let the admin decide how passwords are handled
parent
6b6fd09f34
commit
db9059a55c
3 changed files with 13 additions and 4 deletions
|
@ -66,7 +66,7 @@ If you use YunoHost, you may want to edit the `/etc/ssowat/conf.json.persistent`
|
|||
|
||||
## Available parameters
|
||||
|
||||
These are the SSOwat's configuration parameters. Only `portal_domain` and `skipped_urls` are required, but it is recommended to know the others to fully understand what you can do with SSOwat.
|
||||
These are the SSOwat's configuration parameters. Only `portal_domain` is required, but it is recommended to know the others to fully understand what you can do with SSOwat.
|
||||
|
||||
#### portal_domain
|
||||
|
||||
|
@ -104,6 +104,10 @@ LDAP user identifier (**default**: `uid`)
|
|||
|
||||
User's attributes to fetch from LDAP (**default**: `["uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"]`)
|
||||
|
||||
#### ldap_enforce_crypt
|
||||
|
||||
Let SSOwat re-encrypt weakly-encrypted LDAP passwords into the safer sha-512 (crypt) (**default**: `true`)
|
||||
|
||||
#### allow_mail_authentication
|
||||
|
||||
Whether users can authenticate with their mail address (**default**: `true`)
|
||||
|
|
|
@ -50,6 +50,8 @@ function get_config()
|
|||
ldap_host = "localhost",
|
||||
ldap_group = "ou=users,dc=yunohost,dc=org",
|
||||
ldap_identifier = "uid",
|
||||
ldap_enforce_crypt = true,
|
||||
skipped_urls = {},
|
||||
ldap_attributes = {"uid", "givenname", "sn", "cn", "homedirectory", "mail", "maildrop"},
|
||||
allow_mail_authentication = true,
|
||||
default_language = "en"
|
||||
|
|
|
@ -293,7 +293,9 @@ function authenticate(user, password)
|
|||
-- cache shared table in order to eventually reuse it later when updating
|
||||
-- profile information or just passing credentials to an application.
|
||||
if connected then
|
||||
ensure_user_password_uses_strong_hash(connected, user, password)
|
||||
if conf['ldap_enforce_crypt'] then
|
||||
ensure_user_password_uses_strong_hash(connected, user, password)
|
||||
end
|
||||
cache:add(user.."-password", password, conf["session_timeout"])
|
||||
ngx.log(ngx.NOTICE, "Connected as: "..user)
|
||||
return user
|
||||
|
@ -575,12 +577,13 @@ end
|
|||
-- if it's not the case, it migrates the password to this new hash algorithm
|
||||
function ensure_user_password_uses_strong_hash(ldap, user, password)
|
||||
local current_hashed_password = nil
|
||||
conf = config.get_config()
|
||||
|
||||
for dn, attrs in ldap:search {
|
||||
base = "ou=users,dc=yunohost,dc=org",
|
||||
base = conf['ldap_group'],
|
||||
scope = "onelevel",
|
||||
sizelimit = 1,
|
||||
filter = "(uid="..user..")",
|
||||
filter = "("..conf['ldap_identifier'].."="..user..")",
|
||||
attrs = {"userPassword"}
|
||||
} do
|
||||
current_hashed_password = attrs["userPassword"]:sub(0, 10)
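Review bot: The new `filter` line in ensure_user_password_uses_strong_hash still concatenates `user` into the LDAP search filter unescaped, so a login name containing `(`, `)`, `*` or `\` changes the filter that selects the entry whose `userPassword` is inspected for migration. Unless `user` is validated before authenticate() is reached (not visible in this section), it should be escaped per RFC 4515 before the filter is built. The same hunk assigns `conf = config.get_config()` without `local`, which appears to overwrite the shared `conf` that authenticate() reads for `ldap_enforce_crypt` and `session_timeout` on every login; a `local` would avoid that. The function body continues past the end of the hunk, and `escape_ldap_filter_value` below is a proposed helper, not an existing one.

```lua
-- proposed helper: hex-escape RFC 4515 filter metacharacters (NUL, \, *, (, ))
local function escape_ldap_filter_value(value)
    return (value:gsub("[%z\\%*%(%)]", function(c)
        return string.format("\\%02x", c:byte())
    end))
end

function ensure_user_password_uses_strong_hash(ldap, user, password)
    -- … unchanged: current_hashed_password declaration …
    local conf = config.get_config()

    for dn, attrs in ldap:search {
        base = conf['ldap_group'],
        -- … unchanged: scope, sizelimit …
        filter = "("..conf['ldap_identifier'].."="..escape_ldap_filter_value(user)..")",
        -- … unchanged: attrs and loop body …
```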
|
||||
|
|