Glen Mehn wrote:
Jose Alberto Guzman wrote:


If you run an ldap backend, I can send you an example php script.




Jose:


would you please?

cheers,

glen




Here it goes, it's an in-house script, so don't expect elegance or cleanliness.


It uses php-cracklib in order to check for good new passwords; for some reason the php4-cracklib module is not included in Debian, but it can be built as a .deb from the php4 source package. This involves editing debian/rules to add the configure option --with-crack=/usr in the COMMON_CONFIG section, as well as having _all_ the *-dev packages needed to compile php4 installed; it's a PITA but it's worth it. There may be an easier way to get the thing built, I just don't know.


In any case, if you don't want to or can't use cracklib, or have a better password checker, the code in the script can be commented out.


José

<?php
// File 1: the form page. Refuse to show the form over plain http.
if (!isset($_SERVER["HTTPS"])) {
    echo "Please use a browser with https support, and the following address:<br>\n";
    echo "https://" . $_SERVER["SERVER_NAME"] . $_SERVER["PHP_SELF"] . "\n";
    exit;
}
$servidor = $_SERVER["SERVER_NAME"];   // server whose password is being changed
?>
<html><head><title>Password change for <?php echo htmlspecialchars($servidor); ?></title></head>
<body>
<h1>Password change for <?php echo htmlspecialchars($servidor); ?></h1>
<p>Concise blurb about security policy on passwords, and what services this password affects.
Examples of secure and insecure passwords would be good.</p>
<!-- "cambiar.php" is an assumed name for the handler script below -->
<form method="post" action="cambiar.php">
<table>
<tr><td>Username</td><td><input type="text" name="usuario"> @<?php echo htmlspecialchars($servidor); ?></td></tr>
<tr><td>Current password</td><td><input type="password" name="passviejo"></td></tr>
<tr><td>New password</td><td><input type="password" name="passnuevo"></td></tr>
<tr><td>Verify new password</td><td><input type="password" name="passnuevover"></td></tr>
</table>
<input type="submit" value="Change password">
</form>
</body></html>

<?php
// File 2: the handler the form posts to (cambiar.php above).
$servidor = $_SERVER["SERVER_NAME"];
$path = dirname($_SERVER["PHP_SELF"]);
$base = "ou=People,dc=example,dc=com";   // LDAP search base, adjust to your directory

function tableinicio() { echo '<html><head><title>Password change</title></head><body><table><tr><td>'; }
function tablefinal() { echo '</td></tr></table></body></html>'; }
// helper for the repeated "print a message and stop" pattern
function fallo($msg) { tableinicio(); echo htmlspecialchars($msg) . "<br>\n"; tablefinal(); exit; }

// https validation again
if (!isset($_SERVER["HTTPS"])) {
    fallo("Please use a browser with https support, and the following address: https://$servidor$path/");
}
// check all fields have something (register_globals is gone, so read $_POST explicitly)
foreach (array("usuario", "passviejo", "passnuevo", "passnuevover") as $campo) {
    if (!isset($_POST[$campo]) || trim($_POST[$campo]) === "") {
        fallo("You need to fill all the form fields.");
    }
}
// the original called trim() and discarded its return value; keep the trimmed values
$usuario = trim($_POST["usuario"]);
$passviejo = trim($_POST["passviejo"]);
$passnuevo = trim($_POST["passnuevo"]);
$passnuevover = trim($_POST["passnuevover"]);
// check for valid usernames: letters, digits, "-", "_" and "." only
if (!preg_match('/^[A-Za-z0-9._-]+$/', $usuario)) {
    fallo("Invalid username, please type the correct username.");
}
// check for matching new passwords
if ($passnuevo != $passnuevover) {
    fallo("The new passwords you typed do not match, please type the same new password in both fields.");
}
// check for matching new and old passwords
if ($passnuevo == $passviejo) {
    fallo("The old password is the same as the new one.");
}
// check for valid old password by binding as the user
// if your ldap server is something other than localhost, change it accordingly.
$ds = ldap_connect("localhost");
if (!$ds) {
    // couldn't connect to the ldap server, in case slapd is down...
    fallo("Can not connect to server $servidor at this moment. Please try again at a later time.");
}
ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
// the user's DN was not in the mail; it is assumed to hang off the search base above
$dn = "uid=" . ldap_escape($usuario, "", LDAP_ESCAPE_DN) . ",$base";
$r = @ldap_bind($ds, $dn, $passviejo);
if (!$r) {
    ldap_close($ds);
    fallo("Can't connect to server $servidor with current password, please check your current password.");
}
// check for account sanity: exactly one entry must match the username
$sr = ldap_search($ds, $base, "(uid=" . ldap_escape($usuario, "", LDAP_ESCAPE_FILTER) . ")");
if (!$sr || ldap_count_entries($ds, $sr) != 1) {
    fallo("There's an error with your account, please report it to tech support as a duplicate account error.");
}
$info = ldap_get_entries($ds, $sr);
echo htmlspecialchars($info[0]["uid"][0] . " : " . $info[0]["cn"][0]) . "<br>\n";
// check for new password strength using cracklib
// see http://www.zend.com/manual/ref.crack.php and http://google.com/search?q=php+cracklib
// if you don't need or want cracklib you can comment this block out, but this is not recommended
$dictionary = crack_opendict('/var/cache/cracklib/cracklib_dict') or die('Can not check new password strength');
if (!crack_check($dictionary, $passnuevo)) {
    $diag = crack_getlastmessage();   // explain the reason
    crack_closedict($dictionary);
    fallo("$diag. The chosen new password is not secure enough, please choose a different one, preferably mixing up numbers, upper and lower case letters.");
}
crack_closedict($dictionary);
// actual ldap password change: MD5-crypt, '$1$' followed by 8 salt characters.
// The original took salt characters from chr(48..126), which includes '$' and other
// characters outside the ./0-9A-Za-z crypt salt alphabet, and seeded rand() from the clock.
// TODO: add SHA1 and/or MD5 hashes
$alfabeto = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
$sal = '$1$';
for ($i = 0; $i < 8; $i++) {
    $sal .= $alfabeto[random_int(0, 63)];
}
$sal .= '$';
$passcodi = crypt($passnuevo, $sal);
$modifica = array("userPassword" => "{crypt}$passcodi");
// Finally, successful change message and tidy up
if (@ldap_modify($ds, $dn, $modifica)) {
    echo "Ok, your password has been changed.<br>\n";
} else {
    // the original echoed $dn and the new hash to the browser on failure; log it server-side instead
    error_log("ldap_modify failed for $dn: " . ldap_error($ds));
    fallo("Can not change the password at this moment, please try again later.");
}
// overwrite the password variables before the script ends, as the original did with a junk string
$basura = str_repeat('#', 32);
$modifica["userPassword"] = $passcodi = $passviejo = $passnuevo = $passnuevover = $basura;
ldap_close($ds);
?>
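As an added illustration that is not part of José's script: the script builds its search filter as "uid=$usuario" and relies on the username whitelist to keep filter metacharacters out. The Python below re-implements that whitelist and the "exactly one entry" account check, and adds RFC 4515 filter escaping as a second layer; the sample usernames are constructed here, not taken from the mail.

```python
import re

# Username rule used by the posted script: letters, digits, "-", "_" and "." only.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]+")

# RFC 4515: these characters must be written as \XX inside a filter assertion value.
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def valid_username(name: str) -> bool:
    """Same decision as the script's per-character ctype_alnum loop."""
    return USERNAME_RE.fullmatch(name) is not None


def ldap_filter_escape(value: str) -> str:
    """Escape a value so it cannot change the structure of a search filter."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def uid_filter(name: str) -> str:
    """Build the '(uid=...)' filter the script searches with.

    Whitelist first, as the script does, then escape anyway so the filter
    stays well-formed even if the whitelist is later loosened.
    """
    name = name.strip()
    if not valid_username(name):
        raise ValueError("invalid username")
    return f"(uid={ldap_filter_escape(name)})"


def select_account(entries: list) -> dict:
    """Mirror the script's 'account sanity' check: exactly one entry may match."""
    if len(entries) != 1:
        raise LookupError("duplicate or missing account")
    return entries[0]


if __name__ == "__main__":
    # Constructed sample inputs: two valid names and three the whitelist must reject.
    for candidate in ["jose.guzman", "glen_m", "*", "x)(uid=admin", "jose guzman"]:
        try:
            print(candidate, "->", uid_filter(candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
    # What escaping alone does to a value that slipped past a whitelist:
    print(ldap_filter_escape("x)(uid=admin"))
```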