Hello Filip,

On Thu, 7 Jan 2021 at 02:21, Filip Žák <[email protected]> wrote:

> Hello,
> recently I was asking if it is possible to restrict access for LDAP users
> only to some of them and at specific times. I worked on it by myself and I want to
> offer a solution. If you want, you can implement it in the official version.
> So here it is:
>
> 1. I found the Java class
> */openmeetings-core/src/main/java/org/apache/openmeetings/core/ldap/LdapLoginManager.java*
> and here I implemented calling a BASH script and sending the variable *inLogin*
> before validating with the LDAP server. To do so we need to import these two libraries:
>
> *import java.io.BufferedReader;*
> *import java.io.InputStreamReader;*
>
> 2. Then we find the function: *public User login(String inLogin, String
> passwd, Long domainId) throws OmException*
>
> 3. At the very beginning of that function we insert the following code to call the script:
>
> Process p;
> // The script gets the login as its single argument. Passing an array to exec()
> // keeps the login as one argument instead of letting exec(String) split it on whitespace.
> // (java.io.IOException must be imported as well if the class does not already import it.)
> String[] cmd = {"/opt/skriptOMldap.sh", inLogin};
> String meno = "";
> try {
>     p = Runtime.getRuntime().exec(cmd);
>     p.waitFor();
>     BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()));
>     String line;
>     while ((line = reader.readLine()) != null) {
>         meno = line;  // keep the last line the script printed
>     }
> } catch (IOException e) {
>     // TODO Auto-generated catch block
>     e.printStackTrace();
> } catch (InterruptedException e) {
>     // TODO Auto-generated catch block
>     e.printStackTrace();
> }
> inLogin = meno;
>

You can use this helper:
https://github.com/apache/openmeetings/blob/master/openmeetings-util/src/main/java/org/apache/openmeetings/util/process/ProcessHelper.java

it will work with std out/err for you :)


>
>
> In the variable *String[] cmd* we can define where the script is and what its
> name is.
>
> 4. That's everything in the Java code, so we save it and compile the code.
>
> 5. Next is the script. We create it in the folder that we defined in step 3 (in my
> case */opt/skriptOMldap.sh*), so in /opt we create the file skriptOMldap.sh
> and insert the following code:
>
> #!/bin/bash
> dir=./whitelists
> # If there are no whitelists, then everybody is allowed
> if [ -z "$(ls -A "$dir")" ]; then
>   echo "$1"
>   exit 0
> fi
> export LC_ALL=en_US.utf8
> day=$(date +"%A")
> # current time as a decimal number of hours, e.g. 10:30 -> 10.500
> time=$(echo "scale=3; ($(date +"%H") + ($(date +"%M") / 60))" | bc)
> # every whitelist file that mentions the login; the code below takes the day name
> # from the front of the file name and the 8 digits (HHMM start, HHMM end) from its end
> for i in $(grep -l "$1" "$dir"/* | cut -d / -f3-)
> do
>   start=$(echo "scale=3; ($(echo "$i" | cut -b$((${#i}-7))-$((${#i}-6))) + ($(echo "$i" | cut -b$((${#i}-5))-$((${#i}-4))) / 60))" | bc)
>   end=$(echo "scale=3; ($(echo "$i" | cut -b$((${#i}-3))-$((${#i}-2))) + ($(echo "$i" | cut -b$((${#i}-1))-${#i}) / 60))" | bc)
>   if [ "$(echo "$i" | cut -b-$((${#i}-8)))" = "$day" ] && [ "$(echo "$(echo "$start <= $time" | bc) && $(echo "$time <= $end" | bc)" | bc)" -ne 0 ]; then
>     echo "$1"
>     exit 0
>   fi
> done
> # no matching whitelist: prefix the login so that the LDAP validation fails
> echo "xxx$1"
> exit 0
>
> So basically this script takes the login as an input variable and checks if
> there is a file in the whitelists directory for the current time and day. So we
> need to create a directory with the name *whitelists* in the directory */opt*. In
> this directory (*whitelists*) we can create a file with a name where the first 4
> digits are for the start and the second 4 digits for the end, and next is the name of the
> day of the week (for example, I want some people to have access on Wednesday
> from 10:00 to 20:00, so I create a file named *10002000Wednesday*). In
> that file I simply write all the logins I want (one row, one login). So the script
> checks the current day, finds all files for the current day, then checks the
> time and chooses the file that is correct (the current time is between the start
> and end of the file), and next it checks if the login is in the file. If not, the script
> will return the login prefixed with "xxx" and then the validation is incorrect.
> There is also an if statement for users who don't want to use this
> function: if there is no file in the directory, the script simply returns the login it
> got.
>
> 6. For security we can set permissions on both the script and the directory
> /whitelists, and we can also set the owner and group to nobody:nogroup.
>
> So that's it. I hope somebody will use this function. Of course there are
> more options to do this, but this was the best for me.
>

Great you were able to solve this :)


>
> Best regards,
> Filip Žák
>


-- 
Best regards,
Maxim
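
The whitelist check from Filip's steps 3 and 5, done inside the Java process instead of by running a shell script, as an added example that is neither Filip's code nor part of OpenMeetings. It assumes the file name layout given in the description (four digits start, four digits end, then the English day name, e.g. 10002000Wednesday), one login per line, and a whitelist directory chosen by the caller; the class TimeWindowWhitelist and its methods are invented for this illustration. It keeps the same "no whitelist files means everybody is allowed" rule, matches the login as a whole line rather than as a grep substring, and returns a boolean so the login string never has to be rewritten to force an LDAP failure and no process is started with user-controlled input.

```java
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.time.DateTimeException;
import java.time.LocalDateTime;
import java.time.LocalTime;
import java.time.format.TextStyle;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Time-window whitelist check done in-process (added example, not OpenMeetings code).
 * Files in the whitelist directory are named HHMM(start)HHMM(end)DayName, e.g.
 * 10002000Wednesday, and contain one login per line.
 */
public final class TimeWindowWhitelist {
    private static final Pattern NAME =
        Pattern.compile("([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([A-Za-z]+)");

    private final Path dir;  // assumed, e.g. /opt/whitelists; supplied by the caller

    public TimeWindowWhitelist(Path dir) {
        this.dir = dir;
    }

    /** True if the login may proceed to LDAP validation at the given moment. */
    public boolean isAllowed(String login, LocalDateTime now) throws IOException {
        String today = now.getDayOfWeek().getDisplayName(TextStyle.FULL, Locale.ENGLISH);
        LocalTime t = now.toLocalTime();
        boolean anyWhitelist = false;
        try (DirectoryStream<Path> files = Files.newDirectoryStream(dir)) {
            for (Path f : files) {
                if (!Files.isRegularFile(f)) {
                    continue;
                }
                anyWhitelist = true;
                Matcher m = NAME.matcher(f.getFileName().toString());
                if (!m.matches() || !m.group(5).equalsIgnoreCase(today)) {
                    continue;  // wrong layout or wrong day
                }
                LocalTime start = parseTime(m.group(1), m.group(2));
                LocalTime end = parseTime(m.group(3), m.group(4));
                if (start == null || end == null || t.isBefore(start) || t.isAfter(end)) {
                    continue;  // malformed window (e.g. 2560) or outside it
                }
                if (containsLogin(f, login)) {
                    return true;
                }
            }
        }
        // Same rule as the script: no whitelist files at all means everybody is allowed.
        return !anyWhitelist;
    }

    private static LocalTime parseTime(String hh, String mm) {
        try {
            return LocalTime.of(Integer.parseInt(hh), Integer.parseInt(mm));
        } catch (DateTimeException e) {
            return null;
        }
    }

    // Whole-line match, unlike grep's substring match: "bob" is not accepted
    // just because "bobby" is listed.
    private static boolean containsLogin(Path f, String login) throws IOException {
        for (String line : Files.readAllLines(f)) {
            if (line.trim().equals(login)) {
                return true;
            }
        }
        return false;
    }

    // Constructed demonstration: a temporary directory holding one whitelist file.
    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("whitelists");
        Files.write(tmp.resolve("10002000Wednesday"), List.of("alice", "bobby"));
        TimeWindowWhitelist wl = new TimeWindowWhitelist(tmp);
        LocalDateTime wed = LocalDateTime.of(2021, 1, 6, 12, 30);  // a Wednesday, inside the window
        System.out.println("alice, Wednesday 12:30: " + wl.isAllowed("alice", wed));
        System.out.println("bob, Wednesday 12:30:   " + wl.isAllowed("bob", wed));
        System.out.println("alice, Thursday 12:30:  " + wl.isAllowed("alice", wed.plusDays(1)));
    }
}
```

In LdapLoginManager this would replace the exec call: if isAllowed returns false, the login method can return the same failure it uses for a bad password, which avoids the "xxx" prefix trick and keeps the whitelist decision out of the LDAP bind entirely.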
