Updated version to 1.2.6.3

All code (including code originating from the blowfish PR) now correctly use tabs. Spaces are only used for alignment in comments where necessary.

INSTALL.md

@@ -5,7 +5,7 @@ For install instructions in non-English languages, see the wiki:
 
   phpLDAPadmin requires the following:
       a. A web server (Apache, IIS, etc).
-      b. PHP 5.0.0 or newer (with LDAP support)
+      b. PHP 7.0.0 or newer (with LDAP support)
 
 * To install
 

README.md

@@ -0,0 +1,13 @@
+phpLDAPadmin
+============
+
+phpLDAPadmin - Web based LDAP administration tool
+
+
+## Installation
+
+[INSTALL](INSTALL.md)
+
+## License
+
+[LICENSE](LICENSE)

VERSION

@@ -1 +1 @@
-RELEASE-1.2.3
+RELEASE-1.2.6.3

config/config.php.example

@@ -71,6 +71,31 @@
    environments. */
 #  $config->custom->password['no_random_crypt_salt'] = true;
 
+/* If you want to restrict password available types (encryption algorithms)
+	 Should be subset of:
+	 array(
+		''=>'clear',
+		'bcrypt'=>'bcrypt',
+		'blowfish'=>'blowfish',
+		'crypt'=>'crypt',
+		'ext_des'=>'ext_des',
+		'md5'=>'md5',
+		'k5key'=>'k5key',
+		'md5crypt'=>'md5crypt',
+		'sha'=>'sha',
+		'smd5'=>'smd5',
+		'ssha'=>'ssha',
+		'sha256'=>'sha256',
+		'ssha256'=>'ssha256',
+		'sha384'=>'sha384',
+		'ssha384'=>'ssha384',
+		'sha512'=>'sha512',
+		'ssha512'=>'ssha512',
+		'sha256crypt'=>'sha256crypt',
+		'sha512crypt'=>'sha512crypt',
+	 )*/
+#  $config->custom->password['available_types'] = array(''=>'clear','md5'=>'md5');
+
 /* PHP script timeout control. If php runs longer than this many seconds then
    PHP will stop with an Maximum Execution time error. Increase this value from
    the default if queries to your LDAP server are slow. The default is either
@@ -173,6 +198,10 @@ $config->custom->commands['script'] = array(
 // $config->custom->appearance['tree_width'] = null;
 #  $config->custom->appearance['tree_width'] = 250;
 
+/* Number of tree command icons to show, 0 = show all icons on 1 row. */
+// $config->custom->appearance['tree_icons'] = 0;
+#  $config->custom->appearance['tree_icons'] = 4;
+
 /* Confirm create and update operations, allowing you to review the changes
    and optionally skip attributes during the create/update operation. */
 // $config->custom->confirm['create'] = true;
@@ -235,7 +264,7 @@ $config->custom->appearance['friendly_attrs'] = array(
  *********************************************/
 
 /* Add "modify group members" link to the attribute. */
-// $config->custom->modify_member['groupattr'] = array('member','uniqueMember','memberUid');
+// $config->custom->modify_member['groupattr'] = array('member','uniqueMember','memberUid','sudoUser');
 
 /* Configure filter for member search. This only applies to "modify group members" feature */
 // $config->custom->modify_member['filter'] = '(objectclass=Person)';
@@ -310,6 +339,7 @@ $servers->setValue('server','name','My LDAP Server');
       login will be required to use phpLDAPadmin for this server.
    5. 'sasl': login will be taken from the webserver's kerberos authentication.
       Currently only GSSAPI has been tested (using mod_auth_kerb).
+   6. 'sasl_external': login will be taken from SASL external mechanism.
 
    Choose wisely to protect your authentication information appropriately for
    your situation. If you choose 'cookie', your cookie contents will be
@@ -334,6 +364,22 @@ $servers->setValue('server','name','My LDAP Server');
 /* Use TLS (Transport Layer Security) to connect to the LDAP server. */
 // $servers->setValue('server','tls',false);
 
+/* TLS Certificate Authority file (overrides ldap.conf, PHP 7.1+) */
+// $servers->setValue('server','tls_cacert',null);
+#  $servers->setValue('server','tls_cacert','/etc/openldap/certs/ca.crt');
+
+/* TLS Certificate Authority hashed directory (overrides ldap.conf, PHP 7.1+) */
+// $servers->setValue('server','tls_cacertdir',null);
+#  $servers->setValue('server','tls_cacertdir','/etc/openldap/certs');
+
+/* TLS Client Certificate file (PHP 7.1+) */
+// $servers->setValue('server','tls_cert',null);
+#  $servers->setValue('server','tls_cert','/etc/pki/tls/certs/ldap_user.crt');
+
+/* TLS Client Certificate Key file (PHP 7.1+) */
+// $servers->setValue('server','tls_key',null);
+#  $servers->setValue('server','tls_key','/etc/pki/tls/private/ldap_user.key');
+
 /************************************
  *      SASL Authentication         *
  ************************************/
@@ -341,11 +387,19 @@ $servers->setValue('server','name','My LDAP Server');
 /* Enable SASL authentication LDAP SASL authentication requires PHP 5.x
    configured with --with-ldap-sasl=DIR. If this option is disabled (ie, set to
    false), then all other sasl options are ignored. */
-// $servers->setValue('login','auth_type','sasl');
+#  $servers->setValue('login','auth_type','sasl');
 
-/* SASL auth mechanism */
+/* SASL GSSAPI auth mechanism (requires auth_type of sasl) */
 // $servers->setValue('sasl','mech','GSSAPI');
 
+/* SASL PLAIN support... this mech converts simple binds to SASL
+   PLAIN binds using any auth_type (or other bind_id/pass) as credentials.
+   NOTE: auth_type must be simple auth compatible (ie not sasl) */
+#  $servers->setValue('sasl','mech','PLAIN');
+
+/* SASL EXTERNAL support... really a different auth_type */
+#  $servers->setValue('login','auth_type','sasl_external');
+
 /* SASL authentication realm name */
 // $servers->setValue('sasl','realm','');
 #  $servers->setValue('sasl','realm','EXAMPLE.COM');
@@ -379,7 +433,7 @@ $servers->setValue('server','name','My LDAP Server');
 
 /* Default password hashing algorithm. One of md5, ssha, sha, md5crpyt, smd5,
    blowfish, crypt or leave blank for now default algorithm. */
-// $servers->setValue('appearance','password_hash','md5');
+// $servers->setValue('appearance','pla_password_hash','md5');
 
 /* If you specified 'cookie' or 'session' as the auth_type above, you can
    optionally specify here an attribute to use when logging in. If you enter
@@ -400,6 +454,12 @@ $servers->setValue('server','name','My LDAP Server');
    setup. */
 // $servers->setValue('login','class',array());
 
+/* If login_attr was set to 'dn', it is possible to specify a template string to
+   build the DN from. Use '%s' where user input should be inserted. A user may
+   still enter the complete DN. In this case the template will not be used. */
+// $servers->setValue('login','bind_dn_template',null);
+#  $servers->setValue('login','bind_dn_template','cn=%s,ou=people,dc=example,dc=com');
+
 /* If you specified something different from 'dn', for example 'uid', as the
    login_attr above, you can optionally specify here to fall back to
    authentication with dn.
@@ -420,6 +480,9 @@ $servers->setValue('server','name','My LDAP Server');
 /* Set to true if you would like to initially open the first level of each tree. */
 // $servers->setValue('appearance','open_tree',false);
 
+/* Set to true to display authorization ID in place of login dn (PHP 7.2+) */
+// $servers->setValue('appearance','show_authz',false);
+
 /* This feature allows phpLDAPadmin to automatically determine the next
    available uidNumber for a new entry. */
 // $servers->setValue('auto_number','enable',true);
@@ -546,7 +609,7 @@ $servers->setValue('sasl','authz_id_regex','/^uid=([^,]+)(.+)/i');
 $servers->setValue('sasl','authz_id_replacement','$1');
 $servers->setValue('sasl','props',null);
 
-$servers->setValue('appearance','password_hash','md5');
+$servers->setValue('appearance','pla_password_hash','md5');
 $servers->setValue('login','attr','dn');
 $servers->setValue('login','fallback_dn',false);
 $servers->setValue('login','class',null);
@@ -573,4 +636,19 @@ $servers->setValue('server','custom_sys_attrs',array('passwordExpirationTime','p
 $servers->setValue('server','custom_attrs',array('nsRoleDN','nsRole','nsAccountLock'));
 $servers->setValue('server','force_may',array('uidNumber','gidNumber','sambaSID'));
 */
+
+
+/***********************************************************************************
+ * If you want to configure Google reCAPTCHA on autentication form, do so below.   *
+ * Remove the commented lines and use this section as a template for all           *
+ * reCAPTCHA v2  Generate on https://www.google.com/recaptcha/                     *
+ *                                                                                 *
+ * IMPORTANT: Select reCAPTCHA v2   on  Type of reCAPTCHA                          *
+ ***********************************************************************************/
+
+
+$config->custom->session['reCAPTCHA-enable'] = false;
+$config->custom->session['reCAPTCHA-key-site'] = '<put-here-key-site>';
+$config->custom->session['reCAPTCHA-key-server'] = '<put-here-key-server>';
+
 ?>

doc/README-translation.txt

@@ -1,2 +1,2 @@
-Please see http://phpldapadmin.sourceforge.net/Translate now for information on
+Please see http://phpldapadmin.sourceforge.net/wiki/index.php/Translate now for information on
 translating PLA.

htdocs/copy.php

@@ -63,7 +63,7 @@ if ($request['recursive']) {
 	print '</small>';
 
 } else {
-	if ($_SESSION[APPCONFIG]->getValue('confirm','copy')) {
+	if ($_SESSION[APPCONFIG]->getValue('confirm','copy') && !$request['remove']) {
 		$request['pageSRC'] = new TemplateRender($ldap['SRC']->getIndex(),get_request('template','REQUEST',false,null));
 		$request['pageSRC']->setDN($request['dnSRC']);
 		$request['pageSRC']->accept(true);

htdocs/create.php

@@ -46,8 +46,7 @@ if (! $request['template']->getRDN())
 # Some other attribute checking...
 foreach ($request['template']->getAttributes() as $attribute) {
 	# Check that our Required Attributes have a value - we shouldnt really return a hit here, the template engine shouldnt have allowed this to slip through.
-	# @todo this isIgnoredAttr() function is missing?
-	if ($attribute->isRequired() && ! count($attribute->getValues()) && ! $app['server']->isIgnoredAttr($attr->getName()))
+	if ($attribute->isRequired() && ! count($attribute->getValues()))
 		error(sprintf(_('You left the value blank for required attribute (%s).'),
 			$attribute->getName(false)),'error','index.php');
 }

htdocs/create_confirm.php

@@ -40,8 +40,7 @@ if (! $request['template']->getRDN())
 # Some other attribute checking...
 foreach ($request['template']->getAttributes() as $attribute) {
 	# Check that our Required Attributes have a value - we shouldnt really return a hit here, the template engine shouldnt have allowed this to slip through.
-	# @todo this isIgnoredAttr() function is missing?
-	if ($attribute->isRequired() && ! count($attribute->getValues()) && ! $app['server']->isIgnoredAttr($attr->getName()))
+	if ($attribute->isRequired() && ! count($attribute->getValues()))
 		error(sprintf(_('You left the value blank for required attribute (%s).'),
 			$attribute->getName(false)),'error','index.php');
 }

htdocs/entry_chooser.php

@@ -15,9 +15,9 @@ $www['page'] = new page();
 
 $request = array();
 $request['container'] = get_request('container','GET');
-$request['form'] = get_request('form','GET');
-$request['element'] = get_request('element','GET');
-$request['rdn'] = get_request('rdn','GET');
+$request['form'] = htmlspecialchars(addslashes(get_request('form','GET')));
+$request['element'] = htmlspecialchars(addslashes(get_request('element','GET')));
+$request['rdn'] = htmlspecialchars(addslashes(get_request('rdn','GET')));
 
 echo '<div class="popup">';
 printf('<h3 class="subtitle">%s</h3>',_('Entry Chooser'));
@@ -33,7 +33,7 @@ echo '</script>';
 echo '<table class="forminput" width="100%" border="0">';
 if ($request['container']) {
 	printf('<tr><td class="heading" colspan="3">%s:</td><td>%s</td></tr>',_('Server'),$app['server']->getName());
-	printf('<tr><td class="heading" colspan="3">%s:</td><td>%s</td></tr>',_('Looking in'),$request['container']);
+	printf('<tr><td class="heading" colspan="3">%s:</td><td>%s</td></tr>',_('Looking in'),htmlspecialchars($request['container']));
 	echo '<tr><td class="blank" colspan="4">&nbsp;</td></tr>';
 }
 

htdocs/export_form.php

@@ -81,7 +81,7 @@ printf('<tr><td>%s</td><td><input type="text" name="filter" style="width:300px"
 	_('Search Filter'),htmlspecialchars($request['filter']));
 
 printf('<tr><td>%s</td><td><input type="text" name="attributes" style="width:300px" value="%s" /></td></tr>',
-	_('Show Attributtes'),htmlspecialchars($request['attr']));
+	_('Show Attributes'),htmlspecialchars($request['attr']));
 
 printf('<tr><td>&nbsp;</td><td><input type="checkbox" name="sys_attr" id="sys_attr" %s/> <label for="sys_attr">%s</label></td></tr>',
 	$request['sys_attr'] ? 'checked="checked" ' : '',_('Include system attributes'));

htdocs/index.php

@@ -57,6 +57,11 @@ if (defined('CONFDIR'))
 else
 	$app['config_file'] = 'config.php';
 
+if (! is_readable($app['config_file'])) {
+	if (ob_get_level()) ob_end_clean();
+	die(sprintf("Missing configuration file <b>%s</b> - have you created it?",$app['config_file']));
+}
+
 # Make sure this PHP install has session support
 if (! extension_loaded('session'))
 	error('<p>Your install of PHP appears to be missing php-session support.</p><p>Please install php-session support before using phpLDAPadmin.<br /><small>(Dont forget to restart your web server afterwards)</small></p>','error',null,true);
@@ -120,8 +125,10 @@ if (! $config = check_config($app['config_file'])) {
 	$_SESSION[APPCONFIG] = $config;
 }
 
-if ($uri = get_request('URI','GET'))
+if ($uri = get_request('URI','GET')) {
 	header(sprintf('Location: cmd.php?%s',base64_decode($uri)));
+        exit;
+}
 
 if (! preg_match('/^([0-9]+\.?)+/',app_version())) {
 	system_message(array(

htdocs/js/ajax_functions.js

@@ -202,8 +202,6 @@ function makeHttpRequest(url,parameters,meth,successCallbackFunctionName,errorCa
 	http_request.open(meth,url,true);
 
 	http_request.setRequestHeader('Content-type','application/x-www-form-urlencoded');
-	http_request.setRequestHeader('Content-length',parameters.length);
-	http_request.setRequestHeader('Connection','close');
 
 	if (meth == 'GET') parameters = null;
 	http_request.send(parameters);

htdocs/login.php

@@ -11,27 +11,45 @@
 
 require './common.php';
 
-$user = array();
-$user['login'] = get_request('login');
-$user['password'] = get_request('login_pass');
+$pass = true;
+if ($_SESSION[APPCONFIG]->getValue('session', 'reCAPTCHA-enable')) {
+    $pass = !IsRobot(get_request('g-recaptcha-response'));
+}
 
-if ($user['login'] && ! strlen($user['password']))
-	system_message(array(
-		'title'=>_('Authenticate to server'),
-		'body'=>_('You left the password blank.'),
-		'type'=>'warn'),
-		sprintf('cmd.php?cmd=login_form&server_id=%s',get_request('server_id','REQUEST')));
+if ($pass) {
+    $user             = array();
+    $user['login']    = get_request('login');
+    $user['password'] = get_request('login_pass');
+    $user['password'] = html_entity_decode($user['password'], ENT_QUOTES);
+
+    if ($user['login'] && !strlen($user['password'])) {
+        system_message(array(
+            'title' => _('Authenticate to server'),
+            'body'  => _('You left the password blank.'),
+            'type'  => 'warn'),
+            sprintf('cmd.php?cmd=login_form&server_id=%s', get_request('server_id', 'REQUEST')));
+    }
+
+    if ($app['server']->login($user['login'], $user['password'], 'user')) {
+        system_message(array(
+            'title' => _('Authenticate to server'),
+            'body'  => _('Successfully logged into server.'),
+            'type'  => 'info'),
+            sprintf('cmd.php?server_id=%s', get_request('server_id', 'REQUEST')));
+    } else {
+        system_message(array(
+            'title' => _('Failed to Authenticate to server'),
+            'body'  => _('Invalid Username or Password.'),
+            'type'  => 'error'),
+            sprintf('cmd.php?cmd=login_form&server_id=%s', get_request('server_id', 'REQUEST')));
+    }
+
+} else {
+    system_message(array(
+        'title' => _('Authenticate to server'),
+        'body'  => _('Incorrect captcha.'),
+        'type'  => 'warn'),
+        sprintf('cmd.php?cmd=login_form&server_id=%s', get_request('server_id', 'REQUEST')));
+}
 
-if ($app['server']->login($user['login'],$user['password'],'user'))
-	system_message(array(
-		'title'=>_('Authenticate to server'),
-		'body'=>_('Successfully logged into server.'),
-		'type'=>'info'),
-		sprintf('cmd.php?server_id=%s',get_request('server_id','REQUEST')));
-else
-	system_message(array(
-		'title'=>_('Failed to Authenticate to server'),
-		'body'=>_('Invalid Username or Password.'),
-		'type'=>'error'),
-		sprintf('cmd.php?cmd=login_form&server_id=%s',get_request('server_id','REQUEST')));
 ?>

htdocs/login_form.php

@@ -16,7 +16,19 @@ printf('<h3 class="title">%s %s</h3>',_('Authenticate to server'),$app['server']
 echo '<br />';
 
 # Check for a secure connection
-if (! isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on') {
+$isHTTPS = false;
+
+# Check if the current connection is encrypted
+if (isset($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) == 'on') {
+        $isHTTPS = true;
+}
+# Check if a proxy server downstream does encryption for us
+elseif (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && strtolower($_SERVER['HTTP_X_FORWARDED_PROTO']) == 'https' || !empty($_SERVER['HTTP_X_FORWARDED_SSL']) && strtolower($_SERVER['HTTP_X_FORWARDED_SSL'])
+== 'on') {
+        $isHTTPS = true;
+}
+
+if (!$isHTTPS) {
 	echo '<div style="text-align: center; color:red">';
 	printf('<acronym title="%s"><b>%s: %s.</b></acronym>',
 		_('You are not using \'https\'. Web browser will transmit login information in clear text.'),
@@ -25,6 +37,7 @@ if (! isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on') {
 
 	echo '<br />';
 }
+unset($isSecure);
 
 # HTTP Basic Auth Form.
 if ($app['server']->getAuthType() == 'http') {
@@ -52,7 +65,7 @@ if ($app['server']->getAuthType() == 'http') {
 
 # HTML Login Form
 } else {
-	echo '<form action="cmd.php" method="post">';
+	echo '<form action="cmd.php" method="post" autocomplete="off">';
 	echo '<div>';
 	echo '<input type="hidden" name="cmd" value="login" />';
 	printf('<input type="hidden" name="server_id" value="%s" />',$app['server']->getIndex());
@@ -67,7 +80,7 @@ if ($app['server']->getAuthType() == 'http') {
 
 	printf('<tr><td><b>%s:</b></td></tr>',
 		$app['server']->getValue('login','auth_text') ? $app['server']->getValue('login','auth_text') :
-			($app['server']->getValue('login','attr') == 'dn' ? _('Login DN') : $_SESSION[APPCONFIG]->getFriendlyName($app['server']->getValue('login','attr'))));
+			($app['server']->getValue('login','attr') == 'dn' ? ($app['server']->getValue('login', 'bind_dn_template') ? _('User Name') . ' / ' . _('Login DN') : _('Login DN')) : $_SESSION[APPCONFIG]->getFriendlyName($app['server']->getValue('login','attr'))));
 
 	printf('<tr><td><input type="text" id="login" name="login" size="40" value="%s" /></td></tr>',
 		$app['server']->getValue('login','attr',false) == 'dn' ? $app['server']->getValue('login','bind_id') : '');
@@ -77,6 +90,13 @@ if ($app['server']->getAuthType() == 'http') {
 	echo '<tr><td><input type="password" id="password" size="40" value="" name="login_pass" /></td></tr>';
 	echo '<tr><td colspan="2">&nbsp;</td></tr>';
 
+	#reCAPTCHA
+	if ($_SESSION[APPCONFIG]->getValue('session', 'reCAPTCHA-enable')) {
+		echo '<script src="https://www.google.com/recaptcha/api.js"></script>';
+		echo '<tr><td><div class="g-recaptcha" data-sitekey="'.$_SESSION[APPCONFIG]->getValue('session', 'reCAPTCHA-key-site').'"></div></td></tr>';
+		echo '<tr><td colspan="2">&nbsp;</td></tr>';
+	}
+
 	# If Anon bind allowed, then disable the form if the user choose to bind anonymously.
 	if ($app['server']->isAnonBindAllowed())
 		printf('<tr><td colspan="2"><small><b>%s</b></small> <input type="checkbox" name="anonymous_bind" onclick="form_field_toggle_enable(this,[\'login\',\'password\'],\'login\')" id="anonymous_bind_checkbox" /></td></tr>',

htdocs/monitor.php

@@ -129,15 +129,15 @@ foreach (array(
 }
 
 # cn=Connections,cn=Monitor
-printf('<tr class="list_item"><td class="heading" rowspan="2"><acronym title="%s">%s</acronym></td></tr>',$results['cn=Connections,cn=Monitor']['description'],_('LDAP Connections'));
+printf('<tr class="list_item"><td class="heading" rowspan="2"><acronym title="%s">%s</acronym></td></tr>',$results['cn=Connections,cn=Monitor']['description'][0],_('LDAP Connections'));
 printf('<tr class="list_item"><td class="value">');
 echo '<table class="result"><tr><td>';
 echo '<table class="result_table" border="0" width="100%">';
 
 printf('<tr class="highlight"><td class="20%%">%s</td><td class="value" style="width: 80%%;">%s</td></tr>',
-	_('Total Connections'),$results['cn=Total,cn=Connections,cn=Monitor']['monitorcounter']);
+	_('Total Connections'),$results['cn=Total,cn=Connections,cn=Monitor']['monitorcounter'][0]);
 printf('<tr class="highlight"><td class="20%%">%s</td><td class="value" style="width: 80%%;">%s</td></tr>',
-	_('Current Connections'),$results['cn=Current,cn=Connections,cn=Monitor']['monitorcounter']);
+	_('Current Connections'),$results['cn=Current,cn=Connections,cn=Monitor']['monitorcounter'][0]);
 
 # Look for some connections
 foreach ($results as $key => $value) {

lib/HTMLTree.php

@@ -45,7 +45,8 @@ class HTMLTree extends Tree {
 			if (! $onlytree) {
 				$this->draw_menu();
 
-				if ($server->getAuthType() != 'config')
+				if (($server->getAuthType() != 'config') ||
+				    $server->getValue('appearance', 'show_authz'))
 					$this->draw_logged_in_user();
 				else
 					printf('<tr><td class="blank" colspan="%s">&nbsp;</td></tr>',$this->getDepth()+3);
@@ -135,6 +136,7 @@ class HTMLTree extends Tree {
 				case 'config':
 				case 'proxy':
 				case 'sasl':
+				case 'sasl_external':
 					break;
 
 				default:
@@ -183,10 +185,15 @@ class HTMLTree extends Tree {
 
 		$links = '';
 
+		$i = 0;
+		$icons = $_SESSION[APPCONFIG]->getValue('appearance','tree_icons');
 		if (is_array($_SESSION[APPCONFIG]->getValue('menu','session')))
 			foreach ($_SESSION[APPCONFIG]->getValue('menu','session') as $link => $title) {
 				if ($this->get_menu_item($link))
 					$links .= sprintf('<td class="server_links">%s</td>',$this->get_menu_item($link));
+
+				if ($icons && ++$i%$icons == 0)
+					$links .= '</tr><tr>';
 			}
 
 		# Finally add our logout link.
@@ -328,7 +335,7 @@ class HTMLTree extends Tree {
 		$server = $this->getServer();
 		$href = sprintf('cmd.php?cmd=logout&server_id=%s',$server->getIndex());
 
-		if (! $_SESSION[APPCONFIG]->isCommandAvailable('script','logout') || in_array($server->getAuthType(),array('config','http','proxy','sasl')))
+		if (! $_SESSION[APPCONFIG]->isCommandAvailable('script','logout') || in_array($server->getAuthType(),array('config','http','proxy','sasl','sasl_external')))
 			return '';
 		else
 			return sprintf('<a href="%s" title="%s"><img src="%s/%s" alt="%s" /><br />%s</a>',
@@ -344,7 +351,7 @@ class HTMLTree extends Tree {
 
 		$server = $this->getServer();
 
-		$logged_in_dn = $server->getLogin(null);
+		$logged_in_dn = $server->displayLogin(null);
 		echo '<tr>';
 		echo '<td class="spacer"></td>';
 		printf('<td class="logged_in" colspan="%s">%s: ',$this->getDepth()+3-1,_('Logged in as'));

lib/PageRender.php

@@ -287,7 +287,7 @@ class PageRender extends Visitor {
 						break;
 
 					default:
-						$vals[$i] = password_hash($passwordvalue,$enc);
+						$vals[$i] = pla_password_hash($passwordvalue,$enc);
 				}
 
 				$vals = array_unique($vals);
@@ -957,7 +957,7 @@ class PageRender extends Visitor {
 		if (trim($val))
 			$enc_type = get_enc_type($val);
 		else
-			$enc_type = $server->getValue('appearance','password_hash');
+			$enc_type = $server->getValue('appearance','pla_password_hash');
 
 		$obfuscate_password = obfuscate_password_display($enc_type);
 
@@ -982,7 +982,7 @@ class PageRender extends Visitor {
 		if (trim($val))
 			$enc_type = get_enc_type($val);
 		else
-			$enc_type = $server->getValue('appearance','password_hash');
+			$enc_type = $server->getValue('appearance','pla_password_hash');
 
 		echo '<table cellspacing="0" cellpadding="0"><tr><td valign="top">';
 

lib/QueryRender.php

@@ -321,7 +321,7 @@ class QueryRender extends PageRender {
 					if (! $results) {
 						echo _('Search returned no results');
 
-						continue;
+						continue 2;
 					}
 
 					printf('<form action="cmd.php" method="post" id="massform_%s">',$counter);

lib/Template.php

@@ -1123,10 +1123,11 @@ class Template extends xmlTemplate {
 		switch ($command) {
 			/*
 			autoFill:string
-			string is a literal string, and may contain many fields like %attr|start-end/flags%
+			string is a literal string, and may contain many fields like %attr|start-end/flags|additionalcontrolchar%
 				to substitute values read from other fields.
 			|start-end is optional, but must be present if the k flag is used.
 			/flags is optional.
+			|additionalcontrolchar is optional.
 
 			flags may be:
 			T:	Read display text from selection item (drop-down list), otherwise, read the value of the field
@@ -1141,8 +1142,11 @@ class Template extends xmlTemplate {
 					The string read will be split into fields, using : as a delimiter
 					"start" indicates which field number to pass through.
 			K:	The string read will be split into fields, using ' ' as a delimiter "start" indicates which field number to pass through.
+				If additionalcontrolchar is given, it will be used as delimiter (e.g. this allows for splitting e-mail addresses 
+				into domain and domain-local part).
 			l:	Make the result lower case.
 			U:	Make the result upper case.
+			A:	Remap special characters to their corresponding ASCII value
 			*/
 			case 'autoFill':
 				if (! preg_match('/;/',$arg)) {
@@ -1155,8 +1159,8 @@ class Template extends xmlTemplate {
 				}
 
 				list($attr,$string) = preg_split('(([^,]+);(.*))',$arg,-1,PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY);
-				preg_match_all('/%(\w+)(\|[0-9]*-[0-9]*)?(\/[KklTUA]+)?%/U',$string,$matchall);
-				//print"<PRE>";print_r($matchall); //0 = highlevel match, 1 = attr, 2 = subst, 3 = mod
+				preg_match_all('/%(\w+)(\|[0-9]*-[0-9]*)?(\/[KklTUA]+)?(?:\|(.))?%/U',$string,$matchall);
+				//print"<PRE>";print_r($matchall); //0 = highlevel match, 1 = attr, 2 = subst, 3 = mod, 4 = delimiter
 
 				if (! isset($attribute->js['autoFill']))
 					$attribute->js['autoFill'] = '';
@@ -1183,6 +1187,7 @@ class Template extends xmlTemplate {
 					$match_attr = strtolower($matchall[1][$index]);
 					$match_subst = $matchall[2][$index];
 					$match_mod = $matchall[3][$index];
+					$match_delim = $matchall[4][$index];
 
 					$substrarray = array();
 
@@ -1220,13 +1225,19 @@ class Template extends xmlTemplate {
 						$attribute->js['autoFill'] .= sprintf("   %s = %s.split(':')[%s];\n",$match_attr,$match_attr,$tok_idx);
 
 					} elseif (strstr($match_mod,'K')) {
-						preg_match_all('/([0-9]+)/',trim($match_subst),$substrarray); 
-						if (isset($substrarray[1][0])) { 
-							$tok_idx = $substrarray[1][0]; 
-						} else { 
-							$tok_idx = '0'; 
-						} 
-						$attribute->js['autoFill'] .= sprintf("   %s = %s.split(' ')[%s];\n",$match_attr,$match_attr,$tok_idx); 
+						preg_match_all('/([0-9]+)/',trim($match_subst),$substrarray);
+						if (isset($substrarray[1][0])) {
+							$tok_idx = $substrarray[1][0];
+						} else {
+							$tok_idx = '0';
+						}
+
+						if ($match_delim == '') {
+							$delimiter = ' ';
+						} else {
+							$delimiter = preg_quote($match_delim);
+						}
+						$attribute->js['autoFill'] .= sprintf("   %s = %s.split('%s')[%s];\n",$match_attr,$match_attr,$delimiter,$tok_idx);
 
 					} else {
 						preg_match_all('/([0-9]*)-([0-9]*)/',trim($match_subst),$substrarray);
@@ -1251,13 +1262,13 @@ class Template extends xmlTemplate {
 					# Matchfor only entry without modifiers.
 					$formula = preg_replace('/^%('.$match_attr.')%$/U','$1 + \'\'',$formula);
 					# Matchfor only entry with modifiers.
-					$formula = preg_replace('/^%('.$match_attr.')(\|[0-9]*-[0-9]*)?(\/[KklTUA]+)?%$/U','$1 + \'\'',$formula);
+					$formula = preg_replace('/^%('.$match_attr.')(\|[0-9]*-[0-9]*)?(\/[KklTUA]+)?(?:\|(.))?%$/U','$1 + \'\'',$formula);
 					# Matchfor begining entry.
-					$formula = preg_replace('/^%('.$match_attr.')(\|[0-9]*-[0-9]*)?(\/[KklTUA]+)?%/U','$1 + \'',$formula);
+					$formula = preg_replace('/^%('.$match_attr.')(\|[0-9]*-[0-9]*)?(\/[KklTUA]+)?(?:\|(.))?%/U','$1 + \'',$formula);
 					# Matchfor ending entry.
-					$formula = preg_replace('/%('.$match_attr.')(\|[0-9]*-[0-9]*)?(\/[KklTUA]+)?%$/U','\' + $1 ',$formula);
+					$formula = preg_replace('/%('.$match_attr.')(\|[0-9]*-[0-9]*)?(\/[KklTUA]+)?(?:\|(.))?%$/U','\' + $1 ',$formula);
 					# Match for entries not at begin/end.
-					$formula = preg_replace('/%('.$match_attr.')(\|[0-9]*-[0-9]*)?(\/[:lTUA]+)?%/U','\' + $1 + \'',$formula);
+					$formula = preg_replace('/%('.$match_attr.')(\|[0-9]*-[0-9]*)?(\/[KklTUA]+)?(?:\|(.))?%/U','\' + $1 + \'',$formula);
 					$attribute->js['autoFill'] .= "\n";
 				}
 

lib/TemplateRender.php

@@ -59,7 +59,7 @@ class TemplateRender extends PageRender {
 			$this->layout['action'] = '<td class="icon"><img src="%s/%s" alt="%s" /></td><td><a href="cmd.php?%s" title="%s">%s</a></td>';
 			$this->layout['actionajax'] = '<td class="icon"><img src="%s/%s" alt="%s" /></td><td><a href="cmd.php?%s" title="%s" onclick="return ajDISPLAY(\'BODY\',\'%s\',\'%s\');">%s</a></td>';
 
-			# If we dont want to render this template automatically, we'll return here.
+			# If we don't want to render this template automatically, we'll return here.
 			if ($norender)
 				return;
 
@@ -139,16 +139,23 @@ class TemplateRender extends PageRender {
 					return;
 				}
 
-				$function_args = explode(',',$args[0]);
-
-				if (function_exists($function))
-					$vals = call_user_func_array($function,$function_args);
-
+				if (!empty($args[0]))
+					$function_args = explode(',',$args[0]);
 				else
+					$function_args = '';
+
+				if (function_exists($function)) {
+					if (empty($function_args))
+                                                $vals = call_user_func($function);
+					else
+						$vals = call_user_func_array($function,$function_args);
+
+				} else {
 					system_message(array(
 						'title'=>_('Function doesnt exist'),
 						'body'=>sprintf('%s (<b>%s</b>)',_('An attempt was made to call a function that doesnt exist'),$function),
 						'type'=>'warn'));
+				}
 
 				break;
 
@@ -200,7 +207,7 @@ class TemplateRender extends PageRender {
 					$next_number = $vals;
 
 					foreach ($mod as $calc) {
-						$operand = $calc{0};
+						$operand = $calc[0];
 						$operator = substr ($calc,1);
 
 						switch ($operand) {
@@ -264,6 +271,9 @@ class TemplateRender extends PageRender {
 			 *
 			 * * arg 8 (for MultiList)
 			 *   - size of displayed list (default: 10 lines)
+			 *
+			 * * arg 9
+			 *   - if whether to include parent in sub query TRUE|FALSE
 			 */
 			case 'MultiList':
 			case 'PickList':
@@ -273,7 +283,7 @@ class TemplateRender extends PageRender {
 				else
 					$container = $args[5];
 
-				# Process filter (arg 1), eventually replace %attr% by it's value set in a previous page.
+				# Process filter (arg 1), eventually replace %attr% by its value set in a previous page.
 				preg_match_all('/%(\w+)(\|.+)?(\/[lUC])?%/U',$args[1],$filtermatchall);
 				//print_r($matchall); // -1 = highlevel match, 1 = attr, 2 = subst, 3 = mod
 
@@ -322,6 +332,9 @@ class TemplateRender extends PageRender {
 				$vals = array();
 
 				foreach ($picklistvalues as $key => $values) {
+					if (! empty($args[9]) && $container == $key)
+						continue;
+
 					$display = $args[3];
 
 					foreach ($matchall[1] as $key => $arg) {
@@ -1679,7 +1692,7 @@ function validateForm(silence) {
 
 				// Sometimes the alert gives us enough time!
 				if (typeof getAttributeComponents != "undefined")
-					alert("Dont bother, our JS is loaded now!");
+					alert("Don\'t bother, our JS is loaded now!");
 			}
 
 			validateForm(true);
@@ -2466,7 +2479,7 @@ function deleteAttribute(attrName,friendlyName,i)
 		if ($val = $attribute->getValue($i))
 			$default = get_enc_type($val);
 		else
-			$default = $this->getServer()->getValue('appearance','password_hash');
+			$default = $this->getServer()->getValue('appearance','pla_password_hash');
 
 		if (! $attribute->getPostValue())
 			printf('<input type="hidden" name="post_value[%s][]" value="%s" />',$attribute->getName(),$i);

lib/config_default.php

@@ -8,7 +8,7 @@
  */
 
 /** The minimum version of PHP required to run phpLDAPadmin. */
-define('REQUIRED_PHP_VERSION','5.0.0');
+define('REQUIRED_PHP_VERSION','7.0.0');
 
 /**
  * The config class contains all our configuration settings for a session.
@@ -261,6 +261,10 @@ class Config {
 			'desc'=>'LDAP search filter for the tree entries',
 			'default'=>'(objectClass=*)');
 
+		$this->default->appearance['tree_icons'] = array(
+			'desc'=>'Number of Tree Icons to display on a row',
+			'default'=>0);
+
 		# PLA will not display the header and footer parts in minimal mode.
 		$this->default->appearance['minimalMode'] = array(
 			'desc'=>'Minimal mode hides header and footer parts',
@@ -444,7 +448,7 @@ class Config {
 		 */
 		$this->default->modify_member['groupattr'] = array(
 			'desc'=>'Group member attributes',
-			'default'=>array('member','uniqueMember','memberUid'));
+			'default'=>array('member','uniqueMember','memberUid','uid'));
 
 		/**
 		 * Attribute that is added to the group member attribute. For groupOfNames or groupOfUniqueNames this is dn,
@@ -550,6 +554,30 @@ class Config {
 			'desc'=>'Disable random salt for crypt()',
 			'default'=>false);
 
+		$this->default->password['available_types'] = array(
+			'desc'=>'List of available password types used for encryption',
+			'default'=>array(
+				''=>'clear',
+				'bcrypt'=>'bcrypt',
+				'blowfish'=>'blowfish',
+				'crypt'=>'crypt',
+				'ext_des'=>'ext_des',
+				'md5'=>'md5',
+				'k5key'=>'k5key',
+				'md5crypt'=>'md5crypt',
+				'sha'=>'sha',
+				'smd5'=>'smd5',
+				'ssha'=>'ssha',
+				'sha256'=>'sha256',
+				'ssha256'=>'ssha256',
+				'sha384'=>'sha384',
+				'ssha384'=>'ssha384',
+				'sha512'=>'sha512',
+				'ssha512'=>'ssha512',
+				'sha256crypt'=>'sha256crypt',
+				'sha512crypt'=>'sha512crypt',
+			));
+
 		/** Search display
 		 * By default, when searching you may display a list or a table of results.
 		 * Set this to 'table' to see table formatted results.
@@ -574,6 +602,20 @@ class Config {
 		$this->default->search['time_limit'] = array(
 			'desc'=>'Maximum time to allow unlimited size_limit searches to the ldap server',
 			'default'=>120);
+
+		/* reCAPTCHA Login */
+
+		$this->default->session['reCAPTCHA-enable'] = array(
+			'desc'=>'Status reCAPTCHA (true | false)',
+			'default'=>false);
+
+		$this->default->session['reCAPTCHA-key-site'] = array(
+			'desc'=>'Site Key',
+			'default'=>"<put-here-key-site>");
+
+		$this->default->session['reCAPTCHA-key-server'] = array(
+			'desc'=>'Server key',
+			'default'=>"<put-here-key-server>");
 	}
 
 	/**

lib/ds.php

@@ -139,6 +139,7 @@ abstract class DS {
 			case 'proxy':
 			case 'session':
 			case 'sasl':
+			case 'sasl_external':
 				return $this->getValue('login','auth_type');
 
 			default:
@@ -194,6 +195,8 @@ abstract class DS {
 				else
 					return blowfish_decrypt($_SESSION['USER'][$this->index][$method]['name']);
 
+			case 'sasl_external':
+				return 'external';
 			default:
 				die(sprintf('Error: %s hasnt been configured for auth_type %s',__METHOD__,$this->getAuthType()));
 		}
@@ -215,6 +218,7 @@ abstract class DS {
 				return true;
 
 			case 'config':
+			case 'sasl_external':
 				return true;
 
 			case 'proxy':
@@ -274,6 +278,8 @@ abstract class DS {
 				else
 					return blowfish_decrypt($_SESSION['USER'][$this->index][$method]['pass']);
 
+			case 'sasl_external':
+				return '';
 			default:
 				die(sprintf('Error: %s hasnt been configured for auth_type %s',__METHOD__,$this->getAuthType()));
 		}
@@ -400,6 +406,7 @@ abstract class DS {
 				set_cookie($method.'-PASS','',time()-3600,'/');
 
 			case 'config':
+			case 'sasl_external':
 				return true;
 
 			case 'http':
@@ -574,6 +581,10 @@ class Datastore {
 			'desc'=>'User Login ID to bind to this DS',
 			'default'=>null);
 
+		$this->default->login['bind_dn_template'] = array(
+			'desc'=>'Template string for user login DN to bind to this DS. Use \'%s\' where user input should be inserted.',
+			'default'=>null);
+
 		$this->default->login['bind_pass'] = array(
 			'desc'=>'User Login Password to bind to this DS',
 			'default'=>null);

lib/ds_ldap.php

@@ -54,6 +54,22 @@ class ldap extends DS {
 			'desc'=>'Connect using TLS',
 			'default'=>false);
 
+		$this->default->server['tls_cacert'] = array(
+			'desc'=>'TLS Certificate Authority',
+			'default'=>null);
+
+		$this->default->server['tls_cacertdir'] = array(
+			'desc'=>'TLS Certificate Authority Directory',
+			'default'=>null);
+
+		$this->default->server['tls_cert'] = array(
+			'desc'=>'TLS Client Certificate',
+			'default'=>null);
+
+		$this->default->server['tls_key'] = array(
+			'desc'=>'TLS Client Certificate Key',
+			'default'=>null);
+
 		# Login Details
 		$this->default->login['attr'] = array(
 			'desc'=>'Attribute to use to find the users DN',
@@ -110,6 +126,35 @@ class ldap extends DS {
 			'default'=>null);
 	}
 
+	/**
+	 * Set LDAP option with error checking...
+	 *
+	 * @param resource Connection resource
+	 * @param string Name of option to set
+	 * @param mixed Option value
+	 * @return boolean false if error
+	 */
+	private function setLdapOption($resource, $option, $value) {
+		if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
+			debug_log('Entered (%%)',16,0,__FILE__,__LINE__,__METHOD__,$fargs);
+
+		if (! defined($option)) {
+			system_message(array(
+				'title'=>sprintf('%s',_('Undefined LDAP option')),
+				'body'=>sprintf('<b>%s</b>: %s <b>%s</b>',_('Error'),_('Required LDAP option not defined'),$option),
+				'type'=>'error'));
+			return false;
+		}
+		if (! @ldap_set_option($resource,constant($option),$value)) {
+			system_message(array(
+				'title'=>sprintf('%s',_('Failed to set LDAP option')),
+				'body'=>sprintf('<b>%s</b>: %s <b>%s</b>',_('Error'),_('Failed to set LDAP option'),$option),
+				'type'=>'error'));
+			return false;
+		}
+		return true;
+	}
+
 	/**
 	 * Required ABSTRACT functions
 	 */
@@ -164,6 +209,7 @@ class ldap extends DS {
 		else
 			$resource = ldap_connect($this->getValue('server','host'));
 
+		$this->noconnect = false;
 		$CACHE[$this->index][$method] = $resource;
 
 		if (DEBUG_ENABLED)
@@ -174,20 +220,34 @@ class ldap extends DS {
 			debug_dump_backtrace('UNHANDLED, $resource is not a resource',1);
 
 		# Go with LDAP version 3 if possible (needed for renaming and Novell schema fetching)
-		ldap_set_option($resource,LDAP_OPT_PROTOCOL_VERSION,3);
+		if (! $this->setLdapOption($resource,'LDAP_OPT_PROTOCOL_VERSION',3))
+			$this->noconnect = true;
 
 		/* Disabling this makes it possible to browse the tree for Active Directory, and seems
 		 * to not affect other LDAP servers (tested with OpenLDAP) as phpLDAPadmin explicitly
 		 * specifies deref behavior for each ldap_search operation. */
-		ldap_set_option($resource,LDAP_OPT_REFERRALS,0);
+		elseif (! $this->setLdapOption($resource,'LDAP_OPT_REFERRALS',0))
+			$this->noconnect = true;
+
+		/* Enabling manageDsaIt to be able to browse through glued entries
+		 * 2.16.840.1.113730.3.4.2 :  "ManageDsaIT Control" "RFC 3296" "The client may provide
+		 * the ManageDsaIT control with an operation to indicate that the operation is intended
+		 * to manage objects within the DSA (server) Information Tree. The control causes
+		 * Directory-specific entries (DSEs), regardless of type, to be treated as normal entries
+		 * allowing clients to interrogate and update these entries using LDAP operations." */
+		elseif (! $this->setLdapOption($resource,'LDAP_OPT_SERVER_CONTROLS',array(array('oid'=>'2.16.840.1.113730.3.4.2'))))
+			$this->noconnect = true;
 
 		# Try to fire up TLS is specified in the config
-		if ($this->isTLSEnabled())
-			$this->startTLS($resource);
+		if ($this->isTLSEnabled() && !$this->noconnect)
+			if(! $this->startTLS($resource))
+				$this->noconnect = true;
 
 		# If SASL has been configured for binding, then start it now.
-		if ($this->isSASLEnabled())
-			$bind['result'] = $this->startSASL($resource,$method);
+		if ($this->noconnect)
+			$bind['result'] = false;
+		elseif ($this->isSASLEnabled())
+			$bind['result'] = $this->startSASL($resource,$method,$bind['id'],$bind['pass']);
 
 		# Normal bind...
 		else
@@ -203,17 +263,16 @@ class ldap extends DS {
 			if (DEBUG_ENABLED)
 				debug_log('Leaving with FALSE, bind FAILed',16,0,__FILE__,__LINE__,__METHOD__);
 
-			$this->noconnect = true;
-
-			system_message(array(
-				'title'=>sprintf('%s %s',_('Unable to connect to LDAP server'),$this->getName()),
-				'body'=>sprintf('<b>%s</b>: %s (%s) for <b>%s</b>',_('Error'),$this->getErrorMessage($method),$this->getErrorNum($method),$method),
-				'type'=>'error'));
-
+			if (! $this->noconnect) {
+				$this->noconnect = true;
+				system_message(array(
+					'title'=>sprintf('%s %s',_('Unable to connect to LDAP server'),$this->getName()),
+					'body'=>sprintf('<b>%s</b>: %s (%s) for <b>%s</b>',_('Error'),$this->getErrorMessage($method),$this->getErrorNum($method),$method),
+					'type'=>'error'));
+			}
 			$CACHE[$this->index][$method] = null;
 
 		} else {
-			$this->noconnect = false;
 
 			# If this is a proxy session, we need to switch to the proxy user
 			if ($this->isProxyEnabled() && $bind['id'] && $method != 'anon')
@@ -247,11 +306,11 @@ class ldap extends DS {
 		if (! is_null($user)) {
 			# If login,attr is set to DN, then user should be a DN
 			if (($this->getValue('login','attr') == 'dn') || $method != 'user')
-				$userDN = $user;
+				$userDN = $this->getValue('login', 'bind_dn_template') ? $this->fillDNTemplate($user) : $user;
 			else
 				$userDN = $this->getLoginID($user,'login');
 
-			if (! $userDN && $this->getValue('login','fallback_dn'))
+			if (! $userDN && $this->getValue('login','fallback_dn') && strpos($user, '='))
 				$userDN = $user;
 
 			if (! $userDN)
@@ -504,6 +563,15 @@ class ldap extends DS {
 			return $this->getBaseDN();
 	}
 
+	private function fillDNTemplate($user) {
+		foreach($this->getLoginBaseDN() as $base)
+			if(substr_compare($user, $base, -strlen($base)) === 0)
+				return $user; // $user already passed as DN
+
+		// fill template
+		return sprintf($this->getValue('login', 'bind_dn_template'), preg_replace('/([,\\\\#+<>;"=])/', '\\\\$1', $user));
+	}
+
 	/**
 	 * Return the login classes that a user must have to login
 	 */
@@ -553,10 +621,41 @@ class ldap extends DS {
 		if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 			debug_log('Entered (%%)',17,0,__FILE__,__LINE__,__METHOD__,$fargs);
 
-		if (! $this->getValue('server','tls') || (function_exists('ldap_start_tls') && ! @ldap_start_tls($resource))) {
+		// LDAP_OPT_X_TLS_ options must be set globally ($res = null)
+		// until LDAP_OPT_X_TLS_NEWCTX is exported,
+		// NOTE: new values will require php-fpm or other stateful
+		// php servers to be restarted, and are global for all php
+		// users in the process pool!
+		$val = $this->getValue('server','tls_cacert');
+		if (! empty($val))
+			if (! $this->setLdapOption(null, 'LDAP_OPT_X_TLS_CACERTFILE', $val))
+				return false;
+
+		$val = $this->getValue('server','tls_cacertdir');
+		if (! empty($val))
+			if (! $this->setLdapOption(null, 'LDAP_OPT_X_TLS_CACERTDIR', $val))
+				return false;
+
+		$val = $this->getValue('server','tls_cert');
+		if (! empty($val))
+			if (! $this->setLdapOption(null, 'LDAP_OPT_X_TLS_CERTFILE', $val))
+				return false;
+
+		$val = $this->getValue('server','tls_key');
+		if (! empty($val))
+			if (! $this->setLdapOption(null, 'LDAP_OPT_X_TLS_KEYFILE', $val))
+				return false;
+
+		if (! @ldap_start_tls($resource)) {
+			$diag_error='';
+			ldap_get_option($resource, LDAP_OPT_DIAGNOSTIC_MESSAGE, $diag_error);
+			if (! empty($diag_error)) {
+				$diag_error = '<br>'.$diag_error;
+			}
+			$error = ldap_error($resource);
 			system_message(array(
 				'title'=>sprintf('%s (%s)',_('Could not start TLS.'),$this->getName()),
-				'body'=>sprintf('<b>%s</b>: %s',_('Error'),_('Could not start TLS. Please check your LDAP server configuration.')),
+				'body'=>sprintf('<b>%s</b>: %s %s%s',_('Error'),_('Could not start TLS.'),$error,$diag_error),
 				'type'=>'error'));
 
 			return false;
@@ -571,6 +670,10 @@ class ldap extends DS {
 	 * Users may configure phpLDAPadmin to use SASL in config,php thus:
 	 * <code>
 	 *	$servers->setValue('login','auth_type','sasl');
+	 * OR
+	 *      $servers->setValue('sasl','mech','PLAIN');
+	 * OR
+	 *	$servers->setValue('login','auth_type','sasl_external');
 	 * </code>
 	 *
 	 * @return boolean
@@ -579,8 +682,11 @@ class ldap extends DS {
 		if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 			debug_log('Entered (%%)',17,0,__FILE__,__LINE__,__METHOD__,$fargs);
 
-		if ($this->getValue('login','auth_type') != 'sasl')
-			return false;
+		if (! in_array($this->getValue('login','auth_type'), array('sasl','sasl_external'))) {
+			// check if SASL mech uses login from other auth_types
+			if (! in_array(strtolower($this->getValue('sasl', 'mech')), array('plain')))
+				return false;
+		}
 
 		if (! function_exists('ldap_sasl_bind')) {
 			error(_('SASL has been enabled in your config, but your PHP install does not support SASL. SASL will be disabled.'),'warn');
@@ -598,7 +704,7 @@ class ldap extends DS {
 	 *
 	 * @todo This has not been tested, please let the developers know if this function works as expected.
 	 */
-	private function startSASL($resource,$method) {
+	private function startSASL($resource,$method,$login,$pass) {
 		if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 			debug_log('Entered (%%)',17,0,__FILE__,__LINE__,__METHOD__,$fargs);
 
@@ -608,8 +714,15 @@ class ldap extends DS {
 		if ($method == 'anon')
 			return false;
 
-		# At the moment, we have only implemented GSSAPI
-		if (! in_array(strtolower($this->getValue('sasl','mech')),array('gssapi'))) {
+		# EXTERNAL mech is really a different authType
+		if ($this->getAuthType() == 'sasl_external') {
+			return @ldap_sasl_bind($resource,NULL,NULL,
+					       'EXTERNAL',NULL,NULL,
+					       $this->getValue('sasl','props'));
+		}
+
+		# At the moment, we have only implemented GSSAPI and PLAIN
+		if (! in_array(strtolower($this->getValue('sasl','mech')),array('gssapi','plain'))) {
 			system_message(array(
 				'title'=>_('SASL Method not implemented'),
 				'body'=>sprintf('<b>%s</b>: %s %s',_('Error'),$this->getValue('sasl','mech'),_('has not been implemented yet')),
@@ -618,8 +731,15 @@ class ldap extends DS {
 			return false;
 		}
 
+		if (strtolower($this->getValue('sasl','mech')) == 'plain') {
+			return @ldap_sasl_bind($resource,NULL,$pass,'PLAIN',
+					       $this->getValue('sasl','realm'),
+					       $login,
+					       $this->getValue('sasl','props'));
+		}
+
 		if (! isset($CACHE['login_dn']))
-			$CACHE['login_dn'] = is_null($this->getLogin($method)) ? $this->getLogin('user') : $this->getLogin($method);
+			$CACHE['login_dn'] = $login;
 
 		$CACHE['authz_id'] = '';
 
@@ -754,7 +874,7 @@ class ldap extends DS {
 			'value'=>sprintf('dn:%s',$dn),
 			'iscritical' => true);
 
-		if (! ldap_set_option($resource,LDAP_OPT_SERVER_CONTROLS,array($ctrl))) {
+		if (! @ldap_set_option($resource,LDAP_OPT_SERVER_CONTROLS,array($ctrl))) {
 			system_message(array(
 				'title'=>sprintf('%s %s',_('Unable to start proxy connection'),$this->getName()),
 				'body'=>sprintf('<b>%s</b>: %s (%s) for <b>%s</b>',_('Error'),$this->getErrorMessage($method),$this->getErrorNum($method),$method),
@@ -910,7 +1030,7 @@ class ldap extends DS {
 					$dn = $this->getContainer($dn);
 
 				if ($dn == $top)
-					break;
+					continue;
 
 			} elseif($value)
 				$dn = sprintf('%s,%s',$value,$dn);
@@ -1116,13 +1236,14 @@ class ldap extends DS {
 
 		if (is_array($dn)) {
 			$a = array();
-			foreach ($dn as $key => $rdn)
-				$a[$key] = preg_replace('/\\\([0-9A-Fa-f]{2})/e',"''.chr(hexdec('\\1')).''",$rdn);
-
+			foreach ($dn as $key => $rdn) {
+				$a[$key] = preg_replace_callback('/\\\([0-9A-Fa-f]{2})/', function($m) { return chr(hexdec($m[1])); }, $rdn);
+			}
 			return $a;
 
-		} else
-			return preg_replace('/\\\([0-9A-Fa-f]{2})/e',"''.chr(hexdec('\\1')).''",$dn);
+		} else {
+			return preg_replace_callback('/\\\([0-9A-Fa-f]{2})/', function($m) { return chr(hexdec($m[1])); }, $dn);
+		}
 	}
 
 	public function getRootDSE($method=null) {

lib/ds_ldap_pla.php

@@ -16,7 +16,7 @@ class ldap_pla extends ldap {
 	function __construct($index) {
 		parent::__construct($index);
 
-		$this->default->appearance['password_hash'] = array(
+		$this->default->appearance['pla_password_hash'] = array(
 			'desc'=>'Default HASH to use for passwords',
 			'default'=>'md5');
 
@@ -28,6 +28,10 @@ class ldap_pla extends ldap {
 			'desc'=>'Whether to initially open each tree',
 			'default'=>false);
 
+		$this->default->appearance['show_authz'] = array(
+			'desc'=>'Enable display of authorization ID as login',
+			'default'=>false);
+
 		$this->default->login['fallback_dn'] = array(
 			'desc'=>'If the attribute base login fails, see if a DN was entered',
 			'default'=>false);
@@ -595,10 +599,16 @@ class ldap_pla extends ldap {
 
 		# Build our search filter to double check each attribute.
 		$query['filter'] = '(|';
-		foreach ($checkattrs as $attr)
+		foreach ($checkattrs as $attr) {
+			if (!is_array($attrs[$attr])) {
+				$val = $attrs[$attr];
+				$query['filter'] .= sprintf('(%s=%s)',$attr,$val);
+				continue;
+			}
 			foreach ($attrs[$attr] as $val)
 				if ($val)
 					$query['filter'] .= sprintf('(%s=%s)',$attr,$val);
+		}
 		$query['filter'] .= ')';
 
 		$query['attrs'] = $checkattrs;
@@ -655,5 +665,23 @@ class ldap_pla extends ldap {
 		$_SESSION['ACTIVITY'][$this->getIndex()] = $this->inactivityTime();
 		return true;
 	}
+
+	/**
+	 * Return login, or authorization ID if show_authz enabled
+	 */
+	public function displayLogin($method=null) {
+		// check for whoami function, added in 7.2
+		if ($this->getValue('appearance', 'show_authz') && function_exists('ldap_exop_whoami')) {
+			$result = @ldap_exop_whoami($this->connect($method));
+			if ($result) // strip any dn: or u: prefix
+				$result = preg_replace('/^(u|dn):/i', '', $result);
+			else // fall back to login on error
+				$result = $this->getLogin($method);
+			return $result;
+		}
+		else {
+			return $this->getLogin($method);
+		}
+	}
 }
 ?>

lib/export_functions.php

@@ -223,7 +223,7 @@ abstract class Export {
 	 */
 	protected function isSafeAscii($str) {
 		for ($i=0;$i<strlen($str);$i++)
-			if (ord($str{$i}) < 32 || ord($str{$i}) > 127)
+			if (ord($str[$i]) < 32 || ord($str[$i]) > 127)
 				return false;
 
 		return true;

lib/functions.php

@@ -51,7 +51,7 @@ if (file_exists(LIBDIR.'functions.custom.php'))
 /**
  * Loads class definition
  */
-function __autoload($className) {
+function pla_autoload($className) {
 	if (file_exists(HOOKSDIR."classes/$className.php"))
 		require_once(HOOKSDIR."classes/$className.php");
 	elseif (file_exists(LIBDIR."$className.php"))
@@ -66,10 +66,16 @@ function __autoload($className) {
 			'type'=>'error'));
 }
 
+if (version_compare(phpversion(), '7.0', '>=')) {
+	spl_autoload_register('pla_autoload');
+} else {
+	eval('function __autoload($className) {pla_autoload($className);}');
+}
+
 /**
  * Strips all slashes from the specified array in place (pass by ref).
  * @param Array The array to strip slashes from, typically one of
- *                     $_GET, $_POST, or $_COOKIE.
+ *        $_GET, $_POST, or $_COOKIE.
  */
 function array_stripslashes(&$array) {
 	if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
@@ -362,7 +368,7 @@ function cmd_control_pane($type) {
 
 				'hide_debug_info'=>array(
 					'title'=>_('Show Cache'),
-					'enable'=>isset($_SESSION[APPCONFIG]) ? $_SESSION[APPCONFIG]->isCommandAvailable('script','show_cache') : false,
+					'enable'=>isset($_SESSION[APPCONFIG]) ? ($_SESSION[APPCONFIG]->isCommandAvailable('script','show_cache')) && (! $_SESSION[APPCONFIG]->getValue('appearance','hide_debug_info')) : false,
 					'link'=>sprintf('href="cmd.php?cmd=show_cache" onclick="return ajDISPLAY(\'BODY\',\'cmd=show_cache\',\'%s\');" title="%s"',
 						_('Loading'),_('Show Cache'),_('Show Cache')),
 					'image'=>sprintf('<img src="%s/debug-cache.png" alt="%s" />',IMGDIR,_('Show Cache'))),
@@ -645,7 +651,7 @@ function error($msg,$type='note',$redirect=null,$fatal=false,$backtrace=false) {
  *
  * @return The form GET/REQUEST/SESSION/POST variable value or its default
  */
-function get_request($attr,$type='POST',$die=false,$default=null) {
+function get_request($attr,$type='POST',$die=false,$default=null,$preventXSS=true) {
 	switch($type) {
 		case 'GET':
 			$value = isset($_GET[$attr]) ? (is_array($_GET[$attr]) ? $_GET[$attr] : (empty($_GET['nodecode'][$attr]) ? rawurldecode($_GET[$attr]) : $_GET[$attr])) : $default;
@@ -664,19 +670,36 @@ function get_request($attr,$type='POST',$die=false,$default=null) {
 			$value = isset($_POST[$attr]) ? (is_array($_POST[$attr]) ? $_POST[$attr] : (empty($_POST['nodecode'][$attr]) ? rawurldecode($_POST[$attr]) : $_POST[$attr])) : $default;
 			break;
 	}
-
+	
 	if ($die && is_null($value))
 		system_message(array(
 			'title'=>_('Generic Error'),
 			'body'=>sprintf('%s: Called "%s" without "%s" using "%s"',
-				basename($_SERVER['PHP_SELF']),get_request('cmd','REQUEST'),$attr,$type),
+				basename($_SERVER['PHP_SELF']),get_request('cmd','REQUEST'),preventXSS($attr),preventXSS($type)),
 			'type'=>'error'),
 			'index.php');
-
+	if($preventXSS && !is_null($value))
+		$value = preventXSS($value);
 	return $value;
 }
-
 /**
+*  Prevent XSS function. This function can usage has preventXSS(get_request('cmd','REQUEST'))
+*  Return valor escape XSS.
+*/
+ function preventXSS($data){
+		if (gettype($data) == 'array') {
+			foreach ($data as $key => $value) {
+				if (gettype($value) == 'array')
+					$data[$key] = preventXSS($value);
+				else
+					$data[$key] = htmlspecialchars($value);
+			}
+			return $data;
+		}
+		return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
+}
+
+/*
  * Record a system message.
  * This function can be used as an alternative to generate a system message, if page hasnt yet been defined.
  */
@@ -745,6 +768,11 @@ function blowfish_encrypt($data,$secret=null) {
 	if (! trim($secret))
 		return $data;
 
+	if (! empty($data) && function_exists('openssl_encrypt') && in_array('bf-ecb', openssl_get_cipher_methods())) {
+		$keylen = openssl_cipher_iv_length('bf-ecb') * 2;
+		return openssl_encrypt($data, 'bf-ecb', substr($secret,0,$keylen));
+	}
+
 	if (function_exists('mcrypt_module_open') && ! empty($data)) {
 		$td = mcrypt_module_open(MCRYPT_BLOWFISH,'',MCRYPT_MODE_ECB,'');
 		$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td),MCRYPT_DEV_URANDOM);
@@ -801,6 +829,11 @@ function blowfish_decrypt($encdata,$secret=null) {
 	if (! trim($secret))
 		return $encdata;
 
+	if (! empty($encdata) && function_exists('openssl_encrypt') && in_array('bf-ecb', openssl_get_cipher_methods())) {
+		$keylen = openssl_cipher_iv_length('bf-ecb') * 2;
+		return trim(openssl_decrypt($encdata, 'bf-ecb', substr($secret,0,$keylen)));
+	}
+
 	if (function_exists('mcrypt_module_open') && ! empty($encdata)) {
 		$td = mcrypt_module_open(MCRYPT_BLOWFISH,'',MCRYPT_MODE_ECB,'');
 		$iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td),MCRYPT_DEV_URANDOM);
@@ -993,6 +1026,23 @@ function get_custom_file($index,$filename,$path) {
 	return $return;
 }
 
+/**
+ * Replacement for create_function() which is deprecated as of php 7.2
+ *
+ * @param string The function arguments
+ * @param string The function code
+ */
+function pla_create_function($args, $code) {
+	if (version_compare(phpversion(),'7.0','>=')) {
+		# anonymous functions were introduced in PHP 5.3.0
+		return eval("return function(".$args."){".$code."};");
+
+	} else {
+		# create_function is deprecated in php 7.2
+		return create_function($args, $code);
+	}
+}
+
 /**
  * Sort a multi dimensional array.
  *
@@ -1080,7 +1130,7 @@ function masort(&$data,$sortby,$rev=0) {
 
 		$code .= 'return $c;';
 
-		$CACHE[$sortby] = create_function('$a, $b',$code);
+		$CACHE[$sortby] = pla_create_function('$a, $b',$code);
 	}
 
 	uasort($data,$CACHE[$sortby]);
@@ -1248,29 +1298,29 @@ function is_url_string($str) {
 /**
  * Compares 2 DNs. If they are equivelant, returns 0, otherwise,
  * returns their sorting order (similar to strcmp()):
- *      Returns < 0 if dn1 is less than dn2.
- *      Returns > 0 if dn1 is greater than dn2.
+ *		Returns < 0 if dn1 is less than dn2.
+ *		Returns > 0 if dn1 is greater than dn2.
  *
  * The comparison is performed starting with the top-most element
  * of the DN. Thus, the following list:
- *    <code>
- *       ou=people,dc=example,dc=com
- *       cn=Admin,ou=People,dc=example,dc=com
- *       cn=Joe,ou=people,dc=example,dc=com
- *       dc=example,dc=com
- *       cn=Fred,ou=people,dc=example,dc=org
- *       cn=Dave,ou=people,dc=example,dc=org
- *    </code>
+ *	<code>
+ *		ou=people,dc=example,dc=com
+ *		cn=Admin,ou=People,dc=example,dc=com
+ *		cn=Joe,ou=people,dc=example,dc=com
+ *		dc=example,dc=com
+ *		cn=Fred,ou=people,dc=example,dc=org
+ *		cn=Dave,ou=people,dc=example,dc=org
+ *	</code>
  * Will be sorted thus using usort( $list, "pla_compare_dns" ):
- *    <code>
- *       dc=com
- *       dc=example,dc=com
- *       ou=people,dc=example,dc=com
- *       cn=Admin,ou=People,dc=example,dc=com
- *       cn=Joe,ou=people,dc=example,dc=com
- *       cn=Dave,ou=people,dc=example,dc=org
- *       cn=Fred,ou=people,dc=example,dc=org
- *    </code>
+ *	<code>
+ *		dc=com
+ *		dc=example,dc=com
+ *		ou=people,dc=example,dc=com
+ *		cn=Admin,ou=People,dc=example,dc=com
+ *		cn=Joe,ou=people,dc=example,dc=com
+ *		cn=Dave,ou=people,dc=example,dc=org
+ *		cn=Fred,ou=people,dc=example,dc=org
+ *	</code>
  *
  * @param string The first of two DNs to compare
  * @param string The second of two DNs to compare
@@ -1588,7 +1638,7 @@ function get_icon($server_id,$dn,$object_classes=array()) {
 
 	# Return icon filename based upon objectClass value
 	if (in_array('sambaaccount',$object_classes) &&
-		'$' == $rdn{ strlen($rdn) - 1 })
+		'$' == $rdn[ strlen($rdn) - 1 ])
 		return 'nt_machine.png';
 
 	if (in_array('sambaaccount',$object_classes))
@@ -1778,15 +1828,9 @@ function random_salt($length) {
 	if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 		debug_log('Entered (%%)',1,0,__FILE__,__LINE__,__METHOD__,$fargs);
 
-	$possible = '0123456789'.
-		'abcdefghijklmnopqrstuvwxyz'.
-		'ABCDEFGHIJKLMNOPQRSTUVWXYZ'.
-		'./';
-	$str = '';
-	mt_srand((double)microtime() * 1000000);
-
-	while (strlen($str) < $length)
-		$str .= substr($possible,(rand()%strlen($possible)),1);
+	$str = bin2hex(random_bytes(ceil($length/2)));
+	if ($length % 2 == 1)
+		return substr($str, 0, -1);
 
 	return $str;
 }
@@ -2104,19 +2148,7 @@ function password_types() {
 	if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 		debug_log('Entered (%%)',1,0,__FILE__,__LINE__,__METHOD__,$fargs);
 
-	return array(
-		''=>'clear',
-		'blowfish'=>'blowfish',
-		'crypt'=>'crypt',
-		'ext_des'=>'ext_des',
-		'md5'=>'md5',
-		'k5key'=>'k5key',
-		'md5crypt'=>'md5crypt',
-		'sha'=>'sha',
-		'smd5'=>'smd5',
-		'ssha'=>'ssha',
-		'sha512'=>'sha512',
-	);
+	return $_SESSION[APPCONFIG]->getValue('password', 'available_types');
 }
 
 /**
@@ -2124,10 +2156,11 @@ function password_types() {
  *
  * @param string The password to hash in clear text.
  * @param string Standard LDAP encryption type which must be one of
- *        crypt, ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, sha512, or clear.
+ *        crypt, ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, sha512,
+ *        sha256crypt, sha512crypt, or clear.
  * @return string The hashed password.
  */
-function password_hash($password_clear,$enc_type) {
+function pla_password_hash($password_clear,$enc_type) {
 	if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 		debug_log('Entered (%%)',1,0,__FILE__,__LINE__,__METHOD__,$fargs);
 
@@ -2171,7 +2204,7 @@ function password_hash($password_clear,$enc_type) {
 			break;
 
 		case 'md5':
-			$new_value = sprintf('{MD5}%s',base64_encode(pack('H*',md5($password_clear))));
+			$new_value = sprintf('{MD5}%s',base64_encode(md5($password_clear, true)));
 			break;
 
 		case 'md5crypt':
@@ -2183,47 +2216,79 @@ function password_hash($password_clear,$enc_type) {
 			break;
 
 		case 'sha':
-			# Use php 4.3.0+ sha1 function, if it is available.
-			if (function_exists('sha1'))
-				$new_value = sprintf('{SHA}%s',base64_encode(pack('H*',sha1($password_clear))));
-			elseif (function_exists('mhash'))
-				$new_value = sprintf('{SHA}%s',base64_encode(mhash(MHASH_SHA1,$password_clear)));
-			else
-				error(_('Your PHP install does not have the mhash() function. Cannot do SHA hashes.'),'error','index.php');
+			$new_value = sprintf('{SHA}%s',base64_encode(sha1($password_clear, true)));
 
 			break;
 
 		case 'ssha':
-			if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
-				mt_srand((double)microtime()*1000000);
-				$salt = mhash_keygen_s2k(MHASH_SHA1,$password_clear,substr(pack('h*',md5(mt_rand())),0,8),4);
-				$new_value = sprintf('{SSHA}%s',base64_encode(mhash(MHASH_SHA1,$password_clear.$salt).$salt));
-
-			} else {
-				error(_('Your PHP install does not have the mhash() or mhash_keygen_s2k() function. Cannot do S2K hashes.'),'error','index.php');
-			}
+			$salt = hex2bin(random_salt(8));
+			$new_value = sprintf('{SSHA}%s',base64_encode(sha1($password_clear.$salt, true).$salt));
 
 			break;
 
-		case 'smd5':
-			if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
-				mt_srand((double)microtime()*1000000);
-				$salt = mhash_keygen_s2k(MHASH_MD5,$password_clear,substr(pack('h*',md5(mt_rand())),0,8),4);
-				$new_value = sprintf('{SMD5}%s',base64_encode(mhash(MHASH_MD5,$password_clear.$salt).$salt));
+		case 'bcrypt':
+				$options = [
+							'cost' => 8,
+						   ];
+				#Checking if password_hash() function is available.
+				if (function_exists('password_hash'))
+						$new_value = sprintf('{BCRYPT}%s',base64_encode(password_hash($password_clear, PASSWORD_BCRYPT, $options)));
+				else
+						error(_('Your PHP install does not have the password_hash() function. Cannot do BCRYPT hashes.'),'error','index.php');
 
-			} else {
-				error(_('Your PHP install does not have the mhash() or mhash_keygen_s2k() function. Cannot do S2K hashes.'),'error','index.php');
-			}
+				break;
+
+
+		case 'smd5':
+			$salt = hex2bin(random_salt(8));
+			$new_value = sprintf('{SMD5}%s',base64_encode(md5($password_clear.$salt, true).$salt));
+
+			break;
+
+		case 'sha256':
+			$new_value = sprintf('{SHA256}%s', base64_encode(hash('sha256', $password_clear, true)));
+
+			break;
+
+		case 'ssha256':
+			$salt = hex2bin(random_salt(8));
+			$new_value = sprintf('{SSHA256}%s', base64_encode(hash('sha256', $password_clear.$salt, true).$salt));
+
+			break;
+
+		case 'sha384':
+			$new_value = sprintf('{SHA384}%s', base64_encode(hash('sha384', $password_clear, true)));
+
+			break;
+
+		case 'ssha384':
+			$salt = hex2bin(random_salt(8));
+			$new_value = sprintf('{SSHA384}%s', base64_encode(hash('sha384', $password_clear.$salt, true).$salt));
 
 			break;
 
 		case 'sha512':
-			if (function_exists('openssl_digest') && function_exists('base64_encode')) {
-				$new_value = sprintf('{SHA512}%s', base64_encode(openssl_digest($password_clear, 'sha512', true)));
+			$new_value = sprintf('{SHA512}%s', base64_encode(hash('sha512', $password_clear, true)));
 
-			} else {
-				error(_('Your PHP install doest not have the openssl_digest() or base64_encode() function. Cannot do SHA512 hashes. '),'error','index.php');
-			}
+			break;
+
+		case 'ssha512':
+			$salt = hex2bin(random_salt(8));
+			$new_value = sprintf('{SSHA512}%s', base64_encode(hash('sha512', $password_clear.$salt, true).$salt));
+
+			break;
+
+		case 'sha256crypt':
+			if (! defined('CRYPT_SHA256') || CRYPT_SHA256 == 0)
+				error(_('Your system crypt library does not support sha256crypt encryption.'),'error','index.php');
+			$new_value = sprintf('{CRYPT}%s',crypt($password_clear,'$5$'.random_salt(8)));
+
+			break;
+
+		case 'sha512crypt':
+			if (! defined('CRYPT_SHA512') || CRYPT_SHA512 == 0)
+				error(_('Your system crypt library does not support sha512crypt encryption.'),'error','index.php');
+			$new_value = sprintf('{CRYPT}%s',crypt($password_clear,'$6$'.random_salt(8)));
 
 			break;
 
@@ -2244,6 +2309,7 @@ function password_hash($password_clear,$enc_type) {
  * @return Boolean True if the clear password matches the hash, and false otherwise.
  */
 function password_check($cryptedpassword,$plainpassword,$attribute='userpassword') {
+	$plainpassword = htmlspecialchars_decode($plainpassword);
 	if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 		debug_log('Entered (%%)',1,0,__FILE__,__LINE__,__METHOD__,$fargs);
 
@@ -2278,47 +2344,52 @@ function password_check($cryptedpassword,$plainpassword,$attribute='userpassword
 	switch($cypher) {
 		# SSHA crypted passwords
 		case 'ssha':
-			# Check php mhash support before using it
-			if (function_exists('mhash')) {
-				$hash = base64_decode($cryptedpassword);
+			$hash = base64_decode($cryptedpassword);
 
-				# OpenLDAP uses a 4 byte salt, SunDS uses an 8 byte salt - both from char 20.
-				$salt = substr($hash,20);
-				$new_hash = base64_encode(mhash(MHASH_SHA1,$plainpassword.$salt).$salt);
+			# OpenLDAP uses a 4 byte salt, SunDS uses an 8 byte salt - both from char 20.
+			$salt = substr($hash,20);
+			$new_hash = base64_encode(sha1($plainpassword.$salt, true).$salt);
 
-				if (strcmp($cryptedpassword,$new_hash) == 0)
-					return true;
-				else
-					return false;
-
-			} else {
-				error(_('Your PHP install does not have the mhash() function. Cannot do SHA hashes.'),'error','index.php');
-			}
+			if (strcmp($cryptedpassword,$new_hash) == 0)
+				return true;
+			else
+				return false;
 
 			break;
 
+		#BCRYPT hashed passwords
+		case 'bcrypt':
+				# Check php password_verify support before using it
+				if (function_exists('password_verify')) {
+						$hash = base64_decode($cryptedpassword);
+						if (password_verify($plainpassword, $hash)) {
+							return true;
+						} else {
+							return false;
+						}
+
+				} else {
+						error(_('Your PHP install does not have the password_verify() function. Cannot do Bcrypt hashes.'),'error','index.php');
+				}
+
+				break;
+
 		# Salted MD5
 		case 'smd5':
-			# Check php mhash support before using it
-			if (function_exists('mhash')) {
-				$hash = base64_decode($cryptedpassword);
-				$salt = substr($hash,16);
-				$new_hash = base64_encode(mhash(MHASH_MD5,$plainpassword.$salt).$salt);
+			$hash = base64_decode($cryptedpassword);
+			$salt = substr($hash,16);
+			$new_hash = base64_encode(md5($plainpassword.$salt).$salt, true);
 
-				if (strcmp($cryptedpassword,$new_hash) == 0)
-					return true;
-				else
-					return false;
-
-			} else {
-				error(_('Your PHP install does not have the mhash() function. Cannot do SHA hashes.'),'error','index.php');
-			}
+			if (strcmp($cryptedpassword,$new_hash) == 0)
+				return true;
+			else
+				return false;
 
 			break;
 
 		# SHA crypted passwords
 		case 'sha':
-			if (strcasecmp(password_hash($plainpassword,'sha'),'{SHA}'.$cryptedpassword) == 0)
+			if (strcasecmp(pla_password_hash($plainpassword,'sha'),'{SHA}'.$cryptedpassword) == 0)
 				return true;
 			else
 				return false;
@@ -2327,7 +2398,7 @@ function password_check($cryptedpassword,$plainpassword,$attribute='userpassword
 
 		# MD5 crypted passwords
 		case 'md5':
-			if( strcasecmp(password_hash($plainpassword,'md5'),'{MD5}'.$cryptedpassword) == 0)
+			if( strcasecmp(pla_password_hash($plainpassword,'md5'),'{MD5}'.$cryptedpassword) == 0)
 				return true;
 			else
 				return false;
@@ -2390,9 +2461,66 @@ function password_check($cryptedpassword,$plainpassword,$attribute='userpassword
 
 			break;
 
+		# SHA256 crypted passwords
+		case 'sha256':
+			if (strcasecmp(pla_password_hash($plainpassword,'sha256'),'{SHA256}'.$cryptedpassword) == 0)
+				return true;
+			else
+				return false;
+
+			break;
+
+		# Salted SHA256 crypted passwords
+		case 'ssha256':
+			$hash = base64_decode($cryptedpassword);
+			$salt = substr($hash,64);
+			$new_hash = base64_encode(hash('sha256', $plainpassword.$salt, true).$salt);
+
+			if (strcmp($cryptedpassword,$new_hash) == 0)
+				return true;
+			else
+				return false;
+
+			break;
+
+		# SHA384 crypted passwords
+		case 'sha384':
+			if (strcasecmp(pla_password_hash($plainpassword,'sha384'),'{SHA384}'.$cryptedpassword) == 0)
+				return true;
+			else
+				return false;
+
+			break;
+
+		# Salted SHA384 crypted passwords
+		case 'ssha384':
+			$hash = base64_decode($cryptedpassword);
+			$salt = substr($hash,64);
+			$new_hash = base64_encode(hash('sha384', $plainpassword.$salt, true).$salt);
+
+			if (strcmp($cryptedpassword,$new_hash) == 0)
+				return true;
+			else
+				return false;
+
+			break;
+
 		# SHA512 crypted passwords
 		case 'sha512':
-			if (strcasecmp(password_hash($plainpassword,'sha512'),'{SHA512}'.$cryptedpassword) == 0)
+			if (strcasecmp(pla_password_hash($plainpassword,'sha512'),'{SHA512}'.$cryptedpassword) == 0)
+				return true;
+			else
+				return false;
+
+			break;
+
+		# Salted SHA512 crypted passwords
+		case 'ssha512':
+			$hash = base64_decode($cryptedpassword);
+			$salt = substr($hash,64);
+			$new_hash = base64_encode(hash('sha512', $plainpassword.$salt, true).$salt);
+
+			if (strcmp($cryptedpassword,$new_hash) == 0)
 				return true;
 			else
 				return false;
@@ -2470,6 +2598,32 @@ function draw_chooser_link($form,$element,$include_choose_text=true,$rdn='none')
 		printf('<span class="x-small"><a href="%s" title="%s">%s</a></span>',$href,$title,_('browse'));
 }
 
+/**
+ * http://php.net/manual/en/function.ldap-explode-dn.php#34724
+ * fixed for:
+ * Keep attention on UTF8 encoded DNs. Since openLDAP >=2.1.2
+ * ldap_explode_dn turns unprintable chars (in the ASCII sense, UTF8
+ * encoded) into \<hexcode>.
+ */
+function ldap_explode_dn_patch($dn,$with_attrib) {
+	$result = ldap_explode_dn($dn,$with_attrib);
+	if (! $result)
+		return null;
+
+	# translate hex code into ascii again
+	foreach ($result as $key => $value) {
+		$result[$key] = preg_replace_callback(
+			"/\\\([0-9A-Fa-f]{2})/",
+			function ($matches) {
+				return chr(hexdec($matches[1]));
+			},
+			$value
+		);
+	}
+
+	return $result;
+}
+
 /**
  * Explode a DN into an array of its RDN parts.
  *
@@ -2505,8 +2659,8 @@ function pla_explode_dn($dn,$with_attributes=0) {
 	$dn = addcslashes($dn,'<>+";');
 
 	# split the dn
-	$result[0] = ldap_explode_dn(dn_escape($dn),0);
-	$result[1] = ldap_explode_dn(dn_escape($dn),1);
+	$result[0] = ldap_explode_dn_patch(dn_escape($dn),0);
+	$result[1] = ldap_explode_dn_patch(dn_escape($dn),1);
 	if (! $result[$with_attributes]) {
 		if (DEBUG_ENABLED)
 			debug_log('Returning NULL - NO result.',1,0,__FILE__,__LINE__,__METHOD__);
@@ -2565,12 +2719,22 @@ function dn_unescape($dn) {
 		$a = array();
 
 		foreach ($dn as $key => $rdn)
-			$a[$key] = preg_replace('/\\\([0-9A-Fa-f]{2})/e',"''.chr(hexdec('\\1')).''",$rdn);
+			$a[$key] = preg_replace_callback('/\\\([0-9A-Fa-f]{2})/',
+				function ($r) {
+					return chr(hexdec($r[1]));
+				},
+				$rdn
+			);
 
 		return $a;
 
 	} else {
-		return preg_replace('/\\\([0-9A-Fa-f]{2})/e',"''.chr(hexdec('\\1')).''",$dn);
+		return preg_replace_callback('/\\\([0-9A-Fa-f]{2})/',
+			function ($r) {
+				return chr(hexdec($r[1]));
+			},
+			$dn
+		);
 	}
 }
 
@@ -2583,35 +2747,21 @@ function dn_unescape($dn) {
  * @return string The URL to the requested item.
  */
 function get_href($type,$extra_info='') {
-	$sf = 'https://sourceforge.net';
 	$pla = 'http://phpldapadmin.sourceforge.net';
-	$group_id = '61828';
-	$bug_atid = '498546';
-	$rfe_atid = '498549';
-	$forum_id = 'phpldapadmin-users';
 
 	switch($type) {
 		case 'add_bug':
-			return sprintf('%s/tracker/?func=add&amp;group_id=%s&amp;atid=%s',$sf,$group_id,$bug_atid);
+			return 'https://github.com/leenooks/phpLDAPadmin/issues';
 		case 'add_rfe':
-			return sprintf('%s/tracker/?func=add&amp;group_id=%s&amp;atid=%s',$sf,$group_id,$rfe_atid);
+			return 'https://github.com/leenooks/phpLDAPadmin/issues';
 		case 'credits':
 			return sprintf('%s/Credits',$pla);
 		case 'documentation':
 			return sprintf('%s/Documentation',$pla);
 		case 'donate':
-			return sprintf('%s/donate/index.php?group_id=%s',$sf,$group_id);
+			return 'https://sourceforge.net/donate/index.php?group_id=61828';
 		case 'forum':
-			return sprintf('%s/mailarchive/forum.php?forum_name=%s',$sf,$forum_id);
-		case 'logo':
-			if (! isset($_SERVER['HTTPS']) || strtolower($_SERVER['HTTPS']) != 'on')
-				$proto = 'http';
-			else
-				$proto = 'https';
-
-			return isset($_SESSION) && ! $_SESSION[APPCONFIG]->getValue('appearance','remoteurls') ? '' : sprintf('%s://sflogo.sourceforge.net/sflogo.php?group_id=%s&amp;type=10',$proto,$group_id);
-		case 'sf':
-			return sprintf('%s/projects/phpldapadmin',$sf);
+			return 'https://stackoverflow.com/questions/tagged/phpldapadmin';
 		case 'web':
 			return sprintf('%s',$pla);
 		default:
@@ -3128,4 +3278,30 @@ function isAjaxEnabled() {
 	else
 		return false;
 }
+/**
+* Check if user is a robot with reCAPTCHA
+**/
+function IsRobot($gResponse){
+	$isRobot = true;
+	$url = 'https://www.google.com/recaptcha/api/siteverify';
+	$data = array(
+		'secret' => $_SESSION[APPCONFIG]->getValue('session','reCAPTCHA-key-server'),
+		'response' => $gResponse
+	);
+	$options = array(
+		'http' => array (
+			'method' => 'POST','header' =>
+			'Content-Type: application/x-www-form-urlencoded',
+			'content' => http_build_query($data)
+		)
+	);
+	$context  = stream_context_create($options);
+	$verify = file_get_contents($url, false, $context);
+	$captcha_success = json_decode($verify);
+	if ($captcha_success->success) {
+		$isRobot = false;
+	}
+	return $isRobot;
+
+}
 ?>

lib/hooks.php

@@ -32,7 +32,7 @@
  * element priority. 1 otherwise.
  */
 function sort_array_by_priority($a,$b) {
-	if (DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
+	if (defined('DEBUG_ENABLED') && DEBUG_ENABLED && (($fargs=func_get_args())||$fargs='NOARGS'))
 		debug_log('Entered (%%)',257,0,__FILE__,__LINE__,__METHOD__,$fargs);
 
 	return (($a['priority'] < $b['priority']) ? -1 : 1 );
@@ -68,7 +68,7 @@ function run_hook($hook_name,$args) {
 	/* Execution of procedures attached is done using a numeric order
 	 * since all procedures have been attached to the hook with a
 	 * numerical weight. */
-	while (list($key,$hook) = each($hooks[$hook_name])) {
+	foreach ($hooks[$hook_name] as $key=>$hook) {
 		if (DEBUG_ENABLED)
 			debug_log('Calling HOOK Function (%s)(%s)',257,0,__FILE__,__LINE__,__METHOD__,
 				$hook['hook_function'],$args);
@@ -159,7 +159,7 @@ function remove_hook($hook_name,$hook_function,$priority,$rollback_function) {
 	if (array_key_exists($hook_name,$_SESSION[APPCONFIG]->hooks)) {
 		reset($_SESSION[APPCONFIG]->hooks[$hook_name]);
 
-		while (list($key,$hook) = each($_SESSION[APPCONFIG]->hooks[$hook_name])) {
+		foreach ($_SESSION[APPCONFIG]->hooks[$hook_name] as $key=>$hook) {
 			if (($priority >= 0 && $priority == $hook['priority']) ||
 				($hook_function && $hook_function == $hook['hook_function']) ||
 				($rollback_function && $rollback_function == $hook['rollback_function'])) {

lib/ldap_supported_oids.txt

@@ -48,6 +48,7 @@
 1.3.6.1.1.13.1					"Pre-Read Controls" "" "The Pre-Read request control, indicates that a copy of the entry before application of update is to be returned."
 1.3.6.1.1.13.2					"Post-Read Controls" "" "The Pre-Read request control, indicates that a copy of the entry before application of update is to be returned."
 1.3.6.1.1.14		"Modify-Increment Extension" "RFC 4525" "An extension to the Lightweight Directory Access Protocol (LDAP) Modify operation to support an increment capability."
+1.3.6.1.1.22		"Don't Use Copy Control" "RFC 9171" "When the control is attached to an LDAP request, the requested operation MUST NOT be performed on copied information. That is, the requested operation MUST be performed on original information."
 1.3.6.1.4.1.42.2.27.8.5.1	"passwordPolicyRequest"
 1.3.6.1.4.1.42.2.27.9.5.2	"GetEffectiveRights control" "" "May be used to determine what operations a given user may perform on a specified entry."
 1.3.6.1.4.1.1466.101.119.1	"Dynamic Directory Services Refresh Request" "RFC 2589"

lib/page.php

@@ -323,7 +323,7 @@ class page {
 		printf('<tr class="foot"><td><small>%s</small></td><td colspan="2"><div id="ajFOOT">%s</div>%s</td></tr>',
 			isCompress() ? '[C]' : '&nbsp;',
 			app_version(),
-			get_href('logo') ? sprintf('<a href="%s"><img src="%s" alt="SourceForge.net Logo" style="border: 0px;" /></a>',get_href('sf'),get_href('logo')) : '&nbsp;');
+			'&nbsp;');
 	}
 
 	/**

templates/creation/posixAccount.xml

@@ -72,9 +72,13 @@
 	<page>1</page>
 	<!-- <value><![CDATA[=php.PickList(/;(&(objectClass=posixAccount));loginShell;%loginShell%;;;;loginShell)]]></value> -->
 	<type>select</type>
-	<value id="/bin/sh">Bash</value>
+	<value id="/bin/bash">Bash</value>
 	<value id="/bin/csh">C Shell</value>
+	<value id="/bin/dash">Dash</value>
+	<value id="/bin/sh">Shell</value>
 	<value id="/bin/tsh">Turbo C Shell</value>
+	<value id="/bin/false">False</value>
+	<value id="/usr/sbin/nologin">No Login</value>
 </attribute>
 <attribute id="userPassword">
 	<display>Password</display>