Posted to user@openmeetings.apache.org by Filip Žák <fi...@gmail.com> on 2021/01/06 19:21:26 UTC

LDAP users - restricted access Solution

Hello,
recently I was asking whether it is possible to restrict access for LDAP users
to only some of them and only at specific times. I worked on it myself and I want to
offer a solution. If you want, you can implement it in the official version.
So here it is:

1. I found the Java class
/openmeetings-core/src/main/java/org/apache/openmeetings/core/ldap/LdapLoginManager.java
and there I implemented calling a Bash script and passing it the variable
inLogin before
validating with the LDAP server. To do so we need to import these two libraries:

import java.io.BufferedReader;
import java.io.InputStreamReader;

2. Then we find the function: public User login(String inLogin, String passwd,
Long domainId) throws OmException

3. At the very beginning of that function we insert the following code to call the script:

    Process p;
    // run the script through sh and pass the login as its own argument;
    // exec(String[]) does not split the login on whitespace the way exec(String) would
    String[] cmd = {"sh", "/opt/skriptOMldap.sh", inLogin};
    String meno = "";
    try {
        p = Runtime.getRuntime().exec(cmd);
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
            String line;
            // the last line the script prints is the login that will be validated
            while ((line = reader.readLine()) != null) {
                meno = line;
            }
        }
        p.waitFor();
    } catch (IOException e) {          // java.io.IOException, if not already imported
        e.printStackTrace();
    } catch (InterruptedException e) {
        Thread.currentThread().interrupt();
        e.printStackTrace();
    }
    inLogin = meno;

In the variable String[] cmd we can define where the script is and what its
name is.

4. That's everything in the Java code, so we save it and compile the code.

5. Next is the script. We create it in the folder that we defined in step 3 (in my
case /opt/skriptOMldap.sh), so in /opt we create the file skriptOMldap.sh and
insert the following code:

    #!/bin/bash
    # whitelist files live here and are named HHMMHHMMDayname, e.g. 10002000Wednesday
    dir=/opt/whitelists
    login=$1

    # If there are no whitelists, then everybody is allowed
    if [ -z "$(ls -A "$dir")" ]; then
      echo "$login"
      exit 0
    fi

    export LC_ALL=en_US.utf8                            # English day names from %A
    day=$(date +"%A")
    now=$((10#$(date +"%H") * 60 + 10#$(date +"%M")))   # minutes since midnight

    # only files that contain this login as a whole line (fixed string, not a regex)
    for f in $(grep -lFx -- "$login" "$dir"/*)
    do
      i=${f##*/}                                        # file name without the directory
      start=$((10#${i:0:2} * 60 + 10#${i:2:2}))         # first 4 digits: start HHMM
      end=$((10#${i:4:2} * 60 + 10#${i:6:2}))           # second 4 digits: end HHMM
      if [ "${i:8}" = "$day" ] && [ "$now" -ge "$start" ] && [ "$now" -le "$end" ]
      then
        echo "$login"
        exit 0
      fi
    done

    # not whitelisted for this day and time: return a login that will not validate
    echo "xxx$login"
    exit 0

So basically this script takes the login as an input variable and checks whether
there is a file in the whitelists directory for the current time and day. So we
need to create a directory named whitelists in the directory /opt. In
this directory (whitelists) we can create a file with a name where the first 4
digits are the start and the second 4 digits are the end, followed by the name of the
day of the week (for example, I want some people to have access on Wednesday
from 10:00 to 20:00, so I create a file named 10002000Wednesday). In
that file I simply write all the logins I want (one login per row). So what the script
does is: it checks the current day, finds all files for the current day, then
checks the time and chooses the file that is correct (the current time is between the start
and end of the file), and next it checks whether the login is in the file. If not, the script
returns the login prefixed with "xxx", and then the validation fails.
There is also an if statement for users who don't want to use this function:
if there is no file in the directory, the script simply returns the login it got.

6. For security we can set permissions on both the script and the directory
/whitelists, and we can also set the owner and group to nobody:nogroup.

So that's it. I hope somebody will use this function. Of course there are
more options to do this, but this was the best for me.

Best regards,
Filip Žák
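The same day-and-time whitelist check, written as an added example for this thread (it is not Filip's script and not OpenMeetings code). It keeps the file layout described above (files named HHMMHHMMDayname, one login per line) and the output contract the Java side expects (the login if allowed, "xxx" plus the login otherwise), but goes further than the posted script: the login is matched as a fixed string against whole lines, so a login such as "." or "ann" cannot match other users' entries the way an unquoted regex grep would; a missing directory fails closed instead of allowing everyone; times are compared as integer minutes without bc; and the day and clock can be passed in so the logic can be tested without waiting for Wednesday. The directory path and the function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not the original poster's script. Assumes whitelist files are
# named HHMMHHMMDayname (e.g. 10002000Wednesday) and contain one login per line.

# to_min HHMM -> minutes since midnight. Leading zeros are stripped so that
# "08" is not parsed as an octal literal by $(( )).
to_min() {
    h=${1%??}; m=${1#??}
    echo $(( ${h#0} * 60 + ${m#0} ))
}

# om_allowed LOGIN DIR [DAY] [HHMM]
# DAY and HHMM default to the current clock; passing them makes the check testable.
# Prints LOGIN and returns 0 if allowed, prints xxxLOGIN and returns 1 otherwise.
om_allowed() {
    login=$1; dir=$2
    day=${3:-$(LC_ALL=C date +%A)}          # English day name regardless of locale
    now=$(to_min "${4:-$(date +%H%M)}")

    # Fail closed if the directory is missing: a broken deployment must not
    # silently turn into "everybody is allowed".
    if [ ! -d "$dir" ]; then
        printf 'xxx%s\n' "$login"; return 1
    fi
    # An existing but empty directory keeps the opt-out from the thread:
    # no whitelists, everybody is allowed.
    if [ -z "$(ls -A "$dir")" ]; then
        printf '%s\n' "$login"; return 0
    fi

    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # Only consider files shaped HHMMHHMM<Day>; ignore README and the like.
        case $name in
            [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]*) ;;
            *) continue ;;
        esac
        [ "${name#????????}" = "$day" ] || continue
        window=${name%"$day"}                # the 8 digits in front of the day name
        start=$(to_min "${window%????}")
        end=$(to_min "${window#????}")
        # -F: fixed string, -x: whole line, --: a login starting with "-" is not an option.
        if [ "$now" -ge "$start" ] && [ "$now" -le "$end" ] \
           && grep -Fxq -- "$login" "$f"; then
            printf '%s\n' "$login"; return 0
        fi
    done

    printf 'xxx%s\n' "$login"; return 1
}

# Stand-alone use with the same call shape as the thread's script:
#   whitelist_check.sh LOGIN [DIR]      (DIR defaults to the assumed /opt/whitelists)
if [ $# -gt 0 ]; then
    om_allowed "$1" "${2:-/opt/whitelists}"
fi
```

Because the function returns a status as well as printing, it can also be used directly as a predicate in other scripts (`if om_allowed "$user" /opt/whitelists >/dev/null; then ...`) without parsing the "xxx" prefix.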

Re: LDAP users - restricted access Solution

Posted by Maxim Solodovnik <so...@gmail.com>.
Hello Filip,

On Thu, 7 Jan 2021 at 02:21, Filip Žák <fi...@gmail.com> wrote:

> Hello,
> recently I was asking whether it is possible to restrict access for LDAP users
> to only some of them and only at specific times. I worked on it myself and I want to
> offer a solution. If you want, you can implement it in the official version.
> So here it is:
>
> 1. I found the Java class
> /openmeetings-core/src/main/java/org/apache/openmeetings/core/ldap/LdapLoginManager.java
> and there I implemented calling a Bash script and passing it the variable inLogin before
> validating with the LDAP server. To do so we need to import these two libraries:
>
> import java.io.BufferedReader;
> import java.io.InputStreamReader;
>
> 2. Then we find the function: public User login(String inLogin, String
> passwd, Long domainId) throws OmException
>
> 3. At the very beginning of that function we insert the following code to call the script:
>
>     Process p;
>     // run the script through sh and pass the login as its own argument;
>     // exec(String[]) does not split the login on whitespace the way exec(String) would
>     String[] cmd = {"sh", "/opt/skriptOMldap.sh", inLogin};
>     String meno = "";
>     try {
>         p = Runtime.getRuntime().exec(cmd);
>         try (BufferedReader reader = new BufferedReader(new InputStreamReader(p.getInputStream()))) {
>             String line;
>             // the last line the script prints is the login that will be validated
>             while ((line = reader.readLine()) != null) {
>                 meno = line;
>             }
>         }
>         p.waitFor();
>     } catch (IOException e) {          // java.io.IOException, if not already imported
>         e.printStackTrace();
>     } catch (InterruptedException e) {
>         Thread.currentThread().interrupt();
>         e.printStackTrace();
>     }
>     inLogin = meno;
>

You can use this helper:
https://github.com/apache/openmeetings/blob/master/openmeetings-util/src/main/java/org/apache/openmeetings/util/process/ProcessHelper.java

it will work with std out/err for you :)


>
>
> In the variable String[] cmd we can define where the script is and what its
> name is.
>
> 4. That's everything in the Java code, so we save it and compile the code.
>
> 5. Next is the script. We create it in the folder that we defined in step 3 (in my
> case /opt/skriptOMldap.sh), so in /opt we create the file skriptOMldap.sh
> and insert the following code:
>
>     #!/bin/bash
>     # whitelist files live here and are named HHMMHHMMDayname, e.g. 10002000Wednesday
>     dir=/opt/whitelists
>     login=$1
>
>     # If there are no whitelists, then everybody is allowed
>     if [ -z "$(ls -A "$dir")" ]; then
>       echo "$login"
>       exit 0
>     fi
>
>     export LC_ALL=en_US.utf8                            # English day names from %A
>     day=$(date +"%A")
>     now=$((10#$(date +"%H") * 60 + 10#$(date +"%M")))   # minutes since midnight
>
>     # only files that contain this login as a whole line (fixed string, not a regex)
>     for f in $(grep -lFx -- "$login" "$dir"/*)
>     do
>       i=${f##*/}                                        # file name without the directory
>       start=$((10#${i:0:2} * 60 + 10#${i:2:2}))         # first 4 digits: start HHMM
>       end=$((10#${i:4:2} * 60 + 10#${i:6:2}))           # second 4 digits: end HHMM
>       if [ "${i:8}" = "$day" ] && [ "$now" -ge "$start" ] && [ "$now" -le "$end" ]
>       then
>         echo "$login"
>         exit 0
>       fi
>     done
>
>     # not whitelisted for this day and time: return a login that will not validate
>     echo "xxx$login"
>     exit 0
>
> So basically this script takes the login as an input variable and checks whether
> there is a file in the whitelists directory for the current time and day. So we
> need to create a directory named whitelists in the directory /opt. In
> this directory (whitelists) we can create a file with a name where the first 4
> digits are the start and the second 4 digits are the end, followed by the name of the
> day of the week (for example, I want some people to have access on Wednesday
> from 10:00 to 20:00, so I create a file named 10002000Wednesday). In
> that file I simply write all the logins I want (one login per row). So what the script
> does is: it checks the current day, finds all files for the current day, then
> checks the time and chooses the file that is correct (the current time is between the start
> and end of the file), and next it checks whether the login is in the file. If not, the script
> returns the login prefixed with "xxx", and then the validation fails.
> There is also an if statement for users who don't want to use this
> function: if there is no file in the directory, the script simply returns the login it
> got.
>
> 6. For security we can set permissions on both the script and the directory
> /whitelists, and we can also set the owner and group to nobody:nogroup.
>
> So that's it. I hope somebody will use this function. Of course there are
> more options to do this, but this was the best for me.
>

Great you were able to solve this :)


>
> Best regards,
> Filip Žák
>


-- 
Best regards,
Maxim