Changeset 1603 for trunk


Timestamp:
01/07/16 15:55:13 (9 years ago)
Author:
nanardon
Message:

Upgrade entry user to sambaAccount to store NT encrypted password

Having passwords stored in NT (Windows) form will allow them to be used for mschap(v2)
authentication

Location:
trunk/LATMOS-Accounts/lib/LATMOS/Accounts/Bases
Files:
3 edited

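--- a/trunk/LATMOS-Accounts/lib/LATMOS/Accounts/Bases/Ldap.pm
+++ b/trunk/LATMOS-Accounts/lib/LATMOS/Accounts/Bases/Ldap.pm
@@ -91,4 +91,14 @@
 }
 
+sub sambaSID {
+    my ($self, $id) = @_;
+
+    my $ssid = $self->config('sambaSID') || 'S-2016-01-07';
+    if (defined($id)) {
+        $ssid .= '-' . $id;
+    }
+    return $ssid;
+}
+
 sub load {
     my ($self) = @_;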
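Review bot: `sambaSID` silently falls back to the literal `'S-2016-01-07'` when no `sambaSID` is configured, so every deployment that forgets the setting ends up sharing one domain SID, and the literal is not in the `S-1-5-21-…` form a Samba domain SID normally has, which makes the fallback easy to miss later. Consider refusing to build a SID without a configured value, e.g. `my $ssid = $self->config('sambaSID') or die "sambaSID is not configured";`, or at least log at warning level when the fallback is used. The configured value is also appended to without any shape check; a simple `m{\AS-\d+(?:-\d+)+\z}` test before use would catch a typo before it is written into every user entry.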
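--- a/trunk/LATMOS-Accounts/lib/LATMOS/Accounts/Bases/Ldap/User.pm
+++ b/trunk/LATMOS-Accounts/lib/LATMOS/Accounts/Bases/Ldap/User.pm
@@ -15,4 +15,5 @@
 use LATMOS::Accounts::Bases::Ldap::Group;
 use LATMOS::Accounts::Utils;
+use Crypt::SmbHash;
 
 our $VERSION = (q$Rev: 649 $ =~ /^Rev: (\d+) /)[0];
@@ -49,5 +50,11 @@
     posixAccount
     shadowAccount
+    sambaSamAccount
 ) }
+
+sub _computeSSID {
+    my ($value) = @_;
+    $value * 2 + 1000
+}
 
 sub _get_attr_schema {
@@ -70,5 +77,17 @@
         },
         facsimileTelephoneNumber => { },
-        uidNumber => { uniq => 1, },
+        uidNumber => {
+            uniq => 1,
+            post => sub {
+                my ($self, $value) = @_;
+                if (!grep { $_ eq 'sambaSamAccount' }  $self->object->_get_attributes('objectClass')) {
+                    $self->_update_class(
+                        sambaSID => $self->base->sambaSID(_computeSSID($value))
+                    );
+                } else {
+                    $self->object->set_fields(sambaSID => $self->object->base->sambaSID(_computeSSID($value)));
+                }
+            },
+        },
         gidNumber => {
             reference => 'group',
@@ -121,5 +140,8 @@
         pwdChangedTime => { ro => 1 },
         labeledURI => {},
-        userPassword => { readable => 0, },
+        userPassword    => { readable => 0, },
+        sambaLMPassword => { readable => 0, },
+        sambaNTPassword => { readable => 0, },
+        sambaSid => { ro => 1 },
     }
     );
@@ -143,4 +165,5 @@
     $data{sn} ||= $id; # sn is mandatory
     $data{uid} ||= $id; # uid is mandatory
+    $data{sambaSID} = $base->sambaSID(_computeSSID($data{uidNumber}));
     $data{homeDirectory} ||= '/dev/null'; # homeDirectory is mandatory
     $data{$class->_key_attribute($base)} = $id;
@@ -230,13 +253,4 @@
             return 1;
         };
-        /^userPassword$/ and do {
-            # openldap use prefix to identify encryption passwd
-            # {CRYPT} is system dependant, eg use crypt from system
-            # As we run openldap on UNIX, this should not be a problem
-            # as we use perl crypt() which does the same
-            # This code will have to be changed if we use openldap on other UNIX
-            $val = '{CRYPT}' . ($val || 'xxx');
-            next;
-        };
         /^manager$/ && $val and do {
             my $user = $base->get_object('user', $val) or do {
@@ -255,4 +269,34 @@
 }
 
+sub _set_password {
+    my ($self, $clear_pass) = @_;
+
+    my @salt_char = (('a' .. 'z'), ('A' .. 'Z'), (0 .. 9), '/', '.');
+    my $salt = join('', map { $salt_char[rand(scalar(@salt_char))] } (1 .. 8));
+    # openldap use prefix to identify encryption passwd
+    # {CRYPT} is system dependant, eg use crypt from system
+    # As we run openldap on UNIX, this should not be a problem
+    # as we use perl crypt() which does the same
+    # This code will have to be changed if we use openldap on other UNIX
+    my $md5 = '{CRYPT}' . crypt($clear_pass, '$1$' . $salt);
+
+    my ($lm, $nt) = ntlmgen $clear_pass;
+
+    if (!grep { $_ eq 'sambaSamAccount' }  $self->get_attributes('objectClass')) {
+        $self->_update_class(
+            sambaSID => $self->base->sambaSID($self->_get_attributes('uidNumber') * 2 + 1000)
+        );
+    }
+
+    my $res = $self->set_fields(
+        userPassword    => $md5,
+        sambaLMPassword => $lm,
+        sambaNTPassword => $nt,
+    );
+    $self->base->log(LA_NOTICE, 'Mot de passe changé pour %s', $self->id)
+    if($res);
+    return $res;
+}
+
 1;
 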
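Review bot: `_set_password` writes the LM hash (`sambaLMPassword => $lm`) next to the NT hash, but the LM format is the legacy, weak one (case-folded, 14-character limit, DES-based) that current Samba releases disable by default, and the mschap(v2) use case named in the commit message needs only the NT hash, so storing LM adds a weaker copy of every password to the directory for no gain. Keep just the NT value, `my (undef, $nt) = ntlmgen $clear_pass;`, drop the `sambaLMPassword => $lm,` line from `set_fields`, and the matching `sambaLMPassword` schema entry becomes unnecessary. The same sub recomputes the RID inline as `$self->_get_attributes('uidNumber') * 2 + 1000` while the rest of the change goes through `_computeSSID`; calling the helper here keeps the two from drifting apart. Separately, the schema key is spelled `sambaSid` while every writer uses `sambaSID`; if those keys are matched case-sensitively the `ro => 1` flag will never apply, which is worth confirming.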
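--- a/trunk/LATMOS-Accounts/lib/LATMOS/Accounts/Bases/Ldap/objects.pm
+++ b/trunk/LATMOS-Accounts/lib/LATMOS/Accounts/Bases/Ldap/objects.pm
@@ -225,4 +225,18 @@
 }
 
+sub _update_class {
+    my ($self, %attr) = @_;
+
+    $self->base->log(
+        LA_NOTICE,
+        "Updating ObjectClass for %s/%s: %s",
+        $self->type, $self->id, join(', ', $self->_my_ldap_classes)
+    );
+    $self->{entry}->replace(
+        'objectClass' => [ $self->_my_ldap_classes ],
+        %attr,
+    );
+}
+
 1;
 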
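Review bot: `_update_class` carries no comment, and it is not obvious from the body why `%attr` is folded into the same `replace` as the `objectClass` rewrite; add `# Rewrite objectClass from _my_ldap_classes and apply %attr in the same replace, so a newly added auxiliary class and the attributes it requires (e.g. sambaSID) reach the entry together` above the `replace` call. The sub also returns whatever `replace` returns only implicitly; an explicit `return $self->{entry}->replace(...)` makes that contract visible to callers, which in this changeset do not check it. The log line reports the intended class list before the `replace` runs, so on failure it will have announced a change that did not happen.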