chamilo
/
chamilo-lms
mirror of https://github.com/chamilo/chamilo-lms/tree/1.11.x
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

LDAP: enable ldap admin password encryption to avoid having clear password in the configuration file -refs BT#20849

Browse Source
pull/4927/head
NicoDucou 2 years ago
parent 66e8f9d63b
commit a528ca1375
6 changed files with 120 additions and 4 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 22
      main/auth/external_login/ldap.inc.php
  2. 3
      main/auth/ldap/authldap.php
  3. 4
      main/auth/ldap/ldap_var.inc.php
  4. 35
      main/inc/lib/api.lib.php
  5. 8
      main/install/configuration.dist.php
  6. 52
      tests/scripts/ldap_encrypt_admin_password.php

22
main/auth/external_login/ldap.inc.php
Unescape View File

@ -112,7 +112,13 @@ function extldap_authenticate($username, $password, $in_auth_with_no_password =
} }
// Connection as admin to search dn of user // Connection as admin to search dn of user
$ldapbind = @ldap_bind($ds, $extldap_config['admin_dn'], $extldap_config['admin_password']);
if (api_get_configuration_value('ldap_encrypt_admin_password') {
$ldap_pass = api_decrypt_ldap_password($extldap_config['admin_password']);
} else {
$ldap_pass = $extldap_config['admin_password'];
}
$ldapbind = @ldap_bind($ds, $extldap_config['admin_dn'], $ldap_pass);
if ($ldapbind === false) { if ($ldapbind === false) {
if ($debug) { if ($debug) {
error_log( error_log(
@ -297,7 +303,12 @@ function extldap_import_all_users()
//echo "Binding...\n"; //echo "Binding...\n";
$ldapbind = false; $ldapbind = false;
//Connection as admin to search dn of user //Connection as admin to search dn of user
$ldapbind = @ldap_bind($ds, $extldap_config['admin_dn'], $extldap_config['admin_password']); if (api_get_configuration_value('ldap_encrypt_admin_password') {
$ldap_pass = api_decrypt_ldap_password($extldap_config['admin_password']);
} else {
$ldap_pass = $extldap_config['admin_password'];
}
$ldapbind = @ldap_bind($ds, $extldap_config['admin_dn'], $ldap_pass);
if ($ldapbind === false) { if ($ldapbind === false) {
if ($debug) { if ($debug) {
error_log( error_log(
@ -437,7 +448,12 @@ function extldapGetUserAttributeValue($filter, $attribute)
throw new Exception(get_lang('LDAPConnectFailed')); throw new Exception(get_lang('LDAPConnectFailed'));
} }
if (false === ldap_bind($ldap, $extldap_config['admin_dn'], $extldap_config['admin_password'])) { if (api_get_configuration_value('ldap_encrypt_admin_password') {
$ldap_pass = api_decrypt_ldap_password($extldap_config['admin_password']);
} else {
$ldap_pass = $extldap_config['admin_password'];
}
if (false === ldap_bind($ldap, $extldap_config['admin_dn'], $ldap_pass)) {
throw new Exception(get_lang('LDAPBindFailed')); throw new Exception(get_lang('LDAPBindFailed'));
} }

3
main/auth/ldap/authldap.php
Unescape View File

@ -338,6 +338,9 @@ function ldap_handle_bind(&$ldap_handler, &$ldap_bind)
global $ldap_rdn, $ldap_pass, $extldap_config; global $ldap_rdn, $ldap_pass, $extldap_config;
$ldap_rdn = $extldap_config['admin_dn']; $ldap_rdn = $extldap_config['admin_dn'];
$ldap_pass = $extldap_config['admin_password']; $ldap_pass = $extldap_config['admin_password'];
if (api_get_configuration_value('ldap_encrypt_admin_password') {
$ldap_pass = api_decrypt_ldap_password($extldap_config['admin_password']);
}
if (!empty($ldap_rdn) and !empty($ldap_pass)) { if (!empty($ldap_rdn) and !empty($ldap_pass)) {
//error_log('Trying authenticated login :'.$ldap_rdn.'/'.$ldap_pass,0); //error_log('Trying authenticated login :'.$ldap_rdn.'/'.$ldap_pass,0);
$ldap_bind = ldap_bind($ldap_handler, $ldap_rdn, $ldap_pass); $ldap_bind = ldap_bind($ldap_handler, $ldap_rdn, $ldap_pass);

4
main/auth/ldap/ldap_var.inc.php
Unescape View File

@ -43,5 +43,7 @@ $ldap_version = $extldap_config['protocol_version'];
//non-anonymous LDAP mode //non-anonymous LDAP mode
$ldap_rdn = $extldap_config['admin_dn']; $ldap_rdn = $extldap_config['admin_dn'];
$ldap_pass = $extldap_config['admin_password']; $ldap_pass = $extldap_config['admin_password'];
if (api_get_configuration_value('ldap_encrypt_admin_password') {
$ldap_pass = api_decrypt_ldap_password($extldap_config['admin_password']);
}
$ldap_pass_placeholder = "PLACEHOLDER"; $ldap_pass_placeholder = "PLACEHOLDER";

35
main/inc/lib/api.lib.php
Unescape View File

@ -10580,3 +10580,38 @@ function api_flush_settings_cache(int $url_id): bool
return true; return true;
} }
/**
* Decrypt sent data with encoded secret defined in app/config/configuration.php
* in the variable $_configuration['ldap_admin_password_salt'].
*
* @param $encryptedText The text to be decrypted
*
* @return string
*/
function api_decrypt_ldap_password(string $encryptedText): string
{
if (!empty(api_get_configuration_value('ldap_admin_password_salt'))) {
$secret = api_get_configuration_value('ldap_admin_password_salt');
} else {
return false;
}
$secret = hex2bin($secret);
$iv = base64_decode(substr($encryptedText, 0, 16), true);
$data = base64_decode(substr($encryptedText, 16), true);
$tag = substr($data, strlen($data) - 16);
$data = substr($data, 0, strlen($data) - 16);
try {
return openssl_decrypt(
$data,
'aes-256-gcm',
$secret,
OPENSSL_RAW_DATA,
$iv,
$tag
);
} catch (\Exception $e) {
return false;
}
}

8
main/install/configuration.dist.php
Unescape View File

@ -2236,6 +2236,14 @@ VALUES (21, 13, 'send_notification_at_a_specific_date', 'Send notification at a
// Overwrites the app/config/auth.conf.php settings // Overwrites the app/config/auth.conf.php settings
//$_configuration['extldap_config'] = ['host' => '', 'port' => '']; //$_configuration['extldap_config'] = ['host' => '', 'port' => ''];
// To use an encrypted ldap admin password in app/config/auth.conf.php
// if set to true then you need to put in app/config/auth.conf.php the encrypted passeword in $extldap_config['admin_password']
// To generate the encrypted password you can use the script tests/scripts/ldap_encrypt_admin_password.php
//$_configuration['ldap_encrypt_admin_password'] = false;
// Salt to use for admin ldap password decryption
//$_configuration['ldap_admin_password_salt'] = 'salt';
// Option to hide the teachers info on courses about info page. // Option to hide the teachers info on courses about info page.
//$_configuration['course_about_teacher_name_hide'] = false; //$_configuration['course_about_teacher_name_hide'] = false;

52
tests/scripts/ldap_encrypt_admin_password.php
Unescape View File

@ -0,0 +1,52 @@
<?php
/* For licensing terms, see /license.txt */
/**
* This script is to generate the encrypted password for LDAP admin to be used
* when the parameter "ldap_encrypt_admin_password" is set to true
* this encrypted password will be decrypted by the function api_decrypt_ldap_password
*/
//exit;
require_once __DIR__.'/../../main/inc/global.inc.php';
// Usage
echo "This generate the encryption of the password passed in parameter.".PHP_EOL;
$password = '';
if (!empty($argv[1])) {
$password = $argv[1];
} else {
echo "Password not defined in parameter. Please try again, passing it as argument to this script".PHP_EOL;
echo "Usage: php ldap_encrypt_admin_password.php password".PHP_EOL;
echo " password The original clear ldap admin's password".PHP_EOL;
exit();
}
if (!empty(api_get_configuration_value('ldap_encrypt_admin_password'))) {
echo "The encrypted password is : " . encrypt(api_get_configuration_value('ldap_encrypt_admin_password'), $password) .PHP_EOL;
} else {
echo "There is no salt defined in app/config/configuration.php for variable 'ldap_admin_password_salt'".PHP_EOL.PHP_EOL;
}
function encrypt($secret, $data)
{
$secret = hex2bin($secret);
$iv = random_bytes(12);
$tag = '';
$encrypted = openssl_encrypt(
$data,
'aes-256-gcm',
$secret,
OPENSSL_RAW_DATA,
$iv,
$tag,
'',
16
);
return base64_encode($iv) . base64_encode($encrypted . $tag);
}
Write Preview
Loading…
Cancel
Save