private function auth($username, $password)
{
global $config;
$login_ok = false;
if (!empty($username) && !empty($password)) {
$attributes = array();
$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
if (authenticate_user($username, $password, $authcfg, $attributes) || authenticate_user($username, $password)) {
$login_ok = true;
}
}
if (!$login_ok) {
log_auth("webConfigurator authentication error for '" . $username . "' from " . $this->remote_addr);
require_once "XML/RPC2/Exception.php";
throw new XML_RPC2_FaultException(gettext('Authentication failed: Invalid username or password'), -1);
}
$user_entry = getUserEntry($username);
/*
* admin (uid = 0) is allowed
* or regular user with necessary privilege
*/
if (isset($user_entry['uid']) && $user_entry['uid'] != '0' && !userHasPrivilege($user_entry, 'system-xmlrpc-ha-sync')) {
log_auth("webConfigurator authentication error for '" . $username . "' from " . $this->remote_addr . " not enough privileges");
require_once "XML/RPC2/Exception.php";
throw new XML_RPC2_FaultException(gettext('Authentication failed: not enough privileges'), -2);
}
return;
}
$reqdfields[] = "radius_auth_port";
$reqdfieldsn[] = gettext("Authentication port value");
}
if ($id == null) {
$reqdfields[] = "radius_secret";
$reqdfieldsn[] = gettext("Shared Secret");
}
}
do_input_validation($pconfig, $reqdfields, $reqdfieldsn, $input_errors);
if (!empty($pconfig['ldap_host']) && preg_match("/[^a-zA-Z0-9\\.\\-_]/", $pconfig['ldap_host'])) {
$input_errors[] = gettext("The host name contains invalid characters.");
}
if (!empty($pconfig['radius_host']) && preg_match("/[^a-zA-Z0-9\\.\\-_]/", $pconfig['radius_host'])) {
$input_errors[] = gettext("The host name contains invalid characters.");
}
if (auth_get_authserver($pconfig['name']) && !isset($id)) {
$input_errors[] = gettext("An authentication server with the same name already exists.");
}
if ($pconfig['type'] == "radius" && isset($pconfig['radius_timeout']) && !empty($pconfig['radius_timeout']) && (!is_numeric($pconfig['radius_timeout']) || is_numeric($pconfig['radius_timeout']) && $pconfig['radius_timeout'] <= 0)) {
$input_errors[] = gettext("RADIUS Timeout value must be numeric and positive.");
}
if (count($input_errors) == 0) {
$server = array();
$server['refid'] = uniqid();
if (isset($id)) {
$server = $a_server[$id];
} else {
$server['type'] = $pconfig['type'];
$server['name'] = $pconfig['name'];
}
if ($server['type'] == "ldap") {
}
}
if (!is_array($authmodes)) {
syslog(LOG_WARNING, "No authentication server has been selected to authenticate against. Denying authentication for user {$username}");
if (isset($_GET['username'])) {
echo "FAILED";
closelog();
return;
} else {
closelog();
return 1;
}
}
$attributes = array();
foreach ($authmodes as $authmode) {
$authcfg = auth_get_authserver($authmode);
if (!$authcfg && $authmode != "Local Database") {
continue;
}
$authenticated = authenticate_user($username, $password, $authcfg, $attributes);
if ($authenticated == true) {
break;
}
}
if ($authenticated == false) {
syslog(LOG_WARNING, "user '{$username}' could not authenticate.\n");
if (isset($_GET['username'])) {
echo "FAILED";
closelog();
return;
} else {
*/
/*
pfSense_MODULE: auth
*/
##|+PRIV
##|*IDENT=page-diagnostics-authentication
##|*NAME=Diagnostics: Authentication
##|*DESCR=Allow access to the 'Diagnostics: Authentication' page.
##|*MATCH=diag_authentication.php*
##|-PRIV
require "guiconfig.inc";
require_once "radius.inc";
if ($_POST) {
$pconfig = $_POST;
unset($input_errors);
$authcfg = auth_get_authserver($_POST['authmode']);
if (!$authcfg) {
$input_errors[] = $_POST['authmode'] . " " . gettext("is not a valid authentication server");
}
if (empty($_POST['username']) || empty($_POST['password'])) {
$input_errors[] = gettext("A username and password must be specified.");
}
if (!$input_errors) {
$attributes = array();
if (authenticate_user($_POST['username'], $_POST['password'], $authcfg, $attributes)) {
$savemsg = gettext("User") . ": " . $_POST['username'] . " " . gettext("authenticated successfully.");
$groups = getUserGroups($_POST['username'], $authcfg, $attributes);
$savemsg .= " " . gettext("This user is a member of groups") . ": <br />";
$savemsg .= "<ul>";
foreach ($groups as $group) {
$savemsg .= "<li>" . "{$group} " . "</li>";
$priv = $priv_list[$pname];
$priv['group'] = $group['name'];
$privs[] = $priv;
}
}
foreach ($user_privs as $pname) {
if ($priv_list[$pname]) {
$privs[] = $priv_list[$pname];
}
}
return $privs;
}
// start admin user code
$pgtitle = array(gettext('System'), gettext('Users'));
// find web ui authentication method
$authcfg_type = auth_get_authserver($config['system']['webgui']['authmode'])['type'];
$input_errors = array();
if (isset($_POST['userid']) && is_numericint($_POST['userid'])) {
$id = $_POST['userid'];
} elseif (isset($_GET['userid']) && is_numericint($_GET['userid'])) {
$id = $_GET['userid'];
}
if (!isset($config['system']['user']) || !is_array($config['system']['user'])) {
$config['system']['user'] = array();
}
$a_user =& $config['system']['user'];
if (isset($_SERVER['HTTP_REFERER'])) {
$referer = $_SERVER['HTTP_REFERER'];
} else {
$referer = '/system_usermanager.php';
}
$new_user['scope'] = 'user';
$new_user['name'] = $username;
$new_user['user_dn'] = $userdn;
$new_user['descr'] = $userfullname;
local_user_set_password($new_user, $user_password);
$new_user['uid'] = $config['system']['nextuid']++;
$config['system']['user'][] = $new_user;
local_user_set($new_user);
}
global $config;
// attributes used in page
$ldap_users = array();
$ldap_is_connected = false;
$exit_form = false;
// find gui auth server
$authcfg = auth_get_authserver($config['system']['webgui']['authmode']);
if ($authcfg['type'] == 'ldap') {
// setup peer ca
ldap_setup_caenv($authcfg);
// connect to ldap server
$ldap_auth = new OPNsense\Auth\LDAP($authcfg['ldap_basedn'], $authcfg['ldap_protver']);
$ldap_is_connected = $ldap_auth->connect($authcfg['ldap_full_url'], $authcfg['ldap_binddn'], $authcfg['ldap_bindpw']);
if ($ldap_is_connected) {
// collect list of current ldap users from config
$confDNs = array();
foreach ($config['system']['user'] as $confUser) {
if (!empty($confUser['user_dn'])) {
$confDNs[] = trim($confUser['user_dn']);
}
}
// search ldap
}
if ($pconfig['tfc_bytes'] && !is_numericint($pconfig['tfc_bytes'])) {
$input_errors[] = gettext("A numeric value must be specified for TFC bytes.");
}
if (!empty($pconfig['iketype']) && $pconfig['iketype'] != "ikev1" && $pconfig['iketype'] != "ikev2" && $pconfig['iketype'] != "auto") {
$input_errors[] = gettext("Valid arguments for IKE type are v1, v2 or auto");
}
if (preg_match("/aes\\d+gcm/", $_POST['ealgo']) && $_POST['iketype'] != "ikev2") {
$input_errors[] = gettext("Encryption Algorithm AES-GCM can only be used with IKEv2");
}
/* auth backend for mobile eap-radius VPNs should be a RADIUS server */
if ($pconfig['authentication_method'] == 'eap-radius' && $pconfig['mobile']) {
if (!empty($config['ipsec']['client']['user_source'])) {
$auth_server_list = explode(',', $config['ipsec']['client']['user_source']);
foreach ($auth_server_list as $auth_server_name) {
$auth_server = auth_get_authserver($auth_server_name);
if (!is_array($auth_server) || $auth_server['type'] != 'radius') {
$input_errors[] = gettext("A valid RADIUS server must be selected for user authentication on the Mobile Clients tab in order to set EAP-RADIUS as the authentication method.");
}
}
}
}
/* build our encryption algorithms array */
$pconfig['ealgo'] = array();
$pconfig['ealgo']['name'] = $_POST['ealgo'];
if ($pconfig['ealgo_keylen']) {
$pconfig['ealgo']['keylen'] = $_POST['ealgo_keylen'];
}
if (!$input_errors) {
$ph1ent['ikeid'] = $pconfig['ikeid'];
$ph1ent['iketype'] = $pconfig['iketype'];
AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
*/
require_once "guiconfig.inc";
require_once "auth.inc";
include 'head.inc';
if (isset($config['system']['authserver'][0]['host'])) {
$auth_server = $config['system']['authserver'][0]['host'];
$authserver = $_GET['authserver'];
$authcfg = auth_get_authserver($authserver);
$ldap_auth = new OPNsense\Auth\LDAP($authcfg['ldap_basedn'], $authcfg['ldap_protver']);
ldap_setup_caenv($authcfg);
$ldap_is_connected = $ldap_auth->connect($authcfg['ldap_full_url'], $authcfg['ldap_binddn'], $authcfg['ldap_bindpw']);
}
?>
<body>
<form method="post" name="iform" id="iform">
<?php
if (!$authcfg) {
printf(gettext("Could not find settings for %s%s"), htmlspecialchars($authserver), "<p/>");
} else {
echo "<table class='table table-striped'>";
echo "<tr><th colspan='2'>" . sprintf(gettext("Testing %s LDAP settings... One moment please..."), $g['product_name']) . "</th></tr>";
$reqdfieldsn[] = gettext("Authentication port value");
}
if ($pconfig['radisu_srvcs'] == "both" || $pconfig['radisu_srvcs'] == "acct") {
$reqdfields[] = "radius_acct_port";
$reqdfieldsn[] = gettext("Accounting port value");
}
if ($id == null) {
$reqdfields[] = "radius_secret";
$reqdfieldsn[] = gettext("Shared Secret");
}
}
do_input_validation($_POST, $reqdfields, $reqdfieldsn, $input_errors);
if (preg_match("/[^a-zA-Z0-9\\.\\-_]/", $_POST['host'])) {
$input_errors[] = gettext("The host name contains invalid characters.");
}
if (auth_get_authserver($pconfig['name']) && $id == null) {
$input_errors[] = gettext("An authentication server with the same name already exists.");
}
if ($pconfig['type'] == "radius" && isset($_POST['radius_timeout']) && !empty($_POST['radius_timeout']) && (!is_numeric($_POST['radius_timeout']) || is_numeric($_POST['radius_timeout']) && $_POST['radius_timeout'] <= 0)) {
$input_errors[] = gettext("RADIUS Timeout value must be numeric and positive.");
}
if (count($input_errors) == 0) {
$server = array();
$server['refid'] = uniqid();
if ($id != null && isset($a_server[$id])) {
$server = $a_server[$id];
}
$server['type'] = $pconfig['type'];
$server['name'] = $pconfig['name'];
if ($server['type'] == "ldap") {
if (!empty($pconfig['ldap_caref'])) {
*/
require_once "guiconfig.inc";
$save_and_test = false;
if ($_SERVER['REQUEST_METHOD'] === 'GET') {
$pconfig = array();
$pconfig['session_timeout'] = $config['system']['webgui']['session_timeout'];
$pconfig['authmode'] = $config['system']['webgui']['authmode'];
$pconfig['backend'] = $config['system']['webgui']['backend'];
} elseif ($_SERVER['REQUEST_METHOD'] === 'POST') {
$pconfig = $_POST;
$input_errors = array();
if (!empty($pconfig['session_timeout']) && (!is_numeric($pconfig['session_timeout']) || $pconfig['session_timeout'] <= 0)) {
$input_errors[] = gettext("Session timeout must be an integer value.");
}
if (count($input_errors) == 0) {
$authsrv = auth_get_authserver($pconfig['authmode']);
if (!empty($pconfig['savetest'])) {
if ($authsrv['type'] == "ldap") {
$save_and_test = true;
} else {
$savemsg = gettext("The test was not performed because it is supported only for ldap based backends.");
}
}
if (!empty($pconfig['session_timeout'])) {
$config['system']['webgui']['session_timeout'] = intval($pconfig['session_timeout']);
} elseif (isset($config['system']['webgui']['session_timeout'])) {
unset($config['system']['webgui']['session_timeout']);
}
if (!empty($pconfig['authmode'])) {
$config['system']['webgui']['authmode'] = $pconfig['authmode'];
} elseif (isset($config['system']['webgui']['authmode'])) {
