Skip to content
GitLab
Select Git revision
  • dev default
  • 6378-orcid-test-method-is-wrong-and-break-orcid-saving
  • core-php8
  • master
  • 6342-update-the-locales-for-1-5
  • 6344-template-issue-when-creating-a-template-with-empty-password-error-message-should-not-be-seen
  • 6365-core-locking-mechanism-is-not-changing-the-mail-ressource-it-does-lock-the-mail-account
  • 6365-core-when-lock-mechanism-is-trigger-the-user-should-not-be-editable-if-not-unlock
  • fusiondirectory-1.5
  • fusiondirectory-1.4
  • fusiondirectory-1.3.1
  • fusiondirectory-1.3
  • fusiondirectory-1.2.3
  • fusiondirectory-1.2.2
  • fusiondirectory-1.2.1
  • fusiondirectory-1.2
  • fusiondirectory-1.1.1
  • fusiondirectory-1.1
  • fusiondirectory-1.0.20
  • fusiondirectory-1.0.19
  • fusiondirectory-1.0.18
  • fusiondirectory-1.0.17
  • fusiondirectory-1.0.16
  • fusiondirectory-1.0.15
  • fusiondirectory-1.0.14
  • fusiondirectory-1.0.13
  • fusiondirectory-1.0.12
  • fusiondirectory-1.0.11
Find file BlameHistoryPermalink
class_password-methods.inc 10.30 KiB
1 
<?php
2
3 
/*
4 
  This code is part of FusionDirectory (http://www.fusiondirectory.org/)
5 
  Copyright (C) 2003-2010  Cajus Pollmeier
6 
  Copyright (C) 2011-2016  FusionDirectory
7
8 
  This program is free software; you can redistribute it and/or modify
9 
  it under the terms of the GNU General Public License as published by
10 
  the Free Software Foundation; either version 2 of the License, or
11 
  (at your option) any later version.
12
13 
  This program is distributed in the hope that it will be useful,
14 
  but WITHOUT ANY WARRANTY; without even the implied warranty of
15 
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
16 
  GNU General Public License for more details.
17
18 
  You should have received a copy of the GNU General Public License
19 
  along with this program; if not, write to the Free Software
20 
  Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA.
21 
*/
22
23 
/*
24 
 * \file class_pasword-methods.inc
25 
 * Source code for class password-methods
26 
 */
27
28 
/*!
29 
 * \brief This class contains all the basic function for password methods
30 
 */
31 
class passwordMethod
32 
{
33 
  var $attrs    = array();
34 
  var $display  = FALSE;
35 
  var $hash     = "";
36 
  var $lockable = TRUE;
37
38 
  /*!
39 
   * \brief Password method contructor
40 
   *
41 
   * \param string $dn The DN
42 
   */
43 
  function __construct($dn = "")
44 
  {
45 
  }
46
47 
  /*!
48 
   * \brief Get the Hash name
49 
   */
50 
  static function get_hash_name()
51 
  {
52 
    trigger_error("get_hash_name can't be called on main class");
53 
  }
54
55 
  /*!
56 
   * \brief If we need password
57 
   *
58 
   * \return boolean TRUE
59 
   */
60 
  function need_password()
61 
  {
62 
    return TRUE;
63 
  }
64
65 
  /*!
66 
   * \brief Is locked
67 
   *
68 
   * \param string $dn The DN
69 
   */
70 
  function is_locked($dn = "")
7172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140
{ global $config; if (!$this->lockable) { return FALSE; } /* Get current password hash */ $pwd = ""; if (!empty($dn)) { $ldap = $config->get_ldap_link(); $ldap->cd($config->current['BASE']); $ldap->cat($dn); $attrs = $ldap->fetch(); if (isset($attrs['userPassword'][0])) { $pwd = $attrs['userPassword'][0]; } } elseif (isset($this->attrs['userPassword'][0])) { $pwd = $this->attrs['userPassword'][0]; } return preg_match("/^[^\}]*+\}!/", $pwd); } /*! \brief Locks an account by adding a '!' as prefix to the password hashes. * This makes login impossible, due to the fact that the hash becomes invalid. * userPassword: {SHA}!q02NKl9IChNwZEAJxzRdmB6E * sambaLMPassword: !EBD223B61F8C259AD3B435B51404EE * sambaNTPassword: !98BB35737013AAF181D0FE9FDA09E * * \param string $dn */ function lock_account($dn = "") { return $this->generic_modify_account($dn, 'LOCK'); } /*! * \brief Unlocks an account which was locked by 'lock_account()'. * For details about the locking mechanism see 'lock_account()'. */ function unlock_account($dn = "") { return $this->generic_modify_account($dn, 'UNLOCK'); } /*! * \brief Unlocks an account which was locked by 'lock_account()'. * For details about the locking mechanism see 'lock_account()'. */ private function generic_modify_account($dn, $mode) { global $config; if (!$this->lockable) { return FALSE; } if ($mode != 'LOCK' && $mode != 'UNLOCK') { die('Invalid mode "'.$mode.'"'); } /* Get current password hash */ $attrs = $this->attrs; $pwd = ""; $ldap = $config->get_ldap_link(); $ldap->cd($config->current['BASE']); if (!empty($dn)) { $ldap->cat($dn); $attrs = $ldap->fetch(); } if (isset($attrs['userPassword'][0])) { $pwd = $attrs['userPassword'][0]; $dn = $attrs['dn'];
141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210
} /* We can only lock/unlock non-empty passwords */ if (!empty($pwd)) { /* Check if this entry is already locked. */ if (!preg_match("/^[^\}]*+\}!/", $pwd)) { if ($mode == 'UNLOCK') { return TRUE; } } elseif ($mode == 'LOCK') { return TRUE; } // (Un)lock the samba account $modify = lock_samba_account($mode, $attrs); // (Un)lock SSH keys lock_ssh_account($mode, $attrs, $modify); // (Un)lock the account by modifying the password hash. $pwdClass = new user($dn); $pwdClass->callHook('PRE'.$mode, array(), $ret); if ($mode == 'LOCK') { /* Lock entry */ $pwd = preg_replace("/(^[^\}]+\})(.*$)/", "\\1!\\2", $pwd); } else { /* Unlock entry */ $pwd = preg_replace("/(^[^\}]+\})!(.*$)/", "\\1\\2", $pwd); } $modify["userPassword"] = $pwd; $ldap->cd($dn); $ldap->modify($modify); // Call the password post-lock hook, if defined. if ($ldap->success()) { $pwdClass->callHook('POST'.$mode, array(), $ret); } else { msg_dialog::display(_('LDAP error'), msgPool::ldaperror($ldap->get_error(), $dn, LDAP_MOD), LDAP_ERROR); } return $ldap->success(); } return FALSE; } /*! * \brief This function returns all loaded classes for password encryption */ static function get_available_methods() { global $class_mapping, $config; $ret = FALSE; $i = 0; /* Only */ if (!session::is_set("passwordMethod::get_available_methods")) { foreach (array_keys($class_mapping) as $class) { if (preg_match('/passwordMethod/i', $class) && !preg_match("/^passwordMethod$/i", $class)) { $test = new $class(""); if ($test->is_available()) { $plugs = $test->get_hash_name(); if (!is_array($plugs)) { $plugs = array($plugs); } foreach ($plugs as $plugname) { $cfg = $test->is_configurable();
211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280
$ret['name'][$i] = $plugname; $ret['class'][$i] = $class; $ret['is_configurable'][$i] = $cfg; $ret['object'][$i] = $test; $ret['desc'][$i] = $test->get_description(); $ret[$i]['name'] = $plugname; $ret[$i]['class'] = $class; $ret[$i]['object'] = $test; $ret[$i]['is_configurable'] = $cfg; $ret[$i]['desc'] = $test->get_description(); $ret[$plugname] = $class; $i++; } } } } session::set("passwordMethod::get_available_methods", $ret); } return session::get("passwordMethod::get_available_methods"); } /*! * \brief Get desciption */ function get_description() { return ""; } /*! * \brief Method to let password backends remove additional information besides * the userPassword attribute */ function remove_from_parent() { } /*! * \brief Method to check if a password matches a hash */ function checkPassword($pwd, $hash) { return ($hash == $this->generate_hash($pwd)); } /*! * \brief Return true if this password method provides a configuration dialog */ function is_configurable() { return FALSE; } /*! * \brief Provide a subdialog to configure a password method */ function configure() { return ""; } /*! * \brief Save information to LDAP * * \param string $dn The DN */ function save($dn)
281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350
{ } /*! * \brief Try to find out if it's our hash... * * \param string $password_hash * * \param string $dn The DN */ static function get_method($password_hash, $dn = "") { global $config; $methods = passwordMethod::get_available_methods(); foreach ($methods['class'] as $class) { $method = $class::_extract_method($class, $password_hash); if ($method != "") { $test = new $class($dn); $test->set_hash($method); return $test; } } $method = new passwordMethodClear($dn); $method->set_hash('clear'); return $method; } /*! * \brief Extract a method * * \param string $password_hash */ static function _extract_method($classname, $password_hash) { $hash = $classname::get_hash_name(); if (preg_match("/^\{$hash\}/i", $password_hash)) { return $hash; } return ""; } /*! * \brief Make a hash * * \param string $password The password * * \param string $hash */ static function make_hash($password, $hash) { $methods = passwordMethod::get_available_methods(); $tmp = new $methods[$hash](); $tmp->set_hash($hash); return $tmp->generate_hash($password); } /*! * \brief Set a hash * * \param string $hash */ function set_hash($hash) { $this->hash = $hash; }
351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412
/*! * \brief Get a hash */ function get_hash() { return $this->hash; } /*! * \brief Test for problematic unicode caracters in password * This can be activated with the keyword strictPasswordRules in the * fusiondirectory.conf * * \param string $password The password */ static function is_harmless($password) { global $config; if ($config->get_cfg_value("strictPasswordRules") == "TRUE") { // Do we have UTF8 characters in the password? return ($password == utf8_decode($password)); } return TRUE; } /*! * \brief Get the password proposal */ static function getPasswordProposal() { global $config; if ($config->get_cfg_value('passwordProposalHook', '') != '') { $command = $config->get_cfg_value('passwordProposalHook', ''); if (check_command($command)) { @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, "Execute"); exec($command, $arr, $returnCode); if ($returnCode != 0) { $str = implode("\n", $arr); @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, "Execution failed code: ".$returnCode); $message = msgPool::cmdexecfailed($cmd, $command, get_class($plugin)); msg_dialog::display(_("Error"), $message, ERROR_DIALOG); } elseif (is_array($arr)) { $str = implode("\n", $arr); @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, "Result: ".$str); if (count($arr) && !empty($arr[0])) { return $arr[0]; } } } else { $message = msgPool::cmdinvalid($cmd, $command, get_class($plugin)); msg_dialog::display(_("Error"), $message, ERROR_DIALOG); } } return ''; } } ?>