Merge pull request #182 from LDAPAccountManager/feature/simpleSecurityObject
Feature/simple security object
commit
609aa3141e
10 changed files with 75 additions and 15 deletions
|
@ -1,6 +1,8 @@
|
|||
September 2022 8.1
|
||||
- Allow hostObject for groups and ":" in values
|
||||
- Docker: added Let's Encrypt CA certificates
|
||||
- LAM Pro:
|
||||
-> Added support for simpleSecurityObject
|
||||
- Fixed bugs:
|
||||
-> PHP 8.1 does not show proper error message when login failed with LDAP search method
|
||||
-> Self service issues on PHP 8.1 (181)
|
||||
|
|
|
@ -658,6 +658,24 @@
|
|||
<entry>LAM Pro only</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><inlinemediaobject>
|
||||
<imageobject>
|
||||
<imagedata fileref="images/schema_ssh.png"/>
|
||||
</imageobject>
|
||||
</inlinemediaobject></entry>
|
||||
|
||||
<entry>Simple Security Object</entry>
|
||||
|
||||
<entry>simpleSecurityObject</entry>
|
||||
|
||||
<entry>core.schema</entry>
|
||||
|
||||
<entry>Part of OpenLDAP installation</entry>
|
||||
|
||||
<entry>LAM Pro only</entry>
|
||||
</row>
|
||||
|
||||
<row>
|
||||
<entry><inlinemediaobject>
|
||||
<imageobject>
|
||||
|
|
|
@ -2985,18 +2985,18 @@ AuthorizedKeysCommandUser root</literallayout>
|
|||
<section>
|
||||
<title>Hosts</title>
|
||||
|
||||
<para>You can specify a list of valid host names where the group's members may
|
||||
login. If you add the value "*" then the users may login to any host.
|
||||
This can be further restricted by adding explicit deny entries which are
|
||||
prefixed with "!" (e.g. "!hr_server").</para>
|
||||
<para>You can specify a list of valid host names where the group's
|
||||
members may login. If you add the value "*" then the users may login to
|
||||
any host. This can be further restricted by adding explicit deny entries
|
||||
which are prefixed with "!" (e.g. "!hr_server").</para>
|
||||
|
||||
<para>Please note that your PAM settings need to support host
|
||||
restrictions. This feature is enabled by setting <emphasis
|
||||
role="bold">pam_check_host_attr yes</emphasis> in your <emphasis
|
||||
role="bold">/etc/pam_ldap.conf</emphasis>. When it is enabled then the
|
||||
account facility of pam_ldap will perform the checks and return an error
|
||||
when no proper host attribute is present. Please note that users without
|
||||
host attribute cannot login to such a configured server.</para>
|
||||
restrictions. This feature is enabled by setting <emphasis
|
||||
role="bold">pam_check_host_attr yes</emphasis> in your <emphasis
|
||||
role="bold">/etc/pam_ldap.conf</emphasis>. When it is enabled then the
|
||||
account facility of pam_ldap will perform the checks and return an error
|
||||
when no proper host attribute is present. Please note that users without
|
||||
host attribute cannot login to such a configured server.</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
@ -3006,7 +3006,6 @@ AuthorizedKeysCommandUser root</literallayout>
|
|||
</mediaobject>
|
||||
</screenshot>
|
||||
</section>
|
||||
|
||||
</section>
|
||||
|
||||
<section>
|
||||
|
@ -3472,6 +3471,39 @@ AuthorizedKeysCommandUser root</literallayout>
|
|||
</screenshot>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Simple Security Object (LAM Pro)</title>
|
||||
|
||||
<para>This allows to add passwords to LDAP entries which do not support
|
||||
passwords by other object classes. E.g. passwords can be added to
|
||||
organizational roles.</para>
|
||||
|
||||
<para>The simple security object module can be added to the following
|
||||
account types: users, groups, group of names</para>
|
||||
|
||||
<para>Configuration:</para>
|
||||
|
||||
<para>Add the Simple Security Object module to your account type.</para>
|
||||
|
||||
<screenshot>
|
||||
<graphic fileref="images/mod_simpleSecurityObject1.png"/>
|
||||
</screenshot>
|
||||
|
||||
<para>Next configure the password hash type to use (module settings
|
||||
tab).</para>
|
||||
|
||||
<screenshot>
|
||||
<graphic fileref="images/mod_simpleSecurityObject2.png"/>
|
||||
</screenshot>
|
||||
|
||||
<para>Now you can add a password to your entries by adding the extension
|
||||
to an entry.</para>
|
||||
|
||||
<screenshot>
|
||||
<graphic fileref="images/mod_simpleSecurityObject3.png"/>
|
||||
</screenshot>
|
||||
</section>
|
||||
|
||||
<section id="type_asterisk">
|
||||
<title>Asterisk</title>
|
||||
|
||||
|
@ -5467,7 +5499,7 @@ OK (10 msec)</programlisting>
|
|||
</mediaobject>
|
||||
</screenshot>
|
||||
|
||||
<para> Presentation:</para>
|
||||
<para>Presentation:</para>
|
||||
|
||||
<screenshot>
|
||||
<mediaobject>
|
||||
|
|
BIN
lam/docs/manual-sources/images/mod_simpleSecurityObject1.png
Normal file
BIN
lam/docs/manual-sources/images/mod_simpleSecurityObject1.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 33 KiB |
BIN
lam/docs/manual-sources/images/mod_simpleSecurityObject2.png
Normal file
BIN
lam/docs/manual-sources/images/mod_simpleSecurityObject2.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 9.1 KiB |
BIN
lam/docs/manual-sources/images/mod_simpleSecurityObject3.png
Normal file
BIN
lam/docs/manual-sources/images/mod_simpleSecurityObject3.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 24 KiB |
|
@ -224,6 +224,9 @@ class Ldap{
|
|||
* @return string user name
|
||||
*/
|
||||
public function getUserName() {
|
||||
if ($this->username === null) {
|
||||
return null;
|
||||
}
|
||||
return lamDecrypt(base64_decode($this->username));
|
||||
}
|
||||
|
||||
|
@ -233,6 +236,9 @@ class Ldap{
|
|||
* @return string password
|
||||
*/
|
||||
public function getPassword() {
|
||||
if ($this->password === null) {
|
||||
return null;
|
||||
}
|
||||
return lamDecrypt(base64_decode($this->password));
|
||||
}
|
||||
|
||||
|
|
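Review bot: The docblock line `* @return string user name` that sits as context at the top of the first hunk is no longer accurate once the added guard returns null for a missing username, and the same holds for `* @return string password` in the second hunk. Change them to `* @return string|null user name (null when no user name is stored in this object)` and `* @return string|null password (null when no password is stored)` so callers that hand the value to an LDAP bind or string-concatenate it know they must check for null. The guard presumably exists because passing null into base64_decode() raises a deprecation on PHP 8.1 (the changelog in this commit mentions 8.1 fixes), but that reason is not stated anywhere in the hunk; a one-line comment such as `// avoid base64_decode(null) deprecation on PHP 8.1` on the new if-line would make it explicit. The enclosing Ldap class starts outside both hunks.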
1
lam/lib/modules/.gitignore
vendored
1
lam/lib/modules/.gitignore
vendored
|
@ -44,3 +44,4 @@
|
|||
/mitKerberosPolicy.inc
|
||||
/openldapTotp.inc
|
||||
/powerDNS.inc
|
||||
/simpleSecurityObject.inc
|
||||
|
|
|
@ -201,7 +201,7 @@ class posixAccount extends baseModule implements passwordService,AccountStatusPr
|
|||
// self service configuration settings
|
||||
$selfServiceContainer = new htmlResponsiveRow();
|
||||
$selfServiceContainer->add(new htmlResponsiveSelect('posixAccount_pwdHash', getSupportedHashTypes(),
|
||||
array('SSHA'), _("Password hash type"), array('pwdHash', get_class($this))), 12);
|
||||
array('CRYPT-SHA512'), _("Password hash type"), array('pwdHash', get_class($this))), 12);
|
||||
$selfServiceContainer->add(new htmlResponsiveInputTextarea('posixAccount_shells', implode("\r\n", $this->getShells()), 30, 4, _('Login shells'), array('loginShells', get_class($this))), 12);
|
||||
$selfServiceContainer->add(new htmlResponsiveInputField(_('Group DN'), 'posixAccount_groupDn', '', array('groupDn', get_class($this))), 12);
|
||||
$selfServiceContainer->add(new htmlResponsiveInputCheckbox('posixAccount_useOldPwd', false, _('Password change with old password'), array('useOldPwd', get_class($this))), 12);
|
||||
|
@ -3126,7 +3126,7 @@ class posixAccount extends baseModule implements passwordService,AccountStatusPr
|
|||
"ERROR",
|
||||
_('Unable to set password'),
|
||||
$dn . '<br>' . getDefaultLDAPErrorString($_SESSION['ldap']->server()),
|
||||
array($temp['groups'][$temp['counter']])
|
||||
array($temp['exop'][$temp['counter']])
|
||||
);
|
||||
}
|
||||
$temp['counter']++;
|
||||
|
|
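Review bot: The first hunk changes the preset of the self-service "Password hash type" select from `array('SSHA')` to `array('CRYPT-SHA512')` (assuming the CRYPT-SHA512 line is the new side, since the markers are lost on this page) without a comment saying why, and nothing ties it to the simpleSecurityObject feature this PR is about. A why-comment on that line, e.g. `// CRYPT-SHA512 default: salted and iterated, unlike single-round SSHA`, would stop a later maintainer from reverting it for compatibility reasons; the matching default in the module settings for the same option, which is outside this hunk, should be checked so self service and the admin profile do not diverge. Existing self-service profiles that already store a value are presumably unaffected since this only sets the select's preset, but that is worth confirming. The enclosing method starts and ends outside the hunk.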
3
lam/tmp/.gitignore
vendored
3
lam/tmp/.gitignore
vendored
|
@ -1,3 +1,4 @@
|
|||
/*.jpg
|
||||
/*.pem
|
||||
/*.log
|
||||
/*.log
|
||||
/*.pdf
|