Formats a password using the current encryption.
| public static getCryptedPassword ( string $plaintext, string $salt = '', string $encryption = 'md5-hex', boolean $show_encrypt = false ) : string | ||
| $plaintext | string | The plaintext password to encrypt. |
| $salt | string | The salt to use to encrypt the password. If not present, a new salt will be generated. |
| $encryption | string | The kind of pasword encryption to use. Defaults to md5-hex. |
| $show_encrypt | boolean | Some password systems prepend the kind of encryption to the crypted password ({SHA}, etc). Defaults to false. |
| return | string | The encrypted password. |
/**
* Find out if a set of login credentials are valid. Only supports
* htpasswd files with DES passwords right now.
*
* @param string $userId The userId to check.
* @param array $credentials An array of login credentials. For IMAP,
* this must contain a password entry.
*
* @throws Horde_Auth_Exception
*/
protected function _authenticate($userId, $credentials)
{
if (empty($credentials['password']) || empty($this->_users[$userId])) {
throw new Horde_Auth_Exception('', Horde_Auth::REASON_BADLOGIN);
}
$hash = Horde_Auth::getCryptedPassword($credentials['password'], $this->_users[$userId], $this->_params['encryption'], !empty($this->_params['show_encryption']));
if ($hash != $this->_users[$userId]) {
throw new Horde_Auth_Exception('', Horde_Auth::REASON_BADLOGIN);
}
}
/**
* Resets a user's password. Used for example when the user does not
* remember the existing password.
*
* @param string $userId The user id for which to reset the password.
*
* @return string The new password on success.
* @throws Horde_Auth_Exception
*/
public function resetPassword($userId)
{
/* Get a new random password. */
$password = Horde_Auth::genRandomPassword();
/* Build the SQL query. */
$query = str_replace(array('\\L', '\\P'), array($this->_db->quote($userId), $this->_db->quote(Horde_Auth::getCryptedPassword($password, '', $this->_params['encryption'], $this->_params['show_encryption']))), $this->_params['query_resetpassword']);
try {
$this->_db->update($query);
} catch (Horde_Db_Exception $e) {
throw new Horde_Auth_Exception($e);
}
return $password;
}
/**
* Reset a user's password. Used for example when the user does not
* remember the existing password.
*
* @param string $userId The user id for which to reset the password.
*
* @return string The new password on success.
* @throws Horde_Auth_Exception
*/
public function resetPassword($userId)
{
if (!empty($this->_params['ad'])) {
throw new Horde_Auth_Exception(__CLASS__ . ': Updating users is not supported for Active Directory.');
}
/* Search for the user's full DN. */
try {
$dn = $this->_ldap->findUserDN($userId);
} catch (Horde_Exception_Ldap $e) {
throw new Horde_Auth_Exception($e);
}
/* Get a new random password. */
$password = Horde_Auth::genRandomPassword();
/* Encrypt the new password */
$entry = array('userpassword' => Horde_Auth::getCryptedPassword($password, '', $this->_params['encryption'], 'true'));
/* Set the lastchange field */
$shadow = $this->_lookupShadow($dn);
if ($shadow['shadowlastchange']) {
$entry['shadowlastchange'] = floor(time() / 86400);
}
/* Update user entry. */
try {
$this->_ldap->modify($dn, array('replace' => $entry));
} catch (Horde_Ldap_Exception $e) {
throw new Horde_Auth_Exception($e);
}
return $password;
}
/**
* Compare an encrypted password to a plaintext string to see if
* they match.
*
* @param string $encrypted The crypted password to compare against.
* @param string $plaintext The plaintext password to verify.
*
* @return boolean True if matched, false otherwise.
*/
protected function _comparePasswords($encrypted, $plaintext)
{
return $encrypted == Horde_Auth::getCryptedPassword($plaintext, $encrypted, $this->_params['encryption'], $this->_params['show_encryption']);
}
/**
* Creates a user in the backend.
*
* @param array $info The user information to save.
*
* @return array The user information.
* @throws Vilma_Exception
*/
protected function _createUser($info)
{
// Bind with appropriate dn to give update access.
$res = ldap_bind($this->_ldap, $this->_params['ldap']['binddn'], $this->_params['ldap']['bindpw']);
if (!$res) {
throw new Vilma_Exception(_("Unable to bind to the LDAP server. Check authentication credentials."));
}
// Prepare data.
$entry['cn'] = $info['user_full_name'];
// sn is not used operationally but we make an effort to be
// something sensical. No guarantees, though.
$entry['sn'] = array_pop(explode(' ', $info['user_full_name']));
$entry['mail'] = $info['user_name'] . '@' . $info['domain'];
// uid must match mail or SMTP auth fails.
$entry['uid'] = $entry['mail'];
$entry['homeDirectory'] = '/srv/vhost/mail/' . $info['domain'] . '/' . $info['user_name'];
$entry['qmailUID'] = $entry['qmailGID'] = 8;
$entry['objectclass'] = array('top', 'person', 'organizationalPerson', 'inetOrgPerson', 'hordePerson', 'qmailUser');
$entry['accountstatus'] = $info['user_enabled'];
// FIXME: Allow choice of hash
$entry['userPassword'] = Horde_Auth::getCryptedPassword($info['password'], '', 'ssha', true);
// Stir in any site-local custom LDAP attributes.
try {
$entry = Horde::callHook('getLDAPAttrs', array($entry), 'vilma');
} catch (Horde_Exception_HookNotSet $e) {
}
$rdn = 'mail=' . $entry['mail'];
$dn = $rdn . ',' . $this->_params['ldap']['basedn'];
$res = @ldap_add($this->_ldap, $dn, $entry);
if ($res === false) {
throw new Vilma_Exception(sprintf(_("Error adding account to LDAP: %s"), @ldap_error($this->_ldap)));
}
return $dn;
}
/**
* Salt and hash the password.
*
* @param string $password The password.
*
* @return string The salted hashed password.
*/
protected function hashPassword($password)
{
$type = isset($this->server->params['hashtype']) ? $this->server->params['hashtype'] : 'ssha';
return Horde_Auth::getCryptedPassword($password, '', $type, true);
}
/**
* Encrypts a password.
*
* @param string $plaintext A plaintext password.
*
* @return string The encrypted password.
*/
protected function _encryptPassword($plaintext)
{
return Horde_Auth::getCryptedPassword($plaintext, '', $this->_params['encryption'], $this->_params['show_encryption']);
}
/**
* Authentication handler
*
* On failure, Horde_Auth_Exception should pass a message string (if any)
* in the message field, and the Horde_Auth::REASON_* constant in the code
* field (defaults to Horde_Auth::REASON_MESSAGE).
*
* @param string $userID The userID to check.
* @param array $credentials An array of login credentials.
*
* @throws Horde_Auth_Exception
*/
protected function _authenticate($userID, $credentials)
{
$um = $this->_mappers->create('Dolcore_Rdo_UserMapper');
if ($this->exists($userID) == false) {
throw new Horde_Auth_Exception('', Horde_Auth::REASON_BADLOGIN);
}
$user = $um->findOne(array('nickname' => $userID));
$pass = Horde_Auth::getCryptedPassword($credentials['password'], substr($credentials['password'], 0, 2), 'crypt', false);
if ($pass != $user->passwort) {
throw new Horde_Auth_Exception('', Horde_Auth::REASON_BADLOGIN);
}
return true;
}
/**
* Update a set of authentication credentials.
*
* @param string $oldId The old userId.
* @param string $newId The new userId.
* @param array $credentials The new credentials.
* @param string $olddn The old user DN.
* @param string $newdn The new user DN.
*
* @throws Horde_Auth_Exception
*/
public function updateUser($oldId, $newId, $credentials, $olddn = null, $newdn = null)
{
/* Connect to the MSAD server. */
$this->_connect();
if (isset($credentials['ldap'])) {
$olddn = $credentials['ldap']['dn'];
} else {
/* Search for the user's full DN. */
$dn = $this->_findDN($oldId);
/* Encrypt the new password */
if (isset($credentials['password'])) {
$entry['userpassword'] = Horde_Auth::getCryptedPassword($credentials['password'], '', $this->_params['encryption'], true);
}
}
if ($oldId != $newID) {
$newdn = str_replace($oldId, $newID, $dn);
ldap_rename($this->_ds, $olddn, $newdn, $this->_params['basedn'], true);
$success = @ldap_modify($this->_ds, $newdn, $entry);
} else {
$success = @ldap_modify($this->_ds, $olddn, $entry);
}
if (!$success) {
throw new Horde_Auth_Exception(sprintf(__CLASS__ . ': Unable to update user "%s"', $newID));
}
@ldap_close($this->_ds);
}
/**
* Update a set of authentication credentials.
*
* @param string $oldID The old userId.
* @param string $newID The new userId. [NOT SUPPORTED]
* @param array $credentials The new credentials
*
* @throws Horde_Auth_Exception
*/
public function updateUser($oldID, $newID, $credentials)
{
if (!empty($this->_params['domain_field']) && $this->_params['domain_field'] != 'none') {
list($name, $domain) = explode('@', $oldID);
/* Build the SQL query with domain. */
$query = sprintf('UPDATE %s SET %s = ? WHERE %s = ? and %s = ?', $this->_params['table'], $this->_params['password_field'], $this->_params['username_field'], $this->_params['domain_field']);
$values = array(Horde_Auth::getCryptedPassword($credentials['password'], '', $this->_params['encryption'], $this->_params['show_encryption']), $name, $domain);
} else {
/* Build the SQL query. */
$query = sprintf('UPDATE %s SET %s = ? WHERE %s = ?', $this->_params['table'], $this->_params['password_field'], $this->_params['username_field']);
$values = array(Horde_Auth::getCryptedPassword($credentials['password'], '', $this->_params['encryption'], $this->_params['show_encryption']), $oldID);
}
try {
$this->_db->update($query, $values);
} catch (Horde_Db_Exception $e) {
throw new Horde_Auth_Exception($e);
}
}
/**
* @dataProvider getCredentials
*/
public function testGetCryptedPassword($encryption, $password, $salt, $show_encryption = false)
{
$this->assertEquals($password, Horde_Auth::getCryptedPassword('foobar', $password, $encryption, $show_encryption));
}
