Added in functionality to require a minimum username length and for a username blacklist which helps to prevent unneeded LDAP authentication attempts.

orware · orware · commit 605e1b534ea5 · 2021-03-16T12:24:45.000-07:00
diff --git a/configuration.example.php b/configuration.example.php
@@ -171,4 +171,97 @@
         'denied_ip' => [],
     ],
     'public_keys' => [],
+];
+
+// Add a minimum length for usernames (set to 0 to ignore length):
+$username_minimum_length = 4;
+
+// This list of usernames will simply be ignored completed (no LDAP authentication will occur):
+$username_blacklist = [
+    'admin',
+    'apagar',
+    'auto',
+    'bananapi',
+    'bdadmin',
+    'billing',
+    'bin',
+    'crm',
+    'csgoserver',
+    'deploy',
+    'eas',
+    'escaner',
+    'factorio',
+    'fedena',
+    'fernando',
+    'ftp',
+    'ftp_id',
+    'ftpserver',
+    'ftpuser',
+    'furukawa',
+    'gc',
+    'git',
+    'gitblit',
+    'gmod',
+    'guest',
+    'hxeadm',
+    'ircd',
+    'kafka',
+    'kk',
+    'koha',
+    'kms',
+    'mariadb',
+    'minecraft',
+    'mysql',
+    'node',
+    'odoo',
+    'oozie',
+    'openvpn',
+    'operator',
+    'oracle',
+    'pcguest',
+    'pi',
+    'platform',
+    'plcmspip',
+    'postgres',
+    'prueba',
+    'prueba1',
+    'rpm',
+    'root',
+    'rs',
+    'sample',
+    'secretaria',
+    'shutdown',
+    'sinus',
+    'squadserver',
+    'steam',
+    'student',
+    'student10',
+    'support',
+    'sysadmin',
+    'teacher',
+    'teacher1',
+    'teamspeak',
+    'temp',
+    'test',
+    'test1',
+    'test001',
+    'teste',
+    'testftp',
+    'trinity',
+    'ts3',
+    'ts3bot',
+    'ubuntu',
+    'user',
+    'usuario',
+    'uploader',
+    'vbox',
+    'vboxuser',
+    'voip',
+    'vyos',
+    'web5',
+    'webftp',
+    'www',
+    'www-data',
+    'zabbix',
+    'zte',
 ];
diff --git a/functions.php b/functions.php
@@ -27,10 +27,16 @@ function authenticateUser($data) {
     if (!empty($data)) {
 
         try {
-            global $connections, $domains_to_strip_automatically, $convert_username_to_lowercase;
+            global $connections, $domains_to_strip_automatically, $convert_username_to_lowercase, $username_minimum_length, $username_blacklist;
 
+            // Convert username to lowercase if setting is enabled:
             if (isset($convert_username_to_lowercase) && $convert_username_to_lowercase === true) {
+                $beforeUsername = $data['username'];
                 $data['username'] = strtolower($data['username']);
+
+                if ($beforeUsername !== $data['username']) {
+                    logMessage('Converted ' . $beforeUsername . ' to ' . $data['username']);
+                }
             }
 
             // Strip specific organization email domains if provided:
@@ -43,6 +49,22 @@ function authenticateUser($data) {
                 }
             }
 
+            // Prevent short usernames from being processed:
+            if (isset($username_minimum_length) && $username_minimum_length > 0) {
+                if (strlen($data['username']) < $username_minimum_length) {
+                    logMessage('Denying ' . $data['username'] . ' since length is less than minimum allowed (' . $username_minimum_length . ')');
+                    return denyRequest();
+                }
+            }
+
+            // Prevent blacklisted usernames from being processed:
+            if (isset($username_blacklist) && !empty($username_blacklist)) {
+                if (array_search($data['username'], $username_blacklist) !== false) {
+                    logMessage('Denying ' . $data['username'] . ' since it is in the username blacklist');
+                    return denyRequest();
+                }
+            }
+
             foreach($connections as $connectionName => $connection) {
 
                 logMessage('Before connection attempt to ' . $connectionName);
