Release 1.2.6

* Set minimum PHP version to 5.5.0| Bcrypt Support
* Added Bcrypt hash support
* Update Install.md

INSTALL.md

@@ -5,7 +5,7 @@ For install instructions in non-English languages, see the wiki:
 
   phpLDAPadmin requires the following:
       a. A web server (Apache, IIS, etc).
-      b. PHP 5.0.0 or newer (with LDAP support)
+      b. PHP 5.5.0 or newer (with LDAP support)
 
 * To install
 

README.md

@@ -0,0 +1,13 @@
+phpLDAPadmin
+============
+
+phpLDAPadmin - Web based LDAP administration tool
+
+
+## Installation
+
+[INSTALL](INSTALL.md)
+
+## License
+
+[LICENSE](LICENSE)

VERSION

@@ -1 +1 @@
-RELEASE-1.2.1
+RELEASE-1.2.6

config/config.php.example

@@ -53,10 +53,11 @@
 // $config->custom->session['http_realm'] = sprintf('%s %s',app_name(),'login');
 
 /* The language setting. If you set this to 'auto', phpLDAPadmin will attempt
-   to determine your language automatically. Otherwise, available lanaguages
-   are: 'ct', 'de', 'en', 'es', 'fr', 'it', 'nl', and 'ru'
-   Localization is not complete yet, but most strings have been translated.
-   Please help by writing language files. See lang/en.php for an example. */
+   to determine your language automatically.
+   If PLA doesnt show (all) strings in your language, then you can do some
+   translation at http://translations.launchpad.net/phpldapadmin and download
+   the translation files, replacing those provided with PLA.
+   (We'll pick up the translations before making the next release too!) */
 // $config->custom->appearance['language'] = 'auto';
 
 /* The temporary storage directory where we will put jpegPhoto data
@@ -159,6 +160,9 @@ $config->custom->commands['script'] = array(
 /* Hide the warnings for invalid objectClasses/attributes in templates. */
 // $config->custom->appearance['hide_template_warning'] = false;
 
+/* Set to true if you would like to hide header and footer parts. */
+// $config->custom->appearance['minimalMode'] = false;
+
 /* Configure what objects are shown in left hand tree */
 // $config->custom->appearance['tree_filter'] = '(objectclass=*)';
 
@@ -169,6 +173,10 @@ $config->custom->commands['script'] = array(
 // $config->custom->appearance['tree_width'] = null;
 #  $config->custom->appearance['tree_width'] = 250;
 
+/* Number of tree command icons to show, 0 = show all icons on 1 row. */
+// $config->custom->appearance['tree_icons'] = 0;
+#  $config->custom->appearance['tree_icons'] = 4;
+
 /* Confirm create and update operations, allowing you to review the changes
    and optionally skip attributes during the create/update operation. */
 // $config->custom->confirm['create'] = true;
@@ -231,7 +239,7 @@ $config->custom->appearance['friendly_attrs'] = array(
  *********************************************/
 
 /* Add "modify group members" link to the attribute. */
-// $config->custom->modify_member['groupattr'] = array('member','uniqueMember','memberUid');
+// $config->custom->modify_member['groupattr'] = array('member','uniqueMember','memberUid','sudoUser');
 
 /* Configure filter for member search. This only applies to "modify group members" feature */
 // $config->custom->modify_member['filter'] = '(objectclass=Person)';
@@ -239,6 +247,7 @@ $config->custom->appearance['friendly_attrs'] = array(
 /* Attribute that is added to the group member attribute. */
 // $config->custom->modify_member['attr'] = 'dn';
 
+
 /* For Posix attributes */
 // $config->custom->modify_member['posixattr'] = 'uid';
 // $config->custom->modify_member['posixfilter'] = '(uid=*)';
@@ -295,7 +304,7 @@ $servers->setValue('server','name','My LDAP Server');
    auto-detect it for you. */
 // $servers->setValue('server','base',array(''));
 
-/* Four options for auth_type:
+/* Five options for auth_type:
    1. 'cookie': you will login via a web form, and a client-side cookie will
       store your login dn and password.
    2. 'session': same as cookie but your login dn and password are stored on the
@@ -304,6 +313,8 @@ $servers->setValue('server','name','My LDAP Server');
       HTTP authentication.
    4. 'config': specify your login dn and password here in this config file. No
       login will be required to use phpLDAPadmin for this server.
+   5. 'sasl': login will be taken from the webserver's kerberos authentication.
+      Currently only GSSAPI has been tested (using mod_auth_kerb).
 
    Choose wisely to protect your authentication information appropriately for
    your situation. If you choose 'cookie', your cookie contents will be
@@ -312,10 +323,11 @@ $servers->setValue('server','name','My LDAP Server');
 // $servers->setValue('login','auth_type','session');
 
 /* The DN of the user for phpLDAPadmin to bind with. For anonymous binds or
-   'cookie' or 'session' auth_types, LEAVE THE LOGIN_DN AND LOGIN_PASS BLANK. If
-   you specify a login_attr in conjunction with a cookie or session auth_type,
-   then you can also specify the bind_id/bind_pass here for searching the
-   directory for users (ie, if your LDAP server does not allow anonymous binds. */
+   'cookie','session' or 'sasl' auth_types, LEAVE THE LOGIN_DN AND LOGIN_PASS
+   BLANK. If you specify a login_attr in conjunction with a cookie or session
+   auth_type, then you can also specify the bind_id/bind_pass here for searching
+   the directory for users (ie, if your LDAP server does not allow anonymous
+   binds. */
 // $servers->setValue('login','bind_id','');
 #  $servers->setValue('login','bind_id','cn=Manager,dc=example,dc=com');
 
@@ -334,22 +346,27 @@ $servers->setValue('server','name','My LDAP Server');
 /* Enable SASL authentication LDAP SASL authentication requires PHP 5.x
    configured with --with-ldap-sasl=DIR. If this option is disabled (ie, set to
    false), then all other sasl options are ignored. */
-// $servers->setValue('server','sasl_auth',false);
+#  $servers->setValue('login','auth_type','sasl');
 
-/* SASL auth mechanism */
-// $servers->setValue('server','sasl_mech','PLAIN');
+/* SASL GSSAPI auth mechanism (requires auth_type of sasl) */
+// $servers->setValue('sasl','mech','GSSAPI');
+
+/* SASL PLAIN support... this mech converts simple binds to SASL
+   PLAIN binds using any auth_type (or other bind_id/pass) as credentials.
+   NOTE: auth_type must be simple auth compatible (ie not sasl) */
+#  $servers->setValue('sasl','mech','PLAIN');
 
 /* SASL authentication realm name */
-// $servers->setValue('server','sasl_realm','');
-#  $servers->setValue('server','sasl_realm','example.com');
+// $servers->setValue('sasl','realm','');
+#  $servers->setValue('sasl','realm','EXAMPLE.COM');
 
 /* SASL authorization ID name
    If this option is undefined, authorization id will be computed from bind DN,
-   using sasl_authz_id_regex and sasl_authz_id_replacement. */
-// $servers->setValue('server','sasl_authz_id', null);
+   using authz_id_regex and authz_id_replacement. */
+// $servers->setValue('sasl','authz_id', null);
 
 /* SASL authorization id regex and replacement
-   When sasl_authz_id property is not set (default), phpLDAPAdmin will try to
+   When authz_id property is not set (default), phpLDAPAdmin will try to
    figure out authorization id by itself from bind distinguished name (DN).
 
    This procedure is done by calling preg_replace() php function in the
@@ -361,18 +378,18 @@ $servers->setValue('server','name','My LDAP Server');
    For info about pcre regexes, see:
    - pcre(3), perlre(3)
    - http://www.php.net/preg_replace */
-// $servers->setValue('server','sasl_authz_id_regex',null);
-// $servers->setValue('server','sasl_authz_id_replacement',null);
-#  $servers->setValue('server','sasl_authz_id_regex','/^uid=([^,]+)(.+)/i');
-#  $servers->setValue('server','sasl_authz_id_replacement','$1');
+// $servers->setValue('sasl','authz_id_regex',null);
+// $servers->setValue('sasl','authz_id_replacement',null);
+#  $servers->setValue('sasl','authz_id_regex','/^uid=([^,]+)(.+)/i');
+#  $servers->setValue('sasl','authz_id_replacement','$1');
 
 /* SASL auth security props.
    See http://beepcore-tcl.sourceforge.net/tclsasl.html#anchor5 for explanation. */
-// $servers->setValue('server','sasl_props',null);
+// $servers->setValue('sasl','props',null);
 
 /* Default password hashing algorithm. One of md5, ssha, sha, md5crpyt, smd5,
    blowfish, crypt or leave blank for now default algorithm. */
-// $servers->setValue('appearance','password_hash','md5');
+// $servers->setValue('appearance','pla_password_hash','md5');
 
 /* If you specified 'cookie' or 'session' as the auth_type above, you can
    optionally specify here an attribute to use when logging in. If you enter
@@ -393,6 +410,12 @@ $servers->setValue('server','name','My LDAP Server');
    setup. */
 // $servers->setValue('login','class',array());
 
+/* If login_attr was set to 'dn', it is possible to specify a template string to
+   build the DN from. Use '%s' where user input should be inserted. A user may
+   still enter the complete DN. In this case the template will not be used. */
+// $servers->setValue('login','bind_dn_template',null);
+#  $servers->setValue('login','bind_dn_template','cn=%s,ou=people,dc=example,dc=com');
+
 /* If you specified something different from 'dn', for example 'uid', as the
    login_attr above, you can optionally specify here to fall back to
    authentication with dn.
@@ -410,6 +433,12 @@ $servers->setValue('server','name','My LDAP Server');
    in the tree viewer. */
 // $servers->setValue('appearance','show_create',true);
 
+/* Set to true if you would like to initially open the first level of each tree. */
+// $servers->setValue('appearance','open_tree',false);
+
+/* Set to true to display authorization ID in place of login dn (PHP 7.2+) */
+// $servers->setValue('appearance','show_authz',false);
+
 /* This feature allows phpLDAPadmin to automatically determine the next
    available uidNumber for a new entry. */
 // $servers->setValue('auto_number','enable',true);
@@ -458,6 +487,11 @@ $servers->setValue('server','name','My LDAP Server');
 /* Set this if you dont want this LDAP server to show in the tree */
 // $servers->setValue('server','visible',true);
 
+/* Set this if you want to hide the base DNs that dont exist instead of
+   displaying the message "The base entry doesnt exist, create it?"
+// $servers->setValue('server','hide_noaccess_base',false);
+#  $servers->setValue('server','hide_noaccess_base',true);
+
 /* This is the time out value in minutes for the server. After as many minutes
    of inactivity you will be automatically logged out. If not set, the default
    value will be ( session_cache_expire()-1 ) */
@@ -483,8 +517,8 @@ $servers->setValue('server','name','My LDAP Server');
    server may automatically calculate a default value.
    In Fedora Directory Server using the DNA Plugin one could ignore uidNumber,
    gidNumber and sambaSID. */
-// $servers->setValue('force_may','attrs',array(''));
-#  $servers->setValue('force_may','attrs',array('uidNumber','gidNumber','sambaSID'));
+// $servers->setValue('server','force_may',array(''));
+#  $servers->setValue('server','force_may',array('uidNumber','gidNumber','sambaSID'));
 
 /*********************************************
  * Unique attributes                         *
@@ -523,15 +557,15 @@ $servers->setValue('login','bind_pass','');
 $servers->setValue('server','tls',false);
 
 # SASL auth
-$servers->setValue('server','sasl_auth',true);
-$servers->setValue('server','sasl_mech','PLAIN');
-$servers->setValue('server','sasl_realm','EXAMPLE.COM');
-$servers->setValue('server','sasl_authz_id',null);
-$servers->setValue('server','sasl_authz_id_regex','/^uid=([^,]+)(.+)/i');
-$servers->setValue('server','sasl_authz_id_replacement','$1');
-$servers->setValue('server','sasl_props',null);
+$servers->setValue('login','auth_type','sasl');
+$servers->setValue('sasl','mech','GSSAPI');
+$servers->setValue('sasl','realm','EXAMPLE.COM');
+$servers->setValue('sasl','authz_id',null);
+$servers->setValue('sasl','authz_id_regex','/^uid=([^,]+)(.+)/i');
+$servers->setValue('sasl','authz_id_replacement','$1');
+$servers->setValue('sasl','props',null);
 
-$servers->setValue('appearance','password_hash','md5');
+$servers->setValue('appearance','pla_password_hash','md5');
 $servers->setValue('login','attr','dn');
 $servers->setValue('login','fallback_dn',false);
 $servers->setValue('login','class',null);
@@ -556,6 +590,21 @@ $servers->setValue('login','timeout',30);
 $servers->setValue('server','branch_rename',false);
 $servers->setValue('server','custom_sys_attrs',array('passwordExpirationTime','passwordAllowChangeTime'));
 $servers->setValue('server','custom_attrs',array('nsRoleDN','nsRole','nsAccountLock'));
-$servers->setValue('force_may','attrs',array('uidNumber','gidNumber','sambaSID'));
+$servers->setValue('server','force_may',array('uidNumber','gidNumber','sambaSID'));
 */
+
+
+/***********************************************************************************
+ * If you want to configure Google reCAPTCHA on autentication form, do so below.   *
+ * Remove the commented lines and use this section as a template for all           *
+ * reCAPTCHA v2  Generate on https://www.google.com/recaptcha/                     *
+ *                                                                                 *
+ * IMPORTANT: Select reCAPTCHA v2   on  Type of reCAPTCHA                          *
+ ***********************************************************************************/
+
+
+$config->custom->session['reCAPTCHA-enable'] = false;
+$config->custom->session['reCAPTCHA-key-site'] = '<put-here-key-site>';
+$config->custom->session['reCAPTCHA-key-server'] = '<put-here-key-server>';
+
 ?>

doc/README-translation.txt

@@ -1,2 +1,2 @@
-Please see http://phpldapadmin.sourceforge.net/Translate now for information on
+Please see http://phpldapadmin.sourceforge.net/wiki/index.php/Translate now for information on
 translating PLA.

doc/phpldapadmin-demo.conf

@@ -80,6 +80,9 @@ index uidNumber,gidNumber,loginShell	eq,pres
 index uid,memberUid			eq,pres,sub
 index nisMapName,nisMapEntry		eq,pres,sub
 
+sasl-regexp	uid=(.*),cn=(.*),cn=gssapi,cn=auth
+	ldap:///dc=example.com??sub?(&(uid=$1)(objectClass=inetOrgPerson))
+
 database	bdb
 suffix		"o=Flintstones"
 rootdn		"cn=Manager,o=Flintstones"

htdocs/add_value_form.php

@@ -34,7 +34,7 @@ if ($request['attribute']->isReadOnly())
 # Render the form
 if (! strcasecmp($request['attr'],'objectclass') || get_request('meth','REQUEST') != 'ajax') {
 	# Render the form.
-	$request['page']->drawTitle(sprintf('%s <b>%s</b> %s <b>%s</b>',_('Add new'),$request['attr'],_('value to'),get_rdn($request['dn'])));
+	$request['page']->drawTitle(sprintf('%s <b>%s</b> %s <b>%s</b>',_('Add new'),htmlspecialchars($request['attr']),_('value to'),htmlspecialchars(get_rdn($request['dn']))));
 	$request['page']->drawSubTitle();
 
 	if (! strcasecmp($request['attr'],'objectclass')) {

htdocs/cmd.php

@@ -19,10 +19,6 @@ $www['meth'] = get_request('meth','REQUEST');
 ob_start();
 
 switch ($www['cmd']) {
-	case '_debug':
-		debug_dump($_REQUEST,1);
-		break;
-
 	default:
 		if (defined('HOOKSDIR') && file_exists(HOOKSDIR.$www['cmd'].'.php'))
 			$app['script_cmd'] = HOOKSDIR.$www['cmd'].'.php';

htdocs/copy.php

@@ -63,12 +63,12 @@ if ($request['recursive']) {
 	print '</small>';
 
 } else {
-	if ($_SESSION[APPCONFIG]->getValue('confirm','copy')) {
-		$request['pageSRC'] = new TemplateRender($app['server']->getIndex(),get_request('template','REQUEST',false,null));
+	if ($_SESSION[APPCONFIG]->getValue('confirm','copy') && !$request['remove']) {
+		$request['pageSRC'] = new TemplateRender($ldap['SRC']->getIndex(),get_request('template','REQUEST',false,null));
 		$request['pageSRC']->setDN($request['dnSRC']);
 		$request['pageSRC']->accept(true);
 
-		$request['pageDST'] = new TemplateRender($app['server']->getIndex(),get_request('template','REQUEST',false,'none'));
+		$request['pageDST'] = new TemplateRender($ldap['DST']->getIndex(),get_request('template','REQUEST',false,'none'));
 		$request['pageDST']->setContainer($app['server']->getContainer($request['dnDST']));
 		$request['pageDST']->accept(true);
 

htdocs/create.php

@@ -46,8 +46,7 @@ if (! $request['template']->getRDN())
 # Some other attribute checking...
 foreach ($request['template']->getAttributes() as $attribute) {
 	# Check that our Required Attributes have a value - we shouldnt really return a hit here, the template engine shouldnt have allowed this to slip through.
-	# @todo this isIgnoredAttr() function is missing?
-	if ($attribute->isRequired() && ! count($attribute->getValues()) && ! $app['server']->isIgnoredAttr($attr->getName()))
+	if ($attribute->isRequired() && ! count($attribute->getValues()))
 		error(sprintf(_('You left the value blank for required attribute (%s).'),
 			$attribute->getName(false)),'error','index.php');
 }

htdocs/create_confirm.php

@@ -40,8 +40,7 @@ if (! $request['template']->getRDN())
 # Some other attribute checking...
 foreach ($request['template']->getAttributes() as $attribute) {
 	# Check that our Required Attributes have a value - we shouldnt really return a hit here, the template engine shouldnt have allowed this to slip through.
-	# @todo this isIgnoredAttr() function is missing?
-	if ($attribute->isRequired() && ! count($attribute->getValues()) && ! $app['server']->isIgnoredAttr($attr->getName()))
+	if ($attribute->isRequired() && ! count($attribute->getValues()))
 		error(sprintf(_('You left the value blank for required attribute (%s).'),
 			$attribute->getName(false)),'error','index.php');
 }
@@ -82,7 +81,7 @@ if (count($request['template']->getLDAPadd(true))) {
 	echo "\n\n";
 
 	$counter = 0;
-	printf('<tr class="%s"><td colspan="3" style="text-align: center;"><b>%s</b></td></tr>',$counter%2 ? 'even' : 'odd',$request['template']->getDN());
+	printf('<tr class="%s"><td colspan="3" style="text-align: center;"><b>%s</b></td></tr>',$counter%2 ? 'even' : 'odd',htmlspecialchars($request['template']->getDN()));
 
 	foreach ($request['template']->getLDAPadd(true) as $attribute) {
 		$counter++;

htdocs/delete.php

@@ -21,13 +21,18 @@ if (! $app['server']->dnExists($request['dn']))
 # Delete the entry.
 $result = $app['server']->delete($request['dn']);
 
-if ($result)
+if ($result) {
+	$redirect_url = '';
+
+	if (isAjaxEnabled())
+		$redirect_url .= sprintf('&refresh=SID_%s_nodes&noheader=1',$app['server']->getIndex());
+
 	system_message(array(
 		'title'=>_('Delete DN'),
 		'body'=>_('Successfully deleted DN ').sprintf('<b>%s</b>',$request['dn']),
 		'type'=>'info'),
-		sprintf('index.php?server_id=%s',$app['server']->getIndex()));
-else
+		sprintf('index.php?server_id=%s%s',$app['server']->getIndex(),$redirect_url));
+} else
 	system_message(array(
 		'title'=>_('Could not delete the entry.').sprintf(' (%s)',pretty_print_dn($request['dn'])),
 		'body'=>ldap_error_msg($app['server']->getErrorMessage(null),$app['server']->getErrorNum(null)),

htdocs/delete_form.php

@@ -15,6 +15,11 @@ require './common.php';
 $request = array();
 $request['dn'] = get_request('dn','GET');
 
+$request['page'] = new PageRender($app['server']->getIndex(),get_request('template','REQUEST',false,'none'));
+$request['page']->setDN($request['dn']);
+$request['page']->accept();
+$request['template'] = $request['page']->getTemplate();
+
 # Check if the entry exists.
 if (! $request['dn'] || ! $app['server']->dnExists($request['dn']))
 	system_message(array(
@@ -25,7 +30,7 @@ if (! $request['dn'] || ! $app['server']->dnExists($request['dn']))
 # We search all children, not only the visible children in the tree
 $request['children'] = $app['server']->getContainerContents($request['dn'],null,0,'(objectClass=*)',LDAP_DEREF_NEVER);
 
-printf('<h3 class="title">%s %s</h3>',_('Delete'),get_rdn($request['dn']));
+printf('<h3 class="title">%s %s</h3>',_('Delete'),htmlspecialchars(get_rdn($request['dn'])));
 printf('<h3 class="subtitle">%s: <b>%s</b> &nbsp;&nbsp;&nbsp; %s: <b>%s</b></h3>',
 	_('Server'),$app['server']->getName(),_('Distinguished Name'),$request['dn']);
 echo "\n";
@@ -70,7 +75,7 @@ if (count($request['children'])) {
 	echo '<form action="cmd.php" method="post" id="delete_form">';
 	echo '<input type="hidden" name="cmd" value="rdelete" />';
 	printf('<input type="hidden" name="server_id" value="%s" />',$app['server']->getIndex());
-	printf('<input type="hidden" name="dn" value="%s" />',htmlspecialchars($request['dn']));
+	printf('<input type="hidden" name="dn" value="%s" />',$request['template']->getDNEncode(false));
 	//@todo need to refresh the tree after a delete
 	printf('<input type="submit" value="%s" %s />',
 		sprintf(_('Delete all %s objects'),count($request['search'])),
@@ -82,10 +87,10 @@ if (count($request['children'])) {
 	echo '<form action="cmd.php" method="get">';
 	echo '<input type="hidden" name="cmd" value="template_engine" />';
 	printf('<input type="hidden" name="server_id" value="%s" />',$app['server']->getIndex());
-	printf('<input type="hidden" name="dn" value="%s" />',htmlspecialchars($request['dn']));
+	printf('<input type="hidden" name="dn" value="%s" />',$request['template']->getDNEncode(false));
 	printf('<input type="submit" name="submit" value="%s" %s />',
 		_('Cancel'),
-		(isAjaxEnabled() ? sprintf('onclick="return ajDISPLAY(\'BODY\',\'cmd=template_engine&server_id=%s&dn=%s\',\'%s\');"',$app['server']->getIndex(),htmlspecialchars($request['dn']),_('Retrieving DN')) : ''));
+		(isAjaxEnabled() ? sprintf('onclick="return ajDISPLAY(\'BODY\',\'cmd=template_engine&server_id=%s&dn=%s\',\'%s\');"',$app['server']->getIndex(),$request['template']->getDNEncode(),_('Retrieving DN')) : ''));
 	echo '</form>';
 	echo '</td>';
 	echo '</tr>';
@@ -122,7 +127,7 @@ if (count($request['children'])) {
 	echo '<form action="cmd.php" method="post" id="delete_form">';
 	echo '<input type="hidden" name="cmd" value="delete" />';
 	printf('<input type="hidden" name="server_id" value="%s" />',$app['server']->getIndex());
-	printf('<input type="hidden" name="dn" value="%s" />',htmlspecialchars($request['dn']));
+	printf('<input type="hidden" name="dn" value="%s" />',$request['template']->getDNEncode(false));
 	//@todo need to refresh the tree after a delete
 	printf('<input type="submit" name="submit" value="%s" %s />',
 		_('Delete'),
@@ -135,10 +140,10 @@ if (count($request['children'])) {
 	echo '<form action="cmd.php" method="get">';
 	echo '<input type="hidden" name="cmd" value="template_engine" />';
 	printf('<input type="hidden" name="server_id" value="%s" />',$app['server']->getIndex());
-	printf('<input type="hidden" name="dn" value="%s" />',htmlspecialchars($request['dn']));
+	printf('<input type="hidden" name="dn" value="%s" />',$request['template']->getDNEncode(false));
 	printf('<input type="submit" name="submit" value="%s" %s />',
 		_('Cancel'),
-		(isAjaxEnabled() ? sprintf('onclick="return ajDISPLAY(\'BODY\',\'cmd=template_engine&server_id=%s&dn=%s\',\'%s\');"',$app['server']->getIndex(),htmlspecialchars($request['dn']),_('Retrieving DN')) : ''));
+		(isAjaxEnabled() ? sprintf('onclick="return ajDISPLAY(\'BODY\',\'cmd=template_engine&server_id=%s&dn=%s\',\'%s\');"',$app['server']->getIndex(),$request['template']->getDNEncode(),_('Retrieving DN')) : ''));
 	echo '</form>';
 
 	echo '</td>';

htdocs/entry_chooser.php

@@ -15,9 +15,9 @@ $www['page'] = new page();
 
 $request = array();
 $request['container'] = get_request('container','GET');
-$request['form'] = get_request('form','GET');
-$request['element'] = get_request('element','GET');
-$request['rdn'] = get_request('rdn','GET');
+$request['form'] = htmlspecialchars(addslashes(get_request('form','GET')));
+$request['element'] = htmlspecialchars(addslashes(get_request('element','GET')));
+$request['rdn'] = htmlspecialchars(addslashes(get_request('rdn','GET')));
 
 echo '<div class="popup">';
 printf('<h3 class="subtitle">%s</h3>',_('Entry Chooser'));
@@ -33,12 +33,13 @@ echo '</script>';
 echo '<table class="forminput" width="100%" border="0">';
 if ($request['container']) {
 	printf('<tr><td class="heading" colspan="3">%s:</td><td>%s</td></tr>',_('Server'),$app['server']->getName());
-	printf('<tr><td class="heading" colspan="3">%s:</td><td>%s</td></tr>',_('Looking in'),$request['container']);
+	printf('<tr><td class="heading" colspan="3">%s:</td><td>%s</td></tr>',_('Looking in'),htmlspecialchars($request['container']));
 	echo '<tr><td class="blank" colspan="4">&nbsp;</td></tr>';
 }
 
 # Has the user already begun to descend into a specific server tree?
 if (isset($app['server']) && ! is_null($request['container'])) {
+	$tree = get_cached_item($app['server']->getIndex(),'tree');
 
 	$request['children'] = $app['server']->getContainerContents($request['container'],null,0,'(objectClass=*)',$_SESSION[APPCONFIG]->getValue('deref','tree'));
 	sort($request['children']);
@@ -78,7 +79,18 @@ if (isset($app['server']) && ! is_null($request['container'])) {
 			echo '<td class="blank">&nbsp;</td>';
 			printf('<td class="icon"><a href="%s"><img src="%s/plus.png" alt="Plus" /></a></td>',$href['expand'],IMGDIR);
 
-			printf('<td colspan="2"><a href="%s">%s</a></td>',$href['return'],$dn);
+			$entry = $tree->getEntry($dn);
+			if (is_null($entry)) {
+				$tree->addEntry($dn);
+				$entry = $tree->getEntry($dn);
+			}
+
+			if ($entry)
+				$item = draw_formatted_dn($app['server'], $entry);
+			else
+				$item = $dn;
+
+			printf('<td colspan="2"><a href="%s">%s</a></td>',$href['return'], $item );
 			echo '</tr>';
 			echo "\n\n";
 		}

htdocs/export.php

@@ -29,12 +29,12 @@ if ($request['file']) {
 
 	header('Content-type: application/download');
 	header(sprintf('Content-Disposition: inline; filename="%s.%s"','export',$types['extension'].($request['export']->isCompressed() ? '.gz' : '')));
-	$request['export']->export();
+	echo $request['export']->export();
 	die();
 
 } else {
 	print '<span style="font-size: 14px; font-family: courier;"><pre>';
-	$request['export']->export();
+	echo htmlspecialchars($request['export']->export());
 	print '</pre></span>';
 }
 ?>

htdocs/export_form.php

@@ -81,7 +81,7 @@ printf('<tr><td>%s</td><td><input type="text" name="filter" style="width:300px"
 	_('Search Filter'),htmlspecialchars($request['filter']));
 
 printf('<tr><td>%s</td><td><input type="text" name="attributes" style="width:300px" value="%s" /></td></tr>',
-	_('Show Attributtes'),htmlspecialchars($request['attr']));
+	_('Show Attributes'),htmlspecialchars($request['attr']));
 
 printf('<tr><td>&nbsp;</td><td><input type="checkbox" name="sys_attr" id="sys_attr" %s/> <label for="sys_attr">%s</label></td></tr>',
 	$request['sys_attr'] ? 'checked="checked" ' : '',_('Include system attributes'));

htdocs/index.php

@@ -57,6 +57,11 @@ if (defined('CONFDIR'))
 else
 	$app['config_file'] = 'config.php';
 
+if (! is_readable($app['config_file'])) {
+	if (ob_get_level()) ob_end_clean();
+	die(sprintf("Missing configuration file <b>%s</b> - have you created it?",$app['config_file']));
+}
+
 # Make sure this PHP install has session support
 if (! extension_loaded('session'))
 	error('<p>Your install of PHP appears to be missing php-session support.</p><p>Please install php-session support before using phpLDAPadmin.<br /><small>(Dont forget to restart your web server afterwards)</small></p>','error',null,true);
@@ -120,8 +125,10 @@ if (! $config = check_config($app['config_file'])) {
 	$_SESSION[APPCONFIG] = $config;
 }
 
-if ($uri = get_request('URI','GET'))
+if ($uri = get_request('URI','GET')) {
 	header(sprintf('Location: cmd.php?%s',base64_decode($uri)));
+        exit;
+}
 
 if (! preg_match('/^([0-9]+\.?)+/',app_version())) {
 	system_message(array(

htdocs/js/ajax_functions.js

@@ -15,13 +15,13 @@ function ajSUBMIT(div,obj,display) {
 
 	window.scrollTo(0,95);
 
+	makeHttpRequest('cmd.php',getParameters(obj.parentNode)+'meth=ajax','POST','alertAJ','cancelAJ',div);
+
 	if (pageDiv)
 		includeHTML(pageDiv,'<img src="images/ajax-progress.gif"><br><small>'+display+'...</small>');
 	else
 		return true;
 
-	makeHttpRequest('cmd.php',getParameters(obj.parentNode)+'meth=ajax','POST','alertAJ','cancelAJ',div);
-
 	return false;
 }
 
@@ -31,13 +31,13 @@ function ajDISPLAY(div,urlParameters,display,ns) {
 	if (! ns)
 		window.scrollTo(0,95);
 
+	makeHttpRequest('cmd.php',urlParameters+'&meth=ajax','GET','alertAJ','cancelAJ',div);
+
 	if (pageDiv)
 		includeHTML(pageDiv,'<img src="images/ajax-progress.gif"><br><small>'+display+'...</small>');
 	else
 		return true;
 
-	makeHttpRequest('cmd.php',urlParameters+'&meth=ajax','GET','alertAJ','cancelAJ',div);
-
 	return false;
 }
 
@@ -202,8 +202,6 @@ function makeHttpRequest(url,parameters,meth,successCallbackFunctionName,errorCa
 	http_request.open(meth,url,true);
 
 	http_request.setRequestHeader('Content-type','application/x-www-form-urlencoded');
-	http_request.setRequestHeader('Content-length',parameters.length);
-	http_request.setRequestHeader('Connection','close');
 
 	if (meth == 'GET') parameters = null;
 	http_request.send(parameters);

htdocs/login.php

@@ -11,27 +11,44 @@
 
 require './common.php';
 
-$user = array();
-$user['login'] = get_request('login');
-$user['password'] = get_request('login_pass');
+$pass = true;
+if ($_SESSION[APPCONFIG]->getValue('session', 'reCAPTCHA-enable')) {
+    $pass = !IsRobot(get_request('g-recaptcha-response'));
+}
 
-if ($user['login'] && ! strlen($user['password']))
-	system_message(array(
-		'title'=>_('Authenticate to server'),
-		'body'=>_('You left the password blank.'),
-		'type'=>'warn'),
-		sprintf('cmd.php?cmd=login_form&server_id=%s',get_request('server_id','REQUEST')));
+if ($pass) {
+    $user             = array();
+    $user['login']    = get_request('login');
+    $user['password'] = get_request('login_pass');
+
+    if ($user['login'] && !strlen($user['password'])) {
+        system_message(array(
+            'title' => _('Authenticate to server'),
+            'body'  => _('You left the password blank.'),
+            'type'  => 'warn'),
+            sprintf('cmd.php?cmd=login_form&server_id=%s', get_request('server_id', 'REQUEST')));
+    }
+
+    if ($app['server']->login($user['login'], $user['password'], 'user')) {
+        system_message(array(
+            'title' => _('Authenticate to server'),
+            'body'  => _('Successfully logged into server.'),
+            'type'  => 'info'),
+            sprintf('cmd.php?server_id=%s', get_request('server_id', 'REQUEST')));
+    } else {
+        system_message(array(
+            'title' => _('Failed to Authenticate to server'),
+            'body'  => _('Invalid Username or Password.'),
+            'type'  => 'error'),
+            sprintf('cmd.php?cmd=login_form&server_id=%s', get_request('server_id', 'REQUEST')));
+    }
+
+} else {
+    system_message(array(
+        'title' => _('Authenticate to server'),
+        'body'  => _('Incorrect captcha.'),
+        'type'  => 'warn'),
+        sprintf('cmd.php?cmd=login_form&server_id=%s', get_request('server_id', 'REQUEST')));
+}
 
-if ($app['server']->login($user['login'],$user['password'],'user'))
-	system_message(array(
-		'title'=>_('Authenticate to server'),
-		'body'=>_('Successfully logged into server.'),
-		'type'=>'info'),
-		sprintf('cmd.php?server_id=%s',get_request('server_id','REQUEST')));
-else
-	system_message(array(
-		'title'=>_('Failed to Authenticate to server'),
-		'body'=>_('Invalid Username or Password.'),
-		'type'=>'error'),
-		sprintf('cmd.php?cmd=login_form&server_id=%s',get_request('server_id','REQUEST')));
 ?>

htdocs/login_form.php

@@ -16,7 +16,19 @@ printf('<h3 class="title">%s %s</h3>',_('Authenticate to server'),$app['server']
 echo '<br />';
 
 # Check for a secure connection
-if (! isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on') {
+$isHTTPS = false;
+
+# Check if the current connection is encrypted
+if (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') {
+        $isHTTPS = true;
+}
+# Check if a proxy server downstream does encryption for us
+elseif (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https' || !empty($_SERVER['HTTP_X_FORWARDED_SSL']) && strtolower($_SERVER['HTTP_X_FORWARDED_SSL'])
+== 'on') {
+        $isHTTPS = true;
+}
+
+if (!$isHTTPS) {
 	echo '<div style="text-align: center; color:red">';
 	printf('<acronym title="%s"><b>%s: %s.</b></acronym>',
 		_('You are not using \'https\'. Web browser will transmit login information in clear text.'),
@@ -25,6 +37,7 @@ if (! isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on') {
 
 	echo '<br />';
 }
+unset($isSecure);
 
 # HTTP Basic Auth Form.
 if ($app['server']->getAuthType() == 'http') {
@@ -52,7 +65,7 @@ if ($app['server']->getAuthType() == 'http') {
 
 # HTML Login Form
 } else {
-	echo '<form action="cmd.php" method="post">';
+	echo '<form action="cmd.php" method="post" autocomplete="off">';
 	echo '<div>';
 	echo '<input type="hidden" name="cmd" value="login" />';
 	printf('<input type="hidden" name="server_id" value="%s" />',$app['server']->getIndex());
@@ -67,7 +80,7 @@ if ($app['server']->getAuthType() == 'http') {
 
 	printf('<tr><td><b>%s:</b></td></tr>',
 		$app['server']->getValue('login','auth_text') ? $app['server']->getValue('login','auth_text') :
-			($app['server']->getValue('login','attr') == 'dn' ? _('Login DN') : $_SESSION[APPCONFIG]->getFriendlyName($app['server']->getValue('login','attr'))));
+			($app['server']->getValue('login','attr') == 'dn' ? ($app['server']->getValue('login', 'bind_dn_template') ? _('User Name') . ' / ' . _('Login DN') : _('Login DN')) : $_SESSION[APPCONFIG]->getFriendlyName($app['server']->getValue('login','attr'))));
 
 	printf('<tr><td><input type="text" id="login" name="login" size="40" value="%s" /></td></tr>',
 		$app['server']->getValue('login','attr',false) == 'dn' ? $app['server']->getValue('login','bind_id') : '');
@@ -77,6 +90,13 @@ if ($app['server']->getAuthType() == 'http') {
 	echo '<tr><td><input type="password" id="password" size="40" value="" name="login_pass" /></td></tr>';
 	echo '<tr><td colspan="2">&nbsp;</td></tr>';
 
+	#reCAPTCHA
+	if ($_SESSION[APPCONFIG]->getValue('session', 'reCAPTCHA-enable')) {
+		echo '<script src="https://www.google.com/recaptcha/api.js"></script>';
+		echo '<tr><td><div class="g-recaptcha" data-sitekey="'.$_SESSION[APPCONFIG]->getValue('session', 'reCAPTCHA-key-site').'"></div></td></tr>';
+		echo '<tr><td colspan="2">&nbsp;</td></tr>';
+	}
+
 	# If Anon bind allowed, then disable the form if the user choose to bind anonymously.
 	if ($app['server']->isAnonBindAllowed())
 		printf('<tr><td colspan="2"><small><b>%s</b></small> <input type="checkbox" name="anonymous_bind" onclick="form_field_toggle_enable(this,[\'login\',\'password\'],\'login\')" id="anonymous_bind_checkbox" /></td></tr>',

htdocs/logout.php

@@ -11,13 +11,16 @@
 
 require './common.php';
 
-if ($app['server']->logout())
+if ($app['server']->logout()) {
+	unset($_SESSION['ACTIVITY'][$app['server']->getIndex()]);
+
 	system_message(array(
-		'title'=>_('Authenticate to server'),
+		'title'=>_('Logout from Server'),
 		'body'=>_('Successfully logged out of server.'),
 		'type'=>'info'),
 		sprintf('index.php?server_id=%s',$app['server']->getIndex()));
-else
+
+} else
 	system_message(array(
 		'title'=>_('Failed to Logout of server'),
 		'body'=>_('Please report this error to the admins.'),

htdocs/modify_member_form.php

@@ -65,7 +65,7 @@ for ($i=0;$i<count($possible_values);$i++) {
 	if (preg_match("/^".$request['attr']."$/i",$_SESSION[APPCONFIG]->getValue('modify_member','posixgroupattr')))
 		$possible_members[$i] = $possible_values[$i][$_SESSION[APPCONFIG]->getValue('modify_member','posixattr')][0];
 	else
-		$possible_members[$i] = $possible_values[$i][$_SESSION[APPCONFIG]->getValue('modify_member','attr')];
+		$possible_members[$i] = $possible_values[$i][$_SESSION[APPCONFIG]->getValue('modify_member','attr')][0];
 }
 
 # Show only user that are not already in group.

htdocs/monitor.php

@@ -129,15 +129,15 @@ foreach (array(
 }
 
 # cn=Connections,cn=Monitor
-printf('<tr class="list_item"><td class="heading" rowspan="2"><acronym title="%s">%s</acronym></td></tr>',$results['cn=Connections,cn=Monitor']['description'],_('LDAP Connections'));
+printf('<tr class="list_item"><td class="heading" rowspan="2"><acronym title="%s">%s</acronym></td></tr>',$results['cn=Connections,cn=Monitor']['description'][0],_('LDAP Connections'));
 printf('<tr class="list_item"><td class="value">');
 echo '<table class="result"><tr><td>';
 echo '<table class="result_table" border="0" width="100%">';
 
 printf('<tr class="highlight"><td class="20%%">%s</td><td class="value" style="width: 80%%;">%s</td></tr>',
-	_('Total Connections'),$results['cn=Total,cn=Connections,cn=Monitor']['monitorcounter']);
+	_('Total Connections'),$results['cn=Total,cn=Connections,cn=Monitor']['monitorcounter'][0]);
 printf('<tr class="highlight"><td class="20%%">%s</td><td class="value" style="width: 80%%;">%s</td></tr>',
-	_('Current Connections'),$results['cn=Current,cn=Connections,cn=Monitor']['monitorcounter']);
+	_('Current Connections'),$results['cn=Current,cn=Connections,cn=Monitor']['monitorcounter'][0]);
 
 # Look for some connections
 foreach ($results as $key => $value) {

htdocs/server_info.php

@@ -31,7 +31,7 @@ foreach ($attrs as $key => $values) {
 
 	$sattr = $app['server']->getSchemaAttribute($key);
 
-	if ($sattr) {
+	if ($sattr && $_SESSION[APPCONFIG]->isCommandAvailable('script','schema') && $_SESSION[APPCONFIG]->getValue('appearance','show_schema_link')) {
 		$href = sprintf('cmd.php?cmd=schema&server_id=%s&view=attributes&viewvalue=%s',$app['server']->getIndex(),$sattr->getName());
 		printf('<a href="%s" title="%s: %s" >%s</a>',
 			$href,_('Click to view the schema definition for attribute type'),$sattr->getName(false),$sattr->getName(false));

lib/Attribute.php

@@ -778,7 +778,20 @@ class Attribute {
 
 					case 'value':
 						if (is_array($value))
-							$this->values = $value;
+							foreach ($value as $x => $y) {
+								if (! $this->haveMoreValues()) {
+									system_message(array(
+									'title'=>_('Automatically removed attribute values from template'),
+										'body'=>sprintf('%s <small>[%s]</small>',_('Template defines more values than can be accepted by attribute.'),$this->getName(true)),
+										'type'=>'warn'));
+
+									$this->clearValue();
+
+									break;
+
+								} else
+									$this->addValue($x,$y);
+							}
 
 						else
 							# Check to see if the value is auto generated.
@@ -791,7 +804,7 @@ class Attribute {
 									$this->hint = _('Automatically determined');
 
 							} else
-								$this->values = array($value);
+								$this->addValue($value);
 
 						break;
 

lib/HTMLTree.php

@@ -45,7 +45,8 @@ class HTMLTree extends Tree {
 			if (! $onlytree) {
 				$this->draw_menu();
 
-				if ($server->getAuthType() != 'config')
+				if (($server->getAuthType() != 'config') ||
+				    $server->getValue('appearance', 'show_authz'))
 					$this->draw_logged_in_user();
 				else
 					printf('<tr><td class="blank" colspan="%s">&nbsp;</td></tr>',$this->getDepth()+3);
@@ -183,10 +184,15 @@ class HTMLTree extends Tree {
 
 		$links = '';
 
+		$i = 0;
+		$icons = $_SESSION[APPCONFIG]->getValue('appearance','tree_icons');
 		if (is_array($_SESSION[APPCONFIG]->getValue('menu','session')))
 			foreach ($_SESSION[APPCONFIG]->getValue('menu','session') as $link => $title) {
 				if ($this->get_menu_item($link))
 					$links .= sprintf('<td class="server_links">%s</td>',$this->get_menu_item($link));
+
+				if ($icons && ++$i%$icons == 0)
+					$links .= '</tr><tr>';
 			}
 
 		# Finally add our logout link.
@@ -328,7 +334,7 @@ class HTMLTree extends Tree {
 		$server = $this->getServer();
 		$href = sprintf('cmd.php?cmd=logout&server_id=%s',$server->getIndex());
 
-		if (! $_SESSION[APPCONFIG]->isCommandAvailable('script','logout') || in_array($server->getAuthType(),array('config','http','proxy')))
+		if (! $_SESSION[APPCONFIG]->isCommandAvailable('script','logout') || in_array($server->getAuthType(),array('config','http','proxy','sasl')))
 			return '';
 		else
 			return sprintf('<a href="%s" title="%s"><img src="%s/%s" alt="%s" /><br />%s</a>',
@@ -344,7 +350,7 @@ class HTMLTree extends Tree {
 
 		$server = $this->getServer();
 
-		$logged_in_dn = $server->getLogin(null);
+		$logged_in_dn = $server->displayLogin(null);
 		echo '<tr>';
 		echo '<td class="spacer"></td>';
 		printf('<td class="logged_in" colspan="%s">%s: ',$this->getDepth()+3-1,_('Logged in as'));

lib/PageRender.php

@@ -97,6 +97,10 @@ class PageRender extends Visitor {
 
 				$this->visit('',$attribute);
 			}
+
+			// Sort our attribute values for display, if we are the custom template.
+			if ($this->template->getID() == 'none')
+				$this->template->sort();
 		}
 	}
 
@@ -283,7 +287,7 @@ class PageRender extends Visitor {
 						break;
 
 					default:
-						$vals[$i] = password_hash($passwordvalue,$enc);
+						$vals[$i] = pla_password_hash($passwordvalue,$enc);
 				}
 
 				$vals = array_unique($vals);
@@ -331,7 +335,17 @@ class PageRender extends Visitor {
 			if (DEBUGTMP) printf('<font size=-2>%s:<u>%s</u></font><br />',__METHOD__,'Choosing the DEFAULT template, no other template applicable');
 
 			# Since getTemplate() returns a default template if the one we want doesnt exist, we can return $templates->getID(), it should be the default.
-			return $template->getID();
+			if ($_SESSION[APPCONFIG]->getValue('appearance','disable_default_template') AND $this->getMode() == 'creation') {
+
+				system_message(array(
+					'title'=>_('No available templates'),
+					'body'=>_('There are no available active templates for this container.'),
+					'type'=>'warn'));
+
+				return 'invalid';
+
+			} else
+				return $template->getID();
 
 		# If there is only 1 defined template, and no default available, then that is our template.
 		} elseif ((count($templates->getTemplates($this->getMode(),$this->getModeContainer(),true)) == 1) && ! $this->haveDefaultTemplate()) {
@@ -365,7 +379,7 @@ class PageRender extends Visitor {
 		$href = sprintf('cmd.php?cmd=schema&server_id=%s&view=attributes&viewvalue=%s',
 			$this->getServerID(),$attribute->getName());
 
-		if (! $_SESSION[APPCONFIG]->getValue('appearance','show_schema_link'))
+		if (! $_SESSION[APPCONFIG]->getValue('appearance','show_schema_link') || !$_SESSION[APPCONFIG]->isCommandAvailable('script','schema'))
 			printf('%s',_($attribute->getFriendlyName()));
 
 		elseif ($attribute->getLDAPtype())
@@ -943,7 +957,7 @@ class PageRender extends Visitor {
 		if (trim($val))
 			$enc_type = get_enc_type($val);
 		else
-			$enc_type = $server->getValue('appearance','password_hash');
+			$enc_type = $server->getValue('appearance','pla_password_hash');
 
 		$obfuscate_password = obfuscate_password_display($enc_type);
 
@@ -968,7 +982,7 @@ class PageRender extends Visitor {
 		if (trim($val))
 			$enc_type = get_enc_type($val);
 		else
-			$enc_type = $server->getValue('appearance','password_hash');
+			$enc_type = $server->getValue('appearance','pla_password_hash');
 
 		echo '<table cellspacing="0" cellpadding="0"><tr><td valign="top">';
 
@@ -1056,6 +1070,11 @@ class PageRender extends Visitor {
 			} else {
 				echo '<table cellspacing="0" cellpadding="0" border="0">';
 
+				// For checkbox items, we need to render a blank entry, so that we detect an all-unselect situation
+				printf('<tr><td colspan="2"><input type="hidden" id="new_values_%s_%s" name="new_values[%s][]" value="%s"/></td></tr>',
+					htmlspecialchars($attribute->getName()),$j++,
+					htmlspecialchars($attribute->getName()),'');
+
 				foreach ($attribute->getSelection() as $value => $description) {
 					if (in_array($value,$vals))
 						$selected[$value] = true;
@@ -1106,10 +1125,7 @@ class PageRender extends Visitor {
 
 			foreach ($attribute->getSelection() as $value => $description) {
 				printf('<option value="%s" %s>%s</option>',$value,
-					($value == $val) ? 'selected="selected"' : '',$description);
-
-				if ($value == $val)
-					$found = true;
+					((strcasecmp($value,$val) == 0) && $found = true) ? 'selected="selected"' : '',$description);
 
 				if ($value == '')
 					$empty_value = true;

lib/Query.php

@@ -247,8 +247,8 @@ class Query extends xmlTemplate {
 		# If our display order is empty, then dynamically build it
 		if (! count($result)) {
 			foreach ($this->results as $details)
-					foreach ($details as $attrs)
-						$result = array_merge($result,array_keys(array_change_key_case($attrs)));
+				foreach ($details as $attrs)
+					$result = array_merge($result,array_keys(array_change_key_case($attrs)));
 
 			$result = array_unique($result);
 			sort($result);

lib/QueryRender.php

@@ -229,7 +229,6 @@ class QueryRender extends PageRender {
 		# If Mass Actions Enabled
 		if ($_SESSION[APPCONFIG]->getValue('mass','enabled')) {
 			$mass_actions = array(
-				' ' => '',
 				_('delete') => 'mass_delete',
 				_('edit') => 'mass_edit'
 			);
@@ -281,6 +280,8 @@ class QueryRender extends PageRender {
 
 						# Iterate over each attribute for this entry
 						foreach (explode(',',$ado) as $attr) {
+							$attr = strtolower($attr);
+
 							# Ignore DN, we've already displayed it.
 							if ($attr == 'dn')
 								continue;
@@ -320,7 +321,7 @@ class QueryRender extends PageRender {
 					if (! $results) {
 						echo _('Search returned no results');
 
-						continue;
+						continue 2;
 					}
 
 					printf('<form action="cmd.php" method="post" id="massform_%s">',$counter);
@@ -406,12 +407,10 @@ class QueryRender extends PageRender {
 						printf('<tr class="%s">',++$j%2 ? 'odd' : 'even');
 						printf('<td><input type="checkbox" name="allbox" value="1" onclick="CheckAll(1,\'massform_\',%s);" /></td>',$counter);
 						printf('<td colspan="%s">',2+count(explode(',',$ado)));
-						echo '<select name="cmd" onchange="if (this.value) submit();" style="font-size: 12px">';
 
-						foreach ($mass_actions as $action => $display)
-							printf('<option value="%s">%s</option>',$display,$action);
+						foreach ($mass_actions as $display => $action)
+							printf('<button type="submit" name="cmd" value="%s">%s</button>&nbsp;&nbsp;',$action,$display);
 
-						echo '</select>';
 						echo '</td>';
 						echo '</tr>';
 					}
@@ -462,7 +461,7 @@ class QueryRender extends PageRender {
 		$results = array();
 
 		foreach (explode(',',$this->template->getAttrDisplayOrder()) as $attr)
-			$results[$attr] = $attribute_factory->newAttribute($attr,array('values'=>array()),$this->getServerID());
+			$results[strtolower($attr)] = $attribute_factory->newAttribute($attr,array('values'=>array()),$this->getServerID());
 
 		return $results;
 	}
@@ -497,7 +496,7 @@ class QueryRender extends PageRender {
 				$this->getAjaxRef($base),
 				$this->getAjaxRef($base),
 				($show == $this->getAjaxRef($base) ? '#F0F0F0' : '#E0E0E0'),
-				$base);
+				htmlspecialchars($base));
 		}
 		echo '</tr>';
 		echo '</table>';
@@ -545,7 +544,7 @@ class QueryRender extends PageRender {
 		echo ' ]</small>';
 
 		echo '<br />';
-		printf('<small>%s: <b>%s</b></small>',_('Base DN'),$base);
+		printf('<small>%s: <b>%s</b></small>',_('Base DN'),htmlspecialchars($base));
 
 		echo '<br />';
 		printf('<small>%s: <b>%s</b></small>',_('Filter performed'),htmlspecialchars($this->template->resultsdata[$base]['filter']));

lib/SelectionAttribute.php

@@ -37,6 +37,13 @@ class SelectionAttribute extends Attribute {
 		$this->selection[$value] = $description;
 	}
 
+	public function addValue($new_val,$i=-1) {
+		if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
+			debug_log('Entered (%%)',5,0,__FILE__,__LINE__,__METHOD__,$fargs);
+
+		$this->addOption($new_val,$i);
+	}
+
 	public function getOptionCount() {
 		return count($this->selection);
 	}

lib/Template.php

@@ -258,7 +258,7 @@ class Template extends xmlTemplate {
 	 * or delete.
 	 * (OLD values are IGNORED, we will have got them when we build this object from the LDAP server DN.)
 	 */
-	public function accept($makeVisible=false) {
+	public function accept($makeVisible=false,$nocache=false) {
 		if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 			debug_log('Entered (%%)',5,0,__FILE__,__LINE__,__METHOD__,$fargs);
 
@@ -275,7 +275,7 @@ class Template extends xmlTemplate {
 			$rdnarray = rdn_explode(strtolower(get_rdn(dn_escape($this->dn))));
 
 			$counter = 1;
-			foreach ($server->getDNAttrValues($this->dn,null,LDAP_DEREF_NEVER,array_merge(array('*'),$server->getValue('server','custom_attrs'))) as $attr => $values) {
+			foreach ($server->getDNAttrValues($this->dn,null,LDAP_DEREF_NEVER,array_merge(array('*'),$server->getValue('server','custom_attrs')),$nocache) as $attr => $values) {
 				# We ignore DNs.
 				if ($attr == 'dn')
 					continue;
@@ -852,7 +852,7 @@ class Template extends xmlTemplate {
 				return '';
 
 			foreach ($vals as $val)
-				$rdn .= sprintf('%s=%s+',$attribute->getName(),$val);
+				$rdn .= sprintf('%s=%s+',$attribute->getName(false),$val);
 		}
 
 		# Chop the last plus sign off when returning
@@ -913,6 +913,14 @@ class Template extends xmlTemplate {
 		return $this->visible;
 	}
 
+	public function setVisible() {
+		$this->visible = true;
+	}
+
+	public function setInvisible() {
+		$this->visible = false;
+	}
+
 	public function getRegExp() {
 		if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 			debug_log('Entered (%%)',5,1,__FILE__,__LINE__,__METHOD__,$fargs,$this->regexp);
@@ -1334,7 +1342,7 @@ class Template extends xmlTemplate {
 							continue;
 
 						if (! $this->isAttrType($objectclassattr,'may'))
-							$this->setAttrLDAPtype($sattr->getName(false),'optional');
+							$this->setAttrLDAPtype($sattr->getName(false),'may');
 
 						if (! in_array($objectclassattr,$allattrs))
 							array_push($allattrs,$objectclassattr);
@@ -1555,5 +1563,9 @@ class Template extends xmlTemplate {
 	public function isNoLeaf() {
 		return $this->noleaf;
 	}
+
+	public function sort() {
+		usort($this->attributes,'sortAttrs');
+	}
 }
 ?>

lib/TemplateRender.php

@@ -48,7 +48,7 @@ class TemplateRender extends PageRender {
 
 		$this->page = get_request('page','REQUEST',false,1);
 
-		if ($this->template_id) {
+		if ($this->template_id AND $this->template_id != 'invalid') {
 			if (! $this->template)
 				parent::accept();
 
@@ -59,7 +59,7 @@ class TemplateRender extends PageRender {
 			$this->layout['action'] = '<td class="icon"><img src="%s/%s" alt="%s" /></td><td><a href="cmd.php?%s" title="%s">%s</a></td>';
 			$this->layout['actionajax'] = '<td class="icon"><img src="%s/%s" alt="%s" /></td><td><a href="cmd.php?%s" title="%s" onclick="return ajDISPLAY(\'BODY\',\'%s\',\'%s\');">%s</a></td>';
 
-			# If we dont want to render this template automatically, we'll return here.
+			# If we don't want to render this template automatically, we'll return here.
 			if ($norender)
 				return;
 
@@ -200,7 +200,7 @@ class TemplateRender extends PageRender {
 					$next_number = $vals;
 
 					foreach ($mod as $calc) {
-						$operand = $calc{0};
+						$operand = $calc[0];
 						$operator = substr ($calc,1);
 
 						switch ($operand) {
@@ -264,6 +264,9 @@ class TemplateRender extends PageRender {
 			 *
 			 * * arg 8 (for MultiList)
 			 *   - size of displayed list (default: 10 lines)
+			 *
+			 * * arg 9
+			 *   - if whether to include parent in sub query TRUE|FALSE
 			 */
 			case 'MultiList':
 			case 'PickList':
@@ -273,7 +276,7 @@ class TemplateRender extends PageRender {
 				else
 					$container = $args[5];
 
-				# Process filter (arg 1), eventually replace %attr% by it's value set in a previous page.
+				# Process filter (arg 1), eventually replace %attr% by its value set in a previous page.
 				preg_match_all('/%(\w+)(\|.+)?(\/[lUC])?%/U',$args[1],$filtermatchall);
 				//print_r($matchall); // -1 = highlevel match, 1 = attr, 2 = subst, 3 = mod
 
@@ -322,6 +325,9 @@ class TemplateRender extends PageRender {
 				$vals = array();
 
 				foreach ($picklistvalues as $key => $values) {
+					if (! empty($args[9]) && $container == $key)
+						continue;
+
 					$display = $args[3];
 
 					foreach ($matchall[1] as $key => $arg) {
@@ -1679,7 +1685,7 @@ function validateForm(silence) {
 
 				// Sometimes the alert gives us enough time!
 				if (typeof getAttributeComponents != "undefined")
-					alert("Dont bother, our JS is loaded now!");
+					alert("Don\'t bother, our JS is loaded now!");
 			}
 
 			validateForm(true);
@@ -2371,6 +2377,9 @@ function deleteAttribute(attrName,friendlyName,i)
 	protected function drawIconObjectClassAttribute($attribute,$val) {
 		if (DEBUGTMP) printf('<font size=-2>%s</font><br />',__METHOD__);
 
+		if (! $_SESSION[APPCONFIG]->getValue('appearance','show_schema_link') || !$_SESSION[APPCONFIG]->isCommandAvailable('script','schema'))
+			return;
+
 		if (strlen($val) > 0) {
 			$href = sprintf('cmd.php?cmd=schema&server_id=%s&view=objectclasses&viewvalue=%s',
 				$this->getServerID(),$val);
@@ -2463,7 +2472,7 @@ function deleteAttribute(attrName,friendlyName,i)
 		if ($val = $attribute->getValue($i))
 			$default = get_enc_type($val);
 		else
-			$default = $this->getServer()->getValue('appearance','password_hash');
+			$default = $this->getServer()->getValue('appearance','pla_password_hash');
 
 		if (! $attribute->getPostValue())
 			printf('<input type="hidden" name="post_value[%s][]" value="%s" />',$attribute->getName(),$i);

lib/Tree.php

@@ -51,16 +51,23 @@ abstract class Tree {
 				return null;
 
 			$treeclass = $_SESSION[APPCONFIG]->getValue('appearance','tree');
-			eval('$tree = new '.$treeclass.'($server_id);');
+			$tree = new $treeclass($server_id);
 
 			# If we are not logged in, just return the empty tree.
 			if (is_null($server->getLogin(null)))
 				return $tree;
 
-			foreach ($server->getBaseDN(null) as $base)
-				if ($base)
+			foreach ($server->getBaseDN(null) as $base) {
+				if ($base) {
 					$tree->addEntry($base);
 
+					if ($server->getValue('appearance','open_tree')) {
+						$baseEntry = $tree->getEntry($base);
+						$baseEntry->open();
+					}
+				}
+			}
+
 			set_cached_item($server_id,'tree','null',$tree);
 		}
 
@@ -103,7 +110,7 @@ abstract class Tree {
 		$return = array();
 
 		foreach ($this->entries as $details)
-			if ($details->isBaseDN())
+			if ($details->isBaseDN() AND ((! $this->getServer()->getValue('server','hide_noaccess_base')) OR $details->isInLdap()))
 				array_push($return,$details);
 
 		return $return;

lib/Visitor.php

@@ -55,20 +55,7 @@ abstract class Visitor {
 			printf('<font size=-2>Method Exists: %s::%s (%s)</font><br />',get_class($this),$call,$args);
 
 		if (method_exists($this,$call)) {
-			$call .= '(';
-
-			for ($i = 0; $i < count($args); $i++)
-				if ($i == 0)
-					$call .= sprintf('$args[%s]',$i);
-				else
-					$call .= sprintf(',$args[%s]',$i);
-
-			$call .= ');';
-
-			if (defined('DEBUGTMP') && DEBUGTMP)
-				printf('<font size=-2><b>Invoking Method: $this->%s</b></font><br />',$call);
-
-			eval('$r = $this->'.$call);
+			$r = call_user_func_array(array($this,$call),$args);
 
 			if (isset($r))
 				return $r;

lib/config_default.php

@@ -8,7 +8,7 @@
  */
 
 /** The minimum version of PHP required to run phpLDAPadmin. */
-define('REQUIRED_PHP_VERSION','5.0.0');
+define('REQUIRED_PHP_VERSION','5.5.0');
 
 /**
  * The config class contains all our configuration settings for a session.
@@ -107,6 +107,10 @@ class Config {
 			'desc'=>'Hide the features that may provide sensitive debugging information to the browser',
 			'default'=>true);
 
+		$this->default->appearance['hide_template_regexp'] = array(
+			'desc'=>'Templates that are disabled by their regex are not shown',
+			'default'=>false);
+
 		$this->default->appearance['hide_template_warning'] = array(
 			'desc'=>'Hide template errors from being displayed',
 			'default'=>false);
@@ -257,6 +261,15 @@ class Config {
 			'desc'=>'LDAP search filter for the tree entries',
 			'default'=>'(objectClass=*)');
 
+		$this->default->appearance['tree_icons'] = array(
+			'desc'=>'Number of Tree Icons to display on a row',
+			'default'=>0);
+
+		# PLA will not display the header and footer parts in minimal mode.
+		$this->default->appearance['minimalMode'] = array(
+			'desc'=>'Minimal mode hides header and footer parts',
+			'default'=>false);
+
 		## Caching
 		$this->default->cache['schema'] = array(
 			'desc'=>'Cache Schema Activity',
@@ -435,7 +448,7 @@ class Config {
 		 */
 		$this->default->modify_member['groupattr'] = array(
 			'desc'=>'Group member attributes',
-			'default'=>array('member','uniqueMember','memberUid'));
+			'default'=>array('member','uniqueMember','memberUid','uid'));
 
 		/**
 		 * Attribute that is added to the group member attribute. For groupOfNames or groupOfUniqueNames this is dn,
@@ -565,6 +578,20 @@ class Config {
 		$this->default->search['time_limit'] = array(
 			'desc'=>'Maximum time to allow unlimited size_limit searches to the ldap server',
 			'default'=>120);
+
+		/* reCAPTCHA Login */
+
+		$this->default->session['reCAPTCHA-enable'] = array(
+			'desc'=>'Status reCAPTCHA (true | false)',
+			'default'=>false);
+
+		$this->default->session['reCAPTCHA-key-site'] = array(
+			'desc'=>'Site Key',
+			'default'=>"<put-here-key-site>");
+
+		$this->default->session['reCAPTCHA-key-server'] = array(
+			'desc'=>'Server key',
+			'default'=>"<put-here-key-server>");
 	}
 
 	/**

lib/ds.php

@@ -212,7 +212,7 @@ abstract class DS {
 			case 'cookie':
 				set_cookie($method.'-USER',blowfish_encrypt($user),NULL,'/');
 				set_cookie($method.'-PASS',blowfish_encrypt($pass),NULL,'/');
-				return TRUE;
+				return true;
 
 			case 'config':
 				return true;
@@ -368,11 +368,11 @@ abstract class DS {
 					$userDN = preg_replace($regex, $replacement, $_SERVER['REMOTE_USER']);
 
 					$CACHE[$this->index][$method] = $this->login($userDN, '', $method);
-				}
+
 				# Otherwise, use the user name as is
-				else {
-					$CACHE[$this->index][$method] = $this->login($_SERVER['REMOTE_USER'], '', $method);
-				}
+				# For GSSAPI Authentication + mod_auth_kerb and Basic Authentication
+				} else
+					$CACHE[$this->index][$method] = $this->login(isset($_SERVER['REMOTE_USER']) ? $_SERVER['REMOTE_USER'] : '', '', $method);
 
 				break;
 
@@ -542,6 +542,10 @@ class Datastore {
 			'desc'=>'Whether this server is visible',
 			'default'=>true);
 
+		$this->default->server['hide_noaccess_base'] = array(
+			'desc'=>'If base DNs are not accessible, hide them instead of showing create',
+			'default'=>false);
+
 		# Authentication Information
 		$this->default->login['auth_type'] = array(
 			'desc'=>'Authentication Type',
@@ -570,6 +574,10 @@ class Datastore {
 			'desc'=>'User Login ID to bind to this DS',
 			'default'=>null);
 
+		$this->default->login['bind_dn_template'] = array(
+			'desc'=>'Template string for user login DN to bind to this DS. Use \'%s\' where user input should be inserted.',
+			'default'=>null);
+
 		$this->default->login['bind_pass'] = array(
 			'desc'=>'User Login Password to bind to this DS',
 			'default'=>null);
@@ -588,7 +596,6 @@ class Datastore {
 			'untested'=>true,
 			'default'=>null);
 
-
 		# Prefix for custom pages
 		$this->default->custom['pages_prefix'] = array(
 			'desc'=>'Prefix name for custom pages',

lib/ds_ldap.php

@@ -19,8 +19,6 @@ class ldap extends DS {
 	private $_schema_entries = null;
 	# Schema DN
 	private $_schemaDN = null;
-	# Attributes that should be treated as MAY attributes, even though the scheme has them as MUST attributes.
-	private $force_may = array();
 
 	public function __construct($index) {
 		if (defined('DEBUG_ENABLED') && DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
@@ -82,14 +80,9 @@ class ldap extends DS {
 			'default'=>array());
 
 		# SASL configuration
-		$this->default->server['sasl'] = array(
-			'desc'=>'Use SASL authentication when binding LDAP server',
-			'default'=>false);
-
 		$this->default->sasl['mech'] = array(
 			'desc'=>'SASL mechanism used while binding LDAP server',
-			'untested'=>true,
-			'default'=>'PLAIN');
+			'default'=>'GSSAPI');
 
 		$this->default->sasl['realm'] = array(
 			'desc'=>'SASL realm name',
@@ -188,13 +181,21 @@ class ldap extends DS {
 		 * specifies deref behavior for each ldap_search operation. */
 		ldap_set_option($resource,LDAP_OPT_REFERRALS,0);
 
+		/* Enabling manageDsaIt to be able to browse through glued entries
+		 * 2.16.840.1.113730.3.4.2 :  "ManageDsaIT Control" "RFC 3296" "The client may provide
+		 * the ManageDsaIT control with an operation to indicate that the operation is intended
+		 * to manage objects within the DSA (server) Information Tree. The control causes
+		 * Directory-specific entries (DSEs), regardless of type, to be treated as normal entries
+		 * allowing clients to interrogate and update these entries using LDAP operations." */
+		ldap_set_option($resource,LDAP_OPT_SERVER_CONTROLS,array(array('oid'=>'2.16.840.1.113730.3.4.2')));
+
 		# Try to fire up TLS is specified in the config
 		if ($this->isTLSEnabled())
 			$this->startTLS($resource);
 
 		# If SASL has been configured for binding, then start it now.
 		if ($this->isSASLEnabled())
-			$bind['result'] = $this->startSASL($resource,$method);
+			$bind['result'] = $this->startSASL($resource,$method,$bind['id'],$bind['pass']);
 
 		# Normal bind...
 		else
@@ -254,11 +255,11 @@ class ldap extends DS {
 		if (! is_null($user)) {
 			# If login,attr is set to DN, then user should be a DN
 			if (($this->getValue('login','attr') == 'dn') || $method != 'user')
-				$userDN = $user;
+				$userDN = $this->getValue('login', 'bind_dn_template') ? $this->fillDNTemplate($user) : $user;
 			else
 				$userDN = $this->getLoginID($user,'login');
 
-			if (! $userDN && $this->getValue('login','fallback_dn'))
+			if (! $userDN && $this->getValue('login','fallback_dn') && strpos($user, '='))
 				$userDN = $user;
 
 			if (! $userDN)
@@ -511,6 +512,15 @@ class ldap extends DS {
 			return $this->getBaseDN();
 	}
 
+	private function fillDNTemplate($user) {
+		foreach($this->getLoginBaseDN() as $base)
+			if(substr_compare($user, $base, -strlen($base)) === 0)
+				return $user; // $user already passed as DN
+
+		// fill template
+		return sprintf($this->getValue('login', 'bind_dn_template'), preg_replace('/([,\\\\#+<>;"=])/', '\\\\$1', $user));
+	}
+
 	/**
 	 * Return the login classes that a user must have to login
 	 */
@@ -577,7 +587,9 @@ class ldap extends DS {
 	 *
 	 * Users may configure phpLDAPadmin to use SASL in config,php thus:
 	 * <code>
-	 *	$servers->setValue('server','sasl',true|false);
+	 *	$servers->setValue('login','auth_type','sasl');
+	 * OR
+	 *      $servers->setValue('sasl','mech','PLAIN');
 	 * </code>
 	 *
 	 * @return boolean
@@ -586,12 +598,20 @@ class ldap extends DS {
 		if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 			debug_log('Entered (%%)',17,0,__FILE__,__LINE__,__METHOD__,$fargs);
 
-		if ($this->getValue('server','sasl') && ! function_exists('ldap_sasl_bind')) {
-				error(_('SASL has been enabled in your config, but your PHP install does not support SASL. SASL will be disabled.'),'warn');
-			return false;
+		if (! in_array($this->getValue('login','auth_type'), array('sasl'))) {
+			// check if SASL mech uses login from other auth_types
+			if (! in_array(strtolower($this->getValue('sasl', 'mech')), array('plain')))
+				return false;
+		}
 
-		} else
-			return $this->getValue('server','sasl');
+		if (! function_exists('ldap_sasl_bind')) {
+			error(_('SASL has been enabled in your config, but your PHP install does not support SASL. SASL will be disabled.'),'warn');
+
+			return false;
+		}
+
+		# If we get here, SASL must be configured.
+		return true;
 	}
 
 	/**
@@ -600,54 +620,71 @@ class ldap extends DS {
 	 *
 	 * @todo This has not been tested, please let the developers know if this function works as expected.
 	 */
-	private function startSASL($resource,$method) {
+	private function startSASL($resource,$method,$login,$pass) {
 		if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 			debug_log('Entered (%%)',17,0,__FILE__,__LINE__,__METHOD__,$fargs);
 
 		static $CACHE = array();
 
-		if (! $this->getValue('server','sasl') || ! function_exists('ldap_start_tls'))
+		# We shouldnt be doing SASL binds for anonymous queries?
+		if ($method == 'anon')
 			return false;
 
-		if (! isset($CACHE['login_dn'])) {
-			$CACHE['login_dn'] = is_null($this->getLogin($method)) ? $this->getLogin('user') : $this->getLogin($method);
-			$CACHE['login_pass'] = is_null($this->getPassword($method)) ? $this->getPassword('user') : $this->getPassword($method);
+		# At the moment, we have only implemented GSSAPI and PLAIN
+		if (! in_array(strtolower($this->getValue('sasl','mech')),array('gssapi','plain'))) {
+			system_message(array(
+				'title'=>_('SASL Method not implemented'),
+				'body'=>sprintf('<b>%s</b>: %s %s',_('Error'),$this->getValue('sasl','mech'),_('has not been implemented yet')),
+				'type'=>'error'));
+
+			return false;
 		}
 
-		$mech = strtolower($this->getValue('sasl','mech'));
+		if (strtolower($this->getValue('sasl','mech')) == 'plain') {
+			return @ldap_sasl_bind($resource,NULL,$pass,'PLAIN',
+					       $this->getValue('sasl','realm'),
+					       $login,
+					       $this->getValue('sasl','props'));
+		}
 
+		if (! isset($CACHE['login_dn']))
+			$CACHE['login_dn'] = $login;
+
+		$CACHE['authz_id'] = '';
+
+		/*
 		# Do we need to rewrite authz_id?
 		if (! isset($CACHE['authz_id']))
-			if (! trim($this->getValue('sasl','authz_id')) && $mech != 'gssapi') {
+			if (! trim($this->getValue('sasl','authz_id')) && strtolower($this->getValue('sasl','mech')) != 'gssapi') {
+				if (DEBUG_ENABLED)
+					debug_log('Rewriting bind DN [%s] -> authz_id with regex [%s] and replacement [%s].',9,0,__FILE__,__LINE__,__METHOD__,
+						$CACHE['login_dn'],
+						$this->getValue('sasl','authz_id_regex'),
+						$this->getValue('sasl','authz_id_replacement'));
 
-			if (DEBUG_ENABLED)
-				debug_log('Rewriting bind DN [%s] -> authz_id with regex [%s] and replacement [%s].',9,0,__FILE__,__LINE__,__METHOD__,
-					$CACHE['login_dn'],
-					$this->getValue('sasl','authz_id_regex'),
-					$this->getValue('sasl','authz_id_replacement'));
+				$CACHE['authz_id'] = @preg_replace($this->getValue('sasl','authz_id_regex'),
+					$this->getValue('sasl','authz_id_replacement'),$CACHE['login_dn']);
 
-			$CACHE['authz_id'] = @preg_replace($this->getValue('sasl','authz_id_regex'),
-				$this->getValue('sasl','authz_id_replacement'),$CACHE['login_dn']);
+				# Invalid regex?
+				if (is_null($CACHE['authz_id']))
+					error(sprintf(_('It seems that sasl_authz_id_regex "%s" contains invalid PCRE regular expression. The error is "%s".'),
+						$this->getValue('sasl','authz_id_regex'),(isset($php_errormsg) ? $php_errormsg : '')),
+						'error','index.php');
 
-			# Invalid regex?
-			if (is_null($CACHE['authz_id']))
-				error(sprintf(_('It seems that sasl_authz_id_regex "%s" contains invalid PCRE regular expression. The error is "%s".'),
-					$this->getValue('sasl','authz_id_regex'),(isset($php_errormsg) ? $php_errormsg : '')),
-					'error','index.php');
-
-			if (DEBUG_ENABLED)
-				debug_log('Resource [%s], SASL OPTIONS: mech [%s], realm [%s], authz_id [%s], props [%s]',9,0,__FILE__,__LINE__,__METHOD__,
-					$resource,
-					$this->getValue('sasl','mech'),
-					$this->getValue('sasl','realm'),
-					$CACHE['authz_id'],
-					$this->getValue('sasl','props'));
+				if (DEBUG_ENABLED)
+					debug_log('Resource [%s], SASL OPTIONS: mech [%s], realm [%s], authz_id [%s], props [%s]',9,0,__FILE__,__LINE__,__METHOD__,
+						$resource,
+						$this->getValue('sasl','mech'),
+						$this->getValue('sasl','realm'),
+						$CACHE['authz_id'],
+						$this->getValue('sasl','props'));
 
 			} else
 				$CACHE['authz_id'] = $this->getValue('sasl','authz_id');
+		*/
 
 		# @todo this function is different in PHP5.1 and PHP5.2
-		return @ldap_sasl_bind($resource,$CACHE['login_dn'],$CACHE['login_pass'],
+		return @ldap_sasl_bind($resource,NULL,'',
 			$this->getValue('sasl','mech'),
 			$this->getValue('sasl','realm'),
 			$CACHE['authz_id'],
@@ -902,7 +939,7 @@ class ldap extends DS {
 					$dn = $this->getContainer($dn);
 
 				if ($dn == $top)
-					break;
+					continue;
 
 			} elseif($value)
 				$dn = sprintf('%s,%s',$value,$dn);
@@ -1108,13 +1145,14 @@ class ldap extends DS {
 
 		if (is_array($dn)) {
 			$a = array();
-			foreach ($dn as $key => $rdn)
-				$a[$key] = preg_replace('/\\\([0-9A-Fa-f]{2})/e',"''.chr(hexdec('\\1')).''",$rdn);
-
+			foreach ($dn as $key => $rdn) {
+				$a[$key] = preg_replace_callback('/\\\([0-9A-Fa-f]{2})/', function($m) { return chr(hexdec('${m[1]}')); }, $rdn);
+			}
 			return $a;
 
-		} else
-			return preg_replace('/\\\([0-9A-Fa-f]{2})/e',"''.chr(hexdec('\\1')).''",$dn);
+		} else {
+			return preg_replace_callback('/\\\([0-9A-Fa-f]{2})/', function($m) { return chr(hexdec('${m[1]}')); }, $dn);
+		}
 	}
 
 	public function getRootDSE($method=null) {
@@ -1367,6 +1405,40 @@ class ldap extends DS {
 			}
 		}
 
+		# Option 3: try cn=config
+		$olc_schema = 'olc'.$schema_to_fetch;
+		$olc_schema_found = false;
+		if (is_null($schema_search)) {
+			if (DEBUG_ENABLED)
+				debug_log('Attempting cn=config work-around...',24,0,__FILE__,__LINE__,__METHOD__);
+
+			$ldap_dn = 'cn=schema,cn=config';
+			$ldap_filter = '(objectClass=*)';
+
+			$schema_search = @ldap_search($this->connect($method),$ldap_dn,$ldap_filter,array($olc_schema),false,0,10,LDAP_DEREF_NEVER);
+
+			if (! is_null($schema_search)) {
+				$schema_entries = @ldap_get_entries($this->connect($method),$schema_search);
+
+				if (DEBUG_ENABLED)
+					debug_log('Search returned [%s]',24,0,__FILE__,__LINE__,__METHOD__,$schema_entries);
+
+				if ($schema_entries) {
+					if (DEBUG_ENABLED)
+						debug_log('Found schema with filter of (%s) and attribute filter (%s)',24,0,__FILE__,__LINE__,__METHOD__,$ldap_filter,$olc_schema);
+
+					$olc_schema_found = true;
+
+				} else {
+					if (DEBUG_ENABLED)
+						debug_log('Didnt find schema with filter (%s) and attribute filter (%s)',24,0,__FILE__,__LINE__,__METHOD__,$ldap_filter,$olc_schema);
+
+					unset($schema_entries);
+					$schema_search = null;
+				}
+			}
+		}
+
 		if (is_null($schema_search)) {
 			/* Still cant find the schema, try with the RootDSE
 			 * Attempt to pull schema from Root DSE with scope "base", or
@@ -1436,9 +1508,35 @@ class ldap extends DS {
 			return $return;
 		}
 
-		if(! isset($schema_entries[0][$schema_to_fetch])) {
+		if ($olc_schema_found) {
+			unset ($schema_entries['count']);
+
+			foreach ($schema_entries as $entry) {
+				if (isset($entry[$olc_schema])) {
+					unset($entry[$olc_schema]['count']);
+
+					foreach ($entry[$olc_schema] as $schema_definition)
+						/* Schema definitions in child nodes prefix the schema entries with "{n}"
+						  the preg_replace call strips out this prefix. */
+						$schema[] = preg_replace('/^\{\d*\}\(/','(',$schema_definition);
+				}
+			}
+
+			if (isset($schema)) {
+				$this->_schema_entries[$olc_schema] = $schema;
+
+				if (DEBUG_ENABLED)
+					debug_log('Returning (%s)',25,0,__FILE__,__LINE__,__METHOD__,$schema);
+
+				return $schema;
+
+			} else
+				return null;
+		}
+
+		if (! isset($schema_entries[0][$schema_to_fetch])) {
 			if (in_array($schema_to_fetch,$schema_error_message_array)) {
-				error(sprintf('Our attempts to find your SCHEMA for "%s" has return UNEXPECTED results.<br /><br /><small>(We expected a "%s" in the $schema array but it wasnt there.)</small><br /><br />%s<br /><br />Dump of $schema_search:<hr /><pre><small>%s</small></pre>',
+				error(sprintf('Our attempts to find your SCHEMA for "%s" have return UNEXPECTED results.<br /><br /><small>(We expected a "%s" in the $schema array but it wasnt there.)</small><br /><br />%s<br /><br />Dump of $schema_search:<hr /><pre><small>%s</small></pre>',
 					$schema_to_fetch,gettype($schema_search),$schema_error_message,serialize($schema_entries)),'error','index.php');
 
 			} else {
@@ -1902,14 +2000,13 @@ class ldap extends DS {
 	 * This function determines if the specified attribute is contained in the force_may list
 	 * as configured in config.php.
 	 *
-	 * @return boolean True if the specified attribute is in the $force_may list and false
-	 *              otherwise.
+	 * @return boolean True if the specified attribute is configured to be force as a may attribute
 	 */
 	function isForceMay($attr_name) {
 		if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 			debug_log('Entered (%%)',17,0,__FILE__,__LINE__,__METHOD__,$fargs);
 
-		return in_array($attr_name,$this->force_may);
+		return in_array($attr_name,unserialize(strtolower(serialize($this->getValue('server','force_may')))));
 	}
 
 	/**
@@ -1994,7 +2091,7 @@ class ldap extends DS {
 	 * @see getDNSysAttrs
 	 * @see getDNAttrValue
 	 */
-	public function getDNAttrValues($dn,$method=null,$deref=LDAP_DEREF_NEVER,$attrs=array('*','+')) {
+	public function getDNAttrValues($dn,$method=null,$deref=LDAP_DEREF_NEVER,$attrs=array('*','+'),$nocache=false) {
 		if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 			debug_log('Entered (%%)',17,0,__FILE__,__LINE__,__METHOD__,$fargs);
 
@@ -2010,7 +2107,7 @@ class ldap extends DS {
 		elseif (in_array('*',$attrs))
 			$cacheindex = '*';
 
-		if (! is_null($cacheindex) && isset($CACHE[$this->index][$method][$dn][$cacheindex])) {
+		if (! $nocache && ! is_null($cacheindex) && isset($CACHE[$this->index][$method][$dn][$cacheindex])) {
 			$results = $CACHE[$this->index][$method][$dn][$cacheindex];
 
 			if (DEBUG_ENABLED)
@@ -2210,6 +2307,8 @@ class ldap extends DS {
 			strcasecmp($attr_name,'objectSID') == 0 ||
 			strcasecmp($attr_name,'auditingPolicy') == 0 ||
 			strcasecmp($attr_name,'jpegPhoto') == 0 ||
+			strcasecmp($attr_name,'krbExtraData') == 0 ||
+			strcasecmp($attr_name,'krbPrincipalKey') == 0 ||
 			$syntax == '1.3.6.1.4.1.1466.115.121.1.10' ||
 			$syntax == '1.3.6.1.4.1.1466.115.121.1.28' ||
 			$syntax == '1.3.6.1.4.1.1466.115.121.1.5' ||

lib/ds_ldap_pla.php

@@ -13,13 +13,10 @@
  * @subpackage DataStore
  */
 class ldap_pla extends ldap {
-	# Attributes that should be treated as MAY attributes, even though the scheme has them as MUST attributes.
-	private $force_may = array();
-
 	function __construct($index) {
 		parent::__construct($index);
 
-		$this->default->appearance['password_hash'] = array(
+		$this->default->appearance['pla_password_hash'] = array(
 			'desc'=>'Default HASH to use for passwords',
 			'default'=>'md5');
 
@@ -27,6 +24,14 @@ class ldap_pla extends ldap {
 			'desc'=>'Whether to show the "Create new Entry here" in the tree browser',
 			'default'=>true);
 
+		$this->default->appearance['open_tree'] = array(
+			'desc'=>'Whether to initially open each tree',
+			'default'=>false);
+
+		$this->default->appearance['show_authz'] = array(
+			'desc'=>'Enable display of authorization ID as login',
+			'default'=>false);
+
 		$this->default->login['fallback_dn'] = array(
 			'desc'=>'If the attribute base login fails, see if a DN was entered',
 			'default'=>false);
@@ -89,6 +94,11 @@ class ldap_pla extends ldap {
 				'*'
 			));
 
+		$this->default->server['force_may'] = array(
+			'desc'=>'Force server MUST attributes as MAY attributes',
+			'default'=>array(
+			));
+
 		# Settings for auto_number
 		$this->default->auto_number['enable'] = array(
 			'desc'=>'Enable the AUTO UID feature',
@@ -649,5 +659,23 @@ class ldap_pla extends ldap {
 		$_SESSION['ACTIVITY'][$this->getIndex()] = $this->inactivityTime();
 		return true;
 	}
+
+	/**
+	 * Return login, or authorization ID if show_authz enabled
+	 */
+	public function displayLogin($method=null) {
+		// check for whoami function, added in 7.2
+		if ($this->getValue('appearance', 'show_authz') && function_exists('ldap_exop_whoami')) {
+			$result = @ldap_exop_whoami($this->connect($method));
+			if ($result) // strip any dn: or u: prefix
+				$result = preg_replace('/^(u|dn):/i', '', $result);
+			else // fall back to login on error
+				$result = $this->getLogin($method);
+			return $result;
+		}
+		else {
+			return $this->getLogin($method);
+		}
+	}
 }
 ?>

lib/export_functions.php

@@ -223,7 +223,7 @@ abstract class Export {
 	 */
 	protected function isSafeAscii($str) {
 		for ($i=0;$i<strlen($str);$i++)
-			if (ord($str{$i}) < 32 || ord($str{$i}) > 127)
+			if (ord($str[$i]) < 32 || ord($str[$i]) > 127)
 				return false;
 
 		return true;
@@ -324,9 +324,9 @@ class ExportCSV extends Export {
 		}
 
 		if ($this->compress)
-			echo gzencode($output);
+			return gzencode($output);
 		else
-			echo $output;
+			return $output;
 	}
 
 	/**
@@ -428,9 +428,9 @@ class ExportDSML extends Export {
 		$output .= sprintf('</dsml>%s',$this->br);
 
 		if ($this->compress)
-			echo gzencode($output);
+			return gzencode($output);
 		else
-			echo $output;
+			return $output;
 	}
 }
 
@@ -506,9 +506,9 @@ class ExportLDIF extends Export {
 		}
 
 		if ($this->compress)
-			echo gzencode($output);
+			return gzencode($output);
 		else
-			echo $output;
+			return $output;
 	}
 
 	/**
@@ -578,6 +578,7 @@ class ExportVCARD extends Export {
 	 */
 	function export() {
 		$server = $this->getServer();
+		$output = '';
 
 		# Sift through the entries.
 		foreach ($this->results as $base => $results) {
@@ -591,10 +592,11 @@ class ExportVCARD extends Export {
 						$addr .= $dndetails[$attr];
 						unset($dndetails[$attr]);
 					}
+
 					$addr .= ';';
 				}
 
-				$output = sprintf('BEGIN:VCARD%s',$this->br);
+				$output .= sprintf('BEGIN:VCARD%s',$this->br);
 
 				# Loop for the attributes
 				foreach ($dndetails as $key => $attr) {
@@ -633,9 +635,9 @@ class ExportVCARD extends Export {
 		}
 
 		if ($this->compress)
-			echo gzencode($output);
+			return gzencode($output);
 		else
-			echo $output;
+			return $output;
 	}
 }
 ?>

lib/functions.php

@@ -51,7 +51,7 @@ if (file_exists(LIBDIR.'functions.custom.php'))
 /**
  * Loads class definition
  */
-function __autoload($className) {
+function pla_autoload($className) {
 	if (file_exists(HOOKSDIR."classes/$className.php"))
 		require_once(HOOKSDIR."classes/$className.php");
 	elseif (file_exists(LIBDIR."$className.php"))
@@ -66,10 +66,16 @@ function __autoload($className) {
 			'type'=>'error'));
 }
 
+if (version_compare(phpversion(), '7.0', '>=')) {
+	spl_autoload_register('pla_autoload');
+} else {
+	eval('function __autoload($className) {pla_autoload($className);}');
+}
+
 /**
  * Strips all slashes from the specified array in place (pass by ref).
  * @param Array The array to strip slashes from, typically one of
- *                     $_GET, $_POST, or $_COOKIE.
+ *        $_GET, $_POST, or $_COOKIE.
  */
 function array_stripslashes(&$array) {
 	if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
@@ -362,7 +368,7 @@ function cmd_control_pane($type) {
 
 				'hide_debug_info'=>array(
 					'title'=>_('Show Cache'),
-					'enable'=>isset($_SESSION[APPCONFIG]) ? $_SESSION[APPCONFIG]->isCommandAvailable('script','show_cache') : false,
+					'enable'=>isset($_SESSION[APPCONFIG]) ? ($_SESSION[APPCONFIG]->isCommandAvailable('script','show_cache')) && (! $_SESSION[APPCONFIG]->getValue('appearance','hide_debug_info')) : false,
 					'link'=>sprintf('href="cmd.php?cmd=show_cache" onclick="return ajDISPLAY(\'BODY\',\'cmd=show_cache\',\'%s\');" title="%s"',
 						_('Loading'),_('Show Cache'),_('Show Cache')),
 					'image'=>sprintf('<img src="%s/debug-cache.png" alt="%s" />',IMGDIR,_('Show Cache'))),
@@ -645,14 +651,14 @@ function error($msg,$type='note',$redirect=null,$fatal=false,$backtrace=false) {
  *
  * @return The form GET/REQUEST/SESSION/POST variable value or its default
  */
-function get_request($attr,$type='POST',$die=false,$default=null) {
+function get_request($attr,$type='POST',$die=false,$default=null,$preventXSS=true) {
 	switch($type) {
 		case 'GET':
-			$value = isset($_GET[$attr]) ? (is_array($_GET[$attr]) ? $_GET[$attr] : (trim(empty($_GET['nodecode'][$attr]) ? rawurldecode($_GET[$attr]) : $_GET[$attr]))) : $default;
+			$value = isset($_GET[$attr]) ? (is_array($_GET[$attr]) ? $_GET[$attr] : (empty($_GET['nodecode'][$attr]) ? rawurldecode($_GET[$attr]) : $_GET[$attr])) : $default;
 			break;
 
 		case 'REQUEST':
-			$value = isset($_REQUEST[$attr]) ? (is_array($_REQUEST[$attr]) ? $_REQUEST[$attr] : trim(empty($_REQUEST['nodecode'][$attr]) ? rawurldecode($_REQUEST[$attr]) : $_REQUEST[$attr])) : $default;
+			$value = isset($_REQUEST[$attr]) ? (is_array($_REQUEST[$attr]) ? $_REQUEST[$attr] : (empty($_REQUEST['nodecode'][$attr]) ? rawurldecode($_REQUEST[$attr]) : $_REQUEST[$attr])) : $default;
 			break;
 
 		case 'SESSION':
@@ -661,22 +667,39 @@ function get_request($attr,$type='POST',$die=false,$default=null) {
 
 		case 'POST':
 		default:
-			$value = isset($_POST[$attr]) ? (is_array($_POST[$attr]) ? $_POST[$attr] : trim(empty($_POST['nodecode'][$attr]) ? rawurldecode($_POST[$attr]) : $_POST[$attr])) : $default;
+			$value = isset($_POST[$attr]) ? (is_array($_POST[$attr]) ? $_POST[$attr] : (empty($_POST['nodecode'][$attr]) ? rawurldecode($_POST[$attr]) : $_POST[$attr])) : $default;
 			break;
 	}
-
+	
 	if ($die && is_null($value))
 		system_message(array(
 			'title'=>_('Generic Error'),
 			'body'=>sprintf('%s: Called "%s" without "%s" using "%s"',
-				basename($_SERVER['PHP_SELF']),get_request('cmd','REQUEST'),$attr,$type),
+				basename($_SERVER['PHP_SELF']),get_request('cmd','REQUEST'),preventXSS($attr),preventXSS($type)),
 			'type'=>'error'),
 			'index.php');
-
+	if($preventXSS && !is_null($value))
+		$value = preventXSS($value);
 	return $value;
 }
-
 /**
+*  Prevent XSS function. This function can usage has preventXSS(get_request('cmd','REQUEST'))
+*  Return valor escape XSS.
+*/
+ function preventXSS($data){
+        if (gettype($data) == 'array') {
+            foreach ($data as $key => $value) {
+                if (gettype($value) == 'array')
+                    $data[$key] = preventXSS($value);
+                else
+                    $data[$key] = htmlspecialchars($value);
+            }
+            return $data;
+        }
+        return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
+}
+
+/*
  * Record a system message.
  * This function can be used as an alternative to generate a system message, if page hasnt yet been defined.
  */
@@ -745,7 +768,12 @@ function blowfish_encrypt($data,$secret=null) {
 	if (! trim($secret))
 		return $data;
 
-	if (function_exists('mcrypt_module_open')) {
+	if (! empty($data) && function_exists('openssl_encrypt') && in_array('bf-ecb', openssl_get_cipher_methods())) {
+		$keylen = openssl_cipher_iv_length('bf-ecb') * 2;
+		return openssl_encrypt($data, 'bf-ecb', substr($secret,0,$keylen));
+	}
+
+	if (function_exists('mcrypt_module_open') && ! empty($data)) {
 		$td = mcrypt_module_open(MCRYPT_BLOWFISH,'',MCRYPT_MODE_ECB,'');
 		$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td),MCRYPT_DEV_URANDOM);
 		mcrypt_generic_init($td,substr($secret,0,mcrypt_enc_get_key_size($td)),$iv);
@@ -771,6 +799,7 @@ function blowfish_encrypt($data,$secret=null) {
 
 		$encrypt .= $pma_cipher->encryptBlock($block, $secret);
 	}
+
 	return base64_encode($encrypt);
 }
 
@@ -800,7 +829,12 @@ function blowfish_decrypt($encdata,$secret=null) {
 	if (! trim($secret))
 		return $encdata;
 
-	if (function_exists('mcrypt_module_open')) {
+	if (! empty($encdata) && function_exists('openssl_encrypt') && in_array('bf-ecb', openssl_get_cipher_methods())) {
+		$keylen = openssl_cipher_iv_length('bf-ecb') * 2;
+		return trim(openssl_decrypt($encdata, 'bf-ecb', substr($secret,0,$keylen)));
+	}
+
+	if (function_exists('mcrypt_module_open') && ! empty($encdata)) {
 		$td = mcrypt_module_open(MCRYPT_BLOWFISH,'',MCRYPT_MODE_ECB,'');
 		$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td),MCRYPT_DEV_URANDOM);
 		mcrypt_generic_init($td,substr($secret,0,mcrypt_enc_get_key_size($td)),$iv);
@@ -822,7 +856,8 @@ function blowfish_decrypt($encdata,$secret=null) {
 	for ($i=0; $i<strlen($data); $i+=8)
 		$decrypt .= $pma_cipher->decryptBlock(substr($data, $i, 8), $secret);
 
-	$return = trim($decrypt);
+	// Strip off our \0's that were added.
+	$return = preg_replace("/\\0*$/",'',$decrypt);
 	$CACHE[$encdata] = $return;
 	return $return;
 }
@@ -991,6 +1026,23 @@ function get_custom_file($index,$filename,$path) {
 	return $return;
 }
 
+/**
+ * Replacement for create_function() which is deprecated as of php 7.2
+ *
+ * @param string The function arguments
+ * @param string The function code
+ */
+function pla_create_function($args, $code) {
+	if (version_compare(phpversion(),'7.0','>=')) {
+		# anonymous functions were introduced in PHP 5.3.0
+		return eval("return function(".$args."){".$code."};");
+
+	} else {
+		# create_function is deprecated in php 7.2
+		return create_function($args, $code);
+	}
+}
+
 /**
  * Sort a multi dimensional array.
  *
@@ -1003,8 +1055,9 @@ function masort(&$data,$sortby,$rev=0) {
 	if (defined('DEBUG_ENABLED') && DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 		debug_log('Entered (%%)',1,0,__FILE__,__LINE__,__METHOD__,$fargs);
 
-	# if the array to sort is null or empty
-	if (! $data) return;
+	# if the array to sort is null or empty, or if we have some nasty chars
+	if (! preg_match('/^[a-zA-Z0-9_]+(\([a-zA-Z0-9_,]*\))?$/',$sortby) || ! $data)
+		return;
 
 	static $CACHE = array();
 
@@ -1077,7 +1130,7 @@ function masort(&$data,$sortby,$rev=0) {
 
 		$code .= 'return $c;';
 
-		$CACHE[$sortby] = create_function('$a, $b',$code);
+		$CACHE[$sortby] = pla_create_function('$a, $b',$code);
 	}
 
 	uasort($data,$CACHE[$sortby]);
@@ -1468,10 +1521,10 @@ function get_next_number($base,$attr,$increment=false,$filter=false,$startmin=nu
 			for ($i=0;$i<count($autonum);$i++) {
 				$num = $autonum[$i] < $minNumber ? $minNumber : $autonum[$i];
 
-				/* If we're at the end of the list, or we've found a gap between this number and the 
-				   following, use the next available number in the gap. */ 
-				if ($i+1 == count($autonum) || $autonum[$i+1] > $num+1) 
-					return $autonum[$i] >= $num ? $num+1 : $num; 
+				/* If we're at the end of the list, or we've found a gap between this number and the
+				   following, use the next available number in the gap. */
+				if ($i+1 == count($autonum) || $autonum[$i+1] > $num+1)
+					return $autonum[$i] >= $num ? $num+1 : $num;
 			}
 
 			# If we didnt find a suitable gap and are all above the minNumber, we'll just return the $minNumber
@@ -1585,7 +1638,7 @@ function get_icon($server_id,$dn,$object_classes=array()) {
 
 	# Return icon filename based upon objectClass value
 	if (in_array('sambaaccount',$object_classes) &&
-		'$' == $rdn{ strlen($rdn) - 1 })
+		'$' == $rdn[ strlen($rdn) - 1 ])
 		return 'nt_machine.png';
 
 	if (in_array('sambaaccount',$object_classes))
@@ -1621,6 +1674,9 @@ function get_icon($server_id,$dn,$object_classes=array()) {
 	elseif (in_array('room',$object_classes))
 		return 'door.png';
 
+	elseif (in_array('iphost',$object_classes))
+		return 'host.png';
+
 	elseif (in_array('device',$object_classes))
 		return 'device.png';
 
@@ -1658,9 +1714,6 @@ function get_icon($server_id,$dn,$object_classes=array()) {
 	elseif (in_array('groupofuniquenames',$object_classes))
 		return 'ldap-uniquegroup.png';
 
-	elseif (in_array('iphost',$object_classes))
-		return 'host.png';
-
 	elseif (in_array('nlsproductcontainer',$object_classes))
 		return 'n.png';
 
@@ -2103,7 +2156,8 @@ function password_types() {
 
 	return array(
 		''=>'clear',
-		'blowfish'=>'blowfish',
+		'bcrypt'=>'bcrypt',
+                'blowfish'=>'blowfish',
 		'crypt'=>'crypt',
 		'ext_des'=>'ext_des',
 		'md5'=>'md5',
@@ -2111,7 +2165,10 @@ function password_types() {
 		'md5crypt'=>'md5crypt',
 		'sha'=>'sha',
 		'smd5'=>'smd5',
-		'ssha'=>'ssha'
+		'ssha'=>'ssha',
+		'sha512'=>'sha512',
+		'sha256crypt'=>'sha256crypt',
+		'sha512crypt'=>'sha512crypt',
 	);
 }
 
@@ -2120,10 +2177,11 @@ function password_types() {
  *
  * @param string The password to hash in clear text.
  * @param string Standard LDAP encryption type which must be one of
- *        crypt, ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, or clear.
+ *        crypt, ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, sha512,
+ *        sha256crypt, sha512crypt, or clear.
  * @return string The hashed password.
  */
-function password_hash($password_clear,$enc_type) {
+function pla_password_hash($password_clear,$enc_type) {
 	if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 		debug_log('Entered (%%)',1,0,__FILE__,__LINE__,__METHOD__,$fargs);
 
@@ -2201,6 +2259,19 @@ function password_hash($password_clear,$enc_type) {
 
 			break;
 
+                case 'bcrypt':
+                        $options = [
+                                    'cost' => 8,
+                                   ];
+                        #Checking if password_hash() function is available.
+                        if (function_exists('password_hash'))
+                                $new_value = sprintf('{BCRYPT}%s',base64_encode(password_hash($password_clear, PASSWORD_BCRYPT, $options)));
+                        else
+                                error(_('Your PHP install does not have the password_hash() function. Cannot do BCRYPT hashes.'),'error','index.php');
+
+                        break;
+
+
 		case 'smd5':
 			if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
 				mt_srand((double)microtime()*1000000);
@@ -2213,6 +2284,30 @@ function password_hash($password_clear,$enc_type) {
 
 			break;
 
+		case 'sha512':
+			if (function_exists('openssl_digest') && function_exists('base64_encode')) {
+				$new_value = sprintf('{SHA512}%s', base64_encode(openssl_digest($password_clear, 'sha512', true)));
+
+			} else {
+				error(_('Your PHP install doest not have the openssl_digest() or base64_encode() function. Cannot do SHA512 hashes. '),'error','index.php');
+			}
+
+			break;
+
+		case 'sha256crypt':
+			if (! defined('CRYPT_SHA256') || CRYPT_SHA256 == 0)
+				error(_('Your system crypt library does not support sha256crypt encryption.'),'error','index.php');
+			$new_value = sprintf('{CRYPT}%s',crypt($password_clear,'$5$'.random_salt(8)));
+
+			break;
+
+		case 'sha512crypt':
+			if (! defined('CRYPT_SHA512') || CRYPT_SHA512 == 0)
+				error(_('Your system crypt library does not support sha512crypt encryption.'),'error','index.php');
+			$new_value = sprintf('{CRYPT}%s',crypt($password_clear,'$6$'.random_salt(8)));
+
+			break;
+
 		case 'clear':
 		default:
 			$new_value = $password_clear;
@@ -2230,6 +2325,7 @@ function password_hash($password_clear,$enc_type) {
  * @return Boolean True if the clear password matches the hash, and false otherwise.
  */
 function password_check($cryptedpassword,$plainpassword,$attribute='userpassword') {
+    $plainpassword = htmlspecialchars_decode($plainpassword);
 	if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 		debug_log('Entered (%%)',1,0,__FILE__,__LINE__,__METHOD__,$fargs);
 
@@ -2238,13 +2334,13 @@ function password_check($cryptedpassword,$plainpassword,$attribute='userpassword
 
 		switch($attribute) {
 			case 'sambalmpassword':
-				if (strcmp($smb->lmhash($plainpassword),$cryptedpassword) == 0)
+				if (strcmp($smb->lmhash($plainpassword),strtoupper($cryptedpassword)) == 0)
 					return true;
 				else
 					return false;
 
 			case 'sambantpassword':
-				if (strcmp($smb->nthash($plainpassword),$cryptedpassword) == 0)
+				if (strcmp($smb->nthash($plainpassword),strtoupper($cryptedpassword)) == 0)
 					return true;
 				else
 					return false;
@@ -2282,6 +2378,23 @@ function password_check($cryptedpassword,$plainpassword,$attribute='userpassword
 			}
 
 			break;
+                 
+                #BCRYPT hashed passwords
+                case 'bcrypt':
+                        # Check php password_verify support before using it
+                        if (function_exists('password_verify')) {
+                                $hash = base64_decode($cryptedpassword);
+                                if (password_verify($plainpassword, $hash)) {
+                                    return true;
+                                } else {
+                                    return false;
+                                }
+
+                        } else {
+                                error(_('Your PHP install does not have the password_verify() function. Cannot do Bcrypt hashes.'),'error','index.php');
+                        }
+
+                        break;
 
 		# Salted MD5
 		case 'smd5':
@@ -2304,7 +2417,7 @@ function password_check($cryptedpassword,$plainpassword,$attribute='userpassword
 
 		# SHA crypted passwords
 		case 'sha':
-			if (strcasecmp(password_hash($plainpassword,'sha'),'{SHA}'.$cryptedpassword) == 0)
+			if (strcasecmp(pla_password_hash($plainpassword,'sha'),'{SHA}'.$cryptedpassword) == 0)
 				return true;
 			else
 				return false;
@@ -2313,7 +2426,7 @@ function password_check($cryptedpassword,$plainpassword,$attribute='userpassword
 
 		# MD5 crypted passwords
 		case 'md5':
-			if( strcasecmp(password_hash($plainpassword,'md5'),'{MD5}'.$cryptedpassword) == 0)
+			if( strcasecmp(pla_password_hash($plainpassword,'md5'),'{MD5}'.$cryptedpassword) == 0)
 				return true;
 			else
 				return false;
@@ -2376,6 +2489,15 @@ function password_check($cryptedpassword,$plainpassword,$attribute='userpassword
 
 			break;
 
+		# SHA512 crypted passwords
+		case 'sha512':
+			if (strcasecmp(pla_password_hash($plainpassword,'sha512'),'{SHA512}'.$cryptedpassword) == 0)
+				return true;
+			else
+				return false;
+
+			break;
+
 		# No crypt is given assume plaintext passwords are used
 		default:
 			if ($plainpassword == $cryptedpassword)
@@ -2447,6 +2569,32 @@ function draw_chooser_link($form,$element,$include_choose_text=true,$rdn='none')
 		printf('<span class="x-small"><a href="%s" title="%s">%s</a></span>',$href,$title,_('browse'));
 }
 
+/**
+ * http://php.net/manual/en/function.ldap-explode-dn.php#34724
+ * fixed for:
+ * Keep attention on UTF8 encoded DNs. Since openLDAP >=2.1.2
+ * ldap_explode_dn turns unprintable chars (in the ASCII sense, UTF8
+ * encoded) into \<hexcode>.
+ */
+function ldap_explode_dn_patch($dn,$with_attrib) {
+	$result = ldap_explode_dn($dn,$with_attrib);
+	if (! $result)
+		return null;
+
+	# translate hex code into ascii again
+	foreach ($result as $key => $value) {
+		$result[$key] = preg_replace_callback(
+			"/\\\([0-9A-Fa-f]{2})/",
+			function ($matches) {
+				return chr(hexdec($matches[1]));
+			},
+			$value
+		);
+	}
+
+	return $result;
+}
+
 /**
  * Explode a DN into an array of its RDN parts.
  *
@@ -2482,8 +2630,8 @@ function pla_explode_dn($dn,$with_attributes=0) {
 	$dn = addcslashes($dn,'<>+";');
 
 	# split the dn
-	$result[0] = ldap_explode_dn(dn_escape($dn),0);
-	$result[1] = ldap_explode_dn(dn_escape($dn),1);
+	$result[0] = ldap_explode_dn_patch(dn_escape($dn),0);
+	$result[1] = ldap_explode_dn_patch(dn_escape($dn),1);
 	if (! $result[$with_attributes]) {
 		if (DEBUG_ENABLED)
 			debug_log('Returning NULL - NO result.',1,0,__FILE__,__LINE__,__METHOD__);
@@ -2542,12 +2690,22 @@ function dn_unescape($dn) {
 		$a = array();
 
 		foreach ($dn as $key => $rdn)
-			$a[$key] = preg_replace('/\\\([0-9A-Fa-f]{2})/e',"''.chr(hexdec('\\1')).''",$rdn);
+			$a[$key] = preg_replace_callback('/\\\([0-9A-Fa-f]{2})/',
+				function ($r) {
+					return chr(hexdec($r[1]));
+				},
+				$rdn
+			);
 
 		return $a;
 
 	} else {
-		return preg_replace('/\\\([0-9A-Fa-f]{2})/e',"''.chr(hexdec('\\1')).''",$dn);
+		return preg_replace_callback('/\\\([0-9A-Fa-f]{2})/',
+			function ($r) {
+				return chr(hexdec($r[1]));
+			},
+			$dn
+		);
 	}
 }
 
@@ -2560,35 +2718,21 @@ function dn_unescape($dn) {
  * @return string The URL to the requested item.
  */
 function get_href($type,$extra_info='') {
-	$sf = 'https://sourceforge.net';
 	$pla = 'http://phpldapadmin.sourceforge.net';
-	$group_id = '61828';
-	$bug_atid = '498546';
-	$rfe_atid = '498549';
-	$forum_id = 'phpldapadmin-users';
 
 	switch($type) {
 		case 'add_bug':
-			return sprintf('%s/tracker/?func=add&amp;group_id=%s&amp;atid=%s',$sf,$group_id,$bug_atid);
+			return 'https://github.com/leenooks/phpLDAPadmin/issues';
 		case 'add_rfe':
-			return sprintf('%s/tracker/?func=add&amp;group_id=%s&amp;atid=%s',$sf,$group_id,$rfe_atid);
+			return 'https://github.com/leenooks/phpLDAPadmin/issues';
 		case 'credits':
 			return sprintf('%s/Credits',$pla);
 		case 'documentation':
 			return sprintf('%s/Documentation',$pla);
 		case 'donate':
-			return sprintf('%s/donate/index.php?group_id=%s',$sf,$group_id);
+			return 'https://sourceforge.net/donate/index.php?group_id=61828';
 		case 'forum':
-			return sprintf('%s/mailarchive/forum.php?forum_name=%s',$sf,$forum_id);
-		case 'logo':
-			if (! isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on')
-				$proto = 'http';
-			else
-				$proto = 'https';
-
-			return isset($_SESSION) && ! $_SESSION[APPCONFIG]->getValue('appearance','remoteurls') ? '' : sprintf('%s://sflogo.sourceforge.net/sflogo.php?group_id=%s&amp;type=10',$proto,$group_id);
-		case 'sf':
-			return sprintf('%s/projects/phpldapadmin',$sf);
+			return 'https://stackoverflow.com/questions/tagged/phpldapadmin';
 		case 'web':
 			return sprintf('%s',$pla);
 		default:
@@ -2779,7 +2923,7 @@ function draw_formatted_dn($server,$entry) {
 
 	$formats = $_SESSION[APPCONFIG]->getValue('appearance','tree_display_format');
 
-	foreach ($formats as $format) { 
+	foreach ($formats as $format) {
 		$has_none = false;
 		preg_match_all('/%[a-zA-Z_0-9]+/',$format,$tokens);
 		$tokens = $tokens[0];
@@ -3105,4 +3249,30 @@ function isAjaxEnabled() {
 	else
 		return false;
 }
+/**
+* Check if user is a robot with reCAPTCHA
+**/
+function IsRobot($gResponse){
+	$isRobot = true;
+	$url = 'https://www.google.com/recaptcha/api/siteverify';
+	$data = array(
+		'secret' => $_SESSION[APPCONFIG]->getValue('session','reCAPTCHA-key-server'),
+		'response' => $gResponse
+	);
+	$options = array(
+		'http' => array (
+			'method' => 'POST','header' =>
+	        'Content-Type: application/x-www-form-urlencoded',
+			'content' => http_build_query($data)
+		)
+	);
+	$context  = stream_context_create($options);
+	$verify = file_get_contents($url, false, $context);
+	$captcha_success = json_decode($verify);
+	if ($captcha_success->success) {
+		$isRobot = false;
+	}
+	return $isRobot;
+
+}
 ?>

lib/hooks.php

@@ -32,7 +32,7 @@
  * element priority. 1 otherwise.
  */
 function sort_array_by_priority($a,$b) {
-	if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
+	if (defined('DEBUG_ENABLED') && DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 		debug_log('Entered (%%)',257,0,__FILE__,__LINE__,__METHOD__,$fargs);
 
 	return (($a['priority'] < $b['priority']) ? -1 : 1 );
@@ -68,7 +68,7 @@ function run_hook($hook_name,$args) {
 	/* Execution of procedures attached is done using a numeric order
 	 * since all procedures have been attached to the hook with a
 	 * numerical weight. */
-	while (list($key,$hook) = each($hooks[$hook_name])) {
+	foreach ($hooks[$hook_name] as $key=>$hook) {
 		if (DEBUG_ENABLED)
 			debug_log('Calling HOOK Function (%s)(%s)',257,0,__FILE__,__LINE__,__METHOD__,
 				$hook['hook_function'],$args);
@@ -159,7 +159,7 @@ function remove_hook($hook_name,$hook_function,$priority,$rollback_function) {
 	if (array_key_exists($hook_name,$_SESSION[APPCONFIG]->hooks)) {
 		reset($_SESSION[APPCONFIG]->hooks[$hook_name]);
 
-		while (list($key,$hook) = each($_SESSION[APPCONFIG]->hooks[$hook_name])) {
+		foreach ($_SESSION[APPCONFIG]->hooks[$hook_name] as $key=>$hook) {
 			if (($priority >= 0 && $priority == $hook['priority']) ||
 				($hook_function && $hook_function == $hook['hook_function']) ||
 				($rollback_function && $rollback_function == $hook['rollback_function'])) {

lib/import_functions.php

@@ -215,7 +215,7 @@ class ImportLDIF extends Import {
 							return $this->error(sprintf('%s %s',_('DN does not exist'),$dn),$lines);
 
 						$this->template->setDN($dn);
-						$this->template->accept();
+						$this->template->accept(false,true);
 
 						return $this->getModifyDetails($lines);
 
@@ -511,7 +511,7 @@ class ImportLDIF extends Import {
 							case 'delete':
 								$deleteattr = false;
 
-								if ($key = array_search($attribute_value_part,$attribute->getValues()))
+								if (($key = array_search($attribute_value_part,$attribute->getValues())) !== false)
 									$attribute->delValue($key);
 								else
 									return $this->error(sprintf('%s %s',_('Delete value doesnt exist in DN'),$attribute_value_part),
@@ -589,7 +589,7 @@ class ImportLDIF extends Import {
 							$attrs['newsuperior'] = $attrvalue[1];
 
 						} else
-							return $this->error(_('A valid newsuperier attribute should be specified'),$lines);
+							return $this->error(_('A valid newsuperior attribute should be specified'),$lines);
 
 					} else
 						$attrs['newsuperior'] = $server->getContainer($this->template->getDN());

lib/ldap_supported_oids.txt

@@ -48,6 +48,7 @@
 1.3.6.1.1.13.1					"Pre-Read Controls" "" "The Pre-Read request control, indicates that a copy of the entry before application of update is to be returned."
 1.3.6.1.1.13.2					"Post-Read Controls" "" "The Pre-Read request control, indicates that a copy of the entry before application of update is to be returned."
 1.3.6.1.1.14		"Modify-Increment Extension" "RFC 4525" "An extension to the Lightweight Directory Access Protocol (LDAP) Modify operation to support an increment capability."
+1.3.6.1.1.22		"Don't Use Copy Control" "RFC 9171" "When the control is attached to an LDAP request, the requested operation MUST NOT be performed on copied information. That is, the requested operation MUST be performed on original information."
 1.3.6.1.4.1.42.2.27.8.5.1	"passwordPolicyRequest"
 1.3.6.1.4.1.42.2.27.9.5.2	"GetEffectiveRights control" "" "May be used to determine what operations a given user may perform on a specified entry."
 1.3.6.1.4.1.1466.101.119.1	"Dynamic Directory Services Refresh Request" "RFC 2589"

lib/page.php

@@ -79,8 +79,6 @@ class page {
 		ob_start();
 
 		# Initial Values
-		#$this->_pageheader[] .= '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML Basic 1.0//EN"';
-		#$this->_pageheader[] .= '"http://www.w3.org/TR/xhtml-basic/xhtml-basic10.dtd">'."\n";
 		$this->_pageheader[] = '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">';
 		$this->_pageheader[] .= '<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="auto">'."\n";
 	}
@@ -106,11 +104,15 @@ class page {
 		echo '<head>';
 		printf('<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />');
 
+		$DNs = get_request('dn','REQUEST');
+		if (is_array($DNs))
+			$DNs = '';
+
 		if (isset($_SESSION[APPCONFIG]))
 			printf('<title>%s (%s) - %s%s</title>',
 				$this->_app['title'],
 				app_version(),
-				(get_request('dn','REQUEST') ? htmlspecialchars(get_request('dn','REQUEST')).' ' : ''),
+				$DNs ? htmlspecialchars($DNs).' ' : '',
 				$_SESSION[APPCONFIG]->getValue('appearance','page_title'));
 		else
 			printf('<title>%s - %s</title>',$this->_app['title'],app_version());
@@ -321,7 +323,7 @@ class page {
 		printf('<tr class="foot"><td><small>%s</small></td><td colspan="2"><div id="ajFOOT">%s</div>%s</td></tr>',
 			isCompress() ? '[C]' : '&nbsp;',
 			app_version(),
-			get_href('logo') ? sprintf('<a href="%s"><img src="%s" alt="SourceForge.net Logo" style="border: 0px;" /></a>',get_href('sf'),get_href('logo')) : '&nbsp;');
+			'&nbsp;');
 	}
 
 	/**
@@ -373,6 +375,15 @@ class page {
 			'TREE'=>true,
 			'FOOT'=>true
 		);
+		
+		if ($_SESSION[APPCONFIG]->getValue('appearance','minimalMode')) {
+			$display = array(
+				'HEAD'=>false,
+				'CONTROL'=>false,
+				'TREE'=>true,
+				'FOOT'=>false
+			);
+		}
 
 		$display = array_merge($display,$filter);
 

lib/xmlTemplates.php

@@ -57,7 +57,7 @@ abstract class xmlTemplates {
 						'type'=>'info','special'=>true));
 
 					$changed = true;
-					eval(sprintf('$this->templates[$index] = new %s($this->server_id,$template->getName(false),$template->getFileName(),$template->getType(),$index);',$class['name']));
+					$this->templates[$index] = new $class['name']($this->server_id,$template->getName(false),$template->getFileName(),$template->getType(),$index);
 				}
 			}
 
@@ -87,7 +87,7 @@ abstract class xmlTemplates {
 					if (! in_array($filename,$this->getTemplateFiles())) {
 						$templatename = preg_replace('/.xml$/','',$file);
 	
-						eval(sprintf('$this->templates[$index] = new %s($this->server_id,$templatename,$filename,$type,$index);',$class['name']));
+						$this->templates[$index] = new $class['name']($this->server_id,$templatename,$filename,$type,$index);
 						$index++;
 
 						$changed = true;
@@ -129,7 +129,7 @@ abstract class xmlTemplates {
 
 					# Store the template
 					$templatename = preg_replace('/.xml$/','',$file);
-					eval(sprintf('$this->templates[$counter] = new %s($this->server_id,$templatename,$filename,$type,$counter);',$class['name']));
+					$this->templates[$counter] = new $class['name']($this->server_id,$templatename,$filename,$type,$counter);
 					$counter++;
 				}
 			}
@@ -198,9 +198,13 @@ abstract class xmlTemplates {
 
 				# Clone this, as we'll disable some templates, as a result of the container being requested.
 				$template = clone $details;
-				if (! is_null($container) && ($regexp = $template->getRegExp()) && (! @preg_match('/'.$regexp.'/i',$container)))
+				if (! is_null($container) && ($regexp = $template->getRegExp()) && (! @preg_match('/'.$regexp.'/i',$container))) {
 					$template->setInvalid(_('This template is not valid in this container'),true);
 
+					if ($_SESSION[APPCONFIG]->getValue('appearance','hide_template_regexp'))
+						$template->setInvisible();
+				}
+
 				if ($template->isVisible() && (! $disabled || ! $template->isAdminDisabled()))
 					if (is_null($type) || (! is_null($type) && $template->isType($type)))
 						array_push($result,$template);
@@ -226,7 +230,7 @@ abstract class xmlTemplates {
 				return clone $template;
 
 		# If we get here, the template ID didnt exist, so return a blank template, which be interpreted as the default template
-		eval(sprintf('$object = new %s($this->server_id,null,null,"default");',$class['name']));
+		$object = new $class['name']($this->server_id,null,null,'default');
 		return $object;
 	}
 
@@ -433,6 +437,12 @@ abstract class xmlTemplate {
 		# Initialise the Attribute Factory.
 		$attribute_factory = new AttributeFactory();
 
+		if (preg_match('/;/',$name))
+			system_message(array(
+				'title'=>'phpLDAPadmin doesnt support RFC3866.',
+				'body'=>sprintf('%s {%s} (%s)','PLA might not do what you expect...',$name,(is_array($value) ? serialize($value) : $value)),
+				'type'=>'warn'));
+
 		# If there isnt a schema item for this attribute
 		$attribute = $attribute_factory->newAttribute($name,$value,$server->getIndex(),$source);
 
@@ -440,11 +450,6 @@ abstract class xmlTemplate {
 
 		if (is_null($attrid))
 			array_push($this->attributes,$attribute);
-		else
-			debug_dump_backtrace(sprintf('There was a request to add an attribute (%s), but it was already defined? (%s)',$attrid,__METHOD__),true);
-
-		if ($this->getID() == 'none')
-			usort($this->attributes,'sortAttrs');
 
 		return $attribute;
 	}

queries/SambaUsers.xml

@@ -1,9 +1,10 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE template SYSTEM "query.dtd">
+<!DOCTYPE query SYSTEM "query.dtd">
+
 <query>
 <title>Samba User List</title>
 <bases>
-<base></base>
+	<base></base>
 </bases>
 <filter><![CDATA[(&(|(objectClass=sambaAccount)(objectClass=sambaSamAccount))(objectClass=posixAccount)(!(uid=*$)))]]></filter>
 <description>Samba Users</description>

queries/UserList.xml

@@ -1,9 +1,10 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE template SYSTEM "query.dtd">
+<!DOCTYPE query SYSTEM "query.dtd">
+
 <query>
 <title>User List</title>
 <bases>
-<base></base>
+	<base></base>
 </bases>
 <filter><![CDATA[(&(objectClass=posixAccount)(uid=*))]]></filter>
 <description>User List</description>

queries/query.dtd

@@ -0,0 +1,35 @@
+<!--
+==========================================================================
+ This is the DTD for phpLDAPAdmin Queries.
+
+ Copyright (c) 2011
+
+ Temporary URI for the DTD: http://phpldapadmin.sf.net/release/templates/query.dtd
+ Validate your templates here: http://www.xmlvalidation.com
+==========================================================================
+-->
+
+<!-- Query Definition -->
+<!ELEMENT query (title,bases,filter,description,icon?,scope,visible?,attributes)>
+
+<!-- Bases Definition -->
+<!ELEMENT bases (base*)>
+
+<!-- Attributes Definition -->
+<!ELEMENT attributes (attribute*)>
+<!ELEMENT attribute (display?,order?,ordersort?)?>
+<!ATTLIST attribute id CDATA #REQUIRED>
+
+<!-- Header Parameters -->
+<!ELEMENT base (#PCDATA)>
+<!ELEMENT title (#PCDATA)>
+<!ELEMENT filter (#PCDATA)>
+<!ELEMENT description (#PCDATA)>
+<!ELEMENT icon (#PCDATA)>
+<!ELEMENT scope (#PCDATA)>
+<!ELEMENT visible (#PCDATA)>
+
+<!-- Attribute Parameters -->
+<!ELEMENT display (#PCDATA)>
+<!ELEMENT order (#PCDATA)>
+<!ELEMENT ordersort (#PCDATA)>

templates/creation/alias.xml

@@ -1,6 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
 <!DOCTYPE template SYSTEM "template.dtd">
-<!--This template doesnt work needs modification to the Engine.-->
 
 <template>
 <askcontainer>1</askcontainer>

templates/creation/posixAccount.xml

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8" standalone="no"?>
-<!DOCTYPE template SYSTEM "template.dtd">
+<!DOCTYPE template SYSTEM "../template.dtd">
 
 <template>
 <askcontainer>1</askcontainer>
@@ -72,9 +72,13 @@
 	<page>1</page>
 	<!-- <value><![CDATA[=php.PickList(/;(&(objectClass=posixAccount));loginShell;%loginShell%;;;;loginShell)]]></value> -->
 	<type>select</type>
-	<value id="/bin/sh">/bin/sh</value>
-	<value id="/bin/csh">/bin/csh</value>
-	<value id="/bin/tsh">/bin/tsh</value>
+	<value id="/bin/bash">Bash</value>
+	<value id="/bin/csh">C Shell</value>
+	<value id="/bin/dash">Dash</value>
+	<value id="/bin/sh">Shell</value>
+	<value id="/bin/tsh">Turbo C Shell</value>
+	<value id="/bin/false">False</value>
+	<value id="/usr/sbin/nologin">No Login</value>
 </attribute>
 <attribute id="userPassword">
 	<display>Password</display>

templates/creation/posixGroup.xml

@@ -35,7 +35,7 @@
 	<hidden>0</hidden>
 	<order>3</order>
 	<page>1</page>
-	<value><![CDATA[=php.MultiList(/;(&(objectClass=posixAccount));cn;%cn% (%uid|-4%))]]></value>
+	<value><![CDATA[=php.MultiList(/;(&(objectClass=posixAccount));uid;%cn% (%uid|-4%))]]></value>
 </attribute>
 </attributes>
 

templates/modification/inetOrgPerson.xml

@@ -9,7 +9,7 @@
 <noleaf>1</noleaf>
 <!--<regexp>^ou=People,o=.*,</regexp>-->
 <title>Generic: Address Book Entry</title>
-<visible>1</visible>
+<visible>0</visible>
 
 <objectClasses>
 <objectClass id="inetOrgPerson"></objectClass>

templates/modification/posixGroup.xml

@@ -10,7 +10,7 @@
 <rdn>cn</rdn>
 <!-- <regexp>^ou=.*,</regexp> -->
 <title>Generic: Posix Group</title>
-<visible>1</visible>
+<visible>0</visible>
 
 <objectClasses>
 <objectClass id="posixGroup"></objectClass>