Summary | hash generation change to smbldap driver |
Queue | Passwd |
Queue Version | HEAD |
Type | Enhancement |
State | Resolved |
Priority | 1. Low |
Owners | Horde Developers (at) , eric.rostetter (at) physics (dot) utexas (dot) edu |
Requester | kglueck (at) viz (dot) tamu (dot) edu |
Created | 01/21/2005 (7494 days ago) |
Due | |
Updated | 05/31/2005 (7364 days ago) |
Assigned | 01/22/2005 (7493 days ago) |
Resolved | 05/31/2005 (7364 days ago) |
Milestone | |
Patch | No |
State ⇒ Resolved
Assigned to
State ⇒ Assigned
New Attachment: test.php
(source for this shamelessly stolen from accounts/test.php)
New Attachment: passwd_lib_Driver_smbldap.php.patch
New Attachment: passwd_config_backends.php.dist.patch
Priority ⇒ 1. Low
Type ⇒ Enhancement
Summary ⇒ hash generation change to smbldap driver
Queue ⇒ Passwd
State ⇒ New
The NT and LAN Manager hashes were being generated by an exec() call to a
program that took the password on the command line and spit out the hashes
with a colon in between them. This caused some trouble for me because
there was text being read in that was being passed to the external program
without escaping shell characters before being called. This had the effect
of when a character, such as a single quote, was used in the password, the
attempt to change the password returned errors...I didn't try a backtick,
but I'm sure that could be a rather fun experiment for an enterprising
individual. Rather than escape the text, I thought incorporating the
hashing function inside the horde code was better (and likely much more
portable).
So, I started to look to see what I could do about it. Lo and behold, there
was a PEAR module Crypt_CHAP that would generate the hashes for me. So,
I installed it and changed a couple of lines of code in the
lib/Drivers/smbldap.php code segment. Then I realized that the
sambaPwdLastSet and sambaPwdMustChange attributes also weren't getting
set. So I added that code.
Since I had to add a new PEAR module, I shamelessly stole the
accounts/test.php code and modified it to be the passwd/test.php to check
for the PEAR module Crypt_CHAP and its PHP prerequisites mhash and mcrypt.
Features that are modified/added by the attached patches are:
- Crypt_CHAP replaces external mkntpwd program to generate LM and NT hashes
- added config attributes pw_set_attribute, pw_expire_attribute, and pw_expire_time to backends.php.dist
- pw_set_attribute (sambaPwdLastSet) timestamp is updated when password changed
- pw_expire_attribute (sambaPwdMustChange) timestamp is generated from current timestamp + pw_expire_time attribute * 86400
- added test.php to test for additional modules needed
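
An added example, not the code from the attached patches: one way to compute the NT hash in-process and derive the two timestamp attributes listed above, so the password is never placed on a command line. It covers only the NT hash (MD4 over the UTF-16LE password; the LM hash is omitted), and the function names, the `sambaNTPassword` attribute name, the use of the mbstring extension and the sample values are assumptions.

```php
<?php
// Added example; hypothetical helpers, not the smbldap driver's own code.

/**
 * NT hash: MD4 over the UTF-16LE encoding of the password, as upper-case hex.
 * Computed inside PHP, so quotes or backticks in the password are only data.
 */
function nt_hash(string $password): string
{
    $utf16 = mb_convert_encoding($password, 'UTF-16LE', 'UTF-8');
    return strtoupper(hash('md4', $utf16));
}

/**
 * Build the LDAP attribute changes for a password update.
 * $params uses the config keys named in the ticket; $now is injectable for testing.
 */
function build_samba_password_attrs(string $password, array $params, ?int $now = null): array
{
    $now = $now ?? time();
    // Attribute name assumed from the Samba LDAP schema.
    $attrs = ['sambaNTPassword' => nt_hash($password)];

    if (!empty($params['pw_set_attribute'])) {
        $attrs[$params['pw_set_attribute']] = (string) $now;
    }
    if (!empty($params['pw_expire_attribute']) && isset($params['pw_expire_time'])) {
        $days = (int) $params['pw_expire_time'];
        if ($days < 0) {
            throw new InvalidArgumentException('pw_expire_time must not be negative');
        }
        // Expiry = current timestamp + pw_expire_time (days) * 86400 seconds.
        $attrs[$params['pw_expire_attribute']] = (string) ($now + $days * 86400);
    }
    return $attrs;
}

// Constructed sample configuration and password (contains a quote and a backtick).
$params = [
    'pw_set_attribute'    => 'sambaPwdLastSet',
    'pw_expire_attribute' => 'sambaPwdMustChange',
    'pw_expire_time'      => 90,
];
$attrs = build_samba_password_attrs('pa\'ss`wd', $params, 1106265600);
foreach ($attrs as $name => $value) {
    echo $name, ': ', $value, "\n";
}
```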