  1. <?php
  2.  
  3. /* Gets the members of the given group within the base DN.
  4. Returns an array containing the members. */
  5. function getLDAPGroupMembers(&$ldapConn, $baseDN, $groupDN) {
  6. $ldapSearch = ldap_search($ldapConn, $baseDN, "(|(distinguishedName=$groupDN))", array("member"));
  7. $ldapResults = ldap_get_entries($ldapConn, $ldapSearch);
  8.  
  9. return @$ldapResults[0]['member'];
  10. }
  11.  
  12. /* Checks if a user's group is also a member of the group's group.
  13. Returns true or false. */
  14. function inLDAPGroup($groupGroups, $userGroups) {
  15. // Remove the first element of the array.
  16. // The first element will be the element count, as returned by ldap_get_entries().
  17. @array_shift($groupGroups);
  18. @array_shift($userGroups);
  19.  
  20. // If either the group groups or user groups are empty, return false.
  21. if (empty($groupGroups) || empty($userGroups)) {
  22. return false;
  23. }
  24.  
  25. // Set all elements to lowercase.
  26. $groupGroups = array_map('strtolower', $groupGroups);
  27. $userGroups = array_map('strtolower', $userGroups);
  28.  
  29. // Flip the group groups array so the value becomes the key.
  30. $groupGroups = array_flip($groupGroups);
  31.  
  32. // Use isset() because it's faster than in_array() and others.
  33. foreach($userGroups as $userGroup) {
  34. if (isset($groupGroups[$userGroup])) {
  35. return true;
  36. }
  37. }
  38.  
  39. return false;
  40. }
  41.  
  42. // Set a variable so that misc.inc.php knows not to throw us into an infinite redirect loop
  43. $loginPage = true;
  44.  
  45. require_once('db.inc.php');
  46. require_once('facilities.inc.php');
  47.  
  48. // Uncomment these if you need/want to set a title in the header
  49. $header=__("openDCIM Login");
  50. $content = "";
  51. $person = new People();
  52.  
  53. if ( isset($_GET['logout'])) {
  54. // Unfortunately session_destroy() doesn't actually clear out existing variables, so let's nuke from orbit
  55. session_unset();
  56. $_SESSION = array();
  57. unset($_SESSION["userid"]);
  58. session_destroy();
  59. session_commit();
  60. $content = "<h3>Logout successful.</h3>";
  61. }
  62.  
  63. if ( isset($_POST['username'])) {
  64. $ldapConn = ldap_connect( $config->ParameterArray['LDAPServer'] );
  65. if ( ! $ldapConn ) {
  66. $content = "<h3>Fatal error. The LDAP server is not reachable. Please try again later, or contact your system administrator to check the configuration.</h3>";
  67. error_log( "Unable to connect to LDAP Server: " . $config->ParameterArray['LDAPServer']);
  68. } else {
  69. ldap_set_option( $ldapConn, LDAP_OPT_PROTOCOL_VERSION, 3 );
  70.  
  71. $ldapUser = htmlspecialchars($_POST['username']);
  72. $ldapDN = str_replace( "%userid%", $ldapUser, $config->ParameterArray['LDAPBindDN']);
  73. $ldapPassword = $_POST['password'];
  74.  
  75. $ldapBind = ldap_bind( $ldapConn, $ldapDN, $ldapPassword );
  76.  
  77. if ( ! $ldapBind ) {
  78. $content = "<h3>Login failed. Incorrect username, password, or rights.</h3>";
  79. error_log("Login failed for $ldapUser. Incorrect username or password");
  80. } else {
  81. // User was able to authenticate, but might not have authorization to access openDCIM. Here we check for those rights.
  82. /* If this install doesn't have the new parameter, use the old default */
  83. if ( !isset($config->ParameterArray['LDAPBaseSearch'])) {
  84. $config->ParameterArray['LDAPBaseSearch'] = "(&(objectClass=posixGroup)(memberUid=%userid%))";
  85. }
  86.  
  87. // Because we have audit logs to maintain, we need to make a local copy of the User's record
  88. // to keep in the openDCIM database just in case the user gets removed from LDAP. This also
  89. // makes it easier to check access rights by replicating the user's rights from LDAP into the
  90. // local db for the session. Revoke all rights every login and pull a fresh set from LDAP.
  91. $person->UserID = $ldapUser;
  92. $person->GetPersonByUserID();
  93. $person->revokeAll();
  94.  
  95. // Now get some more info about the user
  96. // Insert the default 4.2 UserSearch string in case this is an upgrade instance
  97. if ( ! isset($config->ParameterArray['LDAPUserSearch'])) {
  98. $config->ParameterArray['LDAPUserSearch'] = "(|(uid=%userid%))";
  99. }
  100. $userSearch = str_replace( "%userid%", $ldapUser, html_entity_decode($config->ParameterArray['LDAPUserSearch']));
  101. $ldapSearch = ldap_search( $ldapConn, $config->ParameterArray['LDAPBaseDN'], $userSearch );
  102. $ldapResults = ldap_get_entries( $ldapConn, $ldapSearch );
  103.  
  104. // These are standard schema items, so they aren't configurable
  105. // However, suppress any errors that may crop up from not finding them
  106. $person->FirstName = @$ldapResults[0]['givenname'][0];
  107. $person->LastName = @$ldapResults[0]['sn'][0];
  108. $person->Email = @$ldapResults[0]['mail'][0];
  109.  
  110. // Get the user's DN.
  111. $ldapUserDN = @$ldapResults[0]['dn'];
  112. // Get the groups that the user is a member of.
  113. $ldapUserGroups = @$ldapResults[0]['memberof'];
  114. // Add the user's DN to the groups as well because they may have been added as a member of the group explicitly.
  115. array_push($ldapUserGroups, $ldapUserDN);
  116.  
  117. // Check the different OpenDCIM priviledges and try to match.
  118. // Lots of if statements here because a user could be a member of more than one group.
  119. if ($config->ParameterArray['LDAPSiteAccess'] == "" || inLDAPGroup(getLDAPGroupMembers($ldapConn, $config->ParameterArray['LDAPBaseDN'], $config->ParameterArray['LDAPSiteAccess']), $ldapUserGroups)) {
  120. // No specific group membership required to access openDCIM or they have a match to the group required
  121. $_SESSION['userid'] = $ldapUser;
  122. $_SESSION['LoginTime'] = time();
  123. session_commit();
  124. }
  125.  
  126. if (inLDAPGroup(getLDAPGroupMembers($ldapConn, $config->ParameterArray['LDAPBaseDN'], $config->ParameterArray['LDAPReadAccess']), $ldapUserGroups)) {
  127. $person->ReadAccess = true;
  128. }
  129.  
  130. if (inLDAPGroup(getLDAPGroupMembers($ldapConn, $config->ParameterArray['LDAPBaseDN'], $config->ParameterArray['LDAPWriteAccess']), $ldapUserGroups)) {
  131. $person->WriteAccess = true;
  132. }
  133.  
  134. if (inLDAPGroup(getLDAPGroupMembers($ldapConn, $config->ParameterArray['LDAPBaseDN'], $config->ParameterArray['LDAPDeleteAccess']), $ldapUserGroups)) {
  135. $person->DeleteAccess = true;
  136. }
  137.  
  138. if (inLDAPGroup(getLDAPGroupMembers($ldapConn, $config->ParameterArray['LDAPBaseDN'], $config->ParameterArray['LDAPAdminOwnDevices']), $ldapUserGroups)) {
  139. $person->AdminOwnDevices = true;
  140. }
  141.  
  142. if (inLDAPGroup(getLDAPGroupMembers($ldapConn, $config->ParameterArray['LDAPBaseDN'], $config->ParameterArray['LDAPRackRequest']), $ldapUserGroups)) {
  143. $person->RackRequest = true;
  144. }
  145.  
  146. if (inLDAPGroup(getLDAPGroupMembers($ldapConn, $config->ParameterArray['LDAPBaseDN'], $config->ParameterArray['LDAPRackAdmin']), $ldapUserGroups)) {
  147. $person->RackAdmin = true;
  148. }
  149.  
  150. if (inLDAPGroup(getLDAPGroupMembers($ldapConn, $config->ParameterArray['LDAPBaseDN'], $config->ParameterArray['LDAPContactAdmin']), $ldapUserGroups)) {
  151. $person->ContactAdmin = true;
  152. }
  153.  
  154. if (inLDAPGroup(getLDAPGroupMembers($ldapConn, $config->ParameterArray['LDAPBaseDN'], $config->ParameterArray['LDAPBulkOperations']), $ldapUserGroups)) {
  155. $person->BulkOperations = true;
  156. }
  157.  
  158. if (inLDAPGroup(getLDAPGroupMembers($ldapConn, $config->ParameterArray['LDAPBaseDN'], $config->ParameterArray['LDAPSiteAdmin']), $ldapUserGroups)) {
  159. $person->SiteAdmin = true;
  160. }
  161.  
  162. if ( isset($_SESSION['userid']) ) {
  163. if ( $person->PersonID > 0 ) {
  164. $person->UpdatePerson();
  165. } else {
  166. $person->CreatePerson();
  167. }
  168. if ( isset($_COOKIE['targeturl'] )) {
  169. header('Location: ' . html_entity_decode($_COOKIE['targeturl']));
  170. } else {
  171. header('Location: ' . redirect('index.php'));
  172. }
  173. exit;
  174. } else {
  175. $content .= "<h3>Login failed. Incorrect username, password, or rights.</h3>";
  176. }
  177.  
  178. }
  179. }
  180.  
  181. }
  182.  
  183.  
  184. ?>
<!doctype html>
<html>
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Edge">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

<title>openDCIM Data Center Inventory</title>
<link rel="stylesheet" href="css/inventory.php" type="text/css">
<link rel="stylesheet" href="css/jquery-ui.css" type="text/css">
<!--[if lt IE 9]>
<link rel="stylesheet" href="css/ie.css" type="text/css" />
<![endif]-->

<script type="text/javascript" src="scripts/jquery.min.js"></script>
<script type="text/javascript" src="scripts/jquery-ui.min.js"></script>
<script type="text/javascript">
// Put the cursor in the username field as soon as the page has loaded.
$(document).ready(function() {
$("#username").focus();
});
</script>
</head>
<body>
<?php include( 'header.inc.php' ); ?>
<div class="page index">
<?php
include( 'sidebar.inc.php' );
?>
<div class="main">
<div class="center"><div>

<!-- $content holds the status markup built by the PHP above (logout / login
     failure <h3> blocks); it is server-assembled HTML, so it is emitted as-is. -->
<?php echo $content; ?>

<!-- The handler above runs when the POST carries 'username'; the action is
     presumably this same file. -->
<form action="login_ldap.php" method="post">
<div class="table">
<div>
<div><label for="username"><?php echo __("Username:"); ?></label></div>
<div><input type="text" id="username" name="username"></div>
</div>
<div>
<div><label for="password"><?php echo __("Password:"); ?></label></div>
<div><input type="password" name="password"></div>
</div>
<div>
<div></div>
<div><input type="submit" name="submit" value="<?php echo __("Submit"); ?>"></div>
</div>
</div>
</form>


<div>
<?php
// Optional site-specific contact block; only shown when the file exists.
if ( file_exists("sitecontact.html")) {
include("sitecontact.html");
}
?>
</div>
</div></div>
</div><!-- END div.main -->
</div><!-- END div.page -->
</body>
</html>