- Added a new flag $use_checkpasswordhistory to config.inc.php

- Documented feature for use
Worteks · Sep 4, 2024 · 7639545 · 7639545
1 parent 7a39be8
commit 7639545
Show file tree

Hide file tree

Showing 6 changed files with 28 additions and 4 deletions.
diff --git a/conf/config.inc.php b/conf/config.inc.php
@@ -100,6 +100,7 @@
 
 # Features
 $use_checkpassword = true;
+$use_checkpasswordhistory = true;
 $use_resetpassword = true;
 $use_resetpassword_resetchoice = true;
 $resetpassword_reset_default = true;

diff --git a/docs/checkpassword.rst b/docs/checkpassword.rst
@@ -11,3 +11,14 @@ To enable this feature:
 .. code-block:: php
 
     $use_checkpassword = true;
+
+Check password history
+----------------------
+
+The password history can be checked by enabling this feature.
+
+To enable this feature:
+
+.. code-block:: php
+
+    $use_checkpasswordhistory = true;
diff --git a/htdocs/checkpassword.php b/htdocs/checkpassword.php
@@ -19,8 +19,6 @@
     $result = "passwordrequired";
 }
 
-
-
 if ($result === "") {
 
     require_once("../conf/config.inc.php");
@@ -32,8 +30,17 @@
     $ldap = $ldap_connection[0];
     $result = $ldap_connection[1];
 
-    if( !$result ) {
-
+    if ($use_checkpasswordhistory) {
+        $hashed_password_history = $ldapInstance->get_attribute_values($dn, "pwdHistory");
+        foreach ($hashed_password_history as $hashed_password) {
+            preg_match("/(?<={).*(?=})/", $hashed_password, $algorithm);
+            preg_match("/{(?<={).*/", $hashed_password, $password_hash);
+            if (\Ltb\Password::check_password($password, $password_hash[0], $algorithm[0])) {
+                $result = "passwordinhistory";
+            }
+        }
+    }
+    if (!$result) {
         $bind = ldap_bind($ldap, $dn, $password);
         $result = $bind ? "passwordok" : "ldaperror";
     }

diff --git a/htdocs/index.php b/htdocs/index.php
@@ -105,6 +105,7 @@
 $smarty->assign('display_footer',$display_footer);
 $smarty->assign('logout_link',isset($logout_link) ? $logout_link : false);
 $smarty->assign('use_checkpassword',$use_checkpassword);
+$smarty->assign('use_checkpasswordhistory',$use_checkpasswordhistory);
 $smarty->assign('use_resetpassword',$use_resetpassword);
 $smarty->assign('use_resetpassword_resetchoice',$use_resetpassword_resetchoice);
 $smarty->assign('resetpassword_reset_default',$resetpassword_reset_default);

diff --git a/lang/en.inc.php b/lang/en.inc.php
@@ -80,6 +80,7 @@
 $messages['passwordinvalid'] = "Authentication has failed";
 $messages['passwordok'] = "Authentication succeeds!";
 $messages['passwordrefused'] = "Password was refused";
+$messages['passwordinhistory'] = "Password in history";
 $messages['passwordrequired'] = "Please enter the password";
 $messages['resetpassword'] = "Reset password";
 $messages['search'] = "Search";

diff --git a/templates/display.tpl b/templates/display.tpl
@@ -120,6 +120,9 @@
                      {if $checkpasswordresult eq 'passwordok'}
                      <div class="alert alert-success"><i class="fa fa-fw fa-check"></i> {$msg_passwordok}</div>
                      {/if}
+                     {if $checkpasswordresult eq 'passwordinhistory'}
+                     <div class="alert alert-warning"><i class="fa fa-fw fa-exclamation-triangle"></i> {$msg_passwordinhistory}</div>
+                     {/if}
                      <input type="hidden" name="dn" value="{$dn}" />
                      <div class="input-group mb-3">
                         <span class="input-group-text"><i class="fa fa-fw fa-lock"></i></span>