaddrv4($_SERVER['REMOTE_ADDR'])) {
54			$retval = pfSense_kill_states("0.0.0.0/0", $_SERVER['REMOTE_ADDR']);
55			} elseif (is_ipaddrv6($_SERVER['REMOTE_ADDR'])) {
56			$retval = pfSense_kill_states("::", $_SERVER['REMOTE_ADDR']);
57			}
58			exit;
59			}
60			$security_passed = false;
61			}
62			}
63
64	14eab6fb	jim-p	if (function_exists("display_error_form") && !isset($config['system']['webgui']['nodnsrebindcheck'])) {
65	0734024c	Chris Buechler	/* DNS ReBinding attack prevention. https://redmine.pfsense.org/issues/708 */
66	0321fa1b	jim-p	$found_host = false;
67	209620ea	Seth Mos
68	4cf79fdd	smos	/* Either a IPv6 address with or without a alternate port */
69	1e0b1727	Phil Davis	if (strstr($_SERVER['HTTP_HOST'], "]")) {
70	4cf79fdd	smos	$http_host_port = explode("]", $_SERVER['HTTP_HOST']);
71	209620ea	Seth Mos	/* v6 address has more parts, drop the last part */
72	1e0b1727	Phil Davis	if (count($http_host_port) > 1) {
73	209620ea	Seth Mos	array_pop($http_host_port);
74			$http_host = str_replace(array("[", "]"), "", implode(":", $http_host_port));
75			} else {
76	4cf79fdd	smos	$http_host = str_replace(array("[", "]"), "", implode(":", $http_host_port));
77	209620ea	Seth Mos	}
78	7319dc73	jim-p	} else {
79	4fcab77b	smos	$http_host = explode(":", $_SERVER['HTTP_HOST']);
80			$http_host = $http_host[0];
81	7319dc73	jim-p	}
82	1e0b1727	Phil Davis	if (is_ipaddr($http_host) or $_SERVER['SERVER_ADDR'] == "127.0.0.1" or
83	46bb8a0b	Sjon Hortensius	strcasecmp($http_host, "localhost") == 0 or $_SERVER['SERVER_ADDR'] == "::1") {
84	9ae11a62	Scott Ullrich	$found_host = true;
85	1e0b1727	Phil Davis	}
86			if (strcasecmp($http_host, $config['system']['hostname'] . "." . $config['system']['domain']) == 0 or
87	46bb8a0b	Sjon Hortensius	strcasecmp($http_host, $config['system']['hostname']) == 0) {
88	d7bf3178	Erik Fonnesbeck	$found_host = true;
89	1e0b1727	Phil Davis	}
90	9ae11a62	Scott Ullrich
91	1e0b1727	Phil Davis	if (is_array($config['dyndnses']['dyndns']) && !$found_host) {
92			foreach ($config['dyndnses']['dyndns'] as $dyndns) {
93			if (strcasecmp($dyndns['host'], $http_host) == 0) {
94	0321fa1b	jim-p	$found_host = true;
95	9ae11a62	Scott Ullrich	break;
96			}
97	1e0b1727	Phil Davis	}
98			}
99	7319dc73	jim-p
100	1e0b1727	Phil Davis	if (is_array($config['dnsupdates']['dnsupdate']) && !$found_host) {
101			foreach ($config['dnsupdates']['dnsupdate'] as $rfc2136) {
102			if (strcasecmp($rfc2136['host'], $http_host) == 0) {
103	fa087612	jim-p	$found_host = true;
104			break;
105			}
106	1e0b1727	Phil Davis	}
107			}
108	fa087612	jim-p
109	1e0b1727	Phil Davis	if (!empty($config['system']['webgui']['althostnames']) && !$found_host) {
110	86b21903	jim-p	$althosts = explode(" ", $config['system']['webgui']['althostnames']);
111	1e0b1727	Phil Davis	foreach ($althosts as $ah) {
112			if (strcasecmp($ah, $http_host) == 0 or strcasecmp($ah, $_SERVER['SERVER_ADDR']) == 0) {
113	86b21903	jim-p	$found_host = true;
114	9ae11a62	Scott Ullrich	break;
115			}
116	1e0b1727	Phil Davis	}
117	9b13f84b	Scott Ullrich	}
118	ce46b5da	Scott Ullrich
119	1e0b1727	Phil Davis	if ($found_host == false) {
120			if (!security_checks_disabled()) {
121	8cd558b6	ayvis	display_error_form("501", gettext("Potential DNS Rebind attack detected, see http://en.wikipedia.org/wiki/DNS_rebinding<br />Try accessing the router by IP address instead of by hostname."));
122	9ae11a62	Scott Ullrich	exit;
123			}
124			$security_passed = false;
125			}
126			}
127	ef173724	Scott Ullrich
128	9ae11a62	Scott Ullrich	// If the HTTP_REFERER is something other than ourselves then disallow.
129	1e0b1727	Phil Davis	if (function_exists("display_error_form") && !isset($config['system']['webgui']['nohttpreferercheck'])) {
130			if ($_SERVER['HTTP_REFERER']) {
131			if (file_exists("{$g['tmp_path']}/setupwizard_lastreferrer")) {
132			if ($_SERVER['HTTP_REFERER'] == file_get_contents("{$g['tmp_path']}/setupwizard_lastreferrer")) {
133	9ae11a62	Scott Ullrich	unlink("{$g['tmp_path']}/setupwizard_lastreferrer");
134			header("Refresh: 1; url=index.php");
135	1180e4f0	Sjon Hortensius	?>
136			<!DOCTYPE html>
137			<html lang="en">
138			<head>
139	b4738ddc	NewEraCracker	<link rel="stylesheet" href="/css/pfSense.css" />
140	1180e4f0	Sjon Hortensius	<title><?=gettext("Redirecting..."); ?></title>
141			</head>
142			<body id="error" class="no-menu">
143			<div id="jumbotron">
144			<div class="container">
145	c7d61071	Sander van Leeuwen	<div class="col-sm-offset-3 col-sm-6 col-xs-12">
146			<p><?=gettext("Redirecting to the dashboard...")?></p>
147			</div>
148	1180e4f0	Sjon Hortensius	</div>
149			</div>
150			</body>
151			</html>
152			<?php
153	9ae11a62	Scott Ullrich	exit;
154			}
155			}
156			$found_host = false;
157			$referrer_host = parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST);
158	e6f7e0be	smos	$referrer_host = str_replace(array("[", "]"), "", $referrer_host);
159	1e0b1727	Phil Davis	if ($referrer_host) {
160	ae52d165	Renato Botelho	if (strcasecmp($referrer_host, $config['system']['hostname'] . "." . $config['system']['domain']) == 0 \|\|
161	4e322e2c	Phil Davis	strcasecmp($referrer_host, $config['system']['hostname']) == 0) {
162	9ae11a62	Scott Ullrich	$found_host = true;
163	1e0b1727	Phil Davis	}
164	9f0bee02	jim-p
165	1e0b1727	Phil Davis	if (!empty($config['system']['webgui']['althostnames']) && !$found_host) {
166	9ae11a62	Scott Ullrich	$althosts = explode(" ", $config['system']['webgui']['althostnames']);
167			foreach ($althosts as $ah) {
168	1e0b1727	Phil Davis	if (strcasecmp($referrer_host, $ah) == 0) {
169	9ae11a62	Scott Ullrich	$found_host = true;
170			break;
171			}
172			}
173			}
174	9f0bee02	jim-p
175	1e0b1727	Phil Davis	if (is_array($config['dyndnses']['dyndns']) && !$found_host) {
176			foreach ($config['dyndnses']['dyndns'] as $dyndns) {
177			if (strcasecmp($dyndns['host'], $referrer_host) == 0) {
178	9f0bee02	jim-p	$found_host = true;
179			break;
180			}
181	1e0b1727	Phil Davis	}
182			}
183	9f0bee02	jim-p
184	1e0b1727	Phil Davis	if (is_array($config['dnsupdates']['dnsupdate']) && !$found_host) {
185			foreach ($config['dnsupdates']['dnsupdate'] as $rfc2136) {
186			if (strcasecmp($rfc2136['host'], $referrer_host) == 0) {
187	9f0bee02	jim-p	$found_host = true;
188			break;
189			}
190	1e0b1727	Phil Davis	}
191			}
192	9f0bee02	jim-p
193	1e0b1727	Phil Davis	if (!$found_host) {
194	9ae11a62	Scott Ullrich	$interface_list_ips = get_configured_ip_addresses();
195	1e0b1727	Phil Davis	foreach ($interface_list_ips as $ilips) {
196			if (strcasecmp($referrer_host, $ilips) == 0) {
197	9ae11a62	Scott Ullrich	$found_host = true;
198			break;
199			}
200			}
201	6a53de6f	NewEraCracker	$interface_list_ipv6s = get_configured_ipv6_addresses(true);
202	1e0b1727	Phil Davis	foreach ($interface_list_ipv6s as $ilipv6s) {
203	6a53de6f	NewEraCracker	$ilipv6s = explode('%', $ilipv6s)[0];
204	1e0b1727	Phil Davis	if (strcasecmp($referrer_host, $ilipv6s) == 0) {
205	e6f7e0be	smos	$found_host = true;
206			break;
207			}
208			}
209	1e0b1727	Phil Davis	if ($referrer_host == "127.0.0.1" \|\| $referrer_host == "localhost") {
210	17dd7ff3	Chris Buechler	// allow SSH port forwarded connections and links from localhost
211			$found_host = true;
212			}
213	9ae11a62	Scott Ullrich	}
214			}
215	1e0b1727	Phil Davis	if ($found_host == false) {
216			if (!security_checks_disabled()) {
217	530e4707	NOYB	display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . htmlspecialchars($_SERVER['HTTP_REFERER']) . "). If not needed, this check can be disabled in System -> Advanced -> Admin.");
218	0f806eca	Erik Fonnesbeck	exit;
219			}
220	9ae11a62	Scott Ullrich	$security_passed = false;
221			}
222	1e0b1727	Phil Davis	} else {
223	9ae11a62	Scott Ullrich	$security_passed = false;
224	1e0b1727	Phil Davis	}
225	4fe9c2dc	Scott Ullrich	}
226
227	1e0b1727	Phil Davis	if (function_exists("display_error_form") && $security_passed) {
228	9ae11a62	Scott Ullrich	/* Security checks passed, so it should be OK to turn them back on */
229			restore_security_checks();
230	1e0b1727	Phil Davis	}
231	9ae11a62	Scott Ullrich	unset($security_passed);
232
233	55eb9c44	--global	$groupindex = index_groups();
234			$userindex = index_users();
235
236			function index_groups() {
237			global $g, $debug, $config, $groupindex;
238
239			$groupindex = array();
240
241	6dcd80af	Ermal	if (is_array($config['system']['group'])) {
242	55eb9c44	--global	$i = 0;
243	1e0b1727	Phil Davis	foreach ($config['system']['group'] as $groupent) {
244	55eb9c44	--global	$groupindex[$groupent['name']] = $i;
245			$i++;
246			}
247			}
248
249			return ($groupindex);
250			}
251
252			function index_users() {
253			global $g, $debug, $config;
254
255	6dcd80af	Ermal	if (is_array($config['system']['user'])) {
256	55eb9c44	--global	$i = 0;
257	1e0b1727	Phil Davis	foreach ($config['system']['user'] as $userent) {
258	55eb9c44	--global	$userindex[$userent['name']] = $i;
259			$i++;
260			}
261			}
262
263			return ($userindex);
264			}
265
266			function & getUserEntry($name) {
267			global $debug, $config, $userindex;
268	0ef6fddc	jim-p	$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
269
270	1e0b1727	Phil Davis	if (isset($userindex[$name])) {
271	55eb9c44	--global	return $config['system']['user'][$userindex[$name]];
272	0ef6fddc	jim-p	} elseif ($authcfg['type'] != "Local Database") {
273			$user = array();
274			$user['name'] = $name;
275			return $user;
276	1e0b1727	Phil Davis	}
277	55eb9c44	--global	}
278
279			function & getUserEntryByUID($uid) {
280			global $debug, $config;
281	84924e76	Ermal
282	1e0b1727	Phil Davis	if (is_array($config['system']['user'])) {
283			foreach ($config['system']['user'] as & $user) {
284			if ($user['uid'] == $uid) {
285	84924e76	Ermal	return $user;
286	1e0b1727	Phil Davis	}
287			}
288			}
289	55eb9c44	--global
290			return false;
291			}
292
293			function & getGroupEntry($name) {
294			global $debug, $config, $groupindex;
295	1e0b1727	Phil Davis	if (isset($groupindex[$name])) {
296	55eb9c44	--global	return $config['system']['group'][$groupindex[$name]];
297	1e0b1727	Phil Davis	}
298	55eb9c44	--global	}
299
300			function & getGroupEntryByGID($gid) {
301			global $debug, $config;
302	84924e76	Ermal
303	1e0b1727	Phil Davis	if (is_array($config['system']['group'])) {
304			foreach ($config['system']['group'] as & $group) {
305			if ($group['gid'] == $gid) {
306	84924e76	Ermal	return $group;
307	1e0b1727	Phil Davis	}
308			}
309			}
310	55eb9c44	--global
311			return false;
312			}
313
314	6dc88d53	Ermal Luci	function get_user_privileges(& $user) {
315	7abc3f99	Phil Davis	global $config, $_SESSION;
316	0ef6fddc	jim-p
317			$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
318	7abc3f99	Phil Davis	$allowed_groups = array();
319	6dc88d53	Ermal Luci
320	1e0b1727	Phil Davis	$privs = $user['priv'];
321			if (!is_array($privs)) {
322			$privs = array();
323			}
324	6dc88d53	Ermal Luci
325	7abc3f99	Phil Davis	// cache auth results for a short time to ease load on auth services & logs
326			if (isset($config['system']['webgui']['auth_refresh_time'])) {
327			$recheck_time = $config['system']['webgui']['auth_refresh_time'];
328			} else {
329			$recheck_time = 30;
330			}
331
332	0ef6fddc	jim-p	if ($authcfg['type'] == "ldap") {
333	7abc3f99	Phil Davis	if (isset($_SESSION["ldap_allowed_groups"]) &&
334			(time() <= $_SESSION["auth_check_time"] + $recheck_time)) {
335			$allowed_groups = $_SESSION["ldap_allowed_groups"];
336			} else {
337			$allowed_groups = @ldap_get_groups($user['name'], $authcfg);
338			$_SESSION["ldap_allowed_groups"] = $allowed_groups;
339			$_SESSION["auth_check_time"] = time();
340			}
341	0ef6fddc	jim-p	} elseif ($authcfg['type'] == "radius") {
342	7abc3f99	Phil Davis	if (isset($_SESSION["radius_allowed_groups"]) &&
343			(time() <= $_SESSION["auth_check_time"] + $recheck_time)) {
344			$allowed_groups = $_SESSION["radius_allowed_groups"];
345			} else {
346			$allowed_groups = @radius_get_groups($_SESSION['user_radius_attributes']);
347			$_SESSION["radius_allowed_groups"] = $allowed_groups;
348			$_SESSION["auth_check_time"] = time();
349			}
350	0ef6fddc	jim-p	}
351
352	7abc3f99	Phil Davis	if (empty($allowed_groups)) {
353			$allowed_groups = local_user_get_groups($user, true);
354	0ef6fddc	jim-p	}
355	6dc88d53	Ermal Luci
356	7abc3f99	Phil Davis	if (is_array($allowed_groups)) {
357			foreach ($allowed_groups as $name) {
358			$group = getGroupEntry($name);
359			if (is_array($group['priv'])) {
360			$privs = array_merge($privs, $group['priv']);
361			}
362	1e0b1727	Phil Davis	}
363			}
364	6dc88d53	Ermal Luci
365	1e0b1727	Phil Davis	return $privs;
366	6dc88d53	Ermal Luci	}
367
368			function userHasPrivilege($userent, $privid = false) {
369
370	1e0b1727	Phil Davis	if (!$privid \|\| !is_array($userent)) {
371			return false;
372			}
373	6dc88d53	Ermal Luci
374	1e0b1727	Phil Davis	$privs = get_user_privileges($userent);
375	6dc88d53	Ermal Luci
376	1e0b1727	Phil Davis	if (!is_array($privs)) {
377			return false;
378			}
379	6dc88d53	Ermal Luci
380	1e0b1727	Phil Davis	if (!in_array($privid, $privs)) {
381			return false;
382			}
383	6dc88d53	Ermal Luci
384	1e0b1727	Phil Davis	return true;
385	6dc88d53	Ermal Luci	}
386
387	55eb9c44	--global	function local_backed($username, $passwd) {
388
389			$user = getUserEntry($username);
390	1e0b1727	Phil Davis	if (!$user) {
391	55eb9c44	--global	return false;
392	1e0b1727	Phil Davis	}
393	55eb9c44	--global
394	1e0b1727	Phil Davis	if (is_account_disabled($username) \|\| is_account_expired($username)) {
395	a13ce628	Ermal Lu?i	return false;
396	1e0b1727	Phil Davis	}
397	a13ce628	Ermal Lu?i
398	9219378b	daniel	if ($user['bcrypt-hash']) {
399			if (password_verify($passwd, $user['bcrypt-hash'])) {
400			return true;
401			}
402			}
403
404			//for backwards compatibility
405	1e0b1727	Phil Davis	if ($user['password']) {
406			if (crypt($passwd, $user['password']) == $user['password']) {
407	55eb9c44	--global	return true;
408	1e0b1727	Phil Davis	}
409	55eb9c44	--global	}
410
411	1e0b1727	Phil Davis	if ($user['md5-hash']) {
412			if (md5($passwd) == $user['md5-hash']) {
413	55eb9c44	--global	return true;
414	1e0b1727	Phil Davis	}
415	55eb9c44	--global	}
416
417			return false;
418			}
419
420			function local_sync_accounts() {
421			global $debug, $config;
422
423			/* remove local users to avoid uid conflicts */
424			$fd = popen("/usr/sbin/pw usershow -a", "r");
425			if ($fd) {
426			while (!feof($fd)) {
427	4de8f7ba	Phil Davis	$line = explode(":", fgets($fd));
428	3ee1e659	Renato Botelho	if ($line[0] != "admin") {
429			if (!strncmp($line[0], "_", 1)) {
430			continue;
431			}
432			if ($line[2] < 2000) {
433			continue;
434			}
435			if ($line[2] > 65000) {
436			continue;
437			}
438	1e0b1727	Phil Davis	}
439	2b41df9c	Renato Botelho	/*
440			* If a crontab was created to user, pw userdel will be interactive and
441			* can cause issues. Just remove crontab before run it when necessary
442			*/
443			unlink_if_exists("/var/cron/tabs/{$line[0]}");
444	0a39f78f	jim-p	$cmd = "/usr/sbin/pw userdel -n " . escapeshellarg($line[0]);
445	1e0b1727	Phil Davis	if ($debug) {
446	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("Running: %s"), $cmd));
447	1e0b1727	Phil Davis	}
448	55eb9c44	--global	mwexec($cmd);
449			}
450			pclose($fd);
451			}
452
453			/* remove local groups to avoid gid conflicts */
454			$gids = array();
455			$fd = popen("/usr/sbin/pw groupshow -a", "r");
456			if ($fd) {
457			while (!feof($fd)) {
458	4de8f7ba	Phil Davis	$line = explode(":", fgets($fd));
459	1e0b1727	Phil Davis	if (!strncmp($line[0], "_", 1)) {
460	55eb9c44	--global	continue;
461	1e0b1727	Phil Davis	}
462			if ($line[2] < 2000) {
463	55eb9c44	--global	continue;
464	1e0b1727	Phil Davis	}
465			if ($line[2] > 65000) {
466	55eb9c44	--global	continue;
467	1e0b1727	Phil Davis	}
468	0a39f78f	jim-p	$cmd = "/usr/sbin/pw groupdel -g " . escapeshellarg($line[2]);
469	1e0b1727	Phil Davis	if ($debug) {
470	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("Running: %s"), $cmd));
471	1e0b1727	Phil Davis	}
472	55eb9c44	--global	mwexec($cmd);
473			}
474			pclose($fd);
475			}
476
477			/* make sure the all group exists */
478			$allgrp = getGroupEntryByGID(1998);
479			local_group_set($allgrp, true);
480
481	5af2baf7	jim-p	/* sync all local users */
482	1e0b1727	Phil Davis	if (is_array($config['system']['user'])) {
483			foreach ($config['system']['user'] as $user) {
484	5af2baf7	jim-p	local_user_set($user);
485	1e0b1727	Phil Davis	}
486			}
487	5af2baf7	jim-p
488	f3e0a111	jim-p	/* sync all local groups */
489	1e0b1727	Phil Davis	if (is_array($config['system']['group'])) {
490			foreach ($config['system']['group'] as $group) {
491	f3e0a111	jim-p	local_group_set($group);
492	1e0b1727	Phil Davis	}
493			}
494	f3e0a111	jim-p
495	55eb9c44	--global
496			}
497
498			function local_user_set(& $user) {
499			global $g, $debug;
500
501	9219378b	daniel	if (empty($user['password']) && empty($user['bcrypt-hash'])) {
502	530e4707	NOYB	log_error("There is something wrong in the config because user {$user['name']} password is missing!");
503	b3c106a0	Ermal	return;
504			}
505
506	2bb07efc	Scott Ullrich
507	1180e4f0	Sjon Hortensius	$home_base = "/home/";
508	55eb9c44	--global	$user_uid = $user['uid'];
509			$user_name = $user['name'];
510	461df7c0	jim-p	$user_home = "{$home_base}{$user_name}";
511	55eb9c44	--global	$user_shell = "/etc/rc.initial";
512			$user_group = "nobody";
513
514			// Ensure $home_base exists and is writable
515	1e0b1727	Phil Davis	if (!is_dir($home_base)) {
516	55eb9c44	--global	mkdir($home_base, 0755);
517	1e0b1727	Phil Davis	}
518	55eb9c44	--global
519	df8d74de	jim-p	$lock_account = false;
520	55eb9c44	--global	/* configure shell type */
521	3e251b12	Erik Fonnesbeck	/* Cases here should be ordered by most privileged to least privileged. */
522	a137fedd	jim-p	if (userHasPrivilege($user, "user-shell-access") \|\| userHasPrivilege($user, "page-all")) {
523	29293dce	jim-p	$user_shell = "/bin/tcsh";
524	74fd2299	doktornotor	} elseif (userHasPrivilege($user, "user-copy-files-chroot")) {
525			$user_shell = "/usr/local/sbin/scponlyc";
526	647db6bb	doktornotor	} elseif (userHasPrivilege($user, "user-copy-files")) {
527			$user_shell = "/usr/local/bin/scponly";
528	3e251b12	Erik Fonnesbeck	} elseif (userHasPrivilege($user, "user-ssh-tunnel")) {
529			$user_shell = "/usr/local/sbin/ssh_tunnel_shell";
530	fbfd675a	jim-p	} elseif (userHasPrivilege($user, "user-ipsec-xauth-dialin")) {
531			$user_shell = "/sbin/nologin";
532	1ed86bc6	jim-p	} else {
533			$user_shell = "/sbin/nologin";
534	df8d74de	jim-p	$lock_account = true;
535			}
536
537			/* Lock out disabled or expired users, unless it's root/admin. */
538			if ((is_account_disabled($user_name) \|\| is_account_expired($user_name)) && ($user_uid != 0)) {
539			$user_shell = "/sbin/nologin";
540			$lock_account = true;
541	55eb9c44	--global	}
542
543			/* root user special handling */
544			if ($user_uid == 0) {
545			$cmd = "/usr/sbin/pw usermod -q -n root -s /bin/sh -H 0";
546	1e0b1727	Phil Davis	if ($debug) {
547	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("Running: %s"), $cmd));
548	1e0b1727	Phil Davis	}
549	55eb9c44	--global	$fd = popen($cmd, "w");
550	9219378b	daniel	if (empty($user['bcrypt-hash'])) {
551			fwrite($fd, $user['password']);
552	9a7911eb	Daniel Vinakovsky	} else {
553	9219378b	daniel	fwrite($fd, $user['bcrypt-hash']);
554			}
555	55eb9c44	--global	pclose($fd);
556			$user_group = "wheel";
557	2708e399	jim-p	$user_home = "/root";
558	29293dce	jim-p	$user_shell = "/etc/rc.initial";
559	55eb9c44	--global	}
560
561			/* read from pw db */
562	9fd14591	jim-p	$fd = popen("/usr/sbin/pw usershow -n {$user_name} 2>&1", "r");
563	55eb9c44	--global	$pwread = fgets($fd);
564			pclose($fd);
565	9fd14591	jim-p	$userattrs = explode(":", trim($pwread));
566	55eb9c44	--global
567	13a70e7d	Renato Botelho	$skel_dir = '/etc/skel';
568
569	55eb9c44	--global	/* determine add or mod */
570	9fd14591	jim-p	if (($userattrs[0] != $user['name']) \|\| (!strncmp($pwread, "pw:", 3))) {
571	4bf17edc	jim-p	$user_op = "useradd -m -k " . escapeshellarg($skel_dir) . " -o";
572	38564fde	smos	} else {
573	55eb9c44	--global	$user_op = "usermod";
574	38564fde	smos	}
575	55eb9c44	--global
576	1180e4f0	Sjon Hortensius	$comment = str_replace(array(":", "!", "@"), " ", $user['descr']);
577	55eb9c44	--global	/* add or mod pw db */
578	0a39f78f	jim-p	$cmd = "/usr/sbin/pw {$user_op} -q " .
579			" -u " . escapeshellarg($user_uid) .
580			" -n " . escapeshellarg($user_name) .
581			" -g " . escapeshellarg($user_group) .
582			" -s " . escapeshellarg($user_shell) .
583			" -d " . escapeshellarg($user_home) .
584			" -c " . escapeshellarg($comment) .
585			" -H 0 2>&1";
586	55eb9c44	--global
587	1e0b1727	Phil Davis	if ($debug) {
588	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("Running: %s"), $cmd));
589	1e0b1727	Phil Davis	}
590	55eb9c44	--global	$fd = popen($cmd, "w");
591	9219378b	daniel	if (empty($user['bcrypt-hash'])) {
592			fwrite($fd, $user['password']);
593	9a7911eb	Daniel Vinakovsky	} else {
594	9219378b	daniel	fwrite($fd, $user['bcrypt-hash']);
595			}
596	55eb9c44	--global	pclose($fd);
597
598			/* create user directory if required */
599			if (!is_dir($user_home)) {
600			mkdir($user_home, 0700);
601			}
602	23c652cd	Ermal	@chown($user_home, $user_name);
603			@chgrp($user_home, $user_group);
604	55eb9c44	--global
605	13a70e7d	Renato Botelho	/* Make sure all users have last version of config files */
606			foreach (glob("{$skel_dir}/dot.*") as $dot_file) {
607			$target = $user_home . '/' . substr(basename($dot_file), 3);
608			@copy($dot_file, $target);
609			@chown($target, $user_name);
610			@chgrp($target, $user_group);
611			}
612
613	55eb9c44	--global	/* write out ssh authorized key file */
614	1e0b1727	Phil Davis	if ($user['authorizedkeys']) {
615	a2286360	Ermal Lu?i	if (!is_dir("{$user_home}/.ssh")) {
616	23c652cd	Ermal	@mkdir("{$user_home}/.ssh", 0700);
617			@chown("{$user_home}/.ssh", $user_name);
618	a2286360	Ermal Lu?i	}
619			$keys = base64_decode($user['authorizedkeys']);
620	23c652cd	Ermal	@file_put_contents("{$user_home}/.ssh/authorized_keys", $keys);
621			@chown("{$user_home}/.ssh/authorized_keys", $user_name);
622	1e0b1727	Phil Davis	} else {
623	cdab65cc	Erik Fonnesbeck	unlink_if_exists("{$user_home}/.ssh/authorized_keys");
624	1e0b1727	Phil Davis	}
625	df8d74de	jim-p
626			$un = $lock_account ? "" : "un";
627	0a39f78f	jim-p	exec("/usr/sbin/pw {$un}lock " . escapeshellarg($user_name) . " -q 2>/dev/null");
628	1180e4f0	Sjon Hortensius
629	55eb9c44	--global	}
630
631			function local_user_del($user) {
632			global $debug;
633	2bb07efc	Scott Ullrich
634	55eb9c44	--global	/* remove all memberships */
635	019e6c3f	jim-p	local_user_set_groups($user);
636	55eb9c44	--global
637	a39675ec	jim-p	/* Don't remove /root */
638	1e0b1727	Phil Davis	if ($user['uid'] != 0) {
639	a39675ec	jim-p	$rmhome = "-r";
640	1e0b1727	Phil Davis	}
641	a39675ec	jim-p
642	9fd14591	jim-p	/* read from pw db */
643			$fd = popen("/usr/sbin/pw usershow -n {$user['name']} 2>&1", "r");
644			$pwread = fgets($fd);
645			pclose($fd);
646			$userattrs = explode(":", trim($pwread));
647
648			if ($userattrs[0] != $user['name']) {
649			log_error("Tried to remove user {$user['name']} but got user {$userattrs[0]} instead. Bailing.");
650			return;
651			}
652
653	55eb9c44	--global	/* delete from pw db */
654	0a39f78f	jim-p	$cmd = "/usr/sbin/pw userdel -n " . escapeshellarg($user['name']) . " " . escapeshellarg($rmhome);
655	55eb9c44	--global
656	1e0b1727	Phil Davis	if ($debug) {
657	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("Running: %s"), $cmd));
658	1e0b1727	Phil Davis	}
659	0914b6bb	Ermal	mwexec($cmd);
660	2bb07efc	Scott Ullrich
661	0914b6bb	Ermal	/* Delete user from groups needs a call to write_config() */
662			local_group_del_user($user);
663	55eb9c44	--global	}
664
665	4d9801c2	Jim Thompson	function local_user_set_password(&$user, $password) {
666	55eb9c44	--global
667	33386b07	Daniel Vinakovsky	unset($user['password']);
668			unset($user['md5-hash']);
669			$user['bcrypt-hash'] = password_hash($password, PASSWORD_BCRYPT);
670	55eb9c44	--global
671	4d4e9a11	Daniel Vinakovsky	/* Maintain compatibility with FreeBSD - change $2y$ prefix to $2b$
672			* https://reviews.freebsd.org/D2742
673	6fadbf9b	Dan Vinakovsky	* XXX: Can be removed as soon as r284483 is MFC'd.
674	4d4e9a11	Daniel Vinakovsky	*/
675	4b737f6e	Daniel Vinakovsky	if ($user['bcrypt-hash'][2] == "y") {
676			$user['bcrypt-hash'][2] = "b";
677			}
678
679	55eb9c44	--global	// Converts ascii to unicode.
680			$astr = (string) $password;
681			$ustr = '';
682			for ($i = 0; $i < strlen($astr); $i++) {
683			$a = ord($astr{$i}) << 8;
684	4de8f7ba	Phil Davis	$ustr .= sprintf("%X", $a);
685	55eb9c44	--global	}
686
687			}
688
689			function local_user_get_groups($user, $all = false) {
690			global $debug, $config;
691
692			$groups = array();
693	1e0b1727	Phil Davis	if (!is_array($config['system']['group'])) {
694	55eb9c44	--global	return $groups;
695	1e0b1727	Phil Davis	}
696	55eb9c44	--global
697	1e0b1727	Phil Davis	foreach ($config['system']['group'] as $group) {
698	4de8f7ba	Phil Davis	if ($all \|\| (!$all && ($group['name'] != "all"))) {
699	1e0b1727	Phil Davis	if (is_array($group['member'])) {
700			if (in_array($user['uid'], $group['member'])) {
701	55eb9c44	--global	$groups[] = $group['name'];
702	1e0b1727	Phil Davis	}
703			}
704			}
705			}
706	55eb9c44	--global
707	1e0b1727	Phil Davis	if ($all) {
708	b0c231e4	jim-p	$groups[] = "all";
709	1e0b1727	Phil Davis	}
710	b0c231e4	jim-p
711	55eb9c44	--global	sort($groups);
712
713			return $groups;
714	1180e4f0	Sjon Hortensius
715	55eb9c44	--global	}
716
717	4de8f7ba	Phil Davis	function local_user_set_groups($user, $new_groups = NULL) {
718	55eb9c44	--global	global $debug, $config, $groupindex;
719	4de8f7ba	Phil Davis
720	1e0b1727	Phil Davis	if (!is_array($config['system']['group'])) {
721	55eb9c44	--global	return;
722	1e0b1727	Phil Davis	}
723	55eb9c44	--global
724	739c78ac	jim-p	$cur_groups = local_user_get_groups($user, true);
725	55eb9c44	--global	$mod_groups = array();
726
727	1e0b1727	Phil Davis	if (!is_array($new_groups)) {
728	55eb9c44	--global	$new_groups = array();
729	1e0b1727	Phil Davis	}
730	55eb9c44	--global
731	1e0b1727	Phil Davis	if (!is_array($cur_groups)) {
732	55eb9c44	--global	$cur_groups = array();
733	1e0b1727	Phil Davis	}
734	55eb9c44	--global
735			/* determine which memberships to add */
736			foreach ($new_groups as $groupname) {
737	4de8f7ba	Phil Davis	if ($groupname == '' \|\| in_array($groupname, $cur_groups)) {
738	55eb9c44	--global	continue;
739	1e0b1727	Phil Davis	}
740	55eb9c44	--global	$group = & $config['system']['group'][$groupindex[$groupname]];
741			$group['member'][] = $user['uid'];
742			$mod_groups[] = $group;
743			}
744	9ae11a62	Scott Ullrich	unset($group);
745	55eb9c44	--global
746			/* determine which memberships to remove */
747			foreach ($cur_groups as $groupname) {
748	4de8f7ba	Phil Davis	if (in_array($groupname, $new_groups)) {
749	e879fc81	Ermal	continue;
750	1e0b1727	Phil Davis	}
751			if (!isset($config['system']['group'][$groupindex[$groupname]])) {
752	25fec9b3	jim-p	continue;
753	1e0b1727	Phil Davis	}
754	55eb9c44	--global	$group = & $config['system']['group'][$groupindex[$groupname]];
755	7b5c56ea	jim-p	if (is_array($group['member'])) {
756			$index = array_search($user['uid'], $group['member']);
757			array_splice($group['member'], $index, 1);
758			$mod_groups[] = $group;
759			}
760	55eb9c44	--global	}
761	9ae11a62	Scott Ullrich	unset($group);
762	55eb9c44	--global
763			/* sync all modified groups */
764	1e0b1727	Phil Davis	foreach ($mod_groups as $group) {
765	55eb9c44	--global	local_group_set($group);
766	1e0b1727	Phil Davis	}
767	55eb9c44	--global	}
768
769	0914b6bb	Ermal	function local_group_del_user($user) {
770			global $config;
771
772	1e0b1727	Phil Davis	if (!is_array($config['system']['group'])) {
773			return;
774			}
775	0914b6bb	Ermal
776	1e0b1727	Phil Davis	foreach ($config['system']['group'] as $group) {
777	0914b6bb	Ermal	if (is_array($group['member'])) {
778			foreach ($group['member'] as $idx => $uid) {
779	1e0b1727	Phil Davis	if ($user['uid'] == $uid) {
780	0914b6bb	Ermal	unset($config['system']['group']['member'][$idx]);
781	1e0b1727	Phil Davis	}
782	0914b6bb	Ermal	}
783			}
784			}
785			}
786
787	55eb9c44	--global	function local_group_set($group, $reset = false) {
788			global $debug;
789
790			$group_name = $group['name'];
791			$group_gid = $group['gid'];
792	baca968c	Ermal	$group_members = '';
793	1e0b1727	Phil Davis	if (!$reset && !empty($group['member']) && count($group['member']) > 0) {
794	4de8f7ba	Phil Davis	$group_members = implode(",", $group['member']);
795	1e0b1727	Phil Davis	}
796	55eb9c44	--global
797	792adb45	Chris Buechler	if (empty($group_name) \|\| $group['scope'] == "remote") {
798	baca968c	Ermal	return;
799	1e0b1727	Phil Davis	}
800	baca968c	Ermal
801	55eb9c44	--global	/* determine add or mod */
802	0a39f78f	jim-p	if (mwexec("/usr/sbin/pw groupshow -g " . escapeshellarg($group_gid) . " 2>&1", true) == 0) {
803	7cb01159	Chris Buechler	$group_op = "groupmod -l";
804	1e0b1727	Phil Davis	} else {
805	7cb01159	Chris Buechler	$group_op = "groupadd -n";
806	1e0b1727	Phil Davis	}
807	55eb9c44	--global
808			/* add or mod group db */
809	0a39f78f	jim-p	$cmd = "/usr/sbin/pw {$group_op} " .
810			escapeshellarg($group_name) .
811			" -g " . escapeshellarg($group_gid) .
812			" -M " . escapeshellarg($group_members) . " 2>&1";
813	55eb9c44	--global
814	1e0b1727	Phil Davis	if ($debug) {
815	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("Running: %s"), $cmd));
816	1e0b1727	Phil Davis	}
817	0914b6bb	Ermal	mwexec($cmd);
818	55eb9c44	--global
819			}
820
821			function local_group_del($group) {
822			global $debug;
823
824			/* delete from group db */
825	0a39f78f	jim-p	$cmd = "/usr/sbin/pw groupdel " . escapeshellarg($group['name']);
826	55eb9c44	--global
827	1e0b1727	Phil Davis	if ($debug) {
828	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("Running: %s"), $cmd));
829	1e0b1727	Phil Davis	}
830	0914b6bb	Ermal	mwexec($cmd);
831	55eb9c44	--global	}
832
833	6306b5dd	Ermal Lu?i	function ldap_test_connection($authcfg) {
834	55eb9c44	--global	global $debug, $config, $g;
835
836	c61e4626	Ermal Lu?i	if ($authcfg) {
837	d672403c	derelict-pf	if (strstr($authcfg['ldap_urltype'], "SSL")) {
838	1e0b1727	Phil Davis	$ldapproto = "ldaps";
839	d672403c	derelict-pf	} else {
840			$ldapproto = "ldap";
841	1e0b1727	Phil Davis	}
842			$ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
843			$ldapport = $authcfg['ldap_port'];
844			if (!empty($ldapport)) {
845	9f27de6d	jim-p	$ldapserver .= ":{$ldapport}";
846	1e0b1727	Phil Davis	}
847			$ldapbasedn = $authcfg['ldap_basedn'];
848			$ldapbindun = $authcfg['ldap_binddn'];
849			$ldapbindpw = $authcfg['ldap_bindpw'];
850			} else {
851	6306b5dd	Ermal Lu?i	return false;
852	1e0b1727	Phil Davis	}
853	55eb9c44	--global
854	1e0b1727	Phil Davis	/* first check if there is even an LDAP server populated */
855	4de8f7ba	Phil Davis	if (!$ldapserver) {
856	1e0b1727	Phil Davis	return false;
857			}
858	c61e4626	Ermal Lu?i
859	1e0b1727	Phil Davis	/* Setup CA environment if needed. */
860			ldap_setup_caenv($authcfg);
861	fe2031ab	Ermal
862	1e0b1727	Phil Davis	/* connect and see if server is up */
863			$error = false;
864			if (!($ldap = ldap_connect($ldapserver))) {
865	9f27de6d	jim-p	$error = true;
866	1e0b1727	Phil Davis	}
867	c61e4626	Ermal Lu?i
868	1e0b1727	Phil Davis	if ($error == true) {
869			log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname));
870			return false;
871			}
872	55eb9c44	--global
873			return true;
874			}
875
876	fe2031ab	Ermal	function ldap_setup_caenv($authcfg) {
877			global $g;
878	007e59d2	jim-p	require_once("certs.inc");
879	fe2031ab	Ermal
880			unset($caref);
881	d672403c	derelict-pf	if (empty($authcfg['ldap_caref']) \|\| strstr($authcfg['ldap_urltype'], "Standard")) {
882	fe2031ab	Ermal	putenv('LDAPTLS_REQCERT=never');
883			return;
884	87c67243	jim-p	} elseif ($authcfg['ldap_caref'] == "global") {
885			putenv('LDAPTLS_REQCERT=hard');
886			putenv("LDAPTLS_CACERTDIR=/etc/ssl/");
887			putenv("LDAPTLS_CACERT=/etc/ssl/cert.pem");
888	fe2031ab	Ermal	} else {
889	a7702ed5	Ermal	$caref = lookup_ca($authcfg['ldap_caref']);
890	ff500c90	jim-p	$param = array('caref' => $authcfg['ldap_caref']);
891			$cachain = ca_chain($param);
892	fe2031ab	Ermal	if (!$caref) {
893	a7702ed5	Ermal	log_error(sprintf(gettext("LDAP: Could not lookup CA by reference for host %s."), $authcfg['ldap_caref']));
894	fe2031ab	Ermal	/* XXX: Prevent for credential leaking since we cannot setup the CA env. Better way? */
895			putenv('LDAPTLS_REQCERT=hard');
896			return;
897			}
898	1e0b1727	Phil Davis	if (!is_dir("{$g['varrun_path']}/certs")) {
899	fe2031ab	Ermal	@mkdir("{$g['varrun_path']}/certs");
900	1e0b1727	Phil Davis	}
901			if (file_exists("{$g['varrun_path']}/certs/{$caref['refid']}.ca")) {
902	b2a0a8e9	jim-p	@unlink("{$g['varrun_path']}/certs/{$caref['refid']}.ca");
903	1e0b1727	Phil Davis	}
904	ff500c90	jim-p	file_put_contents("{$g['varrun_path']}/certs/{$caref['refid']}.ca", $cachain);
905	b2a0a8e9	jim-p	@chmod("{$g['varrun_path']}/certs/{$caref['refid']}.ca", 0600);
906	fe2031ab	Ermal	putenv('LDAPTLS_REQCERT=hard');
907			/* XXX: Probably even the hashed link should be created for this? */
908	906daddc	Ermal	putenv("LDAPTLS_CACERTDIR={$g['varrun_path']}/certs");
909	b2a0a8e9	jim-p	putenv("LDAPTLS_CACERT={$g['varrun_path']}/certs/{$caref['refid']}.ca");
910	fe2031ab	Ermal	}
911			}
912
913	6306b5dd	Ermal Lu?i	function ldap_test_bind($authcfg) {
914	55eb9c44	--global	global $debug, $config, $g;
915
916	c61e4626	Ermal Lu?i	if ($authcfg) {
917	d672403c	derelict-pf	if (strstr($authcfg['ldap_urltype'], "SSL")) {
918	1e0b1727	Phil Davis	$ldapproto = "ldaps";
919	d672403c	derelict-pf	} else {
920			$ldapproto = "ldap";
921	1e0b1727	Phil Davis	}
922			$ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
923			$ldapport = $authcfg['ldap_port'];
924			if (!empty($ldapport)) {
925	9f27de6d	jim-p	$ldapserver .= ":{$ldapport}";
926	1e0b1727	Phil Davis	}
927			$ldapbasedn = $authcfg['ldap_basedn'];
928			$ldapbindun = $authcfg['ldap_binddn'];
929			$ldapbindpw = $authcfg['ldap_bindpw'];
930			$ldapver = $authcfg['ldap_protver'];
931	e8c09a23	Chris Buechler	$ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 5;
932	1e0b1727	Phil Davis	if (empty($ldapbndun) \|\| empty($ldapbindpw)) {
933			$ldapanon = true;
934			} else {
935			$ldapanon = false;
936			}
937			} else {
938	6306b5dd	Ermal Lu?i	return false;
939	1e0b1727	Phil Davis	}
940	c61e4626	Ermal Lu?i
941			/* first check if there is even an LDAP server populated */
942	1e0b1727	Phil Davis	if (!$ldapserver) {
943			return false;
944			}
945	c61e4626	Ermal Lu?i
946	fe2031ab	Ermal	/* Setup CA environment if needed. */
947			ldap_setup_caenv($authcfg);
948
949	1e0b1727	Phil Davis	/* connect and see if server is up */
950			$error = false;
951			if (!($ldap = ldap_connect($ldapserver))) {
952	9f27de6d	jim-p	$error = true;
953	1e0b1727	Phil Davis	}
954	c61e4626	Ermal Lu?i
955	1e0b1727	Phil Davis	if ($error == true) {
956			log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname));
957			return false;
958			}
959	55eb9c44	--global
960			ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
961	3d3081ec	Andrew MacIsaac	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
962	c61e4626	Ermal Lu?i	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
963	d6b4dfe3	jim-p	ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, (int)$ldaptimeout);
964			ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
965	1180e4f0	Sjon Hortensius
966	d672403c	derelict-pf	if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
967	ff500c90	jim-p	if (!(@ldap_start_tls($ldap))) {
968	d672403c	derelict-pf	log_error(sprintf(gettext("ERROR! ldap_test_bind() could not STARTTLS to server %s."), $ldapname));
969			@ldap_close($ldap);
970			return false;
971			}
972			}
973
974	a5cd1c5a	jim-p	$ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
975			$ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
976	c61e4626	Ermal Lu?i	if ($ldapanon == true) {
977	6306b5dd	Ermal Lu?i	if (!($res = @ldap_bind($ldap))) {
978			@ldap_close($ldap);
979	c61e4626	Ermal Lu?i	return false;
980	6306b5dd	Ermal Lu?i	}
981			} else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
982			@ldap_close($ldap);
983	55eb9c44	--global	return false;
984	6306b5dd	Ermal Lu?i	}
985	55eb9c44	--global
986	6306b5dd	Ermal Lu?i	@ldap_unbind($ldap);
987	c61e4626	Ermal Lu?i
988	55eb9c44	--global	return true;
989			}
990
991	6306b5dd	Ermal Lu?i	function ldap_get_user_ous($show_complete_ou=true, $authcfg) {
992	55eb9c44	--global	global $debug, $config, $g;
993
994	1e0b1727	Phil Davis	if (!function_exists("ldap_connect")) {
995	55eb9c44	--global	return;
996	1e0b1727	Phil Davis	}
997	55eb9c44	--global
998	7a938f1b	Ermal	$ous = array();
999
1000	c61e4626	Ermal Lu?i	if ($authcfg) {
1001	d672403c	derelict-pf	if (strstr($authcfg['ldap_urltype'], "SSL")) {
1002	1e0b1727	Phil Davis	$ldapproto = "ldaps";
1003	d672403c	derelict-pf	} else {
1004			$ldapproto = "ldap";
1005	1e0b1727	Phil Davis	}
1006			$ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
1007			$ldapport = $authcfg['ldap_port'];
1008			if (!empty($ldapport)) {
1009	9f27de6d	jim-p	$ldapserver .= ":{$ldapport}";
1010	1e0b1727	Phil Davis	}
1011			$ldapbasedn = $authcfg['ldap_basedn'];
1012			$ldapbindun = $authcfg['ldap_binddn'];
1013			$ldapbindpw = $authcfg['ldap_bindpw'];
1014			$ldapver = $authcfg['ldap_protver'];
1015			if (empty($ldapbindun) \|\| empty($ldapbindpw)) {
1016			$ldapanon = true;
1017			} else {
1018			$ldapanon = false;
1019			}
1020			$ldapname = $authcfg['name'];
1021			$ldapfallback = false;
1022			$ldapscope = $authcfg['ldap_scope'];
1023	e8c09a23	Chris Buechler	$ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 5;
1024	1e0b1727	Phil Davis	} else {
1025	6306b5dd	Ermal Lu?i	return false;
1026	1e0b1727	Phil Davis	}
1027	55eb9c44	--global
1028	1e0b1727	Phil Davis	/* first check if there is even an LDAP server populated */
1029			if (!$ldapserver) {
1030			log_error(gettext("ERROR! ldap_get_user_ous() backed selected with no LDAP authentication server defined."));
1031			return $ous;
1032			}
1033	c61e4626	Ermal Lu?i
1034	fe2031ab	Ermal	/* Setup CA environment if needed. */
1035			ldap_setup_caenv($authcfg);
1036
1037	c61e4626	Ermal Lu?i	/* connect and see if server is up */
1038	1e0b1727	Phil Davis	$error = false;
1039			if (!($ldap = ldap_connect($ldapserver))) {
1040	9f27de6d	jim-p	$error = true;
1041	1e0b1727	Phil Davis	}
1042	c61e4626	Ermal Lu?i
1043	1e0b1727	Phil Davis	if ($error == true) {
1044			log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname));
1045			return $ous;
1046			}
1047	c61e4626	Ermal Lu?i
1048			$ldapfilter = "(\|(ou=*)(cn=Users))";
1049	55eb9c44	--global
1050			ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
1051	3d3081ec	Andrew MacIsaac	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
1052	c61e4626	Ermal Lu?i	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
1053	d6b4dfe3	jim-p	ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, (int)$ldaptimeout);
1054			ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
1055	55eb9c44	--global
1056	d672403c	derelict-pf	if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
1057	ff500c90	jim-p	if (!(@ldap_start_tls($ldap))) {
1058	d672403c	derelict-pf	log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not STARTTLS to server %s."), $ldapname));
1059			@ldap_close($ldap);
1060			return false;
1061			}
1062			}
1063
1064	a5cd1c5a	jim-p	$ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
1065			$ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
1066	c61e4626	Ermal Lu?i	if ($ldapanon == true) {
1067	1e0b1727	Phil Davis	if (!($res = @ldap_bind($ldap))) {
1068	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not bind anonymously to server %s."), $ldapname));
1069	6306b5dd	Ermal Lu?i	@ldap_close($ldap);
1070	1e0b1727	Phil Davis	return $ous;
1071	c61e4626	Ermal Lu?i	}
1072			} else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
1073	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("ERROR! ldap_get_user_ous() could not bind to server %s."), $ldapname));
1074	6306b5dd	Ermal Lu?i	@ldap_close($ldap);
1075	c61e4626	Ermal Lu?i	return $ous;
1076	55eb9c44	--global	}
1077
1078	1e0b1727	Phil Davis	if ($ldapscope == "one") {
1079	c61e4626	Ermal Lu?i	$ldapfunc = "ldap_list";
1080	1e0b1727	Phil Davis	} else {
1081	c61e4626	Ermal Lu?i	$ldapfunc = "ldap_search";
1082	1e0b1727	Phil Davis	}
1083	55eb9c44	--global
1084	7a938f1b	Ermal	$search = @$ldapfunc($ldap, $ldapbasedn, $ldapfilter);
1085			$info = @ldap_get_entries($ldap, $search);
1086	55eb9c44	--global
1087			if (is_array($info)) {
1088			foreach ($info as $inf) {
1089			if (!$show_complete_ou) {
1090	cfbfd941	smos	$inf_split = explode(",", $inf['dn']);
1091	55eb9c44	--global	$ou = $inf_split[0];
1092	4de8f7ba	Phil Davis	$ou = str_replace("OU=", "", $ou);
1093			$ou = str_replace("CN=", "", $ou);
1094	1e0b1727	Phil Davis	} else {
1095			if ($inf['dn']) {
1096	55eb9c44	--global	$ou = $inf['dn'];
1097	1e0b1727	Phil Davis	}
1098			}
1099			if ($ou) {
1100	55eb9c44	--global	$ous[] = $ou;
1101	1e0b1727	Phil Davis	}
1102	55eb9c44	--global	}
1103			}
1104
1105	6306b5dd	Ermal Lu?i	@ldap_unbind($ldap);
1106
1107	55eb9c44	--global	return $ous;
1108			}
1109
1110	6306b5dd	Ermal Lu?i	function ldap_get_groups($username, $authcfg) {
1111	55eb9c44	--global	global $debug, $config;
1112	1180e4f0	Sjon Hortensius
1113	1e0b1727	Phil Davis	if (!function_exists("ldap_connect")) {
1114	55eb9c44	--global	return;
1115	1e0b1727	Phil Davis	}
1116	1180e4f0	Sjon Hortensius
1117	1e0b1727	Phil Davis	if (!$username) {
1118	55eb9c44	--global	return false;
1119	1e0b1727	Phil Davis	}
1120	55eb9c44	--global
1121	1e0b1727	Phil Davis	if (!isset($authcfg['ldap_nostrip_at']) && stristr($username, "@")) {
1122	2ce660ad	smos	$username_split = explode("@", $username);
1123	1180e4f0	Sjon Hortensius	$username = $username_split[0];
1124	55eb9c44	--global	}
1125
1126	1e0b1727	Phil Davis	if (stristr($username, "\\")) {
1127	cfbfd941	smos	$username_split = explode("\\", $username);
1128	1180e4f0	Sjon Hortensius	$username = $username_split[0];
1129			}
1130
1131	55eb9c44	--global	//log_error("Getting LDAP groups for {$username}.");
1132	1e0b1727	Phil Davis	if ($authcfg) {
1133	d672403c	derelict-pf	if (strstr($authcfg['ldap_urltype'], "SSL")) {
1134	1e0b1727	Phil Davis	$ldapproto = "ldaps";
1135	d672403c	derelict-pf	} else {
1136			$ldapproto = "ldap";
1137	1e0b1727	Phil Davis	}
1138			$ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
1139			$ldapport = $authcfg['ldap_port'];
1140			if (!empty($ldapport)) {
1141	9f27de6d	jim-p	$ldapserver .= ":{$ldapport}";
1142	1e0b1727	Phil Davis	}
1143			$ldapbasedn = $authcfg['ldap_basedn'];
1144			$ldapbindun = $authcfg['ldap_binddn'];
1145			$ldapbindpw = $authcfg['ldap_bindpw'];
1146			$ldapauthcont = $authcfg['ldap_authcn'];
1147			$ldapnameattribute = strtolower($authcfg['ldap_attr_user']);
1148			$ldapgroupattribute = strtolower($authcfg['ldap_attr_member']);
1149	149efbea	jim-p	if (isset($authcfg['ldap_rfc2307'])) {
1150			$ldapfilter = "(&(objectClass={$authcfg['ldap_attr_groupobj']})({$ldapgroupattribute}={$username}))";
1151			} else {
1152			$ldapfilter = "({$ldapnameattribute}={$username})";
1153			}
1154	1e0b1727	Phil Davis	$ldaptype = "";
1155			$ldapver = $authcfg['ldap_protver'];
1156			if (empty($ldapbindun) \|\| empty($ldapbindpw)) {
1157			$ldapanon = true;
1158			} else {
1159			$ldapanon = false;
1160			}
1161			$ldapname = $authcfg['name'];
1162			$ldapfallback = false;
1163			$ldapscope = $authcfg['ldap_scope'];
1164	e8c09a23	Chris Buechler	$ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 5;
1165	1e0b1727	Phil Davis	} else {
1166	6306b5dd	Ermal Lu?i	return false;
1167	1e0b1727	Phil Davis	}
1168	c61e4626	Ermal Lu?i
1169	149efbea	jim-p	if (isset($authcfg['ldap_rfc2307'])) {
1170			$ldapdn = $ldapbasedn;
1171			} else {
1172			$ldapdn = $_SESSION['ldapdn'];
1173			}
1174	c61e4626	Ermal Lu?i
1175	55eb9c44	--global	/Convert attribute to lowercase. php ldap arrays put everything in lowercase /
1176			$ldapgroupattribute = strtolower($ldapgroupattribute);
1177	c61e4626	Ermal Lu?i	$memberof = array();
1178	55eb9c44	--global
1179	1e0b1727	Phil Davis	/* Setup CA environment if needed. */
1180			ldap_setup_caenv($authcfg);
1181	fe2031ab	Ermal
1182	55eb9c44	--global	/* connect and see if server is up */
1183	c61e4626	Ermal Lu?i	$error = false;
1184	1e0b1727	Phil Davis	if (!($ldap = ldap_connect($ldapserver))) {
1185	9f27de6d	jim-p	$error = true;
1186	1e0b1727	Phil Davis	}
1187	c61e4626	Ermal Lu?i
1188			if ($error == true) {
1189	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("ERROR! ldap_get_groups() Could not connect to server %s."), $ldapname));
1190	0241b34f	Phil Davis	return $memberof;
1191	1e0b1727	Phil Davis	}
1192	1180e4f0	Sjon Hortensius
1193	55eb9c44	--global	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
1194	3d3081ec	Andrew MacIsaac	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
1195	c61e4626	Ermal Lu?i	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
1196	d6b4dfe3	jim-p	ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, (int)$ldaptimeout);
1197			ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
1198	55eb9c44	--global
1199	d672403c	derelict-pf	if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
1200	ff500c90	jim-p	if (!(@ldap_start_tls($ldap))) {
1201	d672403c	derelict-pf	log_error(sprintf(gettext("ERROR! ldap_get_groups() could not STARTTLS to server %s."), $ldapname));
1202			@ldap_close($ldap);
1203			return false;
1204			}
1205			}
1206
1207	55eb9c44	--global	/* bind as user that has rights to read group attributes */
1208	a5cd1c5a	jim-p	$ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
1209			$ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
1210	c61e4626	Ermal Lu?i	if ($ldapanon == true) {
1211	1e0b1727	Phil Davis	if (!($res = @ldap_bind($ldap))) {
1212	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("ERROR! ldap_get_groups() could not bind anonymously to server %s."), $ldapname));
1213	6306b5dd	Ermal Lu?i	@ldap_close($ldap);
1214	1e0b1727	Phil Davis	return false;
1215	6306b5dd	Ermal Lu?i	}
1216	c61e4626	Ermal Lu?i	} else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
1217	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("ERROR! ldap_get_groups() could not bind to server %s."), $ldapname));
1218	6306b5dd	Ermal Lu?i	@ldap_close($ldap);
1219	0241b34f	Phil Davis	return $memberof;
1220	55eb9c44	--global	}
1221
1222			/* get groups from DN found */
1223			/* use ldap_read instead of search so we don't have to do a bunch of extra work */
1224			/* since we know the DN is in $_SESSION['ldapdn'] */
1225			//$search = ldap_read($ldap, $ldapdn, "(objectclass=*)", array($ldapgroupattribute));
1226	1e0b1727	Phil Davis	if ($ldapscope == "one") {
1227			$ldapfunc = "ldap_list";
1228			} else {
1229			$ldapfunc = "ldap_search";
1230			}
1231	c61e4626	Ermal Lu?i
1232	1e0b1727	Phil Davis	$search = @$ldapfunc($ldap, $ldapdn, $ldapfilter, array($ldapgroupattribute));
1233			$info = @ldap_get_entries($ldap, $search);
1234	55eb9c44	--global
1235	149efbea	jim-p	$gresults = isset($authcfg['ldap_rfc2307']) ? $info : $info[0][$ldapgroupattribute];
1236	1180e4f0	Sjon Hortensius
1237	4e322e2c	Phil Davis	if (is_array($gresults)) {
1238	55eb9c44	--global	/* Iterate through the groups and throw them into an array */
1239	149efbea	jim-p	foreach ($gresults as $grp) {
1240	4e322e2c	Phil Davis	if (((isset($authcfg['ldap_rfc2307'])) && (stristr($grp["dn"], "CN=") !== false)) \|\|
1241			((!isset($authcfg['ldap_rfc2307'])) && (stristr($grp, "CN=") !== false))) {
1242	149efbea	jim-p	$grpsplit = isset($authcfg['ldap_rfc2307']) ? explode(",", $grp["dn"]) : explode(",", $grp);
1243			$memberof[] = preg_replace("/CN=/i", "", $grpsplit[0]);
1244	55eb9c44	--global	}
1245			}
1246			}
1247	1180e4f0	Sjon Hortensius
1248	55eb9c44	--global	/* Time to close LDAP connection */
1249	6306b5dd	Ermal Lu?i	@ldap_unbind($ldap);
1250	1180e4f0	Sjon Hortensius
1251	4de8f7ba	Phil Davis	$groups = print_r($memberof, true);
1252	1180e4f0	Sjon Hortensius
1253	55eb9c44	--global	//log_error("Returning groups ".$groups." for user $username");
1254	1180e4f0	Sjon Hortensius
1255	55eb9c44	--global	return $memberof;
1256			}
1257
1258	83e0d4c8	jim-p	function ldap_format_host($host) {
1259			return is_ipaddrv6($host) ? "[$host]" : $host ;
1260			}
1261
1262	6306b5dd	Ermal Lu?i	function ldap_backed($username, $passwd, $authcfg) {
1263	55eb9c44	--global	global $debug, $config;
1264	1180e4f0	Sjon Hortensius
1265	1e0b1727	Phil Davis	if (!$username) {
1266	55eb9c44	--global	return;
1267	1e0b1727	Phil Davis	}
1268	55eb9c44	--global
1269	1e0b1727	Phil Davis	if (!function_exists("ldap_connect")) {
1270	55eb9c44	--global	return;
1271	1e0b1727	Phil Davis	}
1272	55eb9c44	--global
1273	1e0b1727	Phil Davis	if (!isset($authcfg['ldap_nostrip_at']) && stristr($username, "@")) {
1274	2ce660ad	smos	$username_split = explode("@", $username);
1275	1180e4f0	Sjon Hortensius	$username = $username_split[0];
1276	55eb9c44	--global	}
1277	1e0b1727	Phil Davis	if (stristr($username, "\\")) {
1278	cfbfd941	smos	$username_split = explode("\\", $username);
1279	1180e4f0	Sjon Hortensius	$username = $username_split[0];
1280	55eb9c44	--global	}
1281
1282	c61e4626	Ermal Lu?i	if ($authcfg) {
1283	d672403c	derelict-pf	if (strstr($authcfg['ldap_urltype'], "SSL")) {
1284	c61e4626	Ermal Lu?i	$ldapproto = "ldaps";
1285	d672403c	derelict-pf	} else {
1286			$ldapproto = "ldap";
1287	1e0b1727	Phil Davis	}
1288			$ldapserver = "{$ldapproto}://" . ldap_format_host($authcfg['host']);
1289			$ldapport = $authcfg['ldap_port'];
1290			if (!empty($ldapport)) {
1291	9f27de6d	jim-p	$ldapserver .= ":{$ldapport}";
1292	1e0b1727	Phil Davis	}
1293			$ldapbasedn = $authcfg['ldap_basedn'];
1294			$ldapbindun = $authcfg['ldap_binddn'];
1295			$ldapbindpw = $authcfg['ldap_bindpw'];
1296			if (empty($ldapbindun) \|\| empty($ldapbindpw)) {
1297	c61e4626	Ermal Lu?i	$ldapanon = true;
1298	1e0b1727	Phil Davis	} else {
1299	c61e4626	Ermal Lu?i	$ldapanon = false;
1300	1e0b1727	Phil Davis	}
1301			$ldapauthcont = $authcfg['ldap_authcn'];
1302			$ldapnameattribute = strtolower($authcfg['ldap_attr_user']);
1303			$ldapextendedqueryenabled = $authcfg['ldap_extended_enabled'];
1304			$ldapextendedquery = $authcfg['ldap_extended_query'];
1305			$ldapfilter = "";
1306			if (!$ldapextendedqueryenabled) {
1307			$ldapfilter = "({$ldapnameattribute}={$username})";
1308			} else {
1309			$ldapfilter = "(&({$ldapnameattribute}={$username})({$ldapextendedquery}))";
1310			}
1311			$ldaptype = "";
1312			$ldapver = $authcfg['ldap_protver'];
1313			$ldapname = $authcfg['name'];
1314			$ldapscope = $authcfg['ldap_scope'];
1315	e8c09a23	Chris Buechler	$ldaptimeout = is_numeric($authcfg['ldap_timeout']) ? $authcfg['ldap_timeout'] : 5;
1316	1e0b1727	Phil Davis	} else {
1317	6306b5dd	Ermal Lu?i	return false;
1318	1e0b1727	Phil Davis	}
1319	55eb9c44	--global
1320	1180e4f0	Sjon Hortensius	/* first check if there is even an LDAP server populated */
1321	1e0b1727	Phil Davis	if (!$ldapserver) {
1322	c61e4626	Ermal Lu?i	if ($ldapfallback) {
1323	94021404	Carlos Eduardo Ramos	log_error(gettext("ERROR! ldap_backed() called with no LDAP authentication server defined. Defaulting to local user database. Visit System -> User Manager."));
1324	c61e4626	Ermal Lu?i	return local_backed($username, $passwd);
1325	1e0b1727	Phil Davis	} else {
1326	94021404	Carlos Eduardo Ramos	log_error(gettext("ERROR! ldap_backed() called with no LDAP authentication server defined."));
1327	1e0b1727	Phil Davis	}
1328	c61e4626	Ermal Lu?i
1329			return false;
1330	55eb9c44	--global	}
1331	1180e4f0	Sjon Hortensius
1332	1e0b1727	Phil Davis	/* Setup CA environment if needed. */
1333			ldap_setup_caenv($authcfg);
1334	fe2031ab	Ermal
1335	d672403c	derelict-pf	/* Make sure we can connect to LDAP */
1336			$error = false;
1337			if (!($ldap = ldap_connect($ldapserver))) {
1338			$error = true;
1339			}
1340
1341	906daddc	Ermal	ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
1342	3d3081ec	Andrew MacIsaac	ldap_set_option($ldap, LDAP_OPT_DEREF, LDAP_DEREF_SEARCHING);
1343	906daddc	Ermal	ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, (int)$ldapver);
1344	d6b4dfe3	jim-p	ldap_set_option($ldap, LDAP_OPT_TIMELIMIT, (int)$ldaptimeout);
1345			ldap_set_option($ldap, LDAP_OPT_NETWORK_TIMEOUT, (int)$ldaptimeout);
1346	906daddc	Ermal
1347	d672403c	derelict-pf	if (strstr($authcfg['ldap_urltype'], "STARTTLS")) {
1348	b2c7a79c	jim-p	if (!(@ldap_start_tls($ldap))) {
1349	d672403c	derelict-pf	log_error(sprintf(gettext("ERROR! ldap_backed() could not STARTTLS to server %s."), $ldapname));
1350			@ldap_close($ldap);
1351			return false;
1352			}
1353	1e0b1727	Phil Davis	}
1354	c61e4626	Ermal Lu?i
1355			if ($error == true) {
1356	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("ERROR! Could not connect to server %s."), $ldapname));
1357	c61e4626	Ermal Lu?i	return false;
1358	55eb9c44	--global	}
1359	c61e4626	Ermal Lu?i
1360	55eb9c44	--global	/* ok, its up. now, lets bind as the bind user so we can search it */
1361	c61e4626	Ermal Lu?i	$error = false;
1362	a5cd1c5a	jim-p	$ldapbindun = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindun) : $ldapbindun;
1363			$ldapbindpw = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapbindpw) : $ldapbindpw;
1364	c61e4626	Ermal Lu?i	if ($ldapanon == true) {
1365	1e0b1727	Phil Davis	if (!($res = @ldap_bind($ldap))) {
1366			$error = true;
1367			}
1368			} else if (!($res = @ldap_bind($ldap, $ldapbindun, $ldapbindpw))) {
1369	c61e4626	Ermal Lu?i	$error = true;
1370	1e0b1727	Phil Davis	}
1371	c61e4626	Ermal Lu?i
1372			if ($error == true) {
1373	6306b5dd	Ermal Lu?i	@ldap_close($ldap);
1374	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("ERROR! Could not bind to server %s."), $ldapname));
1375	c61e4626	Ermal Lu?i	return false;
1376	55eb9c44	--global	}
1377	1180e4f0	Sjon Hortensius
1378	55eb9c44	--global	/* Get LDAP Authcontainers and split em up. */
1379	cfbfd941	smos	$ldac_splits = explode(";", $ldapauthcont);
1380	1180e4f0	Sjon Hortensius
1381	086cf944	Phil Davis	/* setup the usercount so we think we haven't found anyone yet */
1382	4de8f7ba	Phil Davis	$usercount = 0;
1383	55eb9c44	--global
1384			/*****************************************************************/
1385	6990ad35	Phil Davis	/* We first find the user based on username and filter */
1386			/* then, once we find the first occurrence of that person */
1387			/* we set session variables to point to the OU and DN of the */
1388			/* person. To later be used by ldap_get_groups. */
1389	55eb9c44	--global	/* that way we don't have to search twice. */
1390			/*****************************************************************/
1391	1e0b1727	Phil Davis	if ($debug) {
1392	3ac8324f	Ermal	log_auth(sprintf(gettext("Now Searching for %s in directory."), $username));
1393	1e0b1727	Phil Davis	}
1394	c61e4626	Ermal Lu?i	/* Iterate through the user containers for search */
1395			foreach ($ldac_splits as $i => $ldac_split) {
1396	a5cd1c5a	jim-p	$ldac_split = isset($authcfg['ldap_utf8']) ? utf8_encode($ldac_split) : $ldac_split;
1397			$ldapfilter = isset($authcfg['ldap_utf8']) ? utf8_encode($ldapfilter) : $ldapfilter;
1398			$ldapsearchbasedn = isset($authcfg['ldap_utf8']) ? utf8_encode("{$ldac_split},{$ldapbasedn}") : "{$ldac_split},{$ldapbasedn}";
1399	c61e4626	Ermal Lu?i	/* Make sure we just use the first user we find */
1400	1e0b1727	Phil Davis	if ($debug) {
1401	a5cd1c5a	jim-p	log_auth(sprintf(gettext('Now Searching in server %1$s, container %2$s with filter %3$s.'), $ldapname, utf8_decode($ldac_split), utf8_decode($ldapfilter)));
1402	1e0b1727	Phil Davis	}
1403			if ($ldapscope == "one") {
1404	c61e4626	Ermal Lu?i	$ldapfunc = "ldap_list";
1405	1e0b1727	Phil Davis	} else {
1406	c61e4626	Ermal Lu?i	$ldapfunc = "ldap_search";
1407	1e0b1727	Phil Davis	}
1408	c61e4626	Ermal Lu?i	/* Support legacy auth container specification. */
1409	1e0b1727	Phil Davis	if (stristr($ldac_split, "DC=") \|\| empty($ldapbasedn)) {
1410	6990ad35	Phil Davis	$search = @$ldapfunc($ldap, $ldac_split, $ldapfilter);
1411	1e0b1727	Phil Davis	} else {
1412	6990ad35	Phil Davis	$search = @$ldapfunc($ldap, $ldapsearchbasedn, $ldapfilter);
1413	1e0b1727	Phil Davis	}
1414	c61e4626	Ermal Lu?i	if (!$search) {
1415	94021404	Carlos Eduardo Ramos	log_error(sprintf(gettext("Search resulted in error: %s"), ldap_error($ldap)));
1416	c61e4626	Ermal Lu?i	continue;
1417	55eb9c44	--global	}
1418	4de8f7ba	Phil Davis	$info = ldap_get_entries($ldap, $search);
1419	c61e4626	Ermal Lu?i	$matches = $info['count'];
1420	1e0b1727	Phil Davis	if ($matches == 1) {
1421	c61e4626	Ermal Lu?i	$userdn = $_SESSION['ldapdn'] = $info[0]['dn'];
1422			$_SESSION['ldapou'] = $ldac_split[$i];
1423			$_SESSION['ldapon'] = "true";
1424			$usercount = 1;
1425			break;
1426	55eb9c44	--global	}
1427			}
1428
1429	1e0b1727	Phil Davis	if ($usercount != 1) {
1430	6306b5dd	Ermal Lu?i	@ldap_unbind($ldap);
1431	94021404	Carlos Eduardo Ramos	log_error(gettext("ERROR! Either LDAP search failed, or multiple users were found."));
1432	1180e4f0	Sjon Hortensius	return false;
1433	55eb9c44	--global	}
1434	c61e4626	Ermal Lu?i
1435	55eb9c44	--global	/* Now lets bind as the user we found */
1436	a5cd1c5a	jim-p	$passwd = isset($authcfg['ldap_utf8']) ? utf8_encode($passwd) : $passwd;
1437	c61e4626	Ermal Lu?i	if (!($res = @ldap_bind($ldap, $userdn, $passwd))) {
1438	3697adb2	jim-p	log_error(sprintf(gettext('ERROR! Could not login to server %1$s as user %2$s: %3$s'), $ldapname, $username, ldap_error($ldap)));
1439	6306b5dd	Ermal Lu?i	@ldap_unbind($ldap);
1440	c61e4626	Ermal Lu?i	return false;
1441	55eb9c44	--global	}
1442
1443	a5cd1c5a	jim-p	if ($debug) {
1444			$userdn = isset($authcfg['ldap_utf8']) ? utf8_decode($userdn) : $userdn;
1445	2004def5	Ermal	log_auth(sprintf(gettext('Logged in successfully as %1$s via LDAP server %2$s with DN = %3$s.'), $username, $ldapname, $userdn));
1446	a5cd1c5a	jim-p	}
1447	c61e4626	Ermal Lu?i
1448			/* At this point we are bound to LDAP so the user was auth'd okay. Close connection. */
1449	6306b5dd	Ermal Lu?i	@ldap_unbind($ldap);
1450	55eb9c44	--global
1451			return true;
1452			}
1453
1454	9da4a575	Renato Botelho	function radius_backed($username, $password, $authcfg, &$attributes = array()) {
1455	a13ce628	Ermal Lu?i	global $debug, $config;
1456	55eb9c44	--global	$ret = false;
1457
1458	868c6826	Ermal	require_once("radius.inc");
1459	9da4a575	Renato Botelho	require_once("Crypt/CHAP.php");
1460	868c6826	Ermal
1461	c61e4626	Ermal Lu?i	if ($authcfg) {
1462			$radiusservers = array();
1463			$radiusservers[0]['ipaddr'] = $authcfg['host'];
1464			$radiusservers[0]['port'] = $authcfg['radius_auth_port'];
1465			$radiusservers[0]['sharedsecret'] = $authcfg['radius_secret'];
1466	bddd2be8	jim-p	$radiusservers[0]['timeout'] = $authcfg['radius_timeout'];
1467	9da4a575	Renato Botelho	if(isset($authcfg['radius_protocol'])) {
1468			$radius_protocol = $authcfg['radius_protocol'];
1469			} else {
1470			$radius_protocol = 'PAP';
1471			}
1472	1e0b1727	Phil Davis	} else {
1473	6306b5dd	Ermal Lu?i	return false;
1474	1e0b1727	Phil Davis	}
1475	c61e4626	Ermal Lu?i
1476	9da4a575	Renato Botelho	// Create our instance
1477			$classname = 'Auth_RADIUS_' . $radius_protocol;
1478			$rauth = new $classname($username, $password);
1479
1480	1e0b1727	Phil Davis	/* Add new servers to our instance */
1481	bddd2be8	jim-p	foreach ($radiusservers as $radsrv) {
1482			$timeout = (is_numeric($radsrv['timeout'])) ? $radsrv['timeout'] : 5;
1483			$rauth->addServer($radsrv['ipaddr'], $radsrv['port'], $radsrv['sharedsecret'], $timeout);
1484			}
1485	55eb9c44	--global
1486	9da4a575	Renato Botelho	// Construct data package
1487			$rauth->username = $username;
1488			switch ($radius_protocol) {
1489			case 'CHAP_MD5':
1490			case 'MSCHAPv1':
1491			$classname = $radius_protocol == 'MSCHAPv1' ? 'Crypt_CHAP_MSv1' : 'Crypt_CHAP_MD5';
1492			$crpt = new $classname;
1493			$crpt->username = $username;
1494			$crpt->password = $password;
1495			$rauth->challenge = $crpt->challenge;
1496			$rauth->chapid = $crpt->chapid;
1497			$rauth->response = $crpt->challengeResponse();
1498			$rauth->flags = 1;
1499			break;
1500
1501			case 'MSCHAPv2':
1502			$crpt = new Crypt_CHAP_MSv2;
1503			$crpt->username = $username;
1504			$crpt->password = $password;
1505			$rauth->challenge = $crpt->authChallenge;
1506			$rauth->peerChallenge = $crpt->peerChallenge;
1507			$rauth->chapid = $crpt->chapid;
1508			$rauth->response = $crpt->challengeResponse();
1509			break;
1510
1511			default:
1512			$rauth->password = $password;
1513			break;
1514			}
1515
1516	6e815096	Ermal	if (PEAR::isError($rauth->start())) {
1517	55eb9c44	--global	$retvalue['auth_val'] = 1;
1518			$retvalue['error'] = $rauth->getError();
1519	1e0b1727	Phil Davis	if ($debug) {
1520	23afee66	Renato Botelho	printf(gettext("RADIUS start: %s") . "<br />\n", $retvalue['error']);
1521	1e0b1727	Phil Davis	}
1522	55eb9c44	--global	}
1523
1524			// XXX - billm - somewhere in here we need to handle securid challenge/response
1525
1526			/* Send request */
1527			$result = $rauth->send();
1528			if (PEAR::isError($result)) {
1529			$retvalue['auth_val'] = 1;
1530			$retvalue['error'] = $result->getMessage();
1531	1e0b1727	Phil Davis	if ($debug) {
1532	23afee66	Renato Botelho	printf(gettext("RADIUS send failed: %s") . "<br />\n", $retvalue['error']);
1533	1e0b1727	Phil Davis	}
1534	55eb9c44	--global	} else if ($result === true) {
1535	1e0b1727	Phil Davis	if ($rauth->getAttributes()) {
1536	1492e02c	Ermal	$attributes = $rauth->listAttributes();
1537	1e0b1727	Phil Davis	}
1538	55eb9c44	--global	$retvalue['auth_val'] = 2;
1539	1e0b1727	Phil Davis	if ($debug) {
1540	7aaf60a8	k-paulius	printf(gettext("RADIUS Auth succeeded")."<br />\n");
1541	1e0b1727	Phil Davis	}
1542	55eb9c44	--global	$ret = true;
1543			} else {
1544			$retvalue['auth_val'] = 3;
1545	1e0b1727	Phil Davis	if ($debug) {
1546	7aaf60a8	k-paulius	printf(gettext("RADIUS Auth rejected")."<br />\n");
1547	1e0b1727	Phil Davis	}
1548	55eb9c44	--global	}
1549
1550			// close OO RADIUS_AUTHENTICATION
1551			$rauth->close();
1552
1553			return $ret;
1554			}
1555
1556	c4a9f99a	jim-p	/*
1557			$attributes must contain a "class" key containing the groups and local
1558			groups must exist to match.
1559			*/
1560			function radius_get_groups($attributes) {
1561			$groups = array();
1562	461bae6b	jim-p	if (!empty($attributes) && is_array($attributes) && (!empty($attributes['class']) \|\| !empty($attributes['class_int']))) {
1563			/* Some RADIUS servers return multiple class attributes, so check them all. */
1564			$groups = array();
1565			if (!empty($attributes['class']) && is_array($attributes['class'])) {
1566			foreach ($attributes['class'] as $class) {
1567			$groups = array_unique(array_merge($groups, explode(";", $class)));
1568			}
1569			}
1570
1571	c4a9f99a	jim-p	foreach ($groups as & $grp) {
1572	916fc1f8	jim-p	$grp = trim($grp);
1573			if (strtolower(substr($grp, 0, 3)) == "ou=") {
1574	c4a9f99a	jim-p	$grp = substr($grp, 3);
1575			}
1576			}
1577			}
1578			return $groups;
1579			}
1580
1581	7dd044f2	sullrich	function get_user_expiration_date($username) {
1582	a13ce628	Ermal Lu?i	$user = getUserEntry($username);
1583	1e0b1727	Phil Davis	if ($user['expires']) {
1584	a13ce628	Ermal Lu?i	return $user['expires'];
1585	1e0b1727	Phil Davis	}
1586	a13ce628	Ermal Lu?i	}
1587
1588			function is_account_expired($username) {
1589			$expirydate = get_user_expiration_date($username);
1590			if ($expirydate) {
1591	4de8f7ba	Phil Davis	if (strtotime("-1 day") > strtotime(date("m/d/Y", strtotime($expirydate)))) {
1592	a13ce628	Ermal Lu?i	return true;
1593	1e0b1727	Phil Davis	}
1594	7dd044f2	sullrich	}
1595	a13ce628	Ermal Lu?i
1596			return false;
1597	7dd044f2	sullrich	}
1598
1599	b4bfd25d	sullrich	function is_account_disabled($username) {
1600	a13ce628	Ermal Lu?i	$user = getUserEntry($username);
1601	1e0b1727	Phil Davis	if (isset($user['disabled'])) {
1602	a13ce628	Ermal Lu?i	return true;
1603	1e0b1727	Phil Davis	}
1604	a13ce628	Ermal Lu?i
1605	b4bfd25d	sullrich	return false;
1606			}
1607
1608	8bab524e	Phil Davis	function get_user_settings($username) {
1609			global $config;
1610			$settings = array();
1611			$settings['widgets'] = $config['widgets'];
1612			$settings['webgui']['dashboardcolumns'] = $config['system']['webgui']['dashboardcolumns'];
1613			$settings['webgui']['webguihostnamemenu'] = $config['system']['webgui']['webguihostnamemenu'];
1614			$settings['webgui']['webguicss'] = $config['system']['webgui']['webguicss'];
1615	e79ff1ee	Steve Beaver	$settings['webgui']['logincss'] = $config['system']['webgui']['logincss'];
1616	1d3510cf	Phil Davis	$settings['webgui']['interfacessort'] = isset($config['system']['webgui']['interfacessort']);
1617	8bab524e	Phil Davis	$settings['webgui']['dashboardavailablewidgetspanel'] = isset($config['system']['webgui']['dashboardavailablewidgetspanel']);
1618			$settings['webgui']['webguifixedmenu'] = isset($config['system']['webgui']['webguifixedmenu']);
1619			$settings['webgui']['webguileftcolumnhyper'] = isset($config['system']['webgui']['webguileftcolumnhyper']);
1620	d9058974	Phil Davis	$settings['webgui']['disablealiaspopupdetail'] = isset($config['system']['webgui']['disablealiaspopupdetail']);
1621	8bab524e	Phil Davis	$settings['webgui']['systemlogsfilterpanel'] = isset($config['system']['webgui']['systemlogsfilterpanel']);
1622			$settings['webgui']['systemlogsmanagelogpanel'] = isset($config['system']['webgui']['systemlogsmanagelogpanel']);
1623			$settings['webgui']['statusmonitoringsettingspanel'] = isset($config['system']['webgui']['statusmonitoringsettingspanel']);
1624			$settings['webgui']['pagenamefirst'] = isset($config['system']['webgui']['pagenamefirst']);
1625			$user = getUserEntry($username);
1626			if (isset($user['customsettings'])) {
1627			$settings['customsettings'] = true;
1628			if (isset($user['widgets'])) {
1629			// This includes the 'sequence', and any widgetname-config per-widget settings.
1630			$settings['widgets'] = $user['widgets'];
1631			}
1632			if (isset($user['dashboardcolumns'])) {
1633			$settings['webgui']['dashboardcolumns'] = $user['dashboardcolumns'];
1634			}
1635			if (isset($user['webguicss'])) {
1636			$settings['webgui']['webguicss'] = $user['webguicss'];
1637			}
1638			if (isset($user['webguihostnamemenu'])) {
1639			$settings['webgui']['webguihostnamemenu'] = $user['webguihostnamemenu'];
1640			}
1641	1d3510cf	Phil Davis	$settings['webgui']['interfacessort'] = isset($user['interfacessort']);
1642	8bab524e	Phil Davis	$settings['webgui']['dashboardavailablewidgetspanel'] = isset($user['dashboardavailablewidgetspanel']);
1643			$settings['webgui']['webguifixedmenu'] = isset($user['webguifixedmenu']);
1644			$settings['webgui']['webguileftcolumnhyper'] = isset($user['webguileftcolumnhyper']);
1645	d9058974	Phil Davis	$settings['webgui']['disablealiaspopupdetail'] = isset($user['disablealiaspopupdetail']);
1646	8bab524e	Phil Davis	$settings['webgui']['systemlogsfilterpanel'] = isset($user['systemlogsfilterpanel']);
1647			$settings['webgui']['systemlogsmanagelogpanel'] = isset($user['systemlogsmanagelogpanel']);
1648			$settings['webgui']['statusmonitoringsettingspanel'] = isset($user['statusmonitoringsettingspanel']);
1649			$settings['webgui']['pagenamefirst'] = isset($user['pagenamefirst']);
1650			} else {
1651			$settings['customsettings'] = false;
1652			}
1653
1654			if ($settings['webgui']['dashboardcolumns'] < 1) {
1655			$settings['webgui']['dashboardcolumns'] = 2;
1656			}
1657
1658			return $settings;
1659			}
1660
1661	2b7d0520	Phil Davis	function save_widget_settings($username, $settings, $message = "") {
1662	8bab524e	Phil Davis	global $config, $userindex;
1663			$user = getUserEntry($username);
1664	2b7d0520	Phil Davis
1665			if (strlen($message) > 0) {
1666			$msgout = $message;
1667			} else {
1668			$msgout = gettext("Widget configuration has been changed.");
1669			}
1670
1671	8bab524e	Phil Davis	if (isset($user['customsettings'])) {
1672			$config['system']['user'][$userindex[$username]]['widgets'] = $settings;
1673	2b7d0520	Phil Davis	write_config($msgout . " " . sprintf(gettext("(User %s)"), $username));
1674	8bab524e	Phil Davis	} else {
1675			$config['widgets'] = $settings;
1676	2b7d0520	Phil Davis	write_config($msgout);
1677	8bab524e	Phil Davis	}
1678			}
1679
1680	c61e4626	Ermal Lu?i	function auth_get_authserver($name) {
1681	1e0b1727	Phil Davis	global $config;
1682
1683			if (is_array($config['system']['authserver'])) {
1684			foreach ($config['system']['authserver'] as $authcfg) {
1685			if ($authcfg['name'] == $name) {
1686			return $authcfg;
1687			}
1688			}
1689			}
1690			if ($name == "Local Database") {
1691	96568521	Vinicius Coque	return array("name" => gettext("Local Database"), "type" => "Local Auth", "host" => $config['system']['hostname']);
1692	1e0b1727	Phil Davis	}
1693	6306b5dd	Ermal Lu?i	}
1694
1695			function auth_get_authserver_list() {
1696	1e0b1727	Phil Davis	global $config;
1697	6306b5dd	Ermal Lu?i
1698			$list = array();
1699
1700	1e0b1727	Phil Davis	if (is_array($config['system']['authserver'])) {
1701			foreach ($config['system']['authserver'] as $authcfg) {
1702	6306b5dd	Ermal Lu?i	/* Add support for disabled entries? */
1703			$list[$authcfg['name']] = $authcfg;
1704	1e0b1727	Phil Davis	}
1705			}
1706	6306b5dd	Ermal Lu?i
1707	4de8f7ba	Phil Davis	$list["Local Database"] = array("name" => gettext("Local Database"), "type" => "Local Auth", "host" => $config['system']['hostname']);
1708	6306b5dd	Ermal Lu?i	return $list;
1709	c61e4626	Ermal Lu?i	}
1710
1711	c4a9f99a	jim-p	function getUserGroups($username, $authcfg, &$attributes = array()) {
1712	fb0f22c0	Ermal Lu?i	global $config;
1713
1714			$allowed_groups = array();
1715
1716	1e0b1727	Phil Davis	switch ($authcfg['type']) {
1717			case 'ldap':
1718			$allowed_groups = @ldap_get_groups($username, $authcfg);
1719			break;
1720			case 'radius':
1721	c4a9f99a	jim-p	$allowed_groups = @radius_get_groups($attributes);
1722	1e0b1727	Phil Davis	break;
1723			default:
1724			$user = getUserEntry($username);
1725			$allowed_groups = @local_user_get_groups($user, true);
1726			break;
1727	fb0f22c0	Ermal Lu?i	}
1728
1729			$member_groups = array();
1730	1e0b1727	Phil Davis	if (is_array($config['system']['group'])) {
1731			foreach ($config['system']['group'] as $group) {
1732			if (in_array($group['name'], $allowed_groups)) {
1733	fb0f22c0	Ermal Lu?i	$member_groups[] = $group['name'];
1734	1e0b1727	Phil Davis	}
1735			}
1736	fb0f22c0	Ermal Lu?i	}
1737
1738			return $member_groups;
1739			}
1740
1741	1492e02c	Ermal	function authenticate_user($username, $password, $authcfg = NULL, &$attributes = array()) {
1742	c61e4626	Ermal Lu?i
1743	b7369ff8	NewEraCracker	if (is_array($username) \|\| is_array($password)) {
1744			return false;
1745			}
1746
1747	c61e4626	Ermal Lu?i	if (!$authcfg) {
1748			return local_backed($username, $password);
1749			}
1750
1751			$authenticated = false;
1752	1e0b1727	Phil Davis	switch ($authcfg['type']) {
1753			case 'ldap':
1754			if (ldap_backed($username, $password, $authcfg)) {
1755			$authenticated = true;
1756			}
1757			break;
1758			case 'radius':
1759			if (radius_backed($username, $password, $authcfg, $attributes)) {
1760			$authenticated = true;
1761			}
1762			break;
1763			default:
1764			/* lookup user object by name */
1765			if (local_backed($username, $password)) {
1766			$authenticated = true;
1767			}
1768			break;
1769			}
1770	c61e4626	Ermal Lu?i
1771			return $authenticated;
1772			}
1773
1774	6306b5dd	Ermal Lu?i	function session_auth() {
1775	aa205c3b	Ermal	global $config, $_SESSION, $page;
1776	55eb9c44	--global
1777	49ddf9a1	Warren Baker	// Handle HTTPS httponly and secure flags
1778	16789caa	Renato Botelho	$currentCookieParams = session_get_cookie_params();
1779			session_set_cookie_params(
1780			$currentCookieParams["lifetime"],
1781			$currentCookieParams["path"],
1782			NULL,
1783			($config['system']['webgui']['protocol'] == "https"),
1784			true
1785			);
1786	49ddf9a1	Warren Baker
1787	82cd6022	PiBa-NL	phpsession_begin();
1788	55eb9c44	--global
1789	dd030de9	Renato Botelho	// Detect protocol change
1790	1e0b1727	Phil Davis	if (!isset($_POST['login']) && !empty($_SESSION['Logged_In']) && $_SESSION['protocol'] != $config['system']['webgui']['protocol']) {
1791	82cd6022	PiBa-NL	phpsession_end();
1792	dd030de9	Renato Botelho	return false;
1793	1e0b1727	Phil Davis	}
1794	dd030de9	Renato Botelho
1795	55eb9c44	--global	/* Validate incoming login request */
1796	c4a9f99a	jim-p	$attributes = array();
1797	88165371	Ermal	if (isset($_POST['login']) && !empty($_POST['usernamefld']) && !empty($_POST['passwordfld'])) {
1798	6306b5dd	Ermal Lu?i	$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
1799	b77a6394	PiBa-NL	$remoteauth = authenticate_user($_POST['usernamefld'], $_POST['passwordfld'], $authcfg, $attributes);
1800			if ($remoteauth \|\| authenticate_user($_POST['usernamefld'], $_POST['passwordfld'])) {
1801	526f5b11	Renato Botelho	// Generate a new id to avoid session fixation
1802	8588095f	Renato Botelho	session_regenerate_id();
1803	6306b5dd	Ermal Lu?i	$_SESSION['Logged_In'] = "True";
1804	b77a6394	PiBa-NL	$_SESSION['remoteauth'] = $remoteauth;
1805	6306b5dd	Ermal Lu?i	$_SESSION['Username'] = $_POST['usernamefld'];
1806	c4a9f99a	jim-p	$_SESSION['user_radius_attributes'] = $attributes;
1807	6306b5dd	Ermal Lu?i	$_SESSION['last_access'] = time();
1808	dd030de9	Renato Botelho	$_SESSION['protocol'] = $config['system']['webgui']['protocol'];
1809	82cd6022	PiBa-NL	phpsession_end(true);
1810	1e0b1727	Phil Davis	if (!isset($config['system']['webgui']['quietlogin'])) {
1811	54bdff75	Vinicius Coque	log_auth(sprintf(gettext("Successful login for user '%1\$s' from: %2\$s"), $_POST['usernamefld'], $_SERVER['REMOTE_ADDR']));
1812	4fc3855f	smos	}
1813	1e0b1727	Phil Davis	if (isset($_POST['postafterlogin'])) {
1814	92140621	Ermal	return true;
1815	1e0b1727	Phil Davis	} else {
1816			if (empty($page)) {
1817	80b292f3	Ermal	$page = "/";
1818	1e0b1727	Phil Davis	}
1819	80b292f3	Ermal	header("Location: {$page}");
1820			}
1821	f23e6363	Ermal	exit;
1822	a13ce628	Ermal Lu?i	} else {
1823			/* give the user an error message */
1824	ca44a37c	Steve Beaver	$_SESSION['Login_Error'] = gettext("Username or Password incorrect");
1825	65f7fba8	Scott Ullrich	log_auth("webConfigurator authentication error for '{$_POST['usernamefld']}' from {$_SERVER['REMOTE_ADDR']}");
1826	1e0b1727	Phil Davis	if (isAjax()) {
1827	a13ce628	Ermal Lu?i	echo "showajaxmessage('{$_SESSION['Login_Error']}');";
1828			return;
1829	55eb9c44	--global	}
1830			}
1831			}
1832
1833			/* Show login page if they aren't logged in */
1834	1e0b1727	Phil Davis	if (empty($_SESSION['Logged_In'])) {
1835	82cd6022	PiBa-NL	phpsession_end(true);
1836	55eb9c44	--global	return false;
1837	1e0b1727	Phil Davis	}
1838	55eb9c44	--global
1839			/* If session timeout isn't set, we don't mark sessions stale */
1840	02647583	Ermal	if (!isset($config['system']['webgui']['session_timeout'])) {
1841	bdadaf3c	Chris Buechler	/* Default to 4 hour timeout if one is not set */
1842			if ($_SESSION['last_access'] < (time() - 14400)) {
1843	ce437697	Steve Beaver	$_POST['logout'] = true;
1844	bdadaf3c	Chris Buechler	$_SESSION['Logout'] = true;
1845	1e0b1727	Phil Davis	} else {
1846	1180e4f0	Sjon Hortensius	$_SESSION['last_access'] = time();
1847	1e0b1727	Phil Davis	}
1848	02647583	Ermal	} else if (intval($config['system']['webgui']['session_timeout']) == 0) {
1849			/* only update if it wasn't ajax */
1850	1e0b1727	Phil Davis	if (!isAjax()) {
1851	02647583	Ermal	$_SESSION['last_access'] = time();
1852	1e0b1727	Phil Davis	}
1853	bdadaf3c	Chris Buechler	} else {
1854	55eb9c44	--global	/* Check for stale session */
1855			if ($_SESSION['last_access'] < (time() - ($config['system']['webgui']['session_timeout'] * 60))) {
1856	ce437697	Steve Beaver	$_POST['logout'] = true;
1857	55eb9c44	--global	$_SESSION['Logout'] = true;
1858			} else {
1859			/* only update if it wasn't ajax */
1860	1e0b1727	Phil Davis	if (!isAjax()) {
1861	55eb9c44	--global	$_SESSION['last_access'] = time();
1862	1e0b1727	Phil Davis	}
1863	55eb9c44	--global	}
1864			}
1865
1866			/* user hit the logout button */
1867	ce437697	Steve Beaver	if (isset($_POST['logout'])) {
1868	55eb9c44	--global
1869	1e0b1727	Phil Davis	if ($_SESSION['Logout']) {
1870	addc0439	Renato Botelho	log_error(sprintf(gettext("Session timed out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR']));
1871	1e0b1727	Phil Davis	} else {
1872	addc0439	Renato Botelho	log_error(sprintf(gettext("User logged out for user '%1\$s' from: %2\$s"), $_SESSION['Username'], $_SERVER['REMOTE_ADDR']));
1873	1e0b1727	Phil Davis	}
1874	55eb9c44	--global
1875			/* wipe out $_SESSION */
1876			$_SESSION = array();
1877
1878	1e0b1727	Phil Davis	if (isset($_COOKIE[session_name()])) {
1879	55eb9c44	--global	setcookie(session_name(), '', time()-42000, '/');
1880	1e0b1727	Phil Davis	}
1881	55eb9c44	--global
1882			/* and destroy it */
1883	82cd6022	PiBa-NL	phpsession_destroy();
1884	55eb9c44	--global
1885	cfbfd941	smos	$scriptName = explode("/", $_SERVER["SCRIPT_FILENAME"]);
1886	55eb9c44	--global	$scriptElms = count($scriptName);
1887			$scriptName = $scriptName[$scriptElms-1];
1888
1889	1e0b1727	Phil Davis	if (isAjax()) {
1890	55eb9c44	--global	return false;
1891	1e0b1727	Phil Davis	}
1892	55eb9c44	--global
1893			/* redirect to page the user is on, it'll prompt them to login again */
1894	6f3d2063	Renato Botelho	header("Location: {$scriptName}");
1895	55eb9c44	--global
1896			return false;
1897			}
1898
1899			/*
1900			* this is for debugging purpose if you do not want to use Ajax
1901	1e0b1727	Phil Davis	* to submit a HTML form. It basically disables the observation
1902	55eb9c44	--global	* of the submit event and hence does not trigger Ajax.
1903			*/
1904	8d58ebae	Steve Beaver	if ($_REQUEST['disable_ajax']) {
1905	55eb9c44	--global	$_SESSION['NO_AJAX'] = "True";
1906	1e0b1727	Phil Davis	}
1907	55eb9c44	--global
1908			/*
1909			* Same to re-enable Ajax.
1910			*/
1911	8d58ebae	Steve Beaver	if ($_REQUEST['enable_ajax']) {
1912	55eb9c44	--global	unset($_SESSION['NO_AJAX']);
1913	1e0b1727	Phil Davis	}
1914	82cd6022	PiBa-NL	phpsession_end(true);
1915	55eb9c44	--global	return true;
1916			}
1917
1918	88165371	Ermal	?>

Project

General

Profile

pfSense