From 7d124bb77ccb142913093778dae90d2bb782ee22 Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Sat, 2 Jan 2016 12:16:14 +0000
Subject: [PATCH] support K5KEY
---
 lam/lib/account.inc | 13 ++++++++-----
 lam/lib/modules/inetOrgPerson.inc | 11 ++++++++++-
 lam/lib/modules/posixAccount.inc | 11 ++++++++++-
 3 files changed, 28 insertions(+), 7 deletions(-)
diff --git a/lam/lib/account.inc b/lam/lib/account.inc
index d1e053ec..80b7b1c1 100644
--- a/lam/lib/account.inc
+++ b/lam/lib/account.inc
@@ -4,7 +4,7 @@
 $Id$
 This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
 Copyright (C) 2003 - 2006 Tilo Lutz
- 2009 - 2015 Roland Gruber
+ 2009 - 2016 Roland Gruber
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -140,7 +140,7 @@ function ntPassword($password) {
 *
 * @param string $password the password string
 * @param boolean $enabled marks the hash as enabled/disabled (e.g. by prefixing "!")
-* @param string $hashType password hash type (CRYPT, CRYPT-SHA512, SHA, SSHA, MD5, SMD5, PLAIN)
+* @param string $hashType password hash type (CRYPT, CRYPT-SHA512, SHA, SSHA, MD5, SMD5, PLAIN, K5KEY)
 * @return string the password hash
 */
 function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
@@ -160,8 +160,8 @@ function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
 $hash = "{MD5}" . base64_encode(convertHex2bin(md5($password)));
 break;
 case 'SMD5':
- $salt = generateSalt(4);
- $hash = "{SMD5}" . base64_encode(convertHex2bin(md5($password . $salt)) . $salt);
+ $salt = generateSalt(4);
+ $hash = "{SMD5}" . base64_encode(convertHex2bin(md5($password . $salt)) . $salt);
 break;
 case 'SHA':
 $hash = "{SHA}" . base64_encode(convertHex2bin(sha1($password)));
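Review bot: The updated `@param $hashType` line now lists K5KEY, but the docblock still describes `$password` as "the password string", while the K5KEY case added in the next hunk never reads it and returns the fixed marker `{K5KEY}` (the module hunks accordingly pass the dummy value `'x'`). State that in the same docblock: `* @param string $password the password string (ignored for K5KEY, which yields the fixed marker "{K5KEY}")`. pwd_hash's body continues outside this hunk, so whether the `$enabled` "!" prefix is also applied to the K5KEY marker is not visible here; the docblock should say which it is.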
@@ -169,6 +169,9 @@ function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
 case 'PLAIN':
 $hash = $password;
 break;
+ case 'K5KEY':
+ $hash = '{K5KEY}';
+ break;
 case 'SSHA':
 default: // use SSHA if the setting is invalid
 $salt = generateSalt(4);
@@ -186,7 +189,7 @@ function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
 * @return array hash types
 */
 function getSupportedHashTypes() {
- return array('CRYPT', 'CRYPT-SHA512', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN', 'SASL');
+ return array('CRYPT', 'CRYPT-SHA512', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN', 'SASL', 'K5KEY');
 }
 
 /**
diff --git a/lam/lib/modules/inetOrgPerson.inc b/lam/lib/modules/inetOrgPerson.inc
index 81656cf5..4ee458c6 100644
--- a/lam/lib/modules/inetOrgPerson.inc
+++ b/lam/lib/modules/inetOrgPerson.inc
@@ -4,7 +4,7 @@
 $Id$
 This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
 Copyright (C) 2003 - 2006 Tilo Lutz
- 2005 - 2015 Roland Gruber
+ 2005 - 2016 Roland Gruber
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
@@ -833,6 +833,7 @@ class inetOrgPerson extends baseModule implements passwordService {
 'pwdHash' => array(
 "Headline" => _("Password hash type"),
 "Text" => _("LAM supports CRYPT, CRYPT-SHA512, SHA, SSHA, MD5 and SMD5 to generate the hash value of passwords. SSHA and CRYPT are the most common but CRYPT does not support passwords greater than 8 letters. We do not recommend to use plain text passwords.")
+ . ' ' . _('K5KEY is only needed if you use Kerberos with smbk5pwd.')
 ),
 'ou' => array(
 "Headline" => _("Organisational unit"), 'attr' => 'ou',
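Review bot: The sentence appended to the pwdHash help text says when K5KEY is needed but not what it does: with this setting the password entered in LAM is discarded and the password attribute is set to the fixed marker `{K5KEY}`, as the K5KEY branches in the inetOrgPerson and posixAccount save and upload hunks show. An administrator who selects it without the smbk5pwd overlay in place would presumably end up with accounts whose password value no backend can verify, so the help text should spell this out, e.g. `. ' ' . _('K5KEY is only needed if you use Kerberos with smbk5pwd. LAM then stores only the marker {K5KEY} and ignores any password that is entered.')`. The identical sentence is added in the posixAccount hunk at -488 and should get the same wording.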
@@ -1209,6 +1210,10 @@ class inetOrgPerson extends baseModule implements passwordService {
 && ($this->getAccountContainer()->isNewAccount || ($this->attributes['uid'][0] != $this->orig['uid'][0]))) {
 $this->attributes['userPassword'][0] = '{SASL}' . $this->attributes['uid'][0];
 }
+ // set K5KEY password for new users
+ if (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'K5KEY')) {
+ $this->attributes[$this->getPasswordAttrName()][0] = pwd_hash('x', true, $this->moduleSettings['posixAccount_pwdHash'][0]);
+ }
 }
 }
@@ -2327,6 +2332,10 @@ class inetOrgPerson extends baseModule implements passwordService {
 if (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
 $partialAccounts[$i]['userPassword'] = '{SASL}' . $partialAccounts[$i]['uid'];
 }
+ // set K5KEY password
+ elseif (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'K5KEY')) {
+ $partialAccounts[$i]['userPassword'] = pwd_hash('x', true, $this->moduleSettings['posixAccount_pwdHash'][0]);
+ }
 // set normal password
 else {
 if (($rawAccounts[$i][$ids['inetOrgPerson_userPassword']] != "") && (get_preg($rawAccounts[$i][$ids['inetOrgPerson_userPassword']], 'password'))) {
diff --git a/lam/lib/modules/posixAccount.inc b/lam/lib/modules/posixAccount.inc
index c55ff2e0..3c1c9aec 100644
--- a/lam/lib/modules/posixAccount.inc
+++ b/lam/lib/modules/posixAccount.inc
@@ -4,7 +4,7 @@
 
 This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
 Copyright (C) 2003 - 2006 Tilo Lutz
- Copyright (C) 2005 - 2015 Roland Gruber
+ Copyright (C) 2005 - 2016 Roland Gruber
 
 This program is free software; you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
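Review bot: The new block is commented `set K5KEY password for new users`, but unlike the SASL branch above it, which is gated on `isNewAccount` or a changed uid, its condition checks only the module setting, so the password attribute is rewritten to `{K5KEY}` on every save of an existing account too; if the setting is switched to K5KEY after accounts already carry a regular hash, each edit silently replaces that hash. Either add the guard, `if (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'K5KEY') && $this->getAccountContainer()->isNewAccount) {`, or reword the comment to say the marker is enforced on every save. The same condition is added in the posixAccount hunk at -1282. The enclosing method starts outside the hunk, so an outer condition that already restricts this code to new accounts would not be visible here. The new line also writes to `$this->attributes[$this->getPasswordAttrName()]` while the SASL line beside it writes `$this->attributes['userPassword']`; the two should agree on the attribute name.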
@@ -488,6 +488,7 @@ class posixAccount extends baseModule implements passwordService {
 'pwdHash' => array(
 "Headline" => _("Password hash type"),
 "Text" => _("LAM supports CRYPT, CRYPT-SHA512, SHA, SSHA, MD5 and SMD5 to generate the hash value of passwords. SSHA and CRYPT are the most common but CRYPT does not support passwords greater than 8 letters. We do not recommend to use plain text passwords.")
+ . ' ' . _('K5KEY is only needed if you use Kerberos with smbk5pwd.')
 ),
 'uidNumber' => array(
 "Headline" => _("UID number"), 'attr' => 'uidNumber',
@@ -1282,6 +1283,10 @@ class posixAccount extends baseModule implements passwordService {
 && ($this->getAccountContainer()->isNewAccount || ($this->attributes['uid'][0] != $this->orig['uid'][0]))) {
 $this->attributes[$this->getPasswordAttrName()][0] = '{SASL}' . $this->attributes['uid'][0];
 }
+ // set K5KEY password for new users
+ if (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'K5KEY')) {
+ $this->attributes[$this->getPasswordAttrName()][0] = pwd_hash('x', true, $this->moduleSettings['posixAccount_pwdHash'][0]);
+ }
 }
 // Return error-messages
 return $errors;
@@ -2226,6 +2231,10 @@ class posixAccount extends baseModule implements passwordService {
 if (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
 $partialAccounts[$i][$pwdAttrName] = '{SASL}' . $partialAccounts[$i]['uid'];
 }
+ // set K5KEY password
+ elseif (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'K5KEY')) {
+ $partialAccounts[$i][$pwdAttrName] = pwd_hash('x', true, $this->moduleSettings['posixAccount_pwdHash'][0]);
+ }
 // set normal password
 else {
 if (($rawAccount[$ids['posixAccount_password']] != "") && (get_preg($rawAccount[$ids['posixAccount_password']], 'password'))) {