let the admin decide how passwords are handled

This commit is contained in:
Y 2017-09-16 19:22:47 +02:00
parent 6b6fd09f34
commit db9059a55c
3 changed files with 13 additions and 4 deletions


@ -66,7 +66,7 @@ If you use YunoHost, you may want to edit the `/etc/ssowat/conf.json.persistent`
## Available parameters ## Available parameters
These are the SSOwat's configuration parameters. Only `portal_domain` and `skipped_urls` are required, but it is recommended to know the others to fully understand what you can do with SSOwat. These are the SSOwat's configuration parameters. Only `portal_domain` is required, but it is recommended to know the others to fully understand what you can do with SSOwat.
#### portal_domain #### portal_domain
@ -104,6 +104,10 @@ LDAP user identifier (**default**: `uid`)
User's attributes to fetch from LDAP (**default**: `["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"]`) User's attributes to fetch from LDAP (**default**: `["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"]`)
#### ldap_enforce_crypt
Let SSOwat re-encrypt weakly-encrypted LDAP passwords into the safer sha-512 (crypt) (**default**: `true`)
#### allow_mail_authentication #### allow_mail_authentication
Whether users can authenticate with their mail address (**default**: `true`) Whether users can authenticate with their mail address (**default**: `true`)


@ -50,6 +50,8 @@ function get_config()
ldap_host = "localhost", ldap_host = "localhost",
ldap_group = "ou=users,dc=yunohost,dc=org", ldap_group = "ou=users,dc=yunohost,dc=org",
ldap_identifier = "uid", ldap_identifier = "uid",
ldap_enforce_crypt = true,
skipped_urls = {},
ldap_attributes = {"uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"}, ldap_attributes = {"uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"},
allow_mail_authentication = true, allow_mail_authentication = true,
default_language = "en" default_language = "en"
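Review bot: The new `ldap_enforce_crypt = true` default is security-relevant (per the README hunk it decides whether weakly hashed LDAP passwords are migrated to sha-512 crypt on login) but carries no inline explanation, so an admin reading this defaults table cannot tell what turning it off costs. Suggest a comment on that line: `-- re-hash weakly hashed LDAP passwords as sha-512 crypt on login; false leaves existing weak hashes in place`. Keeping `true` as the fail-safe default is the right choice. As a point of style, `skipped_urls = {}` is inserted between `ldap_enforce_crypt` and `ldap_attributes`, splitting the `ldap_*` group; placing it next to the other non-LDAP keys would keep the table readable. That default (and the matching README wording that drops `skipped_urls` from the required parameters) is also unrelated to the password-handling change in the title, so it deserves a mention in the commit message.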


@ -293,7 +293,9 @@ function authenticate(user, password)
-- cache shared table in order to eventually reuse it later when updating -- cache shared table in order to eventually reuse it later when updating
-- profile information or just passing credentials to an application. -- profile information or just passing credentials to an application.
if connected then if connected then
ensure_user_password_uses_strong_hash(connected, user, password) if conf['ldap_enforce_crypt'] then
ensure_user_password_uses_strong_hash(connected, user, password)
end
cache:add(user.."-password", password, conf["session_timeout"]) cache:add(user.."-password", password, conf["session_timeout"])
ngx.log(ngx.NOTICE, "Connected as: "..user) ngx.log(ngx.NOTICE, "Connected as: "..user)
return user return user
@ -575,12 +577,13 @@ end
-- if it's not the case, it migrates the password to this new hash algorithm -- if it's not the case, it migrates the password to this new hash algorithm
function ensure_user_password_uses_strong_hash(ldap, user, password) function ensure_user_password_uses_strong_hash(ldap, user, password)
local current_hashed_password = nil local current_hashed_password = nil
conf = config.get_config()
for dn, attrs in ldap:search { for dn, attrs in ldap:search {
base = "ou=users,dc=yunohost,dc=org", base = conf['ldap_group'],
scope = "onelevel", scope = "onelevel",
sizelimit = 1, sizelimit = 1,
filter = "(uid="..user..")", filter = "("..conf['ldap_identifier'].."="..user..")",
attrs = {"userPassword"} attrs = {"userPassword"}
} do } do
current_hashed_password = attrs["userPassword"]:sub(0, 10) current_hashed_password = attrs["userPassword"]:sub(0, 10)