apr 19 update

jails/config/r-ldap-mgr/config.php.phpldapadmin.github

@@ -71,6 +71,31 @@
    environments. */
 #  $config->custom->password['no_random_crypt_salt'] = true;
 
+/* If you want to restrict password available types (encryption algorithms)
+	 Should be subset of:
+	 array(
+		''=>'clear',
+		'bcrypt'=>'bcrypt',
+		'blowfish'=>'blowfish',
+		'crypt'=>'crypt',
+		'ext_des'=>'ext_des',
+		'md5'=>'md5',
+		'k5key'=>'k5key',
+		'md5crypt'=>'md5crypt',
+		'sha'=>'sha',
+		'smd5'=>'smd5',
+		'ssha'=>'ssha',
+		'sha256'=>'sha256',
+		'ssha256'=>'ssha256',
+		'sha384'=>'sha384',
+		'ssha384'=>'ssha384',
+		'sha512'=>'sha512',
+		'ssha512'=>'ssha512',
+		'sha256crypt'=>'sha256crypt',
+		'sha512crypt'=>'sha512crypt',
+	 )*/
+#  $config->custom->password['available_types'] = array(''=>'clear','md5'=>'md5');
+
 /* PHP script timeout control. If php runs longer than this many seconds then
    PHP will stop with an Maximum Execution time error. Increase this value from
    the default if queries to your LDAP server are slow. The default is either
@@ -173,6 +198,10 @@ $config->custom->commands['script'] = array(
 // $config->custom->appearance['tree_width'] = null;
 #  $config->custom->appearance['tree_width'] = 250;
 
+/* Number of tree command icons to show, 0 = show all icons on 1 row. */
+// $config->custom->appearance['tree_icons'] = 0;
+#  $config->custom->appearance['tree_icons'] = 4;
+
 /* Confirm create and update operations, allowing you to review the changes
    and optionally skip attributes during the create/update operation. */
 // $config->custom->confirm['create'] = true;
@@ -235,7 +264,7 @@ $config->custom->appearance['friendly_attrs'] = array(
  *********************************************/
 
 /* Add "modify group members" link to the attribute. */
-// $config->custom->modify_member['groupattr'] = array('member','uniqueMember','memberUid');
+// $config->custom->modify_member['groupattr'] = array('member','uniqueMember','memberUid','sudoUser');
 
 /* Configure filter for member search. This only applies to "modify group members" feature */
 // $config->custom->modify_member['filter'] = '(objectclass=Person)';
@@ -283,7 +312,7 @@ $servers->newServer('ldap_pla');
 
 /* A convenient name that will appear in the tree viewer and throughout
    phpLDAPadmin to identify this LDAP server to users. */
-$servers->setValue('server','name','BeyondBell infra LDAP Server');
+$servers->setValue('server','name','infra LDAP Server');
 
 /* Examples:
    'ldap.example.com',
@@ -297,7 +326,7 @@ $servers->setValue('server','port',636);
 
 /* Array of base DNs of your LDAP server. Leave this blank to have phpLDAPadmin
    auto-detect it for you. */
-$servers->setValue('server','base',array('dc=beyondbell,dc=com'));
+$servers->setValue('server','base',array('dc=infra'));
 
 /* Five options for auth_type:
    1. 'cookie': you will login via a web form, and a client-side cookie will
@@ -310,12 +339,13 @@ $servers->setValue('server','base',array('dc=beyondbell,dc=com'));
       login will be required to use phpLDAPadmin for this server.
    5. 'sasl': login will be taken from the webserver's kerberos authentication.
       Currently only GSSAPI has been tested (using mod_auth_kerb).
+   6. 'sasl_external': login will be taken from SASL external mechanism.
 
    Choose wisely to protect your authentication information appropriately for
    your situation. If you choose 'cookie', your cookie contents will be
    encrypted using blowfish and the secret your specify above as
    session['blowfish']. */
-$servers->setValue('login','auth_type','cookie');
+// $servers->setValue('login','auth_type','session');
 
 /* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or
    'cookie','session' or 'sasl' auth_types, LEAVE THE LOGIN_DN AND LOGIN_PASS
@@ -323,7 +353,7 @@ $servers->setValue('login','auth_type','cookie');
    auth_type, then you can also specify the bind_id/bind_pass here for searching
    the directory for users (ie, if your LDAP server does not allow anonymous
    binds. */
-$servers->setValue('login','bind_id','cn=Manager,dc=beyondbell,dc=com');
+$servers->setValue('login','bind_id','cn=admin,dc=infra');
 #  $servers->setValue('login','bind_id','cn=Manager,dc=example,dc=com');
 
 /* Your LDAP password. If you specified an empty bind_id above, this MUST also
@@ -334,6 +364,22 @@ $servers->setValue('login','bind_pass','');
 /* Use TLS (Transport Layer Security) to connect to the LDAP server. */
 $servers->setValue('server','tls',false);
 
+/* TLS Certificate Authority file (overrides ldap.conf, PHP 7.1+) */
+// $servers->setValue('server','tls_cacert',null);
+#  $servers->setValue('server','tls_cacert','/etc/openldap/certs/ca.crt');
+
+/* TLS Certificate Authority hashed directory (overrides ldap.conf, PHP 7.1+) */
+// $servers->setValue('server','tls_cacertdir',null);
+#  $servers->setValue('server','tls_cacertdir','/etc/openldap/certs');
+
+/* TLS Client Certificate file (PHP 7.1+) */
+// $servers->setValue('server','tls_cert',null);
+#  $servers->setValue('server','tls_cert','/etc/pki/tls/certs/ldap_user.crt');
+
+/* TLS Client Certificate Key file (PHP 7.1+) */
+// $servers->setValue('server','tls_key',null);
+#  $servers->setValue('server','tls_key','/etc/pki/tls/private/ldap_user.key');
+
 /************************************
  *      SASL Authentication         *
  ************************************/
@@ -341,11 +387,19 @@ $servers->setValue('server','tls',false);
 /* Enable SASL authentication LDAP SASL authentication requires PHP 5.x
    configured with --with-ldap-sasl=DIR. If this option is disabled (ie, set to
    false), then all other sasl options are ignored. */
-// $servers->setValue('login','auth_type','sasl');
+#  $servers->setValue('login','auth_type','sasl');
 
-/* SASL auth mechanism */
+/* SASL GSSAPI auth mechanism (requires auth_type of sasl) */
 // $servers->setValue('sasl','mech','GSSAPI');
 
+/* SASL PLAIN support... this mech converts simple binds to SASL
+   PLAIN binds using any auth_type (or other bind_id/pass) as credentials.
+   NOTE: auth_type must be simple auth compatible (ie not sasl) */
+#  $servers->setValue('sasl','mech','PLAIN');
+
+/* SASL EXTERNAL support... really a different auth_type */
+#  $servers->setValue('login','auth_type','sasl_external');
+
 /* SASL authentication realm name */
 // $servers->setValue('sasl','realm','');
 #  $servers->setValue('sasl','realm','EXAMPLE.COM');
@@ -400,6 +454,12 @@ $servers->setValue('server','tls',false);
    setup. */
 // $servers->setValue('login','class',array());
 
+/* If login_attr was set to 'dn', it is possible to specify a template string to
+   build the DN from. Use '%s' where user input should be inserted. A user may
+   still enter the complete DN. In this case the template will not be used. */
+// $servers->setValue('login','bind_dn_template',null);
+#  $servers->setValue('login','bind_dn_template','cn=%s,ou=people,dc=example,dc=com');
+
 /* If you specified something different from 'dn', for example 'uid', as the
    login_attr above, you can optionally specify here to fall back to
    authentication with dn.
@@ -420,6 +480,9 @@ $servers->setValue('server','tls',false);
 /* Set to true if you would like to initially open the first level of each tree. */
 // $servers->setValue('appearance','open_tree',false);
 
+/* Set to true to display authorization ID in place of login dn (PHP 7.2+) */
+// $servers->setValue('appearance','show_authz',false);
+
 /* This feature allows phpLDAPadmin to automatically determine the next
    available uidNumber for a new entry. */
 // $servers->setValue('auto_number','enable',true);
@@ -556,7 +619,7 @@ $servers->setValue('appearance','show_create',true);
 $servers->setValue('auto_number','enable',true);
 $servers->setValue('auto_number','mechanism','search');
 $servers->setValue('auto_number','search_base',null);
-$servers->setValue('auto_number','min',array('uidNumber'=>10000,'gidNumber'=>5000));
+$servers->setValue('auto_number','min',array('uidNumber'=>1000,'gidNumber'=>500));
 $servers->setValue('auto_number','dn',null);
 $servers->setValue('auto_number','pass',null);
 
@@ -573,4 +636,19 @@ $servers->setValue('server','custom_sys_attrs',array('passwordExpirationTime','p
 $servers->setValue('server','custom_attrs',array('nsRoleDN','nsRole','nsAccountLock'));
 $servers->setValue('server','force_may',array('uidNumber','gidNumber','sambaSID'));
 */
+
+
+/***********************************************************************************
+ * If you want to configure Google reCAPTCHA on autentication form, do so below.   *
+ * Remove the commented lines and use this section as a template for all           *
+ * reCAPTCHA v2  Generate on https://www.google.com/recaptcha/                     *
+ *                                                                                 *
+ * IMPORTANT: Select reCAPTCHA v2   on  Type of reCAPTCHA                          *
+ ***********************************************************************************/
+
+
+$config->custom->session['reCAPTCHA-enable'] = false;
+$config->custom->session['reCAPTCHA-key-site'] = '<put-here-key-site>';
+$config->custom->session['reCAPTCHA-key-server'] = '<put-here-key-server>';
+
 ?>

jails/config/r-ldap-mgr/httpd.conf

@@ -49,7 +49,7 @@ ServerRoot "/usr/local"
 # prevent Apache from glomming onto all bound IP addresses.
 #
 #Listen 12.34.56.78:80
-Listen 80
+#Listen 80
 
 #
 # Dynamic Shared Object (DSO) Support
@@ -178,7 +178,8 @@ LoadModule dir_module libexec/apache24/mod_dir.so
 #LoadModule userdir_module libexec/apache24/mod_userdir.so
 LoadModule alias_module libexec/apache24/mod_alias.so
 #LoadModule rewrite_module libexec/apache24/mod_rewrite.so
-LoadModule php7_module        libexec/apache24/libphp7.so
+#LoadModule php7_module        libexec/apache24/libphp7.so
+LoadModule php_module         libexec/apache24/libphp.so
 
 # Third party modules
 IncludeOptional etc/apache24/modules.d/[0-9][0-9][0-9]_*.conf
@@ -214,7 +215,7 @@ Group www
 # e-mailed.  This address appears on some server-generated pages, such
 # as error documents.  e.g. admin@your-domain.com
 #
-ServerAdmin you@example.com
+ServerAdmin rishabh@beyondbell.com
 
 #
 # ServerName gives the name and port that the server uses to identify itself.
@@ -223,7 +224,7 @@ ServerAdmin you@example.com
 #
 # If your host doesn't have a registered DNS name, enter its IP address here.
 #
-#ServerName www.example.com:80
+ServerName ldap-mgr.beyondbell.com
 
 #
 # Deny access to the entirety of your server's filesystem. You must

jails/config/r-ldap-mgr/php.ini

@@ -401,7 +401,7 @@ max_input_time = 60
 
 ; Maximum amount of memory a script may consume (128MB)
 ; http://php.net/memory-limit
-memory_limit = 128M
+memory_limit = 256M
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ; Error handling and logging ;

jails/config/r-ldap-mgr/pkg-list-details.txt

@@ -0,0 +1,9 @@
+pkgp-freebsd-pkg____apache24-2.4.53
+pkgp-freebsd-pkg____bash-5.1.16
+pkgp-freebsd-pkg____bash-completion-2.11_1,2
+pkgp-freebsd-pkg____ldap-account-manager-7.9
+pkgp-freebsd-pkg____mod_php80-8.0.17_1
+pkgp-freebsd-pkg____nano-6.0
+pkgp-freebsd-pkg____phpldapadmin-php80-1.2.6.3_1
+pkgp-freebsd-pkg____pkg-1.17.5_1
+pkgp-freebsd-pkg____sudo-1.9.10

jails/config/r-ldap-mgr/pkg-list.txt

@@ -0,0 +1 @@
+apache24 bash bash-completion ldap-account-manager mod_php80 nano phpldapadmin-php80 pkg sudo