WMDE
/
LDAPAccountManager
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

allow to disable LM hashes

This commit is contained in:
Roland Gruber 2009-05-03 15:16:15 +00:00
parent ca4c946f88
commit 40bbee0c26
2 changed files with 48 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lam/HISTORY
View File

@ -1,3 +1,7 @@
July 2009 2.7.0
- Samba 3: allow to disable LM hashes (on by default)
08.04.2009 2.6.0 08.04.2009 2.6.0
- support NIS netgroups - support NIS netgroups
- support EDU person accounts (RFE 1413731) - support EDU person accounts (RFE 1413731)

40
lam/lib/modules/sambaSamAccount.inc
View File

@ -336,7 +336,10 @@ class sambaSamAccount extends baseModule {
"Text" => _("Here you can change the settings for the terminal server access.")), "Text" => _("Here you can change the settings for the terminal server access.")),
'profilePwdCanMustChange' => array ( 'profilePwdCanMustChange' => array (
"Headline" => _("User can/must change password"), "Headline" => _("User can/must change password"),
"Text" => _("This is the number of seconds after when the user may or has to change his password.")) "Text" => _("This is the number of seconds after when the user may or has to change his password.")),
'lmHash' => array (
"Headline" => _("Disable LM hashes"),
"Text" => _("Windows password hashes are saved by default as NT and LM hashes. LM hashes are insecure and only needed for old versions of Windows. You should disable them unless you really need them."))
); );
// upload dependencies // upload dependencies
$return['upload_preDepends'] = array('posixAccount', 'inetOrgPerson'); $return['upload_preDepends'] = array('posixAccount', 'inetOrgPerson');
@ -519,7 +522,18 @@ class sambaSamAccount extends baseModule {
), ),
'options_selected' => array('0'), 'options_selected' => array('0'),
'descriptiveOptions' => true), 'descriptiveOptions' => true),
array('kind' => 'help', 'value' => 'timeZone')) array('kind' => 'help', 'value' => 'timeZone')),
array(
array('kind' => 'text', 'text' => '<b>' . _("Disable LM hashes") . ': &nbsp;</b>'),
array('kind' => 'select', 'name' => 'sambaSamAccount_lmHash', 'size' => '1',
'options' => array(
array('yes', _('yes')),
array('no', _('no'))
),
'options_selected' => array('yes'),
'descriptiveOptions' => true),
array('kind' => 'help', 'value' => 'lmHash')
)
); );
return $return; return $return;
} }
@ -633,6 +647,12 @@ class sambaSamAccount extends baseModule {
if (!in_array('sambaSamAccount', $this->attributes['objectClass'])) { if (!in_array('sambaSamAccount', $this->attributes['objectClass'])) {
return array(); return array();
} }
// delete LM hash if needed
if (!isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) || ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'yes')) {
if (isset($this->attributes['sambaLMPassword'])) {
unset($this->attributes['sambaLMPassword']);
}
}
$errors = array(); $errors = array();
$sambaDomains = search_domains(); $sambaDomains = search_domains();
if (sizeof($sambaDomains) == 0) { if (sizeof($sambaDomains) == 0) {
@ -690,11 +710,13 @@ class sambaSamAccount extends baseModule {
// host attributes // host attributes
if ($this->get_scope()=='host') { if ($this->get_scope()=='host') {
$this->attributes['sambaPrimaryGroupSID'][0] = $SID."-".$this->rids[_('Domain computers')]; $this->attributes['sambaPrimaryGroupSID'][0] = $SID."-".$this->rids[_('Domain computers')];
if ($_POST['ResetSambaPassword'] || !$this->attributes['sambaLMPassword'][0]) { if ($_POST['ResetSambaPassword'] || !$this->attributes['sambaNTPassword'][0]) {
$attrs = $this->getAccountContainer()->getAccountModule('posixAccount')->getAttributes(); $attrs = $this->getAccountContainer()->getAccountModule('posixAccount')->getAttributes();
$hostname = $attrs['uid'][0]; $hostname = $attrs['uid'][0];
$hostname = substr($hostname, 0, strlen($hostname) - 1); $hostname = substr($hostname, 0, strlen($hostname) - 1);
if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
$this->attributes['sambaLMPassword'][0] = lmPassword($hostname); $this->attributes['sambaLMPassword'][0] = lmPassword($hostname);
}
$this->attributes['sambaNTPassword'][0] = ntPassword($hostname); $this->attributes['sambaNTPassword'][0] = ntPassword($hostname);
$this->attributes['sambaPwdLastSet'][0] = time(); $this->attributes['sambaPwdLastSet'][0] = time();
} }
@ -734,7 +756,9 @@ class sambaSamAccount extends baseModule {
if (isset($_POST['useunixpwd'])) { if (isset($_POST['useunixpwd'])) {
$this->useunixpwd = true; $this->useunixpwd = true;
if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
$this->attributes['sambaLMPassword'][0] = lmPassword($this->getAccountContainer()->getAccountModule('posixAccount')->getClearTextPassword()); $this->attributes['sambaLMPassword'][0] = lmPassword($this->getAccountContainer()->getAccountModule('posixAccount')->getClearTextPassword());
}
$this->attributes['sambaNTPassword'][0] = ntPassword($this->getAccountContainer()->getAccountModule('posixAccount')->getClearTextPassword()); $this->attributes['sambaNTPassword'][0] = ntPassword($this->getAccountContainer()->getAccountModule('posixAccount')->getClearTextPassword());
$this->attributes['sambaPwdLastSet'][0] = time(); $this->attributes['sambaPwdLastSet'][0] = time();
} }
@ -747,7 +771,9 @@ class sambaSamAccount extends baseModule {
else { else {
if (!get_preg($_POST['sambaLMPassword'], 'password')) $errors[] = $this->messages['sambaLMPassword'][1]; if (!get_preg($_POST['sambaLMPassword'], 'password')) $errors[] = $this->messages['sambaLMPassword'][1];
else { else {
if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
$this->attributes['sambaLMPassword'][0] = lmPassword($_POST['sambaLMPassword']); $this->attributes['sambaLMPassword'][0] = lmPassword($_POST['sambaLMPassword']);
}
$this->attributes['sambaNTPassword'][0] = ntPassword($_POST['sambaLMPassword']); $this->attributes['sambaNTPassword'][0] = ntPassword($_POST['sambaLMPassword']);
$this->attributes['sambaPwdLastSet'][0] = time(); $this->attributes['sambaPwdLastSet'][0] = time();
} }
@ -1853,16 +1879,22 @@ class sambaSamAccount extends baseModule {
} }
// use Unix password // use Unix password
if ($rawAccounts[$i][$ids['sambaSamAccount_pwdUnix']] == "") { // default: use Unix if ($rawAccounts[$i][$ids['sambaSamAccount_pwdUnix']] == "") { // default: use Unix
if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
$partialAccounts[$i]['sambaLMPassword'] = lmPassword($rawAccounts[$i][$ids['posixAccount_password']]); $partialAccounts[$i]['sambaLMPassword'] = lmPassword($rawAccounts[$i][$ids['posixAccount_password']]);
}
$partialAccounts[$i]['sambaNTPassword'] = ntPassword($rawAccounts[$i][$ids['posixAccount_password']]); $partialAccounts[$i]['sambaNTPassword'] = ntPassword($rawAccounts[$i][$ids['posixAccount_password']]);
} }
elseif (in_array($rawAccounts[$i][$ids['sambaSamAccount_pwdUnix']], array('true', 'false'))) { elseif (in_array($rawAccounts[$i][$ids['sambaSamAccount_pwdUnix']], array('true', 'false'))) {
if ($rawAccounts[$i][$ids['sambaSamAccount_pwdUnix']] == 'true') { // use Unix if ($rawAccounts[$i][$ids['sambaSamAccount_pwdUnix']] == 'true') { // use Unix
if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
$partialAccounts[$i]['sambaLMPassword'] = lmPassword($rawAccounts[$i][$ids['posixAccount_password']]); $partialAccounts[$i]['sambaLMPassword'] = lmPassword($rawAccounts[$i][$ids['posixAccount_password']]);
}
$partialAccounts[$i]['sambaNTPassword'] = ntPassword($rawAccounts[$i][$ids['posixAccount_password']]); $partialAccounts[$i]['sambaNTPassword'] = ntPassword($rawAccounts[$i][$ids['posixAccount_password']]);
} }
else { // use given password else { // use given password
if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
$partialAccounts[$i]['sambaLMPassword'] = lmPassword($rawAccounts[$i][$ids['sambaSamAccount_password']]); $partialAccounts[$i]['sambaLMPassword'] = lmPassword($rawAccounts[$i][$ids['sambaSamAccount_password']]);
}
$partialAccounts[$i]['sambaNTPassword'] = ntPassword($rawAccounts[$i][$ids['sambaSamAccount_password']]); $partialAccounts[$i]['sambaNTPassword'] = ntPassword($rawAccounts[$i][$ids['sambaSamAccount_password']]);
} }
} }
@ -2133,7 +2165,9 @@ class sambaSamAccount extends baseModule {
} }
// passwords ( = host name) // passwords ( = host name)
$partialAccounts[$i]['sambaPwdLastSet'] = time(); $partialAccounts[$i]['sambaPwdLastSet'] = time();
if (isset($this->moduleSettings['sambaSamAccount_lmHash'][0]) && ($this->moduleSettings['sambaSamAccount_lmHash'][0] == 'no')) {
$partialAccounts[$i]['sambaLMPassword'] = lmPassword(substr($partialAccounts[$i]['uid'], 0, sizeof($partialAccounts[$i]['uid']) - 1)); $partialAccounts[$i]['sambaLMPassword'] = lmPassword(substr($partialAccounts[$i]['uid'], 0, sizeof($partialAccounts[$i]['uid']) - 1));
}
$partialAccounts[$i]['sambaNTPassword'] = ntPassword(substr($partialAccounts[$i]['uid'], 0, sizeof($partialAccounts[$i]['uid']) - 1)); $partialAccounts[$i]['sambaNTPassword'] = ntPassword(substr($partialAccounts[$i]['uid'], 0, sizeof($partialAccounts[$i]['uid']) - 1));
// flags // flags
$partialAccounts[$i]['sambaAcctFlags'] = "[W ]"; $partialAccounts[$i]['sambaAcctFlags'] = "[W ]";