b94bf0532d2690c77ebb7831846b21eb0073ba62
[squirrelmail.git] / plugins / change_password / backend / ldap.php
1 <?php
2 /**
3 * Change password LDAP backend
4 *
5 * @version $Id$
6 * @package plugins
7 * @subpackage change_password
8 */
9
10 /** get imap server global */
11 global $imapServerAddress;
12
13 /** Default plugin configuration.*/
14 /**
15 * Address of LDAP server.
16 * You can use any URL format that is supported by your LDAP extension.
17 * Examples:
18 * <ul>
19 * <li>'ldap.example.com' - connect to server on ldap.example.com address
20 * <li>'ldaps://ldap.example.com' - connect to server on ldap.example.com address
21 * and use SSL encrypted connection to default LDAPs port.
22 * </ul>
23 * defaults to imap server address.
24 * @link http://www.php.net/ldap-connect
25 * @global string $cpw_ldap_server
26 */
27 global $cpw_ldap_server;
28 $cpw_ldap_server=$imapServerAddress;
29
30 /**
31 * Port of LDAP server.
32 * Used only when $cpw_ldap_server specifies IP address or DNS name.
33 * @global integer $cpw_ldap_port
34 */
35 global $cpw_ldap_port;
36 $cpw_ldap_port=389;
37
38 /**
39 * LDAP basedn that is used for binding to LDAP server.
40 * this option must be set to correct value.
41 * @global $cpw_ldap_basedn;
42 */
43 global $cpw_ldap_basedn;
44 $cpw_ldap_basedn='';
45
46 /**
47 * LDAP connection options
48 * @link http://www.php.net/ldap-set-option
49 * @global array $cpw_ldap_connect_opts
50 */
51 global $cpw_ldap_connect_opts;
52 $cpw_ldap_connect_opts=array();
53
54 /**
55 * Controls use of starttls on LDAP connection.
56 * Requires PHP 4.2+, PHP LDAP extension with SSL support and
57 * PROTOCOL_VERSION => 3 setting in $cpw_ldap_connect_opts
58 * @global boolean $cpw_ldap_use_tls
59 */
60 global $cpw_ldap_use_tls;
61 $cpw_ldap_use_tls=false;
62
63 /**
64 * BindDN that should be able to search LDAP directory and find DN used by user.
65 * Uses anonymous bind if set to empty string. You should not use DN with write
66 * access to LDAP directory here. Write access is not required.
67 * @global string $cpw_ldap_binddn
68 */
69 global $cpw_ldap_binddn;
70 $cpw_ldap_binddn='';
71
72 /**
73 * password used for $cpw_ldap_binddn
74 * @global string $cpw_ldap_bindpw
75 */
76 global $cpw_ldap_bindpw;
77 $cpw_ldap_bindpw='';
78
79 /**
80 * BindDN that should be able to change password.
81 * WARNING: usually user has enough privileges to change own password.
82 * If you leave default value, plugin will try to connect with DN that
83 * is detected in $cpw_ldap_username_attr=$username search and current
84 * user password will be used for authentication.
85 * @global string $cpw_ldap_admindn
86 */
87 global $cpw_ldap_admindn;
88 $cpw_ldap_admindn='';
89
90 /**
91 * password used for $cpw_ldap_admindn
92 * @global string $cpw_ldap_adminpw
93 */
94 global $cpw_ldap_adminpw;
95 $cpw_ldap_adminpw='';
96
97 /**
98 * LDAP attribute that stores username.
99 * username entry should be unique for $cpw_ldap_basedn
100 * @global string $cpw_ldap_userid_attr
101 */
102 global $cpw_ldap_userid_attr;
103 $cpw_ldap_userid_attr='uid';
104
105 /**
106 * crypto that is used to encode new password
107 * If set to empty string, system tries to keep same encoding/hashing algorithm
108 * @global string $cpw_ldap_default_crypto
109 */
110 global $cpw_ldap_default_crypto;
111 $cpw_ldap_default_crypto='';
112
113 /** end of default config */
114
115 /** configuration overrides from config file */
116 if (isset($cpw_ldap['server'])) $cpw_ldap_server=$cpw_ldap['server'];
117 if (isset($cpw_ldap['port'])) $cpw_ldap_port=$cpw_ldap['port'];
118 if (isset($cpw_ldap['basedn'])) $cpw_ldap_basedn=$cpw_ldap['basedn'];
119 if (isset($cpw_ldap['connect_opts'])) $cpw_ldap_connect_opts=$cpw_ldap['connect_opts'];
120 if (isset($cpw_ldap['use_tls'])) $cpw_ldap_use_tls=$cpw_ldap['use_tls'];
121 if (isset($cpw_ldap['binddn'])) $cpw_ldap_binddn=$cpw_ldap['binddn'];
122 if (isset($cpw_ldap['bindpw'])) $cpw_ldap_bindpw=$cpw_ldap['bindpw'];
123 if (isset($cpw_ldap['admindn'])) $cpw_ldap_admindn=$cpw_ldap['admindn'];
124 if (isset($cpw_ldap['adminpw'])) $cpw_ldap_adminpw=$cpw_ldap['adminpw'];
125 if (isset($cpw_ldap['userid_attr'])) $cpw_ldap_userid_attr=$cpw_ldap['userid_attr'];
126 if (isset($cpw_ldap['default_crypto'])) $cpw_ldap_default_crypto=$cpw_ldap['default_crypto'];
127
128 /**
129 * Adding plugin hooks
130 */
131 global $squirrelmail_plugin_hooks;
132 $squirrelmail_plugin_hooks['change_password_dochange']['ldap'] =
133 'cpw_ldap_dochange';
134 $squirrelmail_plugin_hooks['change_password_init']['ldap'] =
135 'cpw_ldap_init';
136
137 /**
138 * Backend specific functions
139 */
140 function cpw_ldap_init() {
141 global $color;
142 global $cpw_ldap_basedn;
143
144 /**
145 * If SM_PATH isn't defined, define it. Required to include files.
146 * @ignore
147 */
148 if (!defined('SM_PATH')) define('SM_PATH','../../../');
149
150 // load error_box() function
151 include_once(SM_PATH . 'functions/display_messages.php');
152
153 // set initial value for error tracker
154 $cpw_ldap_initerr=false;
155
156 // check for ldap support in php
157 if (! function_exists('ldap_connect')) {
158 error_box(_("Current configuration requires LDAP support in PHP."),$color);
159 $cpw_ldap_initerr=true;
160 }
161
162 // chech required configuration settings.
163 if ($cpw_ldap_basedn=='') {
164 error_box(_("Plugin is not configured correctly."),$color);
165 $cpw_ldap_initerr=true;
166 }
167
168 // if error var is positive, close html and stop execution
169 if ($cpw_ldap_initerr) {
170 echo '</body></html>';
171 exit;
172 }
173 }
174
175
176 /**
177 * @param array $data The username/curpw/newpw data.
178 * @return array Array of error messages.
179 */
180 function cpw_ldap_dochange($data) {
181 global $cpw_ldap_server, $cpw_ldap_port, $cpw_ldap_basedn,
182 $cpw_ldap_connect_opts,$cpw_ldap_use_tls,
183 $cpw_ldap_binddn, $cpw_ldap_bindpw,
184 $cpw_ldap_admindn, $cpw_ldap_adminpw;
185
186 // unfortunately, we can only pass one parameter to a hook function,
187 // so we have to pass it as an array.
188 $username = $data['username'];
189 $curpw = $data['curpw'];
190 $newpw = $data['newpw'];
191
192 // globalize current password.
193
194 $msgs = array();
195
196 /**
197 * connect to LDAP server
198 * hide ldap_connect() function call errors, because they are processed in script.
199 * any script execution error is treated as critical, error messages are dumped
200 * to $msgs and LDAP connection is closed with ldap_unbind(). all ldap_unbind()
201 * errors are suppressed. Any other error suppression should be explained.
202 */
203 $cpw_ldap_con=@ldap_connect($cpw_ldap_server);
204
205 if ($cpw_ldap_con) {
206 $cpw_ldap_con_err=false;
207 // set connection options
208 if (is_array($cpw_ldap_connect_opts) && $cpw_ldap_connect_opts!=array()) {
209 foreach ($cpw_ldap_connect_opts as $opt => $value) {
210 if (! ldap_set_option($cpw_ldap_con,constant('LDAP_OPT_' . $opt),$value)) {
211 // set error message
212 array_push($msgs,sprintf(_("Setting of LDAP connection option %s to value %s failed."),$opt,$value));
213 // FIXME: check if ldap_set_option modifies ldap_error.
214 array_push($msgs,sprintf(_("Error: %s"),ldap_error($cpw_ldap_con)));
215 $cpw_ldap_con_err=true;
216 }
217 }
218 }
219
220 // check for connection errors and stop execution if something is wrong
221 if ($cpw_ldap_con_err) {
222 @ldap_unbind($cpw_ldap_con);
223 return $msgs;
224 }
225
226 // enable tls
227 // FIXME: untested. use of undocumented ldap function
228 if ($cpw_ldap_use_tls &&
229 check_php_version(4,2,0) &&
230 isset($cpw_ldap_connect_opts['PROTOCOL_VERSION']) &&
231 $cpw_ldap_connect_opts['PROTOCOL_VERSION']>=3) {
232 if (! ldap_use_tls($cpw_ldap_con)) {
233 array_push($msgs,_("Unable to use TLS."));
234 array_push($msgs,sprintf(_("Error: %s"),ldap_error($cpw_ldap_con)));
235 $cpw_ldap_con_err=true;
236 }
237 } elseif ($cpw_ldap_use_tls) {
238 array_push($msgs,_("Unable to use LDAP TLS in current setup."));
239 $cpw_ldap_con_err=true;
240 }
241
242 // check for connection errors and stop execution if something is wrong
243 if ($cpw_ldap_con_err) {
244 @ldap_unbind($cpw_ldap_con);
245 return $msgs;
246 }
247
248 /**
249 * Bind to LDAP (use anonymous bind or unprivileged DN) in order to get user's DN
250 * hide ldap_bind() function call errors, because errors are processed in script
251 */
252 if ($cpw_ldap_binddn!='') {
253 // authenticated bind
254 $cpw_ldap_binding=@ldap_bind($cpw_ldap_con,$cpw_ldap_binddn,$cpw_ldap_bindpw);
255 } else {
256 // anonymous bind
257 $cpw_ldap_binding=@ldap_bind($cpw_ldap_con);
258 }
259
260 // check ldap_bind errors
261 if (! $cpw_ldap_binding) {
262 array_push($msgs,_("Unable to bind to LDAP server."));
263 array_push($msgs,sprintf(_("Server replied: %s"),ldap_error($cpw_ldap_con)));
264 @ldap_unbind($cpw_ldap_con);
265 return $msgs;
266 }
267
268 // find userdn
269 $cpw_ldap_search_err=cpw_ldap_uid_search($cpw_ldap_con,$cpw_ldap_basedn,$msgs,$cpw_ldap_res,$cpw_ldap_userdn);
270
271 // check for search errors and stop execution if something is wrong
272 if (! $cpw_ldap_search_err) {
273 ldap_unbind($cpw_ldap_con);
274 return $msgs;
275 }
276
277 /**
278 * unset $cpw_ldap_res2 variable, if such var exists.
279 * $cpw_ldap_res2 object can be set in two places and second place checks,
280 * if object was created in first place. if variable name matches (somebody
281 * uses $cpw_ldap_res2 in code or globals), incorrect validation might
282 * cause script errors.
283 */
284 if (isset($cpw_ldap_res2)) unset($cpw_ldap_res2);
285
286 // rebind as userdn or admindn
287 if ($cpw_ldap_admindn!='') {
288 // admindn bind
289 $cpw_ldap_binding=@ldap_bind($cpw_ldap_con,$cpw_ldap_admindn,$cpw_ldap_adminpw);
290
291 if ($cpw_ldap_binding) {
292 // repeat search in order to get password info. Password info should be unavailable in unprivileged bind.
293 $cpw_ldap_search_err=cpw_ldap_uid_search($cpw_ldap_con,$cpw_ldap_basedn,$msgs,$cpw_ldap_res2,$cpw_ldap_userdn);
294
295 // check for connection errors and stop execution if something is wrong
296 if (! $cpw_ldap_search_err) {
297 @ldap_unbind($cpw_ldap_con);
298 return $msgs;
299 }
300
301 // we should check user password here.
302 $cpw_ldap_cur_pass_array=ldap_get_values($cpw_ldap_con,
303 ldap_first_entry($cpw_ldap_con,$cpw_ldap_res2),'userpassword');
304 // FIXME: check if ldap_get_values() found userpassword field. Currently it might cause php errors
305
306 // compare passwords
307 if (! cpw_ldap_compare_pass($cpw_ldap_cur_pass_array[0],$curpw,$msgs)) {
308 @ldap_unbind($cpw_ldap_con);
309 return $msgs;
310 }
311 }
312 } else {
313 $cpw_ldap_binding=@ldap_bind($cpw_ldap_con,$cpw_ldap_userdn,$curpw);
314 }
315
316 if (! $cpw_ldap_binding) {
317 array_push($msgs,_("Unable to rebind to LDAP server."));
318 array_push($msgs,sprintf(_("Server replied: %s"),ldap_error($cpw_ldap_con)));
319 @ldap_unbind($cpw_ldap_con);
320 return $msgs;
321 }
322
323 // repeat search in order to get password info
324 if (! isset($cpw_ldap_res2))
325 $cpw_ldap_search_err=cpw_ldap_uid_search($cpw_ldap_con,$cpw_ldap_basedn,$msgs,$cpw_ldap_res2,$cpw_ldap_userdn);
326
327 // check for connection errors and stop execution if something is wrong
328 if (! $cpw_ldap_search_err) {
329 @ldap_unbind($cpw_ldap_con);
330 return $msgs;
331 }
332
333 // getpassword
334 $cpw_ldap_cur_pass_array=ldap_get_values($cpw_ldap_con,ldap_first_entry($cpw_ldap_con,$cpw_ldap_res2),'userpassword');
335 // FIXME: check if ldap_get_values() found userpassword field
336
337 // encrypt new password (old password is needed for plaintext encryption detection)
338 $cpw_ldap_new_pass=cpw_ldap_encrypt_pass($newpw,$cpw_ldap_cur_pass_array[0],$msgs,$curpw);
339
340 if (! $cpw_ldap_new_pass) {
341 @ldap_unbind($cpw_ldap_con);
342 return $msgs;
343 }
344
345 // set new password. suppress ldap_modify errors. script checks and displays ldap_modify errors.
346 $ldap_pass_change=@ldap_modify($cpw_ldap_con,$cpw_ldap_userdn,array('userpassword'=>$cpw_ldap_new_pass));
347
348 // check if ldap_modify was successful
349 if(! $ldap_pass_change) {
350 array_push($msgs,ldap_error($cpw_ldap_con));
351 }
352
353 // close connection
354 @ldap_unbind($cpw_ldap_con);
355 } else {
356 array_push($msgs,_("Unable to connect to LDAP server."));
357 }
358 return $msgs;
359 }
360
361 /** backend support functions **/
362
363 /**
364 * Sanitizes LDAP query strings.
365 * original code - ldapquery plugin.
366 * See rfc2254
367 * @link http://www.faqs.org/rfcs/rfc2254.html
368 * @param string $string
369 * @return string sanitized string
370 */
371 function cpw_ldap_specialchars($string) {
372 $sanitized=array('\\' => '\5c',
373 '*' => '\2a',
374 '(' => '\28',
375 ')' => '\29',
376 "\x00" => '\00');
377
378 return str_replace(array_keys($sanitized),array_values($sanitized),$string);
379 }
380
381 /**
382 * returns crypto algorithm used in password.
383 * @param string $pass encrypted/hashed password
384 * @return string lowercased crypto algorithm name
385 */
386 function cpw_ldap_get_crypto($pass,$curpass='') {
387 $ret = false;
388
389 if (preg_match("/^\{(.+)\}+/",$pass,$crypto)) {
390 $ret=strtolower($crypto[1]);
391 }
392
393 if ($ret=='crypt') {
394 // {CRYPT} can be standard des crypt, extended des crypt, md5 crypt or blowfish
395 // depends on first salt symbols (ext_des = '_', md5 = '$1$', blowfish = '$2')
396 // and length of salt (des = 2 chars, ext_des = 9, md5 = 12, blowfish = 16).
397 if (preg_match("/^\{crypt\}\\\$1\\\$+/i",$pass)) {
398 $ret='md5crypt';
399 } elseif (preg_match("/^\{crypt\}\\\$2+/i",$pass)) {
400 $ret='blowfish';
401 } elseif (preg_match("/^\{crypt\}_+/i",$pass)) {
402 $ret='extcrypt';
403 }
404 }
405
406 // maybe password is plaintext
407 if (! $ret && $curpass!='' && $pass==$curpass) $ret='plaintext';
408
409 return $ret;
410 }
411
412 /**
413 * Search LDAP for user id.
414 * @param object $ldap_con ldap connection
415 * @param string $ldap_basedn ldap basedn
416 * @param array $msgs error messages
417 * @param object $results ldap search results
418 * @param string $userdn DN of found entry
419 * @param boolean $onlyone require unique search results
420 * @return boolean false if connection failed.
421 */
422 function cpw_ldap_uid_search($ldap_con,$ldap_basedn,&$msgs,&$results,&$userdn,$onlyone=true) {
423 global $cpw_ldap_userid_attr,$username;
424
425 $ret=true;
426
427 $results=ldap_search($ldap_con,$ldap_basedn,cpw_ldap_specialchars($cpw_ldap_userid_attr . '=' . $username));
428
429 if (! $results) {
430 array_push($msgs,_("Unable to find user's DN.") . _("Search error."));
431 array_push($msgs,sprintf(_("Error: %s"),ldap_error($ldap_con)));
432 $ret=false;
433 } elseif ($onlyone && ldap_count_entries($ldap_con,$results)>1) {
434 array_push($msgs,_("Multiple userid matches found."));
435 $ret=false;
436 } elseif (! $userdn = ldap_get_dn($ldap_con,ldap_first_entry($ldap_con,$results))) {
437 // ldap_get_dn() returned error
438 array_push($msgs,_("Unable to find user's DN.") . _("ldap_get_dn error."));
439 $ret=false;
440 }
441 return $ret;
442 }
443
444 /**
445 * Encrypts LDAP password
446 *
447 * if $cpw_ldap_default_crypto is set to empty string or $same_crypto is set,
448 * uses same crypto as in old password.
449 * See phpldapadmin password_hash() function
450 * @link http://phpldapadmin.sf.net
451 * @param string $pass string that has to be encrypted/hashed
452 * @param string $cur_pass_hash old password hash
453 * @param array $msgs error message
454 * @param string $curpass current password. Used for plaintext password detection.
455 * @return string encrypted/hashed password or false
456 */
457 function cpw_ldap_encrypt_pass($pass,$cur_pass_hash,&$msgs,$curpass='') {
458 global $cpw_ldap_default_crypto;
459
460 // which crypto should be used to encode/hash password
461 if ($cpw_ldap_default_crypto=='') {
462 $ldap_crypto=cpw_ldap_get_crypto($cur_pass_hash,$curpass);
463 } else {
464 $ldap_crypto=$cpw_ldap_default_crypto;
465 }
466 return cpw_ldap_password_hash($pass,$ldap_crypto,$msgs);
467 }
468
469 /**
470 * create hashed password
471 * @param string $pass plain text password
472 * @param string $crypto used crypto algorithm
473 * @param array $msgs array used for error messages
474 * @param string $forced_salt salt that should be used during hashing.
475 * Is used only when is not set to empty string. Salt should be formated
476 * according to $crypto requirements.
477 * @return hashed password or false.
478 */
479 function cpw_ldap_password_hash($pass,$crypto,&$msgs,$forced_salt='') {
480 // set default return code
481 $ret=false;
482
483 // lowercase crypto just in case
484 $crypto=strtolower($crypto);
485
486 // extra symbols used for random string in crypt salt
487 // squirrelmail GenerateRandomString() adds alphanumerics with third argument = 7.
488 $extra_salt_chars='./';
489
490 // encrypt/hash password
491 switch ($crypto) {
492 case 'md5':
493 $ret='{MD5}' . base64_encode(pack('H*',md5($pass)));
494 break;
495 case 'smd5':
496 // minimal requirement mhash extension and php 4.0.4.
497 if( function_exists( 'mhash' ) && function_exists( 'mhash_keygen_s2k' ) ) {
498 sq_mt_seed( (double) microtime() * 1000000 );
499 if ($forced_salt!='') {
500 $salt=$forced_salt;
501 } else {
502 $salt = mhash_keygen_s2k( MHASH_MD5, $pass, substr( pack( "h*", md5( mt_rand() ) ), 0, 8 ), 4 );
503 }
504 $ret = "{SMD5}".base64_encode( mhash( MHASH_MD5, $pass.$salt ).$salt );
505 } else {
506 // use two array_push calls in order to display messages in different lines.
507 array_push($msgs,sprintf(_("Unsupported crypto: %s"),'smd5'));
508 array_push($msgs,_("PHP mhash extension is missing."));
509 }
510 break;
511 case 'sha':
512 // minimal requirement = php 4.3.0+ or php with mhash extension
513 if ( function_exists('sha1') ) {
514 // use php 4.3.0+ sha1 function, if it is available.
515 $new_value = '{SHA}' . base64_encode( pack( 'H*' , sha1( $password_clear) ) );
516 } elseif( function_exists( 'mhash' ) ) {
517 $ret = '{SHA}' . base64_encode( mhash( MHASH_SHA1, $pass) );
518 } else {
519 array_push($msgs,sprintf(_("Unsupported crypto: %s"),'sha'));
520 array_push($msgs,_("PHP mhash extension is missing."));
521 }
522 break;
523 case 'ssha':
524 // minimal requirement = mhash extension and php 4.0.4
525 if( function_exists( 'mhash' ) && function_exists( 'mhash_keygen_s2k' ) ) {
526 sq_mt_seed( (double) microtime() * 1000000 );
527 if ($forced_salt!='') {
528 $salt=$forced_salt;
529 } else {
530 $salt = mhash_keygen_s2k( MHASH_SHA1, $pass, substr( pack( "h*", md5( mt_rand() ) ), 0, 8 ), 4 );
531 }
532 $ret = "{SSHA}".base64_encode( mhash( MHASH_SHA1, $pass.$salt ).$salt );
533 } else {
534 array_push($msgs,sprintf(_("Unsupported crypto: %s"),'ssha'));
535 array_push(_("PHP mhash extension is missing."));
536 }
537 break;
538 case 'crypt':
539 if (defined('CRYPT_STD_DES') && CRYPT_STD_DES==1) {
540 $ret = '{CRYPT}' . crypt($pass,GenerateRandomString(2,$extra_salt_chars,7));
541 } else {
542 array_push($msgs,sprintf(_("Unsupported crypto: %s"),'crypt'));
543 array_push($msgs,_("System crypt library doesn't support standard DES crypt."));
544 }
545 break;
546 case 'md5crypt':
547 // check if crypt() supports md5
548 if (defined('CRYPT_MD5') && CRYPT_MD5==1) {
549 $ret = '{CRYPT}' . crypt($pass,'$1$' . GenerateRandomString(9,$extra_salt_chars,7));
550 } else {
551 array_push($msgs,sprintf(_("Unsupported crypto: %s"),'md5crypt'));
552 array_push($msgs,_("System crypt library doesn't have MD5 support."));
553 }
554 break;
555 case 'extcrypt':
556 // check if crypt() supports extended des
557 if (defined('CRYPT_EXT_DES') && CRYPT_EXT_DES==1) {
558 // FIXME: guinea pigs with extended des support needed.
559 $ret = '{CRYPT}' . crypt($pass,'_' . GenerateRandomString(8,$extra_salt_chars,7));
560 } else {
561 array_push($msgs,sprintf(_("Unsupported crypto: %s"),'ext_des'));
562 array_push($msgs,_("System crypt library doesn't support extended DES crypt."));
563 }
564 break;
565 case 'blowfish':
566 // check if crypt() supports blowfish
567 if (defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH==1) {
568 // FIXME: guinea pigs with blowfish support needed.
569 $ret = '{CRYPT}' . crypt($pass,'$2a$12$' . GenerateRandomString(13,$extra_salt_chars,7));
570 } else {
571 array_push($msgs,sprintf(_("Unsupported crypto: %s"),'Blowfish'));
572 array_push($msgs,_("System crypt library doesn't have Blowfish support."));
573 }
574 break;
575 case 'plaintext':
576 // clear plain text password
577 $ret=$pass;
578 break;
579 default:
580 array_push($msgs,sprintf(_("Unsupported crypto: %s"),
581 (is_string($ldap_crypto) ? htmlspecialchars($ldap_crypto) : _("unknown"))));
582 }
583 return $ret;
584 }
585
586 /**
587 * compares two passwords
588 * Code reuse. See phpldapadmin password_compare() function.
589 * Some parts of code was rewritten to backend specifics.
590 * @link http://phpldapadmin.sf.net
591 * @param string $pass_hash
592 * @param string $pass_clear
593 * @param array $msgs
594 * @return boolean true, if passwords match
595 */
596 function cpw_ldap_compare_pass($pass_hash,$pass_clear,&$msgs) {
597 $ret=false;
598
599 if( preg_match( "/{([^}]+)}(.*)/", $pass_hash, $cypher ) ) {
600 $pass_hash = $cypher[2];
601 $_cypher = strtolower($cypher[1]);
602 } else {
603 $_cypher = NULL;
604 }
605
606 switch( $_cypher ) {
607 case 'ssha':
608 // Salted SHA
609 // check for mhash support
610 if ( function_exists('mhash') ) {
611 $hash = base64_decode($pass_hash);
612 $salt = substr($hash, -4);
613 $new_hash = base64_encode( mhash( MHASH_SHA1, $pass_clear.$salt).$salt );
614 if( strcmp( $pass_hash, $new_hash ) == 0 )
615 $ret=true;
616 } else {
617 array_push($msgs,_("Unable to validate user's password."));
618 array_push($msgs, _("PHP mhash extension is missing."));
619 }
620 break;
621 case 'smd5':
622 // Salted MD5
623 // check for mhash support
624 if ( function_exists('mhash') ) {
625 $hash = base64_decode($pass_hash);
626 $salt = substr($hash, -4);
627 $new_hash = base64_encode( mhash( MHASH_MD5, $pass_clear.$salt).$salt );
628 if( strcmp( $pass_hash, $new_hash ) == 0)
629 $ret=true;
630 } else {
631 array_push($msgs,_("Unable to validate user's password."));
632 array_push($msgs, _("PHP mhash extension is missing."));
633 }
634 break;
635 case 'sha':
636 // SHA crypted passwords
637 if( strcasecmp( cpw_ldap_password_hash($pass_clear,'sha',$msgs), "{SHA}".$pass_hash ) == 0)
638 $ret=true;
639 break;
640 case 'md5':
641 // MD5 crypted passwords
642 if( strcasecmp( cpw_ldap_password_hash($pass_clear,'md5',$msgs), "{MD5}".$pass_hash ) == 0 )
643 $ret=true;
644 break;
645 case 'crypt':
646 // Crypt passwords
647 if( preg_match( "/^\\\$2+/",$pass_hash ) ) { // Check if it's blowfish crypt
648 // check CRYPT_BLOWFISH here.
649 // ldap server might support it, but php can be on other OS
650 if (defined('CRYPT_BLOWFISH') && CRYPT_BLOWFISH==1) {
651 if( crypt( $pass_clear, $pass_hash ) == $pass_hash )
652 $ret=true;
653 } else {
654 array_push($msgs,_("Unable to validate user's password."));
655 array_push($msgs,_("Blowfish is not supported by webserver's system crypt library."));
656 }
657 } elseif( strstr( $pass_hash, '$1$' ) ) { // Check if it's md5 crypt
658 // check CRYPT_MD5 here.
659 // ldap server might support it, but php might be on other OS
660 if (defined('CRYPT_MD5') && CRYPT_MD5==1) {
661 list(,$type,$salt,$hash) = explode('$',$pass_hash);
662 if( crypt( $pass_clear, '$1$' .$salt ) == $pass_hash )
663 $ret=true;
664 } else {
665 array_push($msgs,_("Unable to validate user's password."));
666 array_push($msgs,_("MD5 is not supported by webserver's system crypt library."));
667 }
668 } elseif( strstr( $pass_hash, '_' ) ) { // Check if it's extended des crypt
669 // check CRYPT_EXT_DES here.
670 // ldap server might support it, but php might be on other OS
671 if (defined('CRYPT_EXT_DES') && CRYPT_EXT_DES==1) {
672 if( crypt( $pass_clear, $pass_hash ) == $pass_hash )
673 $ret=true;
674 } else {
675 array_push($msgs,_("Unable to validate user's password."));
676 array_push($msgs,_("Extended DES crypt is not supported by webserver's system crypt library."));
677 }
678 } else {
679 // it is possible that this test is useless and any crypt library supports it, but ...
680 if (defined('CRYPT_STD_DES') && CRYPT_STD_DES==1) {
681 // plain crypt password
682 if( crypt($pass_clear, $pass_hash ) == $pass_hash )
683 $ret=true;
684 } else {
685 array_push($msgs,_("Unable to validate user's password."));
686 array_push($msgs,_("Standard DES crypt is not supported by webserver's system crypt library."));
687 }
688 }
689 break;
690 // No crypt is given, assume plaintext passwords are used
691 default:
692 if( $pass_clear == $pass_hash )
693 $ret=true;
694 break;
695 }
696 if (! $ret && empty($msgs)) {
697 array_push($msgs,CPW_CURRENT_NOMATCH);
698 }
699 return $ret;
700 }
701 ?>