support SASL as password hash

This commit is contained in:
Roland Gruber 2015-02-11 16:57:38 +00:00
parent 8ab35a11de
commit b57015ff3f
3 changed files with 70 additions and 21 deletions

View File

@ -188,9 +188,9 @@ function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
function getSupportedHashTypes() {
if (version_compare(phpversion(), '5.3.2') < 0) {
// CRYPT-SHA512 requires PHP 5.3.2 or higher
return array('CRYPT', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN');
return array('CRYPT', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN', 'SASL');
}
return array('CRYPT', 'CRYPT-SHA512', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN');
return array('CRYPT', 'CRYPT-SHA512', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN', 'SASL');
}
/**
@ -271,6 +271,10 @@ function pwd_is_lockable($password) {
if (($password == null) || (strlen($password) < 5)) {
return false;
}
// SASL is not lockable
if (strpos($password, '{SASL}') === 0) {
return false;
}
return ((substr($password, 0, 1) == "{") || (substr($password, 1, 1) == "{")) && (strpos($password, "}") > 3);
}

View File

@ -1163,6 +1163,12 @@ class inetOrgPerson extends baseModule implements passwordService {
if (isset($_POST['removePassword'])) {
unset($this->attributes['userPassword']);
}
// set SASL password for new and renamed users
if (!empty($this->attributes['uid'][0]) && !empty($this->moduleSettings['posixAccount_pwdHash'][0])
&& ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')
&& ($this->getAccountContainer()->isNewAccount || ($this->attributes['uid'][0] != $this->orig['uid'][0]))) {
$this->attributes['userPassword'][0] = '{SASL}' . $this->attributes['uid'][0];
}
}
}
@ -2387,15 +2393,22 @@ class inetOrgPerson extends baseModule implements passwordService {
}
}
// password
if (($rawAccounts[$i][$ids['inetOrgPerson_userPassword']] != "") && (get_preg($rawAccounts[$i][$ids['inetOrgPerson_userPassword']], 'password'))) {
$partialAccounts[$i]['userPassword'] = pwd_hash($rawAccounts[$i][$ids['inetOrgPerson_userPassword']], true, $this->moduleSettings['posixAccount_pwdHash'][0]);
$partialAccounts[$i]['INFO.userPasswordClearText'] = $rawAccounts[$i][$ids['inetOrgPerson_userPassword']]; // for custom scripts etc.
// set SASL password
if (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
$partialAccounts[$i]['userPassword'] = '{SASL}' . $partialAccounts[$i]['uid'];
}
elseif ($rawAccounts[$i][$ids['inetOrgPerson_userPassword']] != "") {
$errMsg = $this->messages['userPassword'][0];
$errMsg[2] = str_replace('%', '%%', $errMsg[2]); // double "%" because of later sprintf
array_push($errMsg, array($i));
$errors[] = $errMsg;
// set normal password
else {
if (($rawAccounts[$i][$ids['inetOrgPerson_userPassword']] != "") && (get_preg($rawAccounts[$i][$ids['inetOrgPerson_userPassword']], 'password'))) {
$partialAccounts[$i]['userPassword'] = pwd_hash($rawAccounts[$i][$ids['inetOrgPerson_userPassword']], true, $this->moduleSettings['posixAccount_pwdHash'][0]);
$partialAccounts[$i]['INFO.userPasswordClearText'] = $rawAccounts[$i][$ids['inetOrgPerson_userPassword']]; // for custom scripts etc.
}
elseif ($rawAccounts[$i][$ids['inetOrgPerson_userPassword']] != "") {
$errMsg = $this->messages['userPassword'][0];
$errMsg[2] = str_replace('%', '%%', $errMsg[2]); // double "%" because of later sprintf
array_push($errMsg, array($i));
$errors[] = $errMsg;
}
}
}
}
@ -3513,7 +3526,15 @@ class inetOrgPerson extends baseModule implements passwordService {
}
// set new password
$this->clearTextPassword = $password;
$this->attributes['userPassword'][0] = pwd_hash($password, true, $this->moduleSettings['posixAccount_pwdHash'][0]);
// set SASL password
if (!empty($this->attributes['uid'][0]) && !empty($this->moduleSettings['posixAccount_pwdHash'][0])
&& ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
$this->attributes['userPassword'][0] = '{SASL}' . $this->attributes['uid'][0];
}
// set normal password
else {
$this->attributes['userPassword'][0] = pwd_hash($password, true, $this->moduleSettings['posixAccount_pwdHash'][0]);
}
return array();
}

View File

@ -666,11 +666,12 @@ class posixAccount extends baseModule implements passwordService {
* <br>"info" are values with informational value (e.g. to be used later by pre/postModify actions)
*/
function save_attributes() {
$return = $this->getAccountContainer()->save_module_attributes($this->attributes, $this->orig);
if (!in_array('posixAccount', $this->attributes['objectClass']) && !in_array('posixAccount', $this->orig['objectClass'])) {
// skip saving if the extension was not added/modified
return array();
}
// get default changes
$return = $this->getAccountContainer()->save_module_attributes($this->attributes, $this->orig);
// add information about clear text password and password status change
$return[$this->getAccountContainer()->dn_orig]['info']['userPasswordClearText'][0] = $this->clearTextPassword;
$pwdAttrName = $this->getPasswordAttrName();
@ -1226,6 +1227,14 @@ class posixAccount extends baseModule implements passwordService {
}
}
}
if ($this->get_scope() == 'user') {
// set SASL password for new and renamed users
if (!empty($this->attributes['uid'][0]) && !empty($this->moduleSettings['posixAccount_pwdHash'][0])
&& ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')
&& ($this->getAccountContainer()->isNewAccount || ($this->attributes['uid'][0] != $this->orig['uid'][0]))) {
$this->attributes[$this->getPasswordAttrName()][0] = '{SASL}' . $this->attributes['uid'][0];
}
}
// Return error-messages
return $errors;
}
@ -2146,15 +2155,22 @@ class posixAccount extends baseModule implements passwordService {
$errors[] = $errMsg;
}
// password
if (($rawAccount[$ids['posixAccount_password']] != "") && (get_preg($rawAccount[$ids['posixAccount_password']], 'password'))) {
$partialAccounts[$i][$pwdAttrName] = pwd_hash($rawAccount[$ids['posixAccount_password']], $pwd_enabled, $this->moduleSettings['posixAccount_pwdHash'][0]);
$partialAccounts[$i]['INFO.userPasswordClearText'] = $rawAccount[$ids['posixAccount_password']]; // for custom scripts etc.
// set SASL passwords
if (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
$partialAccounts[$i][$pwdAttrName] = '{SASL}' . $partialAccounts[$i]['uid'];
}
elseif ($rawAccount[$ids['posixAccount_password']] != "") {
$errMsg = $this->messages['userPassword'][4];
$errMsg[2] = str_replace('%', '%%', $errMsg[2]); // double "%" because of later sprintf
array_push($errMsg, array($i));
$errors[] = $errMsg;
// set normal password
else {
if (($rawAccount[$ids['posixAccount_password']] != "") && (get_preg($rawAccount[$ids['posixAccount_password']], 'password'))) {
$partialAccounts[$i][$pwdAttrName] = pwd_hash($rawAccount[$ids['posixAccount_password']], $pwd_enabled, $this->moduleSettings['posixAccount_pwdHash'][0]);
$partialAccounts[$i]['INFO.userPasswordClearText'] = $rawAccount[$ids['posixAccount_password']]; // for custom scripts etc.
}
elseif ($rawAccount[$ids['posixAccount_password']] != "") {
$errMsg = $this->messages['userPassword'][4];
$errMsg[2] = str_replace('%', '%%', $errMsg[2]); // double "%" because of later sprintf
array_push($errMsg, array($i));
$errors[] = $errMsg;
}
}
// cn
if ($this->manageCn()) {
@ -2705,7 +2721,15 @@ class posixAccount extends baseModule implements passwordService {
}
// set new password
$this->clearTextPassword = $password;
$this->attributes[$this->getPasswordAttrName()][0] = pwd_hash($password, true, $this->moduleSettings['posixAccount_pwdHash'][0]);
// set SASL password
if (!empty($this->attributes['uid'][0]) && !empty($this->moduleSettings['posixAccount_pwdHash'][0])
&& ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
$this->attributes[$this->getPasswordAttrName()][0] = '{SASL}' . $this->attributes['uid'][0];
}
// set normal password
else {
$this->attributes[$this->getPasswordAttrName()][0] = pwd_hash($password, true, $this->moduleSettings['posixAccount_pwdHash'][0]);
}
return array();
}