4 * Simple LDAP Password Driver
6 * Driver for passwords stored in LDAP
7 * This driver is based on Edouard's LDAP Password Driver, but does not
8 * require PEAR's Net_LDAP2 to be installed
10 * @version 1.0 (2010-07-31)
11 * @author Wout Decre <wout@canodus.be>
13 function password_save($curpass, $passwd)
15 $rcmail = rcmail::get_instance();
18 if (!$ds = ldap_connect($rcmail->config->get('password_ldap_host'), $rcmail->config->get('password_ldap_port'))) {
20 return PASSWORD_CONNECT_ERROR;
23 // Set protocol version
24 if (!ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, $rcmail->config->get('password_ldap_version'))) {
26 return PASSWORD_CONNECT_ERROR;
30 if ($rcmail->config->get('password_ldap_starttls')) {
31 if (!ldap_start_tls($ds)) {
33 return PASSWORD_CONNECT_ERROR;
38 if ($user_dn = $rcmail->config->get('password_ldap_userDN_mask')) {
39 $user_dn = ldap_simple_substitute_vars($user_dn);
41 $user_dn = ldap_simple_search_userdn($rcmail, $ds);
44 if (empty($user_dn)) {
46 return PASSWORD_CONNECT_ERROR;
50 switch ($rcmail->config->get('password_ldap_method')) {
52 $binddn = $rcmail->config->get('password_ldap_adminDN');
53 $bindpw = $rcmail->config->get('password_ldap_adminPW');
63 $crypted_pass = ldap_simple_hash_password($passwd, $rcmail->config->get('password_ldap_encodage'));
64 $lchattr = $rcmail->config->get('password_ldap_lchattr');
65 $pwattr = $rcmail->config->get('password_ldap_pwattr');
66 $smbpwattr = $rcmail->config->get('password_ldap_samba_pwattr');
67 $smblchattr = $rcmail->config->get('password_ldap_samba_lchattr');
68 $samba = $rcmail->config->get('password_ldap_samba');
70 // Support password_ldap_samba option for backward compat.
71 if ($samba && !$smbpwattr) {
72 $smbpwattr = 'sambaNTPassword';
73 $smblchattr = 'sambaPwdLastSet';
78 return PASSWORD_CRYPT_ERROR;
81 // Crypt new Samba password
82 if ($smbpwattr && !($samba_pass = ldap_simple_hash_password($passwd, 'samba'))) {
83 return PASSWORD_CRYPT_ERROR;
87 if (!ldap_bind($ds, $binddn, $bindpw)) {
89 return PASSWORD_CONNECT_ERROR;
92 $entree[$pwattr] = $crypted_pass;
94 // Update PasswordLastChange Attribute if desired
96 $entree[$lchattr] = (int)(time() / 86400);
99 // Update Samba password
101 $entree[$smbpwattr] = $samba_pass;
104 // Update Samba password last change
106 $entree[$smblchattr] = time();
109 if (!ldap_modify($ds, $user_dn, $entree)) {
111 return PASSWORD_CONNECT_ERROR;
114 // All done, no error
116 return PASSWORD_SUCCESS;
120 * Bind with searchDN and searchPW and search for the user's DN
121 * Use search_base and search_filter defined in config file
122 * Return the found DN
124 function ldap_simple_search_userdn($rcmail, $ds)
127 if (!ldap_bind($ds, $rcmail->config->get('password_ldap_searchDN'), $rcmail->config->get('password_ldap_searchPW'))) {
131 /* Search for the DN */
132 if (!$sr = ldap_search($ds, $rcmail->config->get('password_ldap_search_base'), ldap_simple_substitute_vars($rcmail->config->get('password_ldap_search_filter')))) {
136 /* If no or more entries were found, return false */
137 if (ldap_count_entries($ds, $sr) != 1) {
141 return ldap_get_dn($ds, ldap_first_entry($ds, $sr));
145 * Substitute %login, %name, %domain, %dc in $str
146 * See plugin config for details
148 function ldap_simple_substitute_vars($str)
150 $str = str_replace('%login', $_SESSION['username'], $str);
151 $str = str_replace('%l', $_SESSION['username'], $str);
153 $parts = explode('@', $_SESSION['username']);
155 if (count($parts) == 2) {
156 $dc = 'dc='.strtr($parts[1], array('.' => ',dc=')); // hierarchal domain string
158 $str = str_replace('%name', $parts[0], $str);
159 $str = str_replace('%n', $parts[0], $str);
160 $str = str_replace('%dc', $dc, $str);
161 $str = str_replace('%domain', $parts[1], $str);
162 $str = str_replace('%d', $parts[1], $str);
169 * Code originaly from the phpLDAPadmin development team
170 * http://phpldapadmin.sourceforge.net/
172 * Hashes a password and returns the hash based on the specified enc_type
174 function ldap_simple_hash_password($password_clear, $encodage_type)
176 $encodage_type = strtolower($encodage_type);
177 switch ($encodage_type) {
179 $crypted_password = '{CRYPT}' . crypt($password_clear, ldap_simple_random_salt(2));
182 /* Extended DES crypt. see OpenBSD crypt man page */
183 if (!defined('CRYPT_EXT_DES') || CRYPT_EXT_DES == 0) {
184 /* Your system crypt library does not support extended DES encryption */
187 $crypted_password = '{CRYPT}' . crypt($password_clear, '_' . ldap_simple_random_salt(8));
190 if (!defined('CRYPT_MD5') || CRYPT_MD5 == 0) {
191 /* Your system crypt library does not support md5crypt encryption */
194 $crypted_password = '{CRYPT}' . crypt($password_clear, '$1$' . ldap_simple_random_salt(9));
197 if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH == 0) {
198 /* Your system crypt library does not support blowfish encryption */
201 /* Hardcoded to second blowfish version and set number of rounds */
202 $crypted_password = '{CRYPT}' . crypt($password_clear, '$2a$12$' . ldap_simple_random_salt(13));
205 $crypted_password = '{MD5}' . base64_encode(pack('H*', md5($password_clear)));
208 if (function_exists('sha1')) {
209 /* Use PHP 4.3.0+ sha1 function, if it is available */
210 $crypted_password = '{SHA}' . base64_encode(pack('H*', sha1($password_clear)));
211 } else if (function_exists('mhash')) {
212 $crypted_password = '{SHA}' . base64_encode(mhash(MHASH_SHA1, $password_clear));
214 /* Your PHP install does not have the mhash() function */
219 if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
220 mt_srand((double) microtime() * 1000000 );
221 $salt = mhash_keygen_s2k(MHASH_SHA1, $password_clear, substr(pack('h*', md5(mt_rand())), 0, 8), 4);
222 $crypted_password = '{SSHA}' . base64_encode(mhash(MHASH_SHA1, $password_clear . $salt) . $salt);
224 /* Your PHP install does not have the mhash() function */
229 if (function_exists('mhash') && function_exists('mhash_keygen_s2k')) {
230 mt_srand((double) microtime() * 1000000 );
231 $salt = mhash_keygen_s2k(MHASH_MD5, $password_clear, substr(pack('h*', md5(mt_rand())), 0, 8), 4);
232 $crypted_password = '{SMD5}' . base64_encode(mhash(MHASH_MD5, $password_clear . $salt) . $salt);
234 /* Your PHP install does not have the mhash() function */
239 if (function_exists('hash')) {
240 $crypted_password = hash('md4', rcube_charset_convert($password_clear, RCMAIL_CHARSET, 'UTF-16LE'));
242 /* Your PHP install does not have the hash() function */
248 $crypted_password = $password_clear;
251 return $crypted_password;
255 * Code originaly from the phpLDAPadmin development team
256 * http://phpldapadmin.sourceforge.net/
258 * Used to generate a random salt for crypt-style passwords
260 function ldap_simple_random_salt($length)
262 $possible = '0123456789' . 'abcdefghijklmnopqrstuvwxyz' . 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' . './';
264 // mt_srand((double)microtime() * 1000000);
265 while (strlen($str) < $length) {
266 $str .= substr($possible, (rand() % strlen($possible)), 1);