support SASL as password hash

This commit is contained in:
Roland Gruber 2015-02-11 16:57:38 +00:00
parent 8ab35a11de
commit b57015ff3f
3 changed files with 70 additions and 21 deletions


@ -188,9 +188,9 @@ function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
function getSupportedHashTypes() { function getSupportedHashTypes() {
if (version_compare(phpversion(), '5.3.2') < 0) { if (version_compare(phpversion(), '5.3.2') < 0) {
// CRYPT-SHA512 requires PHP 5.3.2 or higher // CRYPT-SHA512 requires PHP 5.3.2 or higher
return array('CRYPT', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN'); return array('CRYPT', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN', 'SASL');
} }
return array('CRYPT', 'CRYPT-SHA512', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN'); return array('CRYPT', 'CRYPT-SHA512', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN', 'SASL');
} }
/** /**
@ -271,6 +271,10 @@ function pwd_is_lockable($password) {
if (($password == null) || (strlen($password) < 5)) { if (($password == null) || (strlen($password) < 5)) {
return false; return false;
} }
// SASL is not lockable
if (strpos($password, '{SASL}') === 0) {
return false;
}
return ((substr($password, 0, 1) == "{") || (substr($password, 1, 1) == "{")) && (strpos($password, "}") > 3); return ((substr($password, 0, 1) == "{") || (substr($password, 1, 1) == "{")) && (strpos($password, "}") > 3);
} }
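Review bot: The new `{SASL}` guard in pwd_is_lockable is case-sensitive (`strpos($password, '{SASL}') === 0`), while the generic scheme test on the following line accepts any `{...}` prefix, so a value written by another tool with a lower-case scheme (constructed example: `{sasl}jdoe`) would be reported as lockable and receive the lock prefix even though, as far as I know, directory servers match scheme names case-insensitively. Consider `if (strncasecmp($password, '{SASL}', 6) === 0) {` so the check follows the server's interpretation. Returning false here also means the lock/unlock actions silently do nothing for SASL accounts; the callers of pwd_is_lockable are outside this diff, but they should surface "not lockable" rather than offer a no-op. Adding 'SASL' to getSupportedHashTypes means pwd_hash, whose signature heads this section but whose body is not shown, can now receive `'SASL'` from any caller that does not special-case it first; it is worth confirming that it does not quietly fall back to another scheme in that case.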


@ -1163,6 +1163,12 @@ class inetOrgPerson extends baseModule implements passwordService {
if (isset($_POST['removePassword'])) { if (isset($_POST['removePassword'])) {
unset($this->attributes['userPassword']); unset($this->attributes['userPassword']);
} }
// set SASL password for new and renamed users
if (!empty($this->attributes['uid'][0]) && !empty($this->moduleSettings['posixAccount_pwdHash'][0])
&& ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')
&& ($this->getAccountContainer()->isNewAccount || ($this->attributes['uid'][0] != $this->orig['uid'][0]))) {
$this->attributes['userPassword'][0] = '{SASL}' . $this->attributes['uid'][0];
}
} }
} }
@ -2387,15 +2393,22 @@ class inetOrgPerson extends baseModule implements passwordService {
} }
} }
// password // password
if (($rawAccounts[$i][$ids['inetOrgPerson_userPassword']] != "") && (get_preg($rawAccounts[$i][$ids['inetOrgPerson_userPassword']], 'password'))) { // set SASL password
$partialAccounts[$i]['userPassword'] = pwd_hash($rawAccounts[$i][$ids['inetOrgPerson_userPassword']], true, $this->moduleSettings['posixAccount_pwdHash'][0]); if (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
$partialAccounts[$i]['INFO.userPasswordClearText'] = $rawAccounts[$i][$ids['inetOrgPerson_userPassword']]; // for custom scripts etc. $partialAccounts[$i]['userPassword'] = '{SASL}' . $partialAccounts[$i]['uid'];
} }
elseif ($rawAccounts[$i][$ids['inetOrgPerson_userPassword']] != "") { // set normal password
$errMsg = $this->messages['userPassword'][0]; else {
$errMsg[2] = str_replace('%', '%%', $errMsg[2]); // double "%" because of later sprintf if (($rawAccounts[$i][$ids['inetOrgPerson_userPassword']] != "") && (get_preg($rawAccounts[$i][$ids['inetOrgPerson_userPassword']], 'password'))) {
array_push($errMsg, array($i)); $partialAccounts[$i]['userPassword'] = pwd_hash($rawAccounts[$i][$ids['inetOrgPerson_userPassword']], true, $this->moduleSettings['posixAccount_pwdHash'][0]);
$errors[] = $errMsg; $partialAccounts[$i]['INFO.userPasswordClearText'] = $rawAccounts[$i][$ids['inetOrgPerson_userPassword']]; // for custom scripts etc.
}
elseif ($rawAccounts[$i][$ids['inetOrgPerson_userPassword']] != "") {
$errMsg = $this->messages['userPassword'][0];
$errMsg[2] = str_replace('%', '%%', $errMsg[2]); // double "%" because of later sprintf
array_push($errMsg, array($i));
$errors[] = $errMsg;
}
} }
} }
} }
@ -3513,7 +3526,15 @@ class inetOrgPerson extends baseModule implements passwordService {
} }
// set new password // set new password
$this->clearTextPassword = $password; $this->clearTextPassword = $password;
$this->attributes['userPassword'][0] = pwd_hash($password, true, $this->moduleSettings['posixAccount_pwdHash'][0]); // set SASL password
if (!empty($this->attributes['uid'][0]) && !empty($this->moduleSettings['posixAccount_pwdHash'][0])
&& ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
$this->attributes['userPassword'][0] = '{SASL}' . $this->attributes['uid'][0];
}
// set normal password
else {
$this->attributes['userPassword'][0] = pwd_hash($password, true, $this->moduleSettings['posixAccount_pwdHash'][0]);
}
return array(); return array();
} }
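Review bot: In the upload hunk (`@ -2387`), when posixAccount_pwdHash is 'SASL' the `inetOrgPerson_userPassword` column is discarded without any message, whereas the non-SASL branch still validates it and reports invalid values, so an administrator who filled that column gets no hint that those passwords were never applied. A warning appended to `$errors` when the column is non-empty in SASL mode, placed before `$partialAccounts[$i]['userPassword'] = '{SASL}' . $partialAccounts[$i]['uid'];`, would make this explicit; the posixAccount upload hunk has the same gap. That line also relies on `$partialAccounts[$i]['uid']` having been filled in earlier in the function (outside the hunk); if it has not, the stored value degenerates to a bare `{SASL}`, so the `!empty(...)` guard the other hunks use on the uid would be consistent here too. The `'{SASL}' . uid` construction now appears in six places across the two modules; a small helper beside pwd_hash (for example `function pwd_sasl_value($uid)`) would keep the format in one place, which matters because the server treats text after `@` in this value as a SASL realm, so the existing uid validation is what keeps the value well-formed.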


@ -666,11 +666,12 @@ class posixAccount extends baseModule implements passwordService {
* <br>"info" are values with informational value (e.g. to be used later by pre/postModify actions) * <br>"info" are values with informational value (e.g. to be used later by pre/postModify actions)
*/ */
function save_attributes() { function save_attributes() {
$return = $this->getAccountContainer()->save_module_attributes($this->attributes, $this->orig);
if (!in_array('posixAccount', $this->attributes['objectClass']) && !in_array('posixAccount', $this->orig['objectClass'])) { if (!in_array('posixAccount', $this->attributes['objectClass']) && !in_array('posixAccount', $this->orig['objectClass'])) {
// skip saving if the extension was not added/modified // skip saving if the extension was not added/modified
return array(); return array();
} }
// get default changes
$return = $this->getAccountContainer()->save_module_attributes($this->attributes, $this->orig);
// add information about clear text password and password status change // add information about clear text password and password status change
$return[$this->getAccountContainer()->dn_orig]['info']['userPasswordClearText'][0] = $this->clearTextPassword; $return[$this->getAccountContainer()->dn_orig]['info']['userPasswordClearText'][0] = $this->clearTextPassword;
$pwdAttrName = $this->getPasswordAttrName(); $pwdAttrName = $this->getPasswordAttrName();
@ -1226,6 +1227,14 @@ class posixAccount extends baseModule implements passwordService {
} }
} }
} }
if ($this->get_scope() == 'user') {
// set SASL password for new and renamed users
if (!empty($this->attributes['uid'][0]) && !empty($this->moduleSettings['posixAccount_pwdHash'][0])
&& ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')
&& ($this->getAccountContainer()->isNewAccount || ($this->attributes['uid'][0] != $this->orig['uid'][0]))) {
$this->attributes[$this->getPasswordAttrName()][0] = '{SASL}' . $this->attributes['uid'][0];
}
}
// Return error-messages // Return error-messages
return $errors; return $errors;
} }
@ -2146,15 +2155,22 @@ class posixAccount extends baseModule implements passwordService {
$errors[] = $errMsg; $errors[] = $errMsg;
} }
// password // password
if (($rawAccount[$ids['posixAccount_password']] != "") && (get_preg($rawAccount[$ids['posixAccount_password']], 'password'))) { // set SASL passwords
$partialAccounts[$i][$pwdAttrName] = pwd_hash($rawAccount[$ids['posixAccount_password']], $pwd_enabled, $this->moduleSettings['posixAccount_pwdHash'][0]); if (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
$partialAccounts[$i]['INFO.userPasswordClearText'] = $rawAccount[$ids['posixAccount_password']]; // for custom scripts etc. $partialAccounts[$i][$pwdAttrName] = '{SASL}' . $partialAccounts[$i]['uid'];
} }
elseif ($rawAccount[$ids['posixAccount_password']] != "") { // set normal password
$errMsg = $this->messages['userPassword'][4]; else {
$errMsg[2] = str_replace('%', '%%', $errMsg[2]); // double "%" because of later sprintf if (($rawAccount[$ids['posixAccount_password']] != "") && (get_preg($rawAccount[$ids['posixAccount_password']], 'password'))) {
array_push($errMsg, array($i)); $partialAccounts[$i][$pwdAttrName] = pwd_hash($rawAccount[$ids['posixAccount_password']], $pwd_enabled, $this->moduleSettings['posixAccount_pwdHash'][0]);
$errors[] = $errMsg; $partialAccounts[$i]['INFO.userPasswordClearText'] = $rawAccount[$ids['posixAccount_password']]; // for custom scripts etc.
}
elseif ($rawAccount[$ids['posixAccount_password']] != "") {
$errMsg = $this->messages['userPassword'][4];
$errMsg[2] = str_replace('%', '%%', $errMsg[2]); // double "%" because of later sprintf
array_push($errMsg, array($i));
$errors[] = $errMsg;
}
} }
// cn // cn
if ($this->manageCn()) { if ($this->manageCn()) {
@ -2705,7 +2721,15 @@ class posixAccount extends baseModule implements passwordService {
} }
// set new password // set new password
$this->clearTextPassword = $password; $this->clearTextPassword = $password;
$this->attributes[$this->getPasswordAttrName()][0] = pwd_hash($password, true, $this->moduleSettings['posixAccount_pwdHash'][0]); // set SASL password
if (!empty($this->attributes['uid'][0]) && !empty($this->moduleSettings['posixAccount_pwdHash'][0])
&& ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
$this->attributes[$this->getPasswordAttrName()][0] = '{SASL}' . $this->attributes['uid'][0];
}
// set normal password
else {
$this->attributes[$this->getPasswordAttrName()][0] = pwd_hash($password, true, $this->moduleSettings['posixAccount_pwdHash'][0]);
}
return array(); return array();
} }
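Review bot: In the upload hunk (`@ -2146`), the SASL branch ignores `$pwd_enabled`, which the non-SASL branch still passes to pwd_hash; an account uploaded with its password marked disabled is therefore created with a live `{SASL}` pass-through, the opposite of what the administrator requested. Since pwd_is_lockable returns false for SASL values, this branch should refuse or at least warn instead of silently enabling, e.g. `if (!$pwd_enabled) { $errors[] = <message array, defined outside this hunk>; }` before the assignment. The same branch also drops the `posixAccount_password` column without feedback and assumes `$partialAccounts[$i]['uid']` was set earlier in the (unshown) function. The process_attributes hunk (`@ -1226`) limits the SASL assignment to scope 'user' while the inetOrgPerson counterpart has no such guard; if the intent is identical, a shared helper would keep the two modules from drifting apart.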