From 90787316cab5b32d115c71d5cf8e83e5a06d90cb Mon Sep 17 00:00:00 2001 From: David Coutadeur Date: Mon, 9 Sep 2024 20:45:28 +0200 Subject: [PATCH] use local password policy feature from ltb-common (#119) --- .gitignore | 3 + composer.json | 6 +- conf/config.inc.php | 47 +++++++++ docs/index.rst | 1 + docs/ppolicy.rst | 139 ++++++++++++++++++++++++++ docs/upgrade.rst | 36 +++++++ htdocs/checkentropy.php | 16 +++ htdocs/display.php | 41 +++++++- htdocs/index.php | 36 ++++++- htdocs/resetpassword.php | 71 ++++++++++--- htdocs/search.php | 2 +- lang/en.inc.php | 43 ++++++++ lang/fr.inc.php | 43 ++++++++ packaging/debian/control | 23 ++++- packaging/rpm/SPECS/service-desk.spec | 23 ++++- templates/display.tpl | 17 +++- templates/footer.tpl | 3 + templates/header.tpl | 1 + 18 files changed, 520 insertions(+), 31 deletions(-) create mode 100644 docs/ppolicy.rst create mode 100644 htdocs/checkentropy.php diff --git a/.gitignore b/.gitignore index 5d0c9b61..8c42a1e1 100644 --- a/.gitignore +++ b/.gitignore @@ -5,3 +5,6 @@ docs/_build /htdocs/vendor/bootstrap/ composer.lock tests/.phpunit.result.cache +htdocs/js/ppolicy.js +htdocs/css/ppolicy.css +templates/policy.tpl diff --git a/composer.json b/composer.json index c9ff44ee..d27aa110 100644 --- a/composer.json +++ b/composer.json @@ -32,7 +32,11 @@ "rm -rf htdocs/vendor/font-awesome/*", "cp -R vendor/fortawesome/font-awesome/css htdocs/vendor/font-awesome", "cp -R vendor/fortawesome/font-awesome/webfonts htdocs/vendor/font-awesome", - "rm -rf vendor/fortawesome/font-awesome" + "rm -rf vendor/fortawesome/font-awesome", + + "cp -f vendor/ltb-project/ltb-common/src/ppolicy/html/policy.tpl templates/policy.tpl", + "cp -f vendor/ltb-project/ltb-common/src/ppolicy/js/ppolicy.js htdocs/js/ppolicy.js", + "cp -f vendor/ltb-project/ltb-common/src/ppolicy/css/ppolicy.css htdocs/css/ppolicy.css" ] }, "require-dev": { diff --git a/conf/config.inc.php b/conf/config.inc.php index 565d981e..84cc0998 100644 --- a/conf/config.inc.php 
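Review bot: The three new `cp -f` steps materialise `templates/policy.tpl`, `htdocs/js/ppolicy.js` and `htdocs/css/ppolicy.css` from the vendored ltb-common package, and the .gitignore hunk in this same commit excludes those targets from the repository, so any deployment that does not run the composer scripts (a plain checkout, or a package build that skips them) will have `display.tpl`'s `{include file="policy.tpl"}` fail at render time. Nothing in docs/upgrade.rst says these files are generated; a sentence there such as "The policy template, JS and CSS are copied from ltb-common by `composer install` and must be present in templates/ and htdocs/" would save operators a confusing Smarty error. Since the browser-side rules in ppolicy.js come from whichever ltb-common version is pinned in `require` (outside this hunk), that pin is also what keeps client-side and server-side checks in step; I cannot see from the patch whether the debian/rpm packaging runs these scripts, so treat that as something to confirm.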
+++ b/conf/config.inc.php @@ -118,6 +118,53 @@ $use_searchidle = true; $idledays = 60; + +# Local password policy +# This is applied before directory password policy +# Minimal length +$pwd_min_length = 0; +# Maximal length +$pwd_max_length = 0; +# Minimal lower characters +$pwd_min_lower = 0; +# Minimal upper characters +$pwd_min_upper = 0; +# Minimal digit characters +$pwd_min_digit = 0; +# Minimal special characters +$pwd_min_special = 0; +# Definition of special characters +$pwd_special_chars = "^a-zA-Z0-9"; +# Forbidden characters +#$pwd_forbidden_chars = "@%"; +# Check that password is different than login +$pwd_diff_login = true; +# Forbidden words which must not appear in the password +$pwd_forbidden_words = array(); +# Forbidden ldap fields +# Respective values of the user's entry must not appear in the password +# example: $pwd_forbidden_ldap_fields = array('cn', 'givenName', 'sn', 'mail'); +$pwd_forbidden_ldap_fields = array(); +# Complexity: number of different class of character required +$pwd_complexity = 0; +# use pwnedpasswords api v2 to securely check if the password has been on a leak +$use_pwnedpasswords = false; +# show password entropy bar (require php zxcvbn module) +$pwd_display_entropy = false; +# enforce password entropy check +$pwd_check_entropy = false; +# minimum entropy level required (when $pwd_check_entropy enabled) +$pwd_min_entropy = 3; +# Show policy constraints message: +# always +# never +# onerror +$pwd_show_policy = "never"; +# Position of password policy constraints message: +# above - the form +# below - the form +$pwd_show_policy_pos = "above"; + ## Mail # LDAP mail attribute $mail_attributes = array( "mail", "gosaMailAlternateAddress", "proxyAddresses" ); diff --git a/docs/index.rst b/docs/index.rst index ca4d322f..87553701 100644 --- a/docs/index.rst +++ b/docs/index.rst 
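Review bot: `$pwd_no_special_at_ends` is absent from this new policy block even though docs/ppolicy.rst documents it and htdocs/index.php reads it unconditionally into `$pwd_policy_config` (index.php only supplies a fallback for `$pwd_forbidden_chars`), so the shipped configuration builds the policy array from an undefined variable, which PHP reports as a warning and evaluates as null. Add `# Check that the only special character is not at the beginning or end of the password` followed by `$pwd_no_special_at_ends = false;` next to `$pwd_special_chars`, or give it an `isset` default in index.php alongside `$pwd_forbidden_chars`. Leaving `$pwd_forbidden_chars` commented out is fine because index.php defaults it to "".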
@@ -19,6 +19,7 @@ LDAP Tool Box Service Desk documentation configuration-nginx.rst general-parameters.rst ldap-parameters.rst + ppolicy.rst attributes.rst search-parameters.rst display-parameters.rst diff --git a/docs/ppolicy.rst b/docs/ppolicy.rst new file mode 100644 index 00000000..34c22363 --- /dev/null +++ b/docs/ppolicy.rst 
@@ -0,0 +1,139 @@ +Password policy +=============== + +Size +---- + +Set minimal and maximal length in ``$pwd_min_length`` and +``$pwd_max_length``: + +.. code-block:: php + + $pwd_min_length = 4; + $pwd_max_length = 8; + +.. tip:: Set ``0`` in ``$pwd_max_length`` to disable maximal length + checking. + +Characters +---------- + +You can set the minimal number of lower, upper, digit and special +characters: + +.. code-block:: php + + $pwd_min_lower = 3; + $pwd_min_upper = 1; + $pwd_min_digit = 1; + $pwd_min_special = 1; + +Special characters are defined with a regular expression, by default: + +.. code-block:: php + + $pwd_special_chars = "^a-zA-Z0-9"; + +This means special characters are all characters except alphabetical +letters and digits. + +You can check that these special characters are not at beginning or end +of the password: + +.. code-block:: php + + $pwd_no_special_at_ends = true; + +You can also disallow characters from being in password, with +``$pwd_forbidden_chars``: + +.. code-block:: php + + $pwd_forbidden_chars = "@%"; + +This means that ``@`` and ``%`` could not be present in a password. + +You can define how many different class of characters (lower, upper, +digit, special) are needed in the password: + +.. code-block:: php + + $pwd_complexity = 2; + +Pwned Passwords +--------------- + +Allows to check if the password was already compromised, using +https://haveibeenpwned.com/ database: + +.. code-block:: php + + $use_pwnedpasswords = true; + +Forbidden words +--------------- + +Give a list of forbidden words that the password should not contain: + +.. code-block:: php + + $pwd_forbidden_words = array("azerty", "qwerty", "password"); + +Forbidden LDAP fields +--------------------- + +Give a list of LDAP fields which values should not be present in the password: + +.. 
code-block:: php + + $pwd_forbidden_ldap_fields = array('cn', 'givenName', 'sn', 'mail'); + +Show policy +----------- + +Password policy can be displayed to user by configuring +``$pwd_show_policy``. Three values are accepted: + +- ``always``: policy is always displayed +- ``never``: policy is never displayed +- ``onerror``: policy is only displayed if password is rejected because + of it, and the user provided his old password correctly. + +.. code-block:: php + + $pwd_show_policy = "never"; + +You can also configure if the policy will be displayed above or below +the form: + +.. code-block:: php + + $pwd_show_policy_pos = "above"; + +Entropy +------- + +When the user is typing his new password, you can enable an entropy bar, +showing the strength of the password. + +.. code-block:: php + + $pwd_display_entropy = true; + +You can also require the entropy bar to hit a minimum level for the +password to be accepted: + +.. code-block:: php + + # enforce password entropy check + $pwd_check_entropy = true; + + # minimum entropy level required (when $pwd_check_entropy enabled) + $pwd_min_entropy = 3; + +``$pwd_min_entropy`` must be an integer between 0 (very risky) and 4 (very strong). + +.. tip:: The entropy check is computed by the + `zxcvbn library `_ + + diff --git a/docs/upgrade.rst b/docs/upgrade.rst index 3300fb6e..04d3d59d 100644 --- a/docs/upgrade.rst +++ b/docs/upgrade.rst 
@@ -29,6 +29,20 @@ Please take in consideration that ``config.inc.php`` is now replaced systematica Avoid as much as possible editing the ``/etc/service-desk/config.inc.php`` file. Prefer modifying the ``/etc/service-desk/config.inc.local.php``. +password policy +~~~~~~~~~~~~~~~ + +When you change the password for a user, you can now configure a local password policy for ensuring the password strength is sufficient. + +Most of the criteria are checked dynamically, while the password is being typed, and they are also enforced at server side. + +You can give a look to the :doc:`password policy documentation ` for more information. + +.. tip:: + + The local password policy is now defined in a library: `ltb-common `_. + + cache cleaning ~~~~~~~~~~~~~~ 
@@ -62,6 +76,28 @@ Bundled dependencies: * fontawesome-fonts has been updated from version 4.7.0 to version 6.5.2 * php-ltb-project-ltb-common has been updated from version 0.1 to version 0.3.0 * php-phpmailer has been updated from version 6.8.0 to version v6.9.1 +* php-bjeavons-zxcvbn-php version 1.3.1 has been added +* php-guzzlehttp-guzzle version 7.8.1 has been added +* php-guzzlehttp-promises version 2.0.2 has been added +* php-guzzlehttp-psr7 version 2.6.2 has been added +* php-mxrxdxn-pwned-passwords version 2.1.0 has been added +* php-phpmailer version 6.9.1 has been added +* php-psr-http-client version 1.0.3 has been added +* php-psr-http-factory version 1.0.2 has been added +* php-psr-http-message version 2.0 has been added +* php-ralouphie-getallheaders version 3.0.3 has been added +* php-symfony-deprecation-contracts version 2.5.1 has been added +* php-symfony-finder version 7.0.0 has been added +* php-symfony-polyfill version v1.31.0 has been added +* php-symfony-deprecation-contracts version v2.5.3 has been added +* php-symfony-var-exporter version v5.4.40 has been added +* php-psr-container version 1.1.2 has been added +* php-symfony-service-contracts version v2.5.3 has been added +* php-psr-cache version 1.0.1 has been added +* php-symfony-cache-contracts version v2.5.3 has been added +* php-psr-log version 1.1.4 has been added +* php-symfony-cache version v5.4.42 has been added +* php-predis-predis version v2.2.2 has been added Removed bundled dependencies: diff --git a/htdocs/checkentropy.php b/htdocs/checkentropy.php new file mode 100644 index 00000000..999de47d --- /dev/null +++ b/htdocs/checkentropy.php @@ -0,0 +1,16 @@ + + diff --git a/htdocs/display.php b/htdocs/display.php index fd53aad8..21feccaa 100644 --- a/htdocs/display.php +++ b/htdocs/display.php 
@@ -126,9 +126,26 @@ } # Lock - $pwdLockout = strtolower($ppolicy_entry[0]['pwdlockout'][0]) == "true" ? true : false; - $pwdLockoutDuration = $ppolicy_entry[0]['pwdlockoutduration'][0]; - $pwdAccountLockedTime = $entry[0]['pwdaccountlockedtime'][0]; + if(isset($ppolicy_entry[0]['pwdlockout'][0])) + { + $pwdLockout = strtolower($ppolicy_entry[0]['pwdlockout'][0]) == "true" ? true : false; + } + else + { + $pwdLockout = false; + } + if(isset($ppolicy_entry[0]['pwdlockoutduration'][0])) + { + $pwdLockoutDuration = $ppolicy_entry[0]['pwdlockoutduration'][0]; + } + if(isset($entry[0]['pwdaccountlockedtime'][0])) + { + $pwdAccountLockedTime = $entry[0]['pwdaccountlockedtime'][0]; + } + else + { + $pwdAccountLockedTime = null; + } if ( $pwdAccountLockedTime === "000001010000Z" ) { $isLocked = true; @@ -146,8 +163,14 @@ } # Expiration - $pwdMaxAge = $ppolicy_entry[0]['pwdmaxage'][0]; - $pwdChangedTime = $entry[0]['pwdchangedtime'][0]; + if(isset($ppolicy_entry[0]['pwdmaxage'][0])) + { + $pwdMaxAge = $ppolicy_entry[0]['pwdmaxage'][0]; + } + if(isset($entry[0]['pwdchangedtime'][0])) + { + $pwdChangedTime = $entry[0]['pwdchangedtime'][0]; + } if (isset($pwdChangedTime) and isset($pwdMaxAge) and ($pwdMaxAge > 0)) { $changedDate = ldapDate2phpDate($pwdChangedTime); @@ -186,4 +209,12 @@ $smarty->assign("prehookresult", $prehookresult); $smarty->assign("posthookresult", $posthookresult); if ($pwdLockout == false) $smarty->assign("use_lockaccount", $pwdLockout); +if(isset($messages[$resetpasswordresult])) +{ + $smarty->assign('msg_resetpasswordresult',$messages[$resetpasswordresult]); +} +else +{ + $smarty->assign('msg_resetpasswordresult',''); +} ?> diff --git a/htdocs/index.php b/htdocs/index.php index 070a4bd2..81508294 100644 --- a/htdocs/index.php +++ b/htdocs/index.php 
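Review bot: In the first hunk `$pwdLockoutDuration` is the only one of the three lockout values that gets no `else` branch, so when the policy entry has no pwdLockoutDuration the variable stays undefined; `$pwdLockout` and `$pwdAccountLockedTime` both get an explicit default here, and `$pwdMaxAge`/`$pwdChangedTime` in the second hunk are at least guarded by `isset` before use. Unless every later read of `$pwdLockoutDuration` (outside these hunks) is isset-guarded, add `else { $pwdLockoutDuration = null; }` for consistency with its neighbours. The last hunk's `isset($messages[$resetpasswordresult])` fallback to '' is sound, but it means an unrecognised result code renders an empty alert rather than a generic refusal message; if that is not intended, fall back to `$messages['passwordrefused']` instead of ''.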
@@ -63,10 +63,41 @@ isset($ldap_bindpw) ? $ldap_bindpw : null, isset($ldap_network_timeout) ? $ldap_network_timeout : null, $ldap_user_base, - null, + isset($ldap_size_limit) ? $ldap_size_limit : 0, isset($ldap_krb5ccname) ? $ldap_krb5ccname : null ); +#============================================================================== +# Other default values +#============================================================================== +if (!isset($pwd_forbidden_chars)) { $pwd_forbidden_chars = ""; } + +# Password policy array +$pwd_policy_config = array( + "pwd_show_policy" => $pwd_show_policy, + "pwd_min_length" => $pwd_min_length, + "pwd_max_length" => $pwd_max_length, + "pwd_min_lower" => $pwd_min_lower, + "pwd_min_upper" => $pwd_min_upper, + "pwd_min_digit" => $pwd_min_digit, + "pwd_min_special" => $pwd_min_special, + "pwd_special_chars" => $pwd_special_chars, + "pwd_no_reuse" => false, # old password not available + "pwd_forbidden_chars" => $pwd_forbidden_chars, + "pwd_diff_last_min_chars" => 0, # old password not available + "pwd_diff_login" => $pwd_diff_login, + "pwd_complexity" => $pwd_complexity, + "use_pwnedpasswords" => $use_pwnedpasswords, + "pwd_no_special_at_ends" => $pwd_no_special_at_ends, + "pwd_forbidden_words" => $pwd_forbidden_words, + "pwd_forbidden_ldap_fields" => $pwd_forbidden_ldap_fields, + "pwd_display_entropy" => $pwd_display_entropy, + "pwd_check_entropy" => $pwd_check_entropy, + "pwd_min_entropy" => $pwd_min_entropy +); + +if (!isset($pwd_show_policy_pos)) { $pwd_show_policy_pos = "above"; } + #============================================================================== # Smarty #============================================================================== @@ -134,6 +165,7 @@ $smarty->assign('use_showauditlog',$use_showauditlog); $smarty->assign('fake_password_inputs',$fake_password_inputs); + # Assign messages $smarty->assign('lang',$lang); foreach ($messages as $key => $message) { 
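Review bot: The change of the connection argument from `null` to `isset($ldap_size_limit) ? $ldap_size_limit : 0` introduces a configuration variable that is neither mentioned in the commit message nor added to conf/config.inc.php or docs/upgrade.rst in this patch, so operators have no way to discover it. If `$ldap_size_limit` is a new knob, document it next to the other LDAP parameters (`# LDAP size limit for searches (0 = server default)` / `$ldap_size_limit = 0;`); if it already exists elsewhere I cannot see it from here. The same hunk also defaults `$pwd_show_policy_pos` and `$pwd_forbidden_chars` but not `$pwd_no_special_at_ends`, which `$pwd_policy_config` reads; add `if (!isset($pwd_no_special_at_ends)) { $pwd_no_special_at_ends = false; }` to the "Other default values" section unless config.inc.php is amended to define it.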
@@ -193,6 +225,8 @@ if ( file_exists($page.".php") ) { require_once($page.".php"); } $smarty->assign('page',$page); +\Ltb\Ppolicy::smarty_assign_ppolicy($smarty, $pwd_show_policy_pos, $pwd_show_policy, $result, $pwd_policy_config); + if ($result) { $smarty->assign('error',$messages[$result]); } else { diff --git a/htdocs/resetpassword.php b/htdocs/resetpassword.php index 69d2860e..164f8810 100644 --- a/htdocs/resetpassword.php +++ b/htdocs/resetpassword.php 
@@ -57,32 +57,71 @@ } } + # save LDAP modifications to apply in $entry variable $entry["userPassword"] = $password; if ( $pwdreset === "true" ) { $entry["pwdReset"] = "TRUE"; } - if ( isset($prehook) ) { + # Get current entry first + $entries_search = $ldapInstance->search_with_scope("base", $dn, '(objectClass=*)'); + $errno = ldap_errno($ldap); + if ( $errno ) { + $result = "ldaperror"; + error_log("LDAP - Search error $errno (".ldap_error($ldap).")"); + } + $entry_search = ldap_first_entry($ldap, $entries_search); + $entry_array = ldap_get_attributes($ldap, $entry_search); + # Get identifier attribute + $identifiers = ldap_get_values( $ldap, + $entry_search, + $attributes_map['identifier']['attribute'] + ); + $identifier = $identifiers[0]; + if ( !isset($identifier) || $identifier == "" ) { + $result = "ldaperror"; + error_log("LDAP - Unable to find identifier for LDAP entry ". + var_export($entry_array, true)); + } - if ( !isset($prehook_login_value) ) { - $prehook_return = 255; - $prehook_message = "No login found, cannot execute prehook script"; - } else { - $command = hook_command($prehook, $prehook_login_value, $password, null, $prehook_password_encodebase64); - exec($command, $prehook_output, $prehook_return); - $prehook_message = $prehook_output[0]; - } + #============================================================================== + # Check password strength + #============================================================================== + if( $result != "ldaperror" ) + { + $result = \Ltb\Ppolicy::check_password_strength( $password, + "", + $pwd_policy_config, + $identifier, + $entry_array, + array() + ); } - if ( $prehook_return > 0 and !$ignore_prehook_return) { - $result = "passwordrefused"; - } else { - $modification = ldap_mod_replace($ldap, $dn, $entry); - $errno = ldap_errno($ldap); - if ( $errno ) { + if( $result === "") + { + if ( isset($prehook) ) { + + if ( !isset($prehook_login_value) ) { + $prehook_return = 255; + $prehook_message = "No 
login found, cannot execute prehook script"; + } else { + $command = hook_command($prehook, $prehook_login_value, $password, null, $prehook_password_encodebase64); + exec($command, $prehook_output, $prehook_return); + $prehook_message = $prehook_output[0]; + } + } + + if ( $prehook_return > 0 and !$ignore_prehook_return) { $result = "passwordrefused"; } else { - $result = "passwordchanged"; + $modification = ldap_mod_replace($ldap, $dn, $entry); + $errno = ldap_errno($ldap); + if ( $errno ) { + $result = "passwordrefused"; + } else { + $result = "passwordchanged"; + } } } diff --git a/htdocs/search.php b/htdocs/search.php index 13bbe067..aad6257f 100644 --- a/htdocs/search.php +++ b/htdocs/search.php @@ -10,7 +10,7 @@ require_once("../conf/config.inc.php"); require __DIR__ . '/../vendor/autoload.php'; - $filter_escape_chars = null; + $filter_escape_chars = ""; if (!$search_use_substring_match) { $filter_escape_chars = "*"; } $search_query = ldap_escape($_POST["search"], $filter_escape_chars, LDAP_ESCAPE_FILTER); diff --git a/lang/en.inc.php b/lang/en.inc.php index fcc77aad..ee1a93e0 100644 --- a/lang/en.inc.php +++ b/lang/en.inc.php 
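Review bot: After the base search fails and `$result` is set to "ldaperror", execution still falls through to `ldap_first_entry($ldap, $entries_search)`, `ldap_get_attributes` and `ldap_get_values` on a failed result, and `$identifiers[0]` is read even when `ldap_get_values` returned false; on PHP 8 this turns a logged LDAP error into a TypeError/warning cascade before the `$result != "ldaperror"` gate is ever reached. Move the entry and identifier retrieval into the `else` of the `$errno` check and treat a non-array `$identifiers` as "no identifier", as sketched below; the enclosing block starts and ends outside this hunk, and the gate also relies on `$result` having been initialised earlier in the file, which I cannot see. Note this assumes `$ldapInstance` wraps the same `$ldap` handle that `ldap_errno($ldap)` inspects; if it does not, `$errno` never reflects the search at all.
```php
    # Get current entry first
    $entries_search = $ldapInstance->search_with_scope("base", $dn, '(objectClass=*)');
    $errno = ldap_errno($ldap);
    if ( $errno ) {
        $result = "ldaperror";
        error_log("LDAP - Search error $errno (".ldap_error($ldap).")");
    } else {
        $entry_search = ldap_first_entry($ldap, $entries_search);
        $entry_array = ldap_get_attributes($ldap, $entry_search);
        # Get identifier attribute; ldap_get_values() returns false when absent
        $identifiers = ldap_get_values( $ldap,
                                        $entry_search,
                                        $attributes_map['identifier']['attribute']
                                      );
        $identifier = (is_array($identifiers) && isset($identifiers[0])) ? $identifiers[0] : "";
        if ( $identifier == "" ) {
            $result = "ldaperror";
            error_log("LDAP - Unable to find identifier for LDAP entry ".
                      var_export($entry_array, true));
        }
    }
    # … unchanged: password strength check, prehook, ldap_mod_replace …
```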
@@ -108,5 +108,48 @@ $messages['welcome'] = "Welcome to LDAP Tool Box service desk"; $messages['willexpireaccounts'] = "Passwords soon expired"; $messages['willexpireaccountstitle'] = "Passwords that will expire within $willexpiredays days"; +$messages['notcomplex'] = "Your password does not have enough different classes of characters"; +$messages['tooshort'] = "Your password is too short"; +$messages['toobig'] = "Your password is too long"; +$messages['minlower'] = "Your password does not have enough lowercase characters"; +$messages['policyminlower'] = "Minimum number of lowercase characters:"; +$messages['minupper'] = "Your password does not have enough uppercase characters"; +$messages['policyminupper'] = "Minimum number of uppercase characters:"; +$messages['mindigit'] = "Your password does not have enough digits"; +$messages['policymindigit'] = "Minimum number of digits:"; +$messages['minspecial'] = "Your password does not have enough special characters"; +$messages['policyminspecial'] = "Minimum number of special characters:"; +$messages['forbiddenchars'] = "You password contains forbidden characters"; +$messages['policyforbiddenchars'] = "Forbidden characters:"; +$messages['specialatends'] = "Your new password has its only special character at the beginning or end"; +$messages['policyspecialatends'] = "Your new password may not have its only special character at the beginning or end"; +$messages['sameasold'] = "Your new password is identical to your old password"; +$messages['sameaslogin'] = "Your new password is identical to your login"; +$messages['policydiffminchars'] = "Minimum number of new unique characters:"; +$messages['diffminchars'] = "Your new password is too similar to your old password"; +$messages['forbiddenwords'] = "Your passwords contains forbidden words or strings"; +$messages['policyforbiddenwords'] = "Your password must not contain:"; +$messages['forbiddenldapfields'] = "Your password contains values from your LDAP entry"; 
+$messages['policyforbiddenldapfields'] = "Your password may not contain values from the following LDAP fields:"; +$messages['sameascustompwd'] = "The new password is not unique across other password fields"; +$messages['pwned'] = "Your new password has already been published on leaks, you should consider changing it on any other service that it is in use"; +$messages['policypwned'] = "Your new password may not be published on any previous public password leak from any site"; +$messages['insufficiententropy'] = "Insufficient entropy for new password"; +$messages['policy'] = "Your password must conform to the following constraints:"; +$messages['policyminlength'] = "Minimum length:"; +$messages['policymaxlength'] = "Maximum length:"; +$messages['policyminlower'] = "Minimum number of lowercase characters:"; +$messages['policyminupper'] = "Minimum number of uppercase characters:"; +$messages['policymindigit'] = "Minimum number of digits:"; +$messages['policyminspecial'] = "Minimum number of special characters:"; +$messages['policycomplex'] = "Minimum number of different classes of characters:"; +$messages['policyforbiddenchars'] = "Forbidden characters:"; +$messages['policydiffminchars'] = "Minimum number of new unique characters:"; +$messages['policynoreuse'] = "Your new password may not be the same as your old password"; +$messages['policynoreusecustompwdfield'] = "Your new password may not be the same as your login password"; +$messages['policydifflogin'] = "Your new password may not be the same as your login"; +$messages['policypwned'] = "Your new password may not be published on any previous public password leak from any site"; +$messages['policyspecialatends'] = "Your new password may not have its only special character at the beginning or end"; +$messages['policyentropy'] = "Password strength"; ?> diff --git a/lang/fr.inc.php b/lang/fr.inc.php index 8176ddec..911d6886 100644 --- a/lang/fr.inc.php +++ b/lang/fr.inc.php 
@@ -107,5 +107,48 @@ $messages['welcome'] = "Bienvenue sur le guichet de service LDAP Tool Box"; $messages['willexpireaccounts'] = "Mots de passe bientôt expirés"; $messages['willexpireaccountstitle'] = "Mots de passe allant expirer dans moins de $willexpiredays jours"; +$messages['notcomplex'] = "Votre mot de passe n'a pas assez de classes de caractères différentes."; +$messages['tooshort'] = "Votre mot de passe est trop court"; +$messages['toobig'] = "Votre mot de passe est trop long"; +$messages['minlower'] = "Votre mot de passe n'a pas assez de minuscules"; +$messages['policyminlower'] = "Nombre minimum de minuscules :"; +$messages['minupper'] = "Votre mot de passe n'a pas assez de majuscules"; +$messages['policyminupper'] = "Nombre minimum de majuscules :"; +$messages['mindigit'] = "Votre mot de passe n'a pas assez de chiffres"; +$messages['policymindigit'] = "Nombre minimum de chiffres :"; +$messages['minspecial'] = "Votre mot de passe n'a pas assez de caractères spéciaux"; +$messages['policyminspecial'] = "Nombre minimum de caractères spéciaux :"; +$messages['forbiddenchars'] = "Votre mot de passe contient des caractères interdits"; +$messages['policyforbiddenchars'] = "Caractères interdits :"; +$messages['specialatends'] = "Votre nouveau mot de passe a son unique caractère spécial en première ou dernière position"; +$messages['policyspecialatends'] = "Votre nouveau mot de passe ne doit pas avoir son seul caractère spécial en première ou dernière position."; +$messages['sameasold'] = "Votre mot de passe est identique au précédent"; +$messages['sameaslogin'] = "Votre mot de passe est identique à votre identifiant"; +$messages['policydiffminchars'] = "Nombre de nouveaux caractères unique :"; +$messages['diffminchars'] = "Votre nouveau mot de passe est trop similaire au précédant"; +$messages['forbiddenwords'] = "Votre mot de passe contient des mots interdits"; +$messages['policyforbiddenwords'] = "Votre mot de passe ne doit pas contenir ::"; 
+$messages['forbiddenldapfields'] = "Votre mot de passe contient des valeurs de votre entrée LDAP"; +$messages['policyforbiddenldapfields'] = "Votre mot de passe ne doit pas contenir la valeur des attributs de votre entrée :"; +$messages['sameascustompwd'] = "Le nouveau mot de passe n'est pas unique par rapport aux autres champs de mots de passe personnalisés"; +$messages['pwned'] = "Votre nouveau mot de passe est compromis, vous devriez le changer partout où vous l'utilisez"; +$messages['policypwned'] = "Votre nouveau mot de passe ne doit pas être connu d'une base publique de mots de passe compromis"; +$messages['insufficiententropy'] = "Entropie insuffisante pour le nouveau mot de passe"; +$messages['policy'] = "Votre mot de passe doit respecter les contraintes suivantes :"; +$messages['policyminlength'] = "Nombre minimum de caractères :"; +$messages['policymaxlength'] = "Nombre maximum de caractères :"; +$messages['policyminlower'] = "Nombre minimum de minuscules :"; +$messages['policyminupper'] = "Nombre minimum de majuscules :"; +$messages['policymindigit'] = "Nombre minimum de chiffres :"; +$messages['policyminspecial'] = "Nombre minimum de caractères spéciaux :"; +$messages['policycomplex'] = "Nombre minimum de classes de caractères :"; +$messages['policyforbiddenchars'] = "Caractères interdits :"; +$messages['policydiffminchars'] = "Nombre de nouveaux caractères unique :"; +$messages['policynoreuse'] = "Votre nouveau mot de passe ne doit pas être identique à l'ancien"; +$messages['policynoreusecustompwdfield'] = "Votre nouveau mot de passe ne devrait pas être le même que le mot de passe de connexion"; +$messages['policydifflogin'] = "Votre nouveau mot de passe ne doit pas être identique à votre identifiant"; +$messages['policypwned'] = "Votre nouveau mot de passe ne doit pas être connu d'une base publique de mots de passe compromis"; +$messages['policyspecialatends'] = "Votre nouveau mot de passe ne doit pas avoir son seul caractère spécial en première ou 
dernière position."; +$messages['policyentropy'] = "Force du mot de passe"; ?> diff --git a/packaging/debian/control b/packaging/debian/control index c6d0602b..875cb5a1 100644 --- a/packaging/debian/control +++ b/packaging/debian/control @@ -21,4 +21,25 @@ Description: LDAP Tool Box Service Desk web interface - js-datatables.net-datatables.net-buttons-bs5 = 3.0.2 - fontawesome-fonts = 6.5.2 - php-ltb-project-ltb-common = 0.3.0 - - php-phpmailer = v6.9.1 + - php-bjeavons-zxcvbn-php = 1.3.1 + - php-guzzlehttp-guzzle = 7.8.1 + - php-guzzlehttp-promises = 2.0.2 + - php-guzzlehttp-psr7 = 2.6.2 + - php-mxrxdxn-pwned-passwords = 2.1.0 + - php-phpmailer = 6.9.1 + - php-psr-http-client = 1.0.3 + - php-psr-http-factory = 1.0.2 + - php-psr-http-message = 2.0 + - php-ralouphie-getallheaders = 3.0.3 + - php-symfony-deprecation-contracts = 2.5.1 + - php-symfony-finder = 7.0.0 + - php-symfony-polyfill = v1.31.0 + - php-symfony-deprecation-contracts = v2.5.3 + - php-symfony-var-exporter = v5.4.40 + - php-psr-container = 1.1.2 + - php-symfony-service-contracts = v2.5.3 + - php-psr-cache = 1.0.1 + - php-symfony-cache-contracts = v2.5.3 + - php-psr-log = 1.1.4 + - php-symfony-cache = v5.4.42 + - php-predis-predis = v2.2.2 diff --git a/packaging/rpm/SPECS/service-desk.spec b/packaging/rpm/SPECS/service-desk.spec index 51ba3c69..067b5fd0 100755 --- a/packaging/rpm/SPECS/service-desk.spec +++ b/packaging/rpm/SPECS/service-desk.spec 
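Review bot: `php-symfony-deprecation-contracts` is listed twice in this bundled-dependency list with two different versions (`2.5.1` and `v2.5.3`), and the rpm spec hunk that follows repeats the pair with `3.4.0` for the first entry, so the two packaging inventories disagree with each other and with themselves. Since these lists exist so that distribution tooling can match bundled code against advisories, an entry that cannot be resolved to one version defeats that purpose; keep a single line per package with the version actually recorded in composer.lock, and apply the same fix to packaging/rpm/SPECS/service-desk.spec and the matching list in docs/upgrade.rst. The `php-phpmailer` line only changed from `v6.9.1` to `6.9.1` and moved, which is fine as long as the two files agree.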
@@ -41,7 +41,28 @@ Provides: bundled(js-datatables.net-datatables.net-buttons) = 3.1.0 Provides: bundled(js-datatables.net-datatables.net-buttons-bs5) = 3.0.2 Provides: bundled(fontawesome-fonts) = 6.5.2 Provides: bundled(php-ltb-project-ltb-common) = 0.3.0 -Provides: bundled(php-phpmailer) = v6.9.1 +Provides: bundled(php-bjeavons-zxcvbn-php) = 1.3.1 +Provides: bundled(php-guzzlehttp-guzzle) = 7.8.1 +Provides: bundled(php-guzzlehttp-promises) = 2.0.2 +Provides: bundled(php-guzzlehttp-psr7) = 2.6.2 +Provides: bundled(php-mxrxdxn-pwned-passwords) = 2.1.0 +Provides: bundled(php-phpmailer) = 6.9.1 +Provides: bundled(php-psr-http-client) = 1.0.3 +Provides: bundled(php-psr-http-factory) = 1.0.2 +Provides: bundled(php-psr-http-message) = 2.0 +Provides: bundled(php-ralouphie-getallheaders) = 3.0.3 +Provides: bundled(php-symfony-deprecation-contracts) = 3.4.0 +Provides: bundled(php-symfony-finder) = 7.0.0 +Provides: bundled(php-symfony-polyfill) = v1.31.0 +Provides: bundled(php-symfony-deprecation-contracts) = v2.5.3 +Provides: bundled(php-symfony-var-exporter) = v5.4.40 +Provides: bundled(php-psr-container) = 1.1.2 +Provides: bundled(php-symfony-service-contracts) = v2.5.3 +Provides: bundled(php-psr-cache) = 1.0.1 +Provides: bundled(php-symfony-cache-contracts) = v2.5.3 +Provides: bundled(php-psr-log) = 1.1.4 +Provides: bundled(php-symfony-cache) = v5.4.42 +Provides: bundled(php-predis-predis) = v2.2.2 %description diff --git a/templates/display.tpl b/templates/display.tpl index 2786cf6c..a8f0a434 100644 --- a/templates/display.tpl +++ b/templates/display.tpl @@ -21,7 +21,7 @@ {if !({$entry.$attribute.0}) && ! $show_undef} {continue} {/if} - + @@ -151,12 +151,13 @@
{if $resetpasswordresult eq 'passwordrequired'}
{$msg_passwordrequired}
- {/if} - {if $resetpasswordresult eq 'passwordrefused'} + {elseif $resetpasswordresult eq 'passwordrefused'}
{$msg_passwordrefused}
- {/if} - {if $resetpasswordresult eq 'passwordchanged'} + {elseif $resetpasswordresult eq 'passwordchanged'}
{$msg_passwordchanged}
+ {elseif $resetpasswordresult eq ''} + {else} +
{$msg_resetpasswordresult}
{/if} {if $prehookresult}
{$prehookresult}
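Review bot: The new `{elseif $resetpasswordresult eq ''}` branch is empty and exists only so that `{else}` can catch every other value, which reads as a mistake to the next maintainer; the same effect is clearer as `{elseif $resetpasswordresult ne ''}` followed by the `{$msg_resetpasswordresult}` line, dropping the bare `{else}`. Because display.php assigns '' to `msg_resetpasswordresult` when the code has no message, an unknown code still takes this branch and renders an empty alert box; if that is not wanted, either guard the branch with `and $msg_resetpasswordresult ne ''` or let display.php fall back to the generic refusal text.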
@@ -164,6 +165,9 @@ {if $posthookresult}
{$posthookresult}
{/if} + {if $pwd_show_policy !== "never" and $pwd_show_policy_pos === 'above'} + {include file="policy.tpl"} + {/if}
@@ -188,6 +192,9 @@ + {if $pwd_show_policy !== "never" and $pwd_show_policy_pos === 'below'} + {include file="policy.tpl"} + {/if}
diff --git a/templates/footer.tpl b/templates/footer.tpl index f016eee8..603b86a6 100644 --- a/templates/footer.tpl +++ b/templates/footer.tpl @@ -4,6 +4,8 @@ {/if} + + @@ -11,6 +13,7 @@ + {literal}