The first bug is that if you have a dollar sign in your LDAP password,
Openfiler doesn't properly escape it and the password sent is incorrect.
This is easy to work around; I just changed my password.
The second bug is a lot harder. I've set up my LDAP server using OpenLDAP and
required TLS for authentication. When I run "ldapsearch -ZZ -x" from the
command line I can see my LDAP directory. However, when I tell Openfiler to
point at my LDAP server, check the little TLS box and then go to the account
administration page, I'm greeted with the error below:
Please configure the LDAP section of the Authentication
<https://minnetonka.bbn.com:446/admin/index.html> page before attempting
to use this page.
Error message:
ldap_bind: Confidentiality required (13)
additional info: confidentiality required
I did some poking around and found that ldap.incl doesn't pay any
attention to the TLS flag. If I add -ZZ to the commands in
ldap.incl, the page works fine.
Attached is a patch that fixes this.
--
Jon Schewe
Research Scientist
BBN Technologies
5775 Wayzata Blvd.
Suite 630
St. Louis Park, MN 55416
952-545-5720 - Office
952-545-5727 - Fax
www.bbn.com
--- ldap.incl.orig 2008-06-18 17:02:56.000000000 -0500
+++ ldap.incl 2008-06-18 17:13:55.000000000 -0500
@@ -18,7 +18,7 @@
function getvalues()
{
- global $ldap_password, $ldap_basedn, $ldap_rootdn;
+ global $ldap_password, $ldap_basedn, $ldap_rootdn, $ldap_tls;
$authp = popen("/usr/bin/sudo /usr/sbin/authconfig --openfiler
--kickstart", "r");
while (!feof($authp))
@@ -28,12 +28,17 @@
$ldap_password=$aresult[40];
$ldap_basedn=$aresult[22];
$ldap_rootdn=$aresult[39];
+ if($aresult[20] == "YES") {
+ $ldap_tls = "-ZZ";
+ } else {
+ $ldap_tls = "";
+ }
}
function testconnection()
{
- global $ldap_password, $ldap_basedn, $ldap_rootdn;
- $cmd="/usr/bin/ldapwhoami -x -D \"$ldap_rootdn\" -w $ldap_password 2>&1
1>&3";
+ global $ldap_password, $ldap_basedn, $ldap_rootdn, $ldap_tls;
+ $cmd="/usr/bin/ldapwhoami $ldap_tls -x -D \"$ldap_rootdn\" -w
$ldap_password 2>&1 1>&3";
exec($cmd, $output, $ret);
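Review bot: The rewritten `$cmd` on the `+` lines still interpolates `$ldap_password` unquoted into the shell string (`-w $ldap_password`), which is the cause of the first bug in the mail: a `$`, backtick or space in the password is interpreted by the shell rather than handed to ldapwhoami, and since the value comes straight from the authconfig output it is also the one place a shell metacharacter reaches `exec()` unescaped. Build the argument as `-w " . escapeshellarg($ldap_password) . "` (and treat `$ldap_rootdn` the same way), or keep it off the command line entirely with `-y <password-file>`, which also keeps it out of the process list. The same unquoted interpolation survives in the hunks ending at L69, L81, L97, L114, L130 and L142, and for `$this->rootpw` in those ending at L170, L181, L192, L203 and L214. `$ldap_tls` itself is only ever `-ZZ` or empty, so interpolating it is harmless. testconnection's body continues outside the hunk.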
@@ -43,10 +48,10 @@
function ldapadd($string)
{
- global $ldap_password, $ldap_rootdn;
+ global $ldap_password, $ldap_rootdn, $ldap_tls;
$string = str_replace("\n","\\n", $string);
- $cmd="echo -e \"$string\" | /usr/bin/sudo /usr/bin/ldapadd -x -D
\"$ldap_rootdn\" -w $ldap_password 2>&1 1>&3";
+ $cmd="echo -e \"$string\" | /usr/bin/sudo /usr/bin/ldapadd $ldap_tls -x
-D \"$ldap_rootdn\" -w $ldap_password 2>&1 1>&3";
exec($cmd,$output, $ret);
if ($ret != 0)
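Review bot: `$string` is still embedded in the double-quoted `echo -e "$string"` shell command on the `+` line, so any LDIF value containing `"`, `$` or a backtick is interpreted by the shell before ldapadd ever sees it; if those values can originate from the web form (not visible here), that is a command-injection path, and even for trusted input it corrupts entries. The class code later in this same patch (hunk ending at L181) already feeds LDIF to ldapadd through `proc_open` pipes, so ldapadd() and ldapmodify() (hunk ending at L81) should write `$string` to the child's stdin the same way instead of round-tripping it through echo and the shell. ldapadd's body continues outside the hunk.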
@@ -55,10 +60,10 @@
function ldapmodify($string)
{
- global $ldap_password, $ldap_rootdn;
+ global $ldap_password, $ldap_rootdn, $ldap_tls;
$string = str_replace("\n","\\n", $string);
- $cmd="echo -e \"$string\" | /usr/bin/sudo /usr/bin/ldapmodify -x -D
\"$ldap_rootdn\" -w $ldap_password 2>&1 1>&3";
+ $cmd="echo -e \"$string\" | /usr/bin/sudo /usr/bin/ldapmodify $ldap_tls
-x -D \"$ldap_rootdn\" -w $ldap_password 2>&1 1>&3";
exec($cmd,$output, $ret);
if ($ret != 0)
@@ -68,12 +73,12 @@
function getLDAPgroup($getUsers)
{
- global $ldap_password, $ldap_basedn, $ldap_rootdn, $ldap_usersuffix,
$ldap_groupsuffix;
+ global $ldap_password, $ldap_basedn, $ldap_rootdn, $ldap_usersuffix,
$ldap_groupsuffix, $ldap_tls;
$grouparray = array();
$memberarray = array();
$searchstring = "objectclass=posixgroup";
- $cmd = "/usr/bin/ldapsearch -x -D \"" . $ldap_rootdn . "\" -w \"" .
$ldap_password . "\" -S gidNumber \"" . $searchstring . "\"";
+ $cmd = "/usr/bin/ldapsearch $ldap_tls -x -D \"" . $ldap_rootdn . "\" -w
\"" . $ldap_password . "\" -S gidNumber \"" . $searchstring . "\"";
$groupp = popen($cmd, "r");
while (!feof($groupp))
@@ -116,10 +121,10 @@
function getLDAPuser()
{
- global $ldap_password, $ldap_basedn, $ldap_rootdn, $ldap_usersuffix,
$ldap_groupsuffix;
+ global $ldap_password, $ldap_basedn, $ldap_rootdn, $ldap_usersuffix,
$ldap_groupsuffix, $ldap_tls;
$searchstring = "objectclass=posixaccount";
$userarray = array();
- $userp = popen("/usr/bin/ldapsearch -x -D \"" . $ldap_rootdn . "\" -w
\"" . $ldap_password . "\" -b \"" . $ldap_usersuffix . "," . $ldap_basedn . "\"
\"" . $searchstring . "\" uid uidNumber objectClass", "r");
+ $userp = popen("/usr/bin/ldapsearch $ldap_tls -x -D \"" . $ldap_rootdn
. "\" -w \"" . $ldap_password . "\" -b \"" . $ldap_usersuffix . "," .
$ldap_basedn . "\" \"" . $searchstring . "\" uid uidNumber objectClass", "r");
$i = 0;
while (!feof($userp))
@@ -152,13 +157,13 @@
function getLDAPgroupuser($gidNumber)
{
- global $ldap_password, $ldap_basedn, $ldap_rootdn, $ldap_usersuffix,
$ldap_groupsuffix;
+ global $ldap_password, $ldap_basedn, $ldap_rootdn, $ldap_usersuffix,
$ldap_groupsuffix, $ldap_tls;
if (!$gidNumber)
return;
$groupuserarray = array();
- $groupuserp = popen("/usr/bin/ldapsearch -x -D \"$ldap_rootdn\" -w
$ldap_password 'gidNumber=$gidNumber'", "r");
+ $groupuserp = popen("/usr/bin/ldapsearch $ldap_tls -x -D
\"$ldap_rootdn\" -w $ldap_password 'gidNumber=$gidNumber'", "r");
while (!feof($groupuserp))
{
@@ -268,7 +273,7 @@
if ($ret)
return $ret;
- $cmd = "/usr/bin/sudo /usr/bin/ldappasswd -x -w $ldap_password -D
\"$ldap_rootdn\" -h localhost -s $password
uid=$user,\"$ldap_usersuffix\",\"$ldap_basedn\" 2>&1 1>&3";
+ $cmd = "/usr/bin/sudo /usr/bin/ldappasswd $ldap_tls -x -w
$ldap_password -D \"$ldap_rootdn\" -h localhost -s $password
uid=$user,\"$ldap_usersuffix\",\"$ldap_basedn\" 2>&1 1>&3";
exec($cmd, $output, $ret);
if ($ret)
return $ret;
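Review bot: The new user password `$password` on the rewritten `+` line is still passed on the ldappasswd command line via `-s $password`, unquoted and visible to every local user in the process list for the duration of the call. ldappasswd can read the new password from a file instead (`-T <new-password-file>`); at minimum quote it as `-s " . escapeshellarg($password) . "` so a password containing shell metacharacters neither breaks the command nor alters what is executed. The enclosing function starts and ends outside the hunk.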
@@ -326,6 +331,7 @@
var $rootdn;
var $rootpw;
var $directory = "/var/lib/ldap";
+ var $tls;
function LDAPServer($basedn, $rootdn, $rootpw){
$authp = popen("/usr/bin/sudo /usr/sbin/authconfig --openfiler
--kickstart", "r");
@@ -336,6 +342,11 @@
$this->basedn = ($basedn)? $basedn : $aresult[22];
$this->rootdn = ($rootdn)? $rootdn : $aresult[39];
$this->rootpw = ($rootpw)? $rootpw : $aresult[40];
+ if($aresult[20] == "YES") {
+ $this->tls = ($tls) ? $tls : "-ZZ";
+ } else {
+ $this->tls = ($tls) ? $tls : "";
+ }
}
function Start()
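Review bot: `$tls` in the two new ternaries (`$this->tls = ($tls) ? $tls : "-ZZ";`) is never defined — the constructor signature `LDAPServer($basedn, $rootdn, $rootpw)` at L148 has no such parameter — so the condition is always false and, with E_NOTICE enabled, every construction logs an undefined-variable notice. Either add `$tls` as a fourth constructor argument, mirroring how `$basedn`/`$rootdn`/`$rootpw` override the authconfig values, or reduce the block to `$this->tls = ($aresult[20] == "YES") ? "-ZZ" : "";`. The same `$aresult[20]` test is duplicated in getvalues() (hunk ending at L57); a comment such as `// $aresult[20]: authconfig TLS flag, "YES" when TLS is enabled (index not verified against authconfig output)` at both sites would help the next reader. The constructor starts at L148 and its body continues outside the hunk.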
@@ -392,7 +403,7 @@
function Backup()
{
- exec("/usr/bin/ldapsearch -x -D \"" . $this->rootdn . "\" -w
\"" . $this->rootpw . "\" -L", $output, $ret);
+ exec("/usr/bin/ldapsearch " . $this->tls . " -x -D \"" .
$this->rootdn . "\" -w \"" . $this->rootpw . "\" -L", $output, $ret);
return $output;
}
@@ -407,7 +418,7 @@
1 => array("pipe", "w"),
2 => array("pipe", "w"));
- $process = proc_open("/usr/bin/sudo /usr/bin/ldapadd -x -D \""
. $this->rootdn . "\" -w \"" . $this->rootpw . "\"", $descriptorspec, $pipes);
+ $process = proc_open("/usr/bin/sudo /usr/bin/ldapadd " .
$this->tls . " -x -D \"" . $this->rootdn . "\" -w \"" . $this->rootpw . "\"",
$descriptorspec, $pipes);
foreach ($input as $line)
fwrite($pipes[0], $line);
fclose($pipes[0]);
@@ -523,7 +534,7 @@
dc: $ldap_name
o: $ldap_name";
- exec("echo -e \"" . str_replace("\n","\\n",$LDIF) . "\" |
/usr/bin/sudo /usr/bin/ldapadd -x -D \"" . $this->rootdn. "\" -w " .
$this->rootpw);
+ exec("echo -e \"" . str_replace("\n","\\n",$LDIF) . "\" |
/usr/bin/sudo /usr/bin/ldapadd " . $this->tls . " -x -D \"" . $this->rootdn.
"\" -w " . $this->rootpw);
$LDIF="#create user
dn: $ldap_usersuffix, $this->basedn
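Review bot: The rewritten `exec(...)` call in this hunk, and the two that follow (hunks ending at L203 and L214), still discard ldapadd's exit status and output, so if the newly added `-ZZ` makes the StartTLS negotiation fail — a server without StartTLS, or a certificate the client does not trust, the very situation this patch is about — the base, user and group entries silently go missing and the failure surfaces later as an unrelated error. ldapadd() earlier in this patch (hunk ending at L69) already checks `$ret != 0`; do the same here with `exec($cmd, $output, $ret); if ($ret != 0) return $ret;`, adapting the return to the enclosing method's convention, which lies outside the hunk. As in the other hunks, `$this->rootpw` is appended unquoted after `-w`.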
@@ -531,7 +542,7 @@
objectClass: top
objectClass: organizationalUnit";
- exec("echo -e \"" . str_replace("\n","\\n",$LDIF) . "\" |
/usr/bin/sudo /usr/bin/ldapadd -x -D \"" . $this->rootdn . "\" -w " .
$this->rootpw);
+ exec("echo -e \"" . str_replace("\n","\\n",$LDIF) . "\" |
/usr/bin/sudo /usr/bin/ldapadd " . $this->tls . " -x -D \"" . $this->rootdn .
"\" -w " . $this->rootpw);
$LDIF="#create group
dn: $ldap_groupsuffix, $this->basedn
@@ -539,7 +550,7 @@
objectClass: top
objectClass: organizationalUnit";
- exec("echo -e \"" . str_replace("\n","\\n",$LDIF) . "\" |
/usr/bin/sudo /usr/bin/ldapadd -x -D \"" . $this->rootdn . "\" -w " .
$this->rootpw);
+ exec("echo -e \"" . str_replace("\n","\\n",$LDIF) . "\" |
/usr/bin/sudo /usr/bin/ldapadd " . $this->tls . " -x -D \"" . $this->rootdn .
"\" -w " . $this->rootpw);
}
}