feat(passwords) Allowed password hashes can now be configured

This allows administrators to disable individual password methods, for instance clear, empty or md5.

issue #5886
parent e1a17e48
......@@ -202,6 +202,12 @@ attributetype ( 1.3.6.1.4.1.38414.8.13.8 NAME 'fdForcePasswordDefaultHash'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7
SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.38414.8.13.9 NAME 'fdPasswordAllowedHashes'
DESC 'FusionDirectory - Allowed password hashes'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
# Core settings
attributetype ( 1.3.6.1.4.1.38414.8.14.2 NAME 'fdListSummary'
......@@ -574,7 +580,7 @@ objectclass ( 1.3.6.1.4.1.38414.8.2.1 NAME 'fusionDirectoryConf'
fdAclRoleRDN $ fdCnPattern $ fdRestrictRoleMembers $ fdSplitPostalAddress $ fdPostalAddressPattern $
fdPasswordDefaultHash $ fdPasswordMinLength $ fdPasswordMinDiffer $
fdHandleExpiredAccounts $ fdSaslRealm $ fdSaslExop $
fdForcePasswordDefaultHash $
fdForcePasswordDefaultHash $ fdPasswordAllowedHashes $
fdListSummary $
fdModificationDetectionAttribute $ fdLogging $ fdLdapSizeLimit $ fdWildcardForeignKeys $
fdLoginAttribute $ fdForceSSL $ fdWarnSSL $ fdStoreFilterSettings $ fdSessionLifeTime $
......
......@@ -238,20 +238,17 @@ abstract class passwordMethod
}
$cfg = $test->is_configurable();
$desc = $test->get_description();
foreach ($plugs as $plugname) {
$ret['name'][$i] = $plugname;
$ret['class'][$i] = $class;
$ret['is_configurable'][$i] = $cfg;
$ret['object'][$i] = $test;
$ret['desc'][$i] = $desc;
$ret[$i]['name'] = $plugname;
$ret[$i]['class'] = $class;
$ret[$i]['object'] = $test;
$ret[$i]['is_configurable'] = $cfg;
$ret[$i]['desc'] = $desc;
$ret[$plugname] = $class;
$i++;
......@@ -264,14 +261,6 @@ abstract class passwordMethod
return session::get('passwordMethod::get_available_methods');
}
/*!
* \brief Get desciption
*/
function get_description (): string
{
return '';
}
/*!
* \brief Method to check if a password matches a hash
*/
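Review bot: The base-class `get_description()` stub that returned `''` is removed in the second hunk while `$desc = $test->get_description();` in the first hunk still calls it, so every concrete password method must now define `get_description()` (or the class must declare it abstract somewhere outside this diff) or building the method list will fatal on the first plugin that lacks it; if it is not declared abstract elsewhere, keep a default such as `function get_description (): string { return ''; }` or state the new obligation in the class docblock. The rendered page also shows both the `$ret['name'][$i]` and the `$ret[$i]['name']` layouts without surviving +/- markers; if the keyed `$ret['name']` layout is the one being dropped, `UserPasswordAttribute::__construct` in this same commit still reads `$temp['name']` both as the `get_cfg_value` fallback and as the loop source, so please confirm which layout remains. `get_available_methods()` starts before the first hunk.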
......
......@@ -120,6 +120,13 @@ class configInLdap extends simplePlugin
'password' => [
'name' => _('Password settings'),
'attrs' => [
new SetAttribute(
new SelectAttribute(
_('Allowed password hashes'), _('Password hashes which may be used for user passwords'),
'fdPasswordAllowedHashes', TRUE,
['ssha']
)
),
new SelectAttribute(
_('Password default hash'), _('Default hash to be used'),
'fdPasswordDefaultHash', TRUE,
......@@ -381,7 +388,10 @@ class configInLdap extends simplePlugin
if (!in_array('sasl', $methods)) {
$methods[] = 'sasl';
}
$attributesInfo['password']['attrs'][0]->setChoices($methods);
$attributesInfo['password']['attrs'][0]->attribute->setChoices($methods);
$attributesInfo['password']['attrs'][0]->setDefaultValue($methods);
$attributesInfo['password']['attrs'][0]->resetToDefault();
$attributesInfo['password']['attrs'][1]->setChoices($methods);
/* Login methods */
$methods = LoginMethod::getMethods();
$attributesInfo['login']['attrs'][4]->setChoices(array_keys($methods), array_values($methods));
......@@ -496,6 +506,10 @@ class configInLdap extends simplePlugin
$this->fdLoginMethod = 'LoginHTTPHeader';
}
}
$this->attributesAccess['fdPasswordDefaultHash']->setChoices(
$this->attributesAccess['fdPasswordAllowedHashes']->getValue()
);
}
function compute_dn (): string
......@@ -512,6 +526,15 @@ class configInLdap extends simplePlugin
return $messages;
}
function save_object ()
{
parent::save_object();
$this->attributesAccess['fdPasswordDefaultHash']->setChoices(
$this->attributesAccess['fdPasswordAllowedHashes']->getValue()
);
}
static function get_themes ()
{
$themesdir = '../ihtml/themes/';
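Review bot: The allowed-hash set defaults to every installed method: the `setDefaultValue($methods)` / `resetToDefault()` pair added right after `setChoices($methods)` seeds `fdPasswordAllowedHashes` with the full list, so clear, empty and md5 — the methods the commit message says this feature exists to disable — stay enabled until an administrator edits the new field. Consider seeding the default from `$methods` minus the known non-hashing entries, e.g. `->setDefaultValue(array_values(array_diff($methods, ['clear', 'empty', 'md5'])));`, matching the exact names that `passwordMethod::get_available_methods()` returns since they are not visible here. In `save_object()` the `fdPasswordDefaultHash` choices are narrowed only after `parent::save_object()` has already ingested the posted value, so any validation the select performs against its choice list runs against the previous, wider list. `check()` — whose tail opens the last hunk — gains no rule either, so unless `SelectAttribute::check()` already rejects a value outside its choices, a stored default hash that is no longer in the allowed set can be saved; something like `if (!in_array($this->fdPasswordDefaultHash, $this->fdPasswordAllowedHashes, TRUE)) { $messages[] = _('The default password hash must be one of the allowed hashes'); }` in `check()` would make the invariant explicit regardless of post ordering.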
......
......@@ -26,17 +26,15 @@ class UserPasswordAttribute extends CompositeAttribute
function __construct ($label, $description, $ldapName, $required = FALSE, $defaultValue = "", $acl = "")
{
global $config;
$temp = passwordMethod::get_available_methods();
/* Create password methods array */
$pwd_methods = [];
$pwd_methods = $config->get_cfg_value('PasswordAllowedHashes', $temp['name']);
$this->needPassword = [];
foreach ($temp['name'] as $id => $name) {
$this->needPassword[$name] = $temp[$id]['object']->need_password();
$pwd_methods[$name] = $name;
if (!empty($temp[$id]['desc'])) {
$pwd_methods[$name] .= " (".$temp[$id]['desc'].")";
}
}
parent::__construct(
......@@ -45,7 +43,7 @@ class UserPasswordAttribute extends CompositeAttribute
new SelectAttribute(
_('Password method'), _('Password hash method to use'),
$ldapName.'_pwstorage', TRUE,
array_keys($pwd_methods), '', array_values($pwd_methods)
$pwd_methods
),
new PasswordAttribute(
_('Password'), _('Password (Leave empty if you do not wish to change it)'),
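Review bot: The allowed-hash restriction is applied only by narrowing the choice list of the `_pwstorage` select, so whether a hand-crafted POST naming a disabled method such as `clear` is rejected depends on `SelectAttribute`'s post-value validation, which is outside this diff; an explicit guard at the point the hash is generated (for instance in `passwordMethod`, checking the chosen method against `PasswordAllowedHashes` before hashing) would enforce the policy for every caller, including code paths that set passwords without going through this attribute. The fallback `$config->get_cfg_value('PasswordAllowedHashes', $temp['name'])` means a configuration entry that predates the new attribute keeps every method enabled, which is backward compatible but worth stating in the commit message or upgrade notes. The per-method description suffix (`" (".$temp[$id]['desc'].")"`) is dropped and `$pwd_methods` is now passed as the choices alone, so the select labels become the bare method names; if the descriptions are still wanted, pass an outputs array as the trailing argument as the old code did. The `parent::__construct(` call spans both hunks and continues past the second.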
......
  • SonarQube analysis reported 3 issues

    • 3 info

    Note: The following issues were found on lines that were not modified in the commit. Because these issues can't be reported as line comments, they are summarized here:

    1. Remove the unused function parameter "$dn". 📘
    2. Remove the unused function parameter "$userTab". 📘
    3. Remove the unused function parameter "$dn". 📘