Commit e7530137 authored by Francesc Guasch's avatar Francesc Guasch

wip(auth): use PBKDF2 to store encrypted data in LDAP

issue #1208
parent 98bdcfdf
...@@ -13,7 +13,9 @@ use Authen::Passphrase; ...@@ -13,7 +13,9 @@ use Authen::Passphrase;
use Authen::Passphrase::SaltedDigest; use Authen::Passphrase::SaltedDigest;
use Carp qw(carp); use Carp qw(carp);
use Data::Dumper; use Data::Dumper;
use Digest::SHA qw(sha1_hex); use Digest::SHA qw(sha1_hex sha256_hex);
use Encode;
use PBKDF2::Tiny qw/derive_hex verify_hex/;
use Moose; use Moose;
use Net::LDAP; use Net::LDAP;
use Net::LDAPS; use Net::LDAPS;
...@@ -64,8 +66,7 @@ Adds a new user in the LDAP directory ...@@ -64,8 +66,7 @@ Adds a new user in the LDAP directory
=cut =cut
sub add_user { sub add_user($name, $password, $storage='rfc2307', $algorithm=undef ) {
my ($name, $password, $is_admin) = @_;
_init_ldap_admin(); _init_ldap_admin();
...@@ -76,8 +77,6 @@ sub add_user { ...@@ -76,8 +77,6 @@ sub add_user {
if !_dc_base(); if !_dc_base();
my ($givenName, $sn) = $name =~ m{(\w+)\.(.*)}; my ($givenName, $sn) = $name =~ m{(\w+)\.(.*)};
my $apr=Authen::Passphrase::SaltedDigest->new(passphrase => $password, algorithm => "MD5");
my %entry = ( my %entry = (
cn => $name cn => $name
, uid => $name , uid => $name
...@@ -87,7 +86,7 @@ sub add_user { ...@@ -87,7 +86,7 @@ sub add_user {
, givenName => ($givenName or $name) , givenName => ($givenName or $name)
, sn => ($sn or $name) , sn => ($sn or $name)
# , homeDirectory => "/home/$name" # , homeDirectory => "/home/$name"
,userPassword => $apr->as_rfc2307() ,userPassword => _password_store($password, $storage, $algorithm)
); );
my $dn = "cn=$name,"._dc_base(); my $dn = "cn=$name,"._dc_base();
...@@ -97,6 +96,29 @@ sub add_user { ...@@ -97,6 +96,29 @@ sub add_user {
} }
} }
sub _password_store($password, $storage, $algorithm) {
return _password_rfc2307($password, $algorithm) if lc($storage) eq 'rfc2307';
return _password_pbkdf2($password, $algorithm) if lc($storage) eq 'pbkdf2';
confess "Error: Unknown storage '$storage'";
}
sub _password_pbkdf2($password, $algorithm='SHA-1') {
$algorithm = 'SHA-1' if ! defined $algorithm;
my $salt = encode('ascii', 'random_name');
my $iters = 100;
return "{PBKDF2_$algorithm}".derive_hex( $algorithm, encode('ascii',$password), $salt );
}
sub _password_rfc2307($password, $algorithm='MD5') {
my $apr=Authen::Passphrase::SaltedDigest->new(passphrase => $password
, algorithm => ($algorithm or 'MD5'));
return $apr->as_rfc2307();
}
=head2 remove_user =head2 remove_user
Removes the user Removes the user
...@@ -454,7 +476,22 @@ sub _match_password { ...@@ -454,7 +476,22 @@ sub _match_password {
# ."\n" # ."\n"
# .sha1_hex($password); # .sha1_hex($password);
return Authen::Passphrase->from_rfc2307($password_ldap)->match($password); my ($storage) = $password_ldap =~ /^{([a-z0-9]+)[_}]/i;
return Authen::Passphrase->from_rfc2307($password_ldap)->match($password)
if $storage =~ /rfc2307|md5/i;
my $salt = encode('ascii', 'random_name');
if ( lc($storage) eq 'pbkdf2') {
my ($algorithm) = $password_ldap =~ /^{[a-z0-9]+_([a-z0-9]+)}/i;
confess "Error: I can't find the algorithm in $password_ldap"
if !$algorithm;
return verify_hex($password_ldap, $algorithm
, encode('ascii',$password)
, $salt)
}
confess "Error: Unknown password storage $storage";
} }
sub _dc_base { sub _dc_base {
......
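Review bot: The PBKDF2 path cannot verify what it stores: in `_match_password` the algorithm regex `^{[a-z0-9]+_([a-z0-9]+)}` never matches the default `SHA-1` because of the hyphen, so the branch always reaches `confess`, and even with a matching algorithm `verify_hex` receives the whole LDAP value including its `{PBKDF2_…}` prefix instead of the hex digest. The derivation in `_password_pbkdf2` is also weak as a password store: the salt is the fixed literal `'random_name'` (duplicated in both functions, so equal passwords hash identically and the two copies must be kept in sync by hand), `$iters = 100` is never passed to `derive_hex` so the module default applies, and `encode('ascii', …)` silently replaces any non-ASCII character of the password with `?`, so distinct passwords can collide. I would generate a random per-user salt, pass an explicit iteration count, and write both into the stored value so `_match_password` parses them back rather than hard-coding them, as sketched below; `_match_password`'s body starts outside the hunk. Separately, `add_user`'s third positional parameter changed meaning from `$is_admin` to `$storage`, so an existing caller passing a truthy flag now dies with `Unknown storage '1'` — worth checking callers before this leaves WIP.
```perl
sub _password_pbkdf2($password, $algorithm='SHA-1') {
    $algorithm //= 'SHA-1';
    my $iters = 100_000;    # cost parameter; tune for the deployment
    # Fresh random salt per stored password: a fixed literal makes equal
    # passwords produce equal hashes and makes precomputation trivial.
    open my $rnd, '<:raw', '/dev/urandom' or confess "Error: open /dev/urandom: $!";
    my $got = read $rnd, my $salt, 16;
    close $rnd;
    confess "Error: short read from /dev/urandom" if !defined $got || $got != 16;
    my $dk = derive_hex($algorithm, encode('UTF-8', $password), $salt, $iters);
    # Salt and iteration count travel with the hash, so verification needs
    # no shared constants.
    return "{PBKDF2_$algorithm}$iters\$".unpack('H*', $salt)."\$$dk";
}

# … unchanged: _password_rfc2307 …

# in _match_password, replacing the pbkdf2 branch:
    if ( lc($storage) eq 'pbkdf2') {
        my ($algorithm, $iters, $salt_hex, $dk) = $password_ldap
            =~ m{\A\{PBKDF2_([A-Za-z0-9-]+)\}(\d+)\$([0-9a-f]+)\$([0-9a-f]+)\z}i;
        confess "Error: I can't parse the PBKDF2 password value"
            if !defined $dk;
        return verify_hex($dk, $algorithm, encode('UTF-8', $password)
            , pack('H*', $salt_hex), $iters);
    }
```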