Mirrors/sysPass
2
0
Fork 0
mirror of https://github.com/nuxsmin/sysPass.git synced 2026-03-06 16:36:59 +01:00
Code Issues Packages Projects Releases Wiki Activity

* LDAP parameters checking

Browse Source
This commit is contained in:
nuxsmin
2014-02-03 02:53:09 +01:00
parent 341dcc68ac
commit f5d9aa7a97
7 changed files with 248 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

53
ajax/ajax_checkLdap.php Normal file
View File

@@ -0,0 +1,53 @@
<?php
/**
* sysPass
*
* @author nuxsmin
* @link http://syspass.org
* @copyright 2012 Rubén Domínguez nuxsmin@syspass.org
*
* This file is part of sysPass.
*
* sysPass is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* sysPass is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with sysPass. If not, see <http://www.gnu.org/licenses/>.
*
*/
define('APP_ROOT', '..');
include_once (APP_ROOT."/inc/init.php");
SP_Util::checkReferer('POST');
if ( ! SP_Init::isLoggedIn() ) {
SP_Common::printJSON(_('La sesión no se ha iniciado o ha caducado'), 10);
}
$sk = SP_Common::parseParams('p', 'sk', FALSE);
if (!$sk || !SP_Common::checkSessionKey($sk)) {
SP_Common::printJSON(_('CONSULTA INVÁLIDA'));
}
$frmLdapServer = SP_Common::parseParams('p', 'ldapserver');
$frmLdapBase = SP_Common::parseParams('p', 'ldapbase');
$frmLdapGroup = SP_Common::parseParams('p', 'ldapgroup');
$frmLdapBindUser = SP_Common::parseParams('p', 'ldapbinduser');
$frmLdapBindPass = SP_Common::parseParams('p', 'ldapbindpass');
$resCheckLdap = SP_LDAP::checkLDAPConn($frmLdapServer,$frmLdapBindUser,$frmLdapBindPass,$frmLdapBase,$frmLdapGroup);
if ( $resCheckLdap === FALSE ){
SP_Common::printJSON(_('Error de conexión a LDAP').';;'._('Revise el registro de eventos para más detalles'));
} else{
SP_Common::printJSON(_('Conexión a LDAP correcta').';;'._('Objetos encontrados').': '.$resCheckLdap,0);
}

BIN
imgs/refresh.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.9 KiB

6
inc/auth.class.php
View File

@@ -51,8 +51,8 @@ class SP_Auth {
// Conectamos al servidor realizamos la conexión con el usuario proxy
try {
SP_LDAP::connect();
SP_LDAP::bind();
SP_LDAP::ldapConnect();
SP_LDAP::ldapBind();
SP_LDAP::getUserDN($userLogin);
} catch (Exception $e) {
return FALSE;
@@ -70,7 +70,7 @@ class SP_Auth {
// Realizamos la conexión con el usuario real y obtenemos los atributos
try{
SP_LDAP::bind($userDN, $userPass);
SP_LDAP::ldapBind($userDN, $userPass);
SP_LDAP::unbind();
$attribs = SP_LDAP::getLDAPAttr($attribsMap);
} catch (Exception $e) {

177
inc/ldap.class.php
View File

@@ -29,38 +29,57 @@ defined('APP_ROOT') || die(_('No es posible acceder directamente a este archivo'
* Esta clase es la encargada de realizar la autentificación de usuarios de sysPass.
*/
class SP_LDAP {
private static $ldapConn;
private static $ldapServer;
private static $searchBase;
private static $bindDN;
private static $bindPass;
private static $ldapGroup;
public static $ldapSearchData;
/**
* @brief Obtener el recurso de conexión a LDAP
* @return resource
*/
public static function getConn(){
if (is_resource(self::$ldapConn)){
public static function getConn() {
if (is_resource(self::$ldapConn)) {
return self::$ldapConn;
}
}
/**
* @brief Comprobar la conexión al servidor de LDAP
* @param string $ldapServer con la dirección del servidor
* @param string $bindDN con el usuario de conexión
* @param string $bindPass con la clave del usuario de conexión
* @param string $searchBase con la base para las búsquedas
* @param string $ldapGroup con el grupo con los usuarios de acceso
* @return bool
*/
public static function checkLDAPConn(){
public static function checkLDAPConn($ldapServer, $bindDN, $bindPass, $searchBase, $ldapGroup) {
self::$ldapServer = $ldapServer;
self::$bindDN = $bindDN;
self::$bindPass = $bindPass;
self::$searchBase = $searchBase;
self::$ldapGroup = $ldapGroup;
try {
self::ldapConnect();
self::ldapBind();
$numObjects = self::searchBase();
} catch (Exception $e) {
return FALSE;
}
return $numObjects;
}
/**
* @brief Comprobar si los parámetros necesario de LDAP están establecidos
* @return bool
*/
public static function checkLDAPParams(){
public static function checkLDAPParams() {
self::$searchBase = SP_Config::getValue('ldapbase');
self::$ldapServer = SP_Config::getValue('ldapserver');
self::$bindDN = SP_Config::getValue('ldapbinduser');
@@ -70,12 +89,12 @@ class SP_LDAP {
if (!self::$searchBase || !self::$ldapServer || !self::$ldapGroup || !self::$bindDN || !self::$bindPass) {
$message['action'] = __FUNCTION__;
$message['text'][] = _('Los parámetros de LDAP no están configurados');
SP_Common::wrLogInfo($message);
return FALSE;
}
return TRUE;
}
@@ -84,22 +103,22 @@ class SP_LDAP {
* @param string $server con la dirección del servidor
* @return bool
*/
public static function connect(){
public static function ldapConnect() {
$message['action'] = __FUNCTION__;
// Conexión al servidor LDAP
if (!self::$ldapConn = @ldap_connect(self::$ldapServer)) {
$message['text'][] = _('No es posible conectar con el servidor de LDAP') . " '" . self::$ldapServer . "'";
$message['text'][] = 'LDAP ERROR: ' . ldap_error(self::$ldapConn) . '(' . ldap_errno(self::$ldapConn) . ')';
SP_Common::wrLogInfo($message);
throw new Exception(_('No es posible conectar con el servidor de LDAP'));
}
@ldap_set_option(self::$ldapConn, LDAP_OPT_NETWORK_TIMEOUT, 10); // Set timeout
@ldap_set_option(self::$ldapConn, LDAP_OPT_PROTOCOL_VERSION, 3); // Set LDAP version
return TRUE;
}
@@ -109,33 +128,33 @@ class SP_LDAP {
* @param string $pass con la clave del usuario
* @return bool
*/
public static function bind($userDN = '', $userPass = ''){
public static function ldapBind($userDN = '', $userPass = '') {
$message['action'] = __FUNCTION__;
$dn = ( $userDN ) ? $userDN : self::$bindDN;
$pass = ( $userPass ) ? $userPass : self::$bindPass;
if (!@ldap_bind(self::$ldapConn, $dn, $pass)) {
$message['text'][] = _('Error al conectar (BIND)');
$message['text'][] = 'LDAP ERROR: ' . ldap_error(self::$ldapConn) . '(' . ldap_errno(self::$ldapConn) . ')';
$message['text'][] = 'LDAP DN: ' . $dn;
SP_Common::wrLogInfo($message);
throw new Exception(_('Error al conectar (BIND)'));
}
return TRUE;
}
/**
* @brief Obtener el RDN del usuario que realiza el login
* @param string $userLogin con el login del usuario
* @return none
*/
public static function getUserDN($userLogin){
public static function getUserDN($userLogin) {
$message['action'] = __FUNCTION__;
$filter = '(&(|(samaccountname=' . $userLogin . ')(cn=' . $userLogin . ')(uid=' . $userLogin . '))(|(objectClass=inetOrgPerson)(objectClass=person)(objectClass=simpleSecurityObject)))';
$filterAttr = array("dn", "displayname", "samaccountname", "mail", "memberof", "lockouttime", "fullname", "groupmembership", "mail");
@@ -147,7 +166,7 @@ class SP_LDAP {
$message['text'][] = 'LDAP FILTER: ' . $filter;
SP_Common::wrLogInfo($message);
throw new Exception(_('Error al buscar el DN del usuario'));
}
@@ -159,40 +178,43 @@ class SP_LDAP {
$message['text'][] = 'LDAP ERROR: ' . ldap_error(self::$ldapConn) . '(' . ldap_errno(self::$ldapConn) . ')';
SP_Common::wrLogInfo($message);
throw new Exception(_('Error al localizar el usuario en LDAP'));
}
//return $searchUser[0]["dn"];
} else {
$message['text'][] = _('Error al buscar el DN del usuario');
$message['text'][] = 'LDAP FILTER: ' . $filter;
SP_Common::wrLogInfo($message);
throw new Exception(_('Error al buscar el DN del usuario'));
}
}
/**
* @brief Realizar la desconexión del servidor de LDAP
* @return none
*/
public static function unbind(){
public static function unbind() {
@ldap_unbind(self::$ldapConn);
}
public static function getLDAPAttr($attribs){
/**
* @brief Obtener los atributos del usuario
* @param array $attribs con los atributos a obtener
* @return array con los atributos disponibles y sus valores
*/
public static function getLDAPAttr($attribs) {
$res = array();
foreach (self::$ldapSearchData as $entryValue) {
if (is_array($entryValue)) {
foreach ($entryValue as $entryAttr => $attrValue) {
if (is_array($attrValue)) {
if (array_key_exists($entryAttr, $attribs)){
if ( $attrValue['count'] > 1 ){
if (array_key_exists($entryAttr, $attribs)) {
if ($attrValue['count'] > 1) {
$res[$attribs[$entryAttr]] = $attrValue;
} else{
} else {
$res[$attribs[$entryAttr]] = $attrValue[0];
}
}
@@ -200,7 +222,84 @@ class SP_LDAP {
}
}
}
return $res;
}
}
/**
* @brief Realizar una búsqueda de objetos en la ruta indicada
* @return int con el número de resultados
*/
private static function searchBase() {
$message['action'] = __FUNCTION__;
$groupDN = self::searchGroupDN();
$filter = '(&(memberOf=' . $groupDN . ')(|(objectClass=inetOrgPerson)(objectClass=person)(objectClass=simpleSecurityObject)))';
$filterAttr = array("dn");
$searchRes = @ldap_search(self::$ldapConn, self::$searchBase, $filter, $filterAttr);
if (!$searchRes) {
$message['text'][] = _('Error al buscar objetos en DN base');
$message['text'][] = 'LDAP ERROR: ' . ldap_error(self::$ldapConn) . '(' . ldap_errno(self::$ldapConn) . ')';
$message['text'][] = 'LDAP FILTER: ' . $filter;
SP_Common::wrLogInfo($message);
throw new Exception(_('Error al buscar objetos en DN base'));
}
return @ldap_count_entries(self::$ldapConn, $searchRes);
}
/**
* @brief Obtener el RDN del grupo
* @return string con el RDN del grupo
*/
private static function searchGroupDN() {
$message['action'] = __FUNCTION__;
$filter = '(cn=' . self::$ldapGroup . ')';
$filterAttr = array("dn");
$searchRes = @ldap_search(self::$ldapConn, self::$searchBase, $filter, $filterAttr);
if (!$searchRes) {
$message['text'][] = _('Error al buscar RDN de grupo');
$message['text'][] = 'LDAP ERROR: ' . ldap_error(self::$ldapConn) . '(' . ldap_errno(self::$ldapConn) . ')';
$message['text'][] = 'LDAP FILTER: ' . $filter;
SP_Common::wrLogInfo($message);
throw new Exception(_('Error al buscar RDN de grupo'));
}
if (@ldap_count_entries(self::$ldapConn, $searchRes) === 1) {
$ldapSearchData = @ldap_get_entries(self::$ldapConn, $searchRes);
if (!$ldapSearchData) {
$message['text'][] = _('Error al buscar RDN de grupo');
$message['text'][] = 'LDAP ERROR: ' . ldap_error(self::$ldapConn) . '(' . ldap_errno(self::$ldapConn) . ')';
SP_Common::wrLogInfo($message);
throw new Exception(_('Error al buscar RDN de grupo'));
}
$message['text'][] = _('RDN de grupo encontrado');
$message['text'][] = 'RDN: ' . $ldapSearchData[0]["dn"];
SP_Common::wrLogInfo($message);
return $ldapSearchData[0]["dn"];
} else {
$message['text'][] = _('Error al buscar RDN de grupo');
$message['text'][] = 'LDAP FILTER: ' . $filter;
SP_Common::wrLogInfo($message);
throw new Exception(_('Error al buscar RDN de grupo'));
}
}
}

BIN
inc/locales/en_US/LC_MESSAGES/messages.mo
View File

Binary file not shown.

8
inc/tpl/config.php
View File

@@ -293,6 +293,14 @@ $allowedExts = SP_Config::getValue('allowed_exts');
<input type="text" name="ldapgroup" class="txtLong" value="<?php echo SP_Config::getValue('ldapgroup'); ?>" maxlength="128" />
</td>
</tr>
<tr>
<td class="descField">
<?php echo _('Comprobar'); ?>
</td>
<td class="valField">
<img src="imgs/refresh.png" class="inputImg" title="<?php echo _('Comprobar conexión con LDAP'); ?>" onclick="checkLdapConn();"/>
</td>
</tr>
<?php else: ?>
<tr>
<td class="option-disabled">

46
js/functions.js
View File

@@ -1004,4 +1004,50 @@ function resMsg(type, txt, url, action){
$.fancybox(html,{afterLoad: function(){
$('.fancybox-skin,.fancybox-outer,.fancybox-inner').css({'border-radius':'25px','-moz-border-radius':'25px','-webkit-border-radius':'25px'});
},afterClose : function() { if ( typeof(action) !== "undefined" ) eval(action);} });
}
// Función para comprobar la conexión con LDAP
function checkLdapConn(){
var ldapServer = $('#frmConfig [name=ldapserver]').val();
var ldapBase = $('#frmConfig [name=ldapbase]').val();
var ldapGroup = $('#frmConfig [name=ldapgroup]').val();
var ldapBindUser = $('#frmConfig [name=ldapbinduser]').val();
var ldapBindPass = $('#frmConfig [name=ldapbindpass]').val();
var sk = $('#frmConfig [name=sk]').val();
$.fancybox.showLoading();
$.ajax({
type: 'POST',
dataType: 'json',
url: APP_ROOT + '/ajax/ajax_checkLdap.php',
data: {'ldapserver' : ldapServer, 'ldapbase' : ldapBase, 'ldapgroup' : ldapGroup, 'ldapbinduser' : ldapBindUser, 'ldapbindpass' : ldapBindPass, 'is_ajax' : 1, 'sk' : sk},
success: function(json){
var status = json.status;
var description = json.description;
description = description.replace(/;;/g,"<br />");
switch(status){
case 0:
$.fancybox.close();
resMsg("ok", description);
break;
case 1:
$.fancybox.close();
resMsg("error", description);
break;
case 10:
doLogout();
break;
default:
return;
}
},
error:function(jqXHR, textStatus, errorThrown){
var txt = LANG[1] + '<p>' + errorThrown + textStatus + '</p>';
resMsg("error", txt);
},
complete: function(){$.fancybox.hideLoading();}
});
}