'''Search parameters'''

{{{$ldap_base = "dc=learn,dc=ac,dc=lk";}}}

The filter can be set in $ldap_filter (the {login} placeholder is replaced by the user's login):

{{{
$ldap_filter = "(&(objectClass=person)(uid={login}))";
}}}
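How the {login} placeholder should be substituted, as an added example that is not part of the original page or of Self Service Password's own code; build_login_filter and the sample logins are assumptions:

```php
<?php
// Added example (not Self Service Password's own code): substitute the
// {login} placeholder in $ldap_filter. The login is user-supplied, so it is
// escaped with ldap_escape() (PHP >= 5.6, ext-ldap) before substitution;
// otherwise a login containing ( ) * or \ would change the filter's meaning.
$ldap_base   = "dc=learn,dc=ac,dc=lk";
$ldap_filter = "(&(objectClass=person)(uid={login}))";

function build_login_filter(string $template, string $login): string {
    // LDAP_ESCAPE_FILTER encodes ( ) * \ and NUL as \28 \29 \2a \5c \00 (RFC 4515)
    $safe = ldap_escape($login, "", LDAP_ESCAPE_FILTER);
    return str_replace("{login}", $safe, $template);
}

echo build_login_filter($ldap_filter, "jdoe"), "\n";
// (&(objectClass=person)(uid=jdoe))

// Constructed login containing filter metacharacters: they stay literal
echo build_login_filter($ldap_filter, "smith (temp)*"), "\n";
// (&(objectClass=person)(uid=smith \28temp\29\2a))

// The escaped filter is then used unchanged for the search, e.g.
// ldap_search($conn, $ldap_base, build_login_filter($ldap_filter, $login), ["dn"]);
```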
          
'''Extensions'''

You can use the LDAP password modify extended operation with

{{{
$ldap_use_exop_passwd = true;
}}}

You can also enable LDAP password policy control with

{{{
$ldap_use_ppolicy_control = true;
}}}

Force unlock: will unlock a locked account when the password is changed

{{{
$ad_options['force_unlock'] = true;
}}}

Force user to change password at next login:

{{{
$ad_options['force_pwd_change'] = true;
}}}

Allow user to change password if the password is expired (this forces the password change to be performed with the manager account):

{{{
$ad_options['change_expired_password'] = true;
}}}
          
//'''Password Policy'''//

You can use these schemes to hash the password before sending it to the LDAP directory:
- SHA, SHA256, SHA384, SHA512
- SSHA, SSHA256, SSHA384, SSHA512
- MD5
- SMD5
- CRYPT
- ARGON2
- clear
- auto

Set one of them in $hash:

{{{
$hash = "clear";
}}}

Optional: you can configure the crypt salt prefix to choose the algorithm (see the [http://php.net/manual/en/function.crypt.php crypt documentation]):

{{{
$hash_options['crypt_salt_prefix'] = "$6$";
}}}
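What the $hash schemes and the crypt salt prefix produce, as an added example (not the project's own implementation); hash_for_ldap, verify_ssha and the sample password are assumptions, and only a subset of the schemes is shown:

```php
<?php
// Added example (not the project's code): build RFC 2307 style userPassword
// values for some of the $hash schemes above. Salted schemes append 8 random
// bytes; CRYPT uses $hash_options['crypt_salt_prefix'] to pick the crypt(3)
// algorithm ($5$ SHA-256, $6$ SHA-512). ARGON2 needs PHP built with Argon2.
$hash_options['crypt_salt_prefix'] = "$6$";

function hash_for_ldap(string $password, string $scheme, array $hash_options = []): string {
    switch (strtoupper($scheme)) {
        case "CLEAR":   // sent as-is; only sensible if the directory hashes on its side
            return $password;
        case "SHA":
            return "{SHA}" . base64_encode(sha1($password, true));
        case "SHA256":
            return "{SHA256}" . base64_encode(hash("sha256", $password, true));
        case "SHA512":
            return "{SHA512}" . base64_encode(hash("sha512", $password, true));
        case "SSHA":    // base64( sha1(password . salt) . salt )
            $salt = random_bytes(8);
            return "{SSHA}" . base64_encode(sha1($password . $salt, true) . $salt);
        case "SSHA512":
            $salt = random_bytes(8);
            return "{SSHA512}" . base64_encode(hash("sha512", $password . $salt, true) . $salt);
        case "CRYPT":
            $prefix = $hash_options['crypt_salt_prefix'] ?? "$6$";
            // crypt(3) salt alphabet is [a-zA-Z0-9./]; 16 chars is the maximum for $5$/$6$
            $salt = substr(strtr(base64_encode(random_bytes(12)), "+", "."), 0, 16);
            return "{CRYPT}" . crypt($password, $prefix . $salt . "$");
        case "ARGON2":
            return "{ARGON2}" . password_hash($password, PASSWORD_ARGON2ID);
        default:
            throw new InvalidArgumentException("unsupported scheme: $scheme");
    }
}

// Verifying an SSHA value: the salt is whatever follows the 20-byte SHA-1 digest.
function verify_ssha(string $password, string $stored): bool {
    if (strncmp($stored, "{SSHA}", 6) !== 0) return false;
    $bin  = base64_decode(substr($stored, 6), true);
    if ($bin === false || strlen($bin) < 20) return false;
    $salt = substr($bin, 20);
    return hash_equals(substr($bin, 0, 20), sha1($password . $salt, true));
}

$stored = hash_for_ldap("Tr0ub4dor&3", "SSHA");         // constructed sample password
echo $stored, "\n";                                     // {SSHA}... (differs per run: random salt)
echo hash_for_ldap("Tr0ub4dor&3", "CRYPT", $hash_options), "\n";  // {CRYPT}$6$...
var_dump(verify_ssha("Tr0ub4dor&3", $stored));          // bool(true)
```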
          
'''Size'''

Set the minimal and maximal length in $pwd_min_length and $pwd_max_length:

{{{
$pwd_min_length = 4;
$pwd_max_length = 8;
}}}

//Set 0 in $pwd_max_length to disable maximal length checking.//

'''Characters'''

You can set the minimal number of lower, upper, digit and special characters:

{{{
$pwd_min_lower = 3;
$pwd_min_upper = 1;
$pwd_min_digit = 1;
$pwd_min_special = 1;
}}}

Special characters are defined with a regular expression character class; by default:
{{{
$pwd_special_chars = "^a-zA-Z0-9";
}}}

This means special characters are all characters except alphabetical letters and digits.

You can check that these special characters are not at the beginning or end of the password:

{{{
$pwd_no_special_at_ends = true;
}}}

You can also disallow characters from being in the password, with $pwd_forbidden_chars:

{{{
$pwd_forbidden_chars = "@%";
}}}

//This means that @ and % cannot be present in a password.//

You can define how many different classes of characters (lower, upper, digit, special) are needed in the password:
{{{
$pwd_complexity = 2;
}}}
          
'''Pwned Passwords'''

Allows checking whether the password was already compromised, using the [https://haveibeenpwned.com/ Have I Been Pwned] service:
{{{
$use_pwnedpasswords = true;
}}}
          
'''Reuse'''

You can prevent a user from using his old password as a new password if this check is not done by the directory:
{{{
$pwd_no_reuse = true;
}}}

You may also want to check for partial password reuse, ensuring the new password includes at least N distinct new characters:

{{{
$pwd_diff_last_min_chars = 3;
}}}

'''Forbidden words'''

Give a list of forbidden words that the password should not contain:
{{{
$pwd_forbidden_words = array("azerty", "qwerty", "password");
}}}

'''Forbidden LDAP fields'''

Give a list of LDAP fields whose values should not be present in the password:

{{{
$pwd_forbidden_ldap_fields = array('cn', 'givenName', 'sn', 'mail');
}}}
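The size, character, forbidden-character, complexity, reuse, forbidden-word and forbidden-LDAP-field rules above combined into one checker, as an added example that is not the project's own code; check_password_policy, the rule names it returns, the sample LDAP entry and the sample passwords are assumptions:

```php
<?php
// Added example, not code from Self Service Password: a checker for the rules
// above, keyed by the page's variable names. Returns the names of the rules that
// failed; an empty array means accepted. Assumes PHP >= 7.4 (mb_str_split); the
// "distinct new characters" rule is read as: characters of the new password
// that do not occur anywhere in the old one.
function check_password_policy(string $pw, array $cfg, string $old = "", array $entry = []): array {
    $fail = [];
    $len  = mb_strlen($pw);
    if ($len < $cfg['pwd_min_length']) $fail[] = 'tooshort';
    if ($cfg['pwd_max_length'] > 0 && $len > $cfg['pwd_max_length']) $fail[] = 'toobig';

    // $pwd_special_chars is the body of a regex character class, e.g. [^a-zA-Z0-9]
    $sp = '[' . $cfg['pwd_special_chars'] . ']';
    $n  = ['lower' => preg_match_all('/[a-z]/', $pw), 'upper' => preg_match_all('/[A-Z]/', $pw),
           'digit' => preg_match_all('/[0-9]/', $pw), 'special' => preg_match_all("/$sp/u", $pw)];
    foreach ($n as $class => $count) {
        if ($count < $cfg["pwd_min_$class"]) $fail[] = "min$class";
    }
    if (count(array_filter($n)) < $cfg['pwd_complexity']) $fail[] = 'notcomplex';
    if ($cfg['pwd_no_special_at_ends'] && preg_match("/^$sp|$sp$/u", $pw)) $fail[] = 'specialatends';
    if ($cfg['pwd_forbidden_chars'] !== "" &&
        preg_match('/[' . preg_quote($cfg['pwd_forbidden_chars'], '/') . ']/u', $pw)) $fail[] = 'forbiddenchars';
    foreach ($cfg['pwd_forbidden_words'] as $w) {
        if (stripos($pw, $w) !== false) $fail[] = 'forbiddenwords';
    }
    foreach ($cfg['pwd_forbidden_ldap_fields'] as $f) {          // $entry mirrors the user's LDAP entry
        foreach ((array)($entry[$f] ?? []) as $v) {
            if ($v !== "" && stripos($pw, $v) !== false) $fail[] = 'forbiddenldapfields';
        }
    }
    if ($old !== "") {
        if ($cfg['pwd_no_reuse'] && $pw === $old) $fail[] = 'sameasold';
        $new = array_diff(array_unique(mb_str_split($pw)), mb_str_split($old));
        if (count($new) < $cfg['pwd_diff_last_min_chars']) $fail[] = 'notenoughdifferentchars';
    }
    return array_values(array_unique($fail));
}

$cfg = ['pwd_min_length' => 4, 'pwd_max_length' => 8, 'pwd_min_lower' => 3, 'pwd_min_upper' => 1,
        'pwd_min_digit' => 1, 'pwd_min_special' => 1, 'pwd_special_chars' => "^a-zA-Z0-9",
        'pwd_no_special_at_ends' => true, 'pwd_forbidden_chars' => "@%", 'pwd_complexity' => 2,
        'pwd_no_reuse' => true, 'pwd_diff_last_min_chars' => 3,
        'pwd_forbidden_words' => ["azerty", "qwerty", "password"],
        'pwd_forbidden_ldap_fields' => ['cn', 'givenName', 'sn', 'mail']];
$entry = ['cn' => ['John Doe'], 'givenName' => ['John'], 'sn' => ['Doe'], 'mail' => ['jdoe@example.org']];  // constructed

print_r(check_password_policy("abcD1#ef", $cfg, "oldPass1", $entry));  // Array ( ) : accepted
print_r(check_password_policy("#Doe1abc", $cfg, "abcD1#ef", $entry));  // specialatends, forbiddenldapfields, notenoughdifferentchars
```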