added password policies

Roland Gruber 2008-02-14 17:37:02 +00:00
parent 26bce2e179
commit e7e3b581f2
4 changed files with 110 additions and 9 deletions


@ -682,7 +682,13 @@ class inetOrgPerson extends baseModule {
$errors[] = $this->messages['userPassword'][1];
}
else {
$this->attributes['userPassword'][0] = pwd_hash($_POST['userPassword'], true, 'SSHA');
$pwdPolicyResult = checkPasswordStrength($_POST['userPassword']);
if ($pwdPolicyResult === true) {
$this->attributes['userPassword'][0] = pwd_hash($_POST['userPassword'], true, 'SSHA');
}
else {
$errors[] = array('ERROR', $pwdPolicyResult);
}
}
}
}
@ -956,7 +962,13 @@ class inetOrgPerson extends baseModule {
$messages[] = $this->messages['userPassword'][1];
}
else {
$this->attributes['userPassword'][0] = pwd_hash($_POST['userPassword'], true, 'SSHA');
$pwdPolicyResult = checkPasswordStrength($_POST['userPassword']);
if ($pwdPolicyResult === true) {
$this->attributes['userPassword'][0] = pwd_hash($_POST['userPassword'], true, 'SSHA');
}
else {
$messages[] = array('ERROR', $pwdPolicyResult);
}
}
}
return $messages;
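Review bot: The policy is enforced by repeating the same `checkPasswordStrength()` / `=== true` branch at every place that writes `userPassword` (both hunks in this file, and the same pattern in the posixAccount and posixGroup hunks), so any password-setting path this commit does not touch stays outside the policy. Whether such paths exist cannot be told from these hunks, so it is worth checking every remaining `pwd_hash(` call site against the policy. A short comment at each site, for example `// policy check must precede every write to userPassword`, or a shared helper that validates and hashes in one call, would keep later additions from skipping the check. The enclosing functions start outside the hunks.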


@ -913,8 +913,14 @@ class posixAccount extends baseModule {
$errors[] = $this->messages['userPassword'][1];
}
else {
$this->clearTextPassword = $_POST['userPassword'];
$this->attributes['userPassword'][0] = pwd_hash($_POST['userPassword'], true, $this->moduleSettings['posixAccount_pwdHash'][0]);
$pwdPolicyResult = checkPasswordStrength($_POST['userPassword']);
if ($pwdPolicyResult === true) {
$this->clearTextPassword = $_POST['userPassword'];
$this->attributes['userPassword'][0] = pwd_hash($_POST['userPassword'], true, $this->moduleSettings['posixAccount_pwdHash'][0]);
}
else {
$errors[] = array('ERROR', $pwdPolicyResult);
}
}
}
return $errors;
@ -1729,11 +1735,17 @@ class posixAccount extends baseModule {
$return['messages'][] = $this->messages['userPassword'][1];
}
else {
$return['mod']['userPassword'][0] = pwd_hash($_POST['posixAccount_password'], true, $this->selfServiceSettings['posixAccount_pwdHash'][0]);
if (isset($attributes['shadowLastChange'])) {
$return['mod']['shadowLastChange'][0] = intval(time()/3600/24);
$pwdPolicyResult = checkPasswordStrength($_POST['posixAccount_password']);
if ($pwdPolicyResult === true) {
$return['mod']['userPassword'][0] = pwd_hash($_POST['posixAccount_password'], true, $this->selfServiceSettings['posixAccount_pwdHash'][0]);
if (isset($attributes['shadowLastChange'])) {
$return['mod']['shadowLastChange'][0] = intval(time()/3600/24);
}
$_SESSION['selfService_clientPasswordNew'] = $_POST['posixAccount_password'];
}
else {
$return['messages'][] = array('ERROR', $pwdPolicyResult);
}
$_SESSION['selfService_clientPasswordNew'] = $_POST['posixAccount_password'];
}
}
}


@ -675,7 +675,13 @@ class posixGroup extends baseModule {
$errors[] = $this->messages['userPassword'][1];
}
else {
$this->attributes['userPassword'][0] = pwd_hash($_POST['userPassword'], true, $this->moduleSettings['posixAccount_pwdHash'][0]);
$pwdPolicyResult = checkPasswordStrength($_POST['userPassword']);
if ($pwdPolicyResult === true) {
$this->attributes['userPassword'][0] = pwd_hash($_POST['userPassword'], true, $this->moduleSettings['posixAccount_pwdHash'][0]);
}
else {
$errors[] = array('ERROR', $pwdPolicyResult);
}
}
return $errors;
}


@ -209,4 +209,75 @@ function checkIfPasswordChangeIsAllowed() {
return false;
}
/**
* Checks if the password fulfills the password policies.
*
* @param string $password password
* @return mixed true if ok, string with error message if not valid
*/
function checkPasswordStrength($password) {
if ($password == null) {
$password = "";
}
if (isset($_SESSION['cfgMain'])) $cfg = $_SESSION['cfgMain'];
else $cfg = new LAMCfgMain();
// check length
if (strlen($password) < $cfg->passwordMinLength) {
return sprintf(_('The password is too short. You have to enter at least %s characters.'), $cfg->passwordMinLength);
}
// get number of characers per character class
$lower = 0;
$upper = 0;
$numeric = 0;
$symbols = 0;
for ($i = 0; $i < strlen($password); $i++) {
if (ereg("[a-z]", $password[$i])) {
$lower++;
}
if (ereg("[A-Z]", $password[$i])) {
$upper++;
}
if (ereg("[0-9]", $password[$i])) {
$numeric++;
}
if (eregi("[^a-z0-9]", $password[$i])) {
$symbols++;
}
}
// check lower case
if ($lower < $cfg->passwordMinLower) {
return sprintf(_('The password is too weak. You have to enter at least %s lower case characters.'), $cfg->passwordMinLower);
}
// check upper case
if ($upper < $cfg->passwordMinUpper) {
return sprintf(_('The password is too weak. You have to enter at least %s upper case characters.'), $cfg->passwordMinUpper);
}
// check numeric
if ($numeric < $cfg->passwordMinNumeric) {
return sprintf(_('The password is too weak. You have to enter at least %s numeric characters.'), $cfg->passwordMinNumeric);
}
// check symbols
if ($symbols < $cfg->passwordMinSymbol) {
return sprintf(_('The password is too weak. You have to enter at least %s symbolic characters.'), $cfg->passwordMinSymbol);
}
// check classes
$classes = 0;
if ($lower > 0) {
$classes++;
}
if ($upper > 0) {
$classes++;
}
if ($numeric > 0) {
$classes++;
}
if ($symbols > 0) {
$classes++;
}
if ($classes < $cfg->passwordMinClasses) {
return sprintf(_('The password is too weak. You have to enter at least %s different character classes (upper/lower case, numbers and symbols).'), $cfg->passwordMinClasses);
}
return true;
}
?>
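Review bot: In `checkPasswordStrength()` the length and the character-class counts are taken per byte (`strlen($password)` and `$password[$i]`), so if the form is submitted as UTF-8 a single non-ASCII character counts as two or more characters and as that many symbols, and a shorter password than intended can satisfy `passwordMinLength` and `passwordMinSymbol`. Counting over the whole string with PCRE in UTF-8 mode would make the policy count characters, for example `$symbols = preg_match_all('/[^a-zA-Z0-9]/u', $password, $m);` and likewise for the other three classes, with the length taken from a character-aware count. A `false` result from the `/u` match (invalid UTF-8) should be treated as a rejected password rather than as zero. That change also replaces the per-character `ereg`/`eregi` calls, which later PHP versions deprecated and removed, and the docblock could then state that all minimums are counted in characters.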