From cdf3182a70db5184f28844d7201d7f9322d3d794 Mon Sep 17 00:00:00 2001
From: Georgios Kasapoglou
Date: Thu, 24 Sep 2020 16:57:41 +0200
Subject: [PATCH 1/2] Setting bind user in configuration is not safe in some deployments, as this user should have permissions to modify the following attributes in LDAP:
* userPassword
* pwdReset
* pwdAccountLockedTime
For that reason, the `always_authenticate_admin` variable has been introduced in `config.inc.php`. When set to true, input fields for administrator's username and password appear in `Reset Password` and `Lock/Unlock Account` forms. When user submits one of this form, then `ldap_bidndn` and `ldap_bindpw` are taken from the respective `POST` variables, overwriting any value they have in `config.inc.php` or `config.inc.local.php` files. The default value of `always_authenticate_admin` is false, providing the old functionality.
---
 conf/config.inc.php | 1 +
 htdocs/index.php | 1 +
 htdocs/lockaccount.php | 13 ++++++++----
 htdocs/resetpassword.php | 9 ++++----
 htdocs/unlockaccount.php | 7 +++---
 lang/en.inc.php | 4 ++++
 lang/fr.inc.php | 4 ++++
 lib/authenticate_admin.inc.php | 15 +++++++++++++
 templates/display.tpl | 39 ++++++++++++++++++++++++++++++++++
 9 files changed, 82 insertions(+), 11 deletions(-)
 create mode 100644 lib/authenticate_admin.inc.php
diff --git a/conf/config.inc.php b/conf/config.inc.php
index bd12aa78..cc3f6e2e 100644
--- a/conf/config.inc.php
+++ b/conf/config.inc.php
@@ -96,6 +96,7 @@
 $resetpassword_reset_default = true;
 $use_unlockaccount = true;
 $use_lockaccount = true;
+$always_authenticate_admin = false;
 # Language
 $lang ="en";
diff --git a/htdocs/index.php b/htdocs/index.php
index 8afcaab5..37a40fcd 100644
--- a/htdocs/index.php
+++ b/htdocs/index.php
@@ -68,6 +68,7 @@
 $smarty->assign('resetpassword_reset_default',$resetpassword_reset_default);
 $smarty->assign('use_unlockaccount',$use_unlockaccount);
 $smarty->assign('use_lockaccount',$use_lockaccount);
+$smarty->assign('always_authenticate_admin',$always_authenticate_admin);
 # Assign messages
 $smarty->assign('lang',$lang);
diff --git a/htdocs/lockaccount.php b/htdocs/lockaccount.php
index bb4f6901..7fa9ebe8 100644
--- a/htdocs/lockaccount.php
+++ b/htdocs/lockaccount.php
@@ -6,6 +6,8 @@
 $result = "";
 $dn = "";
 $password = "";
+$ldap_binddn = "";
+$ldap_bindpw = "";
 if (isset($_POST["dn"]) and $_POST["dn"]) {
 $dn = $_POST["dn"];
@@ -13,10 +15,11 @@
 $result = "dnrequired";
 }
-if ($result === "") {
+require_once("../conf/config.inc.php");
+require_once("../lib/ldap.inc.php");
+require_once("../lib/authenticate_admin.inc.php");
- require_once("../conf/config.inc.php");
- require_once("../lib/ldap.inc.php");
+if ($result === "") {
 # Connect to LDAP
 $ldap_connection = wp_ldap_connect($ldap_url, $ldap_starttls, $ldap_binddn, $ldap_bindpw);
@@ -25,7 +28,9 @@
 $result = $ldap_connection[1];
 if ($ldap) {
- $modification = ldap_mod_replace($ldap, $dn, array("pwdAccountLockedTime" => array("000001010000Z")));
+ date_default_timezone_set("UTC");
+ $lock_time = date("YmdHis")."Z";
+ $modification = ldap_mod_replace($ldap, $dn, array("pwdAccountLockedTime" => array($lock_time)));
 $errno = ldap_errno($ldap);
 if ( $errno ) {
 $result = "ldaperror";
diff --git a/htdocs/resetpassword.php b/htdocs/resetpassword.php
index d537b7ad..36bcd79b 100644
--- a/htdocs/resetpassword.php
+++ b/htdocs/resetpassword.php
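Review bot: The two added initialisations `$ldap_binddn = ""; $ldap_bindpw = "";` in the first lockaccount.php hunk are overwritten two hunks later by `require_once("../conf/config.inc.php")`, which (per the commit message) already defines both, so they have no effect unless the config omits them. If the intent is to guarantee that no configured bind credential is used when `$always_authenticate_admin` is on, the emptying has to happen after the config include, inside whatever gate the new lib file applies. The resetpassword.php and unlockaccount.php hunks visible here do not get the same initialisation, so the three scripts now diverge; the resetpassword.php hunk starts at line 25, so an earlier initialisation there cannot be ruled out from this patch.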
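Review bot: The third lockaccount.php hunk silently changes what a lock means: the removed value `000001010000Z` is the ppolicy marker for a permanently locked account, whereas the new `date("YmdHis")."Z"` records a lock starting now, which the OpenLDAP ppolicy overlay lifts automatically once `pwdLockoutDuration` elapses if the policy sets one. The commit message says nothing about this, so either keep the permanent marker or document the new behaviour at the assignment, e.g. `# Lock from now; the ppolicy overlay clears it after pwdLockoutDuration if the policy sets one`. Independently, `date_default_timezone_set("UTC")` mutates process-wide state on every lock request; `$lock_time = gmdate("YmdHis")."Z";` yields the same UTC generalized-time string without it and lets the `date_default_timezone_set` line be dropped.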
@@ -25,11 +25,12 @@
 $pwdreset = $_POST["pwdreset"];
 }
-if ($result === "") {
+require_once("../conf/config.inc.php");
+require_once("../lib/ldap.inc.php");
+require_once("../lib/posthook.inc.php");
+require_once("../lib/authenticate_admin.inc.php");
- require_once("../conf/config.inc.php");
- require_once("../lib/ldap.inc.php");
- require_once("../lib/posthook.inc.php");
+if ($result === "") {
 # Connect to LDAP
 $ldap_connection = wp_ldap_connect($ldap_url, $ldap_starttls, $ldap_binddn, $ldap_bindpw);
diff --git a/htdocs/unlockaccount.php b/htdocs/unlockaccount.php
index 58c10bc3..49e9b7c9 100644
--- a/htdocs/unlockaccount.php
+++ b/htdocs/unlockaccount.php
@@ -13,10 +13,11 @@
 $result = "dnrequired";
 }
-if ($result === "") {
+require_once("../conf/config.inc.php");
+require_once("../lib/ldap.inc.php");
+require_once("../lib/authenticate_admin.inc.php");
- require_once("../conf/config.inc.php");
- require_once("../lib/ldap.inc.php");
+if ($result === "") {
 # Connect to LDAP
 $ldap_connection = wp_ldap_connect($ldap_url, $ldap_starttls, $ldap_binddn, $ldap_bindpw);
diff --git a/lang/en.inc.php b/lang/en.inc.php
index ae016af3..0f755233 100644
--- a/lang/en.inc.php
+++ b/lang/en.inc.php
@@ -78,5 +78,9 @@
 $messages['unlockaccount'] = "Unlock account";
 $messages['unlockdate'] = "Automatic unlock date:";
 $messages['welcome'] = "Welcome to LDAP Tool Box service desk";
+$messages['label_admin_credentials'] = "Administrator's Credentials";
+$messages['admin_username'] = "Administrator's username";
+$messages['admin_password'] = "Administrator's password";
+$messages['admincredentialsrequired'] = "Administrator's Credentials required";
 ?>
diff --git a/lang/fr.inc.php b/lang/fr.inc.php
index eed99ca3..0c3d666e 100644
--- a/lang/fr.inc.php
+++ b/lang/fr.inc.php
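Review bot: In the resetpassword.php hunk (and likewise the unlockaccount.php hunk) the includes, including `authenticate_admin.inc.php`, now run before the `if ($result === "")` gate rather than inside it, so the new lib file executes even when an earlier field check has already set `$result`. If that file reports missing credentials by assigning `$result` (the new `admincredentialsrequired` message key suggests it does), it will overwrite the earlier, more specific error unless it checks `$result === ""` first; its body is not visible in this patch, so this is inferred. A one-line guard in the script, `if ($result === "") { require_once("../lib/authenticate_admin.inc.php"); }`, or an equivalent check inside the lib file, would keep the first validation error. Note also that the script-level `$ldap_binddn`/`$ldap_bindpw` initialisation added in lockaccount.php has no counterpart in these two hunks.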
@@ -78,5 +78,9 @@
 $messages['unlockaccount'] = "Débloquer le compte";
 $messages['unlockdate'] = "Date de déblocage automatique :";
 $messages['welcome'] = "Bienvenue sur le guichet de service LDAP Tool Box";
+$messages['label_admin_credentials'] = "Informations d'identification de l'administrateur";
+$messages['admin_username'] = "Nom d'utilisateur de l'administrateur";
+$messages['admin_password'] = "Mot de passe administrateur";
+$messages['admincredentialsrequired'] = "Informations d'identification de l'administrateur requises";
 ?>
diff --git a/lib/authenticate_admin.inc.php b/lib/authenticate_admin.inc.php
new file mode 100644
index 00000000..9e6918f5
--- /dev/null
+++ b/lib/authenticate_admin.inc.php
@@ -0,0 +1,15 @@
+
\ No newline at end of file
diff --git a/templates/display.tpl b/templates/display.tpl
index 8b09d345..a2c34b6f 100644
--- a/templates/display.tpl
+++ b/templates/display.tpl
@@ -179,6 +179,19 @@
+ {if $always_authenticate_admin}
+
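Review bot: The 15 added lines of lib/authenticate_admin.inc.php are not present in this patch as rendered (only an empty `+` line survives), so the file's actual logic cannot be reviewed here and the following is based on the commit message alone. The override of `$ldap_binddn`/`$ldap_bindpw` from `$_POST` must be applied only when `$always_authenticate_admin` is true; if the POST fields are honoured unconditionally, any client of a deployment that keeps a configured bind user can substitute its own bind identity, and the config flag no longer controls who the service binds as. Both fields should be required non-empty before use (that is presumably what the new `admincredentialsrequired` message is for), and the POST-supplied password must not be copied into `$result`, templates or logs. A header comment stating the contract, e.g. `# When $always_authenticate_admin is set, replace the configured bind DN/password with the administrator credentials submitted in the form; otherwise leave them untouched`, would make the gating expectation explicit for the three callers.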
+

{$msg_label_admin_credentials}

+
+ + +
+
+ + +
+
+ {/if}