From: Ismaƫl Bouya Date: Sun, 7 Jul 2024 00:36:38 +0000 (+0200) Subject: Fix ldap passwords X-Git-Url: https://git.immae.eu/?a=commitdiff_plain;h=927ea90d2d0b16b510fc9dad618ccb9ac374c4cd;p=perso%2FImmae%2FConfig%2FNix.git Fix ldap passwords --- diff --git a/deploy/flake.lock b/deploy/flake.lock index c5cd82e..de358ff 100644 --- a/deploy/flake.lock +++ b/deploy/flake.lock @@ -2783,7 +2783,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-mPLHIHp2ZF2MQSiKJhYj2SA9JTN3iKjyUkW6tF+uTsM=", + "narHash": "sha256-DK32C6dLSeXBxrQx3B6RVyLnqIB6i9trlZlb0vkl7J4=", "path": "../flakes", "type": "path" }, @@ -3903,7 +3903,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-+wiHTKFrgD2yAUUioWhq3rnIX/Is37UsMpLb6YDfpIs=", + "narHash": "sha256-IiNmTt+EL9aW6oEWp/JyUfjVLnLAu2MfX9e0b8J7/h0=", "path": "../systems/eldiron", "type": "path" }, diff --git a/flake.lock b/flake.lock index 3ae807d..2a51070 100644 --- a/flake.lock +++ b/flake.lock @@ -2664,7 +2664,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-mPLHIHp2ZF2MQSiKJhYj2SA9JTN3iKjyUkW6tF+uTsM=", + "narHash": "sha256-DK32C6dLSeXBxrQx3B6RVyLnqIB6i9trlZlb0vkl7J4=", "path": "./flakes", "type": "path" }, @@ -3919,7 +3919,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-+wiHTKFrgD2yAUUioWhq3rnIX/Is37UsMpLb6YDfpIs=", + "narHash": "sha256-IiNmTt+EL9aW6oEWp/JyUfjVLnLAu2MfX9e0b8J7/h0=", "path": "../systems/eldiron", "type": "path" }, diff --git a/flakes/flake.lock b/flakes/flake.lock index 1d7486d..e8924ee 100644 --- a/flakes/flake.lock +++ b/flakes/flake.lock @@ -3824,7 +3824,7 @@ }, "locked": { "lastModified": 1, - "narHash": "sha256-+wiHTKFrgD2yAUUioWhq3rnIX/Is37UsMpLb6YDfpIs=", + "narHash": "sha256-IiNmTt+EL9aW6oEWp/JyUfjVLnLAu2MfX9e0b8J7/h0=", "path": "../systems/eldiron", "type": "path" }, diff --git a/systems/eldiron/base.nix b/systems/eldiron/base.nix index fa5e504..4535dcf 100644 --- a/systems/eldiron/base.nix +++ b/systems/eldiron/base.nix 
@@ -189,7 +189,7 @@
 table = ldap_users
 user_column = login
 pw_type = function
- auth_query = SELECT ((mechanism = 'SSHA' AND password = encode(digest( %p || salt, 'sha1'), 'hex')) OR (mechanism = 'PLAIN' AND password = %p)) FROM ldap_users WHERE login = %u OR login || '@' || realm = %u
+ auth_query = SELECT ((mechanism = 'SSHA' AND password = encode(digest( convert_to(%p, 'UTF8') || salt, 'sha1'), 'hex')) OR (mechanism = 'PLAIN' AND password = %p)) FROM ldap_users WHERE login = %u OR login || '@' || realm = %u
 #pwd_query = WITH newsalt as (select gen_random_bytes(4)) UPDATE ldap_users SET password = encode(digest( %p || (SELECT * FROM newsalt), 'sha1'), 'hex'), salt = (SELECT * FROM newsalt), mechanism = 'SSHA' WHERE login = %u OR login || '@' || realm = %u
 '';
 };
diff --git a/systems/eldiron/websites/tools/landing/ldap_password.php b/systems/eldiron/websites/tools/landing/ldap_password.php
index efb4f57..b3b2f15 100644
--- a/systems/eldiron/websites/tools/landing/ldap_password.php
+++ b/systems/eldiron/websites/tools/landing/ldap_password.php
@@ -45,7 +45,7 @@ function changePasswordSQL($user_realm, $newPassword) {
 }
 }
 $con = pg_connect("");
- $result = pg_query_params($con, "WITH newsalt as (SELECT gen_random_bytes(4)) UPDATE ldap_users SET password = encode(digest( $1 || (SELECT * FROM newsalt), 'sha1'), 'hex'), mechanism = 'SSHA', salt = (SELECT * FROM newsalt) where login || '@' || realm = $2", array($newPassword, $user_realm));
+ $result = pg_query_params($con, "WITH newsalt as (SELECT gen_random_bytes(4)) UPDATE ldap_users SET password = encode(digest( convert_to($1, 'UTF8') || (SELECT * FROM newsalt), 'sha1'), 'hex'), mechanism = 'SSHA', salt = (SELECT * FROM newsalt) where login || '@' || realm = $2", array($newPassword, $user_realm));
 if (!$result) {
 $message[] = "Error when accessing database";
 return false;
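Review bot: The commented-out `#pwd_query` line right below the changed `auth_query` still hashes `%p || (SELECT * FROM newsalt)` without `convert_to`, so if it is ever re-enabled it may store hashes that the new `auth_query` does not verify (presumably for passwords whose text and bytea forms differ). Either update it to `digest( convert_to(%p, 'UTF8') || (SELECT * FROM newsalt), 'sha1')` or delete the line. Separately, this query and the UPDATE in `ldap_password.php` both keep a single salted SHA-1 with a 4-byte salt, and `auth_query` still accepts `mechanism = 'PLAIN'` rows compared against the raw password, so a leak of `ldap_users` would expose those credentials directly or to inexpensive offline guessing. A comment recording why these mechanisms are retained, and whether a migration is planned, would help the next reader. The enclosing Nix string starts and ends outside the hunk.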
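Review bot: `if (!$result)` only catches a failed query, so an UPDATE that matches no row (a `$user_realm` equal to no `login || '@' || realm`) is not treated as an error in the visible lines and the password change could be reported as successful without anything being written. Unless the code after the hunk already checks this, the guard could become `if (!$result || pg_affected_rows($result) !== 1) {`. The return value of `pg_connect("")` is likewise passed to `pg_query_params` without a check in the lines shown. `changePasswordSQL` starts and ends outside the hunk, so both may be handled elsewhere in the function.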