File: ldap.php

package info (click to toggle)
ocsinventory-server 2.5%2Bdfsg1-1
  • links: PTS, VCS
  • area: main
  • in suites: buster
  • size: 7,088 kB
  • sloc: php: 27,462; perl: 8,241; sh: 1,680; sql: 1,355; xml: 1,041; makefile: 34
file content (235 lines) | stat: -rw-r--r-- 8,828 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
 
<?php
/*
 * Copyright 2005-2016 OCSInventory-NG/OCSInventory-ocsreports contributors.
 * See the Contributors file for more details about them.
 *
 * This file is part of OCSInventory-NG/OCSInventory-ocsreports.
 *
 * OCSInventory-NG/OCSInventory-ocsreports is free software: you can redistribute
 * it and/or modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, either version 2 of the License,
 * or (at your option) any later version.
 *
 * OCSInventory-NG/OCSInventory-ocsreports is distributed in the hope that it
 * will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty
 * of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with OCSInventory-NG/OCSInventory-ocsreports. if not, write to the
 * Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
 * MA 02110-1301, USA.
 */
/* This module automatically inserts valid LDAP users into OCS operators table.
 *
 * The userlevel is defined according to conditions defined in the following configuration fields:
 *
 * - CONEX_LDAP_CHECK_FIELD1_NAME
 * - CONEX_LDAP_CHECK_FIELD1_VALUE
 * - CONEX_LDAP_CHECK_FIELD1_ROLE
 * - CONEX_LDAP_CHECK_FIELD2_NAME
 * - CONEX_LDAP_CHECK_FIELD2_VALUE
 * - CONEX_LDAP_CHECK_FIELD2_ROLE
 *
 * If any of these attributes are defined (and found on the LDAP query), they're used to determine the correct
 * user level and role.
 *
 * in case of success, an array is returned with the access data in the following format:
 * array('accesslvl'=>%%,'tag_show'=>array(%,%,%,%,%...))
 *
 * else, an error code is returned.
 *
 * CONEX_LDAP_CHECK_FIELD1_NAME="thisGuyIsAdmin"
 * CONEX_LDAP_CHECK_FIELD1_VALUE="0"
 * CONEX_LDAP_CHECK_FIELD1_ROLE="user"
 * CONEX_LDAP_CHECK_FIELD2_NAME="thisGuyIsAdmin"
 * CONEX_LDAP_CHECK_FIELD2_VALUE="1"
 * CONEX_LDAP_CHECK_FIELD2_ROLE="sadmin"
 * In logical terms:
 * if thisGuyIsAdmin=0 then
 *    role=user
 * else if thisGuyIsAdmin=1 then
 *    role=sadmin
 *
 *    Note: the default user levels in OCS currently are "admin", "ladmin" and "sadmin". The above is just an example.
 *
 */
if ($_SESSION['OCS']['cnx_origine'] != "LDAP") {
    return false;
}

require_once ('require/function_files.php');
// page name
$name = "ldap.php";
connexion_local_read();

// select the main database
mysqli_select_db($link_ocs, $db_ocs);

// retrieve LDAP-related config values into an array
$sql = "select substr(NAME,7) as NAME,TVALUE from config where NAME like '%s'";
$arg = array("%CONEX%");
$res = mysql2_query_secure($sql, $link_ocs, $arg);
while ($item = mysqli_fetch_object($res)) {
    $config[$item->NAME] = $item->TVALUE;
}

// checks if the user already exists
$reqOp = "SELECT new_accesslvl as accesslvl FROM operators WHERE id='%s'";
$argOp = array($_SESSION['OCS']["loggeduser"]);
$resOp = mysql2_query_secure($reqOp, $link_ocs, $argOp);

// defines the user level according to specific LDAP attributes
// default: normal user
$defaultRole = $config['LDAP_CHECK_DEFAULT_ROLE'];
// Checks if the custom fields are valid
$f1_name = $config['LDAP_CHECK_FIELD1_NAME'];
$f2_name = $config['LDAP_CHECK_FIELD2_NAME'];
$f1_value = $_SESSION['OCS']['details'][$f1_name];
$f2_value = $_SESSION['OCS']['details'][$f2_name];
if ($f1_value != '') {
    //NEW CODE BELOW
    //FIXME: casing? -> 'memberOf'
    if ($f1_name == "memberof") {
        //the idea here is to iterate through the groups array looking for a match
        //if we find it, unset the array and store only the match, else leave as it is
        foreach ($f1_value as $group) {
            if ($group == $config['LDAP_CHECK_FIELD1_VALUE']) {
                $f1_value = array();
                $f1_value = $group;
            }
        }
    }
    //the if below is now redundant since we already know that we have a match
    //the coding can be improved, but the logic works.
    //END NEW CODE
    if ($f1_value == $config['LDAP_CHECK_FIELD1_VALUE']) {
        $defaultRole = $config['LDAP_CHECK_FIELD1_ROLE'];
    }
}

if ($f2_value != '') {
    //NEW CODE BELOW
    if ($f2_name == "memberof") {
        foreach ($f2_value as $group) {
            if ($group == $config['LDAP_CHECK_FIELD2_VALUE']) {
                $f2_value = array();
                $f2_value = $group;
            }
        }
    }
    //END NEW CODE
    if ($f2_value == $config['LDAP_CHECK_FIELD2_VALUE']) {
        $defaultRole = $config['LDAP_CHECK_FIELD2_ROLE'];
    }
}

// uncomment this section for DEBUG
// note: cannot use the global DEBUG variable because this happens before the toggle is available.
/*
  echo ("field1: ".$f1_name." value=".$f1_value." condition: ".$config['LDAP_CHECK_FIELD1_VALUE']." role=".$config['LDAP_CHECK_FIELD1_ROLE']." level=".$config['LDAP_CHECK_FIELD1_USERLEVEL']."<br>");
  echo ("field2: ".$item['CONEX_LDAP_CHECK_FIELD2_NAME']." value=".$f2_value." condition: ".$config['LDAP_CHECK_FIELD2_VALUE']." role=".$config['LDAP_CHECK_FIELD2_ROLE']." level=".$config['LDAP_CHECK_FIELD2_USERLEVEL']."<br>");
  echo ("user: ".$_SESSION['OCS']["loggeduser"]." will have level=".$defaultLevel." and role=".$defaultRole."<br>");
 */
//if defaultRole is define
if (isset($defaultRole) && $defaultRole != '') {
    // if it doesn't exist, create the user record
    if (!mysqli_fetch_object($resOp)) {

        $reqInsert = "INSERT INTO operators (
            ID,
            FIRSTNAME,
            LASTNAME,
            PASSWD,
            COMMENTS,
            NEW_ACCESSLVL,
            EMAIL,
            USER_GROUP
                )
                VALUES ('%s','%s', '%s', '%s','%s', '%s', '%s', '%s')";

        $arg_insert = array($_SESSION['OCS']["loggeduser"],
            $_SESSION['OCS']['details']['givenname'],
            $_SESSION['OCS']['details']['sn'],
            "",
            "LDAP",
            $defaultRole,
            $_SESSION['OCS']['details']['mail'],
            "NULL"
        );
    } else {
        // else update it
        $reqInsert = "UPDATE operators SET
                        NEW_ACCESSLVL='%s',
                        EMAIL='%s'
                    WHERE ID='%s'";

        $arg_insert = array($defaultRole,
            $_SESSION['OCS']['details']['mail'],
            $_SESSION['OCS']["loggeduser"]);
    }
    connexion_local_write();
    // select the main database
    mysqli_select_db($link_ocs, $db_ocs);
    // Execute the query to insert/update the user record
    mysql2_query_secure($reqInsert, $link_ocs, $arg_insert);

    // repeat the query and define the needed OCS variables
    // note: original OCS code below
    connexion_local_read();

    // select the main database
    mysqli_select_db($link_ocs, $db_ocs);
    $resOp = mysql2_query_secure($reqOp, $link_ocs, $argOp);
    $rowOp = mysqli_fetch_object($resOp);
    if (isset($rowOp->accesslvl)) {
        $lvluser = $rowOp->accesslvl;

        $profile_config = PROFILES_DIR . $lvluser . '.xml';

        if (!file_exists($profile_config)) {
            migrate_config_2_2();
        }

        $profile_serializer = new XMLProfileSerializer();
        $profile = $profile_serializer->unserialize($lvluser, file_get_contents($profile_config));

        $restriction = $profile->getRestriction('GUI');

        //if this user has RESTRICTION
        //search all tag for this user
        if ($restriction == 'YES') {
            $sql = "select tag from tags where login='%s'";
            $arg = array($_SESSION['OCS']["loggeduser"]);
            $res = mysql2_query_secure($sql, $link_ocs, $arg);
            while ($row = mysqli_fetch_object($res)) {
                // Check for wildcard
                if (strpos($row->tag, '*') !== false || strpos($row->tag,'?') !== false) {
                    $wildcard = true;
                    $row->tag = str_replace("*", "%", $row->tag);
                    $row->tag = str_replace("?", "_", $row->tag);
                    if($wildcard === true){
                        $sql_wildcard = "SELECT TAG FROM `accountinfo` WHERE TAG LIKE '$row->tag' GROUP BY TAG";
                        $res_wildcard = mysql2_query_secure($sql_wildcard, $link_ocs);
                        while ($row_wildcard = mysqli_fetch_object($res_wildcard)) {
                            $list_tag[$row_wildcard->TAG] = $row_wildcard->TAG;
                        }

                    }      
                }else{
                    $list_tag[$row->tag] = $row->tag;
                }
            }
            if (!isset($list_tag)) {
                $ERROR = $l->g(893);
            }
        } elseif (($restriction != 'NO')) {
            $ERROR = $restriction;
        }
    } else {
        $ERROR = $l->g(894);
    }
} else {
    $ERROR = $l->g(1278);
}
?>