|
1
|
|
|
#!/usr/bin/php |
|
2
|
|
|
<?php |
|
3
|
|
|
|
|
4
|
|
|
use Illuminate\Support\Str; |
|
5
|
|
|
use LibreNMS\Authentication\LegacyAuth; |
|
6
|
|
|
use LibreNMS\Config; |
|
|
|
|
|
|
7
|
|
|
use LibreNMS\Util\Debug; |
|
8
|
|
|
|
|
9
|
|
|
$options = getopt('u:rldvh'); |
|
10
|
|
|
if (isset($options['h']) || (! isset($options['l']) && ! isset($options['u']))) { |
|
11
|
|
|
echo ' -u <username> (Required) username to test |
|
12
|
|
|
-l List all users (checks that auth can enumerate all allowed users) |
|
13
|
|
|
-d Enable debug output |
|
14
|
|
|
-v Enable verbose debug output |
|
15
|
|
|
-h Display this help message |
|
16
|
|
|
'; |
|
17
|
|
|
exit; |
|
18
|
|
|
} |
|
19
|
|
|
|
|
20
|
|
|
if (isset($options['d'])) { |
|
21
|
|
|
Debug::set(); |
|
22
|
|
|
} |
|
23
|
|
|
|
|
24
|
|
|
$init_modules = []; |
|
25
|
|
|
require realpath(__DIR__ . '/..') . '/includes/init.php'; |
|
26
|
|
|
|
|
27
|
|
|
if (isset($options['v'])) { |
|
28
|
|
|
// Enable debug mode for auth methods that have it |
|
29
|
|
|
Config::set('auth_ad_debug', 1); |
|
30
|
|
|
Config::set('auth_ldap_debug', 1); |
|
31
|
|
|
} |
|
32
|
|
|
|
|
33
|
|
|
echo 'Authentication Method: ' . Config::get('auth_mechanism') . PHP_EOL; |
|
34
|
|
|
|
|
35
|
|
|
// if ldap like, check selinux |
|
36
|
|
|
if (Config::get('auth_mechanism') == 'ldap' || Config::get('auth_mechanism') == 'active_directory') { |
|
37
|
|
|
$enforce = shell_exec('getenforce 2>/dev/null'); |
|
38
|
|
|
if (Str::contains($enforce, 'Enforcing')) { |
|
39
|
|
|
// has selinux |
|
40
|
|
|
$output = shell_exec('getsebool httpd_can_connect_ldap'); |
|
41
|
|
|
if ($output != "httpd_can_connect_ldap --> on\n") { |
|
42
|
|
|
print_error('You need to run: setsebool -P httpd_can_connect_ldap=1'); |
|
43
|
|
|
exit; |
|
44
|
|
|
} |
|
45
|
|
|
} |
|
46
|
|
|
} |
|
47
|
|
|
try { |
|
48
|
|
|
$authorizer = LegacyAuth::get(); |
|
49
|
|
|
|
|
50
|
|
|
// ldap based auth we should bind before using, otherwise searches may fail due to anonymous bind |
|
51
|
|
|
if (method_exists($authorizer, 'bind')) { |
|
52
|
|
|
$authorizer->bind([]); |
|
53
|
|
|
} |
|
54
|
|
|
|
|
55
|
|
|
// AD bind tests |
|
56
|
|
|
if ($authorizer instanceof \LibreNMS\Authentication\ActiveDirectoryAuthorizer) { |
|
57
|
|
|
// peek inside the class |
|
58
|
|
|
$lc_rp = new ReflectionProperty($authorizer, 'ldap_connection'); |
|
59
|
|
|
$lc_rp->setAccessible(true); |
|
60
|
|
|
$adbind_rm = new ReflectionMethod($authorizer, 'bind'); |
|
61
|
|
|
$adbind_rm->setAccessible(true); |
|
62
|
|
|
|
|
63
|
|
|
$bind_success = false; |
|
64
|
|
|
if (Config::has('auth_ad_binduser') && Config::has('auth_ad_bindpassword')) { |
|
65
|
|
|
$bind_success = $adbind_rm->invoke($authorizer, false, true); |
|
66
|
|
|
if (! $bind_success) { |
|
67
|
|
|
$ldap_error = ldap_error($lc_rp->getValue($authorizer)); |
|
68
|
|
|
echo $ldap_error . PHP_EOL; |
|
69
|
|
|
if ($ldap_error == 'Invalid credentials') { |
|
70
|
|
|
print_error('AD bind failed for user ' . Config::get('auth_ad_binduser') . '@' . Config::get('auth_ad_domain') . |
|
71
|
|
|
'. Check \'auth_ad_binduser\' and \'auth_ad_bindpassword\' in your config'); |
|
72
|
|
|
} |
|
73
|
|
|
} else { |
|
74
|
|
|
print_message('AD bind success'); |
|
75
|
|
|
} |
|
76
|
|
|
} else { |
|
77
|
|
|
$bind_success = $adbind_rm->invoke($authorizer, true, true); |
|
78
|
|
|
if (! $bind_success) { |
|
79
|
|
|
echo ldap_error($lc_rp->getValue($authorizer)) . PHP_EOL; |
|
80
|
|
|
print_message('Could not anonymous bind to AD'); |
|
81
|
|
|
} else { |
|
82
|
|
|
print_message('AD bind anonymous successful'); |
|
83
|
|
|
} |
|
84
|
|
|
} |
|
85
|
|
|
|
|
86
|
|
|
if (! $bind_success) { |
|
87
|
|
|
print_error('Could not bind to AD, you will not be able to use the API or alert AD users'); |
|
88
|
|
|
} |
|
89
|
|
|
} |
|
90
|
|
|
|
|
91
|
|
|
if (isset($options['l'])) { |
|
92
|
|
|
$users = $authorizer->getUserlist(); |
|
93
|
|
|
$output = array_map(function ($user) { |
|
94
|
|
|
return "{$user['username']} ({$user['user_id']})"; |
|
95
|
|
|
}, $users); |
|
96
|
|
|
|
|
97
|
|
|
echo 'Users: ' . implode(', ', $output) . PHP_EOL; |
|
98
|
|
|
echo 'Total users: ' . count($users) . PHP_EOL; |
|
99
|
|
|
exit; |
|
100
|
|
|
} |
|
101
|
|
|
|
|
102
|
|
|
$test_username = $options['u']; |
|
103
|
|
|
$auth = false; |
|
104
|
|
|
|
|
105
|
|
|
echo 'Password: '; |
|
106
|
|
|
`stty -echo`; |
|
107
|
|
|
$test_password = trim(fgets(STDIN)); |
|
108
|
|
|
`stty echo`; |
|
109
|
|
|
echo PHP_EOL; |
|
110
|
|
|
|
|
111
|
|
|
echo "Authenticate user $test_username: \n"; |
|
112
|
|
|
$auth = $authorizer->authenticate(['username' => $test_username, 'password' => $test_password]); |
|
113
|
|
|
unset($test_password); |
|
114
|
|
|
|
|
115
|
|
|
if ($auth) { |
|
116
|
|
|
print_message("AUTH SUCCESS\n"); |
|
117
|
|
|
} else { |
|
118
|
|
|
if (isset($ldap_connection)) { |
|
119
|
|
|
echo ldap_error($ldap_connection) . PHP_EOL; |
|
120
|
|
|
} |
|
121
|
|
|
print_error('AUTH FAILURE'); |
|
122
|
|
|
} |
|
123
|
|
|
|
|
124
|
|
|
if ($auth) { |
|
125
|
|
|
$user_id = $authorizer->getUserid($test_username); |
|
126
|
|
|
|
|
127
|
|
|
echo "User ($user_id):\n"; |
|
128
|
|
|
if (method_exists($authorizer, 'getUser')) { |
|
129
|
|
|
$user = $authorizer->getUser($user_id); |
|
130
|
|
|
|
|
131
|
|
|
unset($user['password']); |
|
132
|
|
|
unset($user['remember_token']); |
|
133
|
|
|
foreach ($user as $property => $value) { |
|
134
|
|
|
echo " $property => $value\n"; |
|
135
|
|
|
} |
|
136
|
|
|
} |
|
137
|
|
|
|
|
138
|
|
|
if (method_exists($authorizer, 'getGroupList')) { |
|
139
|
|
|
echo 'Groups: ' . implode('; ', $authorizer->getGroupList()) . PHP_EOL; |
|
140
|
|
|
} |
|
141
|
|
|
} |
|
142
|
|
|
} catch (Exception $e) { |
|
143
|
|
|
echo 'Error: ' . get_class($e) . " thrown!\n"; |
|
144
|
|
|
echo $e->getMessage() . PHP_EOL; |
|
145
|
|
|
} |
|
146
|
|
|
|
librenms /
librenms
Jellyfrog
Let?s assume that you have a directory layout like this:
. |-- OtherDir | |-- Bar.php | `-- Foo.php `-- SomeDir `-- Foo.phpand let?s assume the following content of
Bar.php:If both files
OtherDir/Foo.phpandSomeDir/Foo.phpare loaded in the same runtime, you will see a PHP error such as the following:PHP Fatal error: Cannot use SomeDir\Foo as Foo because the name is already in use in OtherDir/Foo.phpHowever, as
OtherDir/Foo.phpdoes not necessarily have to be loaded and the error is only triggered if it is loaded beforeOtherDir/Bar.php, this problem might go unnoticed for a while. In order to prevent this error from surfacing, you must import the namespace with a different alias: