Diffstat (limited to 'perl-install/authentication.pm')
| -rw-r--r-- | perl-install/authentication.pm | 226 | 
1 files changed, 125 insertions, 101 deletions
| diff --git a/perl-install/authentication.pm b/perl-install/authentication.pm index 716128e49..55491edfb 100644 --- a/perl-install/authentication.pm +++ b/perl-install/authentication.pm @@ -1,9 +1,8 @@ -package authentication; # $Id$ +package authentication;  use common; -my $ccreds = 1; -my ($authentication) = @_; +my $authentication;  sub kinds {       my $no_para = @_ == 0; @@ -48,13 +47,15 @@ my %kind2nsswitch = (      winbind   => ['winbind'],   ); +my $lib = get_libdir(); +  my %kind2packages = (      local     => [],      SmartCard => [ 'castella-pam' ], -    LDAP      => [ 'openldap-clients', 'nss_ldap', 'pam_ldap', 'autofs', 'pam_ccreds', 'nss_updatedb' ], -    KRB5       => [ 'nss_ldap', 'pam_krb5', 'libsasl2-plug-gssapi', 'pam_ccreds', 'nss_updatedb' ], +    LDAP      => [ 'openldap-clients', 'nss-pam-ldapd', 'autofs', 'nss_updatedb' ], +    KRB5       => [ 'nss-pam-ldapd', 'pam_krb5', "${lib}sasl2-plug-gssapi", 'nss_updatedb' ],      NIS       => [ 'ypbind', 'autofs' ], -    winbind   => [ 'samba-winbind', 'nss_ldap', 'pam_krb5', 'libsasl2-plug-gssapi', 'samba-server' ], +    winbind   => [ 'samba-winbind', 'nss-pam-ldapd', 'pam_krb5', "${lib}sasl2-plug-gssapi" ],  ); 
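Review bot: `nss_updatedb` stays unconditional in the LDAP and KRB5 entries of `%kind2packages` while `pam_ccreds` moved to the conditional push in install_needed_packages; since the -341 hunk of this file runs `nss_updatedb.cron` only when `$authentication->{ccreds}` is set, nss_updatedb looks like it is needed only for the offline cache and could be pulled out of the table and added next to pam_ccreds — please confirm. `"${lib}sasl2-plug-gssapi"` depends on `get_libdir()` being evaluated at module load; a one-line comment stating what prefix it yields would help, since a wrong value silently turns the KRB5/winbind install into a missing-package failure. The file-scoped `my $authentication;` is shared by ask_parameters, fetch_dn and auth(); a comment such as `# module state shared by the wizard subs below; not a parameter` would keep the old `my ($authentication) = @_;` mistake from coming back.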
@@ -65,7 +66,7 @@ sub kind2description_raw {  	LDAP      => [ N("LDAP:"), N("Tells your computer to use LDAP for some or all authentication. LDAP consolidates certain types of information within your organization."), ],  	NIS       => [ N("NIS:"), N("Allows you to run a group of computers in the same Network Information Service domain with a common password and group file."), ],  	winbind   => [ N("Windows Domain:"), N("Winbind allows the system to retrieve information and authenticate users in a Windows domain."), ], -	KRB5        => [ N("Kerberos 5 :"), N("With Kerberos and Ldap for authentication in Active Directory Server "), ], +	KRB5        => [ N("Kerberos 5 :"), N("With Kerberos and LDAP for authentication in Active Directory Server "), ],      );      join('', map { $_ ? qq($_->[0]\n$_->[1]) : '' } map { $kind2description{$_} } @kinds);  } @@ -92,13 +93,16 @@ sub ask_parameters {      foreach (kinds()) {  	delete $authentication->{$_} if $_ ne $kind;      } +    # do not enable ccreds unless required +    undef $authentication->{ccreds};      if ($kind eq 'LDAP') {  	$authentication->{LDAPDOMAIN} ||= domain_to_ldap_domain($net->{resolv}{DOMAINNAME}); -	#$authentication->{anonymous} = "0"; -	#$authentication->{cafile} = "0"; -	#$authentication->{nssgrp} = "0"; +	$authentication->{ccreds} = 1; +    # this package must be installed for 'Fetch DN' button to actually work +    $in->do_pkgs->ensure_are_installed([ 'openldap-clients' ], 1) or return; +      	$in->ask_from('', N(" "),  		     [ { label => N("Welcome to the Authentication Wizard"), title => 1 },                       {}, 
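Review bot: The comment `# do not enable ccreds unless required` above `undef $authentication->{ccreds};` is contradicted a few lines later by the unconditional `$authentication->{ccreds} = 1;` in the LDAP branch (and the same assignment in the KRB5 branch in the -128 hunk), so it reads as if cached credentials stay off. Reword it to what the code does, e.g. `# reset any previous choice; each kind that supports pam_ccreds presets its own default below`. The resulting default is 'Use Disconnect mode' ticked, i.e. pam_ccreds credential caching on the local disk unless the user unticks it; if that is intended, the comment should say so. The new comment and the `ensure_are_installed` line are space-indented inside a tab-indented block.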
@@ -106,12 +110,12 @@ sub ask_parameters {                       {},  		     { label => N("LDAP Server"), val => \$authentication->{LDAP_server} },  		     { label => N("Base dn"), val => \$authentication->{LDAPDOMAIN} }, -                     { val => N("Fetch base Dn "), type  => button , clicked_may_quit => sub { $authentication->{LDAPDOMAIN} = fetch_dn($authentication->{LDAP_server}); 0 } }, +                     { val => N("Fetch base Dn "), type  => 'button' , clicked_may_quit => sub { $authentication->{LDAPDOMAIN} = fetch_dn($authentication->{LDAP_server}); 0 } },  		     {},  		     { text => N("Use encrypt connection with TLS "), val => \$authentication->{cafile}, type => 'bool' }, -                     { val => N("Download CA Certificate "), type  => button , disabled => sub { !$authentication->{cafile} }, clicked_may_quit => sub { $authentication->{file} = add_cafile(); 0 }  }, +                     { val => N("Download CA Certificate "), type  => 'button' , disabled => sub { !$authentication->{cafile} }, clicked_may_quit => sub { $authentication->{file} = add_cafile(); 0 }  }, -		     { text => N("Use Disconnect mode "), val => \$ccreds, type => 'bool' }, +		     { text => N("Use Disconnect mode "), val => \$authentication->{ccreds}, type => 'bool' },  		     { text => N("Use anonymous BIND "), val => \$authentication->{anonymous}, type => 'bool' , advanced => 1 },  		     { text => N("  "), advanced => 1 },                       { label => N("Bind DN "), val => \$authentication->{LDAP_binddn}, disabled => sub { !$authentication->{anonymous} }, advanced => 1  }, 
@@ -128,10 +132,10 @@ sub ask_parameters {  	$authentication->{AD_domain} ||= $net->{resolv}{DOMAINNAME};  	$in->do_pkgs->ensure_are_installed([ 'perl-Net-DNS' ], 1) or return; -	my @srvs = query_srv_names($authentication->{AD_domain}); +	my @srvs = query_srv_names($authentication->{AD_domain}); #FIXME: update this list if the REALM has changed  	$authentication->{AD_server} ||= $srvs[0] if @srvs;  	my $AD_user = $authentication->{AD_user} =~ /(.*)\@\Q$authentication->{AD_domain}\E$/ ? $1 : $authentication->{AD_user}; -	#my $authentication->{ccreds} ; +	$authentication->{ccreds} = 1;  	$in->ask_from('', N(" "),                          [ { label => N("Welcome to the Authentication Wizard"), title => 1 }, 
@@ -140,16 +144,16 @@ sub ask_parameters {                          {},  		       { label => N("Realm "),  val => \$authentication->{AD_domain} },                         {}, -		       { label => N("KDCs Servers"),  title => 1, val => \$authentication->{AD_server} , list => \@srvs , not_edit => 0,  title => 1 }, +		       { label => N("KDCs Servers"), title => 1, val => \$authentication->{AD_server} , list => \@srvs , not_edit => 0,  title => 1 },                         {}, -		       { text => N("Use DNS to resolve hosts for realms "), val => \$authentication->{KRB_host_lookup}, type => 'bool' }, -		       { text => N("Use DNS to resolve KDCs for realms "), val => \$authentication->{KRB_dns_lookup}, type => 'bool' }, -		       { text => N("Use Disconnect mode "), val => \$ccreds, type => 'bool' }, +		       { text => N("Use DNS to locate KDC for the realm"), val => \$authentication->{KRB_host_lookup}, type => 'bool' }, +		       { text => N("Use DNS to locate realms"), val => \$authentication->{KRB_dns_lookup}, type => 'bool' }, +		       { text => N("Use Disconnect mode "), val => \$authentication->{ccreds}, type => 'bool' },  		     ]) or return;  my %level = (               1 => N("Use local file for users information"), -             2 => N("Use Ldap for users information"), +             2 => N("Use LDAP for users information"),              );   $in->ask_from('', N(" "), 
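Review bot: The re-spaced `KDCs Servers` entry still carries `title => 1` twice in one hash literal, so the touched line keeps a duplicate key; drop the trailing one: `{ label => N("KDCs Servers"), title => 1, val => \$authentication->{AD_server}, list => \@srvs, not_edit => 0 },`. The remaining lines of the hunk are label wording only.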
@@ -161,10 +165,10 @@ my %level = (  			{},	  			{ label => N("LDAP Server"), val => \$authentication->{LDAP_server}, disabled => sub { $authentication->{nsskrb} eq "1"  } },                       	{ label => N("Base dn"), val => \$authentication->{LDAPDOMAIN} , disabled => sub { $authentication->{nsskrb} eq "1"  } }, -                     	{ val => N("Fecth base Dn "), type  => button , clicked_may_quit => sub { $authentication->{LDAPDOMAIN} = fetch_dn($authentication->{LDAP_server}); 0 }, disabled => sub { $authentication->{nsskrb} eq "1"  } }, +                     	{ val => N("Fetch base DN "), type  => 'button' , clicked_may_quit => sub { $authentication->{LDAPDOMAIN} = fetch_dn($authentication->{LDAP_server}); 0 }, disabled => sub { $authentication->{nsskrb} eq "1"  } },  			{},                       	{ text => N("Use encrypt connection with TLS "), val => \$authentication->{cafile}, type => 'bool',, disabled => sub { $authentication->{nsskrb} eq "1"  } }, -                     	{ val => N("Download CA Certificate "), type  => button , disabled => sub { !$authentication->{cafile} }, clicked_may_quit => sub { $authentication->{file} = add_cafile(); 0 }  }, +                     	{ val => N("Download CA Certificate "), type  => 'button' , disabled => sub { !$authentication->{cafile} }, clicked_may_quit => sub { $authentication->{file} = add_cafile(); 0 }  },                       	{ text => N("Use anonymous BIND "), val => \$authentication->{anonymous}, type => 'bool', disabled => sub { $authentication->{nsskrb} eq "1"  } },                       	{ label => N("Bind DN "), val => \$authentication->{LDAP_binddn}, disabled => sub { !$authentication->{anonymous} } },                       	{ label => N("Bind Password "), val => \$authentication->{LDAP_bindpwd}, disabled => sub { !$authentication->{anonymous} } }, 
@@ -176,7 +180,7 @@ my %level = (  	$authentication->{AD_password} = '' if !$authentication->{AD_user}; -    } elsif ($kind eq 'NIS') {  +    } elsif ($kind eq 'NIS') {  	$authentication->{NIS_server} ||= 'broadcast';  	$net->{network}{NISDOMAIN} ||= $net->{resolv}{DOMAINNAME};  	$in->ask_from('', N(" "), @@ -193,12 +197,12 @@ my %level = (  	#- but networking is not setup yet necessarily  	#  	my @sec_domain = ( -		"Windows NT4 Domain",  		"Windows Active Directory Domain", +		"Windows NT4 Domain",  ); -	$authentication->{AD_domain} ||= $net->{resolv}{DOMAINNAME}; +	$authentication->{DNS_domain} ||= $net->{resolv}{DOMAINNAME};  	$authentication->{WINDOMAIN} ||= $net->{resolv}{DOMAINNAME};  	$in->do_pkgs->ensure_are_installed([ 'samba-client' ], 1) or return;  	my @domains=list_domains(); @@ -213,8 +217,8 @@ my %level = (  		        { label => N("Domain Model "), val => \$authentication->{model}, list => \@sec_domain , not_edit => 1 },  		        {},  			{ label => N("Active Directory Realm "), val => \$authentication->{AD_domain} , disabled => sub { $authentication->{model} eq "Windows NT4 Domain"  } }, -		        {}, -		        {}, +			{ label => N("DNS Domain"), val => \$authentication->{DNS_domain} , disabled => sub { $authentication->{model} eq "Windows NT4 Domain"  } }, +			{ label => N("DC Server"), val => \$authentication->{AD_server} , disabled => sub { $authentication->{model} eq "Windows NT4 Domain"  } },  		        {},  			]) or return;      } @@ -268,6 +272,8 @@ sub get() {      my $authentication = {  	blowfish => to_bool($system_auth =~ /\$2a\$/),  	md5      => to_bool($system_auth =~ /md5/),  +	sha256   => to_bool($system_auth =~ /sha256/), +	sha512   => to_bool($system_auth =~ /sha512/),  	shadow   => to_bool($system_auth =~ /shadow/),      }; 
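Review bot: In the winbind branch `$authentication->{AD_domain} ||= $net->{resolv}{DOMAINNAME};` is replaced by `$authentication->{DNS_domain} ||= ...`, yet the 'Active Directory Realm' field in the -213 hunk still binds `AD_domain` and the -424 hunk still builds `$authentication->{AD_server} ||= 'ads.' . $authentication->{AD_domain};`, so a user who leaves the realm empty now ends up with the DC name `ads.` instead of a DOMAINNAME-derived default. Either keep `$authentication->{AD_domain} ||= $net->{resolv}{DOMAINNAME};` next to the new DNS_domain line, or guard the fallback with `$authentication->{AD_server} ||= 'ads.' . $authentication->{AD_domain} if $authentication->{AD_domain};`. ask_parameters continues outside the hunk, so AD_domain may be defaulted elsewhere; please confirm.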
@@ -285,8 +291,10 @@ sub get() {  }  sub install_needed_packages { -    my ($do_pkgs, $kind) = @_; +    my ($do_pkgs, $kind, $ccreds) = @_;      if (my $pkgs = $kind2packages{$kind}) { +	# install ccreds if required +	$ccreds and push(@$pkgs, 'pam_ccreds');  	#- automatic during install  	$do_pkgs->ensure_are_installed($pkgs, $::isInstall) or return;      } else { @@ -298,7 +306,7 @@ sub install_needed_packages {  sub set {      my ($in, $net, $authentication, $o_when_network_is_up) = @_; -    install_needed_packages($in->do_pkgs, to_kind($authentication)) or return; +    install_needed_packages($in->do_pkgs, to_kind($authentication), $authentication->{ccreds}) or return;      set_raw($net, $authentication, $o_when_network_is_up);      require services; @@ -319,16 +327,15 @@ sub set_raw {      my $pam_modules = $kind2pam_kind{$kind} or log::l("kind2pam_kind does not know $kind");      $pam_modules ||= []; -    sshd_config_UsePAM(@$pam_modules > 0); -    set_pam_authentication($pam_modules, $ccreds); +    set_pam_authentication($pam_modules, $authentication->{ccreds});      my $nsswitch = $kind2nsswitch{$kind} or log::l("kind2nsswitch does not know $kind");      $nsswitch ||= []; -    set_nsswitch_priority($nsswitch,$ccreds); +    set_nsswitch_priority($nsswitch, $authentication->{ccreds});      if ($kind eq 'local') { -output($conf_file, <<EOF); +	output($conf_file, <<EOF);  auth=Local File   server=none   realm=none 
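Review bot: `$ccreds and push(@$pkgs, 'pam_ccreds');` pushes onto the array stored in the module-level `%kind2packages`, so a second call for the same kind appends a duplicate and the table keeps 'pam_ccreds' even when a later call passes a false `$ccreds`. Build a fresh list instead: `my @to_install = (@$pkgs, if_($ccreds, 'pam_ccreds'));` followed by `$do_pkgs->ensure_are_installed(\@to_install, $::isInstall) or return;` (`if_` is the common helper already used in read_ldap_conf). The new optional `$ccreds` parameter deserves a line in the sub's header comment, since set() in the next hunk is its only visible caller.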
@@ -341,18 +348,22 @@ EOF  	configure_nss_ldap($authentication); -output($conf_file, <<EOF); -auth=Ldap Directory +	output($conf_file, <<EOF); +auth=LDAP Directory  server=$authentication->{LDAP_server}  realm=$authentication->{LDAPDOMAIN}  EOF +    if ($authentication->{ccreds}) { +	run_program::rooted($::prefix, '/usr/sbin/nss_updatedb.cron');  # updates offline cache. +    } +      } elsif ($kind eq 'KRB5') {  	configure_krb5_for_AD($authentication);  	configure_nss_ldap($authentication); -output($conf_file, <<EOF); +	output($conf_file, <<EOF);  auth=Kerberos 5  server=$authentication->{AD_server}  realm=$authentication->{AD_domain} @@ -361,7 +372,7 @@ EOF      } elsif ($kind eq 'NIS') {  	my $domain = $net->{network}{NISDOMAIN};  	my $NIS_server = $authentication->{NIS_server}; -	$domain || $NIS_server ne "broadcast" or die N("Can not use broadcast with no NIS domain"); +	$domain || $NIS_server ne "broadcast" or die N("Cannot use broadcast with no NIS domain");  	my $t = $domain ?   	  ($NIS_server eq 'broadcast' ?   	     "domain $domain broadcast" :  @@ -384,14 +395,12 @@ EOF  	    run_program::rooted($::prefix, 'service', 'ypbind', 'restart');  	}); -output($conf_file, <<EOF); +	output($conf_file, <<EOF);  auth=$kind  server=$NIS_server  realm=$domain  EOF -#    } elsif ($kind eq 'winbind' || $kind eq 'AD' && $authentication->{subkind} eq 'winbind') { -      } elsif ($kind eq 'winbind') {  	my $domain = uc $authentication->{WINDOMAIN}; 
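Review bot: `run_program::rooted($::prefix, '/usr/sbin/nss_updatedb.cron');` runs synchronously at configuration time and its result is not checked, while the NIS and winbind branches defer network-dependent work through `$when_network_is_up->(sub { ... })` because, as the comment in the -193 hunk says, networking is not necessarily set up yet; against an unreachable LDAP server the offline cache update will just fail quietly. Wrap it the same way, `$when_network_is_up->(sub { run_program::rooted($::prefix, '/usr/sbin/nss_updatedb.cron') });`, assuming that closure is in scope here as the visible NIS branch of set_raw suggests. The new `if` block is also space-indented inside a tab-indented elsif chain.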
@@ -410,11 +419,11 @@ EOF  	$when_network_is_up->(sub {  	    run_program::raw({ root => $::prefix, sensitive_arguments => 1 }, -		    #'net', 'join', $domain, '-U', $authentication->{winuser} . '%' . $authentication->{winpass}); +			                 #'net', 'join', $domain, '-U', $authentication->{winuser} . '%' . $authentication->{winpass});  			     'echo', '"', 'net', 'join', $domain, '-U', $authentication->{winuser} . '%' . $authentication->{winpass}, '"');  	}); -output($conf_file, <<EOF); +	output($conf_file, <<EOF);  auth=Windows NT4 Domain  server= none   realm=$domain @@ -424,7 +433,7 @@ EOF  	} else { 	 -		 +	# FIXME: the DC isn't named ads.domain... try to do reserve lookup?  	$authentication->{AD_server} ||= 'ads.' . $authentication->{AD_domain};  	my $domain = uc $authentication->{WINDOMAIN};  	my $realm = $authentication->{AD_domain}; @@ -437,15 +446,15 @@ EOF  	mkdir_p("$::prefix/home/$domain");  	run_program::rooted($::prefix, 'net', 'time', 'set', '-S', $authentication->{AD_server});  	run_program::rooted($::prefix, 'service', 'smb', 'restart'); -	run_program::rooted($::prefix, 'service', 'winbind', 'restart');  	$when_network_is_up->(sub {  	    run_program::raw({ root => $::prefix, sensitive_arguments => 1 },   			     'net', 'ads', 'join', '-U', $authentication->{winuser} . '%' . $authentication->{winpass}); +	    run_program::rooted($::prefix, 'service', 'winbind', 'restart');  	}); - -output($conf_file, <<EOF); +	#FIXME: perhaps save the defaults values ? +	output($conf_file, <<EOF);  auth=Windows Active Directory Domain  server= none  realm=$realm 
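Review bot: The NT4 join inside `$when_network_is_up` still executes `'echo', '"', 'net', 'join', $domain, ...` with the real `net join` kept only as a comment, so the re-indented comment line preserves what looks like a debugging stub and the domain join never actually runs. If that is not intentional it needs a marker at minimum, e.g. `#FIXME: 'echo' stub left in place; the real 'net join' is never executed`. The stub also places `user%password` on the command line exactly as the real call would (both under `sensitive_arguments => 1`, which presumably only affects logging). Whether the stub is deliberate is not visible from this hunk.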
@@ -472,11 +481,9 @@ sub pam_format_line {  sub get_raw_pam_authentication() {      my %before_deny;      foreach (cat_("$::prefix/etc/pam.d/system-auth")) { -	#my ($type, $control, $module, @para) = split;  	my ($type, $_control, $other) = /(\S+)\s+(\[.*?\]|\S+)\s+(.*)/;  	my ($module, @para) = split(' ', $other);  	if ($module = pam_module_from_path($module)) { -	    #$before_deny{$type}{$module} = \@para if $control eq 'sufficient' && member($module, pam_modules());  	    $before_deny{$type}{$module} = \@para if member($module, pam_modules());  	}      } @@ -517,25 +524,18 @@ sub pam_sufficient_line {  sub set_pam_authentication { -    #my (@authentication_kinds) = @_; -    my ($authentication_kinds, $ccreds) = @_; +    my ($authentication_kinds, $o_ccreds) = @_;      my %special = ( -	    #auth => [ difference2(\@authentication_kinds,, [ 'mount' ]) ], -	    #account => [ difference2(\@authentication_kinds, [ 'castella', 'mount' ]) ], -	    #password => [ intersection(\@authentication_kinds, [ 'ldap', 'krb5' ]) ],  	auth => [ difference2($authentication_kinds,, [ 'mount' ]) ],  	account => [ difference2($authentication_kinds, [ 'castella', 'mount', 'ccreds' ]) ],  	password => [ intersection($authentication_kinds, [ 'ldap', 'krb5', 'ccreds' ]) ],      );      my %before_first = ( -	    #auth => member('mount', @authentication_kinds) ? pam_format_line('auth', 'required', 'pam_mount') : '',  	auth => member('mount', @$authentication_kinds) ? pam_format_line('auth', 'required', 'pam_mount') : '',  	session =>  -	  #intersection(\@authentication_kinds, [ 'winbind', 'krb5', 'ldap' ])   	  intersection($authentication_kinds, [ 'winbind', 'krb5', 'ldap' ])  	    ? pam_format_line('session', 'optional', 'pam_mkhomedir', 'skel=/etc/skel/', 'umask=0022') : -	    #member('castella', @authentication_kinds)  	    member('castella', @$authentication_kinds)  	    ? pam_format_line('session', 'optional', 'pam_castella') : '',      ); 
@@ -548,7 +548,6 @@ sub set_pam_authentication {      );      substInFile { -	    #my ($type, $control, $module, @para) = split;  	my ($type, $control, $other) = /(\S+)\s+(\[.*?\]|\S+)\s+(.*)/;  	my ($module, @para) = split(' ', $other);  	if ($module = pam_module_from_path($module)) { @@ -572,16 +571,15 @@ sub set_pam_authentication {  			 (map { [ "pam_$_" ] } @$ask),  			 );  		push @{$l[-1]}, @para_for_last; -		#$_ = join('', map { pam_format_line($type, 'sufficient', @$_) } @l); -		### $_ = join('', map { pam_format_line($type, sufficient($ccreds, $_->[0], $type), @$_) } @l); -		$_ = join('', map { pam_sufficient_line($ccreds, $type, @$_) } @l); + +		$_ = join('', map { pam_sufficient_line($o_ccreds, $type, @$_) } @l);  		if ($control eq 'required') {  		    #- ensure a pam_deny line is there. it will be added below  		    ($module, @para) = ('pam_deny');  		} -		if ($type eq 'auth' && $ccreds) { +		if ($type eq 'auth' && $o_ccreds) {  			$_ .= pam_format_line('auth', '[default=done]', 'pam_ccreds', 'action=validate use_first_pass');  			$_ .= pam_format_line('auth', '[default=done]', 'pam_ccreds', 'action=store');  			$_ .= pam_format_line('auth', '[default=bad]',  'pam_ccreds', 'action=update'); @@ -591,7 +589,7 @@ sub set_pam_authentication {  	    if (member($module, 'pam_deny', 'pam_permit')) {  		$_ .= pam_format_line($type, $control,  -				      $type eq 'account' && $ccreds ? 'pam_permit' : 'pam_deny'); +				      $type eq 'account' && $o_ccreds ? 'pam_permit' : 'pam_deny');  	    }  	    if (my $s = delete $before_first{$type}) {  		$_ = $s . $_; 
@@ -606,14 +604,11 @@ sub set_pam_authentication {  }  sub set_nsswitch_priority { -	#my (@kinds) = @_;      my ($kinds, $connected) = @_; -    my @known = qw(nis ldap winbind); +    my @known = qw(nis ldap winbind compat);      substInFile {  	if (my ($database, $l) = /^(\s*(?:passwd|shadow|group|automount):\s*)(.*)/) {  	    my @l = difference2([ split(' ', $l) ], \@known); -	    #    $_ = $database . join(' ', uniq('files', @kinds, @l)) . "\n"; -	    #}  		$_ = $database . join(' ', uniq('files', @$kinds, @l)) . "\n";  	}  	if (/^\s*(?:passwd|group):/) { @@ -656,7 +651,7 @@ sub read_ldap_conf() {      my %conf = map {   	s/^\s*#.*//;   	if_(_after_read_ldap_line($_) =~ /(\S+)\s+(.*)/, $1 => $2); -    } cat_("$::prefix/etc/ldap.conf"); +    } cat_("$::prefix/etc/nslcd.conf");      \%conf;  } @@ -676,7 +671,7 @@ sub update_ldap_conf {  		$_ .= _pre_write_ldap_line("$cmd $val\n");  	    }  	} -    } "$::prefix/etc/ldap.conf"; +    } "$::prefix/etc/nslcd.conf";  }  sub configure_krb5_for_AD { @@ -705,6 +700,7 @@ sub configure_krb5_for_AD {  EOF  		    domain_realm => <<EOF,   .$authentication->{AD_domain} = $uc_domain + $authentication->{AD_domain} = $uc_domain  EOF  		    kdc => <<'EOF',   profile = /etc/kerberos/krb5kdc/kdc.conf @@ -786,18 +782,6 @@ sub krb5_conf_update {  } -sub sshd_config_UsePAM { -    my ($UsePAM) = @_; -    my $sshd = "$::prefix/etc/ssh/sshd_config"; -    -e $sshd or return; - -    my $val = "UsePAM " . bool2yesno($UsePAM); -    substInFile { -	$val = '' if s/^#?UsePAM.*/$val/; -	$_ .= "$val\n" if eof && $val; -    } $sshd; -} -  sub query_srv_names {      my ($domain) = @_; @@ -815,7 +799,7 @@ sub enable_shadow() {  sub salt {      my ($nb) = @_;      require devices; -    open(my $F, devices::make("random")) or die "missing random"; +    open(my $F, "/dev/urandom") or die "missing urandom";      my $s; read $F, $s, $nb;      $s = pack("b8" x $nb, unpack "b6" x $nb, $s);      $s =~ tr|\0-\x3f|0-9a-zA-Z./|; 
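Review bot: read_ldap_conf and update_ldap_conf now target `/etc/nslcd.conf`, which in this flow receives the bind DN and the password collected by the 'Bind Password' field of ask_parameters; unlike the old ldap.conf, that file must stay readable only by root and the nslcd service account, so update_ldap_conf should preserve or set a restrictive mode when it rewrites the file, unless substInFile already does so. A short comment above the `cat_("$::prefix/etc/nslcd.conf")` call, e.g. `# nslcd.conf may hold bindpw; keep it root-only`, would make the constraint explicit. The bodies of both subs continue outside their hunks.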
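Review bot: `read $F, $s, $nb;` in salt ignores the byte count, so a short or failed read from /dev/urandom leaves `$s` short and the following `pack`/`tr` appears to turn the missing bytes into a run of `0` characters — a silently weakened salt instead of an error. Check the count and use three-arg open: `open(my $F, '<', '/dev/urandom') or die "missing urandom";` then `my $got = read($F, $s, $nb); defined $got && $got == $nb or die "short read from urandom";`. The callers in user_crypted_passwd also request 60 or 64 salt characters where crypt consumes far fewer; harmless, but worth a comment so nobody reads the length as a strength parameter.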
@@ -828,9 +812,23 @@ sub user_crypted_passwd {  	require utf8;  	utf8::encode($u->{password}); #- we don't want perl to do "smart" things in crypt() -	crypt($u->{password},  -	      !$authentication || $authentication->{blowfish} ? '$2a$08$' . salt(60) : -	      $authentication->{md5} ? '$1$' . salt(8) : salt(2)); +	# Default to sha512 +	$authentication = { sha512 => 1 } unless $authentication; + +	my $salt; +	if ($authentication->{blowfish}) { +	    $salt = '$2a$08$' . salt(60); +	} elsif ($authentication->{md5}) { +	    $salt = '$1$' . salt(8); +	} elsif ($authentication->{sha256}) { +	    $salt = '$5$' . salt(32); +	} elsif ($authentication->{sha512}) { +	    $salt = '$6$' . salt(64); +	} else { +	    $salt = salt(2); +	} + +	crypt($u->{password}, $salt);      } else {  	$u->{pw} || '';      } @@ -874,15 +872,14 @@ sub pack_passwd {  }  sub add_cafile() { -	my $file;  	my $in = interactive->vnew; -	$file = $in->ask_filename({ title => N("Select file") }) or return; +	$in->ask_filename({ title => N("Select file") }) or return;  }  sub auth() {  	my $in = interactive->vnew;          $in->ask_from('', N(" "), [ -		{ label => N("Domain Windows for authentication : " , $authentication->{WINDOMAIN}) }, +		{ label => N("Domain Windows for authentication : ") . $authentication->{WINDOMAIN} },  		{},  		{ label => N("Domain Admin User Name"), val => \$authentication->{winuser} },  	        { label => N("Domain Admin Password"), val => \$authentication->{winpass}, hidden => 1 }, @@ -901,7 +898,6 @@ sub list_domains() {  }  sub get_server_for_domain {      my $smb = fs::remote::smb->new; -    my %domains;      foreach my $server ($smb->find_servers) {          return $server->{name} if $server->{group} == $_[0];      } 
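Review bot: The `# Default to sha512` fallback only fires when `$authentication` is undef; a defined hash with none of the blowfish/md5/sha256/sha512 flags (what get() returns for a system-auth without those markers) falls through to `$salt = salt(2);`, i.e. traditional DES crypt, which truncates passwords to 8 characters. Make the last branch the sha512 default as well, `$salt = '$6$' . salt(16);`, so DES can no longer be selected implicitly. The chain also prefers md5 over sha256/sha512 when get() sets several flags, which deserves a comment if intended. Whether `$authentication` here is a sub parameter or the file-scoped variable from the first hunk is not visible; if it is the latter, the assignment is a module-wide side effect.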
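Review bot: add_cafile now returns whatever `$in->ask_filename(...) or return;` evaluates to, relying on the sub's implicit last-expression value; for the scalar-assigning callers `return $in->ask_filename({ title => N("Select file") });` behaves the same and states the intent. Since the result is stored in `$authentication->{file}` and later written as `tls_cacertfile`, a header comment such as `# returns the path chosen by the user, used as the LDAP CA certificate file` would help the next reader.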
@@ -909,7 +905,6 @@ sub get_server_for_domain {  sub fetch_dn {  	my ($srv) = @_; -	#print "$srv";  	my $s = run_program::rooted_get_stdout($::prefix, 'ldapsearch', '-x', '-h', $srv, '-b', '', '-s', 'base', '+');  	$authentication->{LDAPDOMAIN} = first($s =~ /namingContexts: (.+)/);  	return $authentication->{LDAPDOMAIN}; 
@@ -917,28 +912,26 @@ sub fetch_dn {  sub configure_nss_ldap {  	my ($authentication) = @_; -	#my $authentication->{domain} = $authentication->{LDAPDOMAIN} || do { -        #    my $s = run_program::rooted_get_stdout($::prefix, 'ldapsearch', '-x', '-h', $authentication->{LDAP_server}, '-b', '', '-s', 'base', '+'); -        #    first($s =~ /namingContexts: (.+)/); -        #} or log::l("no ldap domain found on server $authentication->{LDAP_server}"), return;  	update_ldap_conf( -                         host => $authentication->{LDAP_server}, +			 uri => $authentication->{cafile} eq '1' ? "ldaps://" . $authentication->{LDAP_server} . "/" : "ldap://" . $authentication->{LDAP_server} . "/",                           base => $authentication->{LDAPDOMAIN},                          );          if ($authentication->{nssgrp} eq '1') {          update_ldap_conf( -                         nss_base_shadow => $authentication->{nss_shadow} . "?sub", -                         nss_base_passwd => $authentication->{nss_pwd} . "?sub", -                         nss_base_group => $authentication->{nss_grp} . "?sub", +                         'base shadow' => $authentication->{nss_shadow}, +                         'base passwd' => $authentication->{nss_pwd}, +                         'base group' => $authentication->{nss_grp}, +			 scope => "sub",                          );          } else {          update_ldap_conf( -                         nss_base_shadow => $authentication->{LDAPDOMAIN} . "?sub", -                         nss_base_passwd => $authentication->{LDAPDOMAIN} . "?sub", -                         nss_base_group => $authentication->{LDAPDOMAIN}  . 
"?sub", +                         'base shadow' => $authentication->{LDAPDOMAIN}, +                         'base passwd' => $authentication->{LDAPDOMAIN}, +                         'base group' => $authentication->{LDAPDOMAIN}, +			 scope => "sub",                          );                  }          if ($authentication->{anonymous} eq '1') { @@ -951,9 +944,40 @@ sub configure_nss_ldap {          if ($authentication->{cafile} eq '1') {                   update_ldap_conf(                   ssl => "on", -                 tls_checkpeer => "yes", +                 tls_reqcert => "allow",                   tls_cacertfile => $authentication->{file},                  );          }   } + + sub compute_password_weakness { + +   my ($password) = @_; +   my $score = 0; +   my $len = length($password); + +   return 0 if $len == 0; + +   $score = $len < 5 ? 3 : +   $len > 4 && $len < 8 ? 6 : +   $len > 7 && $len < 16 ? 12 : 18; + +   $score += 1 if $password =~ /[a-z]/; +   $score += 5 if $password =~ /[A-Z]/; +   $score += 5 if $password =~ /\d+/; +   $score += 5 if $password =~ /(.*[0-9].*[0-9].*[0-9])/; +   $score += 5 if $password =~ /.[!@#$%^&*?_~,]/; +   $score += 5 if $password =~ /(.*[!@#$%^&*?_~,].*[!@#$%^&*?_~,])/; +   $score += 2 if $password =~ /([a-z].*[A-Z])|([A-Z].*[a-z])/; +   $score += 2 if $password =~ /([a-zA-Z])/ && $password =~ /([0-9])/; +   $score += 2 if $password =~ /([a-z].*[A-Z])|([A-Z].*[a-z])/; +   $score += 2 if $password =~ /([a-zA-Z0-9].*[!@#$%^&*?_~])|([!@#$%^&*?_~,].*[a-zA-Z0-9])/; + +   my $level = $score < 11 ? 1 : +   $score > 10 && $score < 20 ? 2 : +   $score > 19 && $score < 30 ? 3 : +   $score > 29 && $score < 40 ? 4 : 5; + +   return $level; + }  1; | 
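Review bot: The `uri` line folds the ldaps/ldap choice into one ternary over two string concatenations; a named variable reads better, `my $scheme = $authentication->{cafile} eq '1' ? 'ldaps' : 'ldap';` then `uri => "$scheme://$authentication->{LDAP_server}/",`. When cafile is not set the resulting plain `ldap://` uri carries the bind DN/password from the anonymous block (presumably a simple bind) unencrypted, which the 'Use encrypt connection with TLS' checkbox label does not make obvious — a comment here would document that trade-off. `$authentication->{LDAP_server}` is written into nslcd.conf as free text; a value with embedded whitespace would become an extra directive, so trimming it before use is worthwhile.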
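Review bot: `tls_reqcert => "allow"` replaces `tls_checkpeer => "yes"` in the block that is only entered when the user asked for TLS and supplied a CA file; with nslcd, `allow` accepts a missing or invalid server certificate, so the CA file written to `tls_cacertfile` is never enforced and the LDAPS session (and the bind password sent over it) can be intercepted by an impersonated server. Use `tls_reqcert => "demand"` (nslcd's default) here, or at least `"try"`, and reserve `allow` for an explicit opt-out. In the new compute_password_weakness, the character classes contain an unescaped `$%`, which Perl appears to interpolate as the `$%` special variable inside a pattern so `$` and `%` drop out of the class — escape it (`[!\@#\$%^&*?_~,]`) or use `\Q`; the `/.[...]/` form also skips a special character in the first position, and the `([a-z].*[A-Z])|([A-Z].*[a-z])` rule is counted twice. The sub has no POD and is indented with a leading space at column 0, unlike the rest of the file.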
