diff --git a/htdocs/admin/ldap_members.php b/htdocs/admin/ldap_members.php
index 2b1309e7994..3ee51c5154d 100644
--- a/htdocs/admin/ldap_members.php
+++ b/htdocs/admin/ldap_members.php
@@ -57,6 +57,7 @@ if ($_GET["action"] == 'setvalue' && $user->admin)
 if (! dolibarr_set_const($db, 'LDAP_FIELD_LOGIN',$_POST["fieldlogin"])) $error++;
 if (! dolibarr_set_const($db, 'LDAP_FIELD_LOGIN_SAMBA',$_POST["fieldloginsamba"])) $error++;
 if (! dolibarr_set_const($db, 'LDAP_FIELD_PASSWORD',$_POST["fieldpassword"])) $error++;
+if (! dolibarr_set_const($db, 'LDAP_FIELD_PASSWORD_CRYPTED',$_POST["fieldpasswordcrypted"])) $error++;
 if (! dolibarr_set_const($db, 'LDAP_FIELD_NAME',$_POST["fieldname"])) $error++;
 if (! dolibarr_set_const($db, 'LDAP_FIELD_FIRSTNAME',$_POST["fieldfirstname"])) $error++;
 if (! dolibarr_set_const($db, 'LDAP_FIELD_MAIL',$_POST["fieldmail"])) $error++;
@@ -191,14 +192,22 @@ print ''.$langs->trans("LDAPFieldLoginSambaExample").'';
 print 'global->LDAP_KEY_MEMBERS==$conf->global->LDAP_FIELD_LOGIN_SAMBA?' checked="true"':'').">";
 print '';
-// Password
+// Password not crypted
 $var=!$var;
-print ''.$langs->trans("LDAPFieldPassword").'';
+print ''.$langs->trans("LDAPFieldPasswordNotCrypted").'';
 print '';
 print ''.$langs->trans("LDAPFieldPasswordExample").'';
 print 'global->LDAP_KEY_USERS==$conf->global->LDAP_FIELD_PASSWORD?' checked="true"':'').">";
 print '';
+// Password crypted
+$var=!$var;
+print ''.$langs->trans("LDAPFieldPasswordCrypted").'';
+print '';
+print ''.$langs->trans("LDAPFieldPasswordExample").'';
+print 'global->LDAP_KEY_USERS==$conf->global->LDAP_FIELD_PASSWORD_CRYPTED?' checked="true"':'').">";
+print '';
+
 // Mail
 $var=!$var;
 print ''.$langs->trans("LDAPFieldMail").'';
diff --git a/htdocs/admin/ldap_users.php b/htdocs/admin/ldap_users.php
index bf6d6ca5668..b64cd0f3af3 100644
--- a/htdocs/admin/ldap_users.php
+++ b/htdocs/admin/ldap_users.php
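Review bot: The new "Password crypted" radio in ldap_members.php tests `$conf->global->LDAP_KEY_USERS` against `LDAP_FIELD_PASSWORD_CRYPTED`, while the samba row at the top of the hunk uses `LDAP_KEY_MEMBERS`; the existing password row has the same `LDAP_KEY_USERS` mismatch, so this looks copied from ldap_users.php, and the new row should read `($conf->global->LDAP_KEY_MEMBERS==$conf->global->LDAP_FIELD_PASSWORD_CRYPTED?' checked="true"':'')`. The label also depends on the `LDAPFieldPasswordCrypted` key added in the en_US admin.lang hunk, and that line appears as `LDAPFieldPasswordCrypted¨Password crypted` with a `¨` where `=` belongs, so English users would see the raw key unless that is an artefact of how this page was captured; the fr_FR entry is well formed. The same key is consumed by the ldap_users.php hunk below.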
@@ -58,6 +58,7 @@ if ($_GET["action"] == 'setvalue' && $user->admin)
 if (! dolibarr_set_const($db, 'LDAP_FIELD_LOGIN',$_POST["fieldlogin"])) $error++;
 if (! dolibarr_set_const($db, 'LDAP_FIELD_LOGIN_SAMBA',$_POST["fieldloginsamba"])) $error++;
 if (! dolibarr_set_const($db, 'LDAP_FIELD_PASSWORD',$_POST["fieldpassword"])) $error++;
+if (! dolibarr_set_const($db, 'LDAP_FIELD_PASSWORD_CRYPTED',$_POST["fieldpasswordcrypted"])) $error++;
 if (! dolibarr_set_const($db, 'LDAP_FIELD_NAME',$_POST["fieldname"])) $error++;
 if (! dolibarr_set_const($db, 'LDAP_FIELD_FIRSTNAME',$_POST["fieldfirstname"])) $error++;
 if (! dolibarr_set_const($db, 'LDAP_FIELD_MAIL',$_POST["fieldmail"])) $error++;
@@ -187,14 +188,22 @@ print ''.$langs->trans("LDAPFieldLoginSambaExample").'';
 print 'global->LDAP_KEY_USERS==$conf->global->LDAP_FIELD_LOGIN_SAMBA?' checked="true"':'').">";
 print '';
-// Password
+// Password not crypted
 $var=!$var;
-print ''.$langs->trans("LDAPFieldPassword").'';
+print ''.$langs->trans("LDAPFieldPasswordNotCrypted").'';
 print '';
 print ''.$langs->trans("LDAPFieldPasswordExample").'';
 print 'global->LDAP_KEY_USERS==$conf->global->LDAP_FIELD_PASSWORD?' checked="true"':'').">";
 print '';
+// Password crypted
+$var=!$var;
+print ''.$langs->trans("LDAPFieldPasswordCrypted").'';
+print '';
+print ''.$langs->trans("LDAPFieldPasswordExample").'';
+print 'global->LDAP_KEY_USERS==$conf->global->LDAP_FIELD_PASSWORD_CRYPTED?' checked="true"':'').">";
+print '';
+
 // Mail
 $var=!$var;
 print ''.$langs->trans("LDAPFieldMail").'';
diff --git a/htdocs/admin/security.php b/htdocs/admin/security.php
index b11bbf4b3fc..f937682a2b7 100644
--- a/htdocs/admin/security.php
+++ b/htdocs/admin/security.php
@@ -180,9 +180,23 @@ foreach ($arrayhandler as $key => $module) } print ''; print ''; + +// Cryptage mot de passe + +/* +* \TODO +* Fonctionnalité désactivée car à revoir différemment sous peine +* de ne pouvoir gérer son propre module de cryptage ni aucune interface +* avec une base extérieure. Les modifs à faire sont : +* +* Ajouter options: +* - "Ne pas conserver mot de passe en clair en base" +* qui désactive le stockage du champ pass (seul le champ pass_crypted est alors stocké) +* - "Algorithme de cryptage = MD5,..." +* + print '
'; -// Bon de livraison activation/desactivation $var=false; print "
"; print ""; @@ -224,6 +238,8 @@ if($conf->global->DATABASE_PWD_ENCRYPTED == 1 && $allow_disable_encryption) print ""; print ''; +*/ + print ''; print '
';
diff --git a/htdocs/langs/en_US/admin.lang b/htdocs/langs/en_US/admin.lang
index e18c0a5ed63..0f122380476 100644
--- a/htdocs/langs/en_US/admin.lang
+++ b/htdocs/langs/en_US/admin.lang
@@ -595,6 +595,8 @@ LDAPFieldLoginSambaExample=Example : samaccountname
 LDAPFieldFullname=Firstname Name
 LDAPFieldFullnameExample=Example : cn
 LDAPFieldPassword=Password
+LDAPFieldPasswordNotCrypted=Password not crypted
+LDAPFieldPasswordCrypted¨Password crypted
 LDAPFieldPasswordExample=Example : userPassword
 LDAPFieldCommonName=Common name
 LDAPFieldCommonNameExample=Example : cn
diff --git a/htdocs/langs/fr_FR/admin.lang b/htdocs/langs/fr_FR/admin.lang
index e74949de295..d89b3088391 100644
--- a/htdocs/langs/fr_FR/admin.lang
+++ b/htdocs/langs/fr_FR/admin.lang
@@ -595,6 +595,8 @@ LDAPFieldLoginSambaExample=Exemple : samaccountname
 LDAPFieldFullname=Prénom Nom
 LDAPFieldFullnameExample=Exemple : cn
 LDAPFieldPassword=Mot de passe
+LDAPFieldPasswordNotCrypted=Mot de passe non crypté
+LDAPFieldPasswordCrypted=Mot de passe crypté
 LDAPFieldPasswordExample=Exemple : userPassword
 LDAPFieldCommonName=Nom commun
 LDAPFieldCommonNameExample=Exemple : cn
diff --git a/htdocs/main.inc.php b/htdocs/main.inc.php
index 7cd3b1fec79..3515aa575a0 100644
--- a/htdocs/main.inc.php
+++ b/htdocs/main.inc.php
@@ -132,20 +132,23 @@ if (! session_id() || ! isset($_SESSION["dol_login"]))
 $pear = $dolibarr_main_db_type.'://'.$dolibarr_main_db_user.':'.$dolibarr_main_db_pass.'@'.$dolibarr_main_db_host.'/'.$dolibarr_main_db_name;
+// \TODO Virer ce test et toujours faire le test sur le champ crypté
 if ($conf->password_encrypted)
 {
 $cryptType = "md5";
+$fieldtotest="pass_crypted";
 }
 else
 {
 $cryptType = "none";
+$fieldtotest="pass";
 }
 $params = array(
 "dsn" => $pear,
 "table" => MAIN_DB_PREFIX."user",
 "usernamecol" => "login",
-"passwordcol" => "pass",
+"passwordcol" => $fieldtotest,
 "cryptType" => $cryptType,
 );
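Review bot: The `*/` added here closes a `/*` opened in the previous security.php hunk, so the whole password-encryption settings block is now dead code kept inside a comment; any `*/` sequence in the printed strings between the two markers would end the comment early, and the block will drift out of sync with the rest of the page. Deleting the block (history keeps it) or wrapping it in `if (0) { … }` under the existing TODO would be safer. Since this also removes the only UI for `DATABASE_PWD_ENCRYPTED`, the TODO should say where the setting can still be changed, e.g. `// DATABASE_PWD_ENCRYPTED can only be changed directly in the database until this is reworked` (hedged: I infer from the user.class.php comments that this constant is what `$conf->password_encrypted` reflects). The commented-out region starts outside this hunk.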
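Review bot: When `$conf->password_encrypted` is off, the login check still runs against the cleartext `pass` column with `cryptType` `none`, so authentication keeps depending on the cleartext copy even though the migration in this commit fills `pass_crypted` for every row; the `\TODO` added above the `if` already says the test should always use the crypted field, and doing that here (`$cryptType = "md5"; $fieldtotest = "pass_crypted";` unconditionally, dropping the branch) would let `pass` be retired later without touching the login path. The same branch is duplicated in the `@@ -186` hunk below, so both copies should change together, or the `$params` array should be built once. Note that `cryptType` md5 compares an unsalted digest, which is what `User::password()` now stores; that is a design choice this hunk inherits rather than introduces, but it is worth recording next to the TODO. The enclosing `if (! session_id() …)` block starts before and ends after this hunk.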
@@ -186,17 +189,19 @@ if (! session_id() || ! isset($_SESSION["dol_login"]))
 if ($conf->password_encrypted)
 {
 $cryptType = "md5";
+$fieldtotest="pass_crypted";
 }
 else
 {
 $cryptType = "none";
+$fieldtotest="pass";
 }
 $params = array(
 "dsn" => $pear,
 "table" => MAIN_DB_PREFIX."user",
 "usernamecol" => "login",
-"passwordcol" => "pass",
+"passwordcol" => $fieldtotest,
 "cryptType" => $cryptType,
 );
@@ -252,7 +257,7 @@ if (! session_id() || ! isset($_SESSION["dol_login"]))
 'binddn' => $conf->global->LDAP_ADMIN_DN,
 'bindpw' => $conf->global->LDAP_ADMIN_PASS,
-'debug' => $ldapdebug,
+'debug' => $ldapdebug,
 'userattr' => $userattr,
@@ -285,7 +290,7 @@ if (! session_id() || ! isset($_SESSION["dol_login"]))
 exit;
 }
 }
-
+
 // Charge l'objet user depuis son login
 $result=$user->fetch($login);
 if ($result <= 0)
diff --git a/htdocs/user.class.php b/htdocs/user.class.php
index ed54a6c39b7..eacede09a0b 100644
--- a/htdocs/user.class.php
+++ b/htdocs/user.class.php
@@ -60,10 +60,14 @@ class User
 var $user_mobile;
 var $admin;
 var $login;
-//! Mot de passe en clair
+
+//! Mot de passe en clair en mémoire
 var $pass;
-//! Mot de passe crypté en base
+//! Mot de passe en clair en base (renseigné si DATABASE_PWD_ENCRYPTED=0)
 var $pass_indatabase;
+//! Mot de passe crypté en base (toujours renseigné)
+var $pass_indatabase_crypted;
+
 var $datec;
 var $datem;
 var $societe_id;
@@ -117,7 +121,8 @@ class User
 // Recupere utilisateur
 $sql = "SELECT u.rowid, u.name, u.firstname, u.email, u.office_phone, u.office_fax, u.user_mobile,";
-$sql.= " u.admin, u.login, u.pass, u.webcal_login, u.note,";
+$sql.= " u.admin, u.login, u.webcal_login, u.note,";
+$sql.= " u.pass, u.pass_crypted,";
 $sql.= " u.fk_societe, u.fk_socpeople, u.ldap_sid,";
 $sql.= " u.statut, u.lang,";
 $sql.= " ".$this->db->pdate("u.datec")." as datec,";
@@ -149,7 +154,8 @@ class User
 $this->fullname = trim($this->prenom . ' ' . $this->nom);
 $this->login = $obj->login;
 $this->pass_indatabase = $obj->pass;
-if (! $conf->password_encrypted) $this->pass = $obj->pass;
+$this->pass_indatabase_crypted = $obj->pass_crypted;
+$this->pass = $obj->pass;
 $this->office_phone = $obj->office_phone;
 $this->office_fax = $obj->office_fax;
 $this->user_mobile = $obj->user_mobile;
@@ -858,18 +864,11 @@ class User
 // Mise a jour mot de passe
 if ($this->pass)
 {
-if ($conf->password_encrypted)
-{
-// On met a jour systematiquement
+if ($this->pass != $this->pass_indatabase &&
+$this->pass != $this->pass_indatabase_crypted)
+{
+// Si mot de passe saisi et différent de celui en base
 $this->password($user,$this->pass,$conf->password_encrypted);
-}
-else
-{
-if ($this->pass != $this->pass_indatabase)
-{
-// Si mot de passe saisi et différent de celui en base
-$this->password($user,$this->pass,$conf->password_encrypted);
-}
 }
 }
@@ -948,12 +947,12 @@ class User
 /**
 * \brief Change le mot de passe d'un utilisateur
-* \param user Object user de l'utilisateur qui fait la modification
-* \param password Nouveau mot de passe (à générer si non communiqué)
-* \param isencrypted 0 ou 1 si il faut crypter le mot de passe en base (0 par défaut)
-* \return string mot de passe, < 0 si erreur
+* \param user Object user de l'utilisateur qui fait la modification
+* \param password Nouveau mot de passe (à générer si non communiqué)
+* \param noclearpassword 0 ou 1 s'il ne faut pas stocker le mot de passe en clair
+* \return string mot de passe, < 0 si erreur
 */
-function password($user, $password='', $isencrypted=0)
+function password($user, $password='', $noclearpassword=0)
 {
 global $langs;
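Review bot: `fetch()` now copies `$obj->pass` into `$this->pass` unconditionally, where the removed line did so only when `$conf->password_encrypted` was off, so every loaded User object carries the stored cleartext password whenever the `pass` column is populated. That widens where the secret lives in memory (any path that serialises, logs or dumps a User) with no visible gain in this diff, since the change detection in `update()` reads `pass_indatabase` and `pass_indatabase_crypted`. Keeping the previous guard, `if (! $conf->password_encrypted) $this->pass = $obj->pass;`, would be preferable; if the unconditional load is needed by a caller not shown here, a comment on the line should say which one. `fetch()` starts and ends outside this hunk.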
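Review bot: The change test added to `update()` uses loose `!=`, so PHP's numeric-string comparison applies: a new password such as `1e3` compares equal to a stored `1000` and the update is silently skipped. Use strict comparison on both clauses, `if ($this->pass !== $this->pass_indatabase && $this->pass !== $this->pass_indatabase_crypted)`. The second clause also compares the typed password against the stored MD5 string, so a password that happens to equal its own digest is never written; an unlikely edge, but a one-line comment explaining why the crypted value is compared would help the next reader. `update()` starts and ends outside this hunk.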
@@ -967,20 +966,17 @@ class User
 //$password=creer_pass_aleatoire_2('');
 }
-// Cryptage mot de passe
-if ($isencrypted)
-{
-// Crypte avec systeme encodage par defaut du PHP
-//$sqlpass = crypt($password, makesalt());
-$password_indatabase = md5($password);
-}
-else
-{
-$password_indatabase = $password;
-}
+// Crypte avec systeme encodage par defaut du PHP
+//$sqlpass = crypt($password, makesalt());
+$password_crypted = md5($password);
 // Mise a jour
-$sql = "UPDATE ".MAIN_DB_PREFIX."user SET pass = '".addslashes($password_indatabase)."'";
+$sql = "UPDATE ".MAIN_DB_PREFIX."user";
+$sql.= " SET pass_crypted = '".$password_crypted."'";
+if (! $noclearpassword)
+{
+$sql.= ", pass = '".$password."'";
+}
 $sql.= " WHERE rowid = ".$this->id;
 $result = $this->db->query($sql);
@@ -989,7 +985,8 @@ class User
 if ($this->db->affected_rows())
 {
 $this->pass=$password;
-$this->pass_indatabase=$password_indatabase;
+$this->pass_indatabase=$password;
+$this->pass_indatabase_crypted=$password_crypted;
 // Appel des triggers
 include_once(DOL_DOCUMENT_ROOT . "/interfaces.class.php");
diff --git a/mysql/migration/2.0.0-2.1.0.sql b/mysql/migration/2.0.0-2.1.0.sql
index 814d934b2d2..8b137b4454d 100644
--- a/mysql/migration/2.0.0-2.1.0.sql
+++ b/mysql/migration/2.0.0-2.1.0.sql
@@ -726,6 +726,7 @@ alter table llx_user add column datepreviouslogin datetime after datelastlogin;
 alter table llx_user add column ldap_sid varchar(255) DEFAULT NULL;
 alter table llx_user add column statut tinyint DEFAULT 1;
 alter table llx_user add column lang varchar(6);
+alter table llx_user add column pass_crypted varchar(128) after pass;
 alter table llx_user add column office_phone varchar(20);
 alter table llx_user add column office_fax varchar(20);
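Review bot: The cleartext branch `$sql.= ", pass = '".$password."'";` drops the `addslashes()` that the removed `UPDATE` line applied, so a password containing a quote now breaks the statement and, because the value is chosen by the user, lets whoever sets a password inject into the UPDATE; the MD5 hex written to `pass_crypted` is safe, but the cleartext column needs the escaping restored: `$sql.= ", pass = '".addslashes($password)."'";`. Separately, `pass_crypted` is an unsalted `md5()` of the password; the commented `crypt($password, makesalt())` line kept above it shows the salted alternative, and the main.inc.php hunks compare with `cryptType` `md5`, so a stronger scheme needs both sides changed together — a `// TODO` naming that dependency next to the `md5()` call would help. `password()` starts and ends outside this hunk.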
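Review bot: `$this->pass_indatabase=$password;` is assigned even when `$noclearpassword` was passed, in which case the UPDATE built earlier in `password()` did not write `pass`, so the object now claims a cleartext value that is not in the row, and `update()` uses this field to decide whether to write the password again. Assign it only when the column was actually written, `if (! $noclearpassword) $this->pass_indatabase=$password;`, leaving the value loaded by `fetch()` otherwise. `password()` starts and ends outside this hunk.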
@@ -736,6 +737,9 @@ alter table llx_user drop code;
 ALTER TABLE llx_user ADD UNIQUE uk_user_login (login);
+update llx_user set pass_crypted = MD5(pass) where pass IS NOT NULL AND pass_crypted IS NULL and length(pass) < 32;
+update llx_user set pass_crypted = pass where pass IS NOT NULL AND pass_crypted IS NULL and length(pass) = 32;
+update llx_user set pass = NULL where length(pass) = 32;
 alter table llx_boxes add column fk_user integer;
diff --git a/mysql/tables/llx_user.sql b/mysql/tables/llx_user.sql
index f29566192b5..5bea59abe32 100644
--- a/mysql/tables/llx_user.sql
+++ b/mysql/tables/llx_user.sql
@@ -29,6 +29,7 @@ create table llx_user
 tms timestamp,
 login varchar(24) NOT NULL,
 pass varchar(32),
+pass_crypted varchar(128),
 name varchar(50),
 firstname varchar(50),
 office_phone varchar(20),
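Review bot: The migration decides whether an existing `pass` is already an MD5 digest purely by `length(pass) = 32`, so a genuine 32-character cleartext password (the column is `varchar(32)`, so such values are possible) is copied into `pass_crypted` as if it were a digest and then erased from `pass`; that user can no longer log in, because `MD5(input)` never equals the stored cleartext. Restricting both `length(pass) = 32` conditions to hex digests, `and pass REGEXP '^[0-9a-fA-F]{32}$'`, narrows the misclassification; the safer key is the installation's own DATABASE_PWD_ENCRYPTED setting, if the migration can read it. The third statement also wipes `pass` for every 32-character row regardless of whether the second statement populated `pass_crypted`, so the two should share the same condition or the third should add `and pass_crypted = pass`.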