Commit Graph

63 Commits

Author SHA1 Message Date
Ralf Becker
b95727bb6f move auth classes to Api\Auth, only Sql is currently tested! 2016-03-06 20:47:10 +00:00
Ralf Becker
4e986e58b8 change "password about to expire in N days" warning into an once per login info-message (was a redirect to password change) 2015-07-01 17:51:56 +00:00
Ralf Becker
d39c2a71bf * Login/Password: handle forced password change on login page 2015-07-01 12:44:34 +00:00
Ralf Becker
f0b2131cfd fix IDE warnings 2014-12-11 08:10:41 +00:00
Ralf Becker
f641c2cec6 open password in a popup 2014-04-17 07:37:21 +00:00
Ralf Becker
e94502515d * Admin/Preferences: changepassword hook was called twice
fixed by calling in now from API and not on every location in application code changing a password
2013-10-25 19:24:01 +00:00
Ralf Becker
eb06a2adee setup uses now sessions too and password-hashes in header.inc.php use most secure hashing type 2013-09-11 11:35:20 +00:00
Ralf Becker
71676f982a fixed not working special char detection 2013-07-25 07:21:35 +00:00
Ralf Becker
10436d5e41 fixed not being able to switch "forbid password to contain name" off again, after it has been switched on (caused by name "passwd_forbid_name") 2013-07-16 14:50:12 +00:00
Klaus Leithoff
2bdcd29582 pass acount_id to crackcheck, as it is required for crackcheck rule validation forbid_name 2013-07-16 10:42:31 +00:00
Ralf Becker
b54aef66e4 need to use own authentication method, to be able to auth user forced to change password and need to always recheck flag, if user are forced to change password, as otherwise he will be prompt again after changing it 2013-07-15 20:29:49 +00:00
Ralf Becker
6898ee9cdb * Admin/Preferences/Active Directory: more understandable password policy errors and using windows defaults only, if admin has not configured something else 2013-07-14 13:05:24 +00:00
Ralf Becker
5e0c017129 remove old default of 7 for password length, as it allways checks for that default otherwise 2013-06-28 16:20:01 +00:00
Ralf Becker
aa1426b8de * Admin: split password strength config in minimum length and number of character types, allow account backends specially AD to report password policy failures 2013-06-25 16:37:44 +00:00
Ralf Becker
293d395472 allow auth backends to throw exceptions to give verbose error why password changing failed, auth_ads does now password strength check (even if not configured), as this is most likely cause for not changed password 2013-06-23 10:46:26 +00:00
Ralf Becker
ef1756438e * Preferences/EMail: if user changed password, update password in session correct, so eg. EMail using that password keeps working 2013-02-21 09:43:38 +00:00
Klaus Leithoff
ac2279d933 * API: is_a compatibility vs. php5.3.8 resolving to instanceof operator for most common basic classes 2011-09-26 09:52:43 +00:00
Klaus Leithoff
53c78cd9e2 as the timestamp used for ldap is not the unixtimestamp, we just use time for updating the session cache on auth_alpwchange_val 2011-09-23 11:10:05 +00:00
Klaus Leithoff
afb4dff864 * API/CheckPasswordAge: new approach to the issue, as we have to take into account that the timestamp of the last password change may not be provided by the auth system. We fetch the timestamp from the authsystem if the method is implemented for the auth method configured (instead of juggling with account_lastpasswd_change or account_lastpwd_change) 2011-09-22 15:29:41 +00:00
Ralf Becker
562343a4dd disabling permanent error_log and missing translation 2011-06-06 06:39:07 +00:00
Ralf Becker
fae1d29e68 - implemented more secure password hashing types: sha512_crypt, sha256_crypt and blowfish_crypt (later was only just broken)
- DB schema update for account_pwd to varchar(128) to accomodate sha512_crypt hashes
- enable automatic migration to sha512_crypt, if on SQL or LDAP (but only on Linux, as OpenLDAP has not native support for it)
2011-06-05 23:22:51 +00:00
Klaus Leithoff
0b1e444325 do not use password on asetLastPwdChange in admin actions, as the use of passwords indicates the usage of the functionality in usermode; Handle params for egw_cache::getSession in the correct order 2011-05-19 10:32:46 +00:00
Ralf Becker
4f3f6748f1 small docu update 2011-05-04 13:32:58 +00:00
Ralf Becker
57fc9c63fc - fixed with ssha not working migration from sql <--> ldap
- using 16 char salt for ssha and smd5 as eclipse ldap admin does
- remove auth::hash_sql2ldap() method, as it is now in setup/inc/class.setup_cmd_ldap.inc.php
- added ability to create uid dn in setup_cmd_ldap subcommand create_ldap
2011-05-04 09:42:50 +00:00
Ralf Becker
457e79454d * Setup: making SSHA (salted sha1) hashes the default password hash for SQL and LDAP
- fixing not working ssha hashes if mb_string.func_overload > 0 set
2011-05-04 07:52:45 +00:00
Klaus Leithoff
4f0e104e27 more to the issue: fix to regard the password-last-changed information from the auth system - if provided, and thus be able to react on forced password changes triggered by auth system 2011-03-16 12:44:42 +00:00
Klaus Leithoff
a080404dab fix to regard the password-last-changed information from the auth system - if provided, and thus be able to react on forced password changes triggered from auth system. set password-last-changed info in authsystem on password change. when trying to force the user to change his password upon next login as admin from within egrouware, try to set the 0 value within the authsystem as well (in ldap rights are required for admin (or user) to set/alter the shadowlastchange attribute) 2011-03-16 11:00:16 +00:00
Klaus Leithoff
bf8b3211c8 if the number of days left until change of password is expired is negative, dont warn, require the change 2010-10-28 11:02:05 +00:00
Klaus Leithoff
53374d91fb * API/Passwordmanagement: option enable a warning for users to inform them, that their password is about to expire
will be displayed once every session starting X days before the password will expure, when enforce password change is enabled and 
a suitable period is set
-translations for that option
-pending translations
2010-10-21 13:58:57 +00:00
Klaus Leithoff
2e33eeaab6 fixing ACL check for nopasswordchange; fixing setting of shadowlastchange by using the correct data with propper format 2010-09-24 08:20:14 +00:00
Klaus Leithoff
7e68a0727f check if the user is allowed to change its password, before redirecting 2010-09-22 15:20:06 +00:00
Klaus Leithoff
abbf9e3abf allow old name for account_lastpwd_change (account_lastpassword_change) 2010-09-22 11:41:16 +00:00
Klaus Leithoff
3843c0b59b Feature: to allow admins a) to set an allowed password age, to require all users to change their password regularily; b) force password change for a given user on the users next login; c) better control about the password strength required; Funded by Cricket 2010-09-22 09:48:27 +00:00
Ralf Becker
bf898afb61 "removed permannent error_log" 2010-05-13 10:45:37 +00:00
Ralf Becker
e91b0f0cb5 using since php<=5.0 available raw_output=true parameter for md5 and sha1 instead of deprecated and in newer distros no longer available mhash extension 2010-05-13 10:39:48 +00:00
Ralf Becker
61d26df913 reworked auth classes, to allow them to use each other and a new auth class using a primary backend (ldap) and a fallback (sql) 2010-01-28 04:22:37 +00:00
Ralf Becker
b5c28fba48 1. NTLM Single Sign ON
NTLM SSO removes Windows users on a PC, which is a member of a Windows
domain and who are logged into that domain, from the need to explicitly log
into eGW.  They simply point IE to the eGW URL (eg. http://domain.com/egroupware/)
and start working. They can of cause explicitly log out and log in as an
other user.
For more information look at the README at
http://www.egroupware.org/viewvc/trunk/phpgwapi/ntml/README

2. different authentication for SyncML and/or GroupDAV
You can now use eg. an external auth provider for the login via the
WebGUI (eg. ADS) and the passwords stored in SQL for SyncML.
2008-07-16 09:29:13 +00:00
Ralf Becker
a5a7c2d30e Additional password crypt types for ldap:
- MD5_CRYPT (9 char salt prefixed with $1$)
- BLOWFISH_CRYPT (16 char salt prefixed with $2$)
- EXT_CRYPT (9 char salt, no prefix)
2008-05-31 06:25:04 +00:00
Ralf Becker
868345fcb6 "added static to encrypt_pasword" 2008-03-25 17:05:38 +00:00
Ralf Becker
4f94d5837d use of global db object and new headers, made all methods of the auth class static 2008-03-15 17:27:36 +00:00
Ralf Becker
90f39cef39 "encryption" type plain for sql and ldap, to allow to store the passwords readable 2007-11-06 11:16:34 +00:00
Miles Lott
23ac553d70 Fix for types other than md5 and crypt, e.g. SSHA where the the type is contained in the text of the password 2006-06-20 09:50:00 +00:00
Ralf Becker
5dc4617462 setting the default for encrypt_ldap() to des and not just return false, the default is needed if you never saved setup >> config 2006-06-17 16:04:35 +00:00
Ralf Becker
9eca4904e0 allow to specify the hash type to prefix the hash, to easy migrate passwords from ldap 2006-06-07 22:08:13 +00:00
Ralf Becker
98d8b30761 rewrite of the accounts classes:
- new cleaner AND documented interfaces
- old interfaces are still availible, but depricated
- LDAP backend stores now membership information in LDAP too, and does NO longer require the phpgwAccount schema
- LDAP backend deals now well with LDAP schema in which posixGroup is no structural object (eg. newer SuSE distros)
- password from users are done now binded as that user, so if you dont need/use our admin to manage accounts, you can give a root-dn which only allows to search&read accounts
2006-06-06 23:42:36 +00:00
Miles Lott
fb4182ea66 Correct spelling 2006-05-17 06:00:12 +00:00
Cornelius Weiß
b97f701d05 added an optinal check for a save^tm password (criterias as in MS-Windows) 2006-03-13 21:56:28 +00:00
Ralf Becker
c85d34c0fe changed the following table-names:
- phpgw_accounts --> egw_accounts
- phpgw_acl --> egw_acl
- phpgw_log(_msg) --> egw_log(_msg)
- phpgw_config --> egw_config
- phpgw_applications --> egw_applications
This requires code-changes in many apps. Quite often I was able to replace the db access, with calls to the appropreate classes.
2005-11-02 11:45:52 +00:00
Miles Lott
137e472433 Use correct quoting when querying/setting account_id; minor formatting 2005-08-27 12:19:35 +00:00
Cornelius Weiß
79c9507039 - massive code cleanup
- added md5_hmac auth type
- added support for password migration
2005-05-10 19:00:55 +00:00