worteks
/
lemonldap-ng
mirror of https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
3
0
Fork 0
Code Issues Projects Releases Wiki Activity

first working version of dynamic hash passwords in trunk (LEMONLDAP-1245)

Browse Source
environments/ppa-mbqj77/deployments/1
David COUTADEUR 8 years ago
parent 5e4ef360e0
commit 6533b0a36b
14 changed files with 3694 additions and 3493 deletions
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Show Stats Download Patch File Download Diff File
  1. 472
      lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
  2. 2
      lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm
  3. 6341
      lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
  4. 8
      lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
  5. 14
      lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
  6. 5
      lemonldap-ng-manager/site/htdocs/static/languages/ar.json
  7. 5
      lemonldap-ng-manager/site/htdocs/static/languages/en.json
  8. 5
      lemonldap-ng-manager/site/htdocs/static/languages/fr.json
  9. 5
      lemonldap-ng-manager/site/htdocs/static/languages/it.json
  10. 5
      lemonldap-ng-manager/site/htdocs/static/languages/vi.json
  11. 2
      lemonldap-ng-manager/site/htdocs/static/reverseTree.json
  12. 2
      lemonldap-ng-manager/site/htdocs/static/struct.json
  13. 292
      lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/DBI.pm
  14. 29
      lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Password/DBI.pm

472
lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/DefaultValues.pm
Unescape View File

@ -5,250 +5,234 @@ our $VERSION = '2.0.0';
sub defaultValues {
return {
'activeTimer' => 1,
'ADPwdExpireWarning' => 0,
'ADPwdMaxAge' => 0,
'apacheAuthnLevel' => 4,
'applicationList' => {
'default' => {
'catname' => 'Default category',
'type' => 'category'
}
},
'authChoiceParam' => 'lmAuth',
'authentication' => 'Demo',
'captcha_mail_enabled' => 1,
'captcha_register_enabled' => 1,
'captcha_size' => 6,
'casAccessControlPolicy' => 'none',
'casAuthnLevel' => 1,
'checkXSS' => 1,
'confirmFormMethod' => 'post',
'cookieName' => 'lemonldap',
'cspConnect' => '\'self\'',
'cspDefault' => '\'self\'',
'cspFont' => '\'self\'',
'cspImg' => '\'self\' data:',
'cspScript' => '\'self\'',
'cspStyle' => '\'self\'',
'dbiAuthnLevel' => 2,
'dbiExportedVars' => {},
'demoExportedVars' => {
'cn' => 'cn',
'mail' => 'mail',
'uid' => 'uid'
},
'domain' => 'example.com',
'exportedVars' => {
'UA' => 'HTTP_USER_AGENT'
},
'ext2fActivation' => 0,
'facebookAuthnLevel' => 1,
'facebookExportedVars' => {},
'failedLoginNumber' => 5,
'formTimeout' => 120,
'globalStorage' => 'Apache::Session::File',
'globalStorageOptions' => {
'Directory' => '/var/lib/lemonldap-ng/sessions/',
'generateModule' =>
'Lemonldap::NG::Common::Apache::Session::Generate::SHA256',
'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/'
},
'groups' => {},
'hiddenAttributes' => '_password',
'httpOnly' => 1,
'infoFormMethod' => 'get',
'issuerDBCASPath' => '^/cas/',
'issuerDBCASRule' => 1,
'issuerDBGetParameters' => {},
'issuerDBGetPath' => '^/get/',
'issuerDBGetRule' => 1,
'issuerDBOpenIDConnectPath' => '^/oauth2/',
'issuerDBOpenIDConnectRule' => 1,
'issuerDBOpenIDPath' => '^/openidserver/',
'issuerDBOpenIDRule' => 1,
'issuerDBSAMLPath' => '^/saml/',
'issuerDBSAMLRule' => 1,
'jsRedirect' => 0,
'krbAuthnLevel' => 3,
'ldapAuthnLevel' => 2,
'ldapBase' => 'dc=example,dc=com',
'ldapExportedVars' => {
'cn' => 'cn',
'mail' => 'mail',
'uid' => 'uid'
},
'ldapGroupAttributeName' => 'member',
'ldapGroupAttributeNameGroup' => 'dn',
'ldapGroupAttributeNameSearch' => 'cn',
'ldapGroupAttributeNameUser' => 'dn',
'ldapGroupObjectClass' => 'groupOfNames',
'ldapPasswordResetAttribute' => 'pwdReset',
'ldapPasswordResetAttributeValue' => 'TRUE',
'ldapPort' => 389,
'ldapPwdEnc' => 'utf-8',
'ldapSearchDeref' => 'find',
'ldapServer' => 'ldap://localhost',
'ldapTimeout' => 120,
'ldapUsePasswordResetAttribute' => 1,
'ldapVersion' => 3,
'localSessionStorage' => 'Cache::FileCache',
'localSessionStorageOptions' => {
'cache_depth' => 3,
'cache_root' => '/tmp',
'default_expires_in' => 600,
'directory_umask' => '007',
'namespace' => 'lemonldap-ng-sessions'
},
'locationRules' => {
'default' => 'deny'
},
'logoutServices' => {},
'macros' => {},
'mailCharset' => 'utf-8',
'mailFrom' => 'noreply@example.com',
'mailSessionKey' => 'mail',
'mailTimeout' => 0,
'mailUrl' => 'http://auth.example.com/resetpwd',
'managerDn' => '',
'managerPassword' => '',
'multiValuesSeparator' => '; ',
'notificationStorage' => 'File',
'notificationStorageOptions' => {
'dirName' => '/var/lib/lemonldap-ng/notifications'
},
'notificationWildcard' => 'allusers',
'notifyDeleted' => 1,
'nullAuthnLevel' => 0,
'oidcAuthnLevel' => 1,
'oidcRPCallbackGetParam' => 'openidconnectcallback',
'oidcRPStateTimeout' => 600,
'oidcServiceAllowAuthorizationCodeFlow' => 1,
'oidcServiceMetaDataAuthnContext' => {
'loa-1' => 1,
'loa-2' => 2,
'loa-3' => 3,
'loa-4' => 4,
'loa-5' => 5
},
'oidcServiceMetaDataAuthorizeURI' => 'authorize',
'oidcServiceMetaDataBackChannelURI' => 'blogout',
'oidcServiceMetaDataCheckSessionURI' => 'checksession.html',
'oidcServiceMetaDataEndSessionURI' => 'logout',
'oidcServiceMetaDataFrontChannelURI' => 'flogout',
'oidcServiceMetaDataIssuer' => 'http://auth.example.com',
'oidcServiceMetaDataJWKSURI' => 'jwks',
'oidcServiceMetaDataRegistrationURI' => 'register',
'oidcServiceMetaDataTokenURI' => 'token',
'oidcServiceMetaDataUserInfoURI' => 'userinfo',
'openIdAuthnLevel' => 1,
'openIdExportedVars' => {},
'openIdIDPList' => '0;',
'openIdSPList' => '0;',
'openIdSreg_email' => 'mail',
'openIdSreg_fullname' => 'cn',
'openIdSreg_nickname' => 'uid',
'openIdSreg_timezone' => '_timezone',
'pamAuthnLevel' => 2,
'pamService' => 'login',
'passwordDB' => 'Demo',
'portal' => 'http://auth.example.com/',
'portalAntiFrame' => 1,
'portalCheckLogins' => 1,
'portalDisplayAppslist' => 1,
'portalDisplayChangePassword' => '$_auth =~ /^(LDAP|DBI|Demo)$/',
'portalDisplayLoginHistory' => 1,
'portalDisplayLogout' => 1,
'portalDisplayRegister' => 1,
'portalErrorOnExpiredSession' => 1,
'portalForceAuthnInterval' => 5,
'portalPingInterval' => 60000,
'portalRequireOldPassword' => 1,
'portalSkin' => 'bootstrap',
'portalUserAttr' => '_user',
'proxyAuthnLevel' => 2,
'radiusAuthnLevel' => 3,
'randomPasswordRegexp' => '[A-Z]{3}[a-z]{5}.\\d{2}',
'redirectFormMethod' => 'get',
'registerDB' => 'Null',
'registerTimeout' => 0,
'remoteGlobalStorage' => 'Lemonldap::NG::Common::Apache::Session::SOAP',
'remoteGlobalStorageOptions' => {
'ns' =>
'http://auth.example.com/Lemonldap/NG/Common/PSGI/SOAPService',
'proxy' => 'http://auth.example.com/sessions'
},
'requireToken' => 1,
'samlAttributeAuthorityDescriptorAttributeServiceSOAP' =>
'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;',
'samlAuthnContextMapKerberos' => 4,
'samlAuthnContextMapPassword' => 2,
'samlAuthnContextMapPasswordProtectedTransport' => 3,
'samlAuthnContextMapTLSClient' => 5,
'samlEntityID' => '#PORTAL#/saml/metadata',
'samlIdPResolveCookie' => 'lemonldapidp',
'samlIDPSSODescriptorArtifactResolutionServiceArtifact' =>
'1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact',
'samlIDPSSODescriptorSingleLogoutServiceHTTPPost' =>
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn',
'samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect' =>
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn',
'samlIDPSSODescriptorSingleLogoutServiceSOAP' =>
'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;',
'samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact' =>
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;',
'samlIDPSSODescriptorSingleSignOnServiceHTTPPost' =>
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;',
'samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect' =>
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;',
'samlIDPSSODescriptorWantAuthnRequestsSigned' => 1,
'samlMetadataForceUTF8' => 1,
'samlNameIDFormatMapEmail' => 'mail',
'samlNameIDFormatMapKerberos' => 'uid',
'samlNameIDFormatMapWindows' => 'uid',
'samlNameIDFormatMapX509' => 'mail',
'samlOrganizationDisplayName' => 'Example',
'samlOrganizationName' => 'Example',
'samlOrganizationURL' => 'http://www.example.com',
'samlRelayStateTimeout' => 600,
'samlSPSSODescriptorArtifactResolutionServiceArtifact' =>
'1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact',
'samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact' =>
'1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact',
'samlSPSSODescriptorAssertionConsumerServiceHTTPPost' =>
'0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost',
'samlSPSSODescriptorAuthnRequestsSigned' => 1,
'samlSPSSODescriptorSingleLogoutServiceHTTPPost' =>
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn',
'samlSPSSODescriptorSingleLogoutServiceHTTPRedirect' =>
'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn',
'samlSPSSODescriptorSingleLogoutServiceSOAP' =>
'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;',
'samlSPSSODescriptorWantAssertionsSigned' => 1,
'securedCookie' => 0,
'slaveAuthnLevel' => 2,
'slaveExportedVars' => {},
'SMTPServer' => '',
'SMTPTLS' => '',
'SSLAuthnLevel' => 5,
'successLoginNumber' => 5,
'timeout' => 72000,
'timeoutActivity' => 0,
'timeoutActivityInterval' => 60,
'trustedProxies' => '',
'twitterAuthnLevel' => 1,
'u2fActivation' => 0,
'upgradeSession' => 1,
'userControl' => '^[\\w\\.\\-@]+$',
'userDB' => 'Same',
'useRedirectOnError' => 1,
'useSafeJail' => 1,
'webIDAuthnLevel' => 1,
'webIDExportedVars' => {},
'whatToTrace' => 'uid',
'yubikeyAuthnLevel' => 3,
'yubikeyPublicIDSize' => 12
};
'activeTimer' => 1,
'ADPwdExpireWarning' => 0,
'ADPwdMaxAge' => 0,
'apacheAuthnLevel' => 4,
'applicationList' => {
'default' => {
'catname' => 'Default category',
'type' => 'category'
}
},
'authChoiceParam' => 'lmAuth',
'authentication' => 'Demo',
'captcha_mail_enabled' => 1,
'captcha_register_enabled' => 1,
'captcha_size' => 6,
'casAccessControlPolicy' => 'none',
'casAuthnLevel' => 1,
'checkXSS' => 1,
'confirmFormMethod' => 'post',
'cookieName' => 'lemonldap',
'cspConnect' => '\'self\'',
'cspDefault' => '\'self\'',
'cspFont' => '\'self\'',
'cspImg' => '\'self\' data:',
'cspScript' => '\'self\'',
'cspStyle' => '\'self\'',
'dbiAuthnLevel' => 2,
'dbiExportedVars' => {},
'demoExportedVars' => {
'cn' => 'cn',
'mail' => 'mail',
'uid' => 'uid'
},
'domain' => 'example.com',
'exportedVars' => {
'UA' => 'HTTP_USER_AGENT'
},
'ext2fActivation' => 0,
'facebookAuthnLevel' => 1,
'facebookExportedVars' => {},
'failedLoginNumber' => 5,
'formTimeout' => 120,
'globalStorage' => 'Apache::Session::File',
'globalStorageOptions' => {
'Directory' => '/var/lib/lemonldap-ng/sessions/',
'generateModule' => 'Lemonldap::NG::Common::Apache::Session::Generate::SHA256',
'LockDirectory' => '/var/lib/lemonldap-ng/sessions/lock/'
},
'groups' => {},
'hiddenAttributes' => '_password',
'httpOnly' => 1,
'infoFormMethod' => 'get',
'issuerDBCASPath' => '^/cas/',
'issuerDBCASRule' => 1,
'issuerDBGetParameters' => {},
'issuerDBGetPath' => '^/get/',
'issuerDBGetRule' => 1,
'issuerDBOpenIDConnectPath' => '^/oauth2/',
'issuerDBOpenIDConnectRule' => 1,
'issuerDBOpenIDPath' => '^/openidserver/',
'issuerDBOpenIDRule' => 1,
'issuerDBSAMLPath' => '^/saml/',
'issuerDBSAMLRule' => 1,
'jsRedirect' => 0,
'krbAuthnLevel' => 3,
'ldapAuthnLevel' => 2,
'ldapBase' => 'dc=example,dc=com',
'ldapExportedVars' => {
'cn' => 'cn',
'mail' => 'mail',
'uid' => 'uid'
},
'ldapGroupAttributeName' => 'member',
'ldapGroupAttributeNameGroup' => 'dn',
'ldapGroupAttributeNameSearch' => 'cn',
'ldapGroupAttributeNameUser' => 'dn',
'ldapGroupObjectClass' => 'groupOfNames',
'ldapPasswordResetAttribute' => 'pwdReset',
'ldapPasswordResetAttributeValue' => 'TRUE',
'ldapPort' => 389,
'ldapPwdEnc' => 'utf-8',
'ldapSearchDeref' => 'find',
'ldapServer' => 'ldap://localhost',
'ldapTimeout' => 120,
'ldapUsePasswordResetAttribute' => 1,
'ldapVersion' => 3,
'localSessionStorage' => 'Cache::FileCache',
'localSessionStorageOptions' => {
'cache_depth' => 3,
'cache_root' => '/tmp',
'default_expires_in' => 600,
'directory_umask' => '007',
'namespace' => 'lemonldap-ng-sessions'
},
'locationRules' => {
'default' => 'deny'
},
'logoutServices' => {},
'macros' => {},
'mailCharset' => 'utf-8',
'mailFrom' => 'noreply@example.com',
'mailSessionKey' => 'mail',
'mailTimeout' => 0,
'mailUrl' => 'http://auth.example.com/resetpwd',
'managerDn' => '',
'managerPassword' => '',
'multiValuesSeparator' => '; ',
'notificationStorage' => 'File',
'notificationStorageOptions' => {
'dirName' => '/var/lib/lemonldap-ng/notifications'
},
'notificationWildcard' => 'allusers',
'notifyDeleted' => 1,
'nullAuthnLevel' => 0,
'oidcAuthnLevel' => 1,
'oidcRPCallbackGetParam' => 'openidconnectcallback',
'oidcRPStateTimeout' => 600,
'oidcServiceAllowAuthorizationCodeFlow' => 1,
'oidcServiceMetaDataAuthnContext' => {
'loa-1' => 1,
'loa-2' => 2,
'loa-3' => 3,
'loa-4' => 4,
'loa-5' => 5
},
'oidcServiceMetaDataAuthorizeURI' => 'authorize',
'oidcServiceMetaDataBackChannelURI' => 'blogout',
'oidcServiceMetaDataCheckSessionURI' => 'checksession.html',
'oidcServiceMetaDataEndSessionURI' => 'logout',
'oidcServiceMetaDataFrontChannelURI' => 'flogout',
'oidcServiceMetaDataIssuer' => 'http://auth.example.com',
'oidcServiceMetaDataJWKSURI' => 'jwks',
'oidcServiceMetaDataRegistrationURI' => 'register',
'oidcServiceMetaDataTokenURI' => 'token',
'oidcServiceMetaDataUserInfoURI' => 'userinfo',
'openIdAuthnLevel' => 1,
'openIdExportedVars' => {},
'openIdIDPList' => '0;',
'openIdSPList' => '0;',
'openIdSreg_email' => 'mail',
'openIdSreg_fullname' => 'cn',
'openIdSreg_nickname' => 'uid',
'openIdSreg_timezone' => '_timezone',
'pamAuthnLevel' => 2,
'pamService' => 'login',
'passwordDB' => 'Demo',
'portal' => 'http://auth.example.com/',
'portalAntiFrame' => 1,
'portalCheckLogins' => 1,
'portalDisplayAppslist' => 1,
'portalDisplayChangePassword' => '$_auth =~ /^(LDAP|DBI|Demo)$/',
'portalDisplayLoginHistory' => 1,
'portalDisplayLogout' => 1,
'portalDisplayRegister' => 1,
'portalErrorOnExpiredSession' => 1,
'portalForceAuthnInterval' => 5,
'portalPingInterval' => 60000,
'portalRequireOldPassword' => 1,
'portalSkin' => 'bootstrap',
'portalUserAttr' => '_user',
'proxyAuthnLevel' => 2,
'radiusAuthnLevel' => 3,
'randomPasswordRegexp' => '[A-Z]{3}[a-z]{5}.\\d{2}',
'redirectFormMethod' => 'get',
'registerDB' => 'Null',
'registerTimeout' => 0,
'remoteGlobalStorage' => 'Lemonldap::NG::Common::Apache::Session::SOAP',
'remoteGlobalStorageOptions' => {
'ns' => 'http://auth.example.com/Lemonldap/NG/Common/PSGI/SOAPService',
'proxy' => 'http://auth.example.com/sessions'
},
'requireToken' => 1,
'samlAttributeAuthorityDescriptorAttributeServiceSOAP' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/AA/SOAP;',
'samlAuthnContextMapKerberos' => 4,
'samlAuthnContextMapPassword' => 2,
'samlAuthnContextMapPasswordProtectedTransport' => 3,
'samlAuthnContextMapTLSClient' => 5,
'samlEntityID' => '#PORTAL#/saml/metadata',
'samlIdPResolveCookie' => 'lemonldapidp',
'samlIDPSSODescriptorArtifactResolutionServiceArtifact' => '1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact',
'samlIDPSSODescriptorSingleLogoutServiceHTTPPost' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn',
'samlIDPSSODescriptorSingleLogoutServiceHTTPRedirect' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleLogout;#PORTAL#/saml/singleLogoutReturn',
'samlIDPSSODescriptorSingleLogoutServiceSOAP' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/singleLogoutSOAP;',
'samlIDPSSODescriptorSingleSignOnServiceHTTPArtifact' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/singleSignOnArtifact;',
'samlIDPSSODescriptorSingleSignOnServiceHTTPPost' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/singleSignOn;',
'samlIDPSSODescriptorSingleSignOnServiceHTTPRedirect' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/singleSignOn;',
'samlIDPSSODescriptorWantAuthnRequestsSigned' => 1,
'samlMetadataForceUTF8' => 1,
'samlNameIDFormatMapEmail' => 'mail',
'samlNameIDFormatMapKerberos' => 'uid',
'samlNameIDFormatMapWindows' => 'uid',
'samlNameIDFormatMapX509' => 'mail',
'samlOrganizationDisplayName' => 'Example',
'samlOrganizationName' => 'Example',
'samlOrganizationURL' => 'http://www.example.com',
'samlRelayStateTimeout' => 600,
'samlSPSSODescriptorArtifactResolutionServiceArtifact' => '1;0;urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/artifact',
'samlSPSSODescriptorAssertionConsumerServiceHTTPArtifact' => '1;0;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact;#PORTAL#/saml/proxySingleSignOnArtifact',
'samlSPSSODescriptorAssertionConsumerServiceHTTPPost' => '0;1;urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleSignOnPost',
'samlSPSSODescriptorAuthnRequestsSigned' => 1,
'samlSPSSODescriptorSingleLogoutServiceHTTPPost' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn',
'samlSPSSODescriptorSingleLogoutServiceHTTPRedirect' => 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect;#PORTAL#/saml/proxySingleLogout;#PORTAL#/saml/proxySingleLogoutReturn',
'samlSPSSODescriptorSingleLogoutServiceSOAP' => 'urn:oasis:names:tc:SAML:2.0:bindings:SOAP;#PORTAL#/saml/proxySingleLogoutSOAP;',
'samlSPSSODescriptorWantAssertionsSigned' => 1,
'securedCookie' => 0,
'slaveAuthnLevel' => 2,
'slaveExportedVars' => {},
'SMTPServer' => '',
'SMTPTLS' => '',
'SSLAuthnLevel' => 5,
'successLoginNumber' => 5,
'timeout' => 72000,
'timeoutActivity' => 0,
'timeoutActivityInterval' => 60,
'trustedProxies' => '',
'twitterAuthnLevel' => 1,
'u2fActivation' => 0,
'upgradeSession' => 1,
'userControl' => '^[\\w\\.\\-@]+$',
'userDB' => 'Same',
'useRedirectOnError' => 1,
'useSafeJail' => 1,
'webIDAuthnLevel' => 1,
'webIDExportedVars' => {},
'whatToTrace' => 'uid',
'yubikeyAuthnLevel' => 3,
'yubikeyPublicIDSize' => 12
};
}
1;

2
lemonldap-ng-common/lib/Lemonldap/NG/Common/Conf/ReConstants.pm
Unescape View File

@ -39,7 +39,7 @@ our $authParameters = {
choiceParams => [qw(authChoiceParam authChoiceModules)],
combinationParams => [qw(combination combModules)],
customParams => [qw(customAuth customUserDB customPassword customRegister customAddParams)],
dbiParams => [qw(dbiAuthnLevel dbiExportedVars dbiAuthChain dbiAuthUser dbiAuthPassword dbiUserChain dbiUserUser dbiUserPassword dbiAuthTable dbiUserTable dbiAuthLoginCol dbiAuthPasswordCol dbiPasswordMailCol userPivot dbiAuthPasswordHash)],
dbiParams => [qw(dbiAuthnLevel dbiExportedVars dbiAuthChain dbiAuthUser dbiAuthPassword dbiUserChain dbiUserUser dbiUserPassword dbiAuthTable dbiUserTable dbiAuthLoginCol dbiAuthPasswordCol dbiPasswordMailCol userPivot dbiAuthPasswordHash dbiDynamicHashEnabled dbiDynamicHashValidSchemes dbiDynamicHashValidSaltedSchemes dbiDynamicHashNewPasswordScheme)],
demoParams => [qw(demoExportedVars)],
facebookParams => [qw(facebookAuthnLevel facebookExportedVars facebookAppId facebookAppSecret)],
kerberosParams => [qw(krbKeytab krbByJs krbAuthnLevel)],

6341
lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Attributes.pm
View File

File diff suppressed because it is too large Load Diff

8
lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Attributes.pm
Unescape View File

@ -2269,6 +2269,14 @@ m{^(?:ldapi://[^/]*/?|\w[\w\-\.]*(?::\d{1,5})?|ldap(?:s|\+tls)?://\w[\w\-\.]*(?:
userPivot => { type => 'text', },
dbiAuthPasswordHash =>
{ type => 'text', help => 'authdbi.html#password', },
dbiDynamicHashEnabled =>
{ type => 'bool', help => 'authdbi.html#password', },
dbiDynamicHashValidSchemes =>
{ type => 'text', help => 'authdbi.html#password', },
dbiDynamicHashValidSaltedSchemes =>
{ type => 'text', help => 'authdbi.html#password', },
dbiDynamicHashNewPasswordScheme =>
{ type => 'text', help => 'authdbi.html#password', },
dbiExportedVars => {
type => 'keyTextContainer',
keyTest => qr/^!?[a-zA-Z][a-zA-Z0-9_-]*$/,

14
lemonldap-ng-manager/lib/Lemonldap/NG/Manager/Build/Tree.pm
Unescape View File

@ -172,7 +172,19 @@ sub tree {
title => 'dbiPassword',
help => 'authdbi.html#password',
form => 'simpleInputContainer',
nodes => ['dbiAuthPasswordHash']
nodes => ['dbiAuthPasswordHash',
{
title => 'dbiDynamicHash',
help => 'authdbi.html#password',
form => 'simpleInputContainer',
nodes => [
'dbiDynamicHashEnabled',
'dbiDynamicHashValidSchemes',
'dbiDynamicHashValidSaltedSchemes',
'dbiDynamicHashNewPasswordScheme'
]
}
]
}
]
},

5
lemonldap-ng-manager/site/htdocs/static/languages/ar.json vendored
Unescape View File

@ -179,6 +179,11 @@
"dbiAuthPassword": "كلمة المرور",
"dbiAuthPasswordCol": "اسم حقل كلمة المرور",
"dbiAuthPasswordHash": "هاش المخطط",
"dbiDynamicHash": "dynamic hashing",
"dbiDynamicHashEnabled": "dynamic hash activation",
"dbiDynamicHashValidSchemes": "Supported non-salted schemes",
"dbiDynamicHashValidSaltedSchemes": "Supported salted schemes",
"dbiDynamicHashNewPasswordScheme": "Dynamic hash scheme for new passwords",
"dbiAuthTable": "جدول إثبات الهوية",
"dbiAuthUser": "المستخدم",
"dbiConnection": "الاتصال",

5
lemonldap-ng-manager/site/htdocs/static/languages/en.json vendored
Unescape View File

@ -179,6 +179,11 @@
"dbiAuthPassword": "Password",
"dbiAuthPasswordCol": "Password field name",
"dbiAuthPasswordHash": "Hash scheme",
"dbiDynamicHash": "dynamic hashing",
"dbiDynamicHashEnabled": "dynamic hash activation",
"dbiDynamicHashValidSchemes": "Supported non-salted schemes",
"dbiDynamicHashValidSaltedSchemes": "Supported salted schemes",
"dbiDynamicHashNewPasswordScheme": "Dynamic hash scheme for new passwords",
"dbiAuthTable": "Authentication table",
"dbiAuthUser": "User",
"dbiConnection": "Connection",

5
lemonldap-ng-manager/site/htdocs/static/languages/fr.json vendored
Unescape View File

@ -179,6 +179,11 @@
"dbiAuthPassword": "Mot de passe",
"dbiAuthPasswordCol": "Champ mot de passe",
"dbiAuthPasswordHash": "Schéma de hachage",
"dbiDynamicHash": "Hashage dynamique",
"dbiDynamicHashEnabled": "Activation des hashes dynamiques",
"dbiDynamicHashValidSchemes": "Schémas non salés supportés",
"dbiDynamicHashValidSaltedSchemes": "Schémas salés supportés",
"dbiDynamicHashNewPasswordScheme": "Schéma de hashage dynamique pour la création de mots de passe",
"dbiAuthTable": "Table authentification",
"dbiAuthUser": "Utilisateur",
"dbiConnection": "Connexion",

5
lemonldap-ng-manager/site/htdocs/static/languages/it.json vendored
Unescape View File

@ -179,6 +179,11 @@
"dbiAuthPassword": "Password",
"dbiAuthPasswordCol": "Nome del campo password",
"dbiAuthPasswordHash": "Schema Hash",
"dbiDynamicHash": "dynamic hashing",
"dbiDynamicHashEnabled": "dynamic hash activation",
"dbiDynamicHashValidSchemes": "Supported non-salted schemes",
"dbiDynamicHashValidSaltedSchemes": "Supported salted schemes",
"dbiDynamicHashNewPasswordScheme": "Dynamic hash scheme for new passwords",
"dbiAuthTable": "Tabella di autenticazione",
"dbiAuthUser": "Utente",
"dbiConnection": "Connessione",

5
lemonldap-ng-manager/site/htdocs/static/languages/vi.json vendored
Unescape View File

@ -179,6 +179,11 @@
"dbiAuthPassword": "Mật khẩu",
"dbiAuthPasswordCol": "Tên trường mật khẩu",
"dbiAuthPasswordHash": "Giản đồ Hash",
"dbiDynamicHash": "dynamic hashing",
"dbiDynamicHashEnabled": "dynamic hash activation",
"dbiDynamicHashValidSchemes": "Supported non-salted schemes",
"dbiDynamicHashValidSaltedSchemes": "Supported salted schemes",
"dbiDynamicHashNewPasswordScheme": "Dynamic hash scheme for new passwords",
"dbiAuthTable": "Bảng xác thực",
"dbiAuthUser": "Người dùng",
"dbiConnection": "Kết nối",

2
lemonldap-ng-manager/site/htdocs/static/reverseTree.json vendored
View File

File diff suppressed because one or more lines are too long

2
lemonldap-ng-manager/site/htdocs/static/struct.json vendored
View File

File diff suppressed because one or more lines are too long

292
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/DBI.pm
Unescape View File

@ -6,6 +6,7 @@
package Lemonldap::NG::Portal::Lib::DBI;
use DBI;
use MIME::Base64;
use strict;
use Mouse;
@ -82,6 +83,277 @@ sub hash_password_for_select {
}
}
## @method protected Lemonldap::NG::Portal::_DBI get_password(ref dbh, string user)
# Get password from database
# @param dbh database handler
# @param user user
# @return password
sub get_password {
my $self = shift;
my $dbh = shift;
my $user = shift || $self->{user};
my $table = $self->conf->{dbiAuthTable};
my $loginCol = $self->conf->{dbiAuthLoginCol};
my $passwordCol = $self->conf->{dbiAuthPasswordCol};
my @rows = ();
eval {
my $sth = $dbh->prepare(
"SELECT $passwordCol FROM $table WHERE $loginCol=?"
);
$sth->execute( $user);
@rows = $sth->fetchrow_array();
};
if ($@) {
$self->lmLog( "DBI error while getting password: $@", 'error' );
return "";
}
if ( @rows == 1 ) {
$self->logger->debug( "Successfully got password from database" );
return $rows[0];
}
else {
$self->userLogger->warn( "Unable to check password for $user" );
return "";
}
}
## @method protected Lemonldap::NG::Portal::_DBI hash_password_from_database
## (ref dbh, string dbmethod, string dbsalt, string password)
# Hash the given password calling the dbmethod function in database
# @param dbh database handler
# @param dbmethod the database method for hashing
# @param salt the salt used for hashing
# @param password the password to hash
# @return hashed password
sub hash_password_from_database {
# Remark: database function must get hexadecimal input
# and send back hexadecimal output
my $self = shift;
my $dbh = shift;
my $dbmethod = shift;
my $dbsalt = shift;
my $password = shift;
# convert password to hexa
my $passwordh = unpack "H*", $password;
my @rows = ();
eval {
my $sth = $dbh->prepare("SELECT $dbmethod('$passwordh$dbsalt')");
$sth->execute();
@rows = $sth->fetchrow_array();
};
if ($@) {
$self->lmLog( "DBI error while hashing with '$dbmethod' hash function: $@", 'error' );
$self->userLogger->warn( "Unable to check password" );
return "";
}
if ( @rows == 1 ) {
$self->logger->debug( "Successfully hashed password with $dbmethod hash function in database" );
# convert salt to binary
my $dbsaltb = pack 'H*', $dbsalt;
# convert result to binary
my $res = pack 'H*', $rows[0];
return encode_base64($res . $dbsaltb ,'');
}
else {
$self->userLogger->warn( "Unable to check password with '$dbmethod'" );
return "";
}
# Return encode_base64(SQL_METHOD(password + salt) + salt)
}
## @method protected Lemonldap::NG::Portal::_DBI get_salt(string dbhash)
# Return salt from salted hash password
# @param dbhash hash password
# @return extracted salt
sub get_salt {
my $self = shift;
my $dbhash = shift;
my $dbsalt;
# get rid of scheme ({sha256})
$dbhash =~ s/^\{[^}]+\}(.*)$/$1/;
# get binary hash
my $decoded = &decode_base64($dbhash);
# get last 8 bytes
$dbsalt = substr $decoded, -8;
# get hexadecimal version of salt
$dbsalt = unpack "H*", $dbsalt;
return $dbsalt;
}
## @method protected Lemonldap::NG::Portal::_DBI gen_salt()
# Generate 8 bytes of hexadecimal random salt
# @return generated salt
sub gen_salt {
my $self = shift;
my $dbsalt;
my @set = ('0' ..'9', 'A' .. 'F');
$dbsalt = join '' => map $set[rand @set], 1 .. 16;
return $dbsalt;
}
## @method protected Lemonldap::NG::Portal::_DBI dynamic_hash_password(ref dbh,
## string user, string password, string table, string loginCol, string passwordCol)
# Return hashed password for use in SQL statement
# @param dbh database handler
# @param user connected user
# @param password clear password
# @param table authentication table name
# @param loginCol name of the row containing the login
# @param passwordCol name of the row containing the password
# @return hashed password
sub dynamic_hash_password {
my $self = shift;
my $dbh = shift;
my $user = shift;
my $password = shift;
my $table = shift;
my $loginCol = shift;
my $passwordCol = shift;
# Authorized hash schemes and salted hash schemes
my @validSchemes = split / /, $self->conf->{dbiDynamicHashValidSchemes};
my @validSaltedSchemes = split / /, $self->conf->{dbiDynamicHashValidSaltedSchemes};
my $dbhash; # hash currently stored in database
my $dbscheme; # current hash scheme stored in database
my $dbmethod; # static hash method corresponding to a database function
my $dbsalt; # current salt stored in database
my $hash; # hash to compute from user password
# Search hash from database
$self->logger->debug( "Hash scheme is to be found in database" );
$dbhash = $self->get_password($dbh, $user, $table, $loginCol, $passwordCol);
# Get the scheme
$dbscheme = $dbhash;
$dbscheme =~ s/^\{([^}]+)\}.*/$1/;
$dbscheme = "" if $dbscheme eq $dbhash;
# no hash scheme => assume clear text
if($dbscheme eq "") {
$self->logger->info( "Password has no hash scheme" );
return "?";
}
# salted hash scheme
elsif(grep( /^$dbscheme$/, @validSaltedSchemes )) {
$self->logger->info( "Valid salted hash scheme: $dbscheme found for user $user" );
# extract non salted hash scheme
$dbmethod = $dbscheme;
$dbmethod =~ s/^s//i;
# extract the salt
$dbsalt = $self->get_salt($dbhash);
$self->logger->debug( "Get salt from password: $dbsalt");
# Hash password with given hash scheme and salt
$hash = $self->hash_password_from_database($dbh, $dbmethod, $dbsalt, $password);
$hash = "{$dbscheme}$hash";
return "'$hash'";
}
# static hash scheme
elsif(grep( /^$dbscheme$/, @validSchemes )) {
$self->logger->info( "Valid hash scheme: $dbscheme found for user $user" );
# Hash given password with given hash scheme and no salt
$hash = $self->hash_password_from_database($dbh, $dbscheme, "", $password);
$hash = "{$dbscheme}$hash";
return "'$hash'";
}
# no valid hash scheme
else {
$self->lmLog( "No valid hash scheme: $dbscheme for user $user", 'error' );
$self->userLogger->warn( "Unable to check password for $user" );
return "";
}
}
## @method protected Lemonldap::NG::Portal::_DBI dynamic_hash_new_password(ref dbh,
## string user, string password)
# Return hashed password for use in SQL statement
# @param dbh database handler
# @param user connected user
# @param password clear password
# @param dbscheme the scheme to use for hashing
# @return hashed password
sub dynamic_hash_new_password {
my $self = shift;
my $dbh = shift;
my $user = shift;
my $password = shift;
my $dbscheme = $self->conf->{dbiDynamicHashNewPasswordScheme} || "";
# Authorized hash schemes and salted hash schemes
my @validSchemes = split / /, $self->conf->{dbiDynamicHashValidSchemes};
my @validSaltedSchemes = split / /, $self->conf->{dbiDynamicHashValidSaltedSchemes};
my $dbmethod; # static hash method corresponding to a database function
my $dbsalt; # salt to generate for new hashed password
my $hash; # hash to compute from user password
# no hash scheme => assume clear text
if($dbscheme eq "") {
$self->logger->info( "No hash scheme selected, storing password in clear text" );
return "?";
}
# salted hash scheme
elsif(grep( /^$dbscheme$/, @validSaltedSchemes )) {
$self->logger->info( "Selected salted hash scheme: $dbscheme" );
# extract non salted hash scheme
$dbmethod = $dbscheme;
$dbmethod =~ s/^s//i;
# generate the salt
$dbsalt = $self->gen_salt();
$self->logger->debug( "Generated salt: $dbsalt" );
# Hash given password with given hash scheme and salt
$hash = $self->hash_password_from_database($dbh, $dbmethod, $dbsalt, $password);
$hash = "{$dbscheme}$hash";
return "'$hash'";
}
# static hash scheme
elsif(grep( /^$dbscheme$/, @validSchemes )) {
$self->logger->info( "Selected hash scheme: $dbscheme" );
# Hash given password with given hash scheme and no salt
$hash = $self->hash_password_from_database($dbh, $dbscheme, "", $password);
$hash = "{$dbscheme}$hash";
return "'$hash'";
}
# no valid hash scheme
else {
$self->lmLog( "No selected hash scheme: $dbscheme is invalid", 'error' );
$self->userLogger->warn( "Unable to store password for $user" );
return "";
}
}
# Verify user and password with SQL SELECT
# @param user user
# @param password password
@ -98,18 +370,28 @@ sub check_password {
my $table = $self->conf->{dbiAuthTable};
my $loginCol = $self->conf->{dbiAuthLoginCol};
my $passwordCol = $self->conf->{dbiAuthPasswordCol};
my $dynamicHash = $self->conf->{dbiDynamicHashEnabled} || 0;
# Password hash
my $passwordsql =
$self->hash_password_for_select( "?",
$self->conf->{dbiAuthPasswordHash} );
my $passwordsql;
if ( $dynamicHash == 1 ) {
# Dynamic password hashes
$passwordsql =
$self->dynamic_hash_password( $self->dbh, $user, $password, $table, $loginCol, $passwordCol );
}
else
{
# Static Password hashes
$passwordsql =
$self->hash_password_for_select( "?", $self->conf->{dbiAuthPasswordHash} );
}
my @rows = ();
eval {
my $sth = $self->dbh->prepare(
"SELECT $loginCol FROM $table WHERE $loginCol=? AND $passwordCol=$passwordsql"
);
$sth->execute( $user, $password );
$sth->execute( $user, $password ) if $passwordsql =~ /.*\?.*/;
$sth->execute( $user ) unless $passwordsql =~ /.*\?.*/;
@rows = $sth->fetchrow_array();
};
if ($@) {

29
lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Password/DBI.pm
Unescape View File

@ -21,14 +21,29 @@ sub confirm {
sub modifyPassword {
my ( $self, $req, $pwd ) = @_;
my $userCol = $self->conf->{dbiAuthLoginCol};
my $passwordCol = $self->conf->{dbiAuthPasswordCol};
my $table = $self->conf->{dbiAuthTable};
my $dynamicHash = $self->conf->{dbiDynamicHashEnabled} || 0;
my $passwordsql;
if ( $dynamicHash == 1 ) {
# Dynamic password hashes
$passwordsql =
$self->dynamic_hash_new_password( $self->dbh, $req->user, $pwd, $table, $userCol, $passwordCol );
}
else
{
# Static Password hash
$passwordsql = $self->hash_password( "?", $self->conf->{dbiAuthPasswordHash} );
}
eval {
$self->dbh->prepare( 'UPDATE '
. $self->conf->{dbiAuthTable} . ' SET '
. $self->conf->{dbiAuthPasswordCol} . '='
. $self->hash_password( "?", $self->conf->{dbiAuthPasswordHash} )
. ' WHERE '
. $self->conf->{dbiAuthLoginCol}
. '=?' )->execute( $pwd, $req->user );
my $sth = $self->dbh->prepare(
"UPDATE $table SET $passwordCol=$passwordsql WHERE $userCol=?");
$sth->execute( $pwd, $req->user ) if $passwordsql =~ /.*\?.*/;
$sth->execute( $req->user ) unless $passwordsql =~ /.*\?.*/;
};
if ($@) {

Write Preview
Loading…
Cancel
Save