Exemplo n.º 1
0
 /**
  * Process our <post> arguments from the templates
  */
 protected function getPostAttribute($attribute, $i)
 {
     if (DEBUG_ENABLED && (($fargs = func_get_args()) || ($fargs = 'NOARGS'))) {
         debug_log('Entered (%%)', 129, 0, __FILE__, __LINE__, __METHOD__, $fargs);
     }
     $autovalue = $attribute->getPostValue();
     $args = explode(';', $autovalue['args']);
     $server = $this->getServer();
     $vals = $attribute->getValues();
     switch ($autovalue['function']) {
         /**
          * Join will concatenate values with a string, similiar to explode()
          * eg: =php.Join(-;%sambaSID%,%sidsuffix%)
          *
          * * arg 0
          *   - character to use when joining the attributes
          *
          * * arg 1
          *   - values to concatenate together. we'll explode %attr% values.
          */
         case 'Join':
             preg_match_all('/%(\\w+)(\\|.+)?(\\/[lU])?%/U', $args[1], $matchall);
             $matchattrs = $matchall[1];
             $char = $args[0];
             $values = array();
             $blank = 0;
             foreach ($matchattrs as $joinattr) {
                 $attribute2 = $this->template->getAttribute($joinattr);
                 if (!$attribute2) {
                     if (($pv = get_request(strtolower($joinattr), 'REQUEST')) && isset($pv[$attribute->getName()][$i])) {
                         array_push($values, $pv[$attribute->getName()][$i]);
                         if (!$pv[$attribute->getName()][$i]) {
                             $blank++;
                         }
                     } else {
                         array_push($values, '');
                         $blank++;
                     }
                 } elseif (count($attribute2->getValues()) == 0) {
                     return;
                 } elseif (count($attribute2->getValues()) != 1) {
                     array_push($values, '');
                     $blank++;
                     system_message(array('title' => _('Invalid value count for [post] processing'), 'body' => sprintf('%s (<b>%s [%s]</b>)', _('Function() variable expansion can only handle 1 value'), $attribute->getName(false), count($attribute->getValues())), 'type' => 'warn'));
                 } else {
                     array_push($values, $attribute2->getValue(0));
                 }
             }
             # If all our value expansion results in blanks, we'll return no value
             if (count($matchattrs) == $blank) {
                 if (count($vals) > 1) {
                     $vals[$i] = null;
                 } else {
                     $vals = null;
                 }
             } else {
                 $vals[$i] = implode($char, $values);
             }
             break;
             /**
              * PasswordEncrypt will encrypt a password
              * eg: =php.PasswordEncrypt(%enc%;%userPassword%)
              *
              * This function will encrypt the users password "userPassword" using the "enc" method.
              */
         /**
          * PasswordEncrypt will encrypt a password
          * eg: =php.PasswordEncrypt(%enc%;%userPassword%)
          *
          * This function will encrypt the users password "userPassword" using the "enc" method.
          */
         case 'PasswordEncrypt':
             if (count($args) != 2) {
                 system_message(array('title' => _('Invalid argument count for PasswordEncrypt'), 'body' => sprintf('%s (<b>%s</b>)', _('PasswordEncrypt() only accepts two arguments'), $autovalue['args']), 'type' => 'warn'));
                 return;
             }
             if (!$attribute->hasBeenModified()) {
                 return;
             }
             # Get the attribute.
             if (preg_match_all('/%(\\w+)(\\|.+)?(\\/[lU])?%/U', strtolower($args[1]), $matchall)) {
                 if (count($matchall[1]) != 1) {
                     system_message(array('title' => _('Invalid value count for PasswordEncrypt'), 'body' => sprintf('%s (<b>%s</b>)', _('Unable to get the attribute value for PasswordEncrypt()'), count($matchall[1])), 'type' => 'warn'));
                 }
                 $passwordattr = $matchall[1][0];
                 $passwordvalue = $_REQUEST['new_values'][$passwordattr][$i];
             } else {
                 $passwordvalue = $args[1];
             }
             if (!trim($passwordvalue) || in_array($passwordvalue, $attribute->getOldValues())) {
                 return;
             }
             # Get the encoding
             if ($passwordattr && preg_match_all('/%(\\w+)(\\|.+)?(\\/[lU])?%/U', strtolower($args[0]), $matchall)) {
                 if (count($matchall[1]) != 1) {
                     system_message(array('title' => _('Invalid value count for PasswordEncrypt'), 'body' => sprintf('%s (<b>%s</b>)', _('Unable to get the attribute value for PasswordEncrypt()'), count($matchall[1])), 'type' => 'warn'));
                 }
                 $enc = $_REQUEST[$matchall[1][0]][$passwordattr][$i];
             } else {
                 $enc = $args[0];
             }
             $enc = strtolower($enc);
             switch ($enc) {
                 case 'lm':
                     $sambapassword = new smbHash();
                     $vals[$i] = $sambapassword->lmhash($passwordvalue);
                     break;
                 case 'nt':
                     $sambapassword = new smbHash();
                     $vals[$i] = $sambapassword->nthash($passwordvalue);
                     break;
                 default:
                     $vals[$i] = pla_password_hash($passwordvalue, $enc);
             }
             $vals = array_unique($vals);
             break;
         default:
             $vals = $this->get('AutoPost', $attribute, $i);
     }
     if (!$vals || $vals == $attribute->getValues()) {
         return;
     }
     $attribute->clearValue();
     if (!is_array($vals)) {
         $attribute->setValue(array($vals));
     } else {
         $attribute->setValue($vals);
     }
 }
Exemplo n.º 2
0
    if (is_binary_option_required($ldapserver, $attr)) {
        $attr .= ";binary";
    }
}
/* Automagically hash new userPassword attributes according to the
   chosen in config.php. */
if (0 == strcasecmp($attr, 'userpassword')) {
    if (trim($ldapserver->default_hash) != '') {
        $enc_type = $ldapserver->default_hash;
        $val = password_hash($val, $enc_type);
    }
} elseif (strcasecmp($attr, 'sambaNTPassword') == 0) {
    $sambapassword = new smbHash();
    $val = $sambapassword->nthash($val);
} elseif (strcasecmp($attr, 'sambaLMPassword') == 0) {
    $sambapassword = new smbHash();
    $val = $sambapassword->lmhash($val);
}
$new_entry = array($attr => $val);
$result = $ldapserver->attrModify($dn, $new_entry);
if ($result) {
    header(sprintf('Location: template_engine.php?server_id=%s&dn=%s&modified_attrs[]=%s', $ldapserver->server_id, $encoded_dn, $encoded_attr));
} else {
    pla_error(_('Failed to add the attribute.'), $ldapserver->error(), $ldapserver->errno());
}
/**
 * Check if we need to append the ;binary option to the name
 * of some binary attribute
 *
 * @param object $ldapserver Server Object that the attribute is in.
 * @param attr $attr Attribute to test to see if it requires ;binary added to it.
Exemplo n.º 3
0
/**
 * Given a clear-text password and a hash, this function determines if the clear-text password
 * is the password that was used to generate the hash. This is handy to verify a user's password
 * when all that is given is the hash and a "guess".
 * @param String The hash.
 * @param String The password in clear text to test.
 * @return Boolean True if the clear password matches the hash, and false otherwise.
 */
function password_check($cryptedpassword, $plainpassword, $attribute = 'userpassword')
{
    if (DEBUG_ENABLED && (($fargs = func_get_args()) || ($fargs = 'NOARGS'))) {
        debug_log('Entered (%%)', 1, 0, __FILE__, __LINE__, __METHOD__, $fargs);
    }
    if (in_array($attribute, array('sambalmpassword', 'sambantpassword'))) {
        $smb = new smbHash();
        switch ($attribute) {
            case 'sambalmpassword':
                if (strcmp($smb->lmhash($plainpassword), strtoupper($cryptedpassword)) == 0) {
                    return true;
                } else {
                    return false;
                }
            case 'sambantpassword':
                if (strcmp($smb->nthash($plainpassword), strtoupper($cryptedpassword)) == 0) {
                    return true;
                } else {
                    return false;
                }
        }
        return false;
    }
    if (preg_match('/{([^}]+)}(.*)/', $cryptedpassword, $matches)) {
        $cryptedpassword = $matches[2];
        $cypher = strtolower($matches[1]);
    } else {
        $cypher = null;
    }
    switch ($cypher) {
        # SSHA crypted passwords
        case 'ssha':
            # Check php mhash support before using it
            if (function_exists('mhash')) {
                $hash = base64_decode($cryptedpassword);
                # OpenLDAP uses a 4 byte salt, SunDS uses an 8 byte salt - both from char 20.
                $salt = substr($hash, 20);
                $new_hash = base64_encode(mhash(MHASH_SHA1, $plainpassword . $salt) . $salt);
                if (strcmp($cryptedpassword, $new_hash) == 0) {
                    return true;
                } else {
                    return false;
                }
            } else {
                error(_('Your PHP install does not have the mhash() function. Cannot do SHA hashes.'), 'error', 'index.php');
            }
            break;
            # Salted MD5
        # Salted MD5
        case 'smd5':
            # Check php mhash support before using it
            if (function_exists('mhash')) {
                $hash = base64_decode($cryptedpassword);
                $salt = substr($hash, 16);
                $new_hash = base64_encode(mhash(MHASH_MD5, $plainpassword . $salt) . $salt);
                if (strcmp($cryptedpassword, $new_hash) == 0) {
                    return true;
                } else {
                    return false;
                }
            } else {
                error(_('Your PHP install does not have the mhash() function. Cannot do SHA hashes.'), 'error', 'index.php');
            }
            break;
            # SHA crypted passwords
        # SHA crypted passwords
        case 'sha':
            if (strcasecmp(pla_password_hash($plainpassword, 'sha'), '{SHA}' . $cryptedpassword) == 0) {
                return true;
            } else {
                return false;
            }
            break;
            # MD5 crypted passwords
        # MD5 crypted passwords
        case 'md5':
            if (strcasecmp(pla_password_hash($plainpassword, 'md5'), '{MD5}' . $cryptedpassword) == 0) {
                return true;
            } else {
                return false;
            }
            break;
            # Crypt passwords
        # Crypt passwords
        case 'crypt':
            # Check if it's blowfish crypt
            if (preg_match('/^\\$2+/', $cryptedpassword)) {
                # Make sure that web server supports blowfish crypt
                if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH == 0) {
                    error(_('Your system crypt library does not support blowfish encryption.'), 'error', 'index.php');
                }
                list($version, $rounds, $salt_hash) = explode('$', $cryptedpassword);
                if (crypt($plainpassword, '$' . $version . '$' . $rounds . '$' . $salt_hash) == $cryptedpassword) {
                    return true;
                } else {
                    return false;
                }
            } elseif (strstr($cryptedpassword, '$1$')) {
                # Make sure that web server supports md5 crypt
                if (!defined('CRYPT_MD5') || CRYPT_MD5 == 0) {
                    error(_('Your system crypt library does not support md5crypt encryption.'), 'error', 'index.php');
                }
                list($dummy, $type, $salt, $hash) = explode('$', $cryptedpassword);
                if (crypt($plainpassword, '$1$' . $salt) == $cryptedpassword) {
                    return true;
                } else {
                    return false;
                }
            } elseif (strstr($cryptedpassword, '_')) {
                # Make sure that web server supports ext_des
                if (!defined('CRYPT_EXT_DES') || CRYPT_EXT_DES == 0) {
                    error(_('Your system crypt library does not support extended DES encryption.'), 'error', 'index.php');
                }
                if (crypt($plainpassword, $cryptedpassword) == $cryptedpassword) {
                    return true;
                } else {
                    return false;
                }
            } else {
                if (crypt($plainpassword, $cryptedpassword) == $cryptedpassword) {
                    return true;
                } else {
                    return false;
                }
            }
            break;
            # SHA512 crypted passwords
        # SHA512 crypted passwords
        case 'sha512':
            if (strcasecmp(pla_password_hash($plainpassword, 'sha512'), '{SHA512}' . $cryptedpassword) == 0) {
                return true;
            } else {
                return false;
            }
            break;
            # No crypt is given assume plaintext passwords are used
        # No crypt is given assume plaintext passwords are used
        default:
            if ($plainpassword == $cryptedpassword) {
                return true;
            } else {
                return false;
            }
    }
}
Exemplo n.º 4
0
Arquivo: ldap.php Projeto: pihizi/qf
 private function get_password_attrs($password)
 {
     switch ($this->get_option('pass_algo')) {
         case 'plain':
             //不加密
             $secret = $password;
             break;
         case 'md5':
             $secret = '{MD5}' . base64_encode(md5($password, TRUE));
             break;
         case 'sha':
         default:
             $secret = '{SHA}' . base64_encode(sha1($password, TRUE));
             break;
     }
     $data = array('userPassword' => $secret);
     if ($this->get_option('enable_samba3')) {
         class_exists('smbHash', FALSE) or Core::load(THIRD_BASE, 'smbhash', '*');
         $hash = new smbHash();
         $data['sambaLMPassword'] = $hash->lmhash($password);
         $data['sambaNTPassword'] = $hash->nthash($password);
     }
     return $data;
 }
Exemplo n.º 5
0
        if (strcasecmp($attr, 'userPassword') == 0) {
            foreach ($new_val as $key => $userpassword) {
                if (trim($userpassword)) {
                    $new_val[$key] = password_hash($userpassword, $_POST['enc_type'][$key]);
                } else {
                    unset($new_val[$key]);
                }
            }
            $password_already_hashed = true;
            # Special case for samba password
        } elseif (strcasecmp($attr, 'sambaNTPassword') == 0 && trim($new_val[0])) {
            $sambapassword = new smbHash();
            $new_val[0] = $sambapassword->nthash($new_val[0]);
            # Special case for samba password
        } elseif (strcasecmp($attr, 'sambaLMPassword') == 0 && trim($new_val[0])) {
            $sambapassword = new smbHash();
            $new_val[0] = $sambapassword->lmhash($new_val[0]);
        }
        # Retest in case our now encoded password is the same.
        if ($new_val === $old_val) {
            continue;
        }
        if ($new_val) {
            $update_array[$attr] = $new_val;
        }
    }
}
# Check user password with new encoding.
if (isset($new_values['userpassword']) && is_array($new_values['userpassword'])) {
    foreach ($new_values['userpassword'] as $key => $userpassword) {
        if ($userpassword) {
Exemplo n.º 6
0
     preg_match_all('/%(\\w+)(\\|.+)?(\\/[lU])?%/U', $matches[2], $matchall);
     $enc = $_REQUEST[$matchall[1][0]];
     $password = $_REQUEST['form'][$matchall[1][1]];
     if (trim($password)) {
         $value = password_hash($password, $enc);
         $_REQUEST['form'][$attr] = $value;
     }
     break;
 case 'SambaPassword':
     $matchall = explode(',', $matches[2]);
     $attr = preg_replace('/%/', '', $matchall[1]);
     # If we have no password, then dont hash nothing!
     if (!trim($_REQUEST['form'][$attr])) {
         break;
     }
     $sambapassword = new smbHash();
     switch ($matchall[0]) {
         case 'LM':
             $value = $sambapassword->lmhash($_REQUEST['form'][$attr]);
             break;
         case 'NT':
             $value = $sambapassword->nthash($_REQUEST['form'][$attr]);
             break;
         default:
             $value = null;
     }
     $_REQUEST['form'][$attr] = $value;
     break;
 case 'Join':
     preg_match_all('/%(\\w+)(\\|.+)?(\\/[lU])?%/U', $matches[2], $matchall);
     $matchattrs = explode(',', $matches[2]);