mirror of
https://github.com/YunoHost/SSOwat.git
synced 2024-09-03 20:06:27 +02:00
let the admin decide how passwords are handled
This commit is contained in:
parent
6b6fd09f34
commit
db9059a55c
3 changed files with 13 additions and 4 deletions
|
@ -66,7 +66,7 @@ If you use YunoHost, you may want to edit the `/etc/ssowat/conf.json.persistent`
|
||||||
|
|
||||||
## Available parameters
|
## Available parameters
|
||||||
|
|
||||||
These are the SSOwat's configuration parameters. Only `portal_domain` and `skipped_urls` are required, but it is recommended to know the others to fully understand what you can do with SSOwat.
|
These are the SSOwat's configuration parameters. Only `portal_domain` is required, but it is recommended to know the others to fully understand what you can do with SSOwat.
|
||||||
|
|
||||||
#### portal_domain
|
#### portal_domain
|
||||||
|
|
||||||
|
@ -104,6 +104,10 @@ LDAP user identifier (**default**: `uid`)
|
||||||
|
|
||||||
User's attributes to fetch from LDAP (**default**: `["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"]`)
|
User's attributes to fetch from LDAP (**default**: `["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"]`)
|
||||||
|
|
||||||
|
#### ldap_enforce_crypt
|
||||||
|
|
||||||
|
Let SSOwat re-encrypt weakly-encrypted LDAP passwords into the safer sha-512 (crypt) (**default**: `true`)
|
||||||
|
|
||||||
#### allow_mail_authentication
|
#### allow_mail_authentication
|
||||||
|
|
||||||
Whether users can authenticate with their mail address (**default**: `true`)
|
Whether users can authenticate with their mail address (**default**: `true`)
|
||||||
|
|
|
@ -50,6 +50,8 @@ function get_config()
|
||||||
ldap_host = "localhost",
|
ldap_host = "localhost",
|
||||||
ldap_group = "ou=users,dc=yunohost,dc=org",
|
ldap_group = "ou=users,dc=yunohost,dc=org",
|
||||||
ldap_identifier = "uid",
|
ldap_identifier = "uid",
|
||||||
|
ldap_enforce_crypt = true,
|
||||||
|
skipped_urls = {},
|
||||||
ldap_attributes = {"uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"},
|
ldap_attributes = {"uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"},
|
||||||
allow_mail_authentication = true,
|
allow_mail_authentication = true,
|
||||||
default_language = "en"
|
default_language = "en"
|
||||||
|
|
|
@ -293,7 +293,9 @@ function authenticate(user, password)
|
||||||
-- cache shared table in order to eventually reuse it later when updating
|
-- cache shared table in order to eventually reuse it later when updating
|
||||||
-- profile information or just passing credentials to an application.
|
-- profile information or just passing credentials to an application.
|
||||||
if connected then
|
if connected then
|
||||||
|
if conf['ldap_enforce_crypt'] then
|
||||||
ensure_user_password_uses_strong_hash(connected, user, password)
|
ensure_user_password_uses_strong_hash(connected, user, password)
|
||||||
|
end
|
||||||
cache:add(user.."-password", password, conf["session_timeout"])
|
cache:add(user.."-password", password, conf["session_timeout"])
|
||||||
ngx.log(ngx.NOTICE, "Connected as: "..user)
|
ngx.log(ngx.NOTICE, "Connected as: "..user)
|
||||||
return user
|
return user
|
||||||
|
@ -575,12 +577,13 @@ end
|
||||||
-- if it's not the case, it migrates the password to this new hash algorithm
|
-- if it's not the case, it migrates the password to this new hash algorithm
|
||||||
function ensure_user_password_uses_strong_hash(ldap, user, password)
|
function ensure_user_password_uses_strong_hash(ldap, user, password)
|
||||||
local current_hashed_password = nil
|
local current_hashed_password = nil
|
||||||
|
conf = config.get_config()
|
||||||
|
|
||||||
for dn, attrs in ldap:search {
|
for dn, attrs in ldap:search {
|
||||||
base = "ou=users,dc=yunohost,dc=org",
|
base = conf['ldap_group'],
|
||||||
scope = "onelevel",
|
scope = "onelevel",
|
||||||
sizelimit = 1,
|
sizelimit = 1,
|
||||||
filter = "(uid="..user..")",
|
filter = "("..conf['ldap_identifier'].."="..user..")",
|
||||||
attrs = {"userPassword"}
|
attrs = {"userPassword"}
|
||||||
} do
|
} do
|
||||||
current_hashed_password = attrs["userPassword"]:sub(0, 10)
|
current_hashed_password = attrs["userPassword"]:sub(0, 10)
|
||||||
|
|
Loading…
Reference in a new issue