Account additional attributes update

.gitignore

@@ -0,0 +1,4 @@
+.idea
+*.iml
+*.sublime-project
+*.sublime-workspace

README.md

@@ -115,6 +115,8 @@ These settings should only be changed if you're trying to make the user manager
 * `LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES` (no default): A comma-separated list of additional objectClasses to use when creating an account.  See [Extra objectClasses and attributes](#extra-objectclasses-and-attributes) for more information.
 
 * `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES` (no default): A comma-separated list of extra attributes to display when creating an account.  See [Extra objectClasses and attributes](#extra-objectclasses-and-attributes) for more information.
+
+* `LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES_PERSONAL` (default: *FALSE*): If *TRUE* then user is able to modify all his account additional attributes himself in module "Additional Attributes" (also some account additional attributes have to be set), otherwise just admin is able to update them. Personal account attributes can be e.g. SSH public key.
 
 * `LDAP_GROUP_MEMBERSHIP_USES_UID` (default: *TRUE* or *FALSE*): If *TRUE* then the entry for a member of a group will be just the username, otherwise it's the member's full DN.  When the `groupOfMembers` objectClass is detected or `FORCE_RFC2307BIS` is `TRUE` it  defaults to `FALSE`, otherwise it'll default to `TRUE`. Explicitly setting this variable will override the default.
 
@@ -181,6 +183,24 @@ To send emails you'll need to use an existing SMTP server.  Email sending will b
 
 * `SESSION_TIMEOUT` (default: *10 minutes*):  How long before an idle session will be timed out.
 
+#### Website customization
+
+* `$CUSTOM_LOGO` (default: *FALSE*)*: If this is defined with path to image file, then this image will be displayed in header. You need also mount volume with this file. 
+
+* `$CUSTOM_STYLES` (default: *FALSE*)*:  If this is defined with path to css file, then this style will be used in header. Also helps vith logo positioninig. You need also mount volume with this file.
+
+docker-compose.yml example:
+
+```yaml
+ldap-user-manager:
+  environment:
+    CUSTOM_LOGO: "../gfx/logo.svg"
+    CUSTOM_STYLES: "../css/custom.css"
+  volumes:
+    - '/opt/openldap/www/gfx:/opt/ldap_user_manager/gfx'
+    - '/opt/openldap/www/css:/opt/ldap_user_manager/css'
+```
+
 #### Debugging settings
 
 * `LDAP_DEBUG` (default: *FALSE*): Set to TRUE to increase the logging level for LDAP requests.  This will output passwords to the error log - don't enable this in a production environment.  This is for information on problems updating LDAP records and such.  To debug problems connecting to the LDAP server in the first place use `LDAP_VERBOSE_CONNECTION_LOGS`.

www/additional_attributes/index.php

@@ -0,0 +1,143 @@
+<?php
+
+set_include_path( ".:" . __DIR__ . "/../includes/");
+
+include_once "web_functions.inc.php";
+include_once "ldap_functions.inc.php";
+include_once "module_functions.inc.php";
+
+set_page_access("user");
+
+render_header('Update additional attributes');
+
+$to_update = array();
+
+$attribute_map = ldap_additional_account_attribute_array();
+
+$account_identifier = $USER_ID;
+
+$ldap_connection = open_ldap_connection();
+$ldap_search_query="(${LDAP['account_attribute']}=". ldap_escape($account_identifier, "", LDAP_ESCAPE_FILTER) . ")";
+$ldap_search = ldap_search( $ldap_connection, $LDAP['user_dn'], $ldap_search_query);
+
+
+if ($ldap_search) {
+ $user = ldap_get_entries($ldap_connection, $ldap_search);
+
+ foreach ($attribute_map as $attribute => $attr_r) {
+
+   $$attribute = $user[0][$attribute][0];
+
+   if (isset($_POST['update_account']) and isset($_POST[$attribute]) and $_POST[$attribute] != $$attribute) {
+     $$attribute = filter_var($_POST[$attribute], FILTER_SANITIZE_STRING);
+     $to_update[$attribute] = $$attribute;
+   }
+   elseif (isset($attr_r['default'])) {
+     $$attribute = $attr_r['default'];
+   }
+
+ }
+ $dn = $user[0]['dn'];
+
+
+  ### Update values
+
+ if (isset($_POST['update_account'])) {
+
+  if (array_key_exists($LDAP['account_attribute'], $to_update)) {
+    $new_rdn = "${LDAP['account_attribute']}=${to_update[$LDAP['account_attribute']]}";
+    $renamed_entry = ldap_rename($ldap_connection, $dn, $new_rdn, $LDAP['user_dn'], true);
+    if ($renamed_entry) {
+      $dn = "${new_rdn},${LDAP['user_dn']}";
+      $account_identifier = $to_update[$LDAP['account_attribute']];
+    }
+    else {
+      ldap_get_option($ldap_connection, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detailed_err);
+      error_log("$log_prefix Failed to rename the DN for ${account_identifier}: " . ldap_error($ldap_connection) . " -- " . $detailed_err,0);
+    }
+  }
+
+  $updated_account = @ ldap_mod_replace($ldap_connection, $dn, $to_update);
+  if (!$updated_account) {
+    ldap_get_option($ldap_connection, LDAP_OPT_DIAGNOSTIC_MESSAGE, $detailed_err);
+    error_log("$log_prefix Failed to modify account details for ${account_identifier}: " . ldap_error($ldap_connection) . " -- " . $detailed_err,0);
+  }
+
+  if ($updated_account) {
+   ?>
+   <script>
+     window.setTimeout(function() {
+                                   $(".alert").fadeTo(500, 0).slideUp(500, function(){ $(this).remove(); });
+                                  }, 4000);
+   </script>
+   <div class="alert alert-success" role="alert">
+    <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
+    <p class="text-center">The account has been updated.<?php print $sent_email_message; ?></p>
+   </div>
+  <?php
+  }
+  else {
+   ?>
+   <script>
+     window.setTimeout(function() {
+                                   $(".alert").fadeTo(500, 0).slideUp(500, function(){ $(this).remove(); });
+                                  }, 4000);
+   </script>
+   <div class="alert alert-danger" role="alert">
+    <button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="TRUE">&times;</span></button>
+    <p class="text-center">There was a problem updating the account.  Check the logs for more information.</p>
+   </div>
+  <?php
+  }
+ }
+}
+
+?>
+
+<div class="container">
+ <div class="col-sm-8">
+
+  <div class="panel panel-default"> 
+   <div class="panel-heading text-center">Update your additional attributes</div>
+   <div class="panel-body text-center">
+
+    <form class="form-horizontal" action='' method='post'>
+
+     <input type="hidden" name="update_account">
+     <input type="hidden" id="pass_score" value="0" name="pass_score">
+     <input type="hidden" name="account_identifier" value="<?php print $account_identifier; ?>">
+
+<?php
+
+  foreach ($attribute_map as $attribute => $attr_r) {
+    $label   = $attr_r['label'];
+
+    if ($attribute == $LDAP['account_attribute']) { $label = "<strong>$label</strong><sup>&ast;</sup>"; }
+  ?>
+     <div class="form-group" id="<?php print $attribute; ?>_div">
+      <label for="<?php print $attribute; ?>" class="col-sm-3 control-label"><?php print $label; ?></label>
+      <div class="col-sm-8">
+       <input type="text" class="form-control" id="<?php print $attribute; ?>" name="<?php print $attribute; ?>" value="<?php if (isset($$attribute)) { print $$attribute; } ?>" >
+      </div>
+     </div>
+  <?php
+  }
+?>
+
+     <div class="form-group">
+       <button type="submit" class="btn btn-default">Update account</button>
+     </div>
+
+    </form>
+
+   </div>
+  </div>
+
+ </div>
+</div>
+<?php
+
+render_footer();
+
+?>
+

www/additional_attributes/module_functions.inc.php

@@ -0,0 +1,47 @@
+<?php
+
+
+
+##################################
+
+function ldap_additional_account_attribute_array() {
+
+ global $LDAP;
+
+  $additional_attributes_r = array();
+
+ if (isset($LDAP['account_additional_attributes'])) {
+
+  $user_attribute_r = explode(",", $LDAP['account_additional_attributes']);
+
+  foreach ($user_attribute_r as $this_attr) {
+
+    $this_r = array();
+    $kv = explode(":", $this_attr);
+    $attr_name = strtolower(filter_var($kv[0], FILTER_SANITIZE_STRING));
+
+    if (preg_match('/^[a-zA-Z0-9\-]+$/', $attr_name) == 1) {
+
+     if (isset($kv[1]) and $kv[1] != "") {
+      $this_r['label'] = filter_var($kv[1], FILTER_SANITIZE_STRING);
+     }
+     else {
+      $this_r['label'] = $attr_name;
+     }
+
+     if (isset($kv[2]) and $kv[2] != "") {
+      $this_r['default'] = filter_var($kv[2], FILTER_SANITIZE_STRING);
+     }
+
+     $additional_attributes_r[$attr_name] = $this_r;
+
+   }
+  }
+ }
+
+ return($additional_attributes_r);
+
+}
+
+
+?>

www/includes/config.inc.php

@@ -32,6 +32,8 @@
  if (getenv('LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES')) { $LDAP['account_additional_objectclasses'] = strtolower(getenv('LDAP_ACCOUNT_ADDITIONAL_OBJECTCLASSES')); }
  if (getenv('LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES')) { $LDAP['account_additional_attributes'] = getenv('LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES'); }
 
+ $LDAP['account_additional_attributes_personal'] = ((strcasecmp(getenv('LDAP_ACCOUNT_ADDITIONAL_ATTRIBUTES_PERSONAL'), 'TRUE') == 0) ? TRUE : FALSE);
+
  if (getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE')) { $LDAP['group_membership_attribute'] = getenv('LDAP_GROUP_MEMBERSHIP_ATTRIBUTE'); }
  if (getenv('LDAP_GROUP_MEMBERSHIP_USES_UID')) {
    if (strtoupper(getenv('LDAP_GROUP_MEMBERSHIP_USES_UID')) == TRUE )   { $LDAP['group_membership_uses_uid']  = TRUE;  }
@@ -109,6 +111,9 @@
 
  ###
 
+ $CUSTOM_LOGO = (getenv('CUSTOM_LOGO') ? getenv('CUSTOM_LOGO') : FALSE);
+ $CUSTOM_STYLES = (getenv('CUSTOM_STYLES') ? getenv('CUSTOM_STYLES') : FALSE);
+
  $errors = "";
 
  if (empty($LDAP['uri'])) {

www/includes/modules.inc.php

@@ -7,12 +7,25 @@
  #hidden_on_login = only visible when not logged in
  #admin = need to be logged in as an admin to see it
 
- $MODULES = array(
-                    'log_in'          => 'hidden_on_login',
-                    'change_password' => 'auth',
-                    'account_manager' => 'admin',
-                    'log_out'         => 'auth'
-                  );
+if (isset($LDAP['account_additional_attributes']) && $LDAP['account_additional_attributes_personal']) {
+
+    $MODULES = array(
+        'log_in'                => 'hidden_on_login',
+        'account_manager'       => 'admin',
+        'change_password'       => 'auth',
+        'additional_attributes' => 'auth',
+        'log_out'               => 'auth'
+    );
+
+} else {
+
+    $MODULES = array(
+        'log_in'          => 'hidden_on_login',
+        'account_manager' => 'admin',
+        'change_password' => 'auth',
+        'log_out'         => 'auth'
+    );
+}
 
 if ($ACCOUNT_REQUESTS_ENABLED == TRUE) {
   $MODULES['request_account'] = 'hidden_on_login';

www/includes/web_functions.inc.php

@@ -229,7 +229,7 @@ function log_out($method='normal') {
 
 function render_header($title="",$menu=TRUE) {
 
- global $SITE_NAME, $IS_ADMIN, $SENT_HEADERS, $SERVER_PATH;
+ global $SITE_NAME, $IS_ADMIN, $SENT_HEADERS, $SERVER_PATH, $CUSTOM_STYLES;
 
  if (empty($title)) { $title = $SITE_NAME; }
 
@@ -242,6 +242,7 @@ function render_header($title="",$menu=TRUE) {
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="stylesheet" href="<?php print $SERVER_PATH; ?>bootstrap/css/bootstrap.min.css">
+ <?php if ($CUSTOM_STYLES) echo '<link rel="stylesheet" href="'.$CUSTOM_STYLES.'">' ?>
  <script src="<?php print $SERVER_PATH; ?>js/jquery-3.6.0.min.js"></script>
  <script src="<?php print $SERVER_PATH; ?>bootstrap/js/bootstrap.min.js"></script>
 </HEAD>
@@ -277,14 +278,15 @@ function render_menu() {
  #Render the navigation menu.
  #The menu is dynamically rendered the $MODULES hash
 
- global $SITE_NAME, $MODULES, $THIS_MODULE, $VALIDATED, $IS_ADMIN, $USER_ID, $SERVER_PATH;
+ global $SITE_NAME, $MODULES, $THIS_MODULE, $VALIDATED, $IS_ADMIN, $USER_ID, $SERVER_PATH, $CUSTOM_LOGO;
 
  ?>
   <nav class="navbar navbar-default">
    <div class="container-fluid">
-     <div class="navbar-header">
-       <a class="navbar-brand" href="#"><?php print $SITE_NAME ?></a>
-     </div>
+   <div class="navbar-header"><?php
+      if ($CUSTOM_LOGO) echo '<span class="navbar-brand"><img src="'.$CUSTOM_LOGO.'" class="logo" alt="logo"></span>'
+     ?><a class="navbar-brand" href="./"><?php print $SITE_NAME ?></a>
+   </div>
      <ul class="nav navbar-nav">
      <?php
      foreach ($MODULES as $module => $access) {