diff options
Diffstat (limited to 'plugins/password/drivers/ldap.php')
| -rw-r--r-- | plugins/password/drivers/ldap.php | 169 |
1 files changed, 95 insertions, 74 deletions
diff --git a/plugins/password/drivers/ldap.php b/plugins/password/drivers/ldap.php index 739958ad7..f773335ac 100644 --- a/plugins/password/drivers/ldap.php +++ b/plugins/password/drivers/ldap.php @@ -23,7 +23,7 @@ class rcube_ldap_password // Building user DN if ($userDN = $rcmail->config->get('password_ldap_userDN_mask')) { - $userDN = self::substitute_vars($userDN); + $userDN = $this->substitute_vars($userDN); } else { $userDN = $this->search_userdn($rcmail); } @@ -64,7 +64,7 @@ class rcube_ldap_password return PASSWORD_CONNECT_ERROR; } - $crypted_pass = self::hash_password($passwd, $rcmail->config->get('password_ldap_encodage')); + $crypted_pass = $this->hashPassword($passwd, $rcmail->config->get('password_ldap_encodage')); $force = $rcmail->config->get('password_ldap_force_replace'); $pwattr = $rcmail->config->get('password_ldap_pwattr'); $lchattr = $rcmail->config->get('password_ldap_lchattr'); @@ -84,7 +84,7 @@ class rcube_ldap_password } // Crypt new samba password - if ($smbpwattr && !($samba_pass = self::hash_password($passwd, 'samba'))) { + if ($smbpwattr && !($samba_pass = $this->hashPassword($passwd, 'samba'))) { return PASSWORD_CRYPT_ERROR; } @@ -146,8 +146,8 @@ class rcube_ldap_password return ''; } - $base = self::substitute_vars($rcmail->config->get('password_ldap_search_base')); - $filter = self::substitute_vars($rcmail->config->get('password_ldap_search_filter')); + $base = $rcmail->config->get('password_ldap_search_base'); + $filter = $this->substitute_vars($rcmail->config->get('password_ldap_search_filter')); $options = array ( 'scope' => 'sub', 'attributes' => array(), @@ -163,25 +163,27 @@ class rcube_ldap_password } /** - * Substitute %login, %name, %domain, %dc in $str - * See plugin config for details + * Substitute %login, %name, %domain, %dc in $str. + * See plugin config for details. */ - static function substitute_vars($str) + function substitute_vars($str) { - $str = str_replace('%login', $_SESSION['username'], $str); - $str = str_replace('%l', $_SESSION['username'], $str); - - $parts = explode('@', $_SESSION['username']); - - if (count($parts) == 2) { - $dc = 'dc='.strtr($parts[1], array('.' => ',dc=')); // hierarchal domain string - - $str = str_replace('%name', $parts[0], $str); - $str = str_replace('%n', $parts[0], $str); - $str = str_replace('%dc', $dc, $str); - $str = str_replace('%domain', $parts[1], $str); - $str = str_replace('%d', $parts[1], $str); - } + $rcmail = rcmail::get_instance(); + $domain = $rcmail->user->get_username('domain'); + $dc = 'dc='.strtr($domain, array('.' => ',dc=')); // hierarchal domain string + + $str = str_replace(array( + '%login', + '%name', + '%domain', + '%dc', + ), array( + $_SESSION['username'], + $rcmail->user->get_username('local'), + $domain, + $dc, + ), $str + ); return $str; } @@ -190,109 +192,128 @@ class rcube_ldap_password * Code originaly from the phpLDAPadmin development team * http://phpldapadmin.sourceforge.net/ * - * Hashes a password and returns the hash based on the specified enc_type + * Hashes a password and returns the hash based on the specified enc_type. + * + * @param string $passwordClear The password to hash in clear text. + * @param string $encodageType Standard LDAP encryption type which must be one of + * crypt, ext_des, md5crypt, blowfish, md5, sha, smd5, ssha, or clear. + * @return string The hashed password. + * */ - static function hash_password($password_clear, $encodage_type) + function hashPassword( $passwordClear, $encodageType ) { - $encodage_type = strtolower($encodage_type); - switch ($encodage_type) { + $encodageType = strtolower( $encodageType ); + switch( $encodageType ) { case 'crypt': - $crypted_password = '{CRYPT}' . crypt($password_clear, self::random_salt(2)); + $cryptedPassword = '{CRYPT}' . crypt($passwordClear, $this->randomSalt(2)); break; + case 'ext_des': - /* Extended DES crypt. see OpenBSD crypt man page */ - if (!defined('CRYPT_EXT_DES') || CRYPT_EXT_DES == 0) { - /* Your system crypt library does not support extended DES encryption */ - return false; + // extended des crypt. see OpenBSD crypt man page. + if ( ! defined( 'CRYPT_EXT_DES' ) || CRYPT_EXT_DES == 0 ) { + // Your system crypt library does not support extended DES encryption. + return FALSE; } - $crypted_password = '{CRYPT}' . crypt($password_clear, '_' . self::random_salt(8)); + $cryptedPassword = '{CRYPT}' . crypt( $passwordClear, '_' . $this->randomSalt(8) ); break; + case 'md5crypt': - if (!defined('CRYPT_MD5') || CRYPT_MD5 == 0) { - /* Your system crypt library does not support md5crypt encryption */ - return false; + if( ! defined( 'CRYPT_MD5' ) || CRYPT_MD5 == 0 ) { + // Your system crypt library does not support md5crypt encryption. + return FALSE; } - $crypted_password = '{CRYPT}' . crypt($password_clear, '$1$' . self::random_salt(9)); + $cryptedPassword = '{CRYPT}' . crypt( $passwordClear , '$1$' . $this->randomSalt(9) ); break; + case 'blowfish': - if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH == 0) { - /* Your system crypt library does not support blowfish encryption */ - return false; + if( ! defined( 'CRYPT_BLOWFISH' ) || CRYPT_BLOWFISH == 0 ) { + // Your system crypt library does not support blowfish encryption. + return FALSE; } - /* Hardcoded to second blowfish version and set number of rounds */ - $crypted_password = '{CRYPT}' . crypt($password_clear, '$2a$12$' . self::random_salt(13)); + // hardcoded to second blowfish version and set number of rounds + $cryptedPassword = '{CRYPT}' . crypt( $passwordClear , '$2a$12$' . $this->randomSalt(13) ); break; + case 'md5': - $crypted_password = '{MD5}' . base64_encode(pack('H*', md5($password_clear))); + $cryptedPassword = '{MD5}' . base64_encode( pack( 'H*' , md5( $passwordClear) ) ); break; + case 'sha': - if (function_exists('sha1')) { - /* Use PHP 4.3.0+ sha1 function, if it is available */ - $crypted_password = '{SHA}' . base64_encode(pack('H*', sha1($password_clear))); - } else if (function_exists('mhash')) { - $crypted_password = '{SHA}' . base64_encode(mhash(MHASH_SHA1, $password_clear)); + if( function_exists('sha1') ) { + // use php 4.3.0+ sha1 function, if it is available. + $cryptedPassword = '{SHA}' . base64_encode( pack( 'H*' , sha1( $passwordClear) ) ); + } elseif( function_exists( 'mhash' ) ) { + $cryptedPassword = '{SHA}' . base64_encode( mhash( MHASH_SHA1, $passwordClear) ); } else { - /* Your PHP install does not have the mhash() function */ - return false; + return FALSE; //Your PHP install does not have the mhash() function. Cannot do SHA hashes. } break; + case 'ssha': - if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) { - mt_srand((double) microtime() * 1000000 ); - $salt = mhash_keygen_s2k(MHASH_SHA1, $password_clear, substr(pack('h*', md5(mt_rand())), 0, 8), 4); - $crypted_password = '{SSHA}' . base64_encode(mhash(MHASH_SHA1, $password_clear . $salt) . $salt); + if( function_exists( 'mhash' ) && function_exists( 'mhash_keygen_s2k' ) ) { + mt_srand( (double) microtime() * 1000000 ); + $salt = mhash_keygen_s2k( MHASH_SHA1, $passwordClear, substr( pack( 'h*', md5( mt_rand() ) ), 0, 8 ), 4 ); + $cryptedPassword = '{SSHA}'.base64_encode( mhash( MHASH_SHA1, $passwordClear.$salt ).$salt ); } else { - /* Your PHP install does not have the mhash() function */ - return false; + return FALSE; //Your PHP install does not have the mhash() function. Cannot do SHA hashes. } break; + case 'smd5': - if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) { - mt_srand((double) microtime() * 1000000 ); - $salt = mhash_keygen_s2k(MHASH_MD5, $password_clear, substr(pack('h*', md5(mt_rand())), 0, 8), 4); - $crypted_password = '{SMD5}' . base64_encode(mhash(MHASH_MD5, $password_clear . $salt) . $salt); + if( function_exists( 'mhash' ) && function_exists( 'mhash_keygen_s2k' ) ) { + mt_srand( (double) microtime() * 1000000 ); + $salt = mhash_keygen_s2k( MHASH_MD5, $passwordClear, substr( pack( 'h*', md5( mt_rand() ) ), 0, 8 ), 4 ); + $cryptedPassword = '{SMD5}'.base64_encode( mhash( MHASH_MD5, $passwordClear.$salt ).$salt ); } else { - /* Your PHP install does not have the mhash() function */ - return false; + return FALSE; //Your PHP install does not have the mhash() function. Cannot do SHA hashes. } break; + case 'samba': if (function_exists('hash')) { - $crypted_password = hash('md4', rcube_charset::convert($password_clear, RCUBE_CHARSET, 'UTF-16LE')); - $crypted_password = strtoupper($crypted_password); + $cryptedPassword = hash('md4', rcube_charset_convert($passwordClear, RCMAIL_CHARSET, 'UTF-16LE')); + $cryptedPassword = strtoupper($cryptedPassword); } else { /* Your PHP install does not have the hash() function */ return false; } break; - case 'ad': - $crypted_password = rcube_charset::convert('"' . $password_clear . '"', RCUBE_CHARSET, 'UTF-16LE'); - break; + case 'clear': default: - $crypted_password = $password_clear; + $cryptedPassword = $passwordClear; } - return $crypted_password; + return $cryptedPassword; } /** * Code originaly from the phpLDAPadmin development team * http://phpldapadmin.sourceforge.net/ * - * Used to generate a random salt for crypt-style passwords + * Used to generate a random salt for crypt-style passwords. Salt strings are used + * to make pre-built hash cracking dictionaries difficult to use as the hash algorithm uses + * not only the user's password but also a randomly generated string. The string is + * stored as the first N characters of the hash for reference of hashing algorithms later. + * + * --- added 20021125 by bayu irawan <bayuir@divnet.telkom.co.id> --- + * --- ammended 20030625 by S C Rigler <srigler@houston.rr.com> --- + * + * @param int $length The length of the salt string to generate. + * @return string The generated salt string. */ - static function random_salt($length) + function randomSalt( $length ) { - $possible = '0123456789' . 'abcdefghijklmnopqrstuvwxyz' . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' . './'; + $possible = '0123456789'. + 'abcdefghijklmnopqrstuvwxyz'. + 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'. + './'; $str = ''; // mt_srand((double)microtime() * 1000000); - while (strlen($str) < $length) { + while (strlen($str) < $length) $str .= substr($possible, (rand() % strlen($possible)), 1); - } return $str; } - } |