Commit d5c3a0a1 authored by Côme Bernigaud's avatar Côme Bernigaud Committed by Benoit Mortier

Fixes #3383 Handling password in user class

parent 277158dd
......@@ -604,11 +604,7 @@ class passwordRecovery {
return;
}
if ($this->method != "") {
change_password($dn, $_POST['new_password'], 0, $this->method);
} else {
change_password($dn, $_POST['new_password']);
}
change_password($dn, $_POST['new_password'], $this->method);
fusiondirectory_log("User ".$this->uid." password has been changed");
/* Send the mail */
$mail_body = sprintf($this->mail2_body, $this->uid);
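Review bot: The result of the new `change_password($dn, $_POST['new_password'], $this->method);` call is discarded and the following line writes `password has been changed` to the audit log unconditionally, so a failed save (an unsupported `$this->method`, an LDAP error inside the tab save) still produces a success entry. Since the rewritten change_password body in this commit no longer returns a status at all, the caller has no way to tell; once the function reports its outcome, gate the log on it, e.g. `if (change_password($dn, $_POST['new_password'], $this->method)) { fusiondirectory_log(...); }`. The enclosing method starts and ends outside the hunk.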
......
......@@ -2905,151 +2905,14 @@ function get_correct_class_name($cls)
*
* \return boolean TRUE on success FALSE on error
*/
function change_password ($dn, $password, $mode = 0, $hash = "")
function change_password ($dn, $password, $hash = "")
{
global $config;
$newpass = "";
/* Convert to lower. Methods are lowercase */
$hash = strtolower($hash);
// Get all available encryption Methods
// NON STATIC CALL :)
$methods = new passwordMethod($config, $dn);
$available = $methods->get_available_methods();
// read current password entry for $dn, to detect the encryption Method
$ldap = $config->get_ldap_link();
$ldap->cat($dn, array('shadowLastChange', 'userPassword', 'uid'));
$attrs = $ldap->fetch ();
/* Is ensure that clear passwords will stay clear */
if ($hash == '' && isset($attrs['userPassword'][0]) && !preg_match ("/^{([^}]+)}(.+)/", $attrs['userPassword'][0])) {
$hash = 'clear';
}
// Detect the encryption Method
if ($config->get_cfg_value('forcePasswordDefaultHash', 'FALSE') == 'TRUE') {
// if forcePasswordDefaultHash is TRUE we use the passwordDefaultHash
// hash and if it is not defined we use 'ssha' as default
$hash = $config->get_cfg_value('passwordDefaultHash', 'ssha');
$test = new $available[$hash]($config, $dn);
} elseif ((isset($attrs['userPassword'][0]) && preg_match ("/^{([^}]+)}(.+)/", $attrs['userPassword'][0])) || $hash != "") {
/* Check for supported algorithm */
mt_srand((double) microtime() * 1000000);
/* Extract used hash */
if ($hash == "") {
$test = passwordMethod::get_method($attrs['userPassword'][0], $dn);
} else {
$test = new $available[$hash]($config,$dn);
$test->set_hash($hash);
}
} else {
// Use SSHA by default
$hash = $config->get_cfg_value('passwordDefaultHash', 'ssha');
$test = new $available[$hash]($config, $dn);
}
if (!($test instanceOf passwordMethod)) {
return FALSE;
}
$deactivated = $test->is_locked($config, $dn);
/* Feed password backends with information */
$test->dn = $dn;
$test->attrs = $attrs;
$newpass = $test->generate_hash($password);
// Update shadow timestamp?
if (isset($attrs['shadowLastChange'][0])) {
$shadow = (int)(date('U') / 86400);
} else {
$shadow = 0;
}
// Write back modified entry
$ldap->cd($dn);
$attrs = array();
// Not for groups
if ($mode == 0) {
if ($test->need_password()) {
// Create SMB Password
$attrs = generate_smb_nt_hash($password);
} else {
$attrs['sambaLMPassword'] = array();
$attrs['sambaNTPassword'] = array();
$attrs['sambaPwdLastSet'] = array();
$attrs['sambaBadPasswordCount'] = array();
$attrs['sambaBadPasswordTime'] = array();
}
if ($shadow != 0) {
$attrs['shadowLastChange'] = $shadow;
}
}
$attrs['userPassword'] = array();
$attrs['userPassword'] = $newpass;
$ldap->modify($attrs);
/* Read ! if user was deactivated */
if ($deactivated) {
$test->lock_account($config, $dn);
}
new log('modify', 'user/passwordMethod', $dn, array_keys($attrs), $ldap->get_error());
if (!$ldap->success()) {
msg_dialog::display(_('LDAP error'), msgPool::ldaperror($ldap->get_error(), $dn, LDAP_MOD), LDAP_ERROR);
} else {
/* Run backend method for change/create */
if (!$test->set_password($password)) {
return FALSE;
}
/* Find postmodify entries for this class */
$command = $config->search('password', 'POSTMODIFY', array('menu', 'hooks'));
if ($command != '') {
/* Walk through attribute list */
$addAttrs = array(
'userPassword' => escapeshellarg($password),
'dn' => escapeshellarg($dn),
'passwordHash' => $hash,
);
$addAttrsStars = array(
'userPassword' => '******',
'dn' => escapeshellarg($dn),
'passwordHash' => $hash,
);
$commandHiddenPwd = plugin::tpl_parse_string($command, $addAttrsStars);
$command = plugin::tpl_parse_string($command, $addAttrs);
@DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, 'Execute');
exec($command, $arr, $returnCode);
if ($returnCode != 0) {
$str = implode("\n", $arr);
@DEBUG(DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $commandHiddenPwd, 'Execution failed code: '.$returnCode);
$message = msgPool::cmdexecfailed('POSTMODIFY', $commandHiddenPwd, 'password');
if (!empty($str)) {
$message .= 'Result: '.$str;
}
msg_dialog::display(_('Error'), $message, ERROR_DIALOG);
} elseif (is_array($arr)) {
$str = implode("\n", $arr);
@DEBUG(DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $commandHiddenPwd, 'Result: '.$str);
}
}
}
return TRUE;
$userTabs = objects::open($dn, 'user');
$userTab = $userTabs->getBaseObject();
$userTab->userPassword = array($hash, $password, $password, $userTab->userPassword);
$userTabs->save_object();
$userTabs->save();
}
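Review bot: The docblock kept above the new signature still promises `\return boolean TRUE on success FALSE on error`, but the rewritten body ends at `$userTabs->save();` and returns nothing, so every caller testing the result now sees NULL and treats it as failure (or, as in passwordRecovery, never learns of one). Either propagate the save outcome — e.g. `return ($userTabs->save() === TRUE);` if save() reports a status, which this hunk does not show — or change the line to `\return void` and document that errors surface through the tab save. The removed body also lowercased `$hash`, fell back to `clear` for an unhashed existing entry, rejected an unknown method before touching LDAP, regenerated the samba NT/LM hashes and ran the password POSTMODIFY hook; unless the userPassword attribute's own save path covers each of these, they are regressions worth confirming before merge. The positional array passed to `$userTab->userPassword` deserves a one-line comment naming its slots, presumably `/* [method, password, confirmation, previous value] — matches the attribute's expected layout, confirm */`.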
......
......@@ -79,7 +79,6 @@ class configInLdap extends simplePlugin
$plugins = array_keys(session::global_get('plist')->info);
}
sort($plugins);
array_unshift($plugins, 'password');
return array(
'look_n_feel' => array(
'name' => _('Look n feel'),
......
......@@ -385,25 +385,6 @@ class user extends simplePlugin
return parent::execute();
}
function prepare_save()
{
parent::prepare_save();
unset($this->attrs['userPassword']);
}
function ldap_save($cleanup = TRUE)
{
parent::ldap_save($cleanup);
if ($this->attributesAccess['userPassword']->attributes[1]->getValue() != '') {
change_password(
$this->dn,
$this->attributesAccess['userPassword']->attributes[1]->getValue(), /*password*/
0,
$this->attributesAccess['userPassword']->attributes[0]->getValue() /*hash*/
);
}
}
function save()
{
parent::save();
......
......@@ -515,9 +515,12 @@ class posixAccount extends simplePlugin
if ($this->mustchangepassword) {
$this->shadowLastChange =
floor(date("U") / EpochDaysDateAttribute::$secondsPerDay) - $this->shadowMax - 1;
} elseif ($this->is_account && !$this->initially_was_account) {
$this->shadowLastChange = floor(date("U") / EpochDaysDateAttribute::$secondsPerDay);
floor(date('U') / EpochDaysDateAttribute::$secondsPerDay) - $this->shadowMax - 1;
} elseif (
($this->is_account && !$this->initially_was_account) ||
$this->parent->getBaseObject()->attributesAccess['userPassword']->hasChanged()
) {
$this->shadowLastChange = floor(date('U') / EpochDaysDateAttribute::$secondsPerDay);
}
$this->updateAttributesValues();
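Review bot: The new `elseif` condition dereferences `$this->parent->getBaseObject()->attributesAccess['userPassword']` unconditionally; if posixAccount can be instantiated without a parent tab set, or on a base object that does not expose a userPassword attribute, this now throws on the missing member instead of simply skipping the shadowLastChange update, whereas the removed condition touched only `$this->is_account` and `$this->initially_was_account`. Guard the lookup before calling `hasChanged()`, e.g. `isset($this->parent) && isset($this->parent->getBaseObject()->attributesAccess['userPassword']) && $this->parent->getBaseObject()->attributesAccess['userPassword']->hasChanged()`, and add a short comment stating why a password change resets the shadow timestamp here now that change_password no longer writes shadowLastChange itself. The enclosing method starts and ends outside the hunk.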
......