Sincronización con LDAP
This commit is contained in:
Juan Ferrer Toribio
parent
5b50b3cc64
commit
400fa1787d
|
|
@ -1,4 +1,4 @@
|
|||
hedera-web (1.405.2) stable; urgency=low
|
||||
hedera-web (1.405.3) stable; urgency=low
|
||||
|
||||
* Initial Release.
|
||||
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ Vcs-Git: git://www.verdnatura.es/var/git/hedera-web
|
|||
|
||||
Package: hedera-web
|
||||
Architecture: all
|
||||
Depends: apache2, php5-mysql, php5-mcrypt, php5-ssh2, php-vn-lib, nodejs
|
||||
Depends: apache2, php5-mysql, php5-mcrypt, php5-ldap, php5-ssh2, php-vn-lib, nodejs
|
||||
Suggests: php-text-captcha, php5-imap, tinymce
|
||||
Section: misc
|
||||
Priority: optional
|
||||
|
|
|
|||
|
|
@ -2,7 +2,20 @@
|
|||
|
||||
class Account
|
||||
{
|
||||
static function sync ($db, $user, $password = NULL)
|
||||
static function trySync ($db, $user, $password = NULL)
|
||||
{
|
||||
$isSync = $db->getValue (
|
||||
'SELECT sync FROM account.user WHERE name = #',
|
||||
[$user]
|
||||
);
|
||||
|
||||
if ($isSync)
|
||||
return;
|
||||
|
||||
self::sync ($db, $user, $password);
|
||||
}
|
||||
|
||||
static function sync ($db, $user, $password = NULL, $force = TRUE)
|
||||
{
|
||||
$hasAccount = $db->getValue (
|
||||
'SELECT COUNT(*) > 0
|
||||
|
|
@ -12,61 +25,142 @@ class Account
|
|||
[$user]
|
||||
);
|
||||
|
||||
if (!$hasAccount)
|
||||
if ($hasAccount)
|
||||
{
|
||||
self::ldapSync ($db, $user, $password);
|
||||
self::sambaSync ($db, $user, $password);
|
||||
}
|
||||
|
||||
$db->query (
|
||||
'UPDATE account.user SET sync = TRUE WHERE name = #',
|
||||
[$user]
|
||||
);
|
||||
}
|
||||
|
||||
/**
|
||||
* Synchronizes the user credentials in the LDAP server.
|
||||
*/
|
||||
static function ldapSync ($db, $user, $password)
|
||||
{
|
||||
if (empty ($password))
|
||||
return;
|
||||
|
||||
$conf = $db->getRow (
|
||||
'SELECT sambaHost, homesHost, sshUser, sshPass
|
||||
FROM account.accountConfig'
|
||||
);
|
||||
$sshPass = base64_decode ($conf['sshPass']);
|
||||
|
||||
$samba = new SshConnection ($conf['sambaHost']
|
||||
,$conf['sshUser']
|
||||
,$sshPass
|
||||
);
|
||||
$homes = new SshConnection ($conf['homesHost']
|
||||
,$conf['sshUser']
|
||||
,$sshPass
|
||||
// Gets LDAP configuration parameters
|
||||
|
||||
$conf = $db->getObject (
|
||||
'SELECT host, rdn, password, baseDn, filter
|
||||
FROM account.ldapConfig');
|
||||
|
||||
// Connects an authenticates against server
|
||||
|
||||
$ds = ldap_connect ($conf->host);
|
||||
|
||||
if (!$ds)
|
||||
throw new Exception ("Can't connect to LDAP server: ". ldapError ($ds));
|
||||
|
||||
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
|
||||
$bind = ldap_bind ($ds, $conf->rdn, base64_decode ($conf->password));
|
||||
|
||||
if (!$bind)
|
||||
throw new Exception ("Authentication failed on LDAP server: ". ldapError ($ds));
|
||||
|
||||
// Search the user entry
|
||||
|
||||
$res = ldap_search ($ds, $conf->baseDn, "(&(uid=$user)($conf->filter))");
|
||||
|
||||
if (!$res)
|
||||
throw new Exception ("Can't get the LDAP entry: ". ldapError ($ds));
|
||||
|
||||
$dn = "uid=$user,{$conf->baseDn}";
|
||||
$entry = ldap_first_entry ($ds, $res);
|
||||
|
||||
if ($entry)
|
||||
{
|
||||
$info = ['userPassword' => sshaEncode ($password)];
|
||||
ldap_modify ($ds, $dn, $info);
|
||||
}
|
||||
else
|
||||
{
|
||||
$info = [
|
||||
'objectClass' => ['account', 'simpleSecurityObject', 'top'],
|
||||
'uid' => $user,
|
||||
'userPassword' => sshaEncode ($password)
|
||||
];
|
||||
ldap_add ($ds, $dn, $info);
|
||||
}
|
||||
|
||||
ldap_unbind ($ds);
|
||||
}
|
||||
|
||||
/**
|
||||
* Synchronizes the user credentials in the Samba server.
|
||||
*/
|
||||
static function sambaSync ($db, $user, $password)
|
||||
{
|
||||
$conf = $db->getObject (
|
||||
'SELECT host, sshUser, sshPass, domain, uidBase
|
||||
FROM account.sambaConfig'
|
||||
);
|
||||
|
||||
$escUser = SshConnection::escape ($user);
|
||||
$samba = new SshConnection ($conf->host
|
||||
,$conf->sshUser
|
||||
,base64_decode ($conf->sshPass)
|
||||
);
|
||||
|
||||
$scriptDir = '/mnt/cluster/scripts';
|
||||
|
||||
// Creates the Samba user and initializes it's home directory
|
||||
|
||||
$userId = $db->getValue (
|
||||
'SELECT id FROM account.user WHERE name = #', [$user]);
|
||||
$accConf = $db->getRow (
|
||||
'SELECT uidBase, domain FROM account.accountConfig');
|
||||
|
||||
$escUid = SshConnection::escape ($accConf['uidBase'] + $userId);
|
||||
$escMail = SshConnection::escape ("$user@{$accConf['domain']}");
|
||||
|
||||
$samba->exec (
|
||||
"/mnt/cluster/scripts/create-user.sh $escUser $escUid $escMail");
|
||||
$homes->exec (
|
||||
"/mnt/storage/scripts/create-user.sh $escUser");
|
||||
$samba->exec ("$scriptDir/create-user.sh %s %s %s"
|
||||
,$user
|
||||
,$conf->uidBase + $userId
|
||||
,"$user@{$conf->domain}"
|
||||
);
|
||||
|
||||
// Syncronizes the Samba password
|
||||
|
||||
if (empty ($password))
|
||||
return;
|
||||
|
||||
$escPassword = SshConnection::escape ($password);
|
||||
$samba->exec (
|
||||
"/mnt/cluster/scripts/set-password.sh $escUser $escPassword");
|
||||
|
||||
new SshConnection ($conf['homesHost'], $user, $password);
|
||||
$samba->exec ("$scriptDir/set-password.sh %s %s"
|
||||
,$user
|
||||
,$password
|
||||
);
|
||||
}
|
||||
}
|
||||
|
||||
function ldapError ($ds)
|
||||
{
|
||||
return ldap_errno ($ds) .': '. ldap_error ($ds);
|
||||
}
|
||||
|
||||
function sshaEncode ($value)
|
||||
{
|
||||
mt_srand ((double) microtime () * 1000000);
|
||||
$salt = pack ('CCCC', mt_rand (), mt_rand (), mt_rand (), mt_rand ());
|
||||
$hash = '{SSHA}' . base64_encode (pack ('H*', sha1 ($value . $salt)) . $salt);
|
||||
return $hash;
|
||||
}
|
||||
|
||||
function sshaVerify ($hash, $value)
|
||||
{
|
||||
$ohash = base64_decode (substr ($hash, 6));
|
||||
$osalt = substr ($ohash, 20);
|
||||
$ohash = substr ($ohash, 0, 20);
|
||||
$nhash = pack ('H*', sha1 ($value . $osalt));
|
||||
return $ohash == $nhash;
|
||||
}
|
||||
|
||||
class SshConnection
|
||||
{
|
||||
var $connection;
|
||||
|
||||
/**
|
||||
* Abrebiated method to make SSH connections.
|
||||
**/
|
||||
*/
|
||||
function __construct ($host, $user, $password)
|
||||
{
|
||||
$this->connection = $connection = ssh2_connect ($host);
|
||||
|
|
@ -84,15 +178,23 @@ class SshConnection
|
|||
|
||||
/**
|
||||
* Executes a command on the host.
|
||||
**/
|
||||
function exec ($command)
|
||||
*/
|
||||
function exec ()
|
||||
{
|
||||
$nargs = func_num_args ();
|
||||
$args = func_get_args ();
|
||||
|
||||
for ($i = 1; $i < $nargs; $i++)
|
||||
$args[$i] = self::escape ($args[$i]);
|
||||
|
||||
$command = call_user_func_array ('sprintf', $args);
|
||||
error_log ($command);
|
||||
return ssh2_exec ($this->connection, $command);
|
||||
}
|
||||
|
||||
/**
|
||||
* Escapes the double quotes from an string.
|
||||
**/
|
||||
*/
|
||||
static function escape ($str)
|
||||
{
|
||||
return '"'. str_replace ('"', '\\"', $str) .'"';
|
||||
|
|
|
|||
|
|
@ -1,9 +1,19 @@
|
|||
<?php
|
||||
|
||||
include __DIR__.'/account.php';
|
||||
|
||||
class Login extends Vn\Web\JsonRequest
|
||||
{
|
||||
function run ($db)
|
||||
{
|
||||
try {
|
||||
Account::trySync ($db
|
||||
,$_POST['user']
|
||||
,$_POST['password']
|
||||
);
|
||||
}
|
||||
catch (Exception $e) {}
|
||||
|
||||
$token = $this->service->createToken (
|
||||
$_SESSION['user'],
|
||||
!empty ($_POST['remember'])
|
||||
|
|
|
|||
Loading…
Reference in New Issue