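#!/usr/bin/php
<?php

use Illuminate\Support\Str;
use LibreNMS\Authentication\LegacyAuth;
use LibreNMS\Config;
use LibreNMS\Util\Debug;

/*
 * Authentication diagnostic script.
 *
 * Exercises the authorizer selected by the 'auth_mechanism' config value:
 *   -u <username>  prompt for a password and run a real authenticate() call,
 *                  then print the resolved user record and group list
 *   -l             enumerate every user the backend knows about
 *   -d / -v        LibreNMS debug output / backend (AD, LDAP) debug output
 *
 * For LDAP-like backends it also checks the SELinux 'httpd_can_connect_ldap'
 * boolean, since the web server cannot reach the directory without it.
 */

$options = getopt('u:rldvh');
if (isset($options['h']) || (! isset($options['l']) && ! isset($options['u']))) {
    echo ' -u <username> (Required) username to test
 -l List all users (checks that auth can enumerate all allowed users)
 -d Enable debug output
 -v Enable verbose debug output
 -h Display this help message
';
    exit;
}

if (isset($options['d'])) {
    Debug::set();
}

$init_modules = [];
require realpath(__DIR__ . '/..') . '/includes/init.php';

if (isset($options['v'])) {
    // Enable debug mode for auth methods that have it
    Config::set('auth_ad_debug', 1);
    Config::set('auth_ldap_debug', 1);
}

$auth_mechanism = Config::get('auth_mechanism');
echo 'Authentication Method: ' . $auth_mechanism . PHP_EOL;

// if ldap like, check selinux: with SELinux enforcing, httpd needs this boolean to open LDAP sockets
if (in_array($auth_mechanism, ['ldap', 'active_directory'], true)) {
    // shell_exec() yields null/false when the tool is missing; normalise to '' before string checks
    $enforce = (string) shell_exec('getenforce 2>/dev/null');
    if (Str::contains($enforce, 'Enforcing')) {
        // has selinux
        $sebool = (string) shell_exec('getsebool httpd_can_connect_ldap');
        if (trim($sebool) !== 'httpd_can_connect_ldap --> on') {
            print_error('You need to run: setsebool -P httpd_can_connect_ldap=1');
            exit;
        }
    }
}

try {
    $authorizer = LegacyAuth::get();

    // ldap based auth we should bind before using, otherwise searches may fail due to anonymous bind
    if (method_exists($authorizer, 'bind')) {
        $authorizer->bind([]);
    }

    // AD bind tests
    if ($authorizer instanceof \LibreNMS\Authentication\ActiveDirectoryAuthorizer) {
        // peek inside the class so the raw ldap connection can be queried with ldap_error()
        $lc_rp = new ReflectionProperty($authorizer, 'ldap_connection');
        $lc_rp->setAccessible(true);
        $adbind_rm = new ReflectionMethod($authorizer, 'bind');
        $adbind_rm->setAccessible(true);

        $bind_success = false;
        if (Config::has('auth_ad_binduser') && Config::has('auth_ad_bindpassword')) {
            // credentialed bind with the configured service account
            $bind_success = $adbind_rm->invoke($authorizer, false, true);
            if (! $bind_success) {
                $ldap_error = ldap_error($lc_rp->getValue($authorizer));
                echo $ldap_error . PHP_EOL;
                if ($ldap_error === 'Invalid credentials') {
                    print_error('AD bind failed for user ' . Config::get('auth_ad_binduser') . '@' . Config::get('auth_ad_domain') .
                        '. Check \'auth_ad_binduser\' and \'auth_ad_bindpassword\' in your config');
                }
            } else {
                print_message('AD bind success');
            }
        } else {
            // no service account configured: try an anonymous bind instead
            $bind_success = $adbind_rm->invoke($authorizer, true, true);
            if (! $bind_success) {
                echo ldap_error($lc_rp->getValue($authorizer)) . PHP_EOL;
                print_message('Could not anonymous bind to AD');
            } else {
                print_message('AD bind anonymous successful');
            }
        }

        if (! $bind_success) {
            print_error('Could not bind to AD, you will not be able to use the API or alert AD users');
        }
    }

    if (isset($options['l'])) {
        $users = $authorizer->getUserlist();
        $output = array_map(static function ($user) {
            return "{$user['username']} ({$user['user_id']})";
        }, $users);

        echo 'Users: ' . implode(', ', $output) . PHP_EOL;
        echo 'Total users: ' . count($users) . PHP_EOL;
        exit;
    }

    $test_username = $options['u'];
    $auth = false;

    // Read the password with terminal echo disabled; the finally block makes sure
    // echo is turned back on even if reading from STDIN throws.
    echo 'Password: ';
    shell_exec('stty -echo');
    try {
        $line = fgets(STDIN);
    } finally {
        shell_exec('stty echo');
    }
    echo PHP_EOL;
    // Strip only the line terminator: leading/trailing spaces may be part of the
    // password, and the web login form does not trim them either.
    $test_password = $line === false ? '' : rtrim($line, "\r\n");

    echo "Authenticate user $test_username: \n";
    $auth = $authorizer->authenticate(['username' => $test_username, 'password' => $test_password]);
    unset($test_password);

    if ($auth) {
        print_message("AUTH SUCCESS\n");
    } else {
        // for AD the raw connection is reachable through the reflection property set up above
        if (isset($lc_rp)) {
            echo ldap_error($lc_rp->getValue($authorizer)) . PHP_EOL;
        }
        print_error('AUTH FAILURE');
    }

    if ($auth) {
        $user_id = $authorizer->getUserid($test_username);

        echo "User ($user_id):\n";
        if (method_exists($authorizer, 'getUser')) {
            $user = $authorizer->getUser($user_id);

            // never print credential material, even in a diagnostic
            unset($user['password']);
            unset($user['remember_token']);
            foreach ($user as $property => $value) {
                echo " $property => $value\n";
            }
        }

        if (method_exists($authorizer, 'getGroupList')) {
            echo 'Groups: ' . implode('; ', $authorizer->getGroupList()) . PHP_EOL;
        }
    }
} catch (Exception $e) {
    echo 'Error: ' . get_class($e) . " thrown!\n";
    echo $e->getMessage() . PHP_EOL;
}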