Commit Graph

52 Commits

Author SHA1 Message Date
Ralf Becker
e82af0a961 need to use own authentication method, to be able to auth user forced to change password and need to always recheck flag, if user are forced to change password, as otherwise he will be prompt again after changing it 2013-07-15 20:30:30 +00:00
Ralf Becker
eb7cccf775 * Admin/Preferences/Active Directory: more understandable password policy errors and using windows defaults only, if admin has not configured something else 2013-07-14 13:06:39 +00:00
Ralf Becker
4e7669dfd0 remove old default of 7 for password length, as it allways checks for that default otherwise 2013-06-28 16:20:28 +00:00
Ralf Becker
6cfe7d4fc2 * Admin: split password strength config in minimum length and number of character types, allow account backends specially AD to report password policy failures 2013-06-25 17:23:25 +00:00
Ralf Becker
a8e94beb5f allow auth backends to throw exceptions to give verbose error why password changing failed, auth_ads does now password strength check (even if not configured), as this is most likely cause for not changed password 2013-06-23 10:52:18 +00:00
Ralf Becker
9dfd92813a * Preferences/EMail: if user changed password, update password in session correct, so eg. EMail using that password keeps working 2013-02-21 09:44:56 +00:00
Klaus Leithoff
15457b47d4 * API: is_a compatibility vs. php5.3.8 resolving to instanceof operator for most common basic classes 2011-09-26 10:01:38 +00:00
Klaus Leithoff
f7a50ec383 * API/CheckPasswordAge: new approach to the issue, as we have to take into account that the timestamp of the last password change may not be provided by the auth system. We fetch the timestamp from the authsystem if the method is implemented for the auth method configured (instead of juggling with account_lastpasswd_change or account_lastpwd_change) 2011-09-26 08:51:48 +00:00
Ralf Becker
562343a4dd disabling permanent error_log and missing translation 2011-06-06 06:39:07 +00:00
Ralf Becker
fae1d29e68 - implemented more secure password hashing types: sha512_crypt, sha256_crypt and blowfish_crypt (later was only just broken)
- DB schema update for account_pwd to varchar(128) to accomodate sha512_crypt hashes
- enable automatic migration to sha512_crypt, if on SQL or LDAP (but only on Linux, as OpenLDAP has not native support for it)
2011-06-05 23:22:51 +00:00
Klaus Leithoff
0b1e444325 do not use password on asetLastPwdChange in admin actions, as the use of passwords indicates the usage of the functionality in usermode; Handle params for egw_cache::getSession in the correct order 2011-05-19 10:32:46 +00:00
Ralf Becker
4f3f6748f1 small docu update 2011-05-04 13:32:58 +00:00
Ralf Becker
57fc9c63fc - fixed with ssha not working migration from sql <--> ldap
- using 16 char salt for ssha and smd5 as eclipse ldap admin does
- remove auth::hash_sql2ldap() method, as it is now in setup/inc/class.setup_cmd_ldap.inc.php
- added ability to create uid dn in setup_cmd_ldap subcommand create_ldap
2011-05-04 09:42:50 +00:00
Ralf Becker
457e79454d * Setup: making SSHA (salted sha1) hashes the default password hash for SQL and LDAP
- fixing not working ssha hashes if mb_string.func_overload > 0 set
2011-05-04 07:52:45 +00:00
Klaus Leithoff
4f0e104e27 more to the issue: fix to regard the password-last-changed information from the auth system - if provided, and thus be able to react on forced password changes triggered by auth system 2011-03-16 12:44:42 +00:00
Klaus Leithoff
a080404dab fix to regard the password-last-changed information from the auth system - if provided, and thus be able to react on forced password changes triggered from auth system. set password-last-changed info in authsystem on password change. when trying to force the user to change his password upon next login as admin from within egrouware, try to set the 0 value within the authsystem as well (in ldap rights are required for admin (or user) to set/alter the shadowlastchange attribute) 2011-03-16 11:00:16 +00:00
Klaus Leithoff
bf8b3211c8 if the number of days left until change of password is expired is negative, dont warn, require the change 2010-10-28 11:02:05 +00:00
Klaus Leithoff
53374d91fb * API/Passwordmanagement: option enable a warning for users to inform them, that their password is about to expire
will be displayed once every session starting X days before the password will expure, when enforce password change is enabled and 
a suitable period is set
-translations for that option
-pending translations
2010-10-21 13:58:57 +00:00
Klaus Leithoff
2e33eeaab6 fixing ACL check for nopasswordchange; fixing setting of shadowlastchange by using the correct data with propper format 2010-09-24 08:20:14 +00:00
Klaus Leithoff
7e68a0727f check if the user is allowed to change its password, before redirecting 2010-09-22 15:20:06 +00:00
Klaus Leithoff
abbf9e3abf allow old name for account_lastpwd_change (account_lastpassword_change) 2010-09-22 11:41:16 +00:00
Klaus Leithoff
3843c0b59b Feature: to allow admins a) to set an allowed password age, to require all users to change their password regularily; b) force password change for a given user on the users next login; c) better control about the password strength required; Funded by Cricket 2010-09-22 09:48:27 +00:00
Ralf Becker
bf898afb61 "removed permannent error_log" 2010-05-13 10:45:37 +00:00
Ralf Becker
e91b0f0cb5 using since php<=5.0 available raw_output=true parameter for md5 and sha1 instead of deprecated and in newer distros no longer available mhash extension 2010-05-13 10:39:48 +00:00
Ralf Becker
61d26df913 reworked auth classes, to allow them to use each other and a new auth class using a primary backend (ldap) and a fallback (sql) 2010-01-28 04:22:37 +00:00
Ralf Becker
b5c28fba48 1. NTLM Single Sign ON
NTLM SSO removes Windows users on a PC, which is a member of a Windows
domain and who are logged into that domain, from the need to explicitly log
into eGW.  They simply point IE to the eGW URL (eg. http://domain.com/egroupware/)
and start working. They can of cause explicitly log out and log in as an
other user.
For more information look at the README at
http://www.egroupware.org/viewvc/trunk/phpgwapi/ntml/README

2. different authentication for SyncML and/or GroupDAV
You can now use eg. an external auth provider for the login via the
WebGUI (eg. ADS) and the passwords stored in SQL for SyncML.
2008-07-16 09:29:13 +00:00
Ralf Becker
a5a7c2d30e Additional password crypt types for ldap:
- MD5_CRYPT (9 char salt prefixed with $1$)
- BLOWFISH_CRYPT (16 char salt prefixed with $2$)
- EXT_CRYPT (9 char salt, no prefix)
2008-05-31 06:25:04 +00:00
Ralf Becker
868345fcb6 "added static to encrypt_pasword" 2008-03-25 17:05:38 +00:00
Ralf Becker
4f94d5837d use of global db object and new headers, made all methods of the auth class static 2008-03-15 17:27:36 +00:00
Ralf Becker
90f39cef39 "encryption" type plain for sql and ldap, to allow to store the passwords readable 2007-11-06 11:16:34 +00:00
Miles Lott
23ac553d70 Fix for types other than md5 and crypt, e.g. SSHA where the the type is contained in the text of the password 2006-06-20 09:50:00 +00:00
Ralf Becker
5dc4617462 setting the default for encrypt_ldap() to des and not just return false, the default is needed if you never saved setup >> config 2006-06-17 16:04:35 +00:00
Ralf Becker
9eca4904e0 allow to specify the hash type to prefix the hash, to easy migrate passwords from ldap 2006-06-07 22:08:13 +00:00
Ralf Becker
98d8b30761 rewrite of the accounts classes:
- new cleaner AND documented interfaces
- old interfaces are still availible, but depricated
- LDAP backend stores now membership information in LDAP too, and does NO longer require the phpgwAccount schema
- LDAP backend deals now well with LDAP schema in which posixGroup is no structural object (eg. newer SuSE distros)
- password from users are done now binded as that user, so if you dont need/use our admin to manage accounts, you can give a root-dn which only allows to search&read accounts
2006-06-06 23:42:36 +00:00
Miles Lott
fb4182ea66 Correct spelling 2006-05-17 06:00:12 +00:00
Cornelius Weiß
b97f701d05 added an optinal check for a save^tm password (criterias as in MS-Windows) 2006-03-13 21:56:28 +00:00
Ralf Becker
c85d34c0fe changed the following table-names:
- phpgw_accounts --> egw_accounts
- phpgw_acl --> egw_acl
- phpgw_log(_msg) --> egw_log(_msg)
- phpgw_config --> egw_config
- phpgw_applications --> egw_applications
This requires code-changes in many apps. Quite often I was able to replace the db access, with calls to the appropreate classes.
2005-11-02 11:45:52 +00:00
Miles Lott
137e472433 Use correct quoting when querying/setting account_id; minor formatting 2005-08-27 12:19:35 +00:00
Cornelius Weiß
79c9507039 - massive code cleanup
- added md5_hmac auth type
- added support for password migration
2005-05-10 19:00:55 +00:00
Miles Lott
6adc7fda6f Add some notes to the smd5_compare() function 2004-02-05 02:14:31 +00:00
Miles Lott
dfa356e0c6 Fix smd5 password comparison for sql 2004-02-05 02:01:39 +00:00
Miles Lott
04067c7a04 Add SMD5 hashing for sql and ldap based on my debian experience today 2004-01-26 03:01:54 +00:00
Miles Lott
d7db3b384e update credits by request 2004-01-20 21:31:33 +00:00
Miles Lott
77fd8f4882 Move password functions to auth class; Add support for new encryption types in setup
and implement password checking and creation for these new types
2004-01-18 21:12:53 +00:00
Miles Lott
9b6465af7a Using GLOBALS 2001-08-30 19:40:44 +00:00
Miles Lott
61675e82b5 Formatting 2001-05-02 12:52:44 +00:00
skeeter
53f4716584 replaced quotes with single ticks where applicable 2001-02-11 20:03:35 +00:00
jengo
5f0c2433db Returned cvs to how it was last night (with including the class.accounts.inc.php) file first 2001-02-06 20:13:06 +00:00
jengo
e0b8a07f9c Fixed not being able to login and clean up a ton of code. It was a mess in there, things flow a little but better now. I still have some cleaning up to do 2001-02-06 13:18:51 +00:00
seek3r
00b23411ef moved to define() for path vars. Also starting to hack sessions to be phpgw_info manager 2001-02-06 09:19:38 +00:00