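/**
 * Process our <post> arguments from the templates.
 *
 * Reads the attribute's post-processing instruction (function name plus a
 * ';'-separated argument string), computes the replacement value for index
 * $i and writes the result back onto the attribute when it differs from the
 * current values.
 *
 * @param object $attribute Attribute being post-processed; must provide getPostValue(),
 *                          getValues(), getOldValues(), getName(), hasBeenModified(),
 *                          clearValue() and setValue().
 * @param int    $i         Index of the value within the attribute to process.
 * @return void Returns early (null) when there is nothing to change.
 */
protected function getPostAttribute($attribute, $i)
{
    if (DEBUG_ENABLED && (($fargs = func_get_args()) || ($fargs = 'NOARGS'))) {
        debug_log('Entered (%%)', 129, 0, __FILE__, __LINE__, __METHOD__, $fargs);
    }

    $autovalue = $attribute->getPostValue();
    $args = explode(';', $autovalue['args']);
    # NOTE(review): $server is not used below; the call is kept in case getServer() has side effects.
    $server = $this->getServer();
    $vals = $attribute->getValues();

    switch ($autovalue['function']) {
        /**
         * Join will concatenate values with a string, similar to implode()
         * eg: =php.Join(-;%sambaSID%,%sidsuffix%)
         *
         * arg 0 - character to use when joining the attributes
         * arg 1 - values to concatenate together. we'll explode %attr% values.
         */
        case 'Join':
            # A template that only supplies the join character has nothing to expand.
            $joinspec = isset($args[1]) ? $args[1] : '';
            preg_match_all('/%(\\w+)(\\|.+)?(\\/[lU])?%/U', $joinspec, $matchall);
            $matchattrs = $matchall[1];
            $char = $args[0];
            $values = array();
            $blank = 0;

            foreach ($matchattrs as $joinattr) {
                $attribute2 = $this->template->getAttribute($joinattr);

                if (!$attribute2) {
                    # Not a template attribute: fall back to the submitted request data.
                    # Request data is untrusted, so only scalar values are joined; a nested
                    # array would otherwise be stringified as "Array" by implode().
                    $pv = get_request(strtolower($joinattr), 'REQUEST');

                    if ($pv && isset($pv[$attribute->getName()][$i]) && is_scalar($pv[$attribute->getName()][$i])) {
                        array_push($values, $pv[$attribute->getName()][$i]);

                        if (!$pv[$attribute->getName()][$i]) {
                            $blank++;
                        }
                    } else {
                        array_push($values, '');
                        $blank++;
                    }
                } elseif (count($attribute2->getValues()) == 0) {
                    return;
                } elseif (count($attribute2->getValues()) != 1) {
                    array_push($values, '');
                    $blank++;
                    # NOTE(review): the message reports $attribute's name and value count,
                    # not $attribute2's - confirm which one was intended.
                    system_message(array('title' => _('Invalid value count for [post] processing'), 'body' => sprintf('%s (<b>%s [%s]</b>)', _('Function() variable expansion can only handle 1 value'), $attribute->getName(false), count($attribute->getValues())), 'type' => 'warn'));
                } else {
                    array_push($values, $attribute2->getValue(0));
                }
            }

            # If all our value expansion results in blanks, we'll return no value
            if (count($matchattrs) == $blank) {
                if (count($vals) > 1) {
                    $vals[$i] = null;
                } else {
                    $vals = null;
                }
            } else {
                $vals[$i] = implode($char, $values);
            }
            break;

        /**
         * PasswordEncrypt will encrypt a password
         * eg: =php.PasswordEncrypt(%enc%;%userPassword%)
         *
         * This function will encrypt the users password "userPassword" using the "enc" method.
         */
        case 'PasswordEncrypt':
            if (count($args) != 2) {
                system_message(array('title' => _('Invalid argument count for PasswordEncrypt'), 'body' => sprintf('%s (<b>%s</b>)', _('PasswordEncrypt() only accepts two arguments'), $autovalue['args']), 'type' => 'warn'));
                return;
            }

            if (!$attribute->hasBeenModified()) {
                return;
            }

            # Initialised up front: the literal-password branch below never sets it,
            # and it is read again when the encoding is resolved.
            $passwordattr = null;

            # Get the attribute.
            if (preg_match_all('/%(\\w+)(\\|.+)?(\\/[lU])?%/U', strtolower($args[1]), $matchall)) {
                if (count($matchall[1]) != 1) {
                    system_message(array('title' => _('Invalid value count for PasswordEncrypt'), 'body' => sprintf('%s (<b>%s</b>)', _('Unable to get the attribute value for PasswordEncrypt()'), count($matchall[1])), 'type' => 'warn'));
                }

                $passwordattr = $matchall[1][0];
                # The submitted form is untrusted: the key may be missing or hold a nested array.
                $passwordvalue = isset($_REQUEST['new_values'][$passwordattr][$i])
                    ? $_REQUEST['new_values'][$passwordattr][$i]
                    : '';
            } else {
                $passwordvalue = $args[1];
            }

            # Strict comparison against the old values: a loose in_array() treats
            # numeric-looking strings such as "0e1" and "0e2" as equal and would
            # skip hashing a genuinely new password.
            if (!is_string($passwordvalue) || !trim($passwordvalue) || in_array($passwordvalue, $attribute->getOldValues(), true)) {
                return;
            }

            # Get the encoding
            if ($passwordattr && preg_match_all('/%(\\w+)(\\|.+)?(\\/[lU])?%/U', strtolower($args[0]), $matchall)) {
                if (count($matchall[1]) != 1) {
                    system_message(array('title' => _('Invalid value count for PasswordEncrypt'), 'body' => sprintf('%s (<b>%s</b>)', _('Unable to get the attribute value for PasswordEncrypt()'), count($matchall[1])), 'type' => 'warn'));
                }

                $encfield = $matchall[1][0];
                $enc = isset($_REQUEST[$encfield][$passwordattr][$i])
                    ? $_REQUEST[$encfield][$passwordattr][$i]
                    : '';
            } else {
                $enc = $args[0];
            }

            # NOTE(review): when taken from the request, the scheme name is chosen by the
            # client. Confirm that pla_password_hash() rejects unknown or empty schemes
            # rather than falling back to a weaker storage format.
            $enc = is_string($enc) ? strtolower($enc) : '';

            switch ($enc) {
                # LM and NT hashes are unsalted legacy formats used by Samba; the resulting
                # attribute values should be protected like the password itself.
                case 'lm':
                    $sambapassword = new smbHash();
                    $vals[$i] = $sambapassword->lmhash($passwordvalue);
                    break;

                case 'nt':
                    $sambapassword = new smbHash();
                    $vals[$i] = $sambapassword->nthash($passwordvalue);
                    break;

                default:
                    $vals[$i] = pla_password_hash($passwordvalue, $enc);
            }

            $vals = array_unique($vals);
            break;

        default:
            $vals = $this->get('AutoPost', $attribute, $i);
    }

    # Nothing computed, or nothing changed: leave the attribute untouched.
    if (!$vals || $vals == $attribute->getValues()) {
        return;
    }

    $attribute->clearValue();

    if (!is_array($vals)) {
        $attribute->setValue(array($vals));
    } else {
        $attribute->setValue($vals);
    }
}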
if (is_binary_option_required($ldapserver, $attr)) { $attr .= ";binary"; } } /* Automagically hash new userPassword attributes according to the chosen in config.php. */ if (0 == strcasecmp($attr, 'userpassword')) { if (trim($ldapserver->default_hash) != '') { $enc_type = $ldapserver->default_hash; $val = password_hash($val, $enc_type); } } elseif (strcasecmp($attr, 'sambaNTPassword') == 0) { $sambapassword = new smbHash(); $val = $sambapassword->nthash($val); } elseif (strcasecmp($attr, 'sambaLMPassword') == 0) { $sambapassword = new smbHash(); $val = $sambapassword->lmhash($val); } $new_entry = array($attr => $val); $result = $ldapserver->attrModify($dn, $new_entry); if ($result) { header(sprintf('Location: template_engine.php?server_id=%s&dn=%s&modified_attrs[]=%s', $ldapserver->server_id, $encoded_dn, $encoded_attr)); } else { pla_error(_('Failed to add the attribute.'), $ldapserver->error(), $ldapserver->errno()); } /** * Check if we need to append the ;binary option to the name * of some binary attribute * * @param object $ldapserver Server Object that the attribute is in. * @param attr $attr Attribute to test to see if it requires ;binary added to it.
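/**
 * Given a clear-text password and a hash, this function determines if the clear-text password
 * is the password that was used to generate the hash. This is handy to verify a user's password
 * when all that is given is the hash and a "guess".
 *
 * The stored value may carry a "{scheme}" prefix (ssha, smd5, sha, md5, crypt, sha512).
 * Anything else is compared as plain text. Digest comparisons use hash_equals() so that
 * the result neither depends on PHP's loose string comparison (where "0e1" == "0e2")
 * nor leaks the position of the first differing byte.
 *
 * @param string $cryptedpassword The stored hash, optionally prefixed with {scheme}.
 * @param string $plainpassword   The password in clear text to test.
 * @param string $attribute       Attribute name; 'sambalmpassword' and 'sambantpassword'
 *                                select the Samba LM/NT comparison.
 * @return bool True if the clear password matches the hash, and false otherwise.
 */
function password_check($cryptedpassword, $plainpassword, $attribute = 'userpassword')
{
    if (DEBUG_ENABLED && (($fargs = func_get_args()) || ($fargs = 'NOARGS'))) {
        debug_log('Entered (%%)', 1, 0, __FILE__, __LINE__, __METHOD__, $fargs);
    }

    if (in_array($attribute, array('sambalmpassword', 'sambantpassword'), true)) {
        $smb = new smbHash();
        # The stored value is upper-cased before comparison, as in the original check.
        $stored = strtoupper((string) $cryptedpassword);

        switch ($attribute) {
            case 'sambalmpassword':
                return hash_equals($stored, (string) $smb->lmhash($plainpassword));

            case 'sambantpassword':
                return hash_equals($stored, (string) $smb->nthash($plainpassword));
        }

        return false;
    }

    # NOTE(review): the pattern is not anchored, so a "{...}" anywhere in the stored
    # value is taken as the scheme tag - confirm that this is intended.
    if (preg_match('/{([^}]+)}(.*)/', $cryptedpassword, $matches)) {
        $cryptedpassword = $matches[2];
        $cypher = strtolower($matches[1]);
    } else {
        $cypher = null;
    }

    switch ($cypher) {
        # SSHA crypted passwords
        case 'ssha':
            $hash = base64_decode($cryptedpassword);
            # OpenLDAP uses a 4 byte salt, SunDS uses an 8 byte salt - both from char 20.
            $salt = (string) substr($hash, 20);
            # sha1(..., true) yields the same raw digest as mhash(MHASH_SHA1, ...) and is
            # always available, so the optional mhash extension is no longer required.
            $new_hash = base64_encode(sha1($plainpassword . $salt, true) . $salt);

            return hash_equals((string) $cryptedpassword, $new_hash);

        # Salted MD5
        case 'smd5':
            $hash = base64_decode($cryptedpassword);
            # The raw MD5 digest is 16 bytes; everything after it is the salt.
            $salt = (string) substr($hash, 16);
            $new_hash = base64_encode(md5($plainpassword . $salt, true) . $salt);

            return hash_equals((string) $cryptedpassword, $new_hash);

        # SHA crypted passwords
        # NOTE(review): sha, md5 and sha512 keep the original strcasecmp(), which also makes
        # the base64 digest comparison case-insensitive and is not constant-time. Tightening
        # it needs the exact prefix format returned by pla_password_hash().
        case 'sha':
            return strcasecmp(pla_password_hash($plainpassword, 'sha'), '{SHA}' . $cryptedpassword) == 0;

        # MD5 crypted passwords
        case 'md5':
            return strcasecmp(pla_password_hash($plainpassword, 'md5'), '{MD5}' . $cryptedpassword) == 0;

        # Crypt passwords
        case 'crypt':
            # Check if it's blowfish crypt
            if (preg_match('/^\\$2+/', $cryptedpassword)) {
                # Make sure that web server supports blowfish crypt
                if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH == 0) {
                    error(_('Your system crypt library does not support blowfish encryption.'), 'error', 'index.php');
                }
            } elseif (strstr($cryptedpassword, '$1$')) {
                # Make sure that web server supports md5 crypt
                if (!defined('CRYPT_MD5') || CRYPT_MD5 == 0) {
                    error(_('Your system crypt library does not support md5crypt encryption.'), 'error', 'index.php');
                }
            } elseif (strstr($cryptedpassword, '_')) {
                # Make sure that web server supports ext_des
                if (!defined('CRYPT_EXT_DES') || CRYPT_EXT_DES == 0) {
                    error(_('Your system crypt library does not support extended DES encryption.'), 'error', 'index.php');
                }
            }

            # crypt() reads the algorithm, cost and salt from the stored hash itself, so the
            # stored value is passed as the salt for every variant. The previous blowfish
            # branch rebuilt the salt from explode('$', ...), whose first element is empty
            # for a value starting with '$', and therefore never produced a valid setting.
            return hash_equals((string) $cryptedpassword, (string) crypt($plainpassword, $cryptedpassword));

        # SHA512 crypted passwords
        case 'sha512':
            return strcasecmp(pla_password_hash($plainpassword, 'sha512'), '{SHA512}' . $cryptedpassword) == 0;

        # No crypt is given assume plaintext passwords are used
        # NOTE(review): an unrecognised {scheme} also lands here and is compared as plain
        # text against the remainder of the stored value - confirm that this is intended.
        default:
            return hash_equals((string) $cryptedpassword, (string) $plainpassword);
    }
}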
/**
 * Build the LDAP password attributes for a clear-text password.
 *
 * The 'pass_algo' option selects how userPassword is stored: 'plain' keeps the
 * clear text, 'md5' stores {MD5} plus the base64 of the raw MD5 digest, and any
 * other value (including 'sha') stores {SHA} plus the base64 of the raw SHA-1
 * digest. When 'enable_samba3' is set, the Samba LM and NT hashes are added too.
 *
 * NOTE(review): none of these formats is salted or iterated, and 'plain' stores
 * the password itself. The returned values should be treated as password-equivalent.
 *
 * @param string $password Clear-text password.
 * @return array Map of LDAP attribute name to stored value.
 */
private function get_password_attrs($password)
{
    $algo = $this->get_option('pass_algo');

    // Loose comparisons on purpose: they match what a switch on $algo would do.
    if ($algo == 'plain') {
        // No hashing: the value is stored as given.
        $secret = $password;
    } elseif ($algo == 'md5') {
        $secret = '{MD5}' . base64_encode(md5($password, true));
    } else {
        // 'sha' and every unrecognised setting end up here.
        $secret = '{SHA}' . base64_encode(sha1($password, true));
    }

    $attrs = array('userPassword' => $secret);

    if (!$this->get_option('enable_samba3')) {
        return $attrs;
    }

    // Load the bundled smbHash implementation only if it is not already defined;
    // the second argument keeps class_exists() from triggering the autoloader.
    if (!class_exists('smbHash', false)) {
        Core::load(THIRD_BASE, 'smbhash', '*');
    }

    $smb = new smbHash();
    $attrs['sambaLMPassword'] = $smb->lmhash($password);
    $attrs['sambaNTPassword'] = $smb->nthash($password);

    return $attrs;
}
if (strcasecmp($attr, 'userPassword') == 0) { foreach ($new_val as $key => $userpassword) { if (trim($userpassword)) { $new_val[$key] = password_hash($userpassword, $_POST['enc_type'][$key]); } else { unset($new_val[$key]); } } $password_already_hashed = true; # Special case for samba password } elseif (strcasecmp($attr, 'sambaNTPassword') == 0 && trim($new_val[0])) { $sambapassword = new smbHash(); $new_val[0] = $sambapassword->nthash($new_val[0]); # Special case for samba password } elseif (strcasecmp($attr, 'sambaLMPassword') == 0 && trim($new_val[0])) { $sambapassword = new smbHash(); $new_val[0] = $sambapassword->lmhash($new_val[0]); } # Retest in case our now encoded password is the same. if ($new_val === $old_val) { continue; } if ($new_val) { $update_array[$attr] = $new_val; } } } # Check user password with new encoding. if (isset($new_values['userpassword']) && is_array($new_values['userpassword'])) { foreach ($new_values['userpassword'] as $key => $userpassword) { if ($userpassword) {
preg_match_all('/%(\\w+)(\\|.+)?(\\/[lU])?%/U', $matches[2], $matchall); $enc = $_REQUEST[$matchall[1][0]]; $password = $_REQUEST['form'][$matchall[1][1]]; if (trim($password)) { $value = password_hash($password, $enc); $_REQUEST['form'][$attr] = $value; } break; case 'SambaPassword': $matchall = explode(',', $matches[2]); $attr = preg_replace('/%/', '', $matchall[1]); # If we have no password, then dont hash nothing! if (!trim($_REQUEST['form'][$attr])) { break; } $sambapassword = new smbHash(); switch ($matchall[0]) { case 'LM': $value = $sambapassword->lmhash($_REQUEST['form'][$attr]); break; case 'NT': $value = $sambapassword->nthash($_REQUEST['form'][$attr]); break; default: $value = null; } $_REQUEST['form'][$attr] = $value; break; case 'Join': preg_match_all('/%(\\w+)(\\|.+)?(\\/[lU])?%/U', $matches[2], $matchall); $matchattrs = explode(',', $matches[2]);