hashed password
This commit is contained in:
parent
6260184600
commit
b23002ad67
@ -1,3 +1,9 @@
|
||||||
|
??? 2.2.0
|
||||||
|
- allow to switch sorting in the account lists
|
||||||
|
- use suffix from account list as default for new accounts (patch 1823583)
|
||||||
|
- Security: passwords in configuration files are now saved as hash values
|
||||||
|
|
||||||
|
|
||||||
07.11.2007 2.1.0
|
07.11.2007 2.1.0
|
||||||
- tabular design for account pages
|
- tabular design for account pages
|
||||||
- show DN on account pages
|
- show DN on account pages
|
||||||
|
|
|
@ -1,5 +1,5 @@
|
||||||
# password to add/delete/rename configuration profiles
|
# password to add/delete/rename configuration profiles (default: lam)
|
||||||
password: lam
|
password: {SSHA}D6AaX93kPmck9wAxNlq3GF93S7A= R7gkjQ==
|
||||||
|
|
||||||
# default profile, without ".conf"
|
# default profile, without ".conf"
|
||||||
default: lam
|
default: lam
|
||||||
|
|
|
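Review bot: The sample profile still ships with the well-known default password (`lam`, now stated in the comment right above the hash), so the `{SSHA}` value on the `password:` line protects nothing until the installer changes it; the same applies to the `passwd:` line in the `@ -8,8 +8,8 @@` hunk. The layout `{SSHA}<base64 hash> <base64 salt>` is LAM's own and is not an LDAP `userPassword` SSHA value, which a reader of a sample file may otherwise assume. I would make both comments say so, e.g. `# password to add/delete/rename configuration profiles (default: lam, change it after installation; stored as a hash, not as plain text)`.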
@ -8,8 +8,8 @@ serverURL: ldap://localhost:389
|
||||||
# e.g. admins: cn=admin,dc=yourdomain,dc=org;cn=root,dc=yourdomain,dc=org
|
# e.g. admins: cn=admin,dc=yourdomain,dc=org;cn=root,dc=yourdomain,dc=org
|
||||||
admins: cn=Manager,dc=my-domain,dc=com
|
admins: cn=Manager,dc=my-domain,dc=com
|
||||||
|
|
||||||
# password to change these preferences via webfrontend
|
# password to change these preferences via webfrontend (default: lam)
|
||||||
passwd: lam
|
passwd: {SSHA}RjBruJcTxZEdcBjPQdRBkDaSQeY= iueleA==
|
||||||
|
|
||||||
# suffix of tree view
|
# suffix of tree view
|
||||||
# e.g. dc=yourdomain,dc=org
|
# e.g. dc=yourdomain,dc=org
|
||||||
|
|
|
@ -467,12 +467,23 @@ class LAMConfig {
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns the password to access the preferences wizard
|
* Checks if the given password matches.
|
||||||
*
|
*
|
||||||
* @return string the password
|
* @param String $password
|
||||||
|
* @return boolean true, if matches
|
||||||
*/
|
*/
|
||||||
public function get_Passwd() {
|
public function check_Passwd($password) {
|
||||||
return $this->Passwd;
|
if (substr($this->Passwd, 0, 6) == "{SSHA}") {
|
||||||
|
// check hashed password
|
||||||
|
$value = substr($this->Passwd, 6);
|
||||||
|
$parts = explode(" ", $value);
|
||||||
|
$salt = base64_decode($parts[1]);
|
||||||
|
return ($this->hashPassword($password, $salt) === $this->Passwd);
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
// old nonhashed password
|
||||||
|
return ($password === $this->Passwd);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
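Review bot: `check_Passwd` indexes `$parts[1]` without checking that the stored value actually contains the space separator, so a `{SSHA}` value that was hand-edited or truncated raises an undefined-offset notice (and, on newer PHP, a deprecation for the null handed to `base64_decode`) instead of cleanly returning false; the decode is also non-strict, so a corrupted salt is silently accepted. I would replace the two lines with `$parts = explode(" ", $value, 2);` and `if (count($parts) !== 2 || ($salt = base64_decode($parts[1], true)) === false) return false;`. The `else` branch keeps accepting unhashed stored values, which is reasonable for existing profiles, but deserves a comment marking it as a compatibility path, e.g. `// compatibility: profiles written before passwords were hashed still hold the plain value`.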
@ -482,10 +493,29 @@ class LAMConfig {
|
||||||
* @return boolean true if $value has correct format
|
* @return boolean true if $value has correct format
|
||||||
*/
|
*/
|
||||||
public function set_Passwd($value) {
|
public function set_Passwd($value) {
|
||||||
if (is_string($value)) $this->Passwd = $value;
|
if (is_string($value)) {
|
||||||
else return false;
|
mt_srand((microtime() * 1000000));
|
||||||
|
$rand = mt_rand();
|
||||||
|
$salt0 = substr(pack("h*", md5($rand)), 0, 8);
|
||||||
|
$salt = substr(pack("H*", sha1($salt0 . $value)), 0, 4);
|
||||||
|
$this->Passwd = $this->hashPassword($value, $salt);
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
else {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns the hashed password.
|
||||||
|
*
|
||||||
|
* @param String $password password
|
||||||
|
* @param String $salt salt
|
||||||
|
* @return String hash value
|
||||||
|
*/
|
||||||
|
private function hashPassword($password, $salt) {
|
||||||
|
return "{SSHA}" . base64_encode(hex2bin(sha1($password . $salt))) . " " . base64_encode($salt);
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Returns the LDAP suffix for the given account type
|
* Returns the LDAP suffix for the given account type
|
||||||
|
|
|
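Review bot: The salt in `set_Passwd` comes from `mt_rand()` after reseeding with `microtime()`, which is neither a cryptographic source nor unpredictable (the seed is the request time), the `microtime()` string is not a clean numeric value so the multiplication emits a notice or warning on PHP 7 and later, and the derived salt is only four bytes. If the target PHP version has it, `$salt = random_bytes(4);` replaces the four lines from `mt_srand` to `$salt =` (`openssl_random_pseudo_bytes(4)` on older releases). In `hashPassword`, `hex2bin()` is used while `set_Passwd` converts the same kind of hex digest with `pack("H*", ...)`; unless the project ships its own `hex2bin`, that builtin only exists from PHP 5.4, so `pack("H*", sha1($password . $salt))` is the consistent choice. A single SHA-1 round is a fast hash; for an admin password, `password_hash()`/`password_verify()` would be the stronger option if the storage format is allowed to change. The `hashPassword` docblock should also state that the layout is LAM-specific, e.g. `* Format: "{SSHA}" . base64(sha1(password . salt)) . " " . base64(salt) - this is not the LDAP SSHA encoding`.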
@ -45,11 +45,10 @@ setlanguage();
|
||||||
|
|
||||||
// get password
|
// get password
|
||||||
if (isset($_POST['passwd'])) $passwd = $_POST['passwd'];
|
if (isset($_POST['passwd'])) $passwd = $_POST['passwd'];
|
||||||
if (isset($_GET["modulesback"]) || isset($_GET["typesback"])) $passwd = $_SESSION['conf_config']->get_Passwd();
|
|
||||||
|
|
||||||
// check if password was entered
|
// check if password was entered
|
||||||
// if not: load login page
|
// if not: load login page
|
||||||
if (! $passwd) {
|
if (!$passwd && !isset($_SESSION['conf_isAuthenticated'])) {
|
||||||
$_SESSION['conf_message'] = _("No password was entered!");
|
$_SESSION['conf_message'] = _("No password was entered!");
|
||||||
/** go back to login if password is empty */
|
/** go back to login if password is empty */
|
||||||
require('conflogin.php');
|
require('conflogin.php');
|
||||||
|
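Review bot: `$passwd` is only assigned when `$_POST['passwd']` is set, and the `$_GET` fallback that used to assign it is removed, so the new condition `if (!$passwd && !isset($_SESSION['conf_isAuthenticated']))` reads an undefined variable on a request that carries neither (a notice, and `$passwd` then reaches `check_Passwd` undefined in the `@ -63,7 +62,7 @@` hunk); the hunk starts after `setlanguage();`, so an earlier initialisation outside it is possible but not visible. I would initialise it explicitly, `$passwd = (isset($_POST['passwd']) && is_string($_POST['passwd'])) ? $_POST['passwd'] : '';`, in place of the `if (isset(...))` line. The `is_string()` part matters because a non-string form value would otherwise reach `substr`/`sha1` inside `check_Passwd` and emit warnings rather than simply failing the check.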
@ -63,7 +62,7 @@ $conf = &$_SESSION['conf_config'];
|
||||||
|
|
||||||
// check if password is valid
|
// check if password is valid
|
||||||
// if not: load login page
|
// if not: load login page
|
||||||
if (!(($conf->get_Passwd()) == $passwd)) {
|
if (!$conf->check_Passwd($passwd) && !($_SESSION['conf_isAuthenticated'] === $conf->file)) {
|
||||||
$sessionKeys = array_keys($_SESSION);
|
$sessionKeys = array_keys($_SESSION);
|
||||||
for ($i = 0; $i < sizeof($sessionKeys); $i++) {
|
for ($i = 0; $i < sizeof($sessionKeys); $i++) {
|
||||||
if (substr($sessionKeys[$i], 0, 5) == "conf_") unset($_SESSION[$sessionKeys[$i]]);
|
if (substr($sessionKeys[$i], 0, 5) == "conf_") unset($_SESSION[$sessionKeys[$i]]);
|
||||||
|
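Review bot: The new condition reads `$_SESSION['conf_isAuthenticated']` without `isset()`, so on a fresh session with a wrong password the right-hand side raises an undefined-index notice before the login page is shown (`check_Passwd` is evaluated first and only short-circuits when it succeeds). `!(isset($_SESSION['conf_isAuthenticated']) && $_SESSION['conf_isAuthenticated'] === $conf->file)` avoids it. Note that once the flag is set it bypasses `check_Passwd` entirely, which is the intended login-once behaviour but makes the session flag the credential; see the `@ -73,6 +72,7 @@` hunk where it is set.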
@ -73,6 +72,7 @@ if (!(($conf->get_Passwd()) == $passwd)) {
|
||||||
require('conflogin.php');
|
require('conflogin.php');
|
||||||
exit;
|
exit;
|
||||||
}
|
}
|
||||||
|
$_SESSION['conf_isAuthenticated'] = $conf->file;
|
||||||
|
|
||||||
// check if button was pressed and if we have to save the setting or go back to login
|
// check if button was pressed and if we have to save the setting or go back to login
|
||||||
if (isset($_POST['back']) || isset($_POST['submitconf']) || isset($_POST['editmodules']) || isset($_POST['edittypes'])){
|
if (isset($_POST['back']) || isset($_POST['submitconf']) || isset($_POST['editmodules']) || isset($_POST['edittypes'])){
|
||||||
|
|
|
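Review bot: `$_SESSION['conf_isAuthenticated'] = $conf->file;` turns the session into the credential for all later requests, but the session id is not regenerated at this point, so a session id that existed before the password was checked stays valid afterwards. Calling `session_regenerate_id(true);` immediately before this assignment, at least when the flag was not already set, is the usual mitigation. Where the flag is cleared on logout or on switching profiles is outside the hunk; the failed-check path in the `@ -63,7 +62,7 @@` hunk does unset the `conf_` keys, which covers that case.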
@ -79,7 +79,7 @@ if ($_POST['submit']) {
|
||||||
if ($file) {
|
if ($file) {
|
||||||
// load as config and write new password
|
// load as config and write new password
|
||||||
$conf = new LAMConfig($_POST['addprofile']);
|
$conf = new LAMConfig($_POST['addprofile']);
|
||||||
$conf->Passwd = $_POST['addpassword'];
|
$conf->set_Passwd($_POST['addpassword']);
|
||||||
$conf->save();
|
$conf->save();
|
||||||
$msg = _("Created new profile.");
|
$msg = _("Created new profile.");
|
||||||
}
|
}
|
||||||
|
|
|
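Review bot: The return value of `$conf->set_Passwd($_POST['addpassword'])` is ignored, so if it returns false (non-string input) the profile is still saved with whatever value the freshly loaded config already holds and the user still sees `Created new profile.`; an empty string is also accepted and hashed as a valid password. I would guard the save, e.g. `if (!is_string($_POST['addpassword']) || $_POST['addpassword'] === '' || !$conf->set_Passwd($_POST['addpassword'])) { /* report the error instead of saving */ }`, which may fit better with the validation that sets `$file` above the hunk. Whether the password is already validated earlier in the file is not visible here.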
@ -39,7 +39,6 @@ echo ("<br><br><big><b> Starting Test...</b></big><br><br>");
|
||||||
echo ("Loading preferences...");
|
echo ("Loading preferences...");
|
||||||
$ServerURL = $conf->get_ServerURL();
|
$ServerURL = $conf->get_ServerURL();
|
||||||
$cachetimeout = $conf->get_cacheTimeout();
|
$cachetimeout = $conf->get_cacheTimeout();
|
||||||
$Passwd = $conf->get_Passwd();
|
|
||||||
$Adminstring = $conf->get_Adminstring();
|
$Adminstring = $conf->get_Adminstring();
|
||||||
$Suff_users = $conf->get_Suffix('user');
|
$Suff_users = $conf->get_Suffix('user');
|
||||||
$Suff_groups = $conf->get_Suffix('group');
|
$Suff_groups = $conf->get_Suffix('group');
|
||||||
|
@ -81,7 +80,7 @@ echo ("Loading and comparing...");
|
||||||
$conf2 = new LAMConfig('test');
|
$conf2 = new LAMConfig('test');
|
||||||
if ($conf2->get_ServerURL() != "ldap://123.345.678.123:777") echo ("<br><font color=\"#FF0000\">Saving ServerURL failed!</font><br>");
|
if ($conf2->get_ServerURL() != "ldap://123.345.678.123:777") echo ("<br><font color=\"#FF0000\">Saving ServerURL failed!</font><br>");
|
||||||
if ($conf2->get_cacheTimeout() != "33") echo ("<br><font color=\"#FF0000\">Saving Cache timeout failed!</font><br>");
|
if ($conf2->get_cacheTimeout() != "33") echo ("<br><font color=\"#FF0000\">Saving Cache timeout failed!</font><br>");
|
||||||
if ($conf2->get_Passwd() != "123456abcde") echo ("<br><font color=\"#FF0000\">Saving password failed!</font><br>");
|
if (!$conf2->check_Passwd("123456abcde")) echo ("<br><font color=\"#FF0000\">Saving password failed!</font><br>");
|
||||||
if ($conf2->get_Adminstring() != "uid=test,o=test,dc=org;uid=root,o=test2,c=de") echo ("<br><font color=\"#FF0000\">Saving admin string failed!</font><br>");
|
if ($conf2->get_Adminstring() != "uid=test,o=test,dc=org;uid=root,o=test2,c=de") echo ("<br><font color=\"#FF0000\">Saving admin string failed!</font><br>");
|
||||||
if ($conf2->get_Suffix('user') != "ou=test,o=test,c=de") echo ("<br><font color=\"#FF0000\">Saving user suffix failed!</font><br>");
|
if ($conf2->get_Suffix('user') != "ou=test,o=test,c=de") echo ("<br><font color=\"#FF0000\">Saving user suffix failed!</font><br>");
|
||||||
if ($conf2->get_Suffix('group') != "ou=testgrp,o=test,c=de") echo ("<br><font color=\"#FF0000\">Saving group suffix failed!</font><br>");
|
if ($conf2->get_Suffix('group') != "ou=testgrp,o=test,c=de") echo ("<br><font color=\"#FF0000\">Saving group suffix failed!</font><br>");
|
||||||
|
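Review bot: `check_Passwd` also accepts a plain-text stored value (its non-`{SSHA}` branch in the `@ -467,12 +467,23 @@` hunk), so this assertion passes even if `set_Passwd` regressed to storing the password unhashed; the test no longer distinguishes the two cases. I would add a negative check next to it, `if ($conf2->check_Passwd("wrong-password")) echo ("<br><font color=\"#FF0000\">Wrong password accepted!</font><br>");`, and, if the raw stored value can be read in the test, assert that it starts with `{SSHA}`.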
@ -102,7 +101,7 @@ echo ("done<br>");
|
||||||
echo ("Restoring old preferences...");
|
echo ("Restoring old preferences...");
|
||||||
$conf2->set_ServerURL($ServerURL);
|
$conf2->set_ServerURL($ServerURL);
|
||||||
$conf2->set_cacheTimeout($cachetimeout);
|
$conf2->set_cacheTimeout($cachetimeout);
|
||||||
$conf2->set_Passwd($Passwd);
|
$conf2->set_Passwd('lam');
|
||||||
$conf2->set_Adminstring($Adminstring);
|
$conf2->set_Adminstring($Adminstring);
|
||||||
$conf2->set_Suffix('user', $Suff_users);
|
$conf2->set_Suffix('user', $Suff_users);
|
||||||
$conf2->set_Suffix('group', $Suff_groups);
|
$conf2->set_Suffix('group', $Suff_groups);
|
||||||
|
|
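Review bot: Restoring the old preferences now sets the password to the literal `'lam'` instead of the value read before the test (the `$Passwd = $conf->get_Passwd();` line removed in the `@ -39,7 +39,6 @@` hunk), so running this test against a profile with a custom password silently resets that password to the default. Since the hash can no longer be read back through the API, the restore step should preserve the stored value as a whole, for instance by copying the profile's configuration file before the test and putting it back afterwards, rather than re-setting a known password. If the test is only ever meant to run against a throw-away `test` profile, a comment on the `set_Passwd('lam')` line would at least make the reset deliberate, e.g. `// the original hash cannot be restored via the API; the 'test' profile is reset to the default password`.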