Got most of the stages working for the LDAP troubleshooter
This commit is contained in:
parent
8cd5ec6799
commit
ffd8f583b4
@ -67,7 +67,7 @@ class LdapTroubleshooter extends Command
|
||||||
exit(-1);
|
exit(-1);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
$settings = Setting::first();
|
$settings = Setting::getSettings();
|
||||||
//$this->line(print_r($settings,true));
|
//$this->line(print_r($settings,true));
|
||||||
$this->info("STAGE 1: Checking settings");
|
$this->info("STAGE 1: Checking settings");
|
||||||
if(!$settings->ldap_enabled) {
|
if(!$settings->ldap_enabled) {
|
||||||
|
@ -109,7 +109,11 @@ class LdapTroubleshooter extends Command
|
||||||
$this->error("ERROR: DNS lookup of host: ".$parsed['host']." has failed. ABORTING.");
|
$this->error("ERROR: DNS lookup of host: ".$parsed['host']." has failed. ABORTING.");
|
||||||
exit(-1);
|
exit(-1);
|
||||||
}
|
}
|
||||||
|
$this->info("IP's? ".print_r($ips,true));
|
||||||
foreach($ips as $ip) {
|
foreach($ips as $ip) {
|
||||||
|
if(!isset($ip['ip'])) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
$raw_ips[]=$ip['ip'];
|
$raw_ips[]=$ip['ip'];
|
||||||
if($ip['ip'] == "127.0.0.1") {
|
if($ip['ip'] == "127.0.0.1") {
|
||||||
$this->error("WARNING: Using the localhost IP as the LDAP server. This is usually wrong");
|
$this->error("WARNING: Using the localhost IP as the LDAP server. This is usually wrong");
|
||||||
|
@ -153,12 +157,14 @@ class LdapTroubleshooter extends Command
|
||||||
$this->info("STAGE 3: Determine encryption algorithm, if any");
|
$this->info("STAGE 3: Determine encryption algorithm, if any");
|
||||||
|
|
||||||
$ldap_urls = [];
|
$ldap_urls = [];
|
||||||
|
$pretty_ldap_urls = [];
|
||||||
foreach($open_ports as $port) {
|
foreach($open_ports as $port) {
|
||||||
$this->line("Trying TLS first for port $port");
|
$this->line("Trying TLS first for port $port");
|
||||||
$ldap_url = "ldaps://".$parsed['host'].":$port";
|
$ldap_url = "ldaps://".$parsed['host'].":$port";
|
||||||
if($this->test_anonymous_bind($ldap_url)) {
|
if($this->test_anonymous_bind($ldap_url)) {
|
||||||
$this->info("Anonymous bind succesful to $ldap_url!");
|
$this->info("Anonymous bind succesful to $ldap_url!");
|
||||||
$ldap_urls[] = [ $ldap_url, true, false ];
|
$ldap_urls[] = [ $ldap_url, true, false ];
|
||||||
|
$pretty_ldap_urls[] = [ $ldap_url, "YES", "no" ];
|
||||||
continue; // TODO - lots of copypasta in these if(test_anonymous_bind()) routines...
|
continue; // TODO - lots of copypasta in these if(test_anonymous_bind()) routines...
|
||||||
} else {
|
} else {
|
||||||
$this->error("WARNING: Failed to bind to $ldap_url - trying without certificate checks.");
|
$this->error("WARNING: Failed to bind to $ldap_url - trying without certificate checks.");
|
||||||
|
@ -167,6 +173,7 @@ class LdapTroubleshooter extends Command
|
||||||
if($this->test_anonymous_bind($ldap_url, false)) {
|
if($this->test_anonymous_bind($ldap_url, false)) {
|
||||||
$this->info("Anonymous bind succesful to $ldap_url with certifcate-checks disabled");
|
$this->info("Anonymous bind succesful to $ldap_url with certifcate-checks disabled");
|
||||||
$ldap_urls[] = [ $ldap_url, false, false ];
|
$ldap_urls[] = [ $ldap_url, false, false ];
|
||||||
|
$pretty_ldap_urls[] = [ $ldap_url, "no", "no" ];
|
||||||
continue;
|
continue;
|
||||||
} else {
|
} else {
|
||||||
$this->error("WARNING: Failed to bind to $ldap_url with certificate checks disabled. Trying unencrypted with STARTTLS");
|
$this->error("WARNING: Failed to bind to $ldap_url with certificate checks disabled. Trying unencrypted with STARTTLS");
|
||||||
|
@ -176,6 +183,7 @@ class LdapTroubleshooter extends Command
|
||||||
if($this->test_anonymous_bind($ldap_url, true, true)) {
|
if($this->test_anonymous_bind($ldap_url, true, true)) {
|
||||||
$this->info("Plain connection to $ldap_url with STARTTLS succesful!");
|
$this->info("Plain connection to $ldap_url with STARTTLS succesful!");
|
||||||
$ldap_urls[] = [ $ldap_url, true, false ];
|
$ldap_urls[] = [ $ldap_url, true, false ];
|
||||||
|
$pretty_ldap_urls[] = [ $ldap_url, "YES", "no" ];
|
||||||
continue;
|
continue;
|
||||||
} else {
|
} else {
|
||||||
$this->error("WARNING: Failed to bind to $ldap_url with STARTTLS enabled. Trying without STARTTLS");
|
$this->error("WARNING: Failed to bind to $ldap_url with STARTTLS enabled. Trying without STARTTLS");
|
||||||
|
@ -184,24 +192,52 @@ class LdapTroubleshooter extends Command
|
||||||
if($this->test_anonymous_bind($ldap_url)) {
|
if($this->test_anonymous_bind($ldap_url)) {
|
||||||
$this->info("Plain connection to $ldap_url succesful!");
|
$this->info("Plain connection to $ldap_url succesful!");
|
||||||
$ldap_urls[] = [ $ldap_url, true, false ];
|
$ldap_urls[] = [ $ldap_url, true, false ];
|
||||||
|
$pretty_ldap_urls[] = [ $ldap_url, "YES", false ];
|
||||||
continue;
|
continue;
|
||||||
} else {
|
} else {
|
||||||
$this->error("WARNING: Failed to bind to $ldap_url. Giving up on port $port");
|
$this->error("WARNING: Failed to bind to $ldap_url. Giving up on port $port");
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
$this->info(print_r($ldap_urls,true));
|
||||||
|
|
||||||
if(count($ldap_urls) > 0 ) {
|
if(count($ldap_urls) > 0 ) {
|
||||||
$this->info("Found working LDAP URL's: ");
|
$this->info("Found working LDAP URL's: ");
|
||||||
foreach($ldap_urls as $ldap_url) { // TODO maybe do this as a $this->table() instead?
|
foreach($ldap_urls as $ldap_url) { // TODO maybe do this as a $this->table() instead?
|
||||||
|
$this->info("LDAP URL: ".$ldap_url[0]);
|
||||||
$this->info($ldap_url[0]. ($ldap_url[1] ? " certificate checks enabled" : " certificate checks disabled"). $ldap_url[2] ? " STARTTLS Enabled ": " STARTTLS Disabled");
|
$this->info($ldap_url[0]. ($ldap_url[1] ? " certificate checks enabled" : " certificate checks disabled"). $ldap_url[2] ? " STARTTLS Enabled ": " STARTTLS Disabled");
|
||||||
}
|
}
|
||||||
|
$this->table(["URL", "Cert Checks Enabled?", "STARTTLS Enabled?"],$pretty_ldap_urls);
|
||||||
|
} else {
|
||||||
|
$this->error("ERROR - no valid LDAP URL's available - ABORTING");
|
||||||
|
}
|
||||||
|
|
||||||
|
$this->info("STAGE 4: Test Administrative Bind for LDAP Sync");
|
||||||
|
foreach($ldap_urls AS $ldap_url) {
|
||||||
|
$this->test_authed_bind($ldap_url[0], $ldap_url[1], $ldap_url[2], $settings->ldap_uname, \Crypt::decrypt($settings->ldap_pword));
|
||||||
|
}
|
||||||
|
|
||||||
|
$this->info("STAGE 5: Test LDAP Login to Snipe-IT");
|
||||||
|
foreach($ldap_urls AS $ldap_url) {
|
||||||
|
$this->info("Starting auth to ".$ldap_url[0]);
|
||||||
|
while(true) {
|
||||||
|
if(!$this->confirm('Do you wish to try to authenticate to the directory?')) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
$username = $this->ask("Username");
|
||||||
|
$password = $this->secret("Password");
|
||||||
|
$this->test_authed_bind($ldap_url[0], $ldap_url[1], $ldap_url[2], $username, $password);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
public function test_anonymous_bind($ldap_url, $check_cert = true, $start_tls = false)
|
$this->info("LDAP TROUBLESHOOTING COMPLETE!");
|
||||||
|
}
|
||||||
|
|
||||||
|
public function connect_to_ldap($ldap_url, $check_cert, $start_tls)
|
||||||
{
|
{
|
||||||
try {
|
|
||||||
$lconn = ldap_connect($ldap_url);
|
$lconn = ldap_connect($ldap_url);
|
||||||
|
ldap_set_option($lconn,LDAP_OPT_PROTOCOL_VERSION,3); // should we 'test' different protocol versions here? Does anyone even use anything other than LDAPv3?
|
||||||
|
// no - it's formally deprecated: https://tools.ietf.org/html/rfc3494
|
||||||
if(!$check_cert) {
|
if(!$check_cert) {
|
||||||
ldap_set_option($lconn, LDAP_OPT_X_TLS_REQUIRE_CERT, 0);
|
ldap_set_option($lconn, LDAP_OPT_X_TLS_REQUIRE_CERT, 0);
|
||||||
}
|
}
|
||||||
|
@ -215,10 +251,33 @@ class LdapTroubleshooter extends Command
|
||||||
$this->error("WARNING: Failed to generate connection string - using: ".$ldap_url);
|
$this->error("WARNING: Failed to generate connection string - using: ".$ldap_url);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
return $lconn;
|
||||||
|
}
|
||||||
|
|
||||||
|
public function test_anonymous_bind($ldap_url, $check_cert = true, $start_tls = false)
|
||||||
|
{
|
||||||
|
try {
|
||||||
|
$lconn = $this->connect_to_ldap($ldap_url,$check_cert,$start_tls);
|
||||||
return ldap_bind($lconn);
|
return ldap_bind($lconn);
|
||||||
} catch (Exception $e) {
|
} catch (Exception $e) {
|
||||||
$this->error("WARNING: Exception caught during bind - ".$e->getMessage());
|
$this->error("WARNING: Exception caught during bind - ".$e->getMessage());
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function test_authed_bind($ldap_url, $check_cert, $start_tls, $username, $password)
|
||||||
|
{
|
||||||
|
try {
|
||||||
|
$lconn = $this->connect_to_ldap($ldap_url,$check_cert,$start_tls);
|
||||||
|
$bind_results = ldap_bind($lconn,$username,$password);
|
||||||
|
if(!$bind_results) {
|
||||||
|
$this->error("WARNING: Failed to bind to $ldap_url as $username");
|
||||||
|
} else {
|
||||||
|
$this->info("SUCCESS - Able to bind to $ldap_url as $username");
|
||||||
|
}
|
||||||
|
return $bind_results;
|
||||||
|
} catch (Exception $e) {
|
||||||
|
$this->error("WARNING: Exception caught during Admin bind - ".$e->getMessage());
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
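Review bot: Stage 4 at `\Crypt::decrypt($settings->ldap_pword)` binds with the decrypted directory admin password to every entry in `$ldap_urls`, including the ones recorded with certificate checks disabled (`[ $ldap_url, false, false ]`) and the plain-connection fallback that succeeded without TLS or STARTTLS, so the troubleshooter can send that credential over an unauthenticated or unencrypted channel without telling the operator (the enclosing method starts before the first hunk shown). A guard before the `test_authed_bind` call such as `if (!$ldap_url[1] && !$this->confirm("Send admin credentials to {$ldap_url[0]} without certificate checks?")) { continue; }` would make that explicit. The STARTTLS success branch also records the wrong flags: after `test_anonymous_bind($ldap_url, true, true)` succeeds it appends `[ $ldap_url, true, false ]` and the new `[ $ldap_url, "YES", "no" ]`, so stages 4 and 5 reconnect to that URL without STARTTLS and the table reports it as disabled; the third elements should be `true` and `"YES"`, and the plain-connection row should use `"no"` rather than `false` to match the other rows. The summary line `$this->info($ldap_url[0]. (...) . $ldap_url[2] ? " STARTTLS Enabled ": " STARTTLS Disabled")` is affected by `.` binding tighter than `?:` in PHP, so the whole concatenation becomes the condition and it always prints " STARTTLS Enabled "; wrap the ternary in parentheses. Finally, `test_authed_bind` returns nothing from its `catch` block, so a caller checking the result would see null rather than `false`; add `return false;` after the error line.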