external password check

lam/HISTORY

@@ -1,3 +1,7 @@
+June 2018
+  - Passwords can be checked against external service (e.g. https://api.pwnedpasswords.com/range)
+
+
 19.03.2018 6.3
   - Server profile: added option if referential integrity overlay is active to skip cleanup actions
   - Unix: several options are now specific to subaccount types (reconfiguration required!)

lam/docs/manual-sources/chapter-configuration.xml

@@ -151,6 +151,43 @@
 
       <para>You can set the minimum password length and also the complexity of
       the passwords.</para>
+
+      <para><emphasis role="bold">External password check</emphasis></para>
+
+      <para>Please note that this option is only displayed if you have
+      installed the PHP Curl extension for your web server.</para>
+
+      <para>This will validate passwords using an external service. LAM
+      supports the protocol used by <ulink
+      url="https://haveibeenpwned.com/API/v2#SearchingPwnedPasswordsByRange">Have
+      I been Pwned</ulink>. You can use the service directly or setup any
+      custom service with the same API. If the service reports an error LAM
+      will log an error message and the password will be accepted.</para>
+
+      <para>Example URL:
+      https://api.pwnedpasswords.com/range/{SHA1PREFIX}</para>
+
+      <para>LAM will build a SHA1 hash of the password and send parts of it to
+      the service.</para>
+
+      <para>The configured URL must contain the wildcard "{SHA1PREFIX}" which
+      will be replaced with the 5 character hash prefix. The service must then
+      return a list of text lines in the format "&lt;hash
+      suffix&gt;:&lt;number&gt;".</para>
+
+      <para>"&lt;hash suffix&gt;" needs to be the suffix of a known insecure
+      password. The "&lt;number&gt;" can be any numeric value and will be
+      ignored by LAM.</para>
+
+      <para>Example:</para>
+
+      <para>Password hash: 21BD10018A45C4D1DEF81644B54AB7F969B88D65</para>
+
+      <para>Hash prefix sent to service: 21BD1</para>
+
+      <para>Returned line: 0018A45C4D1DEF81644B54AB7F969B88D65:1</para>
+
+      <para>This will reject the password.</para>
     </section>
 
     <section id="conf_logging">

lam/docs/manual-sources/chapter-installation.xml

@@ -574,6 +574,12 @@
       version. Unless explicitly noticed there is no need to install an
       intermediate release.</para>
 
+      <section>
+        <title>6.3 -&gt; 6.4</title>
+
+        <para>No actions needed.</para>
+      </section>
+
       <section>
         <title>6.2 -&gt; 6.3</title>
 

lam/help/help.inc

@@ -172,7 +172,7 @@ $helpArray = array (
 				"248" => array ("Headline" => _('Password must not contain part of user/first/last name'),
 					"Text" => _('Specifies if the password must not contain 3 or more characters of the user/first/last name.')),
 				"249" => array ("Headline" => _('External password check'),
-					"Text" => _('Please specify the URL (e.g. "https://api.pwnedpasswords.com/range/{SHA1PREFIX}") of your external password check and the severity if the check fails.')),
+					"Text" => _('Please specify the URL (e.g. "https://api.pwnedpasswords.com/range/{SHA1PREFIX}") of your external password check.')),
 				"250" => array ("Headline" => _("Filter"),
 					"Text" => _("Here you can input simple filter expressions (e.g. 'value' or 'v*'). The filter is case-sensitive.")),
 				"260" => array ("Headline" => _("Additional LDAP filter"),