martin: server/kolab/kolab/admin/user create_user.php,1.11,1.12

cvs at intevation.de cvs at intevation.de
Fri Nov 28 03:01:07 CET 2003


Author: martin

Update of /kolabrepository/server/kolab/kolab/admin/user
In directory doto:/tmp/cvs-serv20773/admin/user

Modified Files:
	create_user.php 
Log Message:
Martin Konold: Introduce sha1 encoded passwords instead of plain cleartext passwords in the LDAP db. 
Fixes: administrators and maintainers can see the users' passwords in cleartext
Fixes: users can see their own password in cleartext
Fixes: cleartext password visible in source of html when modifying user account

Please note that no user could ever see another user's password and anonymous users cannot see any passwords.
Last but not least, the OpenLDAP ACL protecting the password field seems to work OK, and all network traffic with passwords was always secured by SSL/TLS.

Please help us test this new feature and report success / failure.


Index: create_user.php
===================================================================
RCS file: /kolabrepository/server/kolab/kolab/admin/user/create_user.php,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -d -r1.11 -r1.12
--- create_user.php	14 Jun 2003 17:06:31 -0000	1.11
+++ create_user.php	28 Nov 2003 02:01:04 -0000	1.12
@@ -273,7 +273,7 @@
             }
             if ($password_0 && $password_1) {
                if ($password_0 == $password_1) {
-                  $ldap_object['userPassword'] = $password_0;
+                  $ldap_object['userPassword'] = '{sha}'.base64_encode(pack("H*", sha1($password_0)));
                } else {
                   $comment['password_1'] = "<span class=\"warning\"> Passwords do not match </span>";
                   missing_input();
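Review bot: the replacement value on the `+` line is an unsalted SHA-1 digest, so every account with the same password stores the same userPassword string and a leaked directory dump can be attacked with one precomputed table; the salted {SSHA} form (digest of password plus a few random bytes, with the salt appended to the digest before base64) fixes that at the same line and is equally supported by OpenLDAP. Also, RFC 2307 spells the scheme `{SHA}` while the patch writes `'{sha}'`; confirm the server matches scheme names case-insensitively before relying on bind authentication against these values. Finally, the log message calls this "sha1 encoded", but the point of the change is that it is a one-way hash, not a reversible encoding; the three "Fixes" lines only hold because of that property, so the wording should say "hashed".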

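For comparison with the hunk above, here is an added example (not Kolab code) that builds RFC 2307 userPassword values in both the unsalted {SHA} form the commit introduces and the salted {SSHA} form, and verifies a candidate password against either. The function names and the sample password are assumptions made for the illustration.

```php
<?php
// Added example, not part of the Kolab patch: RFC 2307 userPassword hashing.
// ldapSha() reproduces the unsalted scheme from the commit; ldapSsha() adds
// a random salt so that two accounts with the same password store different
// values. ldapPasswordVerify() checks a candidate against either scheme.

declare(strict_types=1);

// Unsalted, as in the patch: identical passwords yield identical values.
function ldapSha(string $password): string
{
    return '{SHA}' . base64_encode(sha1($password, true));
}

// Salted: 8 random bytes are hashed with the password and appended to the
// digest, so the verifier can recover the salt from the stored value.
function ldapSsha(string $password, ?string $salt = null): string
{
    $salt ??= random_bytes(8);
    return '{SSHA}' . base64_encode(sha1($password . $salt, true) . $salt);
}

// Verify a candidate against a stored value of scheme {SHA} or {SSHA}.
// The scheme match is case-insensitive, so '{sha}' as written in the patch
// is accepted too. Cleartext or unknown schemes are refused, not guessed.
function ldapPasswordVerify(string $password, string $stored): bool
{
    if (!preg_match('/^\{(SHA|SSHA)\}(.+)$/i', $stored, $m)) {
        return false;
    }
    $raw = base64_decode($m[2], true);
    if ($raw === false || strlen($raw) < 20) {   // SHA-1 digest is 20 bytes
        return false;
    }
    $digest = substr($raw, 0, 20);
    $salt   = substr($raw, 20);                  // empty string for {SHA}
    if (strtoupper($m[1]) === 'SHA' && $salt !== '') {
        return false;                            // {SHA} must not carry a salt
    }
    // Constant-time comparison of the recomputed digest.
    return hash_equals($digest, sha1($password . $salt, true));
}

// Demonstration with a constructed password (assumption, not real data).
$pw = 'correct horse';
$a = ldapSha($pw);
$b = ldapSha($pw);
$c = ldapSsha($pw);
$d = ldapSsha($pw);
printf("%s\n%s\n", $a, $b);   // the two {SHA} values are identical
printf("%s\n%s\n", $c, $d);   // the two {SSHA} values differ
var_dump(ldapPasswordVerify($pw, $a));       // true
var_dump(ldapPasswordVerify($pw, $c));       // true
var_dump(ldapPasswordVerify('wrong', $c));   // false
var_dump(ldapPasswordVerify($pw, $pw));      // false: cleartext is not accepted
```

The verifier only needs to exist on the application side if the application itself checks passwords; when the directory server performs the bind, it parses the same {SHA}/{SSHA} layout, which is why the salt is stored inside the value rather than in a separate attribute.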