HomeLab/ldap-user-manager
2
0
Fork 0
mirror of https://github.com/wheelybird/ldap-user-manager.git synced 2025-01-18 23:42:54 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity

Hashing (#22)

Browse Source 
* Added ALLOW_WEAK_PASSWORDS and PASSWORD_HASH options, some bug and log format fixes

* Fixed incorrect variable name in check for password hash setting.
This commit is contained in:
Brian Lycett 2020-05-22 11:03:23 +01:00 committed by GitHub
parent 9e5d3bd32b
commit 33c6aaa55e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
7 changed files with 49 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
README.md
View File

@ -110,6 +110,9 @@ Optional:
* `USERNAME_FORMAT` (default: *{first_name}-{last_name}*): The template used to dynamically generate usernames. See [Username format](#username-format). * `USERNAME_FORMAT` (default: *{first_name}-{last_name}*): The template used to dynamically generate usernames. See [Username format](#username-format).
* `USERNAME_REGEX` (default: *^[a-z][a-zA-Z0-9\._-]{3,32}$*): The regular expression used to ensure a username (and group name) is valid. See [Username format](#username-format). * `USERNAME_REGEX` (default: *^[a-z][a-zA-Z0-9\._-]{3,32}$*): The regular expression used to ensure a username (and group name) is valid. See [Username format](#username-format).
* `PASSWORD_HASH` (default: *SSHA*): Select which hashing method which will be used to store passwords in LDAP. Options are `MD5`, `SHA`, `SMD5`, `SSHA` or `CRYPT`.
* `ACCEPT_WEAK_PASSWORDS` (default: *FALSE*): Set this to *TRUE* to prevent a password being rejected for being too weak. The password strength indicators will still gauge the strength of the password. Don't enable this in a production environment.
* `LOGIN_TIMEOUT_MINS` (default: 10 minutes): How long before an idle session will be timed out. * `LOGIN_TIMEOUT_MINS` (default: 10 minutes): How long before an idle session will be timed out.
* `SITE_NAME` (default: *LDAP user manager*): Change this to replace the title in the menu. e.g. "My Company" * `SITE_NAME` (default: *LDAP user manager*): Change this to replace the title in the menu. e.g. "My Company"

2
www/account_manager/new_user.php
View File

@ -46,7 +46,7 @@ if (isset($_POST['create_account'])) {
if ($_POST['email']) { $email = stripslashes($_POST['email']); } if ($_POST['email']) { $email = stripslashes($_POST['email']); }
if (!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) { $weak_password = TRUE; } if ((!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) and $ACCEPT_WEAK_PASSWORDS != TRUE) { $weak_password = TRUE; }
if (isset($email) and !is_valid_email($email)) { $invalid_email = TRUE; } if (isset($email) and !is_valid_email($email)) { $invalid_email = TRUE; }
if (preg_match("/\"|'/",$password)) { $invalid_password = TRUE; } if (preg_match("/\"|'/",$password)) { $invalid_password = TRUE; }
if ($_POST['password'] != $_POST['password_match']) { $mismatched_passwords = TRUE; } if ($_POST['password'] != $_POST['password_match']) { $mismatched_passwords = TRUE; }

2
www/account_manager/show_user.php
View File

@ -82,7 +82,7 @@ if ($ldap_search) {
$password = $_POST['password']; $password = $_POST['password'];
if (!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) { $weak_password = TRUE; } if ((!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) and $ACCEPT_WEAK_PASSWORDS != TRUE) { $weak_password = TRUE; }
if (preg_match("/\"|'/",$password)) { $invalid_password = TRUE; } if (preg_match("/\"|'/",$password)) { $invalid_password = TRUE; }
if ($_POST['password'] != $_POST['password_match']) { $mismatched_passwords = TRUE; } if ($_POST['password'] != $_POST['password_match']) { $mismatched_passwords = TRUE; }
if (!preg_match("/$USERNAME_REGEX/",$username)) { $invalid_username = TRUE; } if (!preg_match("/$USERNAME_REGEX/",$username)) { $invalid_username = TRUE; }

2
www/change_password/index.php
View File

@ -9,7 +9,7 @@ set_page_access("user");
if (isset($_POST['change_password'])) { if (isset($_POST['change_password'])) {
if (!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) { $not_strong_enough = 1; } if ((!is_numeric($_POST['pass_score']) or $_POST['pass_score'] < 3) and $ACCEPT_WEAK_PASSWORDS != TRUE) { $not_strong_enough = 1; }
if (preg_match("/\"|'/",$_POST['password'])) { $invalid_chars = 1; } if (preg_match("/\"|'/",$_POST['password'])) { $invalid_chars = 1; }
if ($_POST['password'] != $_POST['password_match']) { $mismatched = 1; } if ($_POST['password'] != $_POST['password_match']) { $mismatched = 1; }

8
www/includes/config.inc.php
View File

@ -32,7 +32,8 @@
$LDAP['require_starttls'] = ((strcasecmp(getenv('LDAP_REQUIRE_STARTTLS'),'TRUE') == 0) ? TRUE : FALSE); $LDAP['require_starttls'] = ((strcasecmp(getenv('LDAP_REQUIRE_STARTTLS'),'TRUE') == 0) ? TRUE : FALSE);
$DEFAULT_USER_GROUP = (getenv('DEFAULT_USER_GROUP') ? getenv('DEFAULT_USER_GROUP') : 'everybody'); $DEFAULT_USER_GROUP = (getenv('DEFAULT_USER_GROUP') ? getenv('DEFAULT_USER_GROUP') : 'everybody');
$DEFAULT_USER_SHELL = (getenv('DEFAULT_USER_SHELL') ? getenv('DEFAULT_SHELL') : '/bin/bash'); $DEFAULT_USER_SHELL = (getenv('DEFAULT_USER_SHELL') ? getenv('DEFAULT_USER_SHELL') : '/bin/bash');
$EMAIL_DOMAIN = (getenv('EMAIL_DOMAIN') ? getenv('EMAIL_DOMAIN') : Null); $EMAIL_DOMAIN = (getenv('EMAIL_DOMAIN') ? getenv('EMAIL_DOMAIN') : Null);
$LOGIN_TIMEOUT_MINS = (getenv('SESSION_TIMEOUT') ? getenv('SESSION_TIMEOUT') : 10); $LOGIN_TIMEOUT_MINS = (getenv('SESSION_TIMEOUT') ? getenv('SESSION_TIMEOUT') : 10);
@ -42,6 +43,11 @@
$USERNAME_REGEX = '^[a-z][a-zA-Z0-9\._-]{3,32}$'; $USERNAME_REGEX = '^[a-z][a-zA-Z0-9\._-]{3,32}$';
#We'll use the username regex for groups too. #We'll use the username regex for groups too.
$PASSWORD_HASH = (getenv('PASSWORD_HASH') ? getenv('PASSWORD_HASH') : 'SSHA');
if ( ! in_array($PASSWORD_HASH, array('MD5','SMD5','SHA','SSHA','CRYPT'))) { $PASSWORD_HASH = 'SSHA'; }
$ACCEPT_WEAK_PASSWORDS = ((strcasecmp(getenv('ACCEPT_WEAK_PASSWORDS'),'TRUE') == 0) ? TRUE : FALSE);
$LDAP_DEBUG = ((strcasecmp(getenv('LDAP_DEBUG'),'TRUE') == 0) ? TRUE : FALSE); $LDAP_DEBUG = ((strcasecmp(getenv('LDAP_DEBUG'),'TRUE') == 0) ? TRUE : FALSE);
$SESSION_DEBUG = ((strcasecmp(getenv('SESSION_DEBUG'),'TRUE') == 0) ? TRUE : FALSE); $SESSION_DEBUG = ((strcasecmp(getenv('SESSION_DEBUG'),'TRUE') == 0) ? TRUE : FALSE);

36
www/includes/ldap_functions.inc.php
View File

@ -145,7 +145,35 @@ function ldap_setup_auth($ldap_connection, $password) {
function ldap_hashed_password($password) { function ldap_hashed_password($password) {
global $PASSWORD_HASH;
$permitted_chars = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
$salt = substr(str_shuffle($permitted_chars), 0, 64);
switch (strtoupper($PASSWORD_HASH)) {
case 'MD5':
$hashed_pwd = '{MD5}' . base64_encode(md5($password,TRUE)); $hashed_pwd = '{MD5}' . base64_encode(md5($password,TRUE));
break;
case 'SMD5':
$hashed_pwd = '{SMD5}' . base64_encode(md5($password.$salt,TRUE) . $salt);
break;
case 'SHA':
$hashed_pwd = '{SHA}' . base64_encode(sha1($password,TRUE));
break;
case 'SSHA':
$hashed_pwd = '{SSHA}' . base64_encode(sha1($password.$salt,TRUE) . $salt);
break;
case 'CRYPT':
$hashed_pwd = '{crypt}' . crypt($password, $salt);
break;
}
return $hashed_pwd; return $hashed_pwd;
} }
@ -166,7 +194,7 @@ function ldap_get_user_list($ldap_connection,$start=0,$entries=NULL,$sort="asc",
$ldap_search = @ ldap_search($ldap_connection, "${LDAP['user_dn']}", $this_filter, $fields); $ldap_search = @ ldap_search($ldap_connection, "${LDAP['user_dn']}", $this_filter, $fields);
$result = @ ldap_get_entries($ldap_connection, $ldap_search); $result = @ ldap_get_entries($ldap_connection, $ldap_search);
if ($LDAP_DEBUG == TRUE) { error_log("LDAP returned ${result['count']} users for ${LDAP['user_dn']} when using this filter: $this_filter",0); } if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix: LDAP returned ${result['count']} users for ${LDAP['user_dn']} when using this filter: $this_filter",0); }
$records = array(); $records = array();
foreach ($result as $record) { foreach ($result as $record) {
@ -251,7 +279,7 @@ function ldap_get_group_list($ldap_connection,$start=0,$entries=NULL,$sort="asc"
$ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $this_filter); $ldap_search = ldap_search($ldap_connection, "${LDAP['group_dn']}", $this_filter);
$result = @ ldap_get_entries($ldap_connection, $ldap_search); $result = @ ldap_get_entries($ldap_connection, $ldap_search);
if ($LDAP_DEBUG == TRUE) { error_log("LDAP returned ${result['count']} groups for ${LDAP['group_dn']} when using this filter: $this_filter",0); } if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix: LDAP returned ${result['count']} groups for ${LDAP['group_dn']} when using this filter: $this_filter",0); }
$records = array(); $records = array();
foreach ($result as $record) { foreach ($result as $record) {
@ -292,13 +320,13 @@ function ldap_get_group_members($ldap_connection,$group_name,$start=0,$entries=N
if ($key !== 'count' and !empty($value)) { if ($key !== 'count' and !empty($value)) {
$this_member = preg_replace("/^.*?=(.*?),.*/", "$1", $value); $this_member = preg_replace("/^.*?=(.*?),.*/", "$1", $value);
array_push($records, $this_member); array_push($records, $this_member);
if ($LDAP_DEBUG == TRUE) { error_log("${value} is a member",0); } if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix: ${value} is a member",0); }
} }
} }
$actual_result_count = count($records); $actual_result_count = count($records);
if ($LDAP_DEBUG == TRUE) { error_log("LDAP returned $actual_result_count members of ${group_name} when using this search: $ldap_search_query and this filter: ${LDAP['group_membership_attribute']}",0); } if ($LDAP_DEBUG == TRUE) { error_log("$log_prefix: LDAP returned $actual_result_count members of ${group_name} when using this search: $ldap_search_query and this filter: ${LDAP['group_membership_attribute']}",0); }
if ($actual_result_count > 0) { if ($actual_result_count > 0) {
if ($sort == "asc") { sort($records); } else { rsort($records); } if ($sort == "asc") { sort($records); } else { rsort($records); }

6
www/includes/web_functions.inc.php
View File

@ -52,8 +52,7 @@ function set_passkey_cookie($user_id,$is_admin) {
$IS_ADMIN = TRUE; $IS_ADMIN = TRUE;
} }
$filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id); $filename = preg_replace('/[^a-zA-Z0-9]/','_', $user_id);
file_put_contents("/tmp/$filename","$passkey:$admin_val:$this_time"); @ file_put_contents("/tmp/$filename","$passkey:$admin_val:$this_time");
# setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', $_SERVER["HTTP_HOST"]);
setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', '', '', TRUE); setcookie('orf_cookie', "$user_id:$passkey", $this_time+(60 * $LOGIN_TIMEOUT_MINS), '/', '', '', TRUE);
if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: user $user_id validated (IS_ADMIN=${IS_ADMIN}), sent orf_cookie to the browser.",0); } if ( $SESSION_DEBUG == TRUE) { error_log("$log_prefix Session: user $user_id validated (IS_ADMIN=${IS_ADMIN}), sent orf_cookie to the browser.",0); }
$VALIDATED = TRUE; $VALIDATED = TRUE;
@ -171,11 +170,10 @@ function log_out($method='normal') {
global $USER_ID; global $USER_ID;
#setcookie('orf_cookie', "", time()-20000 , "/", $_SERVER["HTTP_HOST"], 0);
setcookie('orf_cookie', "", time()-20000, '/', '', '', TRUE); setcookie('orf_cookie', "", time()-20000, '/', '', '', TRUE);
$filename = preg_replace('/[^a-zA-Z0-9]/','_', $USER_ID); $filename = preg_replace('/[^a-zA-Z0-9]/','_', $USER_ID);
unlink("/tmp/$filename"); @ unlink("/tmp/$filename");
if ($method == 'auto') { $options = "?logged_out"; } else { $options = ""; } if ($method == 'auto') { $options = "?logged_out"; } else { $options = ""; }
header("Location: //${_SERVER["HTTP_HOST"]}/index.php$options\n\n"); header("Location: //${_SERVER["HTTP_HOST"]}/index.php$options\n\n");