<?php
2
/*
3 aaec5634 Renato Botelho
 * system_authservers.php
4 ac9d8bed Stephen Beaver
 *
5 aaec5634 Renato Botelho
 * part of pfSense (https://www.pfsense.org)
6 2a2396a6 Renato Botelho
 * Copyright (c) 2004-2016 Rubicon Communications, LLC (Netgate)
7 aaec5634 Renato Botelho
 * Copyright (c) 2008 Shrew Soft Inc
8
 * All rights reserved.
9 ac9d8bed Stephen Beaver
 *
10 aaec5634 Renato Botelho
 * Redistribution and use in source and binary forms, with or without
11
 * modification, are permitted provided that the following conditions are met:
12 ac9d8bed Stephen Beaver
 *
13 aaec5634 Renato Botelho
 * 1. Redistributions of source code must retain the above copyright notice,
14
 *    this list of conditions and the following disclaimer.
15 ac9d8bed Stephen Beaver
 *
16 aaec5634 Renato Botelho
 * 2. Redistributions in binary form must reproduce the above copyright
17
 *    notice, this list of conditions and the following disclaimer in
18
 *    the documentation and/or other materials provided with the
19
 *    distribution.
20 ac9d8bed Stephen Beaver
 *
21 aaec5634 Renato Botelho
 * 3. All advertising materials mentioning features or use of this software
22
 *    must display the following acknowledgment:
23
 *    "This product includes software developed by the pfSense Project
24
 *    for use in the pfSense® software distribution. (http://www.pfsense.org/).
25 ac9d8bed Stephen Beaver
 *
26 aaec5634 Renato Botelho
 * 4. The names "pfSense" and "pfSense Project" must not be used to
27
 *    endorse or promote products derived from this software without
28
 *    prior written permission. For written permission, please contact
29
 *    coreteam@pfsense.org.
30 ac9d8bed Stephen Beaver
 *
31 aaec5634 Renato Botelho
 * 5. Products derived from this software may not be called "pfSense"
32
 *    nor may "pfSense" appear in their names without prior written
33
 *    permission of the Electric Sheep Fencing, LLC.
34 ac9d8bed Stephen Beaver
 *
35 aaec5634 Renato Botelho
 * 6. Redistributions of any form whatsoever must retain the following
36
 *    acknowledgment:
37 ac9d8bed Stephen Beaver
 *
38 aaec5634 Renato Botelho
 * "This product includes software developed by the pfSense Project
39
 * for use in the pfSense software distribution (http://www.pfsense.org/).
40 ac9d8bed Stephen Beaver
 *
41 aaec5634 Renato Botelho
 * THIS SOFTWARE IS PROVIDED BY THE pfSense PROJECT ``AS IS'' AND ANY
42
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
44
 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE pfSense PROJECT OR
45
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
46
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
47
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
48
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
49
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
50
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
51
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
52
 * OF THE POSSIBILITY OF SUCH DAMAGE.
53 ac9d8bed Stephen Beaver
 */
54 fbf672cb Matthew Grooms
55
##|+PRIV
56
##|*IDENT=page-system-authservers
57
##|*NAME=System: Authentication Servers
58
##|*DESCR=Allow access to the 'System: Authentication Servers' page.
59
##|*MATCH=system_authservers.php*
60
##|-PRIV
61
62 aceaf18c Phil Davis
require_once("guiconfig.inc");
63 acee624f Ermal Lu?i
require_once("auth.inc");
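// Have we been called to populate the "Select a container" modal?
// The page calls itself with "ajax" set; this branch builds a temporary LDAP
// configuration from the request, asks the directory for its containers,
// prints the modal markup and exits without rendering the rest of the page.
//
// NOTE(review): every connection parameter, including the bind DN and the
// bind password, is read from $_REQUEST, so it is accepted from the query
// string as well as from a POST body. Query strings tend to end up in access
// logs and browser history; confirm the client-side caller sends these by POST.
// NOTE(review): host and port come straight from the request, so this branch
// makes this system open an LDAP connection to whatever endpoint the caller
// names. The only gate visible in this file is the page privilege.
if (!empty($_REQUEST['ajax'])) {

	$authcfg = array(
		'ldap_port' => $_REQUEST['port'],
		'ldap_basedn' => $_REQUEST['basedn'],
		'host' => $_REQUEST['host'],
		'ldap_scope' => $_REQUEST['scope'],
		'ldap_binddn' => $_REQUEST['binddn'],
		'ldap_bindpw' => $_REQUEST['bindpw'],
		'ldap_urltype' => $_REQUEST['urltype'],
		'ldap_protver' => $_REQUEST['proto'],
		// Containers already chosen in the form arrive as one ";"-separated string.
		'ldap_authcn' => explode(";", $_REQUEST['authcn']),
		'ldap_caref' => $_REQUEST['cert'],
	);

	$ous = ldap_get_user_ous(true, $authcfg);

	if (empty($ous)) {
		print('<span class="text-danger">Could not connect to the LDAP server. Please check the LDAP configuration.</span>');
	} else {
		$modal = new Modal("Select LDAP containers for authentication", "containers", true);
		$group = new Form_MultiCheckboxGroup('Containers');

		if (is_array($ous)) {
			$idx = 0;

			foreach ($ous as $ou) {
				// Strict comparison: container names are strings, and loose
				// matching would treat numeric-looking names as equal.
				// NOTE(review): $ou is text returned by the directory server;
				// whether it is HTML-escaped depends on Form_MultiCheckbox - confirm.
				$group->add(new Form_MultiCheckbox(
					'ou' . $idx,
					'',
					$ou,
					in_array($ou, $authcfg['ldap_authcn'], true),
					$ou
				));

				$idx++;
			}
		}

		$modal->add($group);

		// Create a "Save button"
		$btnsv = new Form_Button(
			'svcontbtn',
			'Save',
			null,
			'fa-save'
		);

		// The class name previously carried a stray ")" ("btn-default)"), so
		// the default style was never removed before adding the primary one.
		$btnsv->removeClass("btn-default")->addClass("btn-primary");

		$modal->addInput(new Form_StaticText(
			'',
			$btnsv
		));

		print($modal);
	}

	exit;
}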
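// Resolve the index of the server being acted on. Only values accepted by
// is_numericint() are used; an id in the POST body overrides one in the query
// string. The isset() guards keep a missing parameter from being read at all.
if (isset($_GET['id']) && is_numericint($_GET['id'])) {
	$id = $_GET['id'];
}

if (isset($_POST['id']) && is_numericint($_POST['id'])) {
	$id = $_POST['id'];
}

if (!is_array($config['system']['authserver'])) {
	$config['system']['authserver'] = array();
}

// Re-index the server list numerically. $a_server starts as an empty array so
// the lookups and loops further down always have an array to work on, even
// when auth_get_authserver_list() returns nothing.
$a_server = array();
$a_servers = auth_get_authserver_list();
foreach ($a_servers as $servers) {
	$a_server[] = $servers;
}

if (!is_array($config['ca'])) {
	$config['ca'] = array();
}
// Reference, not a copy: $a_ca is an alias of the CA list in $config.
$a_ca =& $config['ca'];

// Requested action; a value in the POST body wins over the query string.
$act = isset($_GET['act']) ? $_GET['act'] : null;
if (!empty($_POST['act'])) {
	$act = $_POST['act'];
}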
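// Delete an authentication server and persist the change.
//
// NOTE(review): the entry to delete is identified by "id" in the query
// string, and "act" may arrive there too, so an ordinary link is enough to
// trigger this state change. Destructive actions are normally limited to POST
// so that an anti-CSRF token can cover them; confirm how this page is
// protected before relying on it.
if ($act == "del") {

	$del_id = isset($_GET['id']) ? $_GET['id'] : null;

	// Accept only a plain integer index that names an existing entry. This
	// also rejects array-valued or otherwise malformed "id" parameters before
	// they are used as an array offset.
	if (!is_numericint($del_id) || empty($a_server[$del_id])) {
		pfSenseHeader("system_authservers.php");
		exit;
	}

	/* Remove server from main list. */
	$serverdeleted = $a_server[$del_id]['name'];
	foreach ($config['system']['authserver'] as $k => $as) {
		// Compare as strings: a loose == treats numeric-looking names such as
		// "1" and "01" as equal and would remove more than the chosen server.
		if ((string)$as['name'] === (string)$serverdeleted) {
			unset($config['system']['authserver'][$k]);
		}
	}

	/* Remove server from temp list used later on this page. */
	unset($a_server[$del_id]);

	// The name is escaped here because the message is printed on the page.
	$savemsg = sprintf(gettext("Authentication Server %s deleted."), htmlspecialchars($serverdeleted));
	write_config($savemsg);
}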
// Load the stored settings of the selected server into $pconfig so the edit
// form can be pre-filled.
//
// NOTE(review): the LDAP bind password and the RADIUS shared secret are copied
// into $pconfig along with everything else, and this page later uses those
// entries as form field values, so the stored secrets are sent back to the
// browser whenever an entry is opened for editing.
if ($act == "edit") {
	if (isset($id) && $a_server[$id]) {
		$stored = $a_server[$id];

		$pconfig['type'] = $stored['type'];
		$pconfig['name'] = $stored['name'];

		if ($pconfig['type'] == "ldap") {
			$pconfig['ldap_caref'] = $stored['ldap_caref'];
			// The host is stored under the generic key "host".
			$pconfig['ldap_host'] = $stored['host'];

			// Settings whose form key and stored key are the same.
			$ldap_same_key = array(
				'ldap_port',
				'ldap_timeout',
				'ldap_urltype',
				'ldap_protver',
				'ldap_scope',
				'ldap_basedn',
				'ldap_authcn',
				'ldap_extended_enabled',
				'ldap_extended_query',
				'ldap_binddn',
				'ldap_bindpw',
				'ldap_attr_user',
				'ldap_attr_group',
				'ldap_attr_member',
				'ldap_attr_groupobj',
			);
			foreach ($ldap_same_key as $field) {
				$pconfig[$field] = $stored[$field];
			}

			// Flags are stored by presence only, so test with isset().
			foreach (array('ldap_utf8', 'ldap_nostrip_at', 'ldap_rfc2307') as $flag) {
				$pconfig[$flag] = isset($stored[$flag]);
			}

			// Without both a bind DN and a bind password the form shows
			// the server as using anonymous binds.
			if (!($pconfig['ldap_binddn'] && $pconfig['ldap_bindpw'])) {
				$pconfig['ldap_anon'] = true;
			}
		}

		if ($pconfig['type'] == "radius") {
			$pconfig['radius_host'] = $stored['host'];
			foreach (array('radius_auth_port', 'radius_acct_port', 'radius_secret', 'radius_timeout') as $field) {
				$pconfig[$field] = $stored[$field];
			}

			// Derive the "services offered" selection from which ports are
			// stored; the missing port is filled in with 1813 or 1812.
			if ($pconfig['radius_auth_port'] && $pconfig['radius_acct_port']) {
				$pconfig['radius_srvcs'] = "both";
			} elseif ($pconfig['radius_auth_port'] && !$pconfig['radius_acct_port']) {
				$pconfig['radius_srvcs'] = "auth";
				$pconfig['radius_acct_port'] = 1813;
			} elseif (!$pconfig['radius_auth_port'] && $pconfig['radius_acct_port']) {
				$pconfig['radius_srvcs'] = "acct";
				$pconfig['radius_auth_port'] = 1812;
			}
		}
	}
}
// Defaults shown when the form is opened for a new server: LDAP protocol
// version 3 with anonymous bind, RADIUS offering both services on 1812/1813.
if ($act == "new") {
	$new_server_defaults = array(
		'ldap_protver' => 3,
		'ldap_anon' => true,
		'radius_srvcs' => "both",
		'radius_auth_port' => "1812",
		'radius_acct_port' => "1813",
	);

	foreach ($new_server_defaults as $field => $value) {
		$pconfig[$field] = $value;
	}
}
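// Handle a submitted add/edit form: validate the posted values and, when they
// pass, build the server record and write it to the configuration.
//
// NOTE(review): the LDAP bind password and the RADIUS shared secret are copied
// into the server record as posted and persisted by write_config(); nothing in
// this block transforms them before storage.
if ($_POST) {
	unset($input_errors);
	$pconfig = $_POST;

	/* input validation */

	// Start with empty lists so do_input_validation() always receives arrays,
	// even when the posted type is neither "ldap" nor "radius".
	$reqdfields = array();
	$reqdfieldsn = array();

	if ($pconfig['type'] == "ldap") {
		$reqdfields = explode(" ",
			"name type ldap_host ldap_port " .
			"ldap_urltype ldap_protver ldap_scope " .
			"ldap_attr_user ldap_attr_group ldap_attr_member ldapauthcontainers");

		$reqdfieldsn = array(
			gettext("Descriptive name"),
			gettext("Type"),
			gettext("Hostname or IP"),
			gettext("Port value"),
			gettext("Transport"),
			gettext("Protocol version"),
			gettext("Search level"),
			gettext("User naming Attribute"),
			gettext("Group naming Attribute"),
			gettext("Group member attribute"),
			gettext("Authentication container"));

		// Bind credentials are mandatory unless anonymous bind is selected.
		if (!$pconfig['ldap_anon']) {
			$reqdfields[] = "ldap_binddn";
			$reqdfields[] = "ldap_bindpw";
			$reqdfieldsn[] = gettext("Bind user DN");
			$reqdfieldsn[] = gettext("Bind Password");
		}
	}

	if ($pconfig['type'] == "radius") {
		$reqdfields = explode(" ", "name type radius_host radius_srvcs");
		$reqdfieldsn = array(
			gettext("Descriptive name"),
			gettext("Type"),
			gettext("Hostname or IP"),
			gettext("Services"));

		if ($pconfig['radius_srvcs'] == "both" ||
			$pconfig['radius_srvcs'] == "auth") {
			$reqdfields[] = "radius_auth_port";
			$reqdfieldsn[] = gettext("Authentication port");
		}

		if ($pconfig['radius_srvcs'] == "both" ||
			$pconfig['radius_srvcs'] == "acct") {
			$reqdfields[] = "radius_acct_port";
			$reqdfieldsn[] = gettext("Accounting port");
		}

		// The shared secret is only mandatory when creating a new entry; an
		// edit with the field left empty keeps the stored secret.
		if (!isset($id)) {
			$reqdfields[] = "radius_secret";
			$reqdfieldsn[] = gettext("Shared Secret");
		}
	}

	do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);

	// Validate the host that was actually submitted. The form on this page
	// posts it as "ldap_host" or "radius_host"; the earlier check looked at a
	// "host" field that the form does not send, so it never rejected anything.
	// Literal IP addresses are accepted as they are (an IPv6 address contains
	// ":" and would otherwise fail the host name character check).
	if (($pconfig['type'] == "ldap") || ($pconfig['type'] == "radius")) {
		$host_field = "{$pconfig['type']}_host";
		$host_value = isset($_POST[$host_field]) ? $_POST[$host_field] : '';

		if (!is_string($host_value) ||
			(filter_var($host_value, FILTER_VALIDATE_IP) === false &&
			preg_match("/[^a-zA-Z0-9\.\-_]/", $host_value))) {
			$input_errors[] = gettext("The host name contains invalid characters.");
		}
	}

	// A new entry must not reuse the name of an existing server.
	if (auth_get_authserver($pconfig['name']) && !isset($id)) {
		$input_errors[] = gettext("An authentication server with the same name already exists.");
	}

	// An optional timeout, when given, has to be a positive number.
	if (($pconfig['type'] == "ldap") || ($pconfig['type'] == "radius")) {
		$to_field = "{$pconfig['type']}_timeout";
		if (!empty($_POST[$to_field]) && (!is_numeric($_POST[$to_field]) || ($_POST[$to_field] <= 0))) {
			$input_errors[] = sprintf(gettext("%s Timeout value must be numeric and positive."), strtoupper($pconfig['type']));
		}
	}

	if (!$input_errors) {
		// Start a fresh record with a new reference id; when editing, start
		// from the existing record instead so fields not on the form survive.
		$server = array();
		$server['refid'] = uniqid();
		if (isset($id) && $a_server[$id]) {
			$server = $a_server[$id];
		}

		$server['type'] = $pconfig['type'];
		$server['name'] = $pconfig['name'];

		if ($server['type'] == "ldap") {

			if (!empty($pconfig['ldap_caref'])) {
				$server['ldap_caref'] = $pconfig['ldap_caref'];
			}
			$server['host'] = $pconfig['ldap_host'];
			$server['ldap_port'] = $pconfig['ldap_port'];
			$server['ldap_urltype'] = $pconfig['ldap_urltype'];
			$server['ldap_protver'] = $pconfig['ldap_protver'];
			$server['ldap_scope'] = $pconfig['ldap_scope'];
			$server['ldap_basedn'] = $pconfig['ldap_basedn'];
			$server['ldap_authcn'] = $pconfig['ldapauthcontainers'];
			$server['ldap_extended_enabled'] = $pconfig['ldap_extended_enabled'];
			$server['ldap_extended_query'] = $pconfig['ldap_extended_query'];
			$server['ldap_attr_user'] = $pconfig['ldap_attr_user'];
			$server['ldap_attr_group'] = $pconfig['ldap_attr_group'];
			$server['ldap_attr_member'] = $pconfig['ldap_attr_member'];

			$server['ldap_attr_groupobj'] = empty($pconfig['ldap_attr_groupobj']) ? "posixGroup" : $pconfig['ldap_attr_groupobj'];

			// Checkbox flags are stored by presence: set when ticked,
			// removed from the record otherwise.
			if ($pconfig['ldap_utf8'] == "yes") {
				$server['ldap_utf8'] = true;
			} else {
				unset($server['ldap_utf8']);
			}
			if ($pconfig['ldap_nostrip_at'] == "yes") {
				$server['ldap_nostrip_at'] = true;
			} else {
				unset($server['ldap_nostrip_at']);
			}
			if ($pconfig['ldap_rfc2307'] == "yes") {
				$server['ldap_rfc2307'] = true;
			} else {
				unset($server['ldap_rfc2307']);
			}

			// Anonymous bind drops any previously stored bind credentials.
			if (!$pconfig['ldap_anon']) {
				$server['ldap_binddn'] = $pconfig['ldap_binddn'];
				$server['ldap_bindpw'] = $pconfig['ldap_bindpw'];
			} else {
				unset($server['ldap_binddn']);
				unset($server['ldap_bindpw']);
			}

			if ($pconfig['ldap_timeout']) {
				$server['ldap_timeout'] = $pconfig['ldap_timeout'];
			} else {
				$server['ldap_timeout'] = 25;
			}
		}

		if ($server['type'] == "radius") {

			$server['host'] = $pconfig['radius_host'];

			// An empty secret on edit leaves the stored secret untouched.
			if ($pconfig['radius_secret']) {
				$server['radius_secret'] = $pconfig['radius_secret'];
			}

			if ($pconfig['radius_timeout']) {
				$server['radius_timeout'] = $pconfig['radius_timeout'];
			} else {
				$server['radius_timeout'] = 5;
			}

			// Store only the ports for the services that were selected.
			if ($pconfig['radius_srvcs'] == "both") {
				$server['radius_auth_port'] = $pconfig['radius_auth_port'];
				$server['radius_acct_port'] = $pconfig['radius_acct_port'];
			}

			if ($pconfig['radius_srvcs'] == "auth") {
				$server['radius_auth_port'] = $pconfig['radius_auth_port'];
				unset($server['radius_acct_port']);
			}

			if ($pconfig['radius_srvcs'] == "acct") {
				$server['radius_acct_port'] = $pconfig['radius_acct_port'];
				unset($server['radius_auth_port']);
			}
		}

		// Overwrite the existing entry when editing, append otherwise.
		if (isset($id) && $config['system']['authserver'][$id]) {
			$config['system']['authserver'][$id] = $server;
		} else {
			$config['system']['authserver'][] = $server;
		}

		write_config();

		pfSenseHeader("system_authservers.php");
	}
}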
// After a failed submission, refill the form from what was posted so the user
// does not have to type everything again. Two fields are posted under a
// different name than the one the form reads its value from.
if ($_POST && $input_errors) {
	$pconfig = $_POST;

	$renamed_fields = array(
		'ldap_authcn' => 'ldapauthcontainers',
		'ldap_template' => 'ldap_tmpltype',
	);
	foreach ($renamed_fields as $form_key => $post_key) {
		$pconfig[$form_key] = $_POST[$post_key];
	}
}

// Page title; "Edit" is appended whenever the form rather than the list is shown.
$pgtitle = array(gettext("System"), gettext("User Manager"), gettext("Authentication Servers"));

$showing_form = ($act == "new" || $act == "edit" || $input_errors);
if ($showing_form) {
	$pgtitle[] = gettext('Edit');
}
$shortcut_section = "authentication";
include("head.inc");

if ($input_errors) {
	print_input_errors($input_errors);
}

if ($savemsg) {
	print_info_box($savemsg, 'success');
}

// User Manager tabs; this page is the active one.
$tab_array = array(
	array(gettext("Users"), false, "system_usermanager.php"),
	array(gettext("Groups"), false, "system_groupmanager.php"),
	array(gettext("Settings"), false, "system_usermanager_settings.php"),
	array(gettext("Authentication Servers"), true, "system_authservers.php"),
);
display_top_tabs($tab_array);
// Default view: list the configured servers, unless the add/edit form was
// requested or a failed submission has to be shown again. The branch ends the
// request after printing the footer.
//
// NOTE(review): the Delete icon in each row is an ordinary link that carries
// act=del and the row index in the query string, so the deletion is triggered
// by a GET request. Confirm that such requests are covered by the page's
// request-forgery protection.
if ($act != "new" && $act != "edit" && !$input_errors) {
?>
<div class="panel panel-default">
	<div class="panel-heading"><h2 class="panel-title"><?=gettext('Authentication Servers')?></h2></div>
	<div class="panel-body">
		<div class="table-responsive">
			<table class="table table-striped table-hover table-condensed sortable-theme-bootstrap table-rowdblclickedit" data-sortable>
				<thead>
					<tr>
						<th><?=gettext("Server Name")?></th>
						<th><?=gettext("Type")?></th>
						<th><?=gettext("Host Name")?></th>
						<th><?=gettext("Actions")?></th>
					</tr>
				</thead>
				<tbody>
			<?php foreach ($a_server as $i => $server): ?>
					<tr>
						<td><?=htmlspecialchars($server['name'])?></td>
						<td><?=htmlspecialchars($auth_server_types[$server['type']])?></td>
						<td><?=htmlspecialchars($server['host'])?></td>
						<td>
						<?php /* The last list entry gets no Edit/Delete icons. */ if (($i + 1) < count($a_server)): ?>
							<a class="fa fa-pencil" title="<?=gettext("Edit server"); ?>" href="system_authservers.php?act=edit&amp;id=<?=$i?>"></a>
							<a class="fa fa-trash"  title="<?=gettext("Delete server")?>" href="system_authservers.php?act=del&amp;id=<?=$i?>"></a>
						<?php endif?>
						</td>
					</tr>
			<?php endforeach; ?>
				</tbody>
			</table>
		</div>
	</div>
</div>

<nav class="action-buttons">
	<a href="?act=new" class="btn btn-success btn-sm">
		<i class="fa fa-plus icon-embed-btn"></i>
		<?=gettext("Add")?>
	</a>
</nav>
<?php
	include("foot.inc");
	exit;
}
// Build the add/edit form. It always posts back to this page with act=edit.
$form = new Form;
$form->setAction('system_authservers.php?act=edit');

// Hidden field carrying the index of the entry being edited, when there is one.
$form->addGlobal(new Form_Input('userid', null, 'hidden', $id));

// Settings shared by every server type.
$section = new Form_Section('Server Settings');

$input = new Form_Input('name', 'Descriptive name', 'text', $pconfig['name']);
$section->addInput($input);

// The type selector toggles the visibility of the per-type sections below.
$input = new Form_Select('type', 'Type', $pconfig['type'], $auth_server_types);
$section->addInput($input)->toggles();

$form->add($section);
// ==== LDAP settings =========================================================
// Connection settings for an LDAP server. The section is collapsed unless the
// selected type is "ldap" or no type has been chosen yet.
$section = new Form_Section('LDAP Server Settings');
$section->addClass('toggle-ldap collapse');

if (!isset($pconfig['type']) || $pconfig['type'] == 'ldap') {
	$section->addClass('in');
}

$ldap_host_input = new Form_Input('ldap_host', 'Hostname or IP address', 'text', $pconfig['ldap_host']);
$section->addInput($ldap_host_input)->setHelp('NOTE: When using SSL, this hostname MUST match the Common Name '.
	'(CN) of the LDAP server\'s SSL Certificate.');

$section->addInput(new Form_Input('ldap_port', 'Port value', 'number', $pconfig['ldap_port']));

// The transport names serve as both option value and option label.
$urltype_names = array_keys($ldap_urltypes);
$section->addInput(new Form_Select(
	'ldap_urltype',
	'Transport',
	$pconfig['ldap_urltype'],
	array_combine($urltype_names, array_keys($ldap_urltypes))
));

// Offer the configured Certificate Authorities for verifying the server's
// certificate, or point to the Cert. Manager when none exist.
if (!empty($a_ca)) {
	$ldapCaRef = [];
	foreach ($a_ca as $ca) {
		$ldapCaRef[ $ca['refid'] ] = $ca['descr'];
	}

	$ca_select = new Form_Select('ldap_caref', 'Peer Certificate Authority', $pconfig['ldap_caref'], $ldapCaRef);
	$section->addInput($ca_select)->setHelp('This option is used if \'SSL Encrypted\' option is choosen. '.
		'It must match with the CA in the AD otherwise problems will arise.');
} else {
	$section->addInput(new Form_StaticText(
		'Peer Certificate Authority',
		'No Certificate Authorities defined.<br/>Create one under <a href="system_camanager.php">System &gt; Cert. Manager</a>.'
	));
}

$section->addInput(new Form_Select(
	'ldap_protver',
	'Protocol version',
	$pconfig['ldap_protver'],
	array_combine($ldap_protvers, $ldap_protvers)
));

$timeout_input = new Form_Input('ldap_timeout', 'Server Timeout', 'number', $pconfig['ldap_timeout'], ['placeholder' => 25]);
$section->addInput($timeout_input)->setHelp('Timeout for LDAP operations (seconds)');

$group = new Form_Group('Search scope');

// The scope selector and the base DN input are rendered to markup and placed
// side by side inside one static text row.
$SSF = new Form_Select('ldap_scope', 'Level', $pconfig['ldap_scope'], $ldap_scopes);
$SSB = new Form_Input('ldap_basedn', 'Base DN', 'text', $pconfig['ldap_basedn']);

$scope_markup = 'Level ' . $SSF . '<br />' . 'Base DN' . $SSB;
$section->addInput(new Form_StaticText('Search scope', $scope_markup));
// Authentication containers: a free-text list plus a button that opens the
// container picker modal.
$group = new Form_Group('Authentication containers');

$containers_input = new Form_Input('ldapauthcontainers', 'Containers', 'text', $pconfig['ldap_authcn']);
$group->add($containers_input)->setHelp('Note: Semi-Colon separated. This will be prepended to the search '.
	'base dn above or the full container path can be specified containing a dc= '.
	'component.<br/>Example: CN=Users;DC=example,DC=com or OU=Staff;OU=Freelancers');

// type="button" keeps this control from submitting the form.
$select_button = new Form_Button('Select', 'Select a container', null, 'fa-search');
$group->add($select_button)->setAttribute('type','button')->addClass('btn-info');

$section->add($group);

// Optional extended query used in addition to the container search.
$section->addInput(new Form_Checkbox(
	'ldap_extended_enabled',
	'Extended query',
	'Enable extended query',
	$pconfig['ldap_extended_enabled']
));

$group = new Form_Group('Query');
$group->addClass('extended');

$query_input = new Form_Input('ldap_extended_query', 'Query', 'text', $pconfig['ldap_extended_query']);
$group->add($query_input)->setHelp('Example: &amp;(objectClass=inetOrgPerson)(mail=*@example.com)');

$section->add($group);

$section->addInput(new Form_Checkbox(
	'ldap_anon',
	'Bind anonymous',
	'Use anonymous binds to resolve distinguished names',
	$pconfig['ldap_anon']
));

// Bind credentials, grouped under the "ldapanon" class.
// NOTE(review): the password field is given the stored bind password as its
// value, so the secret is part of the page sent to the browser even though the
// input masks it on screen.
$group = new Form_Group('Bind credentials');
$group->addClass('ldapanon');

$group->add(new Form_Input('ldap_binddn', 'User DN:', 'text', $pconfig['ldap_binddn']));
$group->add(new Form_Input('ldap_bindpw', 'Password', 'password', $pconfig['ldap_bindpw']));

$section->add($group);
// The "Initial Template" selector is only offered when no existing entry was
// selected; its options are the template descriptions keyed by template id.
if (!isset($id)) {
	$template_list = array();

	foreach ($ldap_templates as $option => $template) {
		$template_list[$option] = $template['desc'];
	}

	$template_select = new Form_Select('ldap_tmpltype', 'Initial Template', $pconfig['ldap_template'], $template_list);
	$section->addInput($template_select);
}

// Attribute names used when looking up users and groups in the directory.
$section->addInput(new Form_Input('ldap_attr_user', 'User naming attribute', 'text', $pconfig['ldap_attr_user']));
$section->addInput(new Form_Input('ldap_attr_group', 'Group naming attribute', 'text', $pconfig['ldap_attr_group']));
$section->addInput(new Form_Input('ldap_attr_member', 'Group member attribute', 'text', $pconfig['ldap_attr_member']));

$rfc2307_box = new Form_Checkbox(
	'ldap_rfc2307',
	'RFC 2307 Groups',
	'LDAP Server uses RFC 2307 style group membership',
	$pconfig['ldap_rfc2307']
);
$section->addInput($rfc2307_box)->setHelp('RFC 2307 style group membership has members listed on the group '.
	'object rather than using groups listed on user object. Leave unchecked '.
	'for Active Directory style group membership (RFC 2307bis).');

$groupobj_input = new Form_Input(
	'ldap_attr_groupobj',
	'Group Object Class',
	'text',
	$pconfig['ldap_attr_groupobj'],
	['placeholder' => 'posixGroup']
);
$section->addInput($groupobj_input)->setHelp('Object class used for groups in RFC2307 mode. '.
	'Typically "posixGroup" or "group".');

$utf8_box = new Form_Checkbox(
	'ldap_utf8',
	'UTF8 Encode',
	'UTF8 encode LDAP parameters before sending them to the server.',
	$pconfig['ldap_utf8']
);
$section->addInput($utf8_box)->setHelp('Required to support international characters, but may not be '.
	'supported by every LDAP server.');

$nostrip_box = new Form_Checkbox(
	'ldap_nostrip_at',
	'Username Alterations',
	'Do not strip away parts of the username after the @ symbol',
	$pconfig['ldap_nostrip_at']
);
$section->addInput($nostrip_box)->setHelp('e.g. user@host becomes user when unchecked.');

// The LDAP section is complete; attach it to the form.
$form->add($section);
// ==== RADIUS section ========================================================
755 7aaf60a8 k-paulius
$section = new Form_Section('RADIUS Server Settings');
756 44d906ca Sjon Hortensius
$section->addClass('toggle-radius collapse');
757 a0165602 Sjon Hortensius
758
$section->addInput(new Form_Input(
759
	'radius_host',
760
	'Hostname or IP address',
761
	'text',
762
	$pconfig['radius_host']
763
));
764
765
$section->addInput(new Form_Input(
766
	'radius_secret',
767
	'Shared Secret',
768
	'text',
769
	$pconfig['radius_secret']
770
));
771
772
$section->addInput(new Form_Select(
773
	'radius_srvcs',
774
	'Services offered',
775
	$pconfig['radius_srvcs'],
776
	$radius_srvcs
777
));
778
779
$section->addInput(new Form_Input(
780
	'radius_auth_port',
781 81ec3187 Chris Buechler
	'Authentication port',
782 a0165602 Sjon Hortensius
	'number',
783 df5d8616 Stephen Beaver
	$pconfig['radius_auth_port']
784 a0165602 Sjon Hortensius
));
785
786
$section->addInput(new Form_Input(
787
	'radius_acct_port',
788 df5d8616 Stephen Beaver
	'Accounting port',
789 a0165602 Sjon Hortensius
	'number',
790
	$pconfig['radius_acct_port']
791
));
792
793
$section->addInput(new Form_Input(
794
	'radius_timeout',
795
	'Authentication Timeout',
796
	'number',
797
	$pconfig['radius_timeout']
798
))->setHelp('This value controls how long, in seconds, that the RADIUS '.
799
	'server may take to respond to an authentication request. If left blank, the '.
800 89140b63 NOYB
	'default value is 5 seconds. NOTE: If using an interactive two-factor '.
801 a0165602 Sjon Hortensius
	'authentication system, increase this timeout to account for how long it will '.
802
	'take the user to receive and enter a token.');
803
804
if (isset($id) && $a_server[$id])
805
{
806
	$section->addInput(new Form_Input(
807
		'id',
808
		null,
809
		'hidden',
810
		$id
811
	));
812 6306b5dd Ermal Lu?i
}
813 a0165602 Sjon Hortensius
814
$form->add($section);
815 098604d3 Stephen Beaver
816
// Placeholder modal for the list of available LDAP containers. It starts out
// largely empty; the page script fills it in later through an AJAX request.
$modal = new Modal('LDAP containers', 'containers', true);
$form->add($modal);

// Output the assembled form.
echo $form;
?>
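<script type="text/javascript">
//<![CDATA[
// Client-side behaviour for the authentication server form: LDAP container
// lookup over AJAX, default LDAP port selection, attribute template presets
// and show/hide toggles. The whole script is registered by pushing one
// callback onto the page's `events` array.
//
// Every string that PHP writes into this script goes through json_encode()
// with JSON_HEX_TAG | JSON_HEX_AMP, so a quote, backslash or markup character
// in a translation or template value cannot end the JavaScript string literal
// or the enclosing script element.
events.push(function() {

	// Checks that the LDAP connection fields are filled in, then POSTs them to
	// this page and shows the returned container list in the #containers modal.
	function select_clicked() {
		if (document.getElementById("ldap_port").value == '' ||
			document.getElementById("ldap_host").value == '' ||
			document.getElementById("ldap_scope").value == '' ||
			document.getElementById("ldap_basedn").value == '' ||
			document.getElementById("ldapauthcontainers").value == '') {
			alert(<?=json_encode(gettext("Please fill the required values."), JSON_HEX_TAG | JSON_HEX_AMP);?>);
			return;
		}

		// Bind credentials are only required when anonymous bind is not selected.
		if (!document.getElementById("ldap_anon").checked) {
			if (document.getElementById("ldap_binddn").value == '' ||
				document.getElementById("ldap_bindpw").value == '') {
				alert(<?=json_encode(gettext("Please fill the bind username/password."), JSON_HEX_TAG | JSON_HEX_AMP);?>);
				return;
			}
		}

		var ajaxRequest;
		var cert;

		// The CA selector is only read when PHP found at least one entry in $a_ca.
<?php if (count($a_ca) > 0): ?>
			cert = $('#ldap_caref').val();
<?php else: ?>
			cert = '';
<?php endif; ?>

		// The bind password travels in this POST body, so the GUI should only be
		// reached over HTTPS.
		ajaxRequest = $.ajax(
			{
				url: "/system_authservers.php",
				type: "post",
				data: {
					ajax: 	"ajax",
					port: 	$('#ldap_port').val(),
					host: 	$('#ldap_host').val(),
					scope: 	$('#ldap_scope').val(),
					basedn: $('#ldap_basedn').val(),
					binddn: $('#ldap_binddn').val(),
					bindpw: $('#ldap_bindpw').val(),
					urltype:$('#ldap_urltype').val(),
					proto:  $('#ldap_protver').val(),
					authcn: $('#ldapauthcontainers').val(),
					cert:   cert
				}
			}
		);

		// Deal with the results of the above ajax call
		ajaxRequest.done(function (response, textStatus, jqXHR) {
			// The response is inserted into the page as markup. NOTE(review): the
			// handler that builds it is not shown here - confirm that it HTML-escapes
			// every name it received from the LDAP server.
			$('#containers').replaceWith(response);

			$('#containers').modal('show');

			// The button handler needs to be here because until the modal has been populated
			// the controls we need to attach handlers to do not exist
			$('#svcontbtn').prop("type", "button");
			$('#svcontbtn').removeAttr("href");

			// Copy the checked containers into the form field as a ";" separated
			// list, then close the modal.
			$('#svcontbtn').click(function () {
				var ous = $('[id^=ou]').length;
				var i;

				$('#ldapauthcontainers').val("");

				for (i = 0; i < ous; i++) {
					if ($('#ou' + i).prop("checked")) {
						if ($('#ldapauthcontainers').val() != "") {
							$('#ldapauthcontainers').val($('#ldapauthcontainers').val() +";");
						}

						$('#ldapauthcontainers').val($('#ldapauthcontainers').val() + $('#ou' + i).val());
					}
				}

				$('#containers').modal('hide');
			});
		});

	}

	// Sets the port field to 389 when the first transport option is selected
	// and to 636 for any other option.
	function set_ldap_port() {
		if ($('#ldap_urltype').find(":selected").index() == 0) {
			$('#ldap_port').val('389');
		} else {
			$('#ldap_port').val('636');
		}
	}

	// Hides (hide is truthy) or shows all elements of the specified class.
	// This will usually be a section.
	function hideClass(s_class, hide) {
		if (hide) {
			$('.' + s_class).hide();
		} else {
			$('.' + s_class).show();
		}
	}

	// Fills the three LDAP attribute fields from the template selected in
	// #ldap_tmpltype. PHP emits one case per entry of $ldap_templates, numbered
	// in iteration order to match the index of the selected option.
	function ldap_tmplchange() {
		switch ($('#ldap_tmpltype').find(":selected").index()) {
<?php
		$index = 0;
		foreach ($ldap_templates as $tmpldata):
?>
			case <?=$index;?>:
				$('#ldap_attr_user').val(<?=json_encode($tmpldata['attr_user'], JSON_HEX_TAG | JSON_HEX_AMP);?>);
				$('#ldap_attr_group').val(<?=json_encode($tmpldata['attr_group'], JSON_HEX_TAG | JSON_HEX_AMP);?>);
				$('#ldap_attr_member').val(<?=json_encode($tmpldata['attr_member'], JSON_HEX_TAG | JSON_HEX_AMP);?>);
				break;
<?php
			$index++;
		endforeach;
?>
		}
	}

	// ---------- On initial page load ------------------------------------------------------------

	// Template presets are applied on load unless an entry is being edited.
<?php if ($act != 'edit') : ?>
	ldap_tmplchange();
<?php endif; ?>

	hideClass('ldapanon', $('#ldap_anon').prop('checked'));
	hideClass('extended', !$('#ldap_extended_enabled').prop('checked'));

	if ($('#ldap_port').val() == "") {
		set_ldap_port();
	}

	// While editing, the unselected type options are disabled and, when there
	// are no input errors, the name field is made read-only. These are browser
	// side restrictions only and do not stop a crafted POST, so the save handler
	// has to enforce them itself (NOTE(review): handler not shown here - confirm).
<?php
	if ($act == 'edit') {
?>
		$('#type option:not(:selected)').each(function(){
			$(this).attr('disabled', 'disabled');
		});

<?php
		if (!$input_errors) {
?>
		$('#name').prop("readonly", true);
<?php
		}
	}
?>
	// ---------- Click checkbox handlers ---------------------------------------------------------

	$('#ldap_tmpltype').on('change', function() {
		ldap_tmplchange();
	});

	$('#ldap_anon').click(function () {
		hideClass('ldapanon', this.checked);
	});

	$('#ldap_urltype').on('change', function() {
		set_ldap_port();
	});

	$('#Select').click(function () {
		select_clicked();
	});

	$('#ldap_extended_enabled').click(function () {
		hideClass('extended', !this.checked);
	});

});
//]]>
</script>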
<?php
// Pull in foot.inc (presumably the common page footer) to finish the page.
include 'foot.inc';