--- /root/rack/0.21.3/wwwroot/inc/auth.php	2019-06-13 02:12:49.000000000 +0300
+++ /var/www/racktables/wwwroot/inc/auth.php	2019-12-06 14:28:35.387651000 +0300
@@ -18,15 +18,30 @@
 // anonymous binding). It also initializes $remote_* and $*_tags vars.
 function authenticate ()
 {
+	function checkHTTPCredentialsReceived()
+	{
+		return isset ($_SERVER['REMOTE_USER']) && $_SERVER['REMOTE_USER'] != '' && $_SERVER['REMOTE_USER'] != 'logout';
+	}
+	function checkPHPCredentialsReceived()
+	{
+		return isset ($_SERVER['PHP_AUTH_USER']) && $_SERVER['PHP_AUTH_USER'] != '' && $_SERVER['PHP_AUTH_USER'] != 'logout' &&
+			isset ($_SERVER['PHP_AUTH_PW']) && $_SERVER['PHP_AUTH_PW'] != '';
+	}
 	function assertHTTPCredentialsReceived()
 	{
-		if
-		(
-			! isset ($_SERVER['PHP_AUTH_USER']) ||
-			$_SERVER['PHP_AUTH_USER'] == '' ||
-			! isset ($_SERVER['PHP_AUTH_PW']) ||
-			$_SERVER['PHP_AUTH_PW'] == ''
-		)
+		if( !checkHTTPCredentialsReceived() )
+			throw new RackTablesError ('', RackTablesError::NOT_AUTHENTICATED);
+	}
+
+	function assertPHPCredentialsReceived()
+	{
+		if( !checkPHPCredentialsReceived() )
+			throw new RackTablesError ('', RackTablesError::NOT_AUTHENTICATED);
+	}
+
+	function assertPHPandHTTPCredentialsReceived()
+	{
+		if( !checkHTTPCredentialsReceived() && !checkPHPCredentialsReceived() )
 			throw new RackTablesError ('', RackTablesError::NOT_AUTHENTICATED);
 	}
 
@@ -45,6 +60,10 @@
 	{
 		if (isset ($user_auth_src) && 'saml' == $user_auth_src)
 			saml_logout ();
+		else if (isset ($user_auth_src) && ('ldap' == $user_auth_src or 'httpd+ldap' == $user_auth_src) )
+		{
+			ldap_logout();
+		}
 		throw new RackTablesError ('', RackTablesError::NOT_AUTHENTICATED); // Reset browser credentials cache.
 	}
 	// Phase 2. Do some method-specific processing, initialize $remote_username on success.
@@ -57,18 +76,35 @@
 			$remote_username = $_SERVER['PHP_AUTH_USER'];
 			break;
 		case 'ldap' == $user_auth_src:
-			assertHTTPCredentialsReceived();
+			assertPHPCredentialsReceived();
 			$remote_username = $_SERVER['PHP_AUTH_USER'];
 			constructLDAPOptions();
 			break;
 		case 'httpd' == $user_auth_src:
-			if
-			(
-				! isset ($_SERVER['REMOTE_USER']) or
-				$_SERVER['REMOTE_USER'] == ''
-			)
+			if(!checkHTTPCredentialsReceived())
 				throw new RackTablesError ('The web-server didn\'t authenticate the user, although ought to do.', RackTablesError::MISCONFIGURED);
 			$remote_username = $_SERVER['REMOTE_USER'];
+		case 'httpd+ldap' == $user_auth_src:
+			if(isset ($_REQUEST['login']) && $_REQUEST['login'] == 'basic')
+				assertPHPCredentialsReceived();
+			if(!checkHTTPCredentialsReceived() && !checkPHPCredentialsReceived())
+			{
+				if(!isset ($_REQUEST['login']) )
+				{
+					header("Location: /?login");
+					die('Login required');
+					return;
+				}
+				else
+					throw new RackTablesError ('The web-server didn\'t authenticate the user, although ought to do.', RackTablesError::MISCONFIGURED);
+			}
+			if(checkHTTPCredentialsReceived())
+				$remote_username = $_SERVER['REMOTE_USER'];
+			else
+			{
+			    $remote_username = $_SERVER['PHP_AUTH_USER'];
+			    constructLDAPOptions();
+			}
 			break;
 		case 'saml' == $user_auth_src:
 			$saml_username = '';
@@ -106,6 +142,7 @@
 			if (authenticated_via_database ($userinfo, $_SERVER['PHP_AUTH_PW']))
 				return; // success
 			break; // failure
+		case 'httpd+ldap' == $user_auth_src:
 		case 'ldap' == $user_auth_src:
 			$ldap_dispname = '';
 			if (! authenticated_via_ldap ($remote_username, $_SERVER['PHP_AUTH_PW'], $ldap_dispname))
@@ -113,6 +150,11 @@
 			$remote_displayname = $userinfo['user_realname'] != '' ? // local value is most preferred
 				$userinfo['user_realname'] :
 				($ldap_dispname != '' ? $ldap_dispname : $remote_username); // then one from LDAP
+			if (isset ($_REQUEST['login']) && $_REQUEST['login'] == 'basic')
+			{
+				header("Location: /");
+				die("Redirect");
+			}
 			return; // success
 		case 'saml' == $user_auth_src:
 			$remote_displayname = $saml_dispname != '' ? $saml_dispname : $saml_username;
@@ -314,35 +356,60 @@
 {
 	global $LDAP_options;
 	if (! isset ($LDAP_options))
-		throw new RackTablesError ('$LDAP_options has not been defined (see secret.php)', RackTablesError::MISCONFIGURED);
+	    throw new RackTablesError ('$LDAP_options has not been defined (see secret.php)', RackTablesError::MISCONFIGURED);
 	$LDAP_defaults = array
 	(
-		'group_attr' => 'memberof',
-		'group_filter' => '/^[Cc][Nn]=([^,]+)/',
 		'cache_refresh' => 300,
 		'cache_retry' => 15,
-		'cache_expiry' => 600,
+		'cache_expiry' => 600
 	);
 	foreach ($LDAP_defaults as $option_name => $option_value)
 		if (! array_key_exists ($option_name, $LDAP_options))
 			$LDAP_options[$option_name] = $option_value;
+
+	foreach ($LDAP_options['domains'] as $LDAP_domain_options)
+	{
+		$LDAP_domain_defaults = array
+		(
+			'group_attr' => 'memberof',
+			'group_filter' => '/^[Cc][Nn]=([^,]+)/',
+		);
+		foreach ($LDAP_domain_defaults as $option_name => $option_value)
+			if (! array_key_exists ($option_name, $LDAP_domain_options))
+				$LDAP_domain_options[$option_name] = $option_value;
+	}
+}
+
+function ldap_logout ()
+{
+	global $LDAP_options;
+	if( isset($remote_username) && $remote_username != "")
+		deleteLDAPCacheRecord ($remote_username);
+	else if( isset($_SERVER['PHP_AUTH_USER']) && $_SERVER['PHP_AUTH_USER'] != "")
+		deleteLDAPCacheRecord ($_SERVER['PHP_AUTH_USER']);
+	echo("<h3>You are logged off.<br/>Please close the page.</h3>");
+	exit;
 }
 
 // a wrapper for two LDAP auth methods below
 function authenticated_via_ldap ($username, $password, &$ldap_displayname)
 {
 	global $LDAP_options, $debug_mode;
+	$isSuccess = FALSE;
 	try
 	{
-		// Destroy the cache each time config changes.
-		if ($LDAP_options['cache_expiry'] != 0 &&
-			sha1 (serialize ($LDAP_options)) != loadScript ('LDAPConfigHash'))
-		{
-			discardLDAPCache();
-			saveScript ('LDAPConfigHash', sha1 (serialize ($LDAP_options)));
-			deleteScript ('LDAPLastSuccessfulServer');
-		}
-
+	    // Destroy the cache each time config changes.
+	    if ($LDAP_options['cache_expiry'] != 0 && sha1 (serialize ($LDAP_options)) != loadScript ('LDAPConfigHash'))
+	    {
+		discardLDAPCache();
+		saveScript ('LDAPConfigHash', sha1 (serialize ($LDAP_options)));
+		deleteScript ('LDAPLastSuccessfulServer');
+	    }
+
+	    foreach ($LDAP_options['domains'] as $LDAP_domain_options)
+	    {
+		if($isSuccess)
+		    break;
 		if
 		(
 			$LDAP_options['cache_retry'] > $LDAP_options['cache_refresh'] ||
@@ -350,21 +417,26 @@
 		)
 			throw new RackTablesError ('LDAP misconfiguration: refresh/retry/expiry mismatch', RackTablesError::MISCONFIGURED);
 		if ($LDAP_options['cache_expiry'] == 0) // immediate expiry set means disabled cache
-			return authenticated_via_ldap_nocache ($username, $password, $ldap_displayname);
-		// authenticated_via_ldap_cache()'s way of locking can sometimes result in
-		// a PDO error condition that convertPDOException() was not able to dispatch.
-		// To avoid reaching printPDOException() (which prints backtrace with password
-		// argument in cleartext), any remaining PDO condition is converted locally.
-		return authenticated_via_ldap_cache ($username, $password, $ldap_displayname);
+			$isSuccess = authenticated_via_ldap_nocache ($username, $password, $ldap_displayname);
+		else
+		{
+			// authenticated_via_ldap_cache()'s way of locking can sometimes result in
+			// a PDO error condition that convertPDOException() was not able to dispatch.
+			// To avoid reaching printPDOException() (which prints backtrace with password
+			// argument in cleartext), any remaining PDO condition is converted locally.
+			$isSuccess = authenticated_via_ldap_cache ($username, $password, $ldap_displayname);
+		}
+		return $isSuccess;
+		}
 	}
 	catch (PDOException $e)
 	{
-		if (isset ($debug_mode) && $debug_mode)
-			// in debug mode re-throw DB exception as-is
-			throw $e;
-		else
-			// re-create exception to hide private data from its backtrace
-			throw new RackTablesError ('LDAP caching error', RackTablesError::DB_WRITE_FAILED);
+	    if (isset ($debug_mode) && $debug_mode)
+		// in debug mode re-throw DB exception as-is
+		throw $e;
+	    else
+		// re-create exception to hide private data from its backtrace
+		throw new RackTablesError ('LDAP caching error', RackTablesError::DB_WRITE_FAILED);
 	}
 }
 
@@ -372,7 +444,7 @@
 function authenticated_via_ldap_nocache ($username, $password, &$ldap_displayname)
 {
 	global $auto_tags;
-	$server_test = queryLDAPServer ($username, $password);
+	$server_test = queryLDAPServers ($username, $password);
 	if ($server_test['result'] == 'ACK')
 	{
 		$ldap_displayname = $server_test['displayed_name'];
@@ -418,16 +490,20 @@
 	// first try to get cache row without locking it (quick way)
 	$cache_row = fetchLDAPCacheRow ($username);
 	if (isLDAPCacheValid ($cache_row, $password_hash, TRUE))
+	{
 		$user_data = $cache_row; // cache HIT
+	}
 	else
 	{
 		// cache miss or expired. Try to lock LDAPCache for $username
 		$cache_row = acquireLDAPCache ($username);
 		if (isLDAPCacheValid ($cache_row, $password_hash, TRUE))
+		{
 			$user_data = $cache_row; // cache HIT, but with DB lock
+		}
 		else
 		{
-			$ldap_answer = queryLDAPServer ($username, $password);
+			$ldap_answer = queryLDAPServers ($username, $password);
 			switch ($ldap_answer['result'])
 			{
 			case 'ACK':
@@ -474,23 +550,37 @@
 // 'displayed_name' : a string built according to LDAP displayname_attrs option
 // 'memberof' => filtered list of all LDAP groups the user belongs to
 //
-function queryLDAPServer ($username, $password)
+function queryLDAPServers ($username, $password)
 {
 	global $LDAP_options;
 
 	if (extension_loaded ('ldap') === FALSE)
 		throw new RackTablesError ('LDAP misconfiguration. LDAP PHP Module is not installed.', RackTablesError::MISCONFIGURED);
 
+	$server_test = array ('result' => 'NAK');
+	foreach ($LDAP_options['domains'] as $LDAP_domain_options)
+	{
+		$server_test = queryLDAPServer ($username, $password, $LDAP_domain_options);
+		if ($server_test['result'] == 'ACK')
+		    return $server_test;
+	}
+
+	return $server_test;
+}
+function queryLDAPServer ($username, $password, $LDAP_domain_options)
+{
+	global $LDAP_options;
+
 	$ldap_cant_connect_codes = array
 	(
-		-1,			// Can't contact LDAP server error
-		-5,			// LDAP Timed out error
+		-1,		// Can't contact LDAP server error
+		-5,		// LDAP Timed out error
 		-11,		// LDAP connect error
 	);
 
 	$last_successful_server = loadScript ('LDAPLastSuccessfulServer');
 	$success_server = NULL;
-	$servers = preg_split ("/\s+/", $LDAP_options['server'], NULL, PREG_SPLIT_NO_EMPTY);
+	$servers = preg_split ("/\s+/", $LDAP_domain_options['server'], NULL, PREG_SPLIT_NO_EMPTY);
 	if (isset ($last_successful_server) && in_array ($last_successful_server, $servers))	// Cached server is still present in config ?
 	{
 		// Use last successful server first
@@ -500,15 +590,15 @@
 	// Try to connect to each server until first success
 	foreach ($servers as $server)
 	{
-		$connect = @ldap_connect ($server, array_fetch ($LDAP_options, 'port', 389));
+		$connect = @ldap_connect ($server, array_fetch ($LDAP_domain_options, 'port', 389));
 		if ($connect === FALSE)
 			continue;
-		ldap_set_option ($connect, LDAP_OPT_NETWORK_TIMEOUT, array_fetch ($LDAP_options, 'server_alive_timeout', 2));
+		ldap_set_option ($connect, LDAP_OPT_NETWORK_TIMEOUT, array_fetch ($LDAP_domain_options, 'server_alive_timeout', 2));
 		// If use_tls configuration option is set, then try establish TLS session instead of ldap_bind
-		if (isset ($LDAP_options['use_tls']) && $LDAP_options['use_tls'] >= 1)
+		if (isset ($LDAP_domain_options['use_tls']) && $LDAP_domain_options['use_tls'] >= 1)
 		{
 			$tls = ldap_start_tls ($connect);
-			if ($LDAP_options['use_tls'] >= 2 && $tls == FALSE)
+			if ($LDAP_domain_options['use_tls'] >= 2 && $tls == FALSE)
 			{
 				if (in_array (ldap_errno ($connect), $ldap_cant_connect_codes))
 					continue;
@@ -525,7 +615,7 @@
 				$success_server = $server;
 				// Cleanup after check. This connection will be used below
 				@ldap_unbind ($connect);
-				$connect = ldap_connect ($server, array_fetch ($LDAP_options, 'port', 389));
+				$connect = ldap_connect ($server, array_fetch ($LDAP_domain_options, 'port', 389));
 				break;
 			}
 		}
@@ -536,44 +626,52 @@
 		$last_successful_server !== $success_server)
 		saveScript ('LDAPLastSuccessfulServer', $success_server);
 
-	if (array_key_exists ('options', $LDAP_options) && is_array ($LDAP_options['options']))
-		foreach ($LDAP_options['options'] as $opt_code => $opt_value)
+	if (array_key_exists ('options', $LDAP_domain_options) && is_array ($LDAP_domain_options['options']))
+		foreach ($LDAP_domain_options['options'] as $opt_code => $opt_value)
 			ldap_set_option ($connect, $opt_code, $opt_value);
 
 	// Build the server's version of the user's username for ldap_bind(). This may
 	// involve an anonymous (or a non-anonymous, with another ldap_bind()) LDAP search.
-	if (isset ($LDAP_options['domain']) && $LDAP_options['domain'] != '')
-		$auth_user_name = $username . "@" . $LDAP_options['domain'];
+	if (isset ($LDAP_domain_options['domain']) && $LDAP_domain_options['domain'] != '')
+	{
+		$names = preg_split ("/@/", $username, NULL, PREG_SPLIT_NO_EMPTY);
+		if(count($names) == 1)
+			$auth_user_name = $username . "@" . $LDAP_domain_options['domain'];
+		elseif ($names[1] == $LDAP_domain_options['domain'])
+			$auth_user_name = $username;
+		else
+			return array ('result' => 'NAK');
+	}
 	elseif
 	(
-		isset ($LDAP_options['search_dn']) &&
-		$LDAP_options['search_dn'] != '' &&
-		isset ($LDAP_options['search_attr']) &&
-		$LDAP_options['search_attr'] != ''
+		isset ($LDAP_domain_options['search_dn']) &&
+		$LDAP_domain_options['search_dn'] != '' &&
+		isset ($LDAP_domain_options['search_attr']) &&
+		$LDAP_domain_options['search_attr'] != ''
 	)
 	{
 		// If a search_bind_rdn is supplied, bind to that and use it to search.
 		// This is required unless a server offers anonymous searching.
 		// Using bind again on the connection works as expected.
 		// The password is optional as it might be optional on server, too.
-		if (isset ($LDAP_options['search_bind_rdn']) && $LDAP_options['search_bind_rdn'] != '')
+		if (isset ($LDAP_domain_options['search_bind_rdn']) && $LDAP_domain_options['search_bind_rdn'] != '')
 		{
 			$search_bind = @ldap_bind
 			(
 				$connect,
-				$LDAP_options['search_bind_rdn'],
-				isset ($LDAP_options['search_bind_password']) ? $LDAP_options['search_bind_password'] : NULL
+				$LDAP_domain_options['search_bind_rdn'],
+				isset ($LDAP_domain_options['search_bind_password']) ? $LDAP_domain_options['search_bind_password'] : NULL
 			);
 			if ($search_bind === FALSE)
 				throw new RackTablesError
 				(
 					'LDAP misconfiguration. You have specified a search_bind_rdn ' .
-					(isset ($LDAP_options['search_bind_password']) ? 'with' : 'without') .
+					(isset ($LDAP_domain_options['search_bind_password']) ? 'with' : 'without') .
 					' a search_bind_password, but the server refused it with: ' . ldap_error ($connect),
 					RackTablesError::MISCONFIGURED
 				);
 		}
-		$results = @ldap_search ($connect, $LDAP_options['search_dn'], '(' . $LDAP_options['search_attr'] . "=${username})", array("dn"));
+		$results = @ldap_search ($connect, $LDAP_domain_options['search_dn'], '(' . $LDAP_domain_options['search_attr'] . "=${username})", array("dn"));
 		if ($results === FALSE)
 			return array ('result' => 'CAN');
 		if (@ldap_count_entries ($connect, $results) != 1)
@@ -602,20 +700,20 @@
 	// Displayed name only makes sense for authenticated users anyway.
 	if
 	(
-		isset ($LDAP_options['displayname_attrs']) &&
-		$LDAP_options['displayname_attrs'] != '' &&
-		isset ($LDAP_options['search_dn']) &&
-		$LDAP_options['search_dn'] != '' &&
-		isset ($LDAP_options['search_attr']) &&
-		$LDAP_options['search_attr'] != ''
+		isset ($LDAP_domain_options['displayname_attrs']) &&
+		$LDAP_domain_options['displayname_attrs'] != '' &&
+		isset ($LDAP_domain_options['search_dn']) &&
+		$LDAP_domain_options['search_dn'] != '' &&
+		isset ($LDAP_domain_options['search_attr']) &&
+		$LDAP_domain_options['search_attr'] != ''
 	)
 	{
 		$results = @ldap_search
 		(
 			$connect,
-			$LDAP_options['search_dn'],
-			'(' . $LDAP_options['search_attr'] . "=${username})",
-			array_merge (array ($LDAP_options['group_attr']), explode (' ', $LDAP_options['displayname_attrs']))
+			$LDAP_domain_options['search_dn'],
+			'(' . $LDAP_domain_options['search_attr'] . "=${username})",
+			array_merge (array ($LDAP_domain_options['group_attr']), explode (' ', $LDAP_domain_options['displayname_attrs']))
 		);
 		if (@ldap_count_entries ($connect, $results) != 1)
 		{
@@ -625,18 +723,18 @@
 		$info = @ldap_get_entries ($connect, $results);
 		ldap_free_result ($results);
 		$space = '';
-		foreach (explode (' ', $LDAP_options['displayname_attrs']) as $attr)
+		foreach (explode (' ', $LDAP_domain_options['displayname_attrs']) as $attr)
 			if (isset ($info[0][$attr]))
 			{
 				$ret['displayed_name'] .= $space . $info[0][$attr][0];
 				$space = ' ';
 			}
 		// Pull group membership, if any was returned.
-		if (isset ($info[0][$LDAP_options['group_attr']]))
-			for ($i = 0; $i < $info[0][$LDAP_options['group_attr']]['count']; $i++)
+		if (isset ($info[0][$LDAP_domain_options['group_attr']]))
+			for ($i = 0; $i < $info[0][$LDAP_domain_options['group_attr']]['count']; $i++)
 				if
 				(
-					preg_match ($LDAP_options['group_filter'], $info[0][$LDAP_options['group_attr']][$i], $matches) &&
+					preg_match ($LDAP_domain_options['group_filter'], $info[0][$LDAP_domain_options['group_attr']][$i], $matches) &&
 					validTagName ('$lgcn_' . $matches[1], TRUE)
 				)
 					$ret['memberof'][] = '$lgcn_' . $matches[1];