mirror/librenms-librenms
1
0
Fork 0
mirror of https://github.com/librenms/librenms.git synced 2024-10-07 16:52:45 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

feature: bind user for active_directory auth (#6255)

Browse Source 
* feature: bind user for active_directory auth
Optional, allows the use of "remember me", API, and alerting.

* missing global (but still may not be working)

* always return a value from reauthenticate()

* Make sure the ldapbind credentials are correct on reauth.
Do not send output if they are incorrect (use d_echo) this breaks ajax calls, etc.
Add scripts/auth_test.php, to make it easier to debug authentication.

* Refine auth_test.php a bit more
A few small cleanups in other places of the auth

* Add auth_test.php to docs
Some more improvements in the auth_test.php output.

* Update Authentication.md
This commit is contained in:
Tony Murray
2017-03-29 08:22:02 -05:00
committed by GitHub
parent 5d2aa30153
commit 1ea7af424b
8 changed files with 303 additions and 65 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
doc/Extensions/Authentication.md
View File

@@ -41,7 +41,14 @@ When using SELinux on the LibreNMS server, you need to allow Apache (httpd) to c
setsebool -P httpd_can_connect_ldap=1
```
#### MySQL Authentication
#### Testing authentication
You can test authentication with this script:
```shell
./scripts/auth_test.php
```
Enable debug output to troubleshoot issues
### MySQL Authentication
Config option: `mysql`
@@ -54,7 +61,7 @@ $config['db_pass'] = "DBPASS";
$config['db_name'] = "DBNAME";
```
#### HTTP Authentication
### HTTP Authentication
Config option: `http-auth`
@@ -69,7 +76,7 @@ $config['http_auth_guest'] = "guest";
```
This will then assign the userlevel for guest to all authenticated users.
#### LDAP Authentication
### LDAP Authentication
Config option: `ldap`
@@ -84,6 +91,8 @@ $config['auth_ldap_port'] = 389;
$config['auth_ldap_prefix'] = "uid=";
$config['auth_ldap_suffix'] = ",ou=People,dc=example,dc=com";
$config['auth_ldap_group'] = "cn=groupname,ou=groups,dc=example,dc=com";
$config['auth_ad_binduser'] = 'examplebinduser';
$config['auth_ad_bindpassword'] = 'examplepassword';
$config['auth_ldap_groupbase'] = "ou=group,dc=example,dc=com";
$config['auth_ldap_groups']['admin']['level'] = 10;
@@ -93,6 +102,7 @@ $config['auth_ldap_groupmemberattr'] = "memberUid";
```
Typically auth_ldap_suffix, auth_ldap_group, auth_ldap_groupbase, auth_ldap_groups are what's required to be configured.
It is highly suggested to create a bind user, other wise "remember me", alerting AD users, and the API will not work.
An example config setup for use with Jumpcloud LDAP as a service is:
@@ -112,7 +122,7 @@ $config['auth_ldap_groupmemberattr'] = "memberUid";
Replace {id} with the unique ID provided by Jumpcloud.
#### HTTP Authentication / LDAP Authorization
### HTTP Authentication / LDAP Authorization
Config option: `ldap-authorization`
@@ -130,7 +140,7 @@ To disabled this caching (highly discourage) set this option to 0.
$config['auth_ldap_cache_ttl'] = 300;
```
#### Active Directory Authentication
### Active Directory Authentication
Config option: `active_directory`
@@ -183,7 +193,7 @@ $config['auth_ad_group_filter'] = "(objectclass=group)";
This yields `(&(objectclass=user)(sAMAccountName=$username))` for the user filter and `(&(objectclass=group)(sAMAccountName=$group))` for the group filter.
#### Radius Authentication
### Radius Authentication
Please note that a mysql user is created for each user the logs in successfully. User level 1 is assigned to those accounts so you will then need to assign the relevant permissions unless you set `$config['radius']['userlevel']` to be something other than 1.
@@ -199,7 +209,7 @@ $config['radius']['users_purge'] = 14;//Purge users who haven't logged in for 14
$config['radius']['default_level'] = 1;//Set the default user level when automatically creating a user.
```
#### HTTP Authentication / AD Authorization
### HTTP Authentication / AD Authorization
Config option: `ad-authorization`

1
html/includes/authenticate.inc.php
View File

@@ -74,7 +74,6 @@ if ((isset($_SESSION['username'])) || (isset($_COOKIE['sess_id'],$_COOKIE['token
if (isset($_POST['remember'])) {
$sess_id = session_id();
$hasher = new PasswordHash(8, false);
$token = strgen();
$auth = strgen();
$hasher = new PasswordHash(8, false);

197
html/includes/authentication/active_directory.inc.php
View File

@@ -1,5 +1,7 @@
<?php
use Phpass\PasswordHash;
// easier to rewrite for Active Directory than to bash it into existing LDAP implementation
// disable certificate checking before connect if required
@@ -19,6 +21,11 @@ $ldap_connection = @ldap_connect($config['auth_ad_url']);
ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, 0);
ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
// Bind to AD
if (!ad_bind($ldap_connection)) {
d_echo(ldap_error($ldap_connection) . PHP_EOL);
}
function authenticate($username, $password)
{
global $config, $ldap_connection, $auth_error;
@@ -78,9 +85,35 @@ function authenticate($username, $password)
return 0;
}
function reauthenticate()
function reauthenticate($sess_id, $token)
{
// not supported so return 0
global $ldap_connection;
if (ad_bind($ldap_connection, false)) {
$sess_id = clean($sess_id);
$token = clean($token);
list($username, $hash) = explode('|', $token);
if (!user_exists($username)) {
d_echo("$username is not a valid AD user\n");
return 0;
}
$session = dbFetchRow(
"SELECT * FROM `session` WHERE `session_username`=? AND session_value=?",
array($username, $sess_id),
true
);
$hasher = new PasswordHash(8, false);
if ($hasher->CheckPassword($username . $session['session_token'], $hash)) {
$_SESSION['username'] = $username;
return 1;
} else {
d_echo("Reauthenticate token check failed\n");
return 0;
}
}
return 0;
}
@@ -108,20 +141,8 @@ function auth_usermanagement()
function adduser($username, $level = 0, $email = '', $realname = '', $can_modify_passwd = 0, $description = '', $twofactor = 0)
{
// Check to see if user is already added in the database
if (!user_exists_in_db($username)) {
$userid = dbInsert(array('username' => $username, 'realname' => $realname, 'email' => $email, 'descr' => $description, 'level' => $level, 'can_modify_passwd' => $can_modify_passwd, 'twofactor' => $twofactor, 'user_id' => get_userid($username)), 'users');
if ($userid == false) {
return false;
} else {
foreach (dbFetchRows('select notifications.* from notifications where not exists( select 1 from notifications_attribs where notifications.notifications_id = notifications_attribs.notifications_id and notifications_attribs.user_id = ?) order by notifications.notifications_id desc', array($userid)) as $notif) {
dbInsert(array('notifications_id'=>$notif['notifications_id'],'user_id'=>$userid,'key'=>'read','value'=>1), 'notifications_attribs');
}
}
return $userid;
} else {
return false;
}
// not supported so return 0
return 0;
}
function user_exists_in_db($username)
@@ -199,12 +220,43 @@ function get_userid($username)
$entries = ldap_get_entries($ldap_connection, $search);
if ($entries['count']) {
return preg_replace('/.*-(\d+)$/', '$1', sid_from_ldap($entries[0]['objectsid'][0]));
return get_userid_from_sid(sid_from_ldap($entries[0]['objectsid'][0]));
}
return -1;
}
function get_domain_sid()
{
global $config, $ldap_connection;
$search = ldap_read(
$ldap_connection,
$config['auth_ad_base_dn'],
'(objectClass=*)',
array('objectsid')
);
$entry = ldap_get_entries($ldap_connection, $search);
return substr(sid_from_ldap($entry[0]['objectsid'][0]), 0, 41);
}
function get_user($user_id)
{
global $config, $ldap_connection;
$domain_sid = get_domain_sid();
$search_filter = "(&(objectcategory=person)(objectclass=user)(objectsid=$domain_sid-$user_id))";
$attributes = array('samaccountname', 'displayname', 'objectsid', 'mail');
$search = ldap_search($ldap_connection, $config['auth_ad_base_dn'], $search_filter, $attributes);
$entry = ldap_get_entries($ldap_connection, $search);
if (isset($entry[0]['samaccountname'][0])) {
return user_from_ad($entry[0]);
}
return array();
}
function deluser($userid)
{
@@ -212,8 +264,7 @@ function deluser($userid)
dbDelete('devices_perms', '`user_id` = ?', array($userid));
dbDelete('ports_perms', '`user_id` = ?', array($userid));
dbDelete('users_prefs', '`user_id` = ?', array($userid));
dbDelete('users', '`user_id` = ?', array($userid));
return dbDelete('users', '`user_id` = ?', array($userid));
return 0;
}
@@ -221,7 +272,6 @@ function get_userlist()
{
global $config, $ldap_connection;
$userlist = array();
$userhash = array();
$ldap_groups = get_group_list();
@@ -230,37 +280,41 @@ function get_userlist()
if ($config['auth_ad_user_filter']) {
$search_filter = "(&{$config['auth_ad_user_filter']}$search_filter)";
}
$search = ldap_search($ldap_connection, $config['auth_ad_base_dn'], $search_filter, array('samaccountname','displayname','objectsid','mail'));
$attributes = array('samaccountname', 'displayname', 'objectsid', 'mail');
$search = ldap_search($ldap_connection, $config['auth_ad_base_dn'], $search_filter, $attributes);
$results = ldap_get_entries($ldap_connection, $search);
foreach ($results as $result) {
if (isset($result['samaccountname'][0])) {
$userid = preg_replace(
'/.*-(\d+)$/',
'$1',
sid_from_ldap($result['objectsid'][0])
);
// don't make duplicates, user may be member of more than one group
$userhash[$result['samaccountname'][0]] = array(
'realname' => $result['displayName'][0],
'user_id' => $userid,
'email' => $result['mail'][0]
);
$userlist[$result['samaccountname'][0]] = user_from_ad($result);
}
}
}
foreach (array_keys($userhash) as $key) {
$userlist[] = array(
'username' => $key,
'realname' => $userhash[$key]['realname'],
'user_id' => $userhash[$key]['user_id'],
'email' => $userhash[$key]['email']
);
}
return array_values($userlist);
}
return $userlist;
/**
* Generate a user array from an AD LDAP entry
* Must have the attributes: objectsid, samaccountname, displayname, mail
* @internal
*
* @param $entry
* @return array
*/
function user_from_ad($entry)
{
return array(
'user_id' => get_userid_from_sid(sid_from_ldap($entry['objectsid'][0])),
'username' => $entry['samaccountname'][0],
'realname' => $entry['displayname'][0],
'email' => $entry['mail'][0],
'descr' => '',
'level' => get_userlevel($entry['samaccountname'][0]),
'can_modify_passwd' => 0,
'twofactor' => 0,
// 'dashboard' => 'broken!',
);
}
@@ -271,18 +325,27 @@ function can_update_users()
}
function get_user($user_id)
{
// not supported so return 0
return dbFetchRow('SELECT * FROM `users` WHERE `user_id` = ?', array($user_id), true);
}
function update_user($user_id, $realname, $level, $can_modify_passwd, $email)
{
dbUpdate(array('realname' => $realname, 'can_modify_passwd' => $can_modify_passwd, 'email' => $email), 'users', '`user_id` = ?', array($user_id));
// not supported so return 0
return 0;
}
function get_email($username)
{
global $config, $ldap_connection;
$attributes = array('mail');
$search = ldap_search(
$ldap_connection,
$config['auth_ad_base_dn'],
get_auth_ad_user_filter($username),
$attributes
);
$result = ldap_get_entries($ldap_connection, $search);
unset($result[0]['mail']['count']);
return current($result[0]['mail']);
}
function get_fullname($username)
{
@@ -359,6 +422,11 @@ function get_cn($dn)
return str_replace('~C0mmA~', ',', $matches[0][0]);
}
function get_userid_from_sid($sid)
{
return preg_replace('/.*-(\d+)$/', '$1', $sid);
}
function sid_from_ldap($sid)
{
$sidUnpacked = unpack('H*hex', $sid);
@@ -368,3 +436,32 @@ function sid_from_ldap($sid)
$authIdent = hexdec(substr($sidHex, 4, 12));
return 'S-'.$revLevel.'-'.$authIdent.'-'.implode('-', $subAuths);
}
/**
* Bind to AD with the bind user if available, otherwise anonymous bind
* @internal
*
* @param resource $connection the ldap connection resource
* @param bool $allow_anonymous attempt anonymous bind if bind user isn't available
* @return bool success or failure
*/
function ad_bind($connection, $allow_anonymous = true)
{
global $config;
if (isset($config['auth_ad_binduser']) && isset($config['auth_ad_bindpassword'])) {
// With specified bind user
return ldap_bind(
$connection,
"${config['auth_ad_binduser']}@${config['auth_ad_domain']}",
"${config['auth_ad_bindpassword']}"
);
}
if ($allow_anonymous) {
// Anonymous
return ldap_bind($connection);
}
return false;
}

2
html/includes/authentication/ad-authorization.inc.php
View File

@@ -54,7 +54,7 @@ function authenticate($username, $password)
}
function reauthenticate()
function reauthenticate($sess_id, $token)
{
// not supported so return 0
return 0;

2
html/includes/authentication/radius.inc.php
View File

@@ -25,7 +25,7 @@ function authenticate($username, $password)
}
}
function reauthenticate()
function reauthenticate($sess_id, $token)
{
return 0;
}

9
includes/alerts.inc.php
View File

@@ -271,11 +271,14 @@ function GetContacts($results)
}
foreach ($users as $user) {
if (empty($user['email'])) {
continue;
} elseif (empty($user['realname'])) {
continue; // no email, skip this user
}
if (empty($user['realname'])) {
$user['realname'] = $user['username'];
}
$user['level'] = get_userlevel($user['username']);
if (empty($user['level'])) {
$user['level'] = get_userlevel($user['username']);
}
if ($config["alert"]["globals"] && ( $user['level'] >= 5 && $user['level'] < 10 )) {
$contacts[$user['email']] = $user['realname'];
} elseif ($config["alert"]["admins"] && $user['level'] == 10) {

7
includes/common.php
View File

@@ -1454,10 +1454,13 @@ function starts_with($haystack, $needles, $case_insensitive = false)
function get_auth_ad_user_filter($username)
{
global $config;
$user_filter = "(samaccountname=$username)";
// don't return disabled users
$user_filter = "(&(samaccountname=$username)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))";
if ($config['auth_ad_user_filter']) {
$user_filter = "(&{$config['auth_ad_user_filter']}$user_filter)";
$user_filter .= $config['auth_ad_user_filter'];
}
$user_filter .= ')';
return $user_filter;
}

126
scripts/auth_test.php Executable file
View File

@@ -0,0 +1,126 @@
#!/usr/bin/php
<?php
use Phpass\PasswordHash;
$options = getopt('u:rdvh');
if (isset($options['h']) || !isset($options['u'])) {
echo ' -u <username> (Required) username to test
-r Reauthenticate user, (requires previous web login with "Remember me" enabled)
-d Enable debug output
-v Enable verbose debug output
-h Display this help message
';
exit;
}
$username = $options['u'];
if (isset($options['d'])) {
$debug = true;
}
if (isset($options['v'])) {
// might need more options for other auth methods
$config['auth_ad_debug'] = 1; // active_directory
}
$init_modules = array('auth');
require realpath(__DIR__ . '/..') . '/includes/init.php';
echo "Authentication Method: {$config['auth_mechanism']}\n";
// if ldap like, check selinux
if ($config['auth_mechanism'] = 'ldap' || $config['auth_mechanism'] = "active_directory") {
$enforce = shell_exec('getenforce 2>/dev/null');
if (str_contains($enforce, 'Enforcing')) {
// has selinux
$output = shell_exec('getsebool httpd_can_connect_ldap');
if ($output != "httpd_can_connect_ldap --> on\n") {
print_error("You need to run: setsebool -P httpd_can_connect_ldap=1");
exit;
}
}
}
if (function_exists('ad_bind')) {
if (isset($config['auth_ad_binduser']) && isset($config['auth_ad_bindpassword'])) {
if (!ad_bind($ldap_connection, false)) {
$ldap_error = ldap_error($ldap_connection);
echo $ldap_error . PHP_EOL;
if ($ldap_error == 'Invalid credentials') {
print_error('AD bind failed for user ' . $config['auth_ad_binduser'] . '@' . $config['auth_ad_domain'] .
'. Check $config[\'auth_ad_binduser\'] and $config[\'auth_ad_bindpassword\'] in your config.php');
}
} else {
print_message('AD bind success');
}
} else {
if (!ad_bind($ldap_connection)) {
echo ldap_error($ldap_connection) . PHP_EOL;
print_warn("Could not anonymous bind to AD");
} else {
print_message('AD bind anonymous successful');
}
}
}
$auth = false;
if (isset($options['r'])) {
echo "Reauthenticate Test\n";
$session = dbFetchRow('SELECT * FROM `session` WHERE `session_username`=? ORDER BY `session_id` DESC LIMIT 1', array($username));
d_echo($session);
if (empty($session)) {
print_error('Requires previous login with \'Remember me\' box checked on the webui');
exit;
}
$hasher = new PasswordHash(8, false);
$token = $session['session_username'] . '|' . $hasher->HashPassword($session['session_username'] . $session['session_token']);
$auth = reauthenticate($session['session_value'], $token);
if ($auth) {
print_message("Reauthentication successful.\n");
} else {
print_error('Reauthentication failed or is unsupported');
}
} else {
echo 'Password: ';
`stty -echo`;
$password = trim(fgets(STDIN));
`stty echo`;
echo PHP_EOL;
echo "Authenticate user $username: \n";
$auth = authenticate($username, $password);
unset($password);
if ($auth) {
print_message("AUTH SUCCESS\n");
} else {
if (isset($ldap_connection)) {
echo ldap_error($ldap_connection) . PHP_EOL;
}
print_error('AUTH FAILURE');
}
}
if ($auth) {
$user_id = get_userid($username);
echo "User:\n";
if (function_exists('get_user')) {
$user = get_user($user_id);
unset($user['password']);
unset($user['remember_token']);
foreach ($user as $property => $value) {
echo " $property => $value\n";
}
}
if (function_exists('get_group_list')) {
echo 'Groups: ' . implode('; ', get_group_list()) . PHP_EOL;
}
}