extern/egroupware
1
0
Fork 1
mirror of https://github.com/EGroupware/egroupware.git synced 2025-06-19 17:38:06 +02:00
Code Issues Packages Projects Releases Wiki Activity

- fixed with ssha not working migration from sql <--> ldap

Browse Source 
- using 16 char salt for ssha and smd5 as eclipse ldap admin does
- remove auth::hash_sql2ldap() method, as it is now in setup/inc/class.setup_cmd_ldap.inc.php
- added ability to create uid dn in setup_cmd_ldap subcommand create_ldap
This commit is contained in:
Ralf Becker 2011-05-04 09:42:50 +00:00
parent 457e79454d
commit 57fc9c63fc
3 changed files with 53 additions and 105 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

45
phpgwapi/inc/class.auth.inc.php
View File

@ -319,12 +319,14 @@ class auth
* uses the encryption type set in setup and calls the appropriate encryption functions * uses the encryption type set in setup and calls the appropriate encryption functions
* *
* @param $password password to encrypt * @param $password password to encrypt
* @param $type=null default to $GLOBALS['egw_info']['server']['ldap_encryption_type']
* @return string
*/ */
static function encrypt_ldap($password) static function encrypt_ldap($password, $type=null)
{ {
$type = strtolower($GLOBALS['egw_info']['server']['ldap_encryption_type']); if (is_null($type)) $type = $GLOBALS['egw_info']['server']['ldap_encryption_type'];
$salt = ''; $salt = '';
switch($type) switch(strtolower($type))
{ {
default: // eg. setup >> config never saved default: // eg. setup >> config never saved
case 'des': case 'des':
@ -366,7 +368,7 @@ class auth
$e_password = '{md5}' . base64_encode(pack("H*",md5($password))); $e_password = '{md5}' . base64_encode(pack("H*",md5($password)));
break; break;
case 'smd5': case 'smd5':
$salt = self::randomstring(8); $salt = self::randomstring(16);
$hash = md5($password . $salt,true); $hash = md5($password . $salt,true);
$e_password = '{SMD5}' . base64_encode($hash . $salt); $e_password = '{SMD5}' . base64_encode($hash . $salt);
break; break;
@ -374,7 +376,7 @@ class auth
$e_password = '{SHA}' . base64_encode(sha1($password,true)); $e_password = '{SHA}' . base64_encode(sha1($password,true));
break; break;
case 'ssha': case 'ssha':
$salt = self::randomstring(8); $salt = self::randomstring(16);
$hash = sha1($password . $salt,true); $hash = sha1($password . $salt,true);
$e_password = '{SSHA}' . base64_encode($hash . $salt); $e_password = '{SSHA}' . base64_encode($hash . $salt);
break; break;
@ -386,35 +388,6 @@ class auth
return $e_password; return $e_password;
} }
/**
* Create an ldap hash from an sql hash
*
* @param string $hash
*/
static function hash_sql2ldap($hash)
{
switch(strtolower($GLOBALS['egw_info']['server']['sql_encryption_type']))
{
case '': // not set sql_encryption_type
case 'md5':
$hash = '{md5}' . base64_encode(pack("H*",$hash));
break;
case 'crypt':
$hash = '{crypt}' . $hash;
break;
case 'plain':
$saved_h = $hash;
if (preg_match('/^\\{([a-z_5]+)\\}(.+)$/i',$hash,$matches))
{
$hash= $matches[2];
} else {
$hash = $saved_h;
}
break;
}
return $hash;
}
/** /**
* Create a password for storage in the accounts table * Create a password for storage in the accounts table
* *
@ -466,13 +439,13 @@ class auth
self::$error = 'no ext crypt'; self::$error = 'no ext crypt';
break; break;
case 'smd5': case 'smd5':
$salt = self::randomstring(8); $salt = self::randomstring(16);
$hash = md5($password . $salt,true); $hash = md5($password . $salt,true);
return '{SMD5}' . base64_encode($hash . $salt); return '{SMD5}' . base64_encode($hash . $salt);
case 'sha': case 'sha':
return '{SHA}' . base64_encode(sha1($password,true)); return '{SHA}' . base64_encode(sha1($password,true));
case 'ssha': case 'ssha':
$salt = self::randomstring(8); $salt = self::randomstring(16);
$hash = sha1($password . $salt,true); $hash = sha1($password . $salt,true);
return '{SSHA}' . base64_encode($hash . $salt); return '{SSHA}' . base64_encode($hash . $salt);
case 'md5': case 'md5':

25
setup/account_migration.php
View File

@ -30,31 +30,6 @@ $setup_tpl->set_file(array(
'T_alert_msg' => 'msg_alert_msg.tpl' 'T_alert_msg' => 'msg_alert_msg.tpl'
)); ));
function hash_sql2ldap($hash)
{
$type = $GLOBALS['egw_info']['server']['sql_encryption_type'];
if (preg_match('/^\\{(.*)\\}(.*)$/',$hash,$matches))
{
$type = $matches[1];
$hash = $matches[2];
}
switch(strtolower($type))
{
case '': // not set sql_encryption_type
case 'md5':
$hash = '{md5}' . base64_encode(pack("H*",$hash));
break;
case 'crypt':
$hash = '{crypt}' . $hash;
break;
case 'plain':
break;
}
return $hash;
}
// determine from where we migrate to what // determine from where we migrate to what
if (!is_object($GLOBALS['egw_setup']->db)) if (!is_object($GLOBALS['egw_setup']->db))
{ {

28
setup/inc/class.setup_cmd_ldap.inc.php
View File

@ -46,7 +46,7 @@ class setup_cmd_ldap extends setup_cmd
* @param string $ldap_context=null ou for accounts, default "ou=accounts,$base" * @param string $ldap_context=null ou for accounts, default "ou=accounts,$base"
* @param string $ldap_search_filter=null search-filter for accounts, default "(uid=%user)" * @param string $ldap_search_filter=null search-filter for accounts, default "(uid=%user)"
* @param string $ldap_group_context=null ou for groups, default "ou=groups,$base" * @param string $ldap_group_context=null ou for groups, default "ou=groups,$base"
* @param string $sub_command='create_ldap' 'create_ldap', 'test_ldap', 'test_ldap_root' * @param string $sub_command='create_ldap' 'create_ldap', 'test_ldap', 'test_ldap_root', see exec method
* @param string $ldap_encryption_type='des' * @param string $ldap_encryption_type='des'
*/ */
function __construct($domain,$ldap_host=null,$ldap_suffix=null,$ldap_admin=null,$ldap_admin_pw=null, function __construct($domain,$ldap_host=null,$ldap_suffix=null,$ldap_admin=null,$ldap_admin_pw=null,
@ -268,25 +268,23 @@ class setup_cmd_ldap extends setup_cmd
*/ */
public static function hash_sql2ldap($hash) public static function hash_sql2ldap($hash)
{ {
$type = $GLOBALS['egw_info']['server']['sql_encryption_type']; if (!($type = $GLOBALS['egw_info']['server']['sql_encryption_type'])) $type = 'md5';
if (preg_match('/^\\{(.*)\\}(.*)$/',$hash,$matches)) if (preg_match('/^\\{(.*)\\}(.*)$/',$hash,$matches))
{ {
$type = $matches[1]; list(,$type,$hash) = $matches;
$hash = $matches[2];
} }
switch(strtolower($type)) switch(strtolower($type))
{ {
case '': // not set sql_encryption_type case 'plain':
case 'md5': // ldap stores plaintext passwords without {plain} prefix
$hash = '{md5}' . base64_encode(pack("H*",$hash));
break;
case 'crypt':
$hash = '{crypt}' . $hash;
break; break;
case 'plain': case 'md5':
break; $hash = base64_encode(pack("H*",$hash));
// fall through
default:
$hash = '{'.strtoupper($type).'}'.$hash;
} }
return $hash; return $hash;
} }
@ -445,7 +443,7 @@ class setup_cmd_ldap extends setup_cmd
$this->ldap_base => array(), $this->ldap_base => array(),
$this->ldap_context => array(), $this->ldap_context => array(),
$this->ldap_group_context => array(), $this->ldap_group_context => array(),
$this->ldap_root_dn => array('userPassword' => '{crypt}'.crypt($this->ldap_root_pw)), $this->ldap_root_dn => array('userPassword' => auth::encrypt_ldap($this->ldap_root_pw,'ssha')),
) as $dn => $extra) ) as $dn => $extra)
{ {
if (!$this->_create_node($dn,$extra,$check_only) && $dn == $this->ldap_root_dn) if (!$this->_create_node($dn,$extra,$check_only) && $dn == $this->ldap_root_dn)
@ -584,6 +582,7 @@ class setup_cmd_ldap extends setup_cmd
'o' => 'organization', 'o' => 'organization',
'ou' => 'organizationalUnit', 'ou' => 'organizationalUnit',
'cn' => array('organizationalRole','simpleSecurityObject'), 'cn' => array('organizationalRole','simpleSecurityObject'),
'uid' => array('uidObject','organizationalRole','simpleSecurityObject'),
'dc' => array('organization','dcObject'), 'dc' => array('organization','dcObject'),
); );
@ -597,7 +596,7 @@ class setup_cmd_ldap extends setup_cmd
*/ */
private function _create_node($dn,$extra=array()) private function _create_node($dn,$extra=array())
{ {
//echo "<p>_create_node($dn,".print_r($extra,true).")</p>\n"; //echo "<p>_create_node($dn,".array2string($extra).")</p>\n";
// check if the node already exists and return if it does // check if the node already exists and return if it does
if (@ldap_read($this->test_ldap->ds,$dn,'objectClass=*')) if (@ldap_read($this->test_ldap->ds,$dn,'objectClass=*'))
{ {
@ -618,6 +617,7 @@ class setup_cmd_ldap extends setup_cmd
lang('Supported node types:').implode(', ',array_keys(self::$requiredObjectclasses))); lang('Supported node types:').implode(', ',array_keys(self::$requiredObjectclasses)));
} }
if ($name == 'dc') $extra['o'] = $value; // required by organisation if ($name == 'dc') $extra['o'] = $value; // required by organisation
if ($name == 'uid') $extra['cn'] = $value; // required by organizationalRole
if (!@ldap_add($this->test_ldap->ds,$dn,$attr = array( if (!@ldap_add($this->test_ldap->ds,$dn,$attr = array(
$name => $value, $name => $value,