diff --git a/README.md b/README.md
index 0dc5ca1..fe41535 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ docker_ldapmanager_data_dir: /data1
 docker_ldapmanager_service_id: ldapmanager
 docker_ldapmanager_rp_cert: LE
 docker_ldapmanager_rp_docker_host: machine.domaine.local
-docker_ldapmanager_rp_restrict_users: admin1 admin2
+docker_ldapmanager_rp_access_policy: InternalAccessPolicy
 docker_ldapmanager_ldap_server: mon-serveur-ldap.domaine.local
 docker_ldapmanager_ldap_basedn: dc=domaine,dc=local
 docker_ldapmanager_ldap_binddn: uid=compte-service-ldapmanager,ou=comptes-de-service,dc=domaine,dc=local
@@ -31,7 +31,8 @@ docker_ldapmanager_site_name: Ldap Manager Libretic
 docker_ldapmanager_mail_server: smtp.domaine.local
 docker_ldapmanager_mail_from_address: nepasrepondre@libretic.fr
 docker_ldapmanager_mail_from_name: Administrateur Libretic
-docker_ldapmanager_mail_subject: Votre compte Libretic
+docker_ldapmanager_mail_subject: Votre compte a été créé
+docker_ldapmanager_mail_body: Corps du message
 ```
 
 | Option | Valeur par défaut | Description |
@@ -41,7 +42,7 @@ docker_ldapmanager_mail_subject: Votre compte Libretic
 | docker_ldapmanager_service_id | | Le nom de service souhaité : conditionne le nommage des volumes et le routage par traefik |
 | docker_ldapmanager_rp_docker_host | | pour configure_reverse_proxy.yml: fqdn de la machine contenant le conteneur docker |
 | docker_ldapmanager_rp_cert | LE | Type de certificat pour le reverse proxy (LE = letsencrypt) |
-| docker_ldapmanager_rp_restrict_users | | Utilisateurs autorisés à passer le reverse proxy |
+| docker_ldapmanager_rp_access_policy | | Modèle d'autorisation d'accès du reverse proxy |
 | docker_ldapmanager_ldap_server | | Adresse du serveur LDAP |
 | docker_ldapmanager_ldap_basedn | | DN de la racine |
 | docker_ldapmanager_ldap_binddn | | DN du compte de service de connexion à l'annuaire LDAP |
@@ -59,5 +60,6 @@ docker_ldapmanager_mail_subject: Votre compte Libretic
 | docker_ldapmanager_mail_from_address | | Adresse mail émettrice des notifications |
 | docker_ldapmanager_mail_from_name | | Nom associé à l'adresse mail émettrice des notifications |
 | docker_ldapmanager_mail_subject | | Titre des mails de notification |
+| docker_ldapmanager_mail_body | | Contenu des mails de notification (cf. doc ldap-user-manager pour macros et format |
 
 
diff --git a/tasks/main.yml b/tasks/main.yml
index fb87561..4a5ceb9 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -11,6 +11,7 @@
 - docker-compose.yml
 - php.ini
 - ldapmanager.env
+- new_user.php
 notify: docker-compose-up
 
 
diff --git a/templates/0_vhost.conf b/templates/0_vhost.conf
index 63a2a79..63ff2a0 100644
--- a/templates/0_vhost.conf
+++ b/templates/0_vhost.conf
@@ -1,2 +1,2 @@
 # {{ ansible_managed }}
-Use vhost_HTTPS_Generic {{ docker_ldapmanager_fqdn }} {{ docker_ldapmanager_rp_cert }} http {{ docker_ldapmanager_rp_docker_host }} info LDAPAdminAccessPolicy BlockCrawlerIndexing Off
+Use vhost_HTTPS_Generic {{ docker_ldapmanager_fqdn }} {{ docker_ldapmanager_rp_cert }} http {{ docker_ldapmanager_rp_docker_host }} info {{ docker_ldapmanager_rp_access_policy }} BlockCrawlerIndexing Off
diff --git a/templates/1_vhost_additional.conf b/templates/1_vhost_additional.conf
index 3ea8183..e2bb153 100644
--- a/templates/1_vhost_additional.conf
+++ b/templates/1_vhost_additional.conf
@@ -1,4 +1 @@
 # {{ ansible_managed }}
-
-Require user {{ docker_ldapmanager_rp_restrict_users }}
-
diff --git a/templates/docker-compose.yml b/templates/docker-compose.yml
index 8ad2ddf..924fcba 100644
--- a/templates/docker-compose.yml
+++ b/templates/docker-compose.yml
@@ -2,7 +2,7 @@ version: '3.1'
 services:
 ldapman:
-image: wheelybird/ldap-user-manager:v1.7
+image: wheelybird/ldap-user-manager:v1.8
 env_file:
 - ldapmanager.env
 restart: always
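Review bot: The `Use vhost_HTTPS_Generic … {{ docker_ldapmanager_rp_access_policy }} …` line now takes its access policy entirely from a variable with no default, and the same commit deletes the `Require user` line from 1_vhost_additional.conf, so the reverse proxy no longer enforces any identity-based restriction of its own in front of an account-creation UI. The README example value `InternalAccessPolicy` reads as a network-scoped policy (the macro definitions are not visible here, so this is inferred from the name), which would leave the admin pages protected only by the application's own login. If that widening is intended, document it in the README row for the variable; otherwise set `docker_ldapmanager_rp_access_policy: LDAPAdminAccessPolicy` in defaults/main.yml so an existing inventory that does not define the new variable keeps the previous restriction instead of failing to render. A template comment such as `# access policy must require authentication: this vhost exposes LDAP account creation` would record the constraint next to the line.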
@@ -10,6 +10,7 @@ services:
 - /etc/timezone:/etc/timezone:ro
 - /etc/localtime:/etc/localtime:ro
 - ./php.ini:/usr/local/etc/php/php.ini
+- ./new_user.php:/opt/ldap_user_manager/account_manager/new_user.php
 labels:
 - "traefik.enable=true"
 - "traefik.docker.network=traefik"
diff --git a/templates/ldapmanager.env b/templates/ldapmanager.env
index 58869b2..ae6b28c 100644
--- a/templates/ldapmanager.env
+++ b/templates/ldapmanager.env
@@ -19,4 +19,6 @@ LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES={{ docker_ldapmanager_account_additional_attr
 SMTP_HOSTNAME={{ docker_ldapmanager_mail_server }}
 EMAIL_FROM_ADDRESS={{ docker_ldapmanager_mail_from_address }}
 EMAIL_FROM_NAME={{ docker_ldapmanager_mail_from_name }}
-MAIL_SUBJECT={{ docker_ldapmanager_mail_subject }}
+NEW_ACCOUNT_EMAIL_SUBJECT={{ docker_ldapmanager_mail_subject }}
+NEW_ACCOUNT_EMAIL_BODY={{ docker_ldapmanager_mail_body }}
+
diff --git a/templates/new_user.php b/templates/new_user.php
new file mode 100644
index 0000000..61be84e
--- /dev/null
+++ b/templates/new_user.php
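Review bot: The new bind mount `- ./new_user.php:/opt/ldap_user_manager/account_manager/new_user.php` shadows an application file shipped in the image with a templated copy, and it is mounted writable while the image is bumped to v1.8 in the same commit. Every future image bump, including an upstream security fix to that page, will be silently overridden by the vendored copy, so a comment next to the mount stating which upstream version the copy was taken from and why it is patched would make that maintenance obligation visible. The mount should also be read-only like the timezone files: `- ./new_user.php:/opt/ldap_user_manager/account_manager/new_user.php:ro` (the `php.ini` line above it could take `:ro` for the same reason).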
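Review bot: `NEW_ACCOUNT_EMAIL_BODY={{ docker_ldapmanager_mail_body }}` is rendered unquoted into a Docker env_file, which is line-oriented, so a body value containing a newline silently truncates the variable and turns the remainder into further `KEY=VALUE` lines. Nothing in the template guards against that, and the README row only defers to the ldap-user-manager docs for "macros et format". A comment on the line, `# single line only: env_file cannot carry multi-line values`, or a filter that collapses newlines before rendering would prevent a hard-to-diagnose misconfiguration. Whether the application itself expands an escape sequence in the body is not visible here.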
@@ -0,0 +1,418 @@ + array("label" => "Account UID"))); +} + +if ( isset($_POST['setup_admin_account']) ) { + + $admin_setup = TRUE; + + validate_setup_cookie(); + set_page_access("setup"); + + $completed_action="${SERVER_PATH}log_in"; + $page_title="New administrator account"; + + render_header("$ORGANISATION_NAME account manager - setup administrator account", FALSE); + +} +else { + set_page_access("admin"); + + $completed_action="${THIS_MODULE_PATH}/"; + $page_title="New account"; + $admin_setup = FALSE; + + render_header("$ORGANISATION_NAME account manager"); + render_submenu(); +} + +$invalid_password = FALSE; +$mismatched_passwords = FALSE; +$invalid_username = FALSE; +$weak_password = FALSE; +$invalid_email = FALSE; +$disabled_email_tickbox = TRUE; +$invalid_cn = FALSE; +$invalid_account_identifier = FALSE; +$account_attribute = $LDAP['account_attribute']; + +$new_account_r = array(); + +foreach ($attribute_map as $attribute => $attr_r) { + + if (isset($_FILES[$attribute]['size']) and $_FILES[$attribute]['size'] > 0) { + + $this_attribute = array(); + $this_attribute['count'] = 1; + $this_attribute[0] = file_get_contents($_FILES[$attribute]['tmp_name']); + $$attribute = $this_attribute; + $new_account_r[$attribute] = $this_attribute; + unset($new_account_r[$attribute]['count']); + + } + + if (isset($_POST[$attribute])) { + + $this_attribute = array(); + + if (is_array($_POST[$attribute]) and count($_POST[$attribute]) > 0) { + foreach($_POST[$attribute] as $key => $value) { + if ($value != "") { $this_attribute[$key] = filter_var($value, FILTER_SANITIZE_FULL_SPECIAL_CHARS); } + } + if (count($this_attribute) > 0) { + $this_attribute['count'] = count($this_attribute); + $$attribute = $this_attribute; + } + } + elseif ($_POST[$attribute] != "") { + $this_attribute['count'] = 1; + $this_attribute[0] = filter_var($_POST[$attribute], FILTER_SANITIZE_FULL_SPECIAL_CHARS); + $$attribute = $this_attribute; + } + + } + + if (!isset($$attribute) and 
isset($attr_r['default'])) { + $$attribute['count'] = 1; + $$attribute[0] = $attr_r['default']; + } + + if (isset($$attribute)) { + $new_account_r[$attribute] = $$attribute; + unset($new_account_r[$attribute]['count']); + } + +} + +## + +if (isset($_GET['account_request'])) { + + $givenname[0]=filter_var($_GET['first_name'], FILTER_SANITIZE_FULL_SPECIAL_CHARS); + $new_account_r['givenname'] = $givenname[0]; + unset($new_account_r['givenname']['count']); + + $sn[0]=filter_var($_GET['last_name'], FILTER_SANITIZE_FULL_SPECIAL_CHARS); + $new_account_r['sn'] = $sn[0]; + unset($new_account_r['sn']['count']); + + $mail[0]=filter_var($_GET['email'], FILTER_SANITIZE_EMAIL); + if ($mail[0] == "") { + if (isset($EMAIL_DOMAIN)) { + $mail[0] = $uid . "@" . $EMAIL_DOMAIN; + $disabled_email_tickbox = FALSE; + } + } + else { + $disabled_email_tickbox = FALSE; + } + $new_account_r['mail'] = $mail; + unset($new_account_r['mail']['count']); + +} + + +if (isset($_GET['account_request']) or isset($_POST['create_account'])) { + + if (!isset($uid[0])) { + $uid[0] = generate_username($givenname[0],$sn[0]); + $new_account_r['uid'] = $uid; + unset($new_account_r['uid']['count']); + } + + if (!isset($cn[0])) { + if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE) { + $cn[0] = $givenname[0] . $sn[0]; + } + else { + $cn[0] = $givenname[0] . " " . 
$sn[0]; + } + $new_account_r['cn'] = $cn; + unset($new_account_r['cn']['count']); + } + +} + + +if (isset($_POST['create_account'])) { + + $password = $_POST['password']; + $new_account_r['password'][0] = $password; + $account_identifier = $new_account_r[$account_attribute][0]; + $this_cn=$cn[0]; +// $this_mail=$mail[0]; + $this_mail=$registeredaddress[0]; + $this_givenname=$givenname[0]; + $this_sn=$sn[0]; + $this_password=$password[0]; + + if (!isset($this_cn) or $this_cn == "") { $invalid_cn = TRUE; } + if ((!isset($account_identifier) or $account_identifier == "") and $invalid_cn != TRUE) { $invalid_account_identifier = TRUE; } + if ((!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) and $ACCEPT_WEAK_PASSWORDS != TRUE) { $weak_password = TRUE; } + if (isset($this_mail) and !is_valid_email($this_mail)) { $invalid_email = TRUE; } + if (preg_match("/\"|'/",$password)) { $invalid_password = TRUE; } + if ($password != $_POST['password_match']) { $mismatched_passwords = TRUE; } + if ($ENFORCE_SAFE_SYSTEM_NAMES == TRUE and !preg_match("/$USERNAME_REGEX/",$account_identifier)) { $invalid_account_identifier = TRUE; } + if (isset($_POST['send_email']) and isset($mail) and $EMAIL_SENDING_ENABLED == TRUE) { $send_user_email = TRUE; } + + if ( isset($this_givenname) + and isset($this_sn) + and isset($this_password) + and !$mismatched_passwords + and !$weak_password + and !$invalid_password + and !$invalid_account_identifier + and !$invalid_cn + and !$invalid_email) { + + $ldap_connection = open_ldap_connection(); + $new_account = ldap_new_account($ldap_connection, $new_account_r); + + if ($new_account) { + + $creation_message = "The account was created."; + + if (isset($send_user_email) and $send_user_email == TRUE) { + + include_once "mail_functions.inc.php"; + + $mail_body = parse_mail_text($new_account_mail_body, $password, $account_identifier, $this_givenname, $this_sn); + $mail_subject = parse_mail_text($new_account_mail_subject, $password, 
$account_identifier, $this_givenname, $this_sn); + + $sent_email = send_email($this_mail,"$this_givenname $this_sn",$mail_subject,$mail_body); + $creation_message = "The account was created"; + if ($sent_email) { + $creation_message .= " and an email sent to $this_mail."; + } + else { + $creation_message .= " but unfortunately the email wasn't sent.
More information will be available in the logs."; + } + } + + if ($admin_setup == TRUE) { + $member_add = ldap_add_member_to_group($ldap_connection, $LDAP['admins_group'], $account_identifier); + if (!$member_add) { ?> +
+

Unfortunately adding it to the admin group failed.

+
+ +
+

+
+
+

+ +

+
+ +
+

Failed to create the account:

+
+     
+     
+
+ The Common Name is required\n"; } +if ($invalid_account_identifier) { $errors.="
  • The account identifier (" . $attribute_map[$account_attribute]['label'] . ") is invalid.
  • \n"; } +if ($weak_password) { $errors.="
  • The password is too weak
  • \n"; } +if ($invalid_password) { $errors.="
  • The password contained invalid characters
  • \n"; } +if ($invalid_email) { $errors.="
  • The email address is invalid
  • \n"; } +if ($mismatched_passwords) { $errors.="
  • The passwords are mismatched
  • \n"; } +if ($invalid_username) { $errors.="
  • The username is invalid
  • \n"; } + +if ($errors != "") { ?> +
    +

    + There were issues creating the account: +

    +

    +
    + + + + + + + + + + + +
    +
    + +
    +
    +
    + +
    + + + + + + $attr_r) { + $label = $attr_r['label']; + if (isset($attr_r['onkeyup'])) { $onkeyup = $attr_r['onkeyup']; } else { $onkeyup = ""; } + if ($attribute == $LDAP['account_attribute']) { $label = "$label*"; } + if (isset($$attribute)) { $these_values=$$attribute; } else { $these_values = array(); } + if (isset($attr_r['inputtype'])) { $inputtype = $attr_r['inputtype']; } else { $inputtype = ""; } + render_attribute_fields($attribute,$label,$these_values,"",$onkeyup,$inputtype,$tabindex); + $tabindex++; + } + ?> + +
    + +
    + +
    +
    + +
    +
    + +
    + +
    + +
    +
    + + +
    + +
    + > Email these credentials to the user? +
    +
    + + +
    + +
    + +
    + +
    +
    +
    + +
    *The account identifier
    + +
    +
    + +
    +
    +
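Review bot: In the `create_account` branch the recipient is changed to `$this_mail=$registeredaddress[0];` while the gate that decides whether to send at all still tests the old attribute, `if (isset($_POST['send_email']) and isset($mail) and $EMAIL_SENDING_ENABLED == TRUE)`, so an account with `registeredaddress` empty but `mail` set skips the `is_valid_email` check (it is guarded by `isset($this_mail)`) and calls `send_email()` with a null recipient, and an account with only `registeredaddress` set never gets its credentials mailed. The gate should follow the recipient: `if (isset($_POST['send_email']) and isset($registeredaddress[0]) and $EMAIL_SENDING_ENABLED == TRUE) { $send_user_email = TRUE; }`. Since `parse_mail_text(..., $password, ...)` places the cleartext password in that message, the attribute chosen as recipient should be one an operator cannot freely repoint, and `registeredaddress` is hard-coded here even though the additional-attribute list is configurable via `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES`. This file appears to be a vendored copy of the upstream page with that one-line change; a header comment naming the upstream version and the modified line would help the next image bump. The hunk is rendered with its markup stripped, so the surrounding form code could not be reviewed.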