From: cajus Date: Thu, 3 Sep 2009 07:45:50 +0000 (+0000) Subject: Added possibility to allow access only from certain clients, networks. X-Git-Url: https://git.tokkee.org/?a=commitdiff_plain;h=2d37f6ce56d1254c94c402fa47618dad42e40daf;p=gosa.git Added possibility to allow access only from certain clients, networks. git-svn-id: https://oss.gonicus.de/repositories/gosa/trunk@14199 594d385d-05f5-0310-b6e9-bd551577e9d8 --- diff --git a/gosa-core/include/class_userinfo.inc b/gosa-core/include/class_userinfo.inc index 36c507255..01315479d 100644 --- a/gosa-core/include/class_userinfo.inc +++ b/gosa-core/include/class_userinfo.inc @@ -27,6 +27,7 @@ class userinfo var $username; var $cn; var $uid; + var $restrictions= array(); var $gidNumber= -1; var $language= ""; var $config; @@ -45,7 +46,7 @@ class userinfo function userinfo(&$config, $userdn){ $this->config= &$config; $ldap= $this->config->get_ldap_link(); - $ldap->cat($userdn,array('sn', 'givenName', 'uid', 'gidNumber', 'preferredLanguage', 'gosaUnitTag')); + $ldap->cat($userdn,array('sn', 'givenName', 'uid', 'gidNumber', 'preferredLanguage', 'gosaUnitTag', 'gosaLoginRestriction')); $attrs= $ldap->fetch(); if (isset($attrs['givenName'][0]) && isset($attrs['sn'][0])){ @@ -57,6 +58,12 @@ class userinfo $this->gidNumber= $attrs['gidNumber'][0]; } + /* Restrictions? */ + if (isset($attrs['gosaLoginRestrictions'])){ + $this->restrictions= $attrs['gosaLoginRestrictions']; + unset($this->restrictions['count']); + } + /* Assign user language */ if (isset($attrs['preferredLanguage'][0])){ $this->language= $attrs['preferredLanguage'][0]; @@ -705,7 +712,52 @@ class userinfo return($this->ignoreACL); } + + function loginAllowed() + { + // Need to check restrictions? + if (count($this->restrictions)){ + + // We have restrictions but cannot check them + if (!isset($_SERVER['REMOTE_ADDR'])){ + return false; + } + + // Move to binary... + $source= $_SERVER['REMOTE_ADDR']; + foreach ($this->restrictions as $restriction) { + + // Single IP + if (preg_match('/^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/', $restriction)) { + if ($source == $restriction){ + return true; + } + } + + // Match with short netmask + if (preg_match('/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+)$/', $restriction, $matches)) { + if (isIpInNet($source, $matches[1], long2ip(~(pow(2, (32-$matches[2]))-1)))) { + return true; + } + } + + // Match with long netmask + if (preg_match('/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\/([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)$/', $restriction, $matches)) { + if (isIpInNet($source, $matches[1], $matches[2])) { + return true; + } + } + + } + + return false; + } + + return true; + } + } + // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler: ?> diff --git a/gosa-core/include/functions.inc b/gosa-core/include/functions.inc index e75dc292f..d02d7d462 100644 --- a/gosa-core/include/functions.inc +++ b/gosa-core/include/functions.inc @@ -405,6 +405,12 @@ function ldap_login_user_htaccess ($username) $ui= new userinfo($config, $ldap->getDN()); $ui->username= $attrs['uid'][0]; + /* Bail out if we have login restrictions set, for security reasons + the message is the same than failed user/pw */ + if (!$ui->loginAllowed()){ + return (NULL); + } + /* No password check needed - the webserver did it for us */ $ldap->disconnect(); @@ -485,6 +491,12 @@ function ldap_login_user ($username, $password) $ui= new userinfo($config, $ldap->getDN()); $ui->username= $attrs['uid'][0]; + /* Bail out if we have login restrictions set, for security reasons + the message is the same than failed user/pw */ + if (!$ui->loginAllowed()){ + return (NULL); + } + /* password check, bind as user with supplied password */ $ldap->disconnect(); $ldap= new LDAP($ui->dn, $password, $config->current['SERVER'], @@ -2787,6 +2799,7 @@ function cred_encrypt($input, $password) { } + function cred_decrypt($input,$password) { $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC); $iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM); @@ -2794,16 +2807,31 @@ function cred_decrypt($input,$password) { return mcrypt_decrypt(MCRYPT_RIJNDAEL_128, $password, pack("H*", $input), MCRYPT_MODE_ECB, $iv); } + function get_object_info() { return(session::get('objectinfo')); } + function set_object_info($str = "") { session::set('objectinfo',$str); } +function isIpInNet($ip, $net, $mask) { + // Move to long ints + $ip= ip2long($ip); + $net= ip2long($net); + $mask= ip2long($mask); + + // Mask given IP with mask. If it returns "net", we're in... + $res= $ip & $mask; + + return ($res == $net); +} + + // vim:tabstop=2:expandtab:shiftwidth=2:filetype=php:syntax:ruler: ?>