Fix ldap passwords

author: Ismaël Bouya <ismael.bouya@normalesup.org> 2024-07-07 02:36:38 +0200
committer: Ismaël Bouya <ismael.bouya@normalesup.org> 2024-07-07 02:42:21 +0200
commit: 927ea90d2d0b16b510fc9dad618ccb9ac374c4cd (patch)
tree: 770f6008712412354d53ccb8a0a3776d4a79752d
parent: c55d7e13d4e689f155f0483505181c4dd1ce5904 (diff)
download: Nix-927ea90d2d0b16b510fc9dad618ccb9ac374c4cd.tar.gz
Nix-927ea90d2d0b16b510fc9dad618ccb9ac374c4cd.tar.zst
Nix-927ea90d2d0b16b510fc9dad618ccb9ac374c4cd.zip
5 files changed, 7 insertions, 7 deletions
diff --git a/deploy/flake.lock b/deploy/flake.lock
index c5cd82e..de358ff 100644
--- a/deploy/flake.lock
+++ b/deploy/flake.lock
@@ -2783,7 +2783,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-mPLHIHp2ZF2MQSiKJhYj2SA9JTN3iKjyUkW6tF+uTsM=",
+        "narHash": "sha256-DK32C6dLSeXBxrQx3B6RVyLnqIB6i9trlZlb0vkl7J4=",
        "path": "../flakes",
        "type": "path"
      },
@@ -3903,7 +3903,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-+wiHTKFrgD2yAUUioWhq3rnIX/Is37UsMpLb6YDfpIs=",
+        "narHash": "sha256-IiNmTt+EL9aW6oEWp/JyUfjVLnLAu2MfX9e0b8J7/h0=",
        "path": "../systems/eldiron",
        "type": "path"
      },
diff --git a/flake.lock b/flake.lock
index 3ae807d..2a51070 100644
--- a/flake.lock
+++ b/flake.lock
@@ -2664,7 +2664,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-mPLHIHp2ZF2MQSiKJhYj2SA9JTN3iKjyUkW6tF+uTsM=",
+        "narHash": "sha256-DK32C6dLSeXBxrQx3B6RVyLnqIB6i9trlZlb0vkl7J4=",
        "path": "./flakes",
        "type": "path"
      },
@@ -3919,7 +3919,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-+wiHTKFrgD2yAUUioWhq3rnIX/Is37UsMpLb6YDfpIs=",
+        "narHash": "sha256-IiNmTt+EL9aW6oEWp/JyUfjVLnLAu2MfX9e0b8J7/h0=",
        "path": "../systems/eldiron",
        "type": "path"
      },
diff --git a/flakes/flake.lock b/flakes/flake.lock
index 1d7486d..e8924ee 100644
--- a/flakes/flake.lock
+++ b/flakes/flake.lock
@@ -3824,7 +3824,7 @@
      },
      "locked": {
        "lastModified": 1,
-        "narHash": "sha256-+wiHTKFrgD2yAUUioWhq3rnIX/Is37UsMpLb6YDfpIs=",
+        "narHash": "sha256-IiNmTt+EL9aW6oEWp/JyUfjVLnLAu2MfX9e0b8J7/h0=",
        "path": "../systems/eldiron",
        "type": "path"
      },
diff --git a/systems/eldiron/base.nix b/systems/eldiron/base.nix
index fa5e504..4535dcf 100644
--- a/systems/eldiron/base.nix
+++ b/systems/eldiron/base.nix
@@ -189,7 +189,7 @@
        table = ldap_users
        user_column = login
        pw_type = function
-        auth_query = SELECT ((mechanism = 'SSHA' AND password = encode(digest( %p || salt, 'sha1'), 'hex')) OR (mechanism = 'PLAIN' AND password = %p)) FROM ldap_users WHERE login = %u OR login || '@' || realm = %u
+        auth_query = SELECT ((mechanism = 'SSHA' AND password = encode(digest( convert_to(%p, 'UTF8') || salt, 'sha1'), 'hex')) OR (mechanism = 'PLAIN' AND password = %p)) FROM ldap_users WHERE login = %u OR login || '@' || realm = %u
        #pwd_query = WITH newsalt as (select gen_random_bytes(4)) UPDATE ldap_users SET password = encode(digest( %p || (SELECT * FROM newsalt), 'sha1'), 'hex'), salt = (SELECT * FROM newsalt), mechanism = 'SSHA' WHERE login = %u OR login || '@' || realm = %u
      '';
    };
diff --git a/systems/eldiron/websites/tools/landing/ldap_password.php b/systems/eldiron/websites/tools/landing/ldap_password.php
index efb4f57..b3b2f15 100644
--- a/systems/eldiron/websites/tools/landing/ldap_password.php
+++ b/systems/eldiron/websites/tools/landing/ldap_password.php
@@ -45,7 +45,7 @@ function changePasswordSQL($user_realm, $newPassword) {
    }
  }
  $con = pg_connect("");
-  $result = pg_query_params($con, "WITH newsalt as (SELECT gen_random_bytes(4)) UPDATE ldap_users SET password = encode(digest( $1 || (SELECT * FROM newsalt), 'sha1'), 'hex'), mechanism = 'SSHA', salt = (SELECT * FROM newsalt) where login || '@' || realm = $2", array($newPassword, $user_realm));
+  $result = pg_query_params($con, "WITH newsalt as (SELECT gen_random_bytes(4)) UPDATE ldap_users SET password = encode(digest( convert_to($1, 'UTF8') || (SELECT * FROM newsalt), 'sha1'), 'hex'), mechanism = 'SSHA', salt = (SELECT * FROM newsalt) where login || '@' || realm = $2", array($newPassword, $user_realm));
  if (!$result) {
    $message[] = "Error when accessing database";
    return false;
author	Ismaël Bouya <ismael.bouya@normalesup.org>	2024-07-07 02:36:38 +0200
committer	Ismaël Bouya <ismael.bouya@normalesup.org>	2024-07-07 02:42:21 +0200
commit	927ea90d2d0b16b510fc9dad618ccb9ac374c4cd (patch)
tree	770f6008712412354d53ccb8a0a3776d4a79752d
parent	c55d7e13d4e689f155f0483505181c4dd1ce5904 (diff)
download	Nix-927ea90d2d0b16b510fc9dad618ccb9ac374c4cd.tar.gz Nix-927ea90d2d0b16b510fc9dad618ccb9ac374c4cd.tar.zst Nix-927ea90d2d0b16b510fc9dad618ccb9ac374c4cd.zip

diff --git a/deploy/flake.lock b/deploy/flake.lock index c5cd82e..de358ff 100644 --- a/deploy/flake.lock +++ b/deploy/flake.lock
@@ -2783,7 +2783,7 @@
2783	},	2783	},
2784	"locked": {	2784	"locked": {
2785	"lastModified": 1,	2785	"lastModified": 1,
2786	"narHash": "sha256-mPLHIHp2ZF2MQSiKJhYj2SA9JTN3iKjyUkW6tF+uTsM=",	2786	"narHash": "sha256-DK32C6dLSeXBxrQx3B6RVyLnqIB6i9trlZlb0vkl7J4=",
2787	"path": "../flakes",	2787	"path": "../flakes",
2788	"type": "path"	2788	"type": "path"
2789	},	2789	},
@@ -3903,7 +3903,7 @@
3903	},	3903	},
3904	"locked": {	3904	"locked": {
3905	"lastModified": 1,	3905	"lastModified": 1,
3906	"narHash": "sha256-+wiHTKFrgD2yAUUioWhq3rnIX/Is37UsMpLb6YDfpIs=",	3906	"narHash": "sha256-IiNmTt+EL9aW6oEWp/JyUfjVLnLAu2MfX9e0b8J7/h0=",
3907	"path": "../systems/eldiron",	3907	"path": "../systems/eldiron",
3908	"type": "path"	3908	"type": "path"
3909	},	3909	},


diff --git a/flake.lock b/flake.lock index 3ae807d..2a51070 100644 --- a/flake.lock +++ b/flake.lock
@@ -2664,7 +2664,7 @@
2664	},	2664	},
2665	"locked": {	2665	"locked": {
2666	"lastModified": 1,	2666	"lastModified": 1,
2667	"narHash": "sha256-mPLHIHp2ZF2MQSiKJhYj2SA9JTN3iKjyUkW6tF+uTsM=",	2667	"narHash": "sha256-DK32C6dLSeXBxrQx3B6RVyLnqIB6i9trlZlb0vkl7J4=",
2668	"path": "./flakes",	2668	"path": "./flakes",
2669	"type": "path"	2669	"type": "path"
2670	},	2670	},
@@ -3919,7 +3919,7 @@
3919	},	3919	},
3920	"locked": {	3920	"locked": {
3921	"lastModified": 1,	3921	"lastModified": 1,
3922	"narHash": "sha256-+wiHTKFrgD2yAUUioWhq3rnIX/Is37UsMpLb6YDfpIs=",	3922	"narHash": "sha256-IiNmTt+EL9aW6oEWp/JyUfjVLnLAu2MfX9e0b8J7/h0=",
3923	"path": "../systems/eldiron",	3923	"path": "../systems/eldiron",
3924	"type": "path"	3924	"type": "path"
3925	},	3925	},


diff --git a/flakes/flake.lock b/flakes/flake.lock index 1d7486d..e8924ee 100644 --- a/flakes/flake.lock +++ b/flakes/flake.lock
@@ -3824,7 +3824,7 @@
3824	},	3824	},
3825	"locked": {	3825	"locked": {
3826	"lastModified": 1,	3826	"lastModified": 1,
3827	"narHash": "sha256-+wiHTKFrgD2yAUUioWhq3rnIX/Is37UsMpLb6YDfpIs=",	3827	"narHash": "sha256-IiNmTt+EL9aW6oEWp/JyUfjVLnLAu2MfX9e0b8J7/h0=",
3828	"path": "../systems/eldiron",	3828	"path": "../systems/eldiron",
3829	"type": "path"	3829	"type": "path"
3830	},	3830	},


diff --git a/systems/eldiron/base.nix b/systems/eldiron/base.nix index fa5e504..4535dcf 100644 --- a/systems/eldiron/base.nix +++ b/systems/eldiron/base.nix
@@ -189,7 +189,7 @@
189	table = ldap_users	189	table = ldap_users
190	user_column = login	190	user_column = login
191	pw_type = function	191	pw_type = function
192	auth_query = SELECT ((mechanism = 'SSHA' AND password = encode(digest( %p \|\| salt, 'sha1'), 'hex')) OR (mechanism = 'PLAIN' AND password = %p)) FROM ldap_users WHERE login = %u OR login \|\| '@' \|\| realm = %u	192	auth_query = SELECT ((mechanism = 'SSHA' AND password = encode(digest( convert_to(%p, 'UTF8') \|\| salt, 'sha1'), 'hex')) OR (mechanism = 'PLAIN' AND password = %p)) FROM ldap_users WHERE login = %u OR login \|\| '@' \|\| realm = %u
193	#pwd_query = WITH newsalt as (select gen_random_bytes(4)) UPDATE ldap_users SET password = encode(digest( %p \|\| (SELECT * FROM newsalt), 'sha1'), 'hex'), salt = (SELECT * FROM newsalt), mechanism = 'SSHA' WHERE login = %u OR login \|\| '@' \|\| realm = %u	193	#pwd_query = WITH newsalt as (select gen_random_bytes(4)) UPDATE ldap_users SET password = encode(digest( %p \|\| (SELECT * FROM newsalt), 'sha1'), 'hex'), salt = (SELECT * FROM newsalt), mechanism = 'SSHA' WHERE login = %u OR login \|\| '@' \|\| realm = %u
194	'';	194	'';
195	};	195	};


diff --git a/systems/eldiron/websites/tools/landing/ldap_password.php b/systems/eldiron/websites/tools/landing/ldap_password.php index efb4f57..b3b2f15 100644 --- a/systems/eldiron/websites/tools/landing/ldap_password.php +++ b/systems/eldiron/websites/tools/landing/ldap_password.php
@@ -45,7 +45,7 @@ function changePasswordSQL($user_realm, $newPassword) {
45	}	45	}
46	}	46	}
47	$con = pg_connect("");	47	$con = pg_connect("");
48	$result = pg_query_params($con, "WITH newsalt as (SELECT gen_random_bytes(4)) UPDATE ldap_users SET password = encode(digest( $1 \|\| (SELECT * FROM newsalt), 'sha1'), 'hex'), mechanism = 'SSHA', salt = (SELECT * FROM newsalt) where login \|\| '@' \|\| realm = $2", array($newPassword, $user_realm));	48	$result = pg_query_params($con, "WITH newsalt as (SELECT gen_random_bytes(4)) UPDATE ldap_users SET password = encode(digest( convert_to($1, 'UTF8') \|\| (SELECT * FROM newsalt), 'sha1'), 'hex'), mechanism = 'SSHA', salt = (SELECT * FROM newsalt) where login \|\| '@' \|\| realm = $2", array($newPassword, $user_realm));
49	if (!$result) {	49	if (!$result) {
50	$message[] = "Error when accessing database";	50	$message[] = "Error when accessing database";
51	return false;	51	return false;