let the admin decide how passwords are handled

2024-09-03 20:06:27 +02:00 · 2017-09-16 19:22:47 +02:00 · 2017-09-16 19:22:47 +02:00 · db9059a55c
commit db9059a55c
parent 6b6fd09f34
3 changed files with 13 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -66,7 +66,7 @@ If you use YunoHost, you may want to edit the `/etc/ssowat/conf.json.persistent`

 ## Available parameters

-These are the SSOwat's configuration parameters. Only `portal_domain` and `skipped_urls` are required, but it is recommended to know the others to fully understand what you can do with SSOwat.
+These are the SSOwat's configuration parameters. Only `portal_domain` is required, but it is recommended to know the others to fully understand what you can do with SSOwat.

 #### portal_domain

@ -104,6 +104,10 @@ LDAP user identifier (**default**: `uid`)

 User's attributes to fetch from LDAP (**default**: `["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"]`)

+#### ldap_enforce_crypt
+
+Let SSOwat re-encrypt weakly-encrypted LDAP passwords into the safer sha-512 (crypt) (**default**: `true`)
+
 #### allow_mail_authentication

 Whether users can authenticate with their mail address (**default**: `true`)
--- a/config.lua
+++ b/config.lua
@ -50,6 +50,8 @@ function get_config()
        ldap_host                 = "localhost",
        ldap_group                = "ou=users,dc=yunohost,dc=org",
        ldap_identifier           = "uid",
+        ldap_enforce_crypt        = true,
+        skipped_urls              = {},
        ldap_attributes           = {"uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"},
        allow_mail_authentication = true,
        default_language          = "en"
--- a/helpers.lua
+++ b/helpers.lua
@ -293,7 +293,9 @@ function authenticate(user, password)
    -- cache shared table in order to eventually reuse it later when updating
    -- profile information or just passing credentials to an application.
    if connected then
+        if conf['ldap_enforce_crypt'] then
            ensure_user_password_uses_strong_hash(connected, user, password)
+        end
        cache:add(user.."-password", password, conf["session_timeout"])
        ngx.log(ngx.NOTICE, "Connected as: "..user)
        return user
@ -575,12 +577,13 @@ end
 -- if it's not the case, it migrates the password to this new hash algorithm
 function ensure_user_password_uses_strong_hash(ldap, user, password)
    local current_hashed_password = nil
+    conf = config.get_config()

    for dn, attrs in ldap:search {
-        base = "ou=users,dc=yunohost,dc=org",
+        base = conf['ldap_group'],
        scope = "onelevel",
        sizelimit = 1,
-        filter = "(uid="..user..")",
+        filter = "("..conf['ldap_identifier'].."="..user..")",
        attrs = {"userPassword"}
    } do
        current_hashed_password = attrs["userPassword"]:sub(0, 10)