LDAP Account Manager

security.inc

This file includes functions to perform several security checks on each page load.

Tags
author

Roland Gruber

Table of Contents

lam_start_session()  : mixed
Starts a session and sets the cookie options.
lamDefaultCookieOptions()  : array<string|int, mixed>
startSecureSession()  : bool
Starts a session and checks the environment.
isFileBasedSession()  : bool
Returns whether the session uses file-based storage.
checkClientIP()  : mixed
Checks if the client's IP address is on the list of allowed IPs.
logoffAndBackToLoginPage()  : mixed
Logs off the user and displays the login page.
isDebugLoggingEnabled()  : bool
Returns whether debug messages are to be logged.
logNewMessage()  : void
Puts a new message in the log file.
checkIfWriteAccessIsAllowed()  : bool
Checks if write access to LDAP is allowed.
checkIfPasswordChangeIsAllowed()  : bool
Checks if passwords may be changed.
checkIfNewEntriesAreAllowed()  : bool
Checks if it is allowed to create new LDAP entries of the given type.
checkIfDeleteEntriesIsAllowed()  : bool
Checks if it is allowed to delete LDAP entries of the given type.
checkPasswordStrength()  : mixed
Checks if the password fulfills the password policies.
checkPwdWithExternalPasswordService()  : bool
Checks the password against the external password service.
checkIfToolIsActive()  : mixed
Checks if the given tool is active.
isLoggedIn()  : bool
Returns whether the user is logged in.
getClientIPForLogging()  : string
Returns the client IP and, if any, the comma-separated proxy IPs (HTTP_X_FORWARDED_FOR, HTTP_X_REAL_IP).
getLamLdapUser()  : string
Returns the login dn of the current user.
addSecurityTokenToSession()  : void
Adds a security token to the session to prevent CSRF attacks.
validateSecurityToken()  : mixed
Checks if the security token from SESSION matches POST data.
addSecurityTokenToMetaHTML()  : mixed
Adds a hidden input field to the given meta HTML table.
getSecurityTokenName()  : string
Returns the name of the security token parameter.
getSecurityTokenValue()  : string
Returns the value of the security token parameter.
setLAMHeaders()  : mixed
Sets the X-Frame-Options and Content-Security-Policy headers to prevent clickjacking.
lamEncrypt()  : object
Encrypts a string.
lamDecrypt()  : string
Decrypts a string.
lamEncryptionAlgo()  : string
Returns the encryption algorithm to use.
lamLogRemoteMessage()  : mixed
Logs a message to a remote logging service.

Functions

lam_start_session()

Starts a session and sets the cookie options.

lam_start_session() : mixed
Return values
mixed

lamDefaultCookieOptions()

lamDefaultCookieOptions() : array<string|int, mixed>
Return values
array<string|int, mixed>

startSecureSession()

Starts a session and checks the environment.

startSecureSession([bool $redirectToLogin = true ][, bool $initSecureData = false ]) : bool

The script is stopped if one of the checks fails (the timeout redirection may be overridden).

Parameters
$redirectToLogin : bool = true

redirect user to login page (default: true)

$initSecureData : bool = false

init verification data like session ID and client IP (default: false)

Return values
bool

true if all ok, false if session expired

isFileBasedSession()

Returns whether the session uses file-based storage.

isFileBasedSession() : bool
Return values
bool

file based session

checkClientIP()

Checks if the client's IP address is on the list of allowed IPs.

checkClientIP() : mixed

The script is stopped if the host is not valid.

Return values
mixed

logoffAndBackToLoginPage()

Logs off the user and displays the login page.

logoffAndBackToLoginPage() : mixed
Return values
mixed

isDebugLoggingEnabled()

Returns whether debug messages are to be logged.

isDebugLoggingEnabled() : bool
Return values
bool

debug enabled

logNewMessage()

Puts a new message in the log file.

logNewMessage(string $level, string $message) : void
Parameters
$level : string

log level (LOG_DEBUG, LOG_NOTICE, LOG_WARNING, LOG_ERR)

$message : string

log message

Return values
void

checkIfWriteAccessIsAllowed()

Checks if write access to LDAP is allowed.

checkIfWriteAccessIsAllowed([string $scope = null ]) : bool
Parameters
$scope : string = null

account type (e.g. user)

Return values
bool

true, if allowed

checkIfPasswordChangeIsAllowed()

Checks if passwords may be changed.

checkIfPasswordChangeIsAllowed() : bool
Return values
bool

true, if allowed

checkIfNewEntriesAreAllowed()

Checks if it is allowed to create new LDAP entries of the given type.

checkIfNewEntriesAreAllowed(string $scope) : bool

This also checks if general write access is enabled.

Parameters
$scope : string

account type (e.g. 'user')

Return values
bool

true, if new entries are allowed

checkIfDeleteEntriesIsAllowed()

Checks if it is allowed to delete LDAP entries of the given type.

checkIfDeleteEntriesIsAllowed(string $scope) : bool
Parameters
$scope : string

account type (e.g. 'user')

Return values
bool

true, if entries may be deleted

checkPasswordStrength()

Checks if the password fulfills the password policies.

checkPasswordStrength(string $password, string|array<string|int, mixed> $userNames, array<string|int, mixed> $otherUserAttrs) : mixed
Parameters
$password : string

password

$userNames : string|array<string|int, mixed>

user name(s)

$otherUserAttrs : array<string|int, mixed>

user's first/last name

Return values
mixed

true if ok, string with error message if not valid

checkPwdWithExternalPasswordService()

Checks the password against the external password service.

checkPwdWithExternalPasswordService(LAMCfgMain $cfg, string $password) : bool
Parameters
$cfg : LAMCfgMain

main configuration

$password : string

password

Return values
bool

password accepted as secure

checkIfToolIsActive()

Checks if the given tool is active.

checkIfToolIsActive(string $tool) : mixed

Otherwise, an error message is logged and the execution is stopped (die()).

Parameters
$tool : string

tool class name (e.g. toolFileUpload)

Return values
mixed

isLoggedIn()

Returns whether the user is logged in.

isLoggedIn() : bool
Return values
bool

is logged in

getClientIPForLogging()

Returns the client IP and, if any, the comma-separated proxy IPs (HTTP_X_FORWARDED_FOR, HTTP_X_REAL_IP).

getClientIPForLogging() : string
Return values
string

client IP (e.g. 10.10.10.10,11.11.11.11)

getLamLdapUser()

Returns the login dn of the current user.

getLamLdapUser() : string
Return values
string

user DN

addSecurityTokenToSession()

Adds a security token to the session to prevent CSRF attacks.

addSecurityTokenToSession([bool $overwrite = true ]) : void
Parameters
$overwrite : bool = true

overwrite existing token

Return values
void

validateSecurityToken()

Checks if the security token from SESSION matches POST data.

validateSecurityToken() : mixed
Return values
mixed

getSecurityTokenName()

Returns the name of the security token parameter.

getSecurityTokenName() : string
Return values
string

name

getSecurityTokenValue()

Returns the value of the security token parameter.

getSecurityTokenValue() : string
Return values
string

value

setLAMHeaders()

Sets the X-Frame-Options and Content-Security-Policy headers to prevent clickjacking.

setLAMHeaders() : mixed
Return values
mixed

lamEncrypt()

Encrypts a string.

lamEncrypt(string $data[, string $prefix = '' ]) : object
Parameters
$data : string

string to encrypt

$prefix : string = ''

prefix for cookie names

Return values
object

encrypted string

lamDecrypt()

Decrypts a string.

lamDecrypt(object $data[, string $prefix = '' ]) : string
Parameters
$data : object

string to decrypt

$prefix : string = ''

prefix for cookie names

Return values
string

decrypted string

lamEncryptionAlgo()

Returns the encryption algorithm to use.

lamEncryptionAlgo() : string
Return values
string

algorithm name

lamLogRemoteMessage()

Logs a message to a remote logging service.

lamLogRemoteMessage(int $level, string $message, LAMCfgMain $cfgMain) : mixed
Parameters
$level : int

log level

$message : string

log message

$cfgMain : LAMCfgMain

main configuration

Return values
mixed