feature: bind user for active_directory auth (#6255)

* feature: bind user for active_directory auth Optional, allows the use of "remember me", API, and alerting. * missing global (but still may not be working) * always return a value from reauthenticate() * Make sure the ldapbind credentials are correct on reauth. Do not send output if they are incorrect (use d_echo) this breaks ajax calls, etc. Add scripts/auth_test.php, to make it easier to debug authentication. * Refine auth_test.php a bit more A few small cleanups in other places of the auth * Add auth_test.php to docs Some more improvements in the auth_test.php output. * Update Authentication.md
2024-10-07 16:52:45 +00:00 · 2017-03-29 08:22:02 -05:00
parent 5d2aa30153
commit 1ea7af424b
8 changed files with 303 additions and 65 deletions
--- a/doc/Extensions/Authentication.md
+++ b/doc/Extensions/Authentication.md
@@ -41,7 +41,14 @@ When using SELinux on the LibreNMS server, you need to allow Apache (httpd) to c
 setsebool -P httpd_can_connect_ldap=1
 ```
-#### MySQL Authentication
+#### Testing authentication
 You can test authentication with this script:
 ```shell
 ./scripts/auth_test.php
 ```
 Enable debug output to troubleshoot issues
 ### MySQL Authentication
 Config option: `mysql`
@@ -54,7 +61,7 @@ $config['db_pass'] = "DBPASS";
 $config['db_name'] = "DBNAME";
 ```
-#### HTTP Authentication
+### HTTP Authentication
 Config option: `http-auth`
@@ -69,7 +76,7 @@ $config['http_auth_guest'] = "guest";
 ```
 This will then assign the userlevel for guest to all authenticated users.
-#### LDAP Authentication
+### LDAP Authentication
 Config option: `ldap`
@@ -84,6 +91,8 @@ $config['auth_ldap_port']   = 389;
 $config['auth_ldap_prefix'] = "uid=";
 $config['auth_ldap_suffix'] = ",ou=People,dc=example,dc=com";
 $config['auth_ldap_group']  = "cn=groupname,ou=groups,dc=example,dc=com";
 $config['auth_ad_binduser'] = 'examplebinduser';
 $config['auth_ad_bindpassword'] = 'examplepassword';
 $config['auth_ldap_groupbase'] = "ou=group,dc=example,dc=com";
 $config['auth_ldap_groups']['admin']['level'] = 10;
@@ -93,6 +102,7 @@ $config['auth_ldap_groupmemberattr'] = "memberUid";
 ```
 Typically auth_ldap_suffix, auth_ldap_group, auth_ldap_groupbase, auth_ldap_groups are what's required to be configured.
 It is highly suggested to create a bind user, other wise "remember me", alerting AD users, and the API will not work.
 An example config setup for use with Jumpcloud LDAP as a service is:
@@ -112,7 +122,7 @@ $config['auth_ldap_groupmemberattr'] = "memberUid";
 Replace {id} with the unique ID provided by Jumpcloud.
-#### HTTP Authentication / LDAP Authorization
+### HTTP Authentication / LDAP Authorization
 Config option: `ldap-authorization`
@@ -130,7 +140,7 @@ To disabled this caching (highly discourage) set this option to 0.
 $config['auth_ldap_cache_ttl'] = 300;
 ```
-#### Active Directory Authentication
+### Active Directory Authentication
 Config option: `active_directory`
@@ -183,7 +193,7 @@ $config['auth_ad_group_filter'] = "(objectclass=group)";
 This yields `(&(objectclass=user)(sAMAccountName=$username))` for the user filter and `(&(objectclass=group)(sAMAccountName=$group))` for the group filter.
-#### Radius Authentication
+### Radius Authentication
 Please note that a mysql user is created for each user the logs in successfully. User level 1 is assigned to those accounts so you will then need to assign the relevant permissions unless you set `$config['radius']['userlevel']` to be something other than 1.
@@ -199,7 +209,7 @@ $config['radius']['users_purge'] = 14;//Purge users who haven't logged in for 14
 $config['radius']['default_level'] = 1;//Set the default user level when automatically creating a user.
 ```
-#### HTTP Authentication / AD Authorization
+### HTTP Authentication / AD Authorization
 Config option: `ad-authorization`
--- a/html/includes/authenticate.inc.php
+++ b/html/includes/authenticate.inc.php
@@ -74,7 +74,6 @@ if ((isset($_SESSION['username'])) || (isset($_COOKIE['sess_id'],$_COOKIE['token
        if (isset($_POST['remember'])) {
            $sess_id  = session_id();
            $hasher   = new PasswordHash(8, false);
            $token    = strgen();
            $auth     = strgen();
            $hasher   = new PasswordHash(8, false);
--- a/html/includes/authentication/active_directory.inc.php
+++ b/html/includes/authentication/active_directory.inc.php
@@ -1,5 +1,7 @@
 <?php
 use Phpass\PasswordHash;
 // easier to rewrite for Active Directory than to bash it into existing LDAP implementation
 // disable certificate checking before connect if required
@@ -19,6 +21,11 @@ $ldap_connection = @ldap_connect($config['auth_ad_url']);
 ldap_set_option($ldap_connection, LDAP_OPT_REFERRALS, 0);
 ldap_set_option($ldap_connection, LDAP_OPT_PROTOCOL_VERSION, 3);
 // Bind to AD
 if (!ad_bind($ldap_connection)) {
    d_echo(ldap_error($ldap_connection) . PHP_EOL);
 }
 function authenticate($username, $password)
 {
    global $config, $ldap_connection, $auth_error;
@@ -78,9 +85,35 @@ function authenticate($username, $password)
    return 0;
 }
-function reauthenticate()
+function reauthenticate($sess_id, $token)
 {
-    // not supported so return 0
+    global $ldap_connection;
    if (ad_bind($ldap_connection, false)) {
        $sess_id = clean($sess_id);
        $token = clean($token);
        list($username, $hash) = explode('|', $token);
        if (!user_exists($username)) {
            d_echo("$username is not a valid AD user\n");
            return 0;
        }
        $session = dbFetchRow(
            "SELECT * FROM `session` WHERE `session_username`=? AND session_value=?",
            array($username, $sess_id),
            true
        );
        $hasher = new PasswordHash(8, false);
        if ($hasher->CheckPassword($username . $session['session_token'], $hash)) {
            $_SESSION['username'] = $username;
            return 1;
        } else {
            d_echo("Reauthenticate token check failed\n");
            return 0;
        }
    }
    return 0;
 }
@@ -108,20 +141,8 @@ function auth_usermanagement()
 function adduser($username, $level = 0, $email = '', $realname = '', $can_modify_passwd = 0, $description = '', $twofactor = 0)
 {
-    // Check to see if user is already added in the database
+    // not supported so return 0
-    if (!user_exists_in_db($username)) {
+    return 0;
        $userid = dbInsert(array('username' => $username, 'realname' => $realname, 'email' => $email, 'descr' => $description, 'level' => $level, 'can_modify_passwd' => $can_modify_passwd, 'twofactor' => $twofactor, 'user_id' => get_userid($username)), 'users');
        if ($userid == false) {
            return false;
        } else {
            foreach (dbFetchRows('select notifications.* from notifications where not exists( select 1 from notifications_attribs where notifications.notifications_id = notifications_attribs.notifications_id and notifications_attribs.user_id = ?) order by notifications.notifications_id desc', array($userid)) as $notif) {
                dbInsert(array('notifications_id'=>$notif['notifications_id'],'user_id'=>$userid,'key'=>'read','value'=>1), 'notifications_attribs');
            }
        }
        return $userid;
    } else {
        return false;
    }
 }
 function user_exists_in_db($username)
@@ -199,12 +220,43 @@ function get_userid($username)
    $entries = ldap_get_entries($ldap_connection, $search);
    if ($entries['count']) {
-        return preg_replace('/.*-(\d+)$/', '$1', sid_from_ldap($entries[0]['objectsid'][0]));
+        return get_userid_from_sid(sid_from_ldap($entries[0]['objectsid'][0]));
    }
    return -1;
 }
 function get_domain_sid()
 {
    global $config, $ldap_connection;
    $search = ldap_read(
        $ldap_connection,
        $config['auth_ad_base_dn'],
        '(objectClass=*)',
        array('objectsid')
    );
    $entry = ldap_get_entries($ldap_connection, $search);
    return substr(sid_from_ldap($entry[0]['objectsid'][0]), 0, 41);
 }
 function get_user($user_id)
 {
    global $config, $ldap_connection;
    $domain_sid = get_domain_sid();
    $search_filter = "(&(objectcategory=person)(objectclass=user)(objectsid=$domain_sid-$user_id))";
    $attributes = array('samaccountname', 'displayname', 'objectsid', 'mail');
    $search = ldap_search($ldap_connection, $config['auth_ad_base_dn'], $search_filter, $attributes);
    $entry = ldap_get_entries($ldap_connection, $search);
    if (isset($entry[0]['samaccountname'][0])) {
        return user_from_ad($entry[0]);
    }
    return array();
 }
 function deluser($userid)
 {
@@ -212,8 +264,7 @@ function deluser($userid)
    dbDelete('devices_perms', '`user_id` =  ?', array($userid));
    dbDelete('ports_perms', '`user_id` =  ?', array($userid));
    dbDelete('users_prefs', '`user_id` =  ?', array($userid));
-    dbDelete('users', '`user_id` =  ?', array($userid));
+    return 0;
    return dbDelete('users', '`user_id` =  ?', array($userid));
 }
@@ -221,7 +272,6 @@ function get_userlist()
 {
    global $config, $ldap_connection;
    $userlist = array();
    $userhash = array();
    $ldap_groups = get_group_list();
@@ -230,37 +280,41 @@ function get_userlist()
        if ($config['auth_ad_user_filter']) {
            $search_filter = "(&{$config['auth_ad_user_filter']}$search_filter)";
        }
-        $search = ldap_search($ldap_connection, $config['auth_ad_base_dn'], $search_filter, array('samaccountname','displayname','objectsid','mail'));
+        $attributes = array('samaccountname', 'displayname', 'objectsid', 'mail');
        $search = ldap_search($ldap_connection, $config['auth_ad_base_dn'], $search_filter, $attributes);
        $results = ldap_get_entries($ldap_connection, $search);
        foreach ($results as $result) {
            if (isset($result['samaccountname'][0])) {
-                $userid = preg_replace(
+                $userlist[$result['samaccountname'][0]] = user_from_ad($result);
                    '/.*-(\d+)$/',
                    '$1',
                    sid_from_ldap($result['objectsid'][0])
                );
                // don't make duplicates, user may be member of more than one group
                $userhash[$result['samaccountname'][0]] = array(
                    'realname' => $result['displayName'][0],
                    'user_id'  => $userid,
                    'email'    => $result['mail'][0]
                );
            }
        }
    }
-    foreach (array_keys($userhash) as $key) {
+    return array_values($userlist);
-        $userlist[] = array(
+}
            'username' => $key,
            'realname' => $userhash[$key]['realname'],
            'user_id'  => $userhash[$key]['user_id'],
            'email'    => $userhash[$key]['email']
        );
    }
-    return $userlist;
+/**
 * Generate a user array from an AD LDAP entry
 * Must have the attributes: objectsid, samaccountname, displayname, mail
 * @internal
 *
 * @param $entry
 * @return array
 */
 function user_from_ad($entry)
 {
    return array(
        'user_id' => get_userid_from_sid(sid_from_ldap($entry['objectsid'][0])),
        'username' => $entry['samaccountname'][0],
        'realname' => $entry['displayname'][0],
        'email' => $entry['mail'][0],
        'descr' => '',
        'level' => get_userlevel($entry['samaccountname'][0]),
        'can_modify_passwd' => 0,
        'twofactor' => 0,
        // 'dashboard' => 'broken!',
    );
 }
@@ -271,18 +325,27 @@ function can_update_users()
 }
 function get_user($user_id)
 {
    // not supported so return 0
    return dbFetchRow('SELECT * FROM `users` WHERE `user_id` = ?', array($user_id), true);
 }
 function update_user($user_id, $realname, $level, $can_modify_passwd, $email)
 {
-    dbUpdate(array('realname' => $realname, 'can_modify_passwd' => $can_modify_passwd, 'email' => $email), 'users', '`user_id` = ?', array($user_id));
+    // not supported so return 0
    return 0;
 }
 function get_email($username)
 {
    global $config, $ldap_connection;
    $attributes = array('mail');
    $search = ldap_search(
        $ldap_connection,
        $config['auth_ad_base_dn'],
        get_auth_ad_user_filter($username),
        $attributes
    );
    $result = ldap_get_entries($ldap_connection, $search);
    unset($result[0]['mail']['count']);
    return current($result[0]['mail']);
 }
 function get_fullname($username)
 {
@@ -359,6 +422,11 @@ function get_cn($dn)
    return str_replace('~C0mmA~', ',', $matches[0][0]);
 }
 function get_userid_from_sid($sid)
 {
    return preg_replace('/.*-(\d+)$/', '$1', $sid);
 }
 function sid_from_ldap($sid)
 {
        $sidUnpacked = unpack('H*hex', $sid);
@@ -368,3 +436,32 @@ function sid_from_ldap($sid)
        $authIdent = hexdec(substr($sidHex, 4, 12));
        return 'S-'.$revLevel.'-'.$authIdent.'-'.implode('-', $subAuths);
 }
 /**
 * Bind to AD with the bind user if available, otherwise anonymous bind
 * @internal
 *
 * @param resource $connection the ldap connection resource
 * @param bool $allow_anonymous attempt anonymous bind if bind user isn't available
 * @return bool success or failure
 */
 function ad_bind($connection, $allow_anonymous = true)
 {
    global $config;
    if (isset($config['auth_ad_binduser']) && isset($config['auth_ad_bindpassword'])) {
        // With specified bind user
        return ldap_bind(
            $connection,
            "${config['auth_ad_binduser']}@${config['auth_ad_domain']}",
            "${config['auth_ad_bindpassword']}"
        );
    }
    if ($allow_anonymous) {
        // Anonymous
        return ldap_bind($connection);
    }
    return false;
 }
--- a/html/includes/authentication/ad-authorization.inc.php
+++ b/html/includes/authentication/ad-authorization.inc.php
@@ -54,7 +54,7 @@ function authenticate($username, $password)
 }
-function reauthenticate()
+function reauthenticate($sess_id, $token)
 {
    // not supported so return 0
    return 0;
--- a/html/includes/authentication/radius.inc.php
+++ b/html/includes/authentication/radius.inc.php
@@ -25,7 +25,7 @@ function authenticate($username, $password)
    }
 }
-function reauthenticate()
+function reauthenticate($sess_id, $token)
 {
    return 0;
 }
--- a/includes/alerts.inc.php
+++ b/includes/alerts.inc.php
@@ -271,11 +271,14 @@ function GetContacts($results)
    }
    foreach ($users as $user) {
        if (empty($user['email'])) {
-            continue;
+            continue; // no email, skip this user
-        } elseif (empty($user['realname'])) {
+        }
        if (empty($user['realname'])) {
            $user['realname'] = $user['username'];
        }
        if (empty($user['level'])) {
            $user['level'] = get_userlevel($user['username']);
        }
        if ($config["alert"]["globals"] && ( $user['level'] >= 5 && $user['level'] < 10 )) {
            $contacts[$user['email']] = $user['realname'];
        } elseif ($config["alert"]["admins"] && $user['level'] == 10) {
--- a/includes/common.php
+++ b/includes/common.php
@@ -1454,10 +1454,13 @@ function starts_with($haystack, $needles, $case_insensitive = false)
 function get_auth_ad_user_filter($username)
 {
    global $config;
-    $user_filter = "(samaccountname=$username)";
+
    // don't return disabled users
    $user_filter = "(&(samaccountname=$username)(!(useraccountcontrol:1.2.840.113556.1.4.803:=2))";
    if ($config['auth_ad_user_filter']) {
-        $user_filter = "(&{$config['auth_ad_user_filter']}$user_filter)";
+        $user_filter .= $config['auth_ad_user_filter'];
    }
    $user_filter .= ')';
    return $user_filter;
 }
--- a/scripts/auth_test.php
+++ b/scripts/auth_test.php
@@ -0,0 +1,126 @@
 #!/usr/bin/php
 <?php
 use Phpass\PasswordHash;
 $options = getopt('u:rdvh');
 if (isset($options['h']) || !isset($options['u'])) {
    echo ' -u <username>  (Required) username to test
 -r             Reauthenticate user, (requires previous web login with "Remember me" enabled)
 -d             Enable debug output
 -v             Enable verbose debug output
 -h             Display this help message
 ';
    exit;
 }
 $username = $options['u'];
 if (isset($options['d'])) {
    $debug = true;
 }
 if (isset($options['v'])) {
    // might need more options for other auth methods
    $config['auth_ad_debug'] = 1; // active_directory
 }
 $init_modules = array('auth');
 require realpath(__DIR__ . '/..') . '/includes/init.php';
 echo "Authentication Method: {$config['auth_mechanism']}\n";
 // if ldap like, check selinux
 if ($config['auth_mechanism'] = 'ldap' || $config['auth_mechanism'] = "active_directory") {
    $enforce = shell_exec('getenforce 2>/dev/null');
    if (str_contains($enforce, 'Enforcing')) {
        // has selinux
        $output = shell_exec('getsebool httpd_can_connect_ldap');
        if ($output != "httpd_can_connect_ldap --> on\n") {
            print_error("You need to run: setsebool -P httpd_can_connect_ldap=1");
            exit;
        }
    }
 }
 if (function_exists('ad_bind')) {
    if (isset($config['auth_ad_binduser']) && isset($config['auth_ad_bindpassword'])) {
        if (!ad_bind($ldap_connection, false)) {
            $ldap_error = ldap_error($ldap_connection);
            echo $ldap_error . PHP_EOL;
            if ($ldap_error == 'Invalid credentials') {
                print_error('AD bind failed for user ' . $config['auth_ad_binduser'] . '@' . $config['auth_ad_domain'] .
                    '. Check $config[\'auth_ad_binduser\'] and $config[\'auth_ad_bindpassword\'] in your config.php');
            }
        } else {
            print_message('AD bind success');
        }
    } else {
        if (!ad_bind($ldap_connection)) {
            echo ldap_error($ldap_connection) . PHP_EOL;
            print_warn("Could not anonymous bind to AD");
        } else {
            print_message('AD bind anonymous successful');
        }
    }
 }
 $auth = false;
 if (isset($options['r'])) {
    echo "Reauthenticate Test\n";
    $session = dbFetchRow('SELECT * FROM `session` WHERE `session_username`=? ORDER BY `session_id` DESC LIMIT 1', array($username));
    d_echo($session);
    if (empty($session)) {
        print_error('Requires previous login with \'Remember me\' box checked on the webui');
        exit;
    }
    $hasher   = new PasswordHash(8, false);
    $token = $session['session_username'] . '|' . $hasher->HashPassword($session['session_username'] . $session['session_token']);
    $auth = reauthenticate($session['session_value'], $token);
    if ($auth) {
        print_message("Reauthentication successful.\n");
    } else {
        print_error('Reauthentication failed or is unsupported');
    }
 } else {
    echo 'Password: ';
    `stty -echo`;
    $password = trim(fgets(STDIN));
    `stty echo`;
    echo PHP_EOL;
    echo "Authenticate user $username: \n";
    $auth = authenticate($username, $password);
    unset($password);
    if ($auth) {
        print_message("AUTH SUCCESS\n");
    } else {
        if (isset($ldap_connection)) {
            echo ldap_error($ldap_connection) . PHP_EOL;
        }
        print_error('AUTH FAILURE');
    }
 }
 if ($auth) {
    $user_id = get_userid($username);
    echo "User:\n";
    if (function_exists('get_user')) {
        $user = get_user($user_id);
        unset($user['password']);
        unset($user['remember_token']);
        foreach ($user as $property => $value) {
            echo "  $property => $value\n";
        }
    }
    if (function_exists('get_group_list')) {
        echo 'Groups: ' . implode('; ', get_group_list()) . PHP_EOL;
    }
 }