Skip to content

Commit

Permalink
Add ability to define which LDAP attribute is used to log in. (#212)
Browse files Browse the repository at this point in the history
  • Loading branch information
wheelybird authored Jul 20, 2023
1 parent ce400b3 commit 7d1897b
Show file tree
Hide file tree
Showing 4 changed files with 31 additions and 23 deletions.
27 changes: 16 additions & 11 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ docker run \
-e "LDAP_ADMIN_BIND_PWD=secret"\
-e "LDAP_IGNORE_CERT_ERRORS=true" \
-e "EMAIL_DOMAIN=ldapusermanager.org" \
wheelybird/ldap-user-manager:v1.10
wheelybird/ldap-user-manager:v1.11
```
Change the variable values to suit your environment. Now go to https://lum.example.com/setup.

Expand Down Expand Up @@ -105,15 +105,6 @@ For example, if you're using Docker Swarm and you've set the LDAP bind password

* `SESSION_TIMEOUT` (default: *10 minutes*): How long before an idle session will be timed out.


#### Interface customisation

* `ORGANISATION_NAME`: (default: *LDAP*): Your organisation's name.

* `SITE_NAME` (default: *`ORGANISATION_NAME` user manager*): Change this to replace the title in the menu, e.g. "My Company Account Management".

* `SHOW_POSIX_ATTRIBUTES` (default: *FALSE*): If set to `TRUE` this show extra attributes for **posixAccount** and **posixGroup** in the account and group forms. Leave this set to `FALSE` if you don't use LDAP accounts to log into servers etc., as it makes the interface much simpler. The Posix values are still set in the background using the default values. This setting doesn't hide any Posix attributes set via `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` or `LDAP_GROUP_ADDITIONAL_ATTRIBUTES`.

#### LDAP settings

* `LDAP_USER_OU` (default: *people*): The name of the OU used to store user accounts (without the base DN appended).
Expand Down Expand Up @@ -149,7 +140,7 @@ These settings should only be changed if you're trying to make the user manager
* `FORCE_RFC2307BIS` (default: *FALSE*): Set to *TRUE* if the auto-detection is failing to spot that the RFC2307BIS schema is available. When *FALSE* the user manager will use auto-detection. See [Using the RFC2307BIS schema](#using-the-rfc2307bis-schema) for more information.


#### User account settings
#### User account creation settings

* `DEFAULT_USER_GROUP` (default: *everybody*): The group that new accounts are automatically added to when created. *NOTE*: If this group doesn't exist then a group is created with the same name as the username and the user is added to that group.

Expand All @@ -166,9 +157,23 @@ These settings should only be changed if you're trying to make the user manager
* `PASSWORD_HASH` (no default): Select which hashing method which will be used to store passwords in LDAP. Options are (in order of precedence) `SHA512CRYPT`, `SHA256CRYPT`, `MD5CRYPT`, `SSHA`, `SHA`, `SMD5`, `MD5`, `ARGON2`, `CRYPT` & `CLEAR`. If your chosen method isn't available on your system then the strongest available method will be automatically selected - `SSHA` is the strongest method guaranteed to be available. (Note that for `ARGON2` to work your LDAP server will need to have the ARGON2 module enabled. If you don't the passwords will be saved but the user won't be able to authenticate.) Cleartext passwords should NEVER be used in any situation outside of a test.

* `ACCEPT_WEAK_PASSWORDS` (default: *FALSE*): Set this to *TRUE* to prevent a password being rejected for being too weak. The password strength indicators will still gauge the strength of the password. Don't enable this in a production environment.


#### Website appearance and behaviour settings

* `ORGANISATION_NAME`: (default: *LDAP*): Your organisation's name.

* `SITE_NAME` (default: *`ORGANISATION_NAME` user manager*): Change this to replace the title in the menu, e.g. "My Company Account Management".

* `SITE_LOGIN_LDAP_ATTRIBUTE` (default: *`LDAP_ACCOUNT_ATTRIBUTE`*): The LDAP account attribute to use when logging into the user-manager. For example, set this to `mail` to use email addresses to log in. Use this with extreme caution. The value for this attribute needs to be unique for each account; if more than one result is found when searching for an account then you won't be able to log in.

* `SITE_LOGIN_FIELD_LABEL` (default: *Username*): This is the label that appears next to the username field on the login page. If you change `SITE_LOGIN_LDAP_ATTRIBUTE` then you might want to change this. For example, `SITE_LOGIN_FIELD_LABEL="Email address"`.

* `SHOW_POSIX_ATTRIBUTES` (default: *FALSE*): If set to `TRUE` this show extra attributes for **posixAccount** and **posixGroup** in the account and group forms. Leave this set to `FALSE` if you don't use LDAP accounts to log into servers etc., as it makes the interface much simpler. The Posix values are still set in the background using the default values. This setting doesn't hide any Posix attributes set via `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` or `LDAP_GROUP_ADDITIONAL_ATTRIBUTES`.

* `REMOTE_HTTP_HEADERS_LOGIN`(default: *FALSE*) Enables session managment from an external service like Authelia. _This setting will compromise your security if you're not using an Auth-Proxy in front of this application_.


#### Email sending settings

To send emails you'll need to use an existing SMTP server. Email sending will be disabled if `SMTP_HOSTNAME` isn't set.
Expand Down
3 changes: 3 additions & 0 deletions www/includes/config.inc.php
Original file line number Diff line number Diff line change
Expand Up @@ -116,6 +116,9 @@
$ORGANISATION_NAME = (getenv('ORGANISATION_NAME') ? getenv('ORGANISATION_NAME') : 'LDAP');
$SITE_NAME = (getenv('SITE_NAME') ? getenv('SITE_NAME') : "$ORGANISATION_NAME user manager");

$SITE_LOGIN_LDAP_ATTRIBUTE = (getenv('SITE_LOGIN_LDAP_ATTRIBUTE') ? getenv('SITE_LOGIN_LDAP_ATTRIBUTE') : $LDAP['account_attribute'] );
$SITE_LOGIN_FIELD_LABEL = (getenv('SITE_LOGIN_FIELD_LABEL') ? getenv('SITE_LOGIN_FIELD_LABEL') : "Username" );

$SERVER_HOSTNAME = (getenv('SERVER_HOSTNAME') ? getenv('SERVER_HOSTNAME') : "ldapusermanager.org");
$SERVER_PATH = (getenv('SERVER_PATH') ? getenv('SERVER_PATH') : "/");

Expand Down
13 changes: 7 additions & 6 deletions www/includes/ldap_functions.inc.php
Original file line number Diff line number Diff line change
Expand Up @@ -83,14 +83,14 @@ function open_ldap_connection($ldap_bind=TRUE) {

###################################

function ldap_auth_username($ldap_connection,$username, $password) {
function ldap_auth_username($ldap_connection, $username, $password) {

# Search for the DN for the given username. If found, try binding with the DN and user's password.
# If the binding succeeds, return the DN.

global $log_prefix, $LDAP, $LDAP_DEBUG;
global $log_prefix, $LDAP, $SITE_LOGIN_LDAP_ATTRIBUTE, $LDAP_DEBUG;

$ldap_search_query="{$LDAP['account_attribute']}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);
$ldap_search_query="{$SITE_LOGIN_LDAP_ATTRIBUTE}=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER);
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Running LDAP search for: $ldap_search_query"); }

$ldap_search = @ ldap_search( $ldap_connection, $LDAP['user_dn'], $ldap_search_query );
Expand All @@ -117,13 +117,14 @@ function ldap_auth_username($ldap_connection,$username, $password) {
$this_dn = $result[0]['dn'];
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Attempting authenticate as $username by binding with {$this_dn} ",0); }
$auth_ldap_connection = open_ldap_connection(FALSE);
$can_bind = @ ldap_bind( $auth_ldap_connection, $result[0]['dn'], $password);
$can_bind = @ ldap_bind($auth_ldap_connection, $result[0]['dn'], $password);

if ($can_bind) {
preg_match("/{$LDAP['account_attribute']}=(.*?),/",$result[0]['dn'],$dn_match);
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Able to bind as {$username}",0); }
$account_id=$dn_match[1];
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Able to bind as {$username}: dn is {$result[0]['dn']} and account ID is {$account_id}",0); }
ldap_close($auth_ldap_connection);
return $dn_match[1];
return $account_id;
}
else {
if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix Unable to bind as {$username}: " . ldap_error($auth_ldap_connection),0); }
Expand Down
11 changes: 5 additions & 6 deletions www/log_in/index.php
Original file line number Diff line number Diff line change
Expand Up @@ -22,19 +22,18 @@
if (isset($_POST["user_id"]) and isset($_POST["password"])) {

$ldap_connection = open_ldap_connection();
$user_auth = ldap_auth_username($ldap_connection,$_POST["user_id"],$_POST["password"]);
$is_admin = ldap_is_group_member($ldap_connection,$LDAP['admins_group'],$_POST["user_id"]);
$account_id = ldap_auth_username($ldap_connection,$_POST["user_id"],$_POST["password"]);
$is_admin = ldap_is_group_member($ldap_connection,$LDAP['admins_group'],$account_id);

ldap_close($ldap_connection);

if ($user_auth != FALSE) {
if ($account_id != FALSE) {

set_passkey_cookie($user_auth,$is_admin);
set_passkey_cookie($account_id,$is_admin);
if (isset($_POST["redirect_to"])) {
header("Location: //{$_SERVER['HTTP_HOST']}" . base64_decode($_POST['redirect_to']) . "\n\n");
}
else {

if ($IS_ADMIN) { $default_module = "account_manager"; } else { $default_module = "change_password"; }
header("Location: //{$_SERVER['HTTP_HOST']}{$SERVER_PATH}$default_module?logged_in\n\n");
}
Expand Down Expand Up @@ -78,7 +77,7 @@
<?php if (isset($redirect_to) and ($redirect_to != "")) { ?><input type="hidden" name="redirect_to" value="<?php print htmlspecialchars($redirect_to); ?>"><?php } ?>

<div class="form-group">
<label for="username" class="col-sm-4 control-label">Username</label>
<label for="username" class="col-sm-4 control-label"><?php print $SITE_LOGIN_FIELD_LABEL; ?></label>
<div class="col-sm-6">
<input type="text" class="form-control" id="user_id" name="user_id">
</div>
Expand Down

0 comments on commit 7d1897b

Please sign in to comment.