mirror of
https://github.com/librenms/librenms.git
synced 2024-10-07 16:52:45 +00:00
feature: bind user for active_directory auth (#6255)
* feature: bind user for active_directory auth Optional, allows the use of "remember me", API, and alerting. * missing global (but still may not be working) * always return a value from reauthenticate() * Make sure the ldapbind credentials are correct on reauth. Do not send output if they are incorrect (use d_echo) this breaks ajax calls, etc. Add scripts/auth_test.php, to make it easier to debug authentication. * Refine auth_test.php a bit more A few small cleanups in other places of the auth * Add auth_test.php to docs Some more improvements in the auth_test.php output. * Update Authentication.md
This commit is contained in:
Tony Murray
GitHub
126
scripts/auth_test.php
Executable file
126
scripts/auth_test.php
Executable file
@@ -0,0 +1,126 @@
|
||||
#!/usr/bin/php
|
||||
<?php
|
||||
|
||||
use Phpass\PasswordHash;
|
||||
|
||||
$options = getopt('u:rdvh');
|
||||
if (isset($options['h']) || !isset($options['u'])) {
|
||||
echo ' -u <username> (Required) username to test
|
||||
-r Reauthenticate user, (requires previous web login with "Remember me" enabled)
|
||||
-d Enable debug output
|
||||
-v Enable verbose debug output
|
||||
-h Display this help message
|
||||
';
|
||||
exit;
|
||||
}
|
||||
|
||||
$username = $options['u'];
|
||||
|
||||
if (isset($options['d'])) {
|
||||
$debug = true;
|
||||
}
|
||||
|
||||
if (isset($options['v'])) {
|
||||
// might need more options for other auth methods
|
||||
$config['auth_ad_debug'] = 1; // active_directory
|
||||
}
|
||||
|
||||
$init_modules = array('auth');
|
||||
require realpath(__DIR__ . '/..') . '/includes/init.php';
|
||||
|
||||
echo "Authentication Method: {$config['auth_mechanism']}\n";
|
||||
|
||||
// if ldap like, check selinux
|
||||
if ($config['auth_mechanism'] = 'ldap' || $config['auth_mechanism'] = "active_directory") {
|
||||
$enforce = shell_exec('getenforce 2>/dev/null');
|
||||
if (str_contains($enforce, 'Enforcing')) {
|
||||
// has selinux
|
||||
$output = shell_exec('getsebool httpd_can_connect_ldap');
|
||||
if ($output != "httpd_can_connect_ldap --> on\n") {
|
||||
print_error("You need to run: setsebool -P httpd_can_connect_ldap=1");
|
||||
exit;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (function_exists('ad_bind')) {
|
||||
if (isset($config['auth_ad_binduser']) && isset($config['auth_ad_bindpassword'])) {
|
||||
if (!ad_bind($ldap_connection, false)) {
|
||||
$ldap_error = ldap_error($ldap_connection);
|
||||
echo $ldap_error . PHP_EOL;
|
||||
if ($ldap_error == 'Invalid credentials') {
|
||||
print_error('AD bind failed for user ' . $config['auth_ad_binduser'] . '@' . $config['auth_ad_domain'] .
|
||||
'. Check $config[\'auth_ad_binduser\'] and $config[\'auth_ad_bindpassword\'] in your config.php');
|
||||
}
|
||||
} else {
|
||||
print_message('AD bind success');
|
||||
}
|
||||
} else {
|
||||
if (!ad_bind($ldap_connection)) {
|
||||
echo ldap_error($ldap_connection) . PHP_EOL;
|
||||
print_warn("Could not anonymous bind to AD");
|
||||
} else {
|
||||
print_message('AD bind anonymous successful');
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
$auth = false;
|
||||
if (isset($options['r'])) {
|
||||
echo "Reauthenticate Test\n";
|
||||
|
||||
$session = dbFetchRow('SELECT * FROM `session` WHERE `session_username`=? ORDER BY `session_id` DESC LIMIT 1', array($username));
|
||||
d_echo($session);
|
||||
if (empty($session)) {
|
||||
print_error('Requires previous login with \'Remember me\' box checked on the webui');
|
||||
exit;
|
||||
}
|
||||
|
||||
$hasher = new PasswordHash(8, false);
|
||||
$token = $session['session_username'] . '|' . $hasher->HashPassword($session['session_username'] . $session['session_token']);
|
||||
|
||||
$auth = reauthenticate($session['session_value'], $token);
|
||||
if ($auth) {
|
||||
print_message("Reauthentication successful.\n");
|
||||
} else {
|
||||
print_error('Reauthentication failed or is unsupported');
|
||||
}
|
||||
} else {
|
||||
echo 'Password: ';
|
||||
`stty -echo`;
|
||||
$password = trim(fgets(STDIN));
|
||||
`stty echo`;
|
||||
echo PHP_EOL;
|
||||
|
||||
echo "Authenticate user $username: \n";
|
||||
$auth = authenticate($username, $password);
|
||||
unset($password);
|
||||
|
||||
if ($auth) {
|
||||
print_message("AUTH SUCCESS\n");
|
||||
} else {
|
||||
if (isset($ldap_connection)) {
|
||||
echo ldap_error($ldap_connection) . PHP_EOL;
|
||||
}
|
||||
print_error('AUTH FAILURE');
|
||||
}
|
||||
}
|
||||
|
||||
if ($auth) {
|
||||
$user_id = get_userid($username);
|
||||
|
||||
echo "User:\n";
|
||||
if (function_exists('get_user')) {
|
||||
$user = get_user($user_id);
|
||||
|
||||
unset($user['password']);
|
||||
unset($user['remember_token']);
|
||||
foreach ($user as $property => $value) {
|
||||
echo " $property => $value\n";
|
||||
}
|
||||
}
|
||||
|
||||
if (function_exists('get_group_list')) {
|
||||
echo 'Groups: ' . implode('; ', get_group_list()) . PHP_EOL;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user