Hello,
recently I was asking whether it is possible to restrict access for LDAP users
to only some users and only at specific times. I worked on it myself and I want
to offer a solution. If you want, you can implement it in the official version.
So here it is:
1. I found the Java class
*/openmeetings-core/src/main/java/org/apache/openmeetings/core/ldap/LdapLoginManager.java*
and there I implemented calling a BASH script and passing the variable
*inLogin* to it before
validating with the LDAP server. To do so we need to add these imports:
    import java.io.BufferedReader;
    import java.io.InputStreamReader;
    import java.io.IOException;   // used by the catch block below (may already be present)
2. Then we find the function: *public User login(String inLogin, String passwd,
Long domainId) throws OmException*
3. At the very beginning of that function we insert the following code to call the script:
    Process p;
    // the script path and the login are separate arguments, so the login is not
    // parsed by a shell; the script receives it as $1
    String[] cmd = {"sh", "/opt/skriptOMldap.sh", inLogin};
    String meno = "";
    try {
        p = Runtime.getRuntime().exec(cmd);
        p.waitFor();
        // the script prints the (possibly modified) login; keep its last line
        BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
        String line;
        while ((line = reader.readLine()) != null) {
            meno = line;
        }
    } catch (IOException e) {
        e.printStackTrace();
    } catch (InterruptedException e) {
        e.printStackTrace();
    }
    // a login prefixed with "xxx" by the script will then fail LDAP validation
    inLogin = meno;
In the variable *String[] cmd* we define where the script is and what it is
called.
4. That's everything in the Java code, so we save it and compile the code.
5. Next is the script. We create it in the folder that we defined in step 3 (in my
case */opt/skriptOMldap.sh*), so in /opt we create the file skriptOMldap.sh and
insert the following code:
    #!/bin/bash
    dir=/opt/whitelists            # directory with the whitelist files (see below)

    # If there are no whitelists, then everybody is allowed
    if [ -z "$(ls -A "$dir")" ]; then
        echo "$1"
        exit 0
    fi

    export LC_ALL=en_US.utf8
    day=$(date +"%A")
    # current time as decimal hours, e.g. 10.500 for 10:30
    time=$(echo "scale=3; ($(date +"%H") + ($(date +"%M") / 60))" | bc)

    # every whitelist file (name only) that contains the login as a whole line;
    # -F and -- make sure the login is matched literally, not as a regex or option
    for i in $(grep -lxF -- "$1" "$dir"/* | xargs -n1 basename); do
        # file name is HHMM (start) HHMM (end) followed by the day name,
        # e.g. 10002000Wednesday
        start=$(echo "scale=3; ($(echo "$i" | cut -b1-2) + ($(echo "$i" | cut -b3-4) / 60))" | bc)
        end=$(echo "scale=3; ($(echo "$i" | cut -b5-6) + ($(echo "$i" | cut -b7-8) / 60))" | bc)
        if [ "$(echo "$i" | cut -b9-)" = "$day" ] \
           && [ "$(echo "$start <= $time" | bc)" -eq 1 ] \
           && [ "$(echo "$time <= $end" | bc)" -eq 1 ]; then
            echo "$1"
            exit 0
        fi
    done

    # login is not allowed now: return it prefixed with "xxx" so that LDAP validation fails
    echo "xxx$1"
    exit 0
So basically this script takes the login as an input variable and checks whether
there is a file in the whitelists directory for the current time and day. So we
need to create a directory named *whitelists* in the directory */opt*. In
this directory (*whitelists*) we can create a file whose name consists of: the first 4
digits for the start, the second 4 digits for the end, and then the name of the
day of the week (for example, if I want some people to have access on Wednesday
from 10:00 to 20:00, I create a file named *10002000Wednesday*). In
that file I simply write all the logins I want (one login per row). So the script
checks the current day, finds all files for the current day, then checks the
time and chooses the file that matches (the current time is between the start
and end of the file), and then checks whether the login is in the file. If not, the script
returns the login prefixed with "xxx", and then validation fails.
There is also an if statement for users who don't want to use this function:
if there is no file in the directory, the script simply returns the login it received.
6. For security we can set permissions on both the script and the directory
/whitelists, and we can also set the owner and group to nobody:nogroup.
So that's it. I hope somebody will use this function. Of course there are
more ways to do this, but this was best for me.
Best regards,
Filip Žák
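A hardened version of the whitelist check described in the message above, added here as an example; it is not part of the original message or of OpenMeetings. It keeps the same file layout (files named HHMMHHMM followed by the day name, one login per line) and the same "xxx" prefix on rejection, but treats the login as data rather than as a grep pattern or an unquoted shell word, ignores files whose names do not fit the layout, and takes the day and time as arguments so it can be run and tested offline. The function names, the temporary whitelist it builds for the demo, and the set of characters accepted in a login are my own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenMeetings): a hardened
# version of the whitelist lookup. Function and helper names are assumptions.
#
# Whitelist layout, as in the post: files in $dir named HHMMHHMM<Dayname>
# (e.g. 10002000Wednesday), one login per line.

# Convert "HHMM" to minutes since midnight. Leading zeros are stripped so that
# "08" and "09" are not read as invalid octal by the shell's arithmetic.
hhmm_to_min() {
    h=$(printf '%s' "$1" | cut -c1-2); m=$(printf '%s' "$1" | cut -c3-4)
    h=${h#0}; m=${m#0}
    echo $(( h * 60 + m ))
}

# Current weekday name and minutes since midnight (English day names, like the
# post's LC_ALL=en_US.utf8, but without depending on that locale being installed).
current_day()     { LC_ALL=C date +%A; }
current_minutes() { hhmm_to_min "$(date +%H%M)"; }

# check_whitelist LOGIN DIR DAY MINUTES
# Prints LOGIN if access is allowed now, "xxx"LOGIN otherwise; exit status 0/1.
check_whitelist() {
    login=$1; dir=$2; day=$3; now=$4

    # The login comes from the user. Refuse anything that is not a plain LDAP
    # uid before it is used as a grep argument (assumed character set).
    case "$login" in
        ''|*[!A-Za-z0-9._@-]*) printf 'xxx%s\n' "$login"; return 1 ;;
    esac

    # No whitelist files at all: everybody is allowed (same rule as the post).
    if [ -z "$(ls -A "$dir" 2>/dev/null)" ]; then
        printf '%s\n' "$login"; return 0
    fi

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # Accept only names that are exactly 8 digits followed by a day name;
        # anything else in the directory is ignored instead of mis-parsed.
        case "$name" in
            [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]*) ;;
            *) continue ;;
        esac
        [ "${name#????????}" = "$day" ] || continue
        start=$(hhmm_to_min "$(printf '%s' "$name" | cut -c1-4)")
        end=$(hhmm_to_min "$(printf '%s' "$name" | cut -c5-8)")
        [ "$now" -ge "$start" ] && [ "$now" -le "$end" ] || continue
        # Fixed-string, whole-line match: an unquoted "grep -l $1" would treat a
        # login such as "." as a regex that matches every whitelist file.
        if grep -qxF -- "$login" "$f"; then
            printf '%s\n' "$login"; return 0
        fi
    done
    printf 'xxx%s\n' "$login"
    return 1
}

# Stand-alone demo on a constructed whitelist in a temporary directory.
demo_dir=$(mktemp -d)
printf 'alice\nbob\n' > "$demo_dir/10002000Wednesday"
check_whitelist alice "$demo_dir" Wednesday 720 || true   # alice (12:00 is inside the window)
check_whitelist carol "$demo_dir" Wednesday 720 || true   # xxxcarol (not listed)
check_whitelist .     "$demo_dir" Wednesday 720 || true   # xxx. (no longer matches every file)
rm -rf "$demo_dir"
```

For live use, call `check_whitelist "$1" /opt/whitelists "$(current_day)" "$(current_minutes)"` from the script the Java code invokes. The same rule applies on the Java side: pass `inLogin` as its own element of the argument array, never concatenated into a string that a shell parses, so that the only thing the login can influence is which whitelist line it is compared against.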