Diffstat (limited to 'perl-install/authentication.pm')
-rw-r--r-- | perl-install/authentication.pm | 238 |
1 files changed, 134 insertions, 104 deletions
diff --git a/perl-install/authentication.pm b/perl-install/authentication.pm index 886b45d15..55491edfb 100644 --- a/perl-install/authentication.pm +++ b/perl-install/authentication.pm @@ -1,9 +1,8 @@ -package authentication; # $Id$ +package authentication; use common; -my $ccreds = 1; -my ($authentication) = @_; +my $authentication; sub kinds { my $no_para = @_ == 0; 
@@ -48,27 +47,35 @@ my %kind2nsswitch = ( winbind => ['winbind'], ); +my $lib = get_libdir(); + my %kind2packages = ( local => [], SmartCard => [ 'castella-pam' ], - LDAP => [ 'openldap-clients', 'nss_ldap', 'pam_ldap', 'autofs', 'pam_ccreds', 'nss_updatedb' ], - KRB5 => [ 'nss_ldap', 'pam_krb5', 'libsasl2-plug-gssapi', 'pam_ccreds', 'nss_updatedb' ], + LDAP => [ 'openldap-clients', 'nss-pam-ldapd', 'autofs', 'nss_updatedb' ], + KRB5 => [ 'nss-pam-ldapd', 'pam_krb5', "${lib}sasl2-plug-gssapi", 'nss_updatedb' ], NIS => [ 'ypbind', 'autofs' ], - winbind => [ 'samba-winbind', 'nss_ldap', 'pam_krb5', 'libsasl2-plug-gssapi', 'samba-server' ], + winbind => [ 'samba-winbind', 'nss-pam-ldapd', 'pam_krb5', "${lib}sasl2-plug-gssapi" ], ); -sub kind2description { +sub kind2description_raw { my (@kinds) = @_; my %kind2description = ( local => [ N("Local file:"), N("Use local for all authentication and information user tell in local file"), ], LDAP => [ N("LDAP:"), N("Tells your computer to use LDAP for some or all authentication. LDAP consolidates certain types of information within your organization."), ], NIS => [ N("NIS:"), N("Allows you to run a group of computers in the same Network Information Service domain with a common password and group file."), ], winbind => [ N("Windows Domain:"), N("Winbind allows the system to retrieve information and authenticate users in a Windows domain."), ], - KRB5 => [ N("Kerberos 5 :"), N("With Kerberos and Ldap for authentication in Active Directory Server "), ], + KRB5 => [ N("Kerberos 5 :"), N("With Kerberos and LDAP for authentication in Active Directory Server "), ], ); - join('', map { $_ ? qq($_->[0]\n$_->[1]\n\n) : '' } map { $kind2description{$_} } @kinds); + join('', map { $_ ? qq($_->[0]\n$_->[1]) : '' } map { $kind2description{$_} } @kinds); +} + +sub kind2description { + my (@kinds) = @_; + join('', map { $_ ? 
qq($_\n\n) : '' } map { kind2description_raw($_) } @kinds); } + sub to_kind { my ($authentication) = @_; (find { exists $authentication->{$_} } kinds()) || 'local'; @@ -86,13 +93,16 @@ sub ask_parameters { foreach (kinds()) { delete $authentication->{$_} if $_ ne $kind; } + # do not enable ccreds unless required + undef $authentication->{ccreds}; if ($kind eq 'LDAP') { $authentication->{LDAPDOMAIN} ||= domain_to_ldap_domain($net->{resolv}{DOMAINNAME}); - #$authentication->{anonymous} = "0"; - #$authentication->{cafile} = "0"; - #$authentication->{nssgrp} = "0"; + $authentication->{ccreds} = 1; + # this package must be installed for 'Fetch DN' button to actually work + $in->do_pkgs->ensure_are_installed([ 'openldap-clients' ], 1) or return; + $in->ask_from('', N(" "), [ { label => N("Welcome to the Authentication Wizard"), title => 1 }, {}, 
@@ -100,12 +110,12 @@ sub ask_parameters { {}, { label => N("LDAP Server"), val => \$authentication->{LDAP_server} }, { label => N("Base dn"), val => \$authentication->{LDAPDOMAIN} }, - { val => N("Fetch base Dn "), type => button , clicked_may_quit => sub { $authentication->{LDAPDOMAIN} = fetch_dn($authentication->{LDAP_server}); 0 } }, + { val => N("Fetch base Dn "), type => 'button' , clicked_may_quit => sub { $authentication->{LDAPDOMAIN} = fetch_dn($authentication->{LDAP_server}); 0 } }, {}, { text => N("Use encrypt connection with TLS "), val => \$authentication->{cafile}, type => 'bool' }, - { val => N("Download CA Certificate "), type => button , disabled => sub { !$authentication->{cafile} }, clicked_may_quit => sub { $authentication->{file} = add_cafile(); 0 } }, + { val => N("Download CA Certificate "), type => 'button' , disabled => sub { !$authentication->{cafile} }, clicked_may_quit => sub { $authentication->{file} = add_cafile(); 0 } }, - { text => N("Use Disconnect mode "), val => \$ccreds, type => 'bool' }, + { text => N("Use Disconnect mode "), val => \$authentication->{ccreds}, type => 'bool' }, { text => N("Use anonymous BIND "), val => \$authentication->{anonymous}, type => 'bool' , advanced => 1 }, { text => N(" "), advanced => 1 }, { label => N("Bind DN "), val => \$authentication->{LDAP_binddn}, disabled => sub { !$authentication->{anonymous} }, advanced => 1 }, 
@@ -122,10 +132,10 @@ sub ask_parameters { $authentication->{AD_domain} ||= $net->{resolv}{DOMAINNAME}; $in->do_pkgs->ensure_are_installed([ 'perl-Net-DNS' ], 1) or return; - my @srvs = query_srv_names($authentication->{AD_domain}); + my @srvs = query_srv_names($authentication->{AD_domain}); #FIXME: update this list if the REALM has changed $authentication->{AD_server} ||= $srvs[0] if @srvs; my $AD_user = $authentication->{AD_user} =~ /(.*)\@\Q$authentication->{AD_domain}\E$/ ? $1 : $authentication->{AD_user}; - #my $authentication->{ccreds} ; + $authentication->{ccreds} = 1; $in->ask_from('', N(" "), [ { label => N("Welcome to the Authentication Wizard"), title => 1 }, @@ -134,16 +144,16 @@ sub ask_parameters { {}, { label => N("Realm "), val => \$authentication->{AD_domain} }, {}, - { label => N("KDCs Servers"), title => 1, val => \$authentication->{AD_server} , list => \@srvs , not_edit => 0, title => 1 }, + { label => N("KDCs Servers"), title => 1, val => \$authentication->{AD_server} , list => \@srvs , not_edit => 0, title => 1 }, {}, - { text => N("Use DNS to resolve hosts for realms "), val => \$authentication->{KRB_host_lookup}, type => 'bool' }, - { text => N("Use DNS to resolve KDCs for realms "), val => \$authentication->{KRB_dns_lookup}, type => 'bool' }, - { text => N("Use Disconnect mode "), val => \$ccreds, type => 'bool' }, + { text => N("Use DNS to locate KDC for the realm"), val => \$authentication->{KRB_host_lookup}, type => 'bool' }, + { text => N("Use DNS to locate realms"), val => \$authentication->{KRB_dns_lookup}, type => 'bool' }, + { text => N("Use Disconnect mode "), val => \$authentication->{ccreds}, type => 'bool' }, ]) or return; my %level = ( - 1 => N("Use local file for users informations"), - 2 => N("Use Ldap for users informations"), + 1 => N("Use local file for users information"), + 2 => N("Use LDAP for users information"), ); $in->ask_from('', N(" "), 
@@ -155,10 +165,10 @@ my %level = ( {}, { label => N("LDAP Server"), val => \$authentication->{LDAP_server}, disabled => sub { $authentication->{nsskrb} eq "1" } }, { label => N("Base dn"), val => \$authentication->{LDAPDOMAIN} , disabled => sub { $authentication->{nsskrb} eq "1" } }, - { val => N("Fecth base Dn "), type => button , clicked_may_quit => sub { $authentication->{LDAPDOMAIN} = fetch_dn($authentication->{LDAP_server}); 0 }, disabled => sub { $authentication->{nsskrb} eq "1" } }, + { val => N("Fetch base DN "), type => 'button' , clicked_may_quit => sub { $authentication->{LDAPDOMAIN} = fetch_dn($authentication->{LDAP_server}); 0 }, disabled => sub { $authentication->{nsskrb} eq "1" } }, {}, { text => N("Use encrypt connection with TLS "), val => \$authentication->{cafile}, type => 'bool',, disabled => sub { $authentication->{nsskrb} eq "1" } }, - { val => N("Download CA Certificate "), type => button , disabled => sub { !$authentication->{cafile} }, clicked_may_quit => sub { $authentication->{file} = add_cafile(); 0 } }, + { val => N("Download CA Certificate "), type => 'button' , disabled => sub { !$authentication->{cafile} }, clicked_may_quit => sub { $authentication->{file} = add_cafile(); 0 } }, { text => N("Use anonymous BIND "), val => \$authentication->{anonymous}, type => 'bool', disabled => sub { $authentication->{nsskrb} eq "1" } }, { label => N("Bind DN "), val => \$authentication->{LDAP_binddn}, disabled => sub { !$authentication->{anonymous} } }, { label => N("Bind Password "), val => \$authentication->{LDAP_bindpwd}, disabled => sub { !$authentication->{anonymous} } }, @@ -170,7 +180,7 @@ my %level = ( $authentication->{AD_password} = '' if !$authentication->{AD_user}; - } elsif ($kind eq 'NIS') { + } elsif ($kind eq 'NIS') { $authentication->{NIS_server} ||= 'broadcast'; $net->{network}{NISDOMAIN} ||= $net->{resolv}{DOMAINNAME}; $in->ask_from('', N(" "), 
@@ -187,12 +197,12 @@ my %level = ( #- but networking is not setup yet necessarily # my @sec_domain = ( - "Windows NT4 Domain", "Windows Active Directory Domain", + "Windows NT4 Domain", ); - $authentication->{AD_domain} ||= $net->{resolv}{DOMAINNAME}; + $authentication->{DNS_domain} ||= $net->{resolv}{DOMAINNAME}; $authentication->{WINDOMAIN} ||= $net->{resolv}{DOMAINNAME}; $in->do_pkgs->ensure_are_installed([ 'samba-client' ], 1) or return; my @domains=list_domains(); @@ -207,8 +217,8 @@ my %level = ( { label => N("Domain Model "), val => \$authentication->{model}, list => \@sec_domain , not_edit => 1 }, {}, { label => N("Active Directory Realm "), val => \$authentication->{AD_domain} , disabled => sub { $authentication->{model} eq "Windows NT4 Domain" } }, - {}, - {}, + { label => N("DNS Domain"), val => \$authentication->{DNS_domain} , disabled => sub { $authentication->{model} eq "Windows NT4 Domain" } }, + { label => N("DC Server"), val => \$authentication->{AD_server} , disabled => sub { $authentication->{model} eq "Windows NT4 Domain" } }, {}, ]) or return; } @@ -262,6 +272,8 @@ sub get() { my $authentication = { blowfish => to_bool($system_auth =~ /\$2a\$/), md5 => to_bool($system_auth =~ /md5/), + sha256 => to_bool($system_auth =~ /sha256/), + sha512 => to_bool($system_auth =~ /sha512/), shadow => to_bool($system_auth =~ /shadow/), }; @@ -279,8 +291,10 @@ sub get() { } sub install_needed_packages { - my ($do_pkgs, $kind) = @_; + my ($do_pkgs, $kind, $ccreds) = @_; if (my $pkgs = $kind2packages{$kind}) { + # install ccreds if required + $ccreds and push(@$pkgs, 'pam_ccreds'); #- automatic during install $do_pkgs->ensure_are_installed($pkgs, $::isInstall) or return; } else { 
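Review bot: `$ccreds and push(@$pkgs, 'pam_ccreds');` in install_needed_packages pushes onto the array reference fetched from `%kind2packages`, so the module-level table itself is mutated: a second call for the same kind appends a duplicate entry, and a later call with `$ccreds` false still installs pam_ccreds because it is now in the table. Build a fresh list instead, `my @pkgs = (@$pkgs, if_($ccreds, 'pam_ccreds'));` and pass `\@pkgs` to `ensure_are_installed` (`if_` is already used in read_ldap_conf). The else branch of install_needed_packages continues outside the hunk.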
@@ -292,7 +306,7 @@ sub install_needed_packages { sub set { my ($in, $net, $authentication, $o_when_network_is_up) = @_; - install_needed_packages($in->do_pkgs, to_kind($authentication)) or return; + install_needed_packages($in->do_pkgs, to_kind($authentication), $authentication->{ccreds}) or return; set_raw($net, $authentication, $o_when_network_is_up); require services; @@ -313,16 +327,15 @@ sub set_raw { my $pam_modules = $kind2pam_kind{$kind} or log::l("kind2pam_kind does not know $kind"); $pam_modules ||= []; - sshd_config_UsePAM(@$pam_modules > 0); - set_pam_authentication($pam_modules, $ccreds); + set_pam_authentication($pam_modules, $authentication->{ccreds}); my $nsswitch = $kind2nsswitch{$kind} or log::l("kind2nsswitch does not know $kind"); $nsswitch ||= []; - set_nsswitch_priority($nsswitch,$ccreds); + set_nsswitch_priority($nsswitch, $authentication->{ccreds}); if ($kind eq 'local') { -output($conf_file, <<EOF); + output($conf_file, <<EOF); auth=Local File server=none realm=none @@ -335,18 +348,22 @@ EOF configure_nss_ldap($authentication); -output($conf_file, <<EOF); -auth=Ldap Directory + output($conf_file, <<EOF); +auth=LDAP Directory server=$authentication->{LDAP_server} realm=$authentication->{LDAPDOMAIN} EOF + if ($authentication->{ccreds}) { + run_program::rooted($::prefix, '/usr/sbin/nss_updatedb.cron'); # updates offline cache. + } + } elsif ($kind eq 'KRB5') { configure_krb5_for_AD($authentication); configure_nss_ldap($authentication); -output($conf_file, <<EOF); + output($conf_file, <<EOF); auth=Kerberos 5 server=$authentication->{AD_server} realm=$authentication->{AD_domain} 
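Review bot: `run_program::rooted($::prefix, '/usr/sbin/nss_updatedb.cron');` in the LDAP branch of set_raw runs synchronously while the configuration is still being written and its result is discarded; the offline cache can only be populated if the LDAP server is reachable, which during install it may not be yet (the NIS branch of this same function defers `service ypbind restart` through `$when_network_is_up->(sub { ... })` for that reason). Consider `$when_network_is_up->(sub { run_program::rooted($::prefix, '/usr/sbin/nss_updatedb.cron') or log::l("nss_updatedb failed, offline cache not populated"); });` so an empty cache is at least logged instead of silently accepted. Separately, with the `sshd_config_UsePAM(@$pam_modules > 0)` call removed in hunk @@ -313 nothing in this file keeps sshd's UsePAM in step with the PAM stack being configured; if that is now expected to come from the sshd package default, a one-line comment at that spot would save the next reader from wondering. set_raw continues outside the hunk.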
@@ -355,7 +372,7 @@ EOF } elsif ($kind eq 'NIS') { my $domain = $net->{network}{NISDOMAIN}; my $NIS_server = $authentication->{NIS_server}; - $domain || $NIS_server ne "broadcast" or die N("Can not use broadcast with no NIS domain"); + $domain || $NIS_server ne "broadcast" or die N("Cannot use broadcast with no NIS domain"); my $t = $domain ? ($NIS_server eq 'broadcast' ? "domain $domain broadcast" : @@ -378,14 +395,12 @@ EOF run_program::rooted($::prefix, 'service', 'ypbind', 'restart'); }); -output($conf_file, <<EOF); + output($conf_file, <<EOF); auth=$kind server=$NIS_server realm=$domain EOF -# } elsif ($kind eq 'winbind' || $kind eq 'AD' && $authentication->{subkind} eq 'winbind') { - } elsif ($kind eq 'winbind') { my $domain = uc $authentication->{WINDOMAIN}; @@ -404,11 +419,11 @@ EOF $when_network_is_up->(sub { run_program::raw({ root => $::prefix, sensitive_arguments => 1 }, - #'net', 'join', $domain, '-U', $authentication->{winuser} . '%' . $authentication->{winpass}); + #'net', 'join', $domain, '-U', $authentication->{winuser} . '%' . $authentication->{winpass}); 'echo', '"', 'net', 'join', $domain, '-U', $authentication->{winuser} . '%' . $authentication->{winpass}, '"'); }); -output($conf_file, <<EOF); + output($conf_file, <<EOF); auth=Windows NT4 Domain server= none realm=$domain @@ -418,7 +433,7 @@ EOF } else { - + # FIXME: the DC isn't named ads.domain... try to do reserve lookup? $authentication->{AD_server} ||= 'ads.' . $authentication->{AD_domain}; my $domain = uc $authentication->{WINDOMAIN}; my $realm = $authentication->{AD_domain}; 
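Review bot: The new comment `# FIXME: the DC isn't named ads.domain... try to do reserve lookup?` presumably means a reverse DNS lookup, and it could say when the `'ads.' . $authentication->{AD_domain}` guess actually applies: the winbind dialog in hunk @@ -207 now has a "DC Server" field bound to `$authentication->{AD_server}`, so the guess is only reached when that field was left blank. `query_srv_names`, already used in the KRB5 branch of ask_parameters, would be a better fallback than a fixed host name. Suggested wording: `# FIXME: only reached when 'DC Server' was left empty; the DC is not necessarily named ads.<domain>, try query_srv_names() or a reverse lookup instead`.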
@@ -431,15 +446,15 @@ EOF mkdir_p("$::prefix/home/$domain"); run_program::rooted($::prefix, 'net', 'time', 'set', '-S', $authentication->{AD_server}); run_program::rooted($::prefix, 'service', 'smb', 'restart'); - run_program::rooted($::prefix, 'service', 'winbind', 'restart'); $when_network_is_up->(sub { run_program::raw({ root => $::prefix, sensitive_arguments => 1 }, 'net', 'ads', 'join', '-U', $authentication->{winuser} . '%' . $authentication->{winpass}); + run_program::rooted($::prefix, 'service', 'winbind', 'restart'); }); - -output($conf_file, <<EOF); + #FIXME: perhaps save the defaults values ? + output($conf_file, <<EOF); auth=Windows Active Directory Domain server= none realm=$realm @@ -466,11 +481,9 @@ sub pam_format_line { sub get_raw_pam_authentication() { my %before_deny; foreach (cat_("$::prefix/etc/pam.d/system-auth")) { - #my ($type, $control, $module, @para) = split; my ($type, $_control, $other) = /(\S+)\s+(\[.*?\]|\S+)\s+(.*)/; my ($module, @para) = split(' ', $other); if ($module = pam_module_from_path($module)) { - #$before_deny{$type}{$module} = \@para if $control eq 'sufficient' && member($module, pam_modules()); $before_deny{$type}{$module} = \@para if member($module, pam_modules()); } } 
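Review bot: Inside the `$when_network_is_up` callback the result of `run_program::raw(... 'net', 'ads', 'join', ...)` is ignored, so the `service winbind restart` that this hunk moves into the callback runs, and the `auth=Windows Active Directory Domain` conf is written, even when the join failed (wrong password, clock skew, unreachable DC). Check it and log before restarting, e.g. `run_program::raw({ root => $::prefix, sensitive_arguments => 1 }, 'net', 'ads', 'join', '-U', $authentication->{winuser} . '%' . $authentication->{winpass}) or log::l("net ads join failed for $realm");`. The user%password pair is still passed as a command-line argument; `sensitive_arguments => 1` keeps it out of the log, but it remains visible to other local processes while the join runs, which is worth a comment if that trade-off is accepted. The enclosing else branch starts in the previous hunk.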
@@ -511,25 +524,18 @@ sub pam_sufficient_line { sub set_pam_authentication { - #my (@authentication_kinds) = @_; - my ($authentication_kinds, $ccreds) = @_; + my ($authentication_kinds, $o_ccreds) = @_; my %special = ( - #auth => [ difference2(\@authentication_kinds,, [ 'mount' ]) ], - #account => [ difference2(\@authentication_kinds, [ 'castella', 'mount' ]) ], - #password => [ intersection(\@authentication_kinds, [ 'ldap', 'krb5' ]) ], auth => [ difference2($authentication_kinds,, [ 'mount' ]) ], account => [ difference2($authentication_kinds, [ 'castella', 'mount', 'ccreds' ]) ], password => [ intersection($authentication_kinds, [ 'ldap', 'krb5', 'ccreds' ]) ], ); my %before_first = ( - #auth => member('mount', @authentication_kinds) ? pam_format_line('auth', 'required', 'pam_mount') : '', auth => member('mount', @$authentication_kinds) ? pam_format_line('auth', 'required', 'pam_mount') : '', session => - #intersection(\@authentication_kinds, [ 'winbind', 'krb5', 'ldap' ]) intersection($authentication_kinds, [ 'winbind', 'krb5', 'ldap' ]) ? pam_format_line('session', 'optional', 'pam_mkhomedir', 'skel=/etc/skel/', 'umask=0022') : - #member('castella', @authentication_kinds) member('castella', @$authentication_kinds) ? pam_format_line('session', 'optional', 'pam_castella') : '', ); @@ -542,7 +548,6 @@ sub set_pam_authentication { ); substInFile { - #my ($type, $control, $module, @para) = split; my ($type, $control, $other) = /(\S+)\s+(\[.*?\]|\S+)\s+(.*)/; my ($module, @para) = split(' ', $other); if ($module = pam_module_from_path($module)) { 
@@ -566,16 +571,15 @@ sub set_pam_authentication { (map { [ "pam_$_" ] } @$ask), ); push @{$l[-1]}, @para_for_last; - #$_ = join('', map { pam_format_line($type, 'sufficient', @$_) } @l); - ### $_ = join('', map { pam_format_line($type, sufficient($ccreds, $_->[0], $type), @$_) } @l); - $_ = join('', map { pam_sufficient_line($ccreds, $type, @$_) } @l); + + $_ = join('', map { pam_sufficient_line($o_ccreds, $type, @$_) } @l); if ($control eq 'required') { #- ensure a pam_deny line is there. it will be added below ($module, @para) = ('pam_deny'); } - if ($type eq 'auth' && $ccreds) { + if ($type eq 'auth' && $o_ccreds) { $_ .= pam_format_line('auth', '[default=done]', 'pam_ccreds', 'action=validate use_first_pass'); $_ .= pam_format_line('auth', '[default=done]', 'pam_ccreds', 'action=store'); $_ .= pam_format_line('auth', '[default=bad]', 'pam_ccreds', 'action=update'); @@ -585,7 +589,7 @@ sub set_pam_authentication { if (member($module, 'pam_deny', 'pam_permit')) { $_ .= pam_format_line($type, $control, - $type eq 'account' && $ccreds ? 'pam_permit' : 'pam_deny'); + $type eq 'account' && $o_ccreds ? 'pam_permit' : 'pam_deny'); } if (my $s = delete $before_first{$type}) { $_ = $s . $_; @@ -600,14 +604,11 @@ sub set_pam_authentication { } sub set_nsswitch_priority { - #my (@kinds) = @_; my ($kinds, $connected) = @_; - my @known = qw(nis ldap winbind); + my @known = qw(nis ldap winbind compat); substInFile { if (my ($database, $l) = /^(\s*(?:passwd|shadow|group|automount):\s*)(.*)/) { my @l = difference2([ split(' ', $l) ], \@known); - # $_ = $database . join(' ', uniq('files', @kinds, @l)) . "\n"; - #} $_ = $database . join(' ', uniq('files', @$kinds, @l)) . "\n"; } if (/^\s*(?:passwd|group):/) { @@ -650,7 +651,7 @@ sub read_ldap_conf() { my %conf = map { s/^\s*#.*//; if_(_after_read_ldap_line($_) =~ /(\S+)\s+(.*)/, $1 => $2); - } cat_("$::prefix/etc/ldap.conf"); + } cat_("$::prefix/etc/nslcd.conf"); \%conf; } 
@@ -670,7 +671,7 @@ sub update_ldap_conf { $_ .= _pre_write_ldap_line("$cmd $val\n"); } } - } "$::prefix/etc/ldap.conf"; + } "$::prefix/etc/nslcd.conf"; } sub configure_krb5_for_AD { @@ -699,6 +700,7 @@ sub configure_krb5_for_AD { EOF domain_realm => <<EOF, .$authentication->{AD_domain} = $uc_domain + $authentication->{AD_domain} = $uc_domain EOF kdc => <<'EOF', profile = /etc/kerberos/krb5kdc/kdc.conf @@ -780,18 +782,6 @@ sub krb5_conf_update { } -sub sshd_config_UsePAM { - my ($UsePAM) = @_; - my $sshd = "$::prefix/etc/ssh/sshd_config"; - -e $sshd or return; - - my $val = "UsePAM " . bool2yesno($UsePAM); - substInFile { - $val = '' if s/^#?UsePAM.*/$val/; - $_ .= "$val\n" if eof && $val; - } $sshd; -} - sub query_srv_names { my ($domain) = @_; @@ -809,7 +799,7 @@ sub enable_shadow() { sub salt { my ($nb) = @_; require devices; - open(my $F, devices::make("random")) or die "missing random"; + open(my $F, "/dev/urandom") or die "missing urandom"; my $s; read $F, $s, $nb; $s = pack("b8" x $nb, unpack "b6" x $nb, $s); $s =~ tr|\0-\x3f|0-9a-zA-Z./|; @@ -822,9 +812,23 @@ sub user_crypted_passwd { require utf8; utf8::encode($u->{password}); #- we don't want perl to do "smart" things in crypt() - crypt($u->{password}, - !$authentication || $authentication->{blowfish} ? '$2a$08$' . salt(60) : - $authentication->{md5} ? '$1$' . salt(8) : salt(2)); + # Default to sha512 + $authentication = { sha512 => 1 } unless $authentication; + + my $salt; + if ($authentication->{blowfish}) { + $salt = '$2a$08$' . salt(60); + } elsif ($authentication->{md5}) { + $salt = '$1$' . salt(8); + } elsif ($authentication->{sha256}) { + $salt = '$5$' . salt(32); + } elsif ($authentication->{sha512}) { + $salt = '$6$' . salt(64); + } else { + $salt = salt(2); + } + + crypt($u->{password}, $salt); } else { $u->{pw} || ''; } 
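Review bot: `open(my $F, "/dev/urandom") or die "missing urandom";` in salt keeps the two-argument open, and the following `read $F, $s, $nb;` never checks that `$nb` bytes actually arrived: on a short read `pack("b8" x $nb, ...)` fills the missing positions with NUL bytes, which `tr|\0-\x3f|0-9a-zA-Z./|` then turns into a run of '0' characters, i.e. a partly predictable salt. Use `open(my $F, '<', '/dev/urandom') or die "missing urandom";` and `read($F, $s, $nb) == $nb or die "short read from /dev/urandom";`, and close the handle once `$s` is filled. The pack/tr part of salt is unchanged in the hunk.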
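Review bot: The final `else { $salt = salt(2); }` in user_crypted_passwd still falls back to traditional DES crypt whenever `$authentication` is a hash with none of blowfish/md5/sha256/sha512 set — which is what `get()` returns for a system-auth that mentions none of those words — so the new `# Default to sha512` only covers the undef case; `$salt = '$6$' . salt(16);` in that branch would make sha512 the default in both situations. glibc uses at most 16 salt characters for `$5$` and `$6$`, so `salt(32)` and `salt(64)` draw more random bytes than the hash will ever use; `salt(16)` is enough for both. If the `$authentication` assigned by `$authentication = { sha512 => 1 } unless $authentication;` is the file-level variable declared at the top (the sub's signature is outside the hunk), that assignment also persists across calls, which a local `my $auth = $authentication || { sha512 => 1 };` would avoid.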
@@ -868,15 +872,14 @@ sub pack_passwd { } sub add_cafile() { - my $file; my $in = interactive->vnew; - $file = $in->ask_filename({ title => N("Select file") }) or return; + $in->ask_filename({ title => N("Select file") }) or return; } sub auth() { my $in = interactive->vnew; $in->ask_from('', N(" "), [ - { label => N("Domain Windows for authentication : " , $authentication->{WINDOMAIN}) }, + { label => N("Domain Windows for authentication : ") . $authentication->{WINDOMAIN} }, {}, { label => N("Domain Admin User Name"), val => \$authentication->{winuser} }, { label => N("Domain Admin Password"), val => \$authentication->{winpass}, hidden => 1 }, @@ -895,7 +898,6 @@ sub list_domains() { } sub get_server_for_domain { my $smb = fs::remote::smb->new; - my %domains; foreach my $server ($smb->find_servers) { return $server->{name} if $server->{group} == $_[0]; } @@ -903,7 +905,6 @@ sub get_server_for_domain { sub fetch_dn { my ($srv) = @_; - #print "$srv"; my $s = run_program::rooted_get_stdout($::prefix, 'ldapsearch', '-x', '-h', $srv, '-b', '', '-s', 'base', '+'); $authentication->{LDAPDOMAIN} = first($s =~ /namingContexts: (.+)/); return $authentication->{LDAPDOMAIN}; 
@@ -911,28 +912,26 @@ sub fetch_dn { sub configure_nss_ldap { my ($authentication) = @_; - #my $authentication->{domain} = $authentication->{LDAPDOMAIN} || do { - # my $s = run_program::rooted_get_stdout($::prefix, 'ldapsearch', '-x', '-h', $authentication->{LDAP_server}, '-b', '', '-s', 'base', '+'); - # first($s =~ /namingContexts: (.+)/); - #} or log::l("no ldap domain found on server $authentication->{LDAP_server}"), return; update_ldap_conf( - host => $authentication->{LDAP_server}, + uri => $authentication->{cafile} eq '1' ? "ldaps://" . $authentication->{LDAP_server} . "/" : "ldap://" . $authentication->{LDAP_server} . "/", base => $authentication->{LDAPDOMAIN}, ); if ($authentication->{nssgrp} eq '1') { update_ldap_conf( - nss_base_shadow => $authentication->{nss_shadow} . "?sub", - nss_base_passwd => $authentication->{nss_pwd} . "?sub", - nss_base_group => $authentication->{nss_grp} . "?sub", + 'base shadow' => $authentication->{nss_shadow}, + 'base passwd' => $authentication->{nss_pwd}, + 'base group' => $authentication->{nss_grp}, + scope => "sub", ); } else { update_ldap_conf( - nss_base_shadow => $authentication->{LDAPDOMAIN} . "?sub", - nss_base_passwd => $authentication->{LDAPDOMAIN} . "?sub", - nss_base_group => $authentication->{LDAPDOMAIN} . "?sub", + 'base shadow' => $authentication->{LDAPDOMAIN}, + 'base passwd' => $authentication->{LDAPDOMAIN}, + 'base group' => $authentication->{LDAPDOMAIN}, + scope => "sub", ); } if ($authentication->{anonymous} eq '1') { 
@@ -945,9 +944,40 @@ sub configure_nss_ldap { if ($authentication->{cafile} eq '1') { update_ldap_conf( ssl => "on", - tls_checkpeer => "yes", + tls_reqcert => "allow", tls_cacertfile => $authentication->{file}, ); } } + + sub compute_password_weakness { + + my ($password) = @_; + my $score = 0; + my $len = length($password); + + return 0 if $len == 0; + + $score = $len < 5 ? 3 : + $len > 4 && $len < 8 ? 6 : + $len > 7 && $len < 16 ? 12 : 18; + + $score += 1 if $password =~ /[a-z]/; + $score += 5 if $password =~ /[A-Z]/; + $score += 5 if $password =~ /\d+/; + $score += 5 if $password =~ /(.*[0-9].*[0-9].*[0-9])/; + $score += 5 if $password =~ /.[!@#$%^&*?_~,]/; + $score += 5 if $password =~ /(.*[!@#$%^&*?_~,].*[!@#$%^&*?_~,])/; + $score += 2 if $password =~ /([a-z].*[A-Z])|([A-Z].*[a-z])/; + $score += 2 if $password =~ /([a-zA-Z])/ && $password =~ /([0-9])/; + $score += 2 if $password =~ /([a-z].*[A-Z])|([A-Z].*[a-z])/; + $score += 2 if $password =~ /([a-zA-Z0-9].*[!@#$%^&*?_~])|([!@#$%^&*?_~,].*[a-zA-Z0-9])/; + + my $level = $score < 11 ? 1 : + $score > 10 && $score < 20 ? 2 : + $score > 19 && $score < 30 ? 3 : + $score > 29 && $score < 40 ? 4 : 5; + + return $level; + } 1; |
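Review bot: `tls_reqcert => "allow"` replacing `tls_checkpeer => "yes"` weakens the check rather than renaming it: in nslcd.conf `tls_reqcert allow` accepts a missing or invalid server certificate, so the CA file the user just downloaded (`tls_cacertfile`) is no longer enforced and the ldaps:// URI built earlier in configure_nss_ldap does not actually authenticate the server. Unless there is a known interoperability reason, use `tls_reqcert => "demand",` and, if lenient checking is deliberately wanted for first contact, add a comment saying so. In the new compute_password_weakness sub the character classes `[!@#$%^&*?_~,]` contain `$%`, which Perl presumably interpolates inside a regex as the `$%` format variable (0), so '%' is never scored while '0' is; escaping it as `[!@#\$%^&*?_~,]` fixes that, and the `$score += 2 if $password =~ /([a-z].*[A-Z])|([A-Z].*[a-z])/;` line appears twice, counting the mixed-case bonus twice. The sub is also indented as if nested although it sits at file scope after configure_nss_ldap's closing brace.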