* Add a lib/sql/nas_list.php3 to also get the nas list from sql (naslist.conf still works)
* add realms nasdb and nasadmin in username.mappings. nasadmin is used to signify if the
user is allowed to use the nas_admin page. nasdb is used to shorten the nas list to only
a few specific entries. That way administrator responsible for a few access servers will
only be able to administer those access servers and not see the rest of the nas list.
* Add username searching in the find page as suggested by joram agten
* Don't use nas_list in nas_admin
+Ver 1.72:
+* Move the xlat function to a separate file in lib/xlat.php3
+* Add a lib/sql/nas_list.php3 to also get the nas list from sql (naslist.conf still works)
+* add realms nasdb and nasadmin in username.mappings. nasadmin is used to signify if the
+ user is allowed to use the nas_admin page. nasdb is used to shorten the nas list to only
+ a few specific entries. That way administrator responsible for a few access servers will
+ only be able to administer those access servers and not see the rest of the nas list.
+* Add username searching in the find page as suggested by joram agten
+* Don't use nas_list in nas_admin
Ver 1.70:
* Add the /bin postgresql compatibility patch from Guy Fraser
* Add ldap_userdn as a configuration directive. If set we use that for
# in the badusers table
#
general_restrict_badusers_access: no
+#
+# If set to yes then we restrict access to the nas administration page only to those
+# users which are allowed by their username mapping (nasadmin is set to yes)
+#
+general_restrict_nasadmin_access: yes
+
INCLUDE: %{general_base_dir}/conf/naslist.conf
# %U: username provided though http authentication
# %mu: mappings for userdb
# %ma: mappings for accounting
+# %mn: mappings for nasdb
+# %mN: mappings for nas administration
#
# One use of this would be to restrict access to only the user's belonging to
# a specific administrator like this:
if (ereg('^[[:space:]]*#',$val) || ereg('^[[:space:]]*$',$val))
continue;
list($key,$realm,$v)=split(":[[:space:]]*",$val,2);
- if ($realm == 'accounting' || $realm == 'userdb')
+ if ($realm == 'accounting' || $realm == 'userdb' || $realm == 'nasdb' || $realm == 'nasadmin')
$mappings["$key"][$realm] = $v;
+ if ($realm == 'nasdb'){
+ $NAS_ARR = array();
+ $NAS_ARR = split(',',$v);
+ foreach ($nas_list as $key => $nas){
+ foreach ($NAS_ARR as $nas_check){
+ if ($nas_check == $nas[name])
+ unset($nas_list[$key]);
+ }
+ }
+ }
}
if ($config[general_use_session] == 'yes')
session_register('mappings');
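Review bot: The nasdb block starting at `if ($realm == 'nasdb'){` unsets from $nas_list exactly the NASes named in the mapping, which is the opposite of what the ChangeLog entry and the username.mappings comment describe (shorten the list to only those entries), and it is the opposite of what the new lib/sql/nas_list.php3 does with its `WHERE nasname IN (...)`. It also runs for every line of the mappings file rather than only for the authenticated user, so one admin's nasdb line prunes the list that every other user sees. The inner `foreach ($nas_list as $key => $nas)` reuses `$key`, which on the `list($key,$realm,$v)` line is the mapping username. I would guard on the HTTP user (assuming this runs at file scope like the nas_admin check elsewhere in this patch), use a separate loop variable and keep only the listed entries, as below; the loop over the mappings file that encloses these lines starts before the hunk.
```php
if ($realm == 'nasdb' && $key == $HTTP_SERVER_VARS["PHP_AUTH_USER"]){
    $allowed_nas = split(',',$v);
    // keep only the NASes named in this user's nasdb mapping
    foreach ($nas_list as $nas_key => $nas){
        if (!in_array($nas['name'],$allowed_nas))
            unset($nas_list[$nas_key]);
    }
}
```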
# Format:
# Username:realm:query
#
-# where realm is accounting or userdb
+# where realm is:
+# accounting: for the map to be used when querying the accounting db
+# userdb: for the map to be used when querying the user db
+# nasdb: To only map specific NASes to the username (separated by ,)
+# nasadmin: To allow the user to use the nas_admin page (yes or no)
#
library-admin:accounting:AND nasipaddress = '123.123.123.123'
library-admin:userdb:AND Admin = 'library-admin'
+library-admin:nasdb:nas.lib.company.com
+library-admin:nasadmin:no
+#
+lab-admin:accounting:AND nasipaddress = '123.123.124.123'
+lab-admin:userdb:AND Admin = 'lab-admin'
+lab-admin:nasdb:nas.lab.company.com
+lab-admin:nasadmin:no
+#
+admin:nasadmin:yes
* Parse the radius dictionary files so that we can show a pull down menu of possible values
for various attributes.
* Check the sql user code for sql injections
+* Also be able to keep username mappings in sql. Create and administration page
$query_view = ereg_replace(',$','',$query_view);
$sql_extra_query = '';
if ($config[sql_accounting_extra_query] != '')
- $sql_extra_query = sql_xlat($config[sql_accounting_extra_query],$login,$config);
+ $sql_extra_query = xlat($config[sql_accounting_extra_query],$login,$config);
$query="SELECT $query_view FROM $config[sql_accounting_table] $where $sql_extra_query ORDER BY $order LIMIT $maxresults;";
echo <<<EOM
$sql_extra_query = '';
if ($config[sql_accounting_extra_query] != '')
- $sql_extra_query = sql_xlat($config[sql_accounting_extra_query],$login,$config);
+ $sql_extra_query = xlat($config[sql_accounting_extra_query],$login,$config);
print <<<EOM
</table>
<?php
require('../conf/config.php3');
require('../lib/attrshow.php3');
+require('../lib/sql/nas_list.php3');
?>
<html>
<?php
if ($acct_attrs['fl'][9] != '') echo "<th>" . $acct_attrs['fl'][9] . "</th>\n";
$sql_extra_query = '';
if ($config[sql_accounting_extra_query] != '')
- $sql_extra_query = sql_xlat($config[sql_accounting_extra_query],$login,$config);
+ $sql_extra_query = xlat($config[sql_accounting_extra_query],$login,$config);
?>
</tr>
<?php
foreach ($nas_list as $nas){
$name = $nas[name];
+ if ($nas[ip] == '')
+ continue;
$servers[$name] = $nas[ip];
}
ksort($servers);
<?php
echo <<<EOM
<select name="search_IN" editable onChange="this.form.submit();">
+<option $selected[username] value="username">User Name
<option $selected[name] value="name">User Full Name
-<option $selected[ou] value="ou">User Department
+<option $selected[department] value="department">User Department
<option $selected[radius] value="radius">User Radius Attribute
EOM;
?>
EOM;
exit();
}
+if ($config[general_restrict_nasadmin_access == 'yes'){
+ $auth_user = $HTTP_SERVER_VARS["PHP_AUTH_USER"];
+ if ($auth_user == '' || $mappings[$auth_user][nasadmin] != 'yes'){
+ echo <<<EOM
+<title>NAS Administration Page</title>
+<link rel="stylesheet" href="style.css">
+</head>
+<body bgcolor="#80a040" background="images/greenlines1.gif" link="black" alink="black">
+<center>
+<b>Access is not allowed to this username.</b>
+</body>
+</html>
+EOM;
+ exit();
+ }
+}
+
if ($clear_fields == 1)
$selected_nas = $readonly = '';
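Review bot: The access check on the `if ($config[general_restrict_nasadmin_access == 'yes'){` line never fires: the comparison sits inside the array index, so PHP evaluates the bare constant `general_restrict_nasadmin_access` against `'yes'` (false) and looks up `$config[false]`, not the directive added to admin.conf, and the whole nasadmin restriction is silently skipped. It should read `if ($config[general_restrict_nasadmin_access] == 'yes'){`. Once that is fixed the inner test `$mappings[$auth_user][nasadmin] != 'yes'` correctly fails closed for users with no nasadmin mapping at all, which matches the `yes` default shipped in admin.conf. The echoed error page starts at `<title>` with no `<html><head>`; presumably the code before this hunk emits them, worth confirming.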
"SELECT * FROM $config[sql_nas_table] ORDER BY nasname;");
if ($search){
$num = 0;
- unset($nas_list);
+ unset($my_nas_list);
while($row = @da_sql_fetch_array($search,$config)){
$my_nas_name = $row['nasname'];
if ($my_nas_name != ''){
$num++;
if ($clear_fields == 0 && $selected_nas == $my_nas_name)
$selected[$my_nas_name] = 'selected';
- $nas_list[$my_nas_name]['name'] = $my_nas_name;
- $nas_list[$my_nas_name]['shortname'] = $row['shortname'];
- $nas_list[$my_nas_name]['type'] = $row['type'];
- $selected[$nas_list[$my_nas_name]['type']] = 'selected';
- $nas_list[$my_nas_name]['ports'] = $row['ports'];
- $nas_list[$my_nas_name]['secret'] = $row['secret'];
- $nas_list[$my_nas_name]['community'] = $row['community'];
- $nas_list[$my_nas_name]['description'] = $row['description'];
+ $my_nas_list[$my_nas_name]['name'] = $my_nas_name;
+ $my_nas_list[$my_nas_name]['shortname'] = $row['shortname'];
+ $my_nas_list[$my_nas_name]['type'] = $row['type'];
+ $selected[$my_nas_list[$my_nas_name]['type']] = 'selected';
+ $my_nas_list[$my_nas_name]['ports'] = $row['ports'];
+ $my_nas_list[$my_nas_name]['secret'] = $row['secret'];
+ $my_nas_list[$my_nas_name]['community'] = $row['community'];
+ $my_nas_list[$my_nas_name]['description'] = $row['description'];
}
}
}
<td>
<select name=selected_nas size=5 OnChange="this.form.select_nas.value=1;this.form.submit()">
<?php
-foreach ($nas_list as $member){
+foreach ($my_nas_list as $member){
$name = $member[name];
echo "<option $selected[$name] value=\"$name\">$name\n";
}
</td>
</tr>
<?php
-$array = $nas_list[$selected_nas];
+$array = $my_nas_list[$selected_nas];
echo <<<EOM
<tr>
<td align=right bgcolor="#d0ddb0">
<?php
require('../conf/config.php3');
+require('../lib/sql/nas_list.php3');
?>
<html>
<head>
$servers[all] = 'all';
foreach ($nas_list as $nas){
$name = $nas[name];
+ if ($nas[ip] == '')
+ continue;
$servers[$name] = $nas[ip];
$i++;
}
}
$sql_extra_query = '';
if ($config[sql_accounting_extra_query] != '')
- $sql_extra_query = sql_xlat($config[sql_accounting_extra_query],$login,$config);
+ $sql_extra_query = xlat($config[sql_accounting_extra_query],$login,$config);
$link = @da_sql_pconnect($config);
if ($link){
}
$sql_extra_query = '';
if ($config[sql_accounting_extra_query] != '')
- $sql_extra_query = sql_xlat($config[sql_accounting_extra_query],$login,$config);
+ $sql_extra_query = xlat($config[sql_accounting_extra_query],$login,$config);
?>
</tr>
<?php
require('../conf/config.php3');
require('../lib/attrshow.php3');
+require('../lib/sql/nas_list.php3');
if (!isset($usage_summary)){
echo <<<EOM
<html>
$sql_extra_query = '';
if ($config[sql_accounting_extra_query] != '')
- $sql_extra_query = sql_xlat($config[sql_accounting_extra_query],$login,$config);
+ $sql_extra_query = xlat($config[sql_accounting_extra_query],$login,$config);
$link = @da_sql_pconnect($config);
$link2 = connect2db($config);
}
else
$servers_num++;
+ if ($nas[ip] == '')
+ continue;
$name_data = $nas[ip];
$community_data = $nas[community];
$server_name[$servers_num] = $nas[name];
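Review bot: `$servers_num++` on the line just above the new `if ($nas[ip] == '') continue;` still runs for the entry that is then skipped, so `$server_name[$servers_num]` is never assigned for that index and any later loop over 1..$servers_num would hit a hole. Placing `if ($nas[ip] == '') continue;` before the if/else that contains `$servers_num++` keeps the numbering dense. The loop over $nas_list that encloses these lines starts before the hunk, so I cannot see how the index is consumed; please check. The other three copies of this skip in this patch (the hunks ending in `ksort($servers)` and the `$i++` one) build keyed maps and do not have this problem.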
<?php
require('../conf/config.php3');
require('../lib/functions.php3');
+require('../lib/sql/nas_list.php3');
?>
<html>
<?php
$sql_extra_query = '';
if ($config[sql_accounting_extra_query] != '')
- $sql_extra_query = sql_xlat($config[sql_accounting_extra_query],$login,$config);
+ $sql_extra_query = xlat($config[sql_accounting_extra_query],$login,$config);
?>
<?php
foreach ($nas_list as $nas){
$name = $nas[name];
+ if ($nas[ip] == '')
+ continue;
$servers[$name] = $nas[ip];
}
ksort($servers);
if ($regular_profile_attr != ''){
$get_attrs = array("$regular_profile_attr");
if ($config[ldap_filter] != '')
- $filter = ldap_xlat($config[ldap_filter],$login,$config);
+ $filter = xlat($config[ldap_filter],$login,$config);
else
$filter = 'uid=' . $login;
if ($config[ldap_debug] == 'true')
<?php
-function ldap_xlat($filter,$login,$config)
-{
- $string = $filter;
- if ($filter != ''){
- $string = preg_replace('/%u/',$login,$string);
- $string = preg_replace('/%U/',$HTTP_SERVER_VARS["PHP_AUTH_USER"],$string);
- $string = preg_replace('/%ma/',$mappings[$http_user][accounting],$string);
- $string = preg_replace('/%mu/',$mappings[$http_user][userdb],$string);
- }
-
- return $string;
-}
+require('../lib/xlat.php3');
function da_ldap_bind($ds,$config)
{
$attrs = array('cn');
if ($config[ldap_userdn] == ''){
if ($config[ldap_filter] != '')
- $filter = ldap_xlat($config[ldap_filter],$login,$config);
+ $filter = xlat($config[ldap_filter],$login,$config);
else
$filter = 'uid=' . $login;
}
else
- $filter = ldap_xlat($config[ldap_userdn],$login,$config);
+ $filter = xlat($config[ldap_userdn],$login,$config);
if ($config[ldap_debug] == 'true'){
if ($config[ldap_userdn] == '')
print "<b>DEBUG(LDAP): Search Query: BASE='$config[ldap_base]',FILTER='$filter'</b><br>\n";
$attrs = array('dn');
if ($config[ldap_userdn] == ''){
if ($config[ldap_filter] != '')
- $filter = ldap_xlat($config[ldap_filter],$login,$config);
+ $filter = xlat($config[ldap_filter],$login,$config);
else
$filter = 'uid=' . $login;
}
else
- $filter = ldap_xlat($config[ldap_userdn],$login,$config);
+ $filter = xlat($config[ldap_userdn],$login,$config);
if ($config[ldap_debug] == 'true'){
if ($config[ldap_userdn] == '')
print "<b>DEBUG(LDAP): Search Query: BASE='$config[ldap_base]',FILTER='$filter'</b><br>\n";
$r=@da_ldap_bind($ds,$config);
if ($config[ldap_userdn] == ''){
if ($config[ldap_filter] != '')
- $filter = ldap_xlat($config[ldap_filter],$login,$config);
+ $filter = xlat($config[ldap_filter],$login,$config);
else
$filter = 'uid=' . $login;
}
else
- $filter = ldap_xlat($config[ldap_userdn],$login,$config);
+ $filter = xlat($config[ldap_userdn],$login,$config);
if ($config[ldap_debug] == 'true'){
if ($config[ldap_userdn] == '')
print "<b>DEBUG(LDAP): Search Query: BASE='$config[ldap_base]',FILTER='$filter'</b><br>\n";
$search = da_sql_escape_string($search);
if (!is_int($max_results))
$max_results = 10;
- if (($search_IN == 'name' || $search_IN == 'ou') && $config[sql_use_user_info_table] == 'true'){
- $attr = ($search_IN == 'name') ? 'name' : 'department';
+ if (($search_IN == 'name' || $search_IN == 'department' || $search_IN == 'username) &&
+ $config[sql_use_user_info_table] == 'true'){
$res = @da_sql_query($link,$config,
"SELECT username FROM $config[sql_user_info_table] WHERE
- lower($attr) LIKE '%$search%' LIMIT $max_results;");
+ lower($search_IN) LIKE '%$search%' LIMIT $max_results;");
if ($res){
while(($row = @da_sql_fetch_array($res,$config)))
$found_users[] = $row[username];
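Review bot: The new condition on the `if (($search_IN == 'name' || ...` line is missing the closing quote after `username`, so the file no longer parses; it should be `$search_IN == 'username') &&`. The rewritten query now interpolates `$search_IN` directly as a column name in `lower($search_IN)`; that is only safe because the condition above whitelists the three values, so the whitelist and the column names must stay in sync and the condition must not be loosened later. Keeping an explicit value-to-column map like the old `$attr` line would make that dependency visible instead of implicit; a one-line comment such as `// $search_IN is used as a column name below: only the values whitelisted here may reach the query` would at least record it. The `$search` value is escaped on the first line of the hunk, but LIKE wildcards in it are not, which is pre-existing behaviour.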
echo "<b>Could not include SQL library</b><br>\n";
exit();
}
+require('../lib/xlat.php3');
function connect2db($config)
{
{
return 1;
}
-function sql_xlat($filter,$login,$config)
-{
- $string = $filter;
- $http_user = $HTTP_SERVER_VARS["PHP_AUTH_USER"];
- if ($filter != ''){
- $string = preg_replace('/%u/',$login,$string);
- $string = preg_replace('/%U/',$http_user,$string);
- $string = preg_replace('/%m/',$mappings[$http_user],$string);
- }
-
- return $string;
-}
?>
--- /dev/null
+<?php
+require('../conf/config.php3');
+
+if ($config[sql_nas_table] != ''){
+
+ if (is_file("../lib/sql/drivers/$config[sql_type]/functions.php3"))
+ include_once("../lib/sql/drivers/$config[sql_type]/functions.php3");
+ else{
+ echo "<b>Could not include SQL library</b><br>\n";
+ exit();
+ }
+ $link = @da_sql_pconnect($config);
+ if ($link){
+ $auth_user = HTTP_SERVER_VARS["PHP_AUTH_USER"];
+ $extra = '';
+ if (isset($mappings[$auth_user][nasdb]){
+ $NAS_ARR = array();
+ $NAS_ARR = split(',',$mappings[$auth_user][nasdb]);
+ $extra = 'WHERE nasname IN (';
+ foreach ($NAS_ARR as $nas)
+ $extra .= "'$nasname',";
+ unset($NAS_ARR);
+ $extra = rtrim($extra,",");
+ $extra .= ')';
+ }
+ $search = @da_sql_query($link,$config,
+ "SELECT * FROM $config[sql_nas_table] $extra;");
+ if ($search){
+ while($row = @da_sql_fetch_array($search,$config)){
+ $num = 0;
+ $my_nas_name = $row['nasname'];
+ if ($my_nas_name != ''){
+ $nas_list[$my_nas_name]['name'] = $my_nas_name;
+ $nas_server = $da_name_cache[$my_nas_name];
+ if (!isset($nas_server)){
+ $nas_server = @gethostbyname($nas_server);
+ if (!isset($da_name_cache) && $config[general_use_session] == 'yes'){
+ $da_name_cache[$my_nas_name] = $nas_server;
+ session_register('da_name_cache');
+ }
+ }
+ if ($nas_server != $my_nas_name)
+ $nas_list[$my_nas_name]['ip'] = $nas_server;
+ $nas_list[$my_nas_name]['port_num'] = $row['ports'];
+ $nas_list[$my_nas_name]['community'] = $row['community'];
+ $nas_list[$my_nas_name]['model'] = $row['description'];
+ }
+ }
+ }
+ }
+ else
+ echo "<b>Could not connect to SQL database</b><br>\n";
+}
+
+?>
--- /dev/null
+<?php
+function xlat($filter,$login,$config)
+{
+ $string = $filter;
+ if ($filter != ''){
+ $string = preg_replace('/%u/',$login,$string);
+ $string = preg_replace('/%U/',$HTTP_SERVER_VARS["PHP_AUTH_USER"],$string);
+ $string = preg_replace('/%ma/',$mappings[$http_user][accounting],$string);
+ $string = preg_replace('/%mu/',$mappings[$http_user][userdb],$string);
+ $string = preg_replace('/%mn/',$mappings[$http_user][nasdb],$string);
+ $string = preg_replace('/%mN/',$mappings[$http_user][nasadmin],$string);
+ }
+
+ return $string;
+}
+?>