WMDE
/
LDAPAccountManager
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

added central password service

This commit is contained in:
Roland Gruber 2009-10-09 18:21:12 +00:00
parent 9e088dcffa
commit 234766d251
4 changed files with 81 additions and 184 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
lam/lib/modules.inc
View File

@ -1288,10 +1288,16 @@ class accountContainer {
}
}
// set new password
$selectedModules = array();
foreach ($_POST as $key => $value) {
if (substr($key, 0, 3) == 'cb_') {
$name = substr($key, 3);
$return = array_merge($return, $this->module[$name]->passwordChanged($_POST['newPassword1']));
$selectedModules[] = $name;
}
}
foreach ($this->module as $name => $module) {
if ($module instanceof passwordService) {
$return = array_merge($return, $module->passwordChangeRequested($_POST['newPassword1'], $selectedModules));
}
}
return $return;
@ -2092,13 +2098,15 @@ interface passwordService {
public function managesPasswordAttributes();
/**
* This function is called whenever the password of this module should be changed.
* This function is called whenever the password should be changed. Account modules
* must change their password attributes only if the modules list contains their module name.
*
* @param String $password new password
* @param $modules list of modules for which the password should be changed
* @return array list of error messages if any as parameter array for StatusMessage
* e.g. return arrray(array('ERROR', 'Password change failed.'))
*/
public function passwordChanged($password);
public function passwordChangeRequested($password, $modules);
}

131
lam/lib/modules/posixAccount.inc
View File

@ -4,7 +4,7 @@
This code is part of LDAP Account Manager (http://www.sourceforge.net/projects/lam)
Copyright (C) 2003 - 2006 Tilo Lutz
Copyright (C) 2005 - 2007 Roland Gruber
Copyright (C) 2005 - 2009 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -46,7 +46,6 @@ class posixAccount extends baseModule implements passwordService {
private $groups_orig;
private $createhomedir;
private $lamdaemonServer;
private $clearTextPassword;
/**
* This function fills the error message array with messages.
@ -69,8 +68,6 @@ class posixAccount extends baseModule implements passwordService {
$this->messages['uidNumber'][3] = array('ERROR', _('ID-Number'), _('ID is already in use'));
$this->messages['uidNumber'][4] = array('ERROR', _('Account %s:') . ' posixAccount_uid', _('UID must be a number. It has to be inside the UID range which is defined in your configuration profile.'));
$this->messages['uidNumber'][5] = array('INFO', _('UID number'), _('UID number has changed. To keep file ownership you have to run the following command as root: \'find / -uid %s -exec chown %s {} \;\''));
$this->messages['userPassword'][0] = array('ERROR', _('Password'), _('Please enter the same password in both password fields.'));
$this->messages['userPassword'][1] = array('ERROR', _('Password'), _('Password contains invalid characters. Valid characters are: a-z, A-Z, 0-9 and #*,.;:_-+!%&/|?{[()]}=@$ !'));
$this->messages['userPassword'][4] = array('ERROR', _('Account %s:') . ' posixAccount_password', _('Password contains invalid characters. Valid characters are: a-z, A-Z, 0-9 and #*,.;:_-+!%&/|?{[()]}=@$ !'));
$this->messages['uid'][0] = array('INFO', _('UID'), _('UID has changed. Do you want to change home directory?'));
$this->messages['uid'][1] = array('WARN', _('User name'), _('You are using a capital letters. This can cause problems because windows isn\'t case-sensitive.'));
@ -323,7 +320,6 @@ class posixAccount extends baseModule implements passwordService {
'primaryGroup',
'additionalGroups',
'homeDirectory',
'userPassword',
'loginShell',
'cn'
);
@ -907,42 +903,6 @@ class posixAccount extends baseModule implements passwordService {
return array();
}
/**
* Processes user input of the password page.
* It checks if all input values are correct and updates the associated LDAP attributes.
*
* @return array list of info/error messages
*/
function process_password() {
if ($_POST['form_subpage_posixAccount_attributes_back']) return array();
else if ($_POST['form_subpage_posixAccount_attributes_randomPassword']) {
$pwd = generateRandomPassword();
$this->clearTextPassword = $pwd;
$this->attributes['userPassword'][0] = pwd_hash($pwd, true, $this->moduleSettings['posixAccount_pwdHash'][0]);
return array(array('INFO', _('The password was set to:') . ' ' . $pwd));
}
$errors = array();
if ($_POST['userPassword'] != $_POST['userPassword2']) {
$errors[] = $this->messages['userPassword'][0];
}
else {
if (!get_preg($_POST['userPassword'], 'password')) {
$errors[] = $this->messages['userPassword'][1];
}
else {
$pwdPolicyResult = checkPasswordStrength($_POST['userPassword']);
if ($pwdPolicyResult === true) {
$this->clearTextPassword = $_POST['userPassword'];
$this->attributes['userPassword'][0] = pwd_hash($_POST['userPassword'], true, $this->moduleSettings['posixAccount_pwdHash'][0]);
}
else {
$errors[] = array('ERROR', $pwdPolicyResult);
}
}
}
return $errors;
}
/**
* Returns the HTML meta data for the main account page.
*
@ -1022,30 +982,20 @@ class posixAccount extends baseModule implements passwordService {
array('kind' => 'help', 'value' => 'loginShell'));
}
}
if (!isset($this->attributes['userPassword'][0])) {
$return[] = array(
array('kind' => 'text', 'text' => _('Password') ),
array('kind' => 'input', 'name' => 'form_subpage_posixAccount_password_open', 'type' => 'submit', 'value' => _('Set password')));
if (pwd_is_enabled($this->attributes['userPassword'][0])) {
$lockOption = array('kind' => 'input', 'name' => 'form_subpage_posixAccount_attributes_lockPassword', 'type' => 'submit', 'value' => _('Lock password'));
}
else {
if (pwd_is_enabled($this->attributes['userPassword'][0])) {
$lockOption = array('kind' => 'input', 'name' => 'form_subpage_posixAccount_attributes_lockPassword', 'type' => 'submit', 'value' => _('Lock password'));
}
else {
$lockOption = array('kind' => 'input', 'name' => 'form_subpage_posixAccount_attributes_unlockPassword', 'type' => 'submit', 'value' => _('Unlock password'));
}
$return[] = array(
array('kind' => 'text', 'text' => _('Password') ),
array('kind' => 'table', 'value' => array(
array(
array('kind' => 'input', 'name' => 'form_subpage_posixAccount_password_open', 'type' => 'submit', 'value' => _('Change password'))
),
array($lockOption),
array(
array('kind' => 'input', 'name' => 'form_subpage_posixAccount_attributes_removePassword', 'type' => 'submit', 'value' => _('Remove password'))
)
)));
$lockOption = array('kind' => 'input', 'name' => 'form_subpage_posixAccount_attributes_unlockPassword', 'type' => 'submit', 'value' => _('Unlock password'));
}
$return[] = array(
array('kind' => 'text', 'text' => _('Password') ),
array('kind' => 'table', 'value' => array(
array($lockOption),
array(
array('kind' => 'input', 'name' => 'form_subpage_posixAccount_attributes_removePassword', 'type' => 'submit', 'value' => _('Remove password'))
)
)));
return $return;
}
@ -1109,37 +1059,6 @@ class posixAccount extends baseModule implements passwordService {
return $return;
}
/**
* Displays the password changing dialog.
*
* @return array meta HTML code
*/
function display_html_password() {
$return[] = array(
array('kind' => 'text', 'text' => _('Password') ),
array('kind' => 'input', 'name' => 'userPassword', 'type' => 'password', 'size' => '20', 'maxlength' => '255', 'value' => ""),
array('kind' => 'help', 'value' => 'userPassword'));
$return[] = array(
array('kind' => 'text', 'text' => _('Repeat password')),
array('kind' => 'input', 'name' => 'userPassword2', 'type' => 'password', 'size' => '20', 'maxlength' => '255', 'value' => ""));
$return[] = array(
array('kind' => 'text', 'text' => ' ')
);
$return[] = array(
array('kind' => 'text', 'text' => ' ')
);
$return[] = array(
array('kind' => 'table', 'value' => array(
array(
array('kind' => 'input', 'type' => 'submit', 'value' => _('Ok'), 'name' => 'form_subpage_posixAccount_attributes_submit'),
array('kind' => 'input', 'type' => 'submit', 'value' => _('Cancel'), 'name' => 'form_subpage_posixAccount_attributes_back'),
array('kind' => 'text')))),
array('kind' => 'input', 'type' => 'submit', 'value' => _('Set random password'),
'name' => 'form_subpage_posixAccount_attributes_randomPassword', 'td' => array('align' => 'right', 'colspan' => 2))
);
return $return;
}
/**
* Returns a list of elements for the account profiles.
*
@ -1247,9 +1166,6 @@ class posixAccount extends baseModule implements passwordService {
'posixAccount_homeDirectory' => array('<block><key>' . _('Home directory') . '</key><value>' . $this->attributes['homeDirectory'][0] . '</value></block>'),
'posixAccount_loginShell' => array('<block><key>' . _('Login shell') . '</key><value>' . $this->attributes['loginShell'][0] . '</value></block>'),
);
if (isset($this->clearTextPassword)) {
$return['posixAccount_userPassword'] = array('<block><key>' . _('Password') . '</key><value>' . $this->clearTextPassword . '</value></block>');
}
return $return;
}
@ -1811,15 +1727,6 @@ class posixAccount extends baseModule implements passwordService {
return $return;
}
/**
* Returns the clear text password.
*
* @return string password
*/
public function getClearTextPassword() {
return $this->clearTextPassword;
}
/**
* This method specifies if a module manages password attributes.
* @see passwordService::managesPasswordAttributes
@ -1831,14 +1738,20 @@ class posixAccount extends baseModule implements passwordService {
}
/**
* This function is called whenever the password of this module should be changed.
* @see passwordService::managesPasswordAttributes
*
* This function is called whenever the password should be changed. Account modules
* must change their password attributes only if the modules list contains their module name.
*
* @param String $password new password
* @param $modules list of modules for which the password should be changed
* @return array list of error messages if any as parameter array for StatusMessage
* e.g. return arrray(array('ERROR', 'Password change failed.'))
* @see passwordService::passwordChangeRequested
*/
public function passwordChanged($password) {
public function passwordChangeRequested($password, $modules) {
if (!in_array(get_class($this), $modules)) {
return array();
}
$this->attributes['userPassword'][0] = pwd_hash($password, true, $this->moduleSettings['posixAccount_pwdHash'][0]);
return array();
}

74
lam/lib/modules/sambaSamAccount.inc
View File

@ -42,8 +42,6 @@ include_once('sambaSamAccount/sambaMungedDial.inc');
class sambaSamAccount extends baseModule implements passwordService {
// Variables
/** use Unix password as samba password? */
private $useunixpwd;
/** use no password? */
private $nopwd;
/** password does not expire? */
@ -91,8 +89,6 @@ class sambaSamAccount extends baseModule implements passwordService {
$this->messages['logonScript'][2] = array('ERROR', _('Account %s:') . ' sambaSamAccount_logonScript', _('Logon script is invalid!'));
$this->messages['workstations'][0] = array('ERROR', _('Samba workstations'), _('Please enter a comma separated list of host names!'));
$this->messages['workstations'][1] = array('ERROR', _('Account %s:') . ' sambaSamAccount_workstations', _('Please enter a comma separated list of host names!'));
$this->messages['sambaLMPassword'][0] = array('ERROR', _('Password'), _('Please enter the same password in both password-fields.'));
$this->messages['sambaLMPassword'][1] = array('ERROR', _('Password'), _('Password contains invalid characters. Valid characters are: a-z, A-Z, 0-9 and #*,.;:_-+!%&/|?{[()]}=@$ !'));
$this->messages['sambaLMPassword'][2] = array('ERROR', _('Account %s:') . ' sambaSamAccount_password', _('Password contains invalid characters. Valid characters are: a-z, A-Z, 0-9 and #*,.;:_-+!%&/|?{[()]}=@$ !'));
$this->messages['rid'][2] = array('ERROR', _('Account %s:') . ' sambaSamAccount_rid', _('Please enter a RID number or the name of a special account!'));
$this->messages['rid'][3] = array('ERROR', _('Account %s:') . ' sambaSamAccount_rid', _('This is not a valid RID number!'));
@ -630,7 +626,6 @@ class sambaSamAccount extends baseModule implements passwordService {
function init($base) {
// call parent init
parent::init($base);
$this->useunixpwd = true;
$this->noexpire = true;
$this->nopwd = false;
$this->deactivated = false;
@ -862,31 +857,6 @@ class sambaSamAccount extends baseModule implements passwordService {
}
}
if (isset($_POST['useunixpwd'])) {
$this->useunixpwd = true;
if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
$this->attributes['sambaLMPassword'][0] = lmPassword($this->getAccountContainer()->getAccountModule('posixAccount')->getClearTextPassword());
}
$this->attributes['sambaNTPassword'][0] = ntPassword($this->getAccountContainer()->getAccountModule('posixAccount')->getClearTextPassword());
$this->attributes['sambaPwdLastSet'][0] = time();
}
else $this->useunixpwd = false;
if (!$this->useunixpwd && isset($_POST['sambaLMPassword']) && ($_POST['sambaLMPassword'] != '')) {
if ($_POST['sambaLMPassword'] != $_POST['sambaLMPassword2']) {
$errors[] = $this->messages['sambaLMPassword'][0];
unset ($_POST['sambaLMPassword2']);
}
else {
if (!get_preg($_POST['sambaLMPassword'], 'password')) $errors[] = $this->messages['sambaLMPassword'][1];
else {
if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
$this->attributes['sambaLMPassword'][0] = lmPassword($_POST['sambaLMPassword']);
}
$this->attributes['sambaNTPassword'][0] = ntPassword($_POST['sambaLMPassword']);
$this->attributes['sambaPwdLastSet'][0] = time();
}
}
}
$specialRids = array_flip($this->rids);
// set special RID if selected
if (in_array($_POST['sambaSID'], $specialRids)) {
@ -1119,19 +1089,6 @@ class sambaSamAccount extends baseModule implements passwordService {
if ($this->get_scope()=='user') {
$return[] = array(
array('kind' => 'input', 'name' => 'sambaAcctFlagsU', 'type' => 'hidden', 'value' => 'true'));
$return[] = array(
array('kind' => 'text', 'text' => _('Samba password')),
array('kind' => 'input', 'name' => 'sambaLMPassword', 'type' => 'password', 'size' => '20', 'maxlength' => '255'),
array('kind' => 'help', 'value' => 'password'));
$return[] = array(
array('kind' => 'text', 'text' => _('Repeat password')),
array('kind' => 'input', 'name' => 'sambaLMPassword2', 'type' => 'password', 'size' => '20', 'maxlength' => '255'));
if ($this->getAccountContainer()->getAccountModule('posixAccount')->getClearTextPassword() != null) {
$return[] = array(
array('kind' => 'text', 'text' => _('Use Unix password') ),
array('kind' => 'input', 'name' => 'useunixpwd', 'type' => 'checkbox', 'checked' => $this->useunixpwd),
array('kind' => 'help', 'value' => 'useunixpwd'));
}
$return[] = array(
array('kind' => 'text', 'text' => _('Use no password') ),
array('kind' => 'input', 'name' => 'sambaAcctFlagsN', 'type' => 'checkbox', 'checked' => $this->nopwd),
@ -1614,12 +1571,6 @@ class sambaSamAccount extends baseModule implements passwordService {
for ( $i=1; $i<=31; $i++ ) $day[] = $i;
for ( $i=1; $i<=12; $i++ ) $mon[] = $i;
for ( $i=2003; $i<=2030; $i++ ) $year[] = $i;
// use Unix password as Samba password
$return[] = array(
array('kind' => 'text', 'text' => _('Use Unix password') . ': '),
array('kind' => 'input', 'name' => 'sambaSamAccount_useunixpwd', 'type' => 'checkbox', 'checked' => true),
array('kind' => 'help', 'value' => 'pwdunix')
);
// use no password at all
$return[] = array(
array('kind' => 'text', 'text' => _('Use no password') . ': '),
@ -1757,13 +1708,6 @@ class sambaSamAccount extends baseModule implements passwordService {
// profile mappings in meta data
parent::load_profile($profile);
// special profile options
// use Unix password
if ($profile['sambaSamAccount_useunixpwd'][0] == "true") {
$this->useunixpwd = true;
}
elseif ($profile['sambaSamAccount_useunixpwd'][0] == "false") {
$this->useunixpwd = false;
}
// use no password
if ($profile['sambaSamAccount_sambaAcctFlagsN'][0] == "true") {
$this->nopwd = true;
@ -2379,14 +2323,24 @@ class sambaSamAccount extends baseModule implements passwordService {
}
/**
* This function is called whenever the password of this module should be changed.
* @see passwordService::managesPasswordAttributes
*
* This function is called whenever the password should be changed. Account modules
* must change their password attributes only if the modules list contains their module name.
*
* @param String $password new password
* @param $modules list of modules for which the password should be changed
* @return array list of error messages if any as parameter array for StatusMessage
* e.g. return arrray(array('ERROR', 'Password change failed.'))
* @see passwordService::passwordChangeRequested
*/
public function passwordChanged($password) {
public function passwordChangeRequested($password, $modules) {
if (!in_array(get_class($this), $modules)) {
return array();
}
if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
$this->attributes['sambaLMPassword'][0] = lmPassword($password);
}
$this->attributes['sambaNTPassword'][0] = ntPassword($password);
$this->attributes['sambaPwdLastSet'][0] = time();
return array();
}

46
lam/lib/modules/shadowAccount.inc
View File

@ -4,7 +4,7 @@ $Id$
This code is part of LDAP Account Manager (http://www.sourceforge.net/projects/lam)
Copyright (C) 2003 - 2006 Tilo Lutz
Copyright (C) 2007 Roland Gruber
Copyright (C) 2007 - 2009 Roland Gruber
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
@ -36,7 +36,7 @@ $Id$
*
* @package modules
*/
class shadowAccount extends baseModule {
class shadowAccount extends baseModule implements passwordService {
/**
* Creates a new shadowAccount object.
@ -237,16 +237,7 @@ class shadowAccount extends baseModule {
if (!in_array('shadowAccount', $this->attributes['objectClass'])) {
return array();
}
$return = $this->getAccountContainer()->save_module_attributes($this->attributes, $this->orig);
// Set shadowLastchange manual.
$clearPwd = $this->getAccountContainer()->getAccountModule('posixAccount')->getClearTextPassword();
if (isset($clearPwd)) {
$return[$this->getAccountContainer()->dn]['modify']['shadowLastChange'] = array(intval(time()/3600/24));
}
elseif ($this->getAccountContainer()->isNewAccount) {
$return[$this->getAccountContainer()->dn]['add']['shadowLastChange'] = array(intval(time()/3600/24));
}
return $return;
return $this->getAccountContainer()->save_module_attributes($this->attributes, $this->orig);
}
/**
@ -501,6 +492,37 @@ class shadowAccount extends baseModule {
}
}
/**
* This method specifies if a module manages password attributes.
* @see passwordService::managesPasswordAttributes
*
* @return boolean true if this module manages password attributes
*/
public function managesPasswordAttributes() {
// only listen to password changes
return false;
}
/**
* This function is called whenever the password should be changed. Account modules
* must change their password attributes only if the modules list contains their module name.
*
* @param String $password new password
* @param $modules list of modules for which the password should be changed
* @return array list of error messages if any as parameter array for StatusMessage
* e.g. return arrray(array('ERROR', 'Password change failed.'))
* @see passwordService::passwordChangeRequested
*/
public function passwordChangeRequested($password, $modules) {
// update password timestamp when Unix password was updated
if (!in_array('posixAccount', $modules)) {
return array();
}
$this->attributes['shadowLastChange'][0] = intval(time()/3600/24);
return array();
}
}
?>