author | cajus <cajus@594d385d-05f5-0310-b6e9-bd551577e9d8> | |
Thu, 3 Sep 2009 07:45:50 +0000 (07:45 +0000) | ||
committer | cajus <cajus@594d385d-05f5-0310-b6e9-bd551577e9d8> | |
Thu, 3 Sep 2009 07:45:50 +0000 (07:45 +0000) |
git-svn-id: https://oss.gonicus.de/repositories/gosa/trunk@14199 594d385d-05f5-0310-b6e9-bd551577e9d8
gosa-core/include/class_userinfo.inc | patch | blob | history | |
gosa-core/include/functions.inc | patch | blob | history |
index 36c5072553e9296ae2ec100b25c9e40d5103ce8f..01315479d61e08eafce76df79a733e5cc2550c18 100644 (file)
var $username;
var $cn;
var $uid;
+ var $restrictions= array();
var $gidNumber= -1;
var $language= "";
var $config;
function userinfo(&$config, $userdn){
$this->config= &$config;
$ldap= $this->config->get_ldap_link();
- $ldap->cat($userdn,array('sn', 'givenName', 'uid', 'gidNumber', 'preferredLanguage', 'gosaUnitTag'));
+ $ldap->cat($userdn,array('sn', 'givenName', 'uid', 'gidNumber', 'preferredLanguage', 'gosaUnitTag', 'gosaLoginRestriction'));
$attrs= $ldap->fetch();
if (isset($attrs['givenName'][0]) && isset($attrs['sn'][0])){
$this->gidNumber= $attrs['gidNumber'][0];
}
+ /* Restrictions? */
+ if (isset($attrs['gosaLoginRestrictions'])){
+ $this->restrictions= $attrs['gosaLoginRestrictions'];
+ unset($this->restrictions['count']);
+ }
+
/* Assign user language */
if (isset($attrs['preferredLanguage'][0])){
$this->language= $attrs['preferredLanguage'][0];
return($this->ignoreACL);
}
+
+ function loginAllowed()
+ {
+ // Need to check restrictions?
+ if (count($this->restrictions)){
+
+ // We have restrictions but cannot check them
+ if (!isset($_SERVER['REMOTE_ADDR'])){
+ return false;
+ }
+
+ // Move to binary...
+ $source= $_SERVER['REMOTE_ADDR'];
+ foreach ($this->restrictions as $restriction) {
+
+ // Single IP
+ if (preg_match('/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/', $restriction)) {
+ if ($source == $restriction){
+ return true;
+ }
+ }
+
+ // Match with short netmask
+ if (preg_match('/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+)$/', $restriction, $matches)) {
+ if (isIpInNet($source, $matches[1], long2ip(~(pow(2, (32-$matches[2]))-1)))) {
+ return true;
+ }
+ }
+
+ // Match with long netmask
+ if (preg_match('/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)$/', $restriction, $matches)) {
+ if (isIpInNet($source, $matches[1], $matches[2])) {
+ return true;
+ }
+ }
+
+ }
+
+ return false;
+ }
+
+ return true;
+ }
+
}
+
// vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler:
?>
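Review bot: The constructor reads `$attrs['gosaLoginRestrictions']` (plural) while the `cat()` call a few lines above requests `gosaLoginRestriction` (singular), so unless the LDAP wrapper keys its result differently the restrictions array stays empty and `loginAllowed()` returns true for everyone — the new check silently fails open. One of the two names has to change, e.g. `if (isset($attrs['gosaLoginRestriction'])){` and `$this->restrictions= $attrs['gosaLoginRestriction'];`, with the schema's attribute name deciding which. The short-netmask branch in `loginAllowed()` also uses the regex-captured prefix length without a bound, so a value above 32 turns `pow(2, 32-$n)` fractional and the derived mask arbitrary; a guard such as `if ($matches[2] > 32) continue;` before the `isIpInNet()` call keeps a malformed entry from matching. `$_SERVER['REMOTE_ADDR']` is the address of the immediate TCP peer, so behind a reverse proxy every login is compared against the proxy's address; that is worth a comment where `$source` is assigned.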
index e75dc292fd6108ccdd1d6c117bb6dcd1375653ec..d02d7d46264fd15083e23f313b2ee7b1a9a8c636 100644 (file)
$ui= new userinfo($config, $ldap->getDN());
$ui->username= $attrs['uid'][0];
+ /* Bail out if we have login restrictions set, for security reasons
+ the message is the same than failed user/pw */
+ if (!$ui->loginAllowed()){
+ return (NULL);
+ }
+
/* No password check needed - the webserver did it for us */
$ldap->disconnect();
$ui= new userinfo($config, $ldap->getDN());
$ui->username= $attrs['uid'][0];
+ /* Bail out if we have login restrictions set, for security reasons
+ the message is the same than failed user/pw */
+ if (!$ui->loginAllowed()){
+ return (NULL);
+ }
+
/* password check, bind as user with supplied password */
$ldap->disconnect();
$ldap= new LDAP($ui->dn, $password, $config->current['SERVER'],
}
+
function cred_decrypt($input,$password) {
$size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM);
return mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $password, pack("H*", $input), MCRYPT_MODE_ECB, $iv);
}
+
function get_object_info()
{
return(session::get('objectinfo'));
}
+
function set_object_info($str = "")
{
session::set('objectinfo',$str);
}
+function isIpInNet($ip, $net, $mask) {
+ // Move to long ints
+ $ip= ip2long($ip);
+ $net= ip2long($net);
+ $mask= ip2long($mask);
+
+ // Mask given IP with mask. If it returns "net", we're in...
+ $res= $ip & $mask;
+
+ return ($res == $net);
+}
+
+
// vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler:
?>
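Review bot: `isIpInNet()` never checks the `false` that `ip2long()` returns for a malformed address, and the final `$res == $net` is a loose comparison, so with `$net` false any source whose masked value is 0 compares equal and the restriction matches; since a match grants login, a mistyped restriction entry can widen access instead of narrowing it. The caller in `userinfo::loginAllowed()` only constrains the shape of the octets (`[0-9]+`), not their range, so the validation has to happen here. Reject any conversion failure explicitly and compare with `===`:
```php
function isIpInNet($ip, $net, $mask) {
  // … unchanged: ip2long() conversion of $ip, $net, $mask …

  // ip2long() returns false for a malformed address; treat that as "not in net"
  if ($ip === false || $net === false || $mask === false) {
    return false;
  }

  // Mask given IP with mask. If it returns "net", we're in...
  return (($ip & $mask) === $net);
}
```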