Open-AudIT

What's on your network?
PostPosted: Thu Sep 06, 2007 4:07 am
Helper
Joined: Thu Jun 14, 2007 4:06 am
Posts: 96
Location: Georgia, USA
I've written a script to authenticate users to Active Directory. In addition to authenticating the user, it checks for membership in a domain group(s) that is authorized to use Open-AudIT.

If you have a working LDAP section in include_config.php the only change required should be to add the group your authorized users will be a member of to $group_name_filter. In this case the OpenAuditUser group. If you need to make changes, you can explicitly set the following variables:

$group_name_filter
$server
$domain
$basedn

Is anyone willing to test this? As far as I can tell the credentials are passed in clear text unless you use SSL. The communication with the LDAP server is also clear text as far as I can tell. Does anyone know how to bind using a protected password?

Each page can be protected by adding the following to the top of the page. I currently have it on index.php, but it would probably be better to place it in an include file that's already global. Any suggestions?

[code]include "login.inc";[/code]

Copy login.inc to the root folder:

[code]<?php
session_start();
if(!isset($_SESSION["username"]))
{
header('Location: login.php');
exit;
}
//echo "distinguishedName is: " . $_SESSION["fqdn"] . "<BR>";
//echo "Username: " . $_SESSION["username"] . "<BR>";
?>[/code]

Copy login.php to the root folder as well:

[code]<?php
//If you wish to force SSL
//if ($_SERVER["SERVER_PORT"]!=443){ header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']); exit(); }
session_start();
// Include LDAP settings from config file
include "include_config.php";

// When you view Active Directory using LDAP, the member attribute is not populated with the primary group.
// Domain Users is the primary group by default, so the group named in the filter cannot be the primary group.
$group_name_attributes = array("member", "name", "cn", "sAMAccountName");
// Here is an example of how to search one group
//$group_name_filter = "(&(objectClass=group)(sAMAccountName=Domain Admins))";

// Here is an example of how to search two groups
$group_name_filter = "(&(objectClass=group)(|(sAMAccountName=OpenAuditUser)(sAMAccountName=Domain Admins)))";

// Set variables to those defined in include_config.php
$server = $ldap_server;
$domain = $management_domain_suffix;
$basedn = $ldap_base_dn;

// Page to redirect to for initial logon or failed logon
$script=$_SERVER['SCRIPT_NAME'];

// Page to redirect to after successful authentication
// If you have index.php as a default document use this
//$page = "/";
// Explicitly provide index page
$page = "/index.php";

if (isset($_POST['username'])) {
// Get username and password information from POST
$username=$_POST['username'];

//The username must include the Active Directory UPN suffix
//Remove domain prefix
$pre = explode(chr(92),$username,2);
if (isset($pre[1])) {
$username=$pre[1];
}
//Check for domain suffix
$suf = explode(chr(64),$username,2);
if (isset($suf[1])) {
$username_plus_upn = $username;
$username = $suf[0];
} else {
//Add domain suffix
$username_plus_upn = $username . "@" . $domain;
}

$password=$_POST['password'];
//$pwd_md5 = '{MD5}' . base64_encode(pack('H*',md5($password)));
//$password = $pwd_md5;
$connect = ldap_connect($server);
// Connect
if (!($connect)) {
session_destroy();
header('Location: '.$script);
die ("Could not connect to LDAP server");
}
// Set AD specific options
ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
// Bind to directory using username and password
//$bind = ldap_sasl_bind($connect, $username_plus_upn, $password);
// Reject empty credentials before binding: a simple bind with an empty password
// is an unauthenticated bind, which the directory may accept
if (($username=="") || ($password=="")) {
session_destroy();
ldap_unbind($connect);
header('Location: '.$script);
die ("Could not bind with account $username");
}
// @ suppresses the "Invalid credentials" warning, which would otherwise be output before the redirect header
$bind = @ldap_bind($connect, $username_plus_upn, $password);
if (!($bind)) {
session_destroy();
// Close the connection (pass the link resource, not the boolean bind result)
ldap_unbind($connect);
header('Location: '.$script);
die ("Could not bind with account $username");
}
// Query AD for fqdn to be used in check for group membership
// Query AD for the user's DN, used in the group membership check.
// The submitted name is escaped so it cannot alter the filter.
$sr = ldap_search($connect, $basedn, "(&(objectClass=user)(objectCategory=person)(sAMAccountName=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . "))");
$info = ldap_get_entries($connect, $sr);
if ($info["count"] == 0) {
session_destroy();
ldap_unbind($connect);
header('Location: '.$script);
die ("Could not find account $username");
}
$fullname = isset($info[0]["displayname"][0]) ? $info[0]["displayname"][0] : $username;
$fqdn=$info[0]["dn"];

//Check for group membership
$sr=ldap_search($connect, $basedn, $group_name_filter, $group_name_attributes);
$info = ldap_get_entries($connect, $sr);
for ($i=0; $i<$info["count"]; $i++) {
// A group with no members has no "member" attribute; its "count" key gives the number of values
if (!isset($info[$i]["member"])) { continue; }
for ($j=0; $j<$info[$i]["member"]["count"]; $j++) {
// Create SESSION variable if username is a member groupname
if ($info[$i]["member"][$j] == $fqdn) {
$_SESSION["username"]=$username;
$_SESSION["token"]=$password;
$_SESSION["fullname"]=$fullname;
$_SESSION["fqdn"]=$fqdn;
// Close the connection
ldap_unbind($connect);
header('Location: '.$page);
exit;
//{break;}
}
}
}
// Authenticated but not in an authorised group: close the connection and return to the login page
ldap_unbind($connect);
session_destroy();
header('Location: '.$script);
exit;
} else {
?>
<html>
<head>
<title>Open-AudIT Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="expires" content="0">
<meta http-equiv="pragma" content="no-cache">
</head>
<body>
<SCRIPT LANGUAGE="JavaScript">
<!--
document.onmousedown=click;
function click()
{
if (event.button==2) {alert('Right-clicking has been disabled by the administrator.');}
}

//--></SCRIPT>
<div align="center">
<form method="post" action="<?php echo $_SERVER['SCRIPT_NAME']; ?>">
<div align="center">
<table width="210" border="0" cellspacing="0" cellpadding="0">
<tr>
<td align="center">
<fieldset>
<Legend><font face="Verdana,Tahoma,Arial,sans-serif" size="1" color="gray">Enter Credentials</font></Legend>
<table border="0" cellspacing="3" cellpadding="0">
<tr>
<td align="right" valign="middle"><b><font face="Verdana,Tahoma,Arial,sans-serif" size="1" color="gray">Username:</font></td>
<td align="center" valign="middle">
<input class="clear" type="text" size="15" name="username">
</td>
</tr>
<tr>
<td align="right" valign="middle"><b><font face="Verdana,Tahoma,Arial,sans-serif" size="1" color="gray">Password:</font></td>
<td align="center" valign="middle">
<input class="pass" type="password" size="15" name="password">
</td>
</tr>
</table>
<input type="submit" value="Submit">
<br>
</div>
</td>
</tr>
</fieldset>
</table>
<br>
<table width="640"><tr><td align="center">
<font face="Verdana,Tahoma,Arial,sans-serif" size="1"
color="silver">This System is for the use of authorized users only.</font>
</td></tr></table>
</div>
</form>
</div>
</body>
</html>
<?php
die ();
}
?>[/code]
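The parts of this flow that can be run without a domain controller, as an added example rather than the script posted above: normalising the three login spellings into a UPN, building the user and group filters with RFC 4515 escaping so the submitted name cannot change the query, and a bind helper that refuses an empty password before binding and uses LDAPS or StartTLS (the protected-password question above). Function names, the example.test suffix and the ldaps:// URI are assumptions; ad_bind() needs a reachable directory and is not called by the demo.

```php
<?php
// Added example: pure helpers for the login flow above; not the forum script.
// Function names, the suffix and the ldaps:// URI are assumptions.

// Escape a value for use inside an LDAP search filter (RFC 4515). Uses
// ext/ldap's ldap_escape() when present (PHP 5.6+), else a local table.
function filter_escape($value) {
    if (function_exists('ldap_escape')) {
        return ldap_escape($value, '', LDAP_ESCAPE_FILTER);
    }
    // Backslash is replaced first so the escapes it introduces are not re-escaped.
    return str_replace(
        array('\\', '*', '(', ')', "\0"),
        array('\5c', '\2a', '\28', '\29', '\00'),
        $value
    );
}

// Accept "user", "DOMAIN\user" or "user@suffix"; return array(sAMAccountName, UPN).
function normalise_login($input, $default_suffix) {
    $input = trim($input);
    $parts = explode('\\', $input, 2);          // drop a DOMAIN\ prefix
    if (isset($parts[1])) {
        $input = $parts[1];
    }
    $parts = explode('@', $input, 2);           // keep an existing suffix or add ours
    $sam = $parts[0];
    $upn = isset($parts[1]) ? $input : $sam . '@' . $default_suffix;
    return array($sam, $upn);
}

// Filter that finds the person object for one sAMAccountName.
function user_filter($sam) {
    return '(&(objectClass=user)(objectCategory=person)(sAMAccountName='
        . filter_escape($sam) . '))';
}

// Filter that finds any of the authorised groups (the $group_name_filter above).
function group_filter(array $groups) {
    $clauses = '';
    foreach ($groups as $g) {
        $clauses .= '(sAMAccountName=' . filter_escape($g) . ')';
    }
    return '(&(objectClass=group)(|' . $clauses . '))';
}

// Bind as the user. Returns the LDAP link on success, false otherwise.
// Needs a reachable directory, so the demo below does not call it.
function ad_bind($uri, $upn, $password) {
    // Refuse empty credentials before binding: a simple bind with a name and an
    // empty password is an unauthenticated bind, which Active Directory accepts by default.
    if ($upn === '' || $password === '') {
        return false;
    }
    $link = ldap_connect($uri);                 // e.g. 'ldaps://dc.example.test' (assumed)
    if (!$link) {
        return false;
    }
    ldap_set_option($link, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($link, LDAP_OPT_REFERRALS, 0);
    // Without ldaps://, upgrade with StartTLS so the password does not cross the wire in clear.
    if (strpos($uri, 'ldaps://') !== 0 && !ldap_start_tls($link)) {
        ldap_unbind($link);
        return false;
    }
    if (!@ldap_bind($link, $upn, $password)) {
        ldap_unbind($link);                     // unbind the link, not the boolean bind result
        return false;
    }
    return $link;
}

// Demo on constructed input, including a value crafted to alter the filter.
$suffix = 'example.test';
foreach (array('jdoe', 'EXAMPLE\jdoe', 'jdoe@example.test', '*)(objectClass=*') as $login) {
    list($sam, $upn) = normalise_login($login, $suffix);
    echo $login . ' -> upn=' . $upn . ' filter=' . user_filter($sam) . "\n";
}
echo group_filter(array('OpenAuditUser', 'Domain Admins')) . "\n";
```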


PostPosted: Thu Sep 06, 2007 7:39 pm
Moderator
Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
It looks neat to me, however I have a couple of points.
First, we need to make it optional depending on a flag in the config.

$use_ldap_login_authentication = true; in include_config and set this up in the setup.php page, and test this condition before including login.inc would be the way to do this.

I think we should try to stick to the OA naming, so login.inc becomes include_ldap_login.php and login.php becomes ldap_login.php. Other than that I think it's excellent. I am extremely busy with the day to day stuff that pays the bills, so it may be a day or two before I try this out.

Does it work with both IE and Firefox?
Will it work with both Apache and IIS?

_________________
Andrew

[size=85]OA Server: Windows XP/ XAMPP, Mandriva/Apache, Ubuntu
Auditing: 300+ Wstns, 20+ Srvrs, Thin clients, Linux boxes, Routers, etc
OS's: Windows XP , W2K Srvr, W2K3 Srvr, W2K8, Vista, Windows 7, Linuxes (and a Mac at home)
LDAP: Active Directory[/size]


PostPosted: Fri Sep 07, 2007 11:21 pm
Moderator
Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
I tried this, but I get this...

[code]
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at C:\Program Files\xampp\htdocs\OpenAudit\ldap_login.php:1) in C:\Program Files\xampp\htdocs\OpenAudit\ldap_login.php on line 4

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at C:\Program Files\xampp\htdocs\OpenAudit\ldap_login.php:1) in C:\Program Files\xampp\htdocs\OpenAudit\ldap_login.php on line 4

Fatal error: Call to undefined function ldap_connect() in C:\Program Files\xampp\htdocs\OpenAudit\ldap_login.php on line 54
[/code]

Any thoughts?
:?

_________________
Andrew


PostPosted: Fri Sep 07, 2007 11:56 pm
Helper
Joined: Thu Jun 14, 2007 4:06 am
Posts: 96
Location: Georgia, USA
Read this thread [url]http://www.thescripts.com/forum/thread1890.html[/url]. It sounds like the include file might not be the first item on the page.

The first lines of my index.php are:

[code]<?php
include "include_ldap_login.php";[/code]

Can you post the first few lines where you put the include file on your page?

Also, regarding the "Fatal error: Call to undefined function ldap_connect() in C:\Program Files\xampp\htdocs\OpenAudit\ldap_login.php on line 54":

It sounds like extension=php_ldap.dll isn't uncommented in your php.ini. If I comment it out on mine I get the same error.

When you run php.php is LDAP listed?

[code]<?php
phpinfo();
?>
[/code]

You might try enabling error reporting to see if it's correctly loaded. In php.ini set "display_errors = on" and "display_startup_errors = on".

In OpenAudit under System Summary are you able to get "User Details" from Active Directory?


PostPosted: Sat Sep 08, 2007 1:01 am
Moderator
Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Well spotted with the LDAP problem. I am running this on a new box, so that's my excuse!

However I still see
[code]
Warning: session_start() [function.session-start]: Cannot send session cookie - headers already sent by (output started at C:\Program Files\xampp\htdocs\OpenAudit\include_ldap_login.php:1) in C:\Program Files\xampp\htdocs\OpenAudit\include_ldap_login.php on line 2

Warning: session_start() [function.session-start]: Cannot send session cache limiter - headers already sent (output started at C:\Program Files\xampp\htdocs\OpenAudit\include_ldap_login.php:1) in C:\Program Files\xampp\htdocs\OpenAudit\include_ldap_login.php on line 2

Warning: Cannot modify header information - headers already sent by (output started at C:\Program Files\xampp\htdocs\OpenAudit\include_ldap_login.php:1) in C:\Program Files\xampp\htdocs\OpenAudit\include_ldap_login.php on line 5
[/code]

The start of my index.php reads...

[code]
<?php
include "include_ldap_login.php";
/**
*
* @version $Id: index.php 24th May 2007
*
* @author The Open Audit Developer Team
* @objective Index Page for Open Audit.
* @package open-audit (www.open-audit.org)
* @copyright Copyright (C) open-audit.org All rights reserved.
* @license http://www.gnu.org/copyleft/gpl.html GNU/GPL, see ../gpl.txt
* Open-Audit is free software. This version may have been modified pursuant
* to the GNU General Public License, and as distributed it includes or
* is derivative of works licensed under the GNU General Public License or
* other free or open source software licenses.
* See www.open-audit.org for further copyright notices and details.
*
*/
$page = "";
$extra = "";
$software = "";
$count = 0;
...[/code]

include_ldap_login.php reads..

[code]
<?php
session_start();
if(!isset($_SESSION["username"]))
{
header('Location: ldap_login.php');
exit;
}
//echo "distinguishedName is: " . $_SESSION["fqdn"] . "<BR>";
//echo "Username: " . $_SESSION["username"] . "<BR>";
?>
[/code]

and ldap_login.php reads..

[code]
<?php
//If you wish to force SSL
//if ($_SERVER["SERVER_PORT"]!=443){ header("Location: https://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF']); exit(); }
session_start();
// # LDAP settings from config file
include "include_config.php";

// When you view Active Directory with using LDAP, the Members attribute is not populated with the Primary group.
// Domain Users is the primary group by default. The groupname variable cannot be the Primary group.
$group_name_attributes = array("member", "name", "cn", "sAMAccountName");
// Here is an example of how to search one group
//$group_name_filter = "(&(objectClass=group)(sAMAccountName=Domain Admins))";

// Here is an example of how to search two groups
$group_name_filter = "(&(objectClass=group)(|(sAMAccountName=OpenAuditUser)(sAMAccountName=Domain Admins)))";

// Set variables to those defined in include_config.php
$server = $ldap_server;
$domain = $management_domain_suffix;
$basedn = $ldap_base_dn;

// Page to redirect to for initial logon or failed logon
$script=$_SERVER['SCRIPT_NAME'];

// Page to redirect to after successful authentication
// If you have index.php as a default document use this
//$page = "/";
// Explicitly provide index page
$page = "/index.php";

if (isset($_POST['username'])) {
// Get username and password information from POST
$username=$_POST['username'];

//The username must include the Active Directory UPN suffix
//Remove domain prefix
$pre = explode(chr(92),$username,2);
if (isset($pre[1])) {
$username=$pre[1];
}
//Check for domain suffix
$suf = explode(chr(64),$username,2);
if (isset($suf[1])) {
$username_plus_upn = $username;
$username = $suf[0];
} else {
//Add domain suffix
$username_plus_upn = $username . "@" . $domain;
}

$password=$_POST['password'];
//$pwd_md5 = '{MD5}' . base64_encode(pack('H*',md5($password)));
//$password = $pwd_md5;
$connect = ldap_connect($server);
// Connect
if (!($connect)) {
session_destroy();
header('Location: '.$script);
die ("Could not connect to LDAP server");
}
// Set AD specific options
ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
// Bind to directory using username and password
//$bind = ldap_sasl_bind($connect, $username_plus_upn, $password);
$bind = ldap_bind($connect, $username_plus_upn, $password);
if (!($bind) || ($username=="") || ($password=="")) {
session_destroy();
// Close the connection
ldap_unbind($bind);
header('Location: '.$script);
die ("Could not bind with account $username");
}
// Query AD for fqdn to be used in check for group membership
$sr = ldap_search($connect, $basedn, "(&(objectClass=user)(objectCategory=person)(|(sAMAccountName=$username)))");
$info = ldap_get_entries($connect, $sr);
$fullname=$info[0]["displayname"][0];
$fqdn=$info[0]["dn"];

//Check for group membership
$sr=ldap_search($connect, $basedn, $group_name_filter, $group_name_attributes);
$info = ldap_get_entries($connect, $sr);
for ($i=0; $i<$info["count"]; $i++) {
for ($j=0; $j<count($info[$i]["member"])-1; $j++) {
// Create SESSION variable if username is a member groupname
if ($info[$i]["member"][$j] == $fqdn) {
$_SESSION["username"]=$username;
$_SESSION["token"]=$password;
$_SESSION["fullname"]=$fullname;
$_SESSION["fqdn"]=$fqdn;
// Close the connection
ldap_unbind($bind);
header('Location: '.$page);
exit;
//{break;}
}
}
}
session_destroy();
header('Location: '.$script);
exit;
} else {
?>
<html>
<head>
<title>Open-AudIT Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="expires" content="0">
<meta http-equiv="pragma" content="no-cache">
</head>
<SCRIPT LANGUAGE="JavaScript">
<!--
document.onmousedown=click;
function click()
{
if (event.button==2) {alert('Right-clicking has been disabled by the administrator.');}
}

//--></SCRIPT>
<div align="center">
<form method="post" action="<?php echo $_SERVER['SCRIPT_NAME']; ?>">
<div align="center">
<table width="210" border="0" cellspacing="0" cellpadding="0">
<tr>
<td align="center">
<fieldset>
<Legend><font face="Verdana,Tahoma,Arial,sans-serif" size="1" color="gray">Enter Credentials</font></Legend>
<table border="0" cellspacing="3" cellpadding="0">
<tr>
<td align="right" valign="middle"><b><font face="Verdana,Tahoma,Arial,sans-serif" size="1" color="gray">Username:</font></td>
<td align="center" valign="middle">
<input class="clear" type="text" size="15" name="username">
</td>
</tr>
<tr>
<td align="right" valign="middle"><b><font face="Verdana,Tahoma,Arial,sans-serif" size="1" color="gray">Password:</font></td>
<td align="center" valign="middle">
<input class="pass" type="password" size="15" name="password">
</td>
</tr>
</table>
<input type="submit" value="Submit">
<br>
</div>
</td>
</tr>
</fieldset>
</table>
<br>
<table width="640"><tr><td align="center">
<font face="Verdana,Tahoma,Arial,sans-serif" size="1"
color="silver">This System is for the use of authorized users only.</font>
</td></tr></table>
</div>
</form>
</div>
</body>
</html>
<?php
die ();
}
?>
[/code]

_________________
Andrew


PostPosted: Sat Sep 08, 2007 1:15 am
Moderator
Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
OK, sussed the previous error: a null character before <?php at the start of the files, which probably came from cut and paste.

However, when I load index.php now I get.
[code]

Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: Invalid credentials in C:\Program Files\xampp\htdocs\OpenAudit\ldap_login.php on line 66

Warning: ldap_unbind() expects parameter 1 to be resource, boolean given in C:\Program Files\xampp\htdocs\OpenAudit\ldap_login.php on line 70

Warning: Cannot modify header information - headers already sent by (output started at C:\Program Files\xampp\htdocs\OpenAudit\ldap_login.php:66) in C:\Program Files\xampp\htdocs\OpenAudit\ldap_login.php on line 71
Could not bind with account andrew
[/code]

...If I fail to authenticate.


and if I authenticate, I keep seeing the login page.... :?

_________________
Andrew


PostPosted: Sat Sep 08, 2007 2:49 am
Helper
Joined: Thu Jun 14, 2007 4:06 am
Posts: 96
Location: Georgia, USA
You are probably failing the group membership check. In ldap_login.php the following line is the filter to check for group membership:

[code]$group_name_filter = "(&(objectClass=group)(|(sAMAccountName=OpenAuditUser)(sAMAccountName=Domain Admins)))";[/code]

Make sure the group exists and the user is a member of one of the listed groups.

When you view Active Directory using LDAP, the Members attribute is not populated with the Primary group. Domain Users is the primary group by default. The groupname variable cannot be the Primary group. In other words, the group must be something other than "Domain Users".

You can disable the group check by commenting out these lines:

[code] //Check for group membership
// $sr=ldap_search($connect, $basedn, $group_name_filter, $group_name_attributes);
// $info = ldap_get_entries($connect, $sr);
// for ($i=0; $i<$info["count"]; $i++) {
// for ($j=0; $j<count($info[$i]["member"])-1; $j++) {
// // Create SESSION variable if username is a member groupname
// if ($info[$i]["member"][$j] == $fqdn) {
$_SESSION["username"]=$username;
$_SESSION["token"]=$password;
$_SESSION["fullname"]=$fullname;
$_SESSION["fqdn"]=$fqdn;
// // Close the connection
ldap_unbind($bind);
header('Location: '.$page);
exit;
// //{break;}
// }
// }[/code]


PostPosted: Mon Sep 10, 2007 3:28 am
Helper
Joined: Thu Jun 14, 2007 4:06 am
Posts: 96
Location: Georgia, USA
I've reworked the code a little. The objective was to implement a role based authentication system. There are two roles, "user" and "admin." Upon authentication to LDAP the user is checked against two arrays $admin_list and $user_list. The array list may contain Active Directory user names and group names. The user is assigned the role of the list in which it is a member. By default each array is given an empty value "()" so each authenticated user is given the role of "admin." Once a user name or group name is assigned in either array, role checking is enabled.

Copy ldap_login.php and include_ldap_login.php to the OpenAudit document root, then add include "include_ldap_login.php"; to the top of each page to be protected. For example, my index.php has the following as the first two lines:

[code]<?php
include "include_ldap_login.php";[/code]

The following is the new include_ldap_login.php file. Notice the session variable "role" is checked. If it is set the user is allowed access. The code could easily be modified to deny access to certain pages by name if the role isn't "admin." Maybe use something like array_search($_SERVER['SCRIPT_NAME'],$protected_pages). Right now it just checks to see if the role is set, so everyone is given equal access. You can comment out the last echo line. I just left it in to demonstrate the roles.

[code]<?php
session_start();
if(!isset($_SESSION["role"]))
{
header('Location: ldap_login.php');
exit;
}
//echo "distinguishedName is: " . $_SESSION["fqdn"] . "<BR>";
echo "Username: " . $_SESSION["username"] . " Role: " . $_SESSION["role"] . "<BR>";
?>[/code]

The following is the new ldap_login.php file:

[code]<?php
session_start();
// Include LDAP settings from config file
include "include_config.php";
// Set variables to those defined in include_config.php
$server = $ldap_server;
$domain = $management_domain_suffix;
$basedn = $ldap_base_dn;

// When you view Active Directory using LDAP, the member attribute is not populated with the primary group.
// Domain Users is the primary group by default, so the $admin_list and $user_list variables cannot contain the primary group.

// You can assign roles by populating these arrays with Active Directory user or group names enclosed in quotes
// and separated by commas. If both are empty, all users are given the role of admin.
//$admin_list = array("openauditadmin", "administrator");
//$user_list = array("username1", "username2");

$admin_list = array();
$user_list = array();

// Page to redirect to for initial logon or failed logon
$script=$_SERVER['SCRIPT_NAME'];

// Page to redirect to after successful authentication
$page = "/index.php";

if (isset($_POST['username'])) {
// Get username and password information from POST
$username=$_POST['username'];

//The username must include the Active Directory UPN suffix
//Remove domain prefix
$pre = explode(chr(92),$username,2);
if (isset($pre[1])) {
$username=$pre[1];
}
//Check for domain suffix
$suf = explode(chr(64),$username,2);
if (isset($suf[1])) {
$username_plus_upn = $username;
$username = $suf[0];
} else {
//Add domain suffix
$username_plus_upn = $username . "@" . $domain;
}

$password=$_POST['password'];
$connect = ldap_connect($server);
// Connect
if (!($connect)) {
session_destroy();
header('Location: '.$script);
die ("Could not connect to LDAP server");
}
// Set AD specific options
ldap_set_option($connect, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($connect, LDAP_OPT_REFERRALS, 0);
// Bind to directory using username and password
// Reject empty credentials before binding: a simple bind with an empty password
// is an unauthenticated bind, which the directory may accept
if (($username=="") || ($password=="")) {
session_destroy();
ldap_unbind($connect);
header('Location: '.$script);
die ("Could not bind with account $username");
}
// @ suppresses the "Invalid credentials" warning, which would otherwise be output before the redirect header
$bind = @ldap_bind($connect, $username_plus_upn, $password);
if (!($bind)) {
session_destroy();
// Close the connection (pass the link resource, not the boolean bind result)
ldap_unbind($connect);
header('Location: '.$script);
die ("Could not bind with account $username");
}

// Query AD for fqdn to be used in check for group membership
// Query AD for the user's DN, used in the role checks below.
// The submitted name is escaped so it cannot alter the filter.
$sr = ldap_search($connect, $basedn, "(&(objectClass=user)(objectCategory=person)(sAMAccountName=" . ldap_escape($username, "", LDAP_ESCAPE_FILTER) . "))");
$info = ldap_get_entries($connect, $sr);
if ($info["count"] == 0) {
session_destroy();
ldap_unbind($connect);
header('Location: '.$script);
die ("Could not find account $username");
}
$fullname = isset($info[0]["displayname"][0]) ? $info[0]["displayname"][0] : $username;
$fqdn=$info[0]["dn"];

$_SESSION["username"]=$username;
$_SESSION["token"]=$password;
$_SESSION["fullname"]=$fullname;
$_SESSION["fqdn"]=$fqdn;


// check to see if $admin_list or $user_list arrays are populated.
// If arrays are populated check authenticated user for assigned role
// otherwise assign all users the admin role by default
if ((count($admin_list)>0) || (count($user_list)>0)) {
for ($j=0; $j<count($user_list); $j++) {
if (strtolower($username)==strtolower($user_list[$j])) {
// (debug echo removed: output here is sent before the header() redirect below)
$_SESSION["role"]="user";
} else {
// The group name is escaped so a list entry cannot alter the filter
$sr=ldap_search($connect, $basedn, "(&(objectClass=group)(sAMAccountName=" . ldap_escape($user_list[$j], "", LDAP_ESCAPE_FILTER) . "))");
$info = ldap_get_entries($connect, $sr);
for ($i=0; $i<$info["count"]; $i++) {
// A group with no members has no "member" attribute
if (!isset($info[$i]["member"])) { continue; }
// The inner index is $k: reusing $j here would clobber the $user_list index
for ($k=0; $k<$info[$i]["member"]["count"]; $k++) {
// Create SESSION variable if username is a member of a $user_list group
if ($info[$i]["member"][$k] == $fqdn) {
$_SESSION["role"]="user";
break 3;
}
}
}
}


}

for ($j=0; $j<count($admin_list); $j++) {
// Compare case-insensitively, as for $user_list
if (strtolower($username)==strtolower($admin_list[$j])) {
// (debug echo removed: output here is sent before the header() redirect below)
$_SESSION["role"]="admin";
} else {
// The group name is escaped so a list entry cannot alter the filter
$sr=ldap_search($connect, $basedn, "(&(objectClass=group)(sAMAccountName=" . ldap_escape($admin_list[$j], "", LDAP_ESCAPE_FILTER) . "))");
$info = ldap_get_entries($connect, $sr);
for ($i=0; $i<$info["count"]; $i++) {
// A group with no members has no "member" attribute
if (!isset($info[$i]["member"])) { continue; }
// The inner index is $k: reusing $j here would clobber the $admin_list index
for ($k=0; $k<$info[$i]["member"]["count"]; $k++) {
// Create SESSION variable if username is a member of an $admin_list group
if ($info[$i]["member"][$k] == $fqdn) {
$_SESSION["role"]="admin";
break 3;
}
}
}
}


}

} else {
$_SESSION["role"]="admin";
}

if (isset($_SESSION["role"])) {
// Close the connection (pass the link resource, not the boolean bind result)
ldap_unbind($connect);
header('Location: '.$page);
exit;
} else {
session_destroy();
ldap_unbind($connect);
header('Location: '.$script);
exit;
}
} else {
?>
<html>
<head>
<title>Open-AudIT Login</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<meta http-equiv="expires" content="0">
<meta http-equiv="pragma" content="no-cache">
</head>
<body>
<SCRIPT LANGUAGE="JavaScript">
<!--
document.onmousedown=click;
function click()
{
if (event.button==2) {alert('Right-clicking has been disabled by the administrator.');}
}

//--></SCRIPT>
<div align="center">
<form method="post" action="<?php echo $_SERVER['SCRIPT_NAME']; ?>">
<div align="center">
<table width="210" border="0" cellspacing="0" cellpadding="0">
<tr>
<td align="center">
<fieldset>
<Legend><font face="Verdana,Tahoma,Arial,sans-serif" size="1" color="gray">Enter Credentials</font></Legend>
<table border="0" cellspacing="3" cellpadding="0">
<tr>
<td align="right" valign="middle"><b><font face="Verdana,Tahoma,Arial,sans-serif" size="1" color="gray">Username:</font></td>
<td align="center" valign="middle">
<input class="clear" type="text" size="15" name="username">
</td>
</tr>
<tr>
<td align="right" valign="middle"><b><font face="Verdana,Tahoma,Arial,sans-serif" size="1" color="gray">Password:</font></td>
<td align="center" valign="middle">
<input class="pass" type="password" size="15" name="password">
</td>
</tr>
</table>
<input type="submit" value="Submit">
<br>
</div>
</td>
</tr>
</fieldset>
</table>
<br>
<table width="640"><tr><td align="center">
<font face="Verdana,Tahoma,Arial,sans-serif" size="1"
color="silver">This System is for the use of authorized users only.</font>
</td></tr></table>
</div>
</form>
</div>
</body>
</html>
<?php
die ();
}
?>[/code]


Last edited by jpmorgan on Tue Sep 11, 2007 1:31 am, edited 1 time in total.
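The role resolution that the new ldap_login.php performs, as an added example (not the posted script) written against an injected lookup so it runs offline on a constructed directory: a list entry matches the account name case-insensitively or, failing that, names a group whose member DNs are compared with the user's DN; admin takes precedence; and both lists empty means every authenticated user is admin, as the post states. resolve_role, dn_in_entries, in_list and the sample DNs are assumptions.

```php
<?php
// Added example, not the forum script: role resolution over an
// ldap_get_entries()-shaped result, with the directory lookup injected.
// Function names and the sample directory are assumptions.

// Walk an ldap_get_entries() result: a "count" key plus numeric entries,
// each attribute carrying its own "count". A group with no members has no
// "member" attribute at all, which is why the isset() guard is needed.
function dn_in_entries(array $entries, $dn) {
    for ($i = 0; $i < $entries['count']; $i++) {
        if (!isset($entries[$i]['member'])) {
            continue;
        }
        $members = $entries[$i]['member'];
        for ($j = 0; $j < $members['count']; $j++) {
            if (strcasecmp($members[$j], $dn) === 0) {   // DNs compare case-insensitively
                return true;
            }
        }
    }
    return false;
}

// Does $sam (the account) or $dn (its distinguishedName) appear in $list?
// $lookup($groupName) must return the ldap_get_entries() result for that group.
function in_list($sam, $dn, array $list, $lookup) {
    foreach ($list as $name) {
        if (strcasecmp($sam, $name) === 0) {
            return true;                        // listed by account name
        }
        if (dn_in_entries($lookup($name), $dn)) {
            return true;                        // listed through a group
        }
    }
    return false;
}

// Returns "admin", "user" or null (authenticated but not authorised).
function resolve_role($sam, $dn, array $admin_list, array $user_list, $lookup) {
    if (count($admin_list) === 0 && count($user_list) === 0) {
        return 'admin';                         // the post's default: everyone is admin
    }
    if (in_list($sam, $dn, $admin_list, $lookup)) {
        return 'admin';                         // admin wins when both lists match
    }
    if (in_list($sam, $dn, $user_list, $lookup)) {
        return 'user';
    }
    return null;
}

// Constructed stand-in for ldap_search() + ldap_get_entries() on a group name.
$directory = array(
    'openauditadmin' => array(
        'count' => 1,
        0 => array('member' => array('count' => 1,
            0 => 'CN=Alice,OU=Staff,DC=example,DC=test')),
    ),
    'openaudituser' => array(
        'count' => 1,
        0 => array('member' => array('count' => 2,
            0 => 'CN=Bob,OU=Staff,DC=example,DC=test',
            1 => 'CN=Alice,OU=Staff,DC=example,DC=test')),
    ),
    'emptygroup' => array('count' => 1, 0 => array()),   // no member attribute
);
$lookup = function ($group) use ($directory) {
    $key = strtolower($group);
    return isset($directory[$key]) ? $directory[$key] : array('count' => 0);
};

$admin_list = array('openauditadmin', 'administrator');
$user_list  = array('openaudituser', 'emptygroup');
$people = array(
    array('alice', 'CN=Alice,OU=Staff,DC=example,DC=test'),            // in both groups -> admin
    array('bob', 'CN=Bob,OU=Staff,DC=example,DC=test'),                // user group only -> user
    array('Administrator', 'CN=Administrator,CN=Users,DC=example,DC=test'), // listed by name -> admin
    array('carol', 'CN=Carol,OU=Staff,DC=example,DC=test'),            // in nothing -> null
);
foreach ($people as $who) {
    list($sam, $dn) = $who;
    echo $sam . ' -> ' . var_export(resolve_role($sam, $dn, $admin_list, $user_list, $lookup), true) . "\n";
}
```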

PostPosted: Tue Sep 11, 2007 1:15 am
Moderator
Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Much neater.

Put the line include "include_ldap_login.php"; on the third line of the include.php file, and you should protect every page.

[code]
<?php
include_once "include_config.php";
include "include_ldap_login.php";
include_once "include_lang.php";
include_once "include_functions.php";
include_once "include_col_scheme.php";
[/code]

Also change ldap_login.php around line 24 to read...

[code]
// Page to redirect to after successful authentication
$page = "./index.php";

[/code]

This will correctly locate the index page if you have multiple sites on your server (the use of "/index.php" without the . breaks this as it will go to the base index page of the current host, which in my case is not openaudit, but my support help pages, most confusing!)

You also modify include_ldap_login.php like so if you want to make this an option in the config...

[code]
<?php
session_start();
if(!isset($_SESSION["role"])and ($use_ldap_login == true))
[/code]

This is dependent on the first suggestion as we need to read the config before we include this include.

Finally we need to be able to log out! Otherwise potentially I will only ever need to authenticate once...

_________________
Andrew


Top
 Profile  
Reply with quote  
PostPosted: Tue Sep 11, 2007 1:26 am 
Offline
Helper

Joined: Thu Jun 14, 2007 4:06 am
Posts: 96
Location: Georgia, USA
I'll make the changes you suggested and see what I can do to limit access of the config page and backup page to the admin role only. I might also rework searching the arrays for match so it uses the array_search function instead of a loop.

I was hoping to include the username, role and maybe a logoff hyperlink in small print at the top of each page. When I echo this information (in IE 6) it currently distorts the page. It seems to push together the middle rows and the right column. Any idea why it does that? On Firefox it works fine. This ability could be commented out if this isn't desirable.


Last edited by jpmorgan on Tue Sep 11, 2007 1:38 am, edited 1 time in total.

PostPosted: Tue Sep 11, 2007 1:33 am
Moderator
Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
You will also need to ensure that the pages used to post data to the server are NOT authenticated, otherwise the script will be unable to post to the server.

(unless you want to modify audit.vbs to post login credentials :lol: ).

It would be a good idea to also check to see if the user is using https, because if they are .... well actually it just seems to work. Forget that :oops:
Have you checked that this doesn't break the RSS feeds?

_________________
Andrew


PostPosted: Tue Sep 11, 2007 1:47 am
Helper
Joined: Thu Jun 14, 2007 4:06 am
Posts: 96
Location: Georgia, USA
I haven't checked the feeds or the admin_pc_add pages. I'll add that to the list. That issue might be solved by adding an $unprotected_pages array to include pages that shouldn't be protected. That would be in addition to the $protected_pages array. I'll have to look into it. Maybe I can find a slick way to do it. Since admin_pc_add_1.php includes "include.php" the login would get in the way.


PostPosted: Tue Sep 11, 2007 2:02 am
Moderator
Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
I have added the work so far to the SVN at ver 792.

The login page could do with a graphic to tell you what you are logging in to and suggest the format for the login (i.e. user@activedirectory.domain)
It would be good if the login could handle ... username ... domain\username .... and ... username@domain.suffix That way we can be less specific and have fewer support calls. :P

On the subject of which pages to the login, if the page url is admin_*_add or rss* then we don't need to protect it. We also don't need an array of the pages to protect or unprotect, and when we create a new RSS feed or additional admin_*add pages they are automagically unprotected.

So...

Pseudocode....

#gets the URI of the script
$our_url = $_SERVER['SCRIPT_URI'];

#chops URI into bits
$chopped = parse_url($our_url);

... look for the above strings, then set/unset $protect_this_page which we then test before including the include_ldap_login...

(see PHP manual for more info on $_SERVER)
Might be the way to go, what do you think. :?:

_________________
Andrew
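The page-protection rule sketched in this post, as an added example (not Open-AudIT's own code), together with the logout an earlier post asks for: scripts named admin_*_add* or rss* are exempt, everything else is protected, and the check is skipped when the config flag is off. protect_this_page, logout, $use_ldap_login as the flag name and the sample paths are assumptions.

```php
<?php
// Added example, not Open-AudIT's code: decide whether the LDAP login gate
// applies to the current request, following the rule proposed above. Scripts
// named admin_*_add* (audit upload pages) and rss* (feeds) are exempt because
// audit.vbs and feed readers cannot log in interactively; everything else is
// protected. Function and flag names are assumptions.

// Return true when include_ldap_login.php should run for $script_uri.
function protect_this_page($script_uri, $use_ldap_login) {
    if (!$use_ldap_login) {
        return false;                           // feature switched off in the config
    }
    $path = parse_url($script_uri, PHP_URL_PATH);
    if ($path === false || $path === null) {
        return true;                            // unparseable: fail closed
    }
    // Compare the file name only, case-insensitively (IIS paths are
    // case-insensitive, so "RSS.PHP" must not slip past the pattern).
    $name = strtolower(basename($path));
    $exempt = array(
        '/^admin_[a-z0-9_]+_add[a-z0-9_]*\.php$/',  // admin_pc_add_1.php and friends
        '/^rss[a-z0-9_]*\.php$/',                   // feed scripts
    );
    foreach ($exempt as $pattern) {
        if (preg_match($pattern, $name)) {
            return false;                       // exempt by name only: keep these pages free of secrets
        }
    }
    return true;                                // protect by default
}

// Log the user out: empty the session, expire its cookie, destroy it, and
// send the browser back to the login page.
function logout($login_page) {
    session_start();
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    header('Location: ' . $login_page);
    exit;
}

// Usage in include.php (assumed), after include_config.php has set $use_ldap_login:
//   if (protect_this_page($_SERVER['SCRIPT_NAME'], $use_ldap_login)) {
//       include "include_ldap_login.php";
//   }

// Demo over constructed paths (the rss and admin_config names are hypothetical).
$cases = array(
    '/OpenAudit/index.php',                              // protected
    '/OpenAudit/admin_pc_add_1.php',                     // exempt: audit upload
    'http://host/OpenAudit/Admin_PC_Add_1.php?id=3',     // exempt despite the case and query string
    '/OpenAudit/rss_feed.php',                           // exempt: feed
    '/OpenAudit/admin_config.php',                       // protected: not an _add page
);
foreach ($cases as $uri) {
    echo $uri . ' -> ' . (protect_this_page($uri, true) ? 'protected' : 'exempt') . "\n";
}
```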


PostPosted: Tue Sep 11, 2007 2:21 am
Moderator
Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
This is now all in the SVN including an option to switch it on or off on the admin pages. We still have a way to go testing this so any other feed back would be nice.

_________________
Andrew


PostPosted: Tue Sep 11, 2007 3:01 am
Moderator
Joined: Tue Jan 25, 2005 3:09 am
Posts: 2140
Location: Scotland
Added the OA banner to the login page and updated the login text to make clear the info required to log in.
What do you think?

_________________
Andrew

