commit | author | age
|
5fec6d
|
1 |
<?php |
T |
2 |
|
|
3 |
/** |
|
4 |
* LDAP Password Driver |
|
5 |
* |
|
6 |
* Driver for passwords stored in LDAP |
|
7 |
* This driver use the PEAR Net_LDAP2 class (http://pear.php.net/package/Net_LDAP2). |
|
8 |
* |
|
9 |
* @version 1.1 (2010-04-07) |
|
10 |
* @author Edouard MOREAU <edouard.moreau@ensma.fr> |
|
11 |
* |
|
12 |
* function hashPassword based on code from the phpLDAPadmin development team (http://phpldapadmin.sourceforge.net/). |
|
13 |
* function randomSalt based on code from the phpLDAPadmin development team (http://phpldapadmin.sourceforge.net/). |
|
14 |
* |
|
15 |
*/ |
|
16 |
|
|
17 |
function password_save($curpass, $passwd) |
|
18 |
{ |
|
19 |
$rcmail = rcmail::get_instance(); |
|
20 |
require_once ('Net/LDAP2.php'); |
db1a87
|
21 |
|
5fec6d
|
22 |
// Building user DN |
T |
23 |
if ($userDN = $rcmail->config->get('password_ldap_userDN_mask')) { |
|
24 |
$userDN = substitute_vars($userDN); |
|
25 |
} else { |
|
26 |
$userDN = search_userdn($rcmail); |
|
27 |
} |
db1a87
|
28 |
|
5fec6d
|
29 |
if (empty($userDN)) { |
T |
30 |
return PASSWORD_CONNECT_ERROR; |
|
31 |
} |
db1a87
|
32 |
|
5fec6d
|
33 |
// Connection Method |
T |
34 |
switch($rcmail->config->get('password_ldap_method')) { |
|
35 |
case 'admin': |
|
36 |
$binddn = $rcmail->config->get('password_ldap_adminDN'); |
|
37 |
$bindpw = $rcmail->config->get('password_ldap_adminPW'); |
|
38 |
break; |
|
39 |
case 'user': |
|
40 |
default: |
|
41 |
$binddn = $userDN; |
|
42 |
$bindpw = $curpass; |
|
43 |
break; |
|
44 |
} |
db1a87
|
45 |
|
5fec6d
|
46 |
// Configuration array |
T |
47 |
$ldapConfig = array ( |
|
48 |
'binddn' => $binddn, |
|
49 |
'bindpw' => $bindpw, |
|
50 |
'basedn' => $rcmail->config->get('password_ldap_basedn'), |
|
51 |
'host' => $rcmail->config->get('password_ldap_host'), |
|
52 |
'port' => $rcmail->config->get('password_ldap_port'), |
|
53 |
'starttls' => $rcmail->config->get('password_ldap_starttls'), |
|
54 |
'version' => $rcmail->config->get('password_ldap_version'), |
|
55 |
); |
db1a87
|
56 |
|
5fec6d
|
57 |
// Connecting using the configuration array |
T |
58 |
$ldap = Net_LDAP2::connect($ldapConfig); |
db1a87
|
59 |
|
5fec6d
|
60 |
// Checking for connection error |
T |
61 |
if (PEAR::isError($ldap)) { |
|
62 |
return PASSWORD_CONNECT_ERROR; |
|
63 |
} |
db1a87
|
64 |
|
5fec6d
|
65 |
// Crypting new password |
T |
66 |
$newCryptedPassword = hashPassword($passwd, $rcmail->config->get('password_ldap_encodage')); |
|
67 |
if (!$newCryptedPassword) { |
|
68 |
return PASSWORD_CRYPT_ERROR; |
|
69 |
} |
db1a87
|
70 |
|
5fec6d
|
71 |
// Writing new crypted password to LDAP |
T |
72 |
$userEntry = $ldap->getEntry($userDN); |
|
73 |
if (Net_LDAP2::isError($userEntry)) { |
|
74 |
return PASSWORD_CONNECT_ERROR; |
|
75 |
} |
db1a87
|
76 |
|
5fec6d
|
77 |
$pwattr = $rcmail->config->get('password_ldap_pwattr'); |
T |
78 |
$force = $rcmail->config->get('password_ldap_force_replace'); |
|
79 |
|
|
80 |
if (!$userEntry->replace(array($pwattr => $newCryptedPassword), $force)) { |
|
81 |
return PASSWORD_CONNECT_ERROR; |
|
82 |
} |
|
83 |
|
|
84 |
// Updating PasswordLastChange Attribute if desired |
|
85 |
if ($lchattr = $rcmail->config->get('password_ldap_lchattr')) { |
|
86 |
$current_day = (int)(time() / 86400); |
|
87 |
if (!$userEntry->replace(array($lchattr => $current_day), $force)) { |
|
88 |
return PASSWORD_CONNECT_ERROR; |
|
89 |
} |
|
90 |
} |
|
91 |
|
|
92 |
if (Net_LDAP2::isError($userEntry->update())) { |
|
93 |
return PASSWORD_CONNECT_ERROR; |
|
94 |
} |
|
95 |
|
|
96 |
// All done, no error |
|
97 |
return PASSWORD_SUCCESS; |
|
98 |
} |
|
99 |
|
|
100 |
/** |
|
101 |
* Bind with searchDN and searchPW and search for the user's DN. |
|
102 |
* Use search_base and search_filter defined in config file. |
|
103 |
* Return the found DN. |
|
104 |
*/ |
|
105 |
function search_userdn($rcmail) |
|
106 |
{ |
|
107 |
$ldapConfig = array ( |
|
108 |
'binddn' => $rcmail->config->get('password_ldap_searchDN'), |
|
109 |
'bindpw' => $rcmail->config->get('password_ldap_searchPW'), |
|
110 |
'basedn' => $rcmail->config->get('password_ldap_basedn'), |
|
111 |
'host' => $rcmail->config->get('password_ldap_host'), |
|
112 |
'port' => $rcmail->config->get('password_ldap_port'), |
|
113 |
'starttls' => $rcmail->config->get('password_ldap_starttls'), |
|
114 |
'version' => $rcmail->config->get('password_ldap_version'), |
|
115 |
); |
|
116 |
|
|
117 |
$ldap = Net_LDAP2::connect($ldapConfig); |
|
118 |
|
|
119 |
if (PEAR::isError($ldap)) { |
|
120 |
return ''; |
|
121 |
} |
|
122 |
|
|
123 |
$base = $rcmail->config->get('password_ldap_search_base'); |
|
124 |
$filter = substitute_vars($rcmail->config->get('password_ldap_search_filter')); |
|
125 |
$options = array ( |
|
126 |
'scope' => 'sub', |
|
127 |
'attributes' => array(), |
|
128 |
); |
|
129 |
|
|
130 |
$result = $ldap->search($base, $filter, $options); |
|
131 |
$ldap->done(); |
|
132 |
if (PEAR::isError($result) || ($result->count() != 1)) { |
|
133 |
return ''; |
|
134 |
} |
db1a87
|
135 |
|
5fec6d
|
136 |
return $result->current()->dn(); |
T |
137 |
} |
|
138 |
|
|
139 |
/** |
db1a87
|
140 |
* Substitute %login, %name, %domain, %dc in $str. |
5fec6d
|
141 |
* See plugin config for details. |
T |
142 |
*/ |
|
143 |
function substitute_vars($str) |
|
144 |
{ |
|
145 |
$rcmail = rcmail::get_instance(); |
db1a87
|
146 |
$domain = $rcmail->user->get_username('domain'); |
T |
147 |
$dc = 'dc='.strtr($domain, array('.' => ',dc=')); // hierarchal domain string |
|
148 |
|
5fec6d
|
149 |
$str = str_replace(array( |
T |
150 |
'%login', |
|
151 |
'%name', |
|
152 |
'%domain', |
db1a87
|
153 |
'%dc', |
5fec6d
|
154 |
), array( |
T |
155 |
$_SESSION['username'], |
|
156 |
$rcmail->user->get_username('local'), |
db1a87
|
157 |
$domain, |
T |
158 |
$dc, |
5fec6d
|
159 |
), $str |
T |
160 |
); |
|
161 |
|
|
162 |
return $str; |
|
163 |
} |
|
164 |
|
|
165 |
|
|
166 |
/** |
|
167 |
* Code originaly from the phpLDAPadmin development team |
|
168 |
* http://phpldapadmin.sourceforge.net/ |
|
169 |
* |
|
170 |
* Hashes a password and returns the hash based on the specified enc_type. |
|
171 |
* |
|
172 |
* @param string $passwordClear The password to hash in clear text. |
|
173 |
* @param string $encodageType Standard LDAP encryption type which must be one of |
|
174 |
* crypt, ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, or clear. |
|
175 |
* @return string The hashed password. |
|
176 |
* |
|
177 |
*/ |
|
178 |
|
|
179 |
function hashPassword( $passwordClear, $encodageType ) |
|
180 |
{ |
|
181 |
$encodageType = strtolower( $encodageType ); |
|
182 |
switch( $encodageType ) { |
|
183 |
case 'crypt': |
|
184 |
$cryptedPassword = '{CRYPT}' . crypt($passwordClear,randomSalt(2)); |
|
185 |
break; |
db1a87
|
186 |
|
5fec6d
|
187 |
case 'ext_des': |
T |
188 |
// extended des crypt. see OpenBSD crypt man page. |
|
189 |
if ( ! defined( 'CRYPT_EXT_DES' ) || CRYPT_EXT_DES == 0 ) { |
|
190 |
// Your system crypt library does not support extended DES encryption. |
|
191 |
return FALSE; |
|
192 |
} |
|
193 |
$cryptedPassword = '{CRYPT}' . crypt( $passwordClear, '_' . randomSalt(8) ); |
|
194 |
break; |
|
195 |
|
|
196 |
case 'md5crypt': |
|
197 |
if( ! defined( 'CRYPT_MD5' ) || CRYPT_MD5 == 0 ) { |
|
198 |
// Your system crypt library does not support md5crypt encryption. |
|
199 |
return FALSE; |
|
200 |
} |
|
201 |
$cryptedPassword = '{CRYPT}' . crypt( $passwordClear , '$1$' . randomSalt(9) ); |
|
202 |
break; |
|
203 |
|
|
204 |
case 'blowfish': |
|
205 |
if( ! defined( 'CRYPT_BLOWFISH' ) || CRYPT_BLOWFISH == 0 ) { |
|
206 |
// Your system crypt library does not support blowfish encryption. |
|
207 |
return FALSE; |
|
208 |
} |
|
209 |
// hardcoded to second blowfish version and set number of rounds |
|
210 |
$cryptedPassword = '{CRYPT}' . crypt( $passwordClear , '$2a$12$' . randomSalt(13) ); |
|
211 |
break; |
|
212 |
|
|
213 |
case 'md5': |
|
214 |
$cryptedPassword = '{MD5}' . base64_encode( pack( 'H*' , md5( $passwordClear) ) ); |
|
215 |
break; |
|
216 |
|
|
217 |
case 'sha': |
|
218 |
if( function_exists('sha1') ) { |
|
219 |
// use php 4.3.0+ sha1 function, if it is available. |
|
220 |
$cryptedPassword = '{SHA}' . base64_encode( pack( 'H*' , sha1( $passwordClear) ) ); |
|
221 |
} elseif( function_exists( 'mhash' ) ) { |
|
222 |
$cryptedPassword = '{SHA}' . base64_encode( mhash( MHASH_SHA1, $passwordClear) ); |
|
223 |
} else { |
|
224 |
return FALSE; //Your PHP install does not have the mhash() function. Cannot do SHA hashes. |
|
225 |
} |
|
226 |
break; |
|
227 |
|
|
228 |
case 'ssha': |
|
229 |
if( function_exists( 'mhash' ) && function_exists( 'mhash_keygen_s2k' ) ) { |
|
230 |
mt_srand( (double) microtime() * 1000000 ); |
|
231 |
$salt = mhash_keygen_s2k( MHASH_SHA1, $passwordClear, substr( pack( 'h*', md5( mt_rand() ) ), 0, 8 ), 4 ); |
|
232 |
$cryptedPassword = '{SSHA}'.base64_encode( mhash( MHASH_SHA1, $passwordClear.$salt ).$salt ); |
|
233 |
} else { |
|
234 |
return FALSE; //Your PHP install does not have the mhash() function. Cannot do SHA hashes. |
|
235 |
} |
|
236 |
break; |
|
237 |
|
|
238 |
case 'smd5': |
|
239 |
if( function_exists( 'mhash' ) && function_exists( 'mhash_keygen_s2k' ) ) { |
|
240 |
mt_srand( (double) microtime() * 1000000 ); |
|
241 |
$salt = mhash_keygen_s2k( MHASH_MD5, $passwordClear, substr( pack( 'h*', md5( mt_rand() ) ), 0, 8 ), 4 ); |
|
242 |
$cryptedPassword = '{SMD5}'.base64_encode( mhash( MHASH_MD5, $passwordClear.$salt ).$salt ); |
|
243 |
} else { |
|
244 |
return FALSE; //Your PHP install does not have the mhash() function. Cannot do SHA hashes. |
|
245 |
} |
|
246 |
break; |
|
247 |
|
|
248 |
case 'clear': |
|
249 |
default: |
|
250 |
$cryptedPassword = $passwordClear; |
|
251 |
} |
|
252 |
|
|
253 |
return $cryptedPassword; |
|
254 |
} |
|
255 |
|
|
256 |
/** |
|
257 |
* Code originaly from the phpLDAPadmin development team |
|
258 |
* http://phpldapadmin.sourceforge.net/ |
|
259 |
* |
|
260 |
* Used to generate a random salt for crypt-style passwords. Salt strings are used |
|
261 |
* to make pre-built hash cracking dictionaries difficult to use as the hash algorithm uses |
|
262 |
* not only the user's password but also a randomly generated string. The string is |
|
263 |
* stored as the first N characters of the hash for reference of hashing algorithms later. |
|
264 |
* |
|
265 |
* --- added 20021125 by bayu irawan <bayuir@divnet.telkom.co.id> --- |
|
266 |
* --- ammended 20030625 by S C Rigler <srigler@houston.rr.com> --- |
|
267 |
* |
|
268 |
* @param int $length The length of the salt string to generate. |
|
269 |
* @return string The generated salt string. |
|
270 |
*/ |
db1a87
|
271 |
function randomSalt( $length ) |
5fec6d
|
272 |
{ |
T |
273 |
$possible = '0123456789'. |
|
274 |
'abcdefghijklmnopqrstuvwxyz'. |
|
275 |
'ABCDEFGHIJKLMNOPQRSTUVWXYZ'. |
|
276 |
'./'; |
|
277 |
$str = ''; |
|
278 |
// mt_srand((double)microtime() * 1000000); |
|
279 |
|
db1a87
|
280 |
while (strlen($str) < $length) |
T |
281 |
$str .= substr($possible, (rand() % strlen($possible)), 1); |
5fec6d
|
282 |
|
T |
283 |
return $str; |
|
284 |
} |