mirror of
https://github.com/librenms/librenms.git
synced 2024-09-21 18:38:25 +00:00
refactor: AD Auth defer connection until it is needed (#7768)
* refactor: AD Auth defer connection until it is needed Nice error if php-ldap is missing instead of http 500. * Add the same error when ldap is missing to other auth methods. Not as graceful looking in the authorizers since they do not defer connection.
This commit is contained in:
parent
8d98fa5a5e
commit
6b5dccc169
@ -15,6 +15,10 @@ class ADAuthorizationAuthorizer extends AuthorizerBase
|
|||||||
$_SESSION['username'] = '';
|
$_SESSION['username'] = '';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!function_exists('ldap_connect')) {
|
||||||
|
throw new AuthenticationException("PHP does not support LDAP, please install or enable the PHP LDAP extension.");
|
||||||
|
}
|
||||||
|
|
||||||
// Disable certificate checking before connect if required
|
// Disable certificate checking before connect if required
|
||||||
if (Config::has('auth_ad_check_certificates') &&
|
if (Config::has('auth_ad_check_certificates') &&
|
||||||
Config::get('auth_ad_check_certificates') == 0) {
|
Config::get('auth_ad_check_certificates') == 0) {
|
||||||
@ -24,8 +28,7 @@ class ADAuthorizationAuthorizer extends AuthorizerBase
|
|||||||
// Set up connection to LDAP server
|
// Set up connection to LDAP server
|
||||||
$this->ldap_connection = @ldap_connect(Config::get('auth_ad_url'));
|
$this->ldap_connection = @ldap_connect(Config::get('auth_ad_url'));
|
||||||
if (! $this->ldap_connection) {
|
if (! $this->ldap_connection) {
|
||||||
echo '<h2>Fatal error while connecting to AD url ' . Config::get('auth_ad_url') . ': ' . ldap_error($this->ldap_connection) . '</h2>';
|
throw new AuthenticationException('Fatal error while connecting to AD url ' . Config::get('auth_ad_url') . ': ' . ldap_error($this->ldap_connection));
|
||||||
exit;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// disable referrals and force ldap version to 3
|
// disable referrals and force ldap version to 3
|
||||||
|
@ -11,33 +11,16 @@ use LibreNMS\Exceptions\AuthenticationException;
|
|||||||
class ActiveDirectoryAuthorizer extends AuthorizerBase
|
class ActiveDirectoryAuthorizer extends AuthorizerBase
|
||||||
{
|
{
|
||||||
protected $ldap_connection;
|
protected $ldap_connection;
|
||||||
protected $ad_init;
|
protected $is_bound = false; // this variable tracks if bind has been called so we don't call it multiple times
|
||||||
|
|
||||||
public function __construct()
|
|
||||||
{
|
|
||||||
if (Config::has('auth_ad_check_certificates') &&
|
|
||||||
!Config::get('auth_ad_check_certificates')) {
|
|
||||||
putenv('LDAPTLS_REQCERT=never');
|
|
||||||
};
|
|
||||||
|
|
||||||
if (Config::has('auth_ad_check_certificates') && Config::get('auth_ad_debug')) {
|
|
||||||
ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);
|
|
||||||
}
|
|
||||||
|
|
||||||
$this->ad_init = false; // this variable tracks if bind has been called so we don't call it multiple times
|
|
||||||
$this->ldap_connection = @ldap_connect(Config::get('auth_ad_url'));
|
|
||||||
|
|
||||||
// disable referrals and force ldap version to 3
|
|
||||||
ldap_set_option($this->ldap_connection, LDAP_OPT_REFERRALS, 0);
|
|
||||||
ldap_set_option($this->ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
|
|
||||||
}
|
|
||||||
|
|
||||||
public function authenticate($username, $password)
|
public function authenticate($username, $password)
|
||||||
{
|
{
|
||||||
|
$this->connect();
|
||||||
|
|
||||||
if ($this->ldap_connection) {
|
if ($this->ldap_connection) {
|
||||||
// bind with sAMAccountName instead of full LDAP DN
|
// bind with sAMAccountName instead of full LDAP DN
|
||||||
if ($username && $password && ldap_bind($this->ldap_connection, $username . '@' . Config::get('auth_ad_domain'), $password)) {
|
if ($username && $password && ldap_bind($this->ldap_connection, $username . '@' . Config::get('auth_ad_domain'), $password)) {
|
||||||
$this->ad_init = true;
|
$this->is_bound = true;
|
||||||
// group membership in one of the configured groups is required
|
// group membership in one of the configured groups is required
|
||||||
if (Config::get('auth_ad_require_groupmembership', true)) {
|
if (Config::get('auth_ad_require_groupmembership', true)) {
|
||||||
// cycle through defined groups, test for memberOf-ship
|
// cycle through defined groups, test for memberOf-ship
|
||||||
@ -72,7 +55,7 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
|
|||||||
|
|
||||||
public function reauthenticate($sess_id, $token)
|
public function reauthenticate($sess_id, $token)
|
||||||
{
|
{
|
||||||
if ($this->adBind(false, true)) {
|
if ($this->bind(false, true)) {
|
||||||
$sess_id = clean($sess_id);
|
$sess_id = clean($sess_id);
|
||||||
$token = clean($token);
|
$token = clean($token);
|
||||||
list($username, $hash) = explode('|', $token);
|
list($username, $hash) = explode('|', $token);
|
||||||
@ -145,7 +128,7 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
|
|||||||
|
|
||||||
public function userExists($username, $throw_exception = false)
|
public function userExists($username, $throw_exception = false)
|
||||||
{
|
{
|
||||||
$this->adBind(); // make sure we called bind
|
$this->bind(); // make sure we called bind
|
||||||
|
|
||||||
$search = ldap_search(
|
$search = ldap_search(
|
||||||
$this->ldap_connection,
|
$this->ldap_connection,
|
||||||
@ -166,7 +149,7 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
|
|||||||
|
|
||||||
public function getUserlevel($username)
|
public function getUserlevel($username)
|
||||||
{
|
{
|
||||||
$this->adBind(); // make sure we called bind
|
$this->bind(); // make sure we called bind
|
||||||
|
|
||||||
$userlevel = 0;
|
$userlevel = 0;
|
||||||
if (!Config::get('auth_ad_require_groupmembership', true)) {
|
if (!Config::get('auth_ad_require_groupmembership', true)) {
|
||||||
@ -191,7 +174,7 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
|
|||||||
|
|
||||||
public function getUserid($username)
|
public function getUserid($username)
|
||||||
{
|
{
|
||||||
$this->adBind(); // make sure we called bind
|
$this->bind(); // make sure we called bind
|
||||||
|
|
||||||
$attributes = array('objectsid');
|
$attributes = array('objectsid');
|
||||||
$search = ldap_search(
|
$search = ldap_search(
|
||||||
@ -211,7 +194,7 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
|
|||||||
|
|
||||||
protected function getDomainSid()
|
protected function getDomainSid()
|
||||||
{
|
{
|
||||||
$this->adBind(); // make sure we called bind
|
$this->bind(); // make sure we called bind
|
||||||
|
|
||||||
// Extract only the domain components
|
// Extract only the domain components
|
||||||
$dn_candidate = preg_replace('/^.*?DC=/i', 'DC=', Config::get('auth_ad_base_dn'));
|
$dn_candidate = preg_replace('/^.*?DC=/i', 'DC=', Config::get('auth_ad_base_dn'));
|
||||||
@ -228,7 +211,7 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
|
|||||||
|
|
||||||
public function getUser($user_id)
|
public function getUser($user_id)
|
||||||
{
|
{
|
||||||
$this->adBind(); // make sure we called bind
|
$this->bind(); // make sure we called bind
|
||||||
|
|
||||||
$domain_sid = $this->getDomainSid();
|
$domain_sid = $this->getDomainSid();
|
||||||
|
|
||||||
@ -256,7 +239,7 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
|
|||||||
|
|
||||||
public function getUserlist()
|
public function getUserlist()
|
||||||
{
|
{
|
||||||
$this->adBind(); // make sure we called bind
|
$this->bind(); // make sure we called bind
|
||||||
|
|
||||||
$userlist = array();
|
$userlist = array();
|
||||||
$ldap_groups = $this->getGroupList();
|
$ldap_groups = $this->getGroupList();
|
||||||
@ -303,7 +286,7 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
|
|||||||
|
|
||||||
protected function getEmail($username)
|
protected function getEmail($username)
|
||||||
{
|
{
|
||||||
$this->adBind(); // make sure we called bind
|
$this->bind(); // make sure we called bind
|
||||||
|
|
||||||
$attributes = array('mail');
|
$attributes = array('mail');
|
||||||
$search = ldap_search(
|
$search = ldap_search(
|
||||||
@ -319,7 +302,7 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
|
|||||||
|
|
||||||
protected function getFullname($username)
|
protected function getFullname($username)
|
||||||
{
|
{
|
||||||
$this->adBind(); // make sure we called bind
|
$this->bind(); // make sure we called bind
|
||||||
|
|
||||||
$attributes = array('name');
|
$attributes = array('name');
|
||||||
$result = ldap_search(
|
$result = ldap_search(
|
||||||
@ -365,7 +348,7 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
|
|||||||
|
|
||||||
protected function getDn($samaccountname)
|
protected function getDn($samaccountname)
|
||||||
{
|
{
|
||||||
$this->adBind(); // make sure we called bind
|
$this->bind(); // make sure we called bind
|
||||||
|
|
||||||
$attributes = array('dn');
|
$attributes = array('dn');
|
||||||
$result = ldap_search(
|
$result = ldap_search(
|
||||||
@ -412,12 +395,14 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
|
|||||||
* @param bool $force force rebind
|
* @param bool $force force rebind
|
||||||
* @return bool success or failure
|
* @return bool success or failure
|
||||||
*/
|
*/
|
||||||
protected function adBind($allow_anonymous = true, $force = false)
|
protected function bind($allow_anonymous = true, $force = false)
|
||||||
{
|
{
|
||||||
if ($this->ad_init && !$force) {
|
if ($this->is_bound && !$force) {
|
||||||
return true; // bind already attempted
|
return true; // bind already attempted
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$this->connect(); // make sure we are connected
|
||||||
|
|
||||||
// set timeout
|
// set timeout
|
||||||
ldap_set_option(
|
ldap_set_option(
|
||||||
$this->ldap_connection,
|
$this->ldap_connection,
|
||||||
@ -427,7 +412,7 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
|
|||||||
|
|
||||||
// With specified bind user
|
// With specified bind user
|
||||||
if (Config::has('auth_ad_binduser') && Config::has('auth_ad_bindpassword')) {
|
if (Config::has('auth_ad_binduser') && Config::has('auth_ad_bindpassword')) {
|
||||||
$this->ad_init = true;
|
$this->is_bound = true;
|
||||||
$bind = ldap_bind(
|
$bind = ldap_bind(
|
||||||
$this->ldap_connection,
|
$this->ldap_connection,
|
||||||
Config::get('auth_ad_binduser') . '@' . Config::get('auth_ad_domain'),
|
Config::get('auth_ad_binduser') . '@' . Config::get('auth_ad_domain'),
|
||||||
@ -441,11 +426,38 @@ class ActiveDirectoryAuthorizer extends AuthorizerBase
|
|||||||
|
|
||||||
// Anonymous
|
// Anonymous
|
||||||
if ($allow_anonymous) {
|
if ($allow_anonymous) {
|
||||||
$this->ad_init = true;
|
$this->is_bound = true;
|
||||||
$bind = ldap_bind($this->ldap_connection);
|
$bind = ldap_bind($this->ldap_connection);
|
||||||
}
|
}
|
||||||
|
|
||||||
ldap_set_option($this->ldap_connection, LDAP_OPT_NETWORK_TIMEOUT, -1); // restore timeout
|
ldap_set_option($this->ldap_connection, LDAP_OPT_NETWORK_TIMEOUT, -1); // restore timeout
|
||||||
return $bind;
|
return $bind;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protected function connect()
|
||||||
|
{
|
||||||
|
if ($this->ldap_connection) {
|
||||||
|
// no need to re-connect
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!function_exists('ldap_connect')) {
|
||||||
|
throw new AuthenticationException("PHP does not support LDAP, please install or enable the PHP LDAP extension.");
|
||||||
|
}
|
||||||
|
|
||||||
|
if (Config::has('auth_ad_check_certificates') &&
|
||||||
|
!Config::get('auth_ad_check_certificates')) {
|
||||||
|
putenv('LDAPTLS_REQCERT=never');
|
||||||
|
};
|
||||||
|
|
||||||
|
if (Config::has('auth_ad_check_certificates') && Config::get('auth_ad_debug')) {
|
||||||
|
ldap_set_option(null, LDAP_OPT_DEBUG_LEVEL, 7);
|
||||||
|
}
|
||||||
|
|
||||||
|
$this->ldap_connection = @ldap_connect(Config::get('auth_ad_url'));
|
||||||
|
|
||||||
|
// disable referrals and force ldap version to 3
|
||||||
|
ldap_set_option($this->ldap_connection, LDAP_OPT_REFERRALS, 0);
|
||||||
|
ldap_set_option($this->ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
@ -52,13 +52,16 @@ class LdapAuthorizationAuthorizer extends AuthorizerBase
|
|||||||
$_SESSION['username'] = '';
|
$_SESSION['username'] = '';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!function_exists('ldap_connect')) {
|
||||||
|
throw new AuthenticationException("PHP does not support LDAP, please install or enable the PHP LDAP extension.");
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Set up connection to LDAP server
|
* Set up connection to LDAP server
|
||||||
*/
|
*/
|
||||||
$this->ldap_connection = @ldap_connect(Config::get('auth_ldap_server'), Config::get('auth_ldap_port'));
|
$this->ldap_connection = @ldap_connect(Config::get('auth_ldap_server'), Config::get('auth_ldap_port'));
|
||||||
if (! $this->ldap_connection) {
|
if (! $this->ldap_connection) {
|
||||||
echo '<h2>Fatal error while connecting to LDAP server ' . Config::get('auth_ldap_server') . ':' . Config::get('auth_ldap_port') . ': ' . ldap_error($this->ldap_connection) . '</h2>';
|
throw new AuthenticationException('Fatal error while connecting to LDAP server ' . Config::get('auth_ldap_server') . ':' . Config::get('auth_ldap_port') . ': ' . ldap_error($this->ldap_connection));
|
||||||
exit;
|
|
||||||
}
|
}
|
||||||
if (Config::get('auth_ldap_version')) {
|
if (Config::get('auth_ldap_version')) {
|
||||||
ldap_set_option($this->ldap_connection, LDAP_OPT_PROTOCOL_VERSION, Config::get('auth_ldap_version'));
|
ldap_set_option($this->ldap_connection, LDAP_OPT_PROTOCOL_VERSION, Config::get('auth_ldap_version'));
|
||||||
@ -67,8 +70,7 @@ class LdapAuthorizationAuthorizer extends AuthorizerBase
|
|||||||
if (Config::get('auth_ldap_starttls') && (Config::get('auth_ldap_starttls') == 'optional' || Config::get('auth_ldap_starttls') == 'require')) {
|
if (Config::get('auth_ldap_starttls') && (Config::get('auth_ldap_starttls') == 'optional' || Config::get('auth_ldap_starttls') == 'require')) {
|
||||||
$tls = ldap_start_tls($this->ldap_connection);
|
$tls = ldap_start_tls($this->ldap_connection);
|
||||||
if (Config::get('auth_ldap_starttls') == 'require' && $tls === false) {
|
if (Config::get('auth_ldap_starttls') == 'require' && $tls === false) {
|
||||||
echo '<h2>Fatal error: LDAP TLS required but not successfully negotiated:' . ldap_error($this->ldap_connection) . '</h2>';
|
throw new AuthenticationException('Fatal error: LDAP TLS required but not successfully negotiated:' . ldap_error($this->ldap_connection));
|
||||||
exit;
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -249,6 +249,10 @@ class LdapAuthorizer extends AuthorizerBase
|
|||||||
return $this->ldap_connection; // bind already attempted
|
return $this->ldap_connection; // bind already attempted
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!function_exists('ldap_connect')) {
|
||||||
|
throw new AuthenticationException("PHP does not support LDAP, please install or enable the PHP LDAP extension.");
|
||||||
|
}
|
||||||
|
|
||||||
$this->ldap_connection = @ldap_connect(Config::get('auth_ldap_server'), Config::get('auth_ldap_port', 389));
|
$this->ldap_connection = @ldap_connect(Config::get('auth_ldap_server'), Config::get('auth_ldap_port', 389));
|
||||||
|
|
||||||
if (!$this->ldap_connection) {
|
if (!$this->ldap_connection) {
|
||||||
|
@ -155,6 +155,7 @@ try {
|
|||||||
Auth::get();
|
Auth::get();
|
||||||
} catch (Exception $exception) {
|
} catch (Exception $exception) {
|
||||||
print_error('ERROR: no valid auth_mechanism defined!');
|
print_error('ERROR: no valid auth_mechanism defined!');
|
||||||
|
echo $exception->getMessage() . PHP_EOL;
|
||||||
exit();
|
exit();
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -51,7 +51,7 @@ try {
|
|||||||
// peek inside the class
|
// peek inside the class
|
||||||
$lc_rp = new ReflectionProperty($authorizer, 'ldap_connection');
|
$lc_rp = new ReflectionProperty($authorizer, 'ldap_connection');
|
||||||
$lc_rp->setAccessible(true);
|
$lc_rp->setAccessible(true);
|
||||||
$adbind_rm = new ReflectionMethod($authorizer, 'adBind');
|
$adbind_rm = new ReflectionMethod($authorizer, 'bind');
|
||||||
$adbind_rm->setAccessible(true);
|
$adbind_rm->setAccessible(true);
|
||||||
|
|
||||||
$bind_success = false;
|
$bind_success = false;
|
||||||
|
Loading…
Reference in New Issue
Block a user