From 7f1d14bd21055e624e8c970c21232da4181d682d Mon Sep 17 00:00:00 2001 From: Marco Dickert Date: Tue, 13 Jun 2017 11:18:08 +0200 Subject: [PATCH] fix merge conflicts with master --- ifm.php | 45 +++++++++++++++++++++++++++++++++++++-------- src/config.php | 10 +++++++++- src/main.php | 35 ++++++++++++++++++++++++++++------- 3 files changed, 74 insertions(+), 16 deletions(-) diff --git a/ifm.php b/ifm.php index af93fe0..5abaa6e 100644 --- a/ifm.php +++ b/ifm.php @@ -46,14 +46,22 @@ class IFMConfig { configured. The credential information can be either set inline or read from a file. The password has to be a hash generated by PHPs password_hash function. The default credentials are admin:admin. - + If you specify a file it should only contain one line, with the credentials in the following format: : + + LDAP auth syntax + + const auth_source = 'ldap;:'; + + The script will add "uid=," to the rootdn for binding. If your ldap server + does not use uid for usernames you can change it in the function checkCredentials. examples: const auth_source = 'inline;admin:$2y$10$0Bnm5L4wKFHRxJgNq.oZv.v7yXhkJZQvinJYR2p6X1zPvzyDRUVRC'; const auth_source = 'file;/path/to/file'; + const auth_source = 'ldap;:'; */ const auth = 0; const auth_source = 'inline;admin:$2y$10$0Bnm5L4wKFHRxJgNq.oZv.v7yXhkJZQvinJYR2p6X1zPvzyDRUVRC'; 
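Review bot: The new LDAP paragraph in the auth_source comment should say what the server part of the string is used for, because the ldap branch of checkCredentials passes it straight to `ldap_connect`: a bare hostname means an unencrypted simple bind on port 389, so the user's password crosses the network in cleartext, and because the code splits the option on `:` a URI with scheme or port (`ldaps://host:636`) cannot currently be configured at all. The example line reads `const auth_source = 'ldap;:';` — if that is the text in the file rather than an artefact of the page, it gives no hint of what belongs between `;` and `:`; a concrete sample such as `const auth_source = 'ldap;ldap.example.com:ou=people,dc=example,dc=com';` would. A one-line warning that the login name is inserted verbatim into `uid=<name>,<rootdn>` and is not escaped would also be worth adding for as long as that is what the code does.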
@@ -1830,21 +1838,42 @@ ifm.init(); } } - private function checkCredentials($user, $pass) { - list($src, $srcopt) = explode(";", IFMConfig::auth_source, 2); - switch($src) { + private function checkCredentials( $user, $pass ) { + list( $src, $srcopt ) = explode( ";", IFMConfig::auth_source, 2 ); + switch( $src ) { case "inline": - list($uname, $hash) = explode(":", $srcopt); + list( $uname, $hash ) = explode( ":", $srcopt ); + return password_verify( $pass, trim( $hash ) ) ? ( $uname == $user ) : false; break; case "file": - if(@file_exists($srcopt) && @is_readable($srcopt)) { - list($uname, $hash) = explode(":", fgets(fopen($srcopt, 'r'))); + if( @file_exists( $srcopt ) && @is_readable( $srcopt ) ) { + list( $uname, $hash ) = explode( ":", fgets( fopen( $srcopt, 'r' ) ) ); + return password_verify( $pass, trim( $hash ) ) ? ( $uname == $user ) : false; } else { return false; } break; + case "ldap": + $authenticated = false; + list( $ldap_server, $rootdn ) = explode( ":", $srcopt ); + $u = "uid=" . $user . "," . $rootdn; + $ds = ldap_connect( $ldap_server ) or ( trigger_error( "Could not reach the ldap server.", E_USER_ERROR ); return false; ); + ldap_set_option( $ds, LDAP_OPT_PROTOCOL_VERSION, 3 ); + if( $ds ) { + $ldbind = @ldap_bind( $ds, $u, $pass ); + if( $ldbind ) { + $authenticated = true; + } else { + $authenticated = false; + } + ldap_unbind( $ds ); + } else { + $authenticated = false; + } + return $authenticated; + break; } - return password_verify($pass, trim($hash))?($uname == $user):false; + return false; } private function loginForm($loginFailed=false) { diff --git a/src/config.php b/src/config.php index 8c0ed61..04b9c99 100644 --- a/src/config.php +++ b/src/config.php 
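Review bot: The new `case "ldap":` branch binds with whatever password the login form supplied, and `ldap_bind( $ds, $u, "" )` is an anonymous/unauthenticated bind that most directory servers accept, so any known username with an empty password passes authentication; the branch needs `if( $pass === '' ) { return false; }` before the bind. The line `$ds = ldap_connect( $ldap_server ) or ( trigger_error( ... ); return false; );` is not valid PHP (a `;`-separated statement list inside parentheses), so as committed ifm.php will not parse, and since `ldap_connect` only validates its arguments without contacting the server, the "Could not reach the ldap server." message would be wrong even if it did. `$user` is concatenated into the bind DN unescaped — pass it through `ldap_escape( $user, '', LDAP_ESCAPE_DN )` (PHP 5.6+) so a login name such as `x,ou=admins` cannot change which entry is bound. `explode( ":", $srcopt )` also cannot take a server given as a URI with scheme or port (`ldaps://host:636`), which is the form you want because a bare hostname means a cleartext simple bind on 389; splitting at the last colon (or choosing another separator) allows it, assuming rootdns here never contain a colon. Rewritten branch below; checkCredentials lies wholly within the hunk.
```php
			case "ldap":
				// Split at the LAST colon so the server part may carry a scheme/port
				// (ldaps://host:636); assumes the rootdn itself contains no colon.
				$sep = strrpos( $srcopt, ":" );
				if( $sep === false || $user === '' || $pass === '' ) {
					// An empty password would turn ldap_bind into an anonymous bind,
					// which most servers accept — never treat that as a login.
					return false;
				}
				$ldap_server = substr( $srcopt, 0, $sep );
				$rootdn = substr( $srcopt, $sep + 1 );
				$ds = ldap_connect( $ldap_server );
				if( $ds === false ) {
					return false;
				}
				ldap_set_option( $ds, LDAP_OPT_PROTOCOL_VERSION, 3 );
				// Escape the username before it becomes part of the bind DN.
				$u = "uid=" . ldap_escape( $user, '', LDAP_ESCAPE_DN ) . "," . $rootdn;
				$authenticated = ( @ldap_bind( $ds, $u, $pass ) === true );
				ldap_unbind( $ds );
				return $authenticated;
```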
@@ -46,14 +46,22 @@ class IFMConfig { configured. The credential information can be either set inline or read from a file. The password has to be a hash generated by PHPs password_hash function. The default credentials are admin:admin. - + If you specify a file it should only contain one line, with the credentials in the following format: : + + LDAP auth syntax + + const auth_source = 'ldap;:'; + + The script will add "uid=," to the rootdn for binding. If your ldap server + does not use uid for usernames you can change it in the function checkCredentials. examples: const auth_source = 'inline;admin:$2y$10$0Bnm5L4wKFHRxJgNq.oZv.v7yXhkJZQvinJYR2p6X1zPvzyDRUVRC'; const auth_source = 'file;/path/to/file'; + const auth_source = 'ldap;:'; */ const auth = 0; const auth_source = 'inline;admin:$2y$10$0Bnm5L4wKFHRxJgNq.oZv.v7yXhkJZQvinJYR2p6X1zPvzyDRUVRC'; diff --git a/src/main.php b/src/main.php index 7cbdae6..b62dc27 100644 --- a/src/main.php +++ b/src/main.php 
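Review bot: The LDAP section added to the auth_source comment documents the DN that is built but not the transport, and the ldap branch of checkCredentials hands the server part straight to `ldap_connect`, so an administrator who follows this text and writes a plain hostname gets an unencrypted simple bind on port 389 with the user's password in the clear; the comment should state that, and that the `:` separator currently rules out an `ldaps://host:636` form. The example `const auth_source = 'ldap;:';` — if that is really the file text and not lost angle-bracket placeholders — should be replaced by a filled-in sample such as `const auth_source = 'ldap;ldap.example.com:ou=people,dc=example,dc=com';` so the format is unambiguous. It is also worth saying that the login name goes into `uid=<name>,<rootdn>` without escaping, since that is what the accompanying code does.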
@@ -616,21 +616,42 @@ class IFM { } } - private function checkCredentials($user, $pass) { - list($src, $srcopt) = explode(";", IFMConfig::auth_source, 2); - switch($src) { + private function checkCredentials( $user, $pass ) { + list( $src, $srcopt ) = explode( ";", IFMConfig::auth_source, 2 ); + switch( $src ) { case "inline": - list($uname, $hash) = explode(":", $srcopt); + list( $uname, $hash ) = explode( ":", $srcopt ); + return password_verify( $pass, trim( $hash ) ) ? ( $uname == $user ) : false; break; case "file": - if(@file_exists($srcopt) && @is_readable($srcopt)) { - list($uname, $hash) = explode(":", fgets(fopen($srcopt, 'r'))); + if( @file_exists( $srcopt ) && @is_readable( $srcopt ) ) { + list( $uname, $hash ) = explode( ":", fgets( fopen( $srcopt, 'r' ) ) ); + return password_verify( $pass, trim( $hash ) ) ? ( $uname == $user ) : false; } else { return false; } break; + case "ldap": + $authenticated = false; + list( $ldap_server, $rootdn ) = explode( ":", $srcopt ); + $u = "uid=" . $user . "," . $rootdn; + $ds = ldap_connect( $ldap_server ) or ( trigger_error( "Could not reach the ldap server.", E_USER_ERROR ); return false; ); + ldap_set_option( $ds, LDAP_OPT_PROTOCOL_VERSION, 3 ); + if( $ds ) { + $ldbind = @ldap_bind( $ds, $u, $pass ); + if( $ldbind ) { + $authenticated = true; + } else { + $authenticated = false; + } + ldap_unbind( $ds ); + } else { + $authenticated = false; + } + return $authenticated; + break; } - return password_verify($pass, trim($hash))?($uname == $user):false; + return false; } private function loginForm($loginFailed=false) {