#!/usr/bin/php /* This code is part of FusionDirectory (http://www.fusiondirectory.org/) Copyright (C) 2003-2010 Cajus Pollmeier Copyright (C) 2011-2013 FusionDirectory This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301, USA. */ <?php $conf = "/etc/fusiondirectory/fusiondirectory.conf"; $conforig = "/etc/fusiondirectory/fusiondirectory.conf.orig"; $confsecret = "/etc/fusiondirectory/fusiondirectory.secrets"; function cred_encrypt($input, $password) { $size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC); $iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM); return bin2hex(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $password, $input, MCRYPT_MODE_ECB, $iv)); } function get_random_char() { $randno = rand (0, 63); if ($randno < 12) { return (chr ($randno + 46)); // Digits, '/' and '.' } else if ($randno < 38) { return (chr ($randno + 53)); // Uppercase } else { return (chr ($randno + 59)); // Lowercase } } function get_random_string($size= 32){ $str= ""; for ($i = 0; $i < $size; $i++) { $str .= get_random_char(); } return $str; } # We need to have access to fusiondirectory.secrets if (posix_getuid() != 0) { die ("This program needs to be called by root!\n"); } # Do we have a valid fusiondirectory.conf ? if (!file_exists($conf)) { die ("Cannot find a valid $conf!\n"); } echo "Starting password encryption\n"; echo "* generating random master key\n"; $master_key= get_random_string(); # Do we have a valid fusiondirectory.secrets, already? if (file_exists($confsecret)) { die ("There's already a $confsecret. Cannot convert your existing fusiondirectory.conf - aborted\n"); } else { echo "* creating $confsecret\n"; $fp = fopen ($confsecret, 'w') or die("Cannot open $confsecret for writing - aborted"); fwrite ($fp, "RequestHeader set FD_KEY $master_key\n"); fclose ($fp); chmod ($confsecret, 0600); chown ($confsecret, "root"); chgrp ($confsecret, "root"); } # Locate all passwords inside the fusiondirectory.conf echo "* loading $conf\n"; $config = new DOMDocument(); $config->load($conf) or die ("Cannot read $conf - aborted\n"); $config->encoding = 'UTF-8'; $referrals= $config->getElementsByTagName("referral"); foreach ($referrals as $referral) { $user = $referral->attributes->getNamedItem("adminDn"); echo "* encrypting FusionDirectory password for: ".$user->nodeValue."\n"; $pw= $referral->attributes->getNamedItem("adminPassword"); $pw->nodeValue= cred_encrypt($pw->nodeValue, $master_key); } # Encrypt the snapshot passwords $locations= $config->getElementsByTagName("location"); foreach ($locations as $location) { $name = $location->attributes->getNamedItem("name"); $node = $location->attributes->getNamedItem("snapshotAdminPassword"); if ($node->nodeValue) { echo "* encrypting snapshot pasword for location: ".$name->nodeValue."\n"; $node->nodeValue = cred_encrypt($node->nodeValue, $master_key);; } } # Move original fusiondirectory.conf out of the way and make it unreadable for the web user echo "* creating backup in $conforig\n"; rename ($conf, $conforig); chmod ($conforig, 0600); chown ($conforig, "root"); chgrp ($conforig, "root"); # Save new passwords echo "* saving modified $conf\n"; $config->save($conf) or die("Cannot write modified $conf - aborted\n"); chmod ($conf, 0640); chown ($conf, "root"); chgrp ($conf, "www-data"); echo "OK\n\n"; # Print reminder echo<<<EOF Please adapt your http fusiondirectory location declaration to include the newly created $confsecret. Example: Alias /fusiondirectory /usr/share/fusiondirectory/html <Location /fusiondirectory> php_admin_flag engine on php_admin_flag register_globals off php_admin_flag allow_call_time_pass_reference off php_admin_flag expose_php off php_admin_flag zend.ze1_compatibility_mode off php_admin_flag register_long_arrays off php_admin_value upload_tmp_dir /var/spool/fusiondirectory/ php_admin_value session.cookie_lifetime 0 include /etc/fusiondirectory/fusiondirectory.secrets </Location> Please reload your httpd configuration after you've modified anything. EOF; ?>