Custom Password Fields
Background
This feature lets you configure individual password fields that are independent of the actual user password.
For example, a legacy application may require its password to be stored with an insecure hash algorithm. Rather than weakening the main password, you store that application's password in a separate LDAP attribute, and this feature lets users change it. Keep in mind that a user who reuses the main password in such a weakly hashed field effectively exposes the main password; the policy keys described below can forbid that reuse.
Activation
This feature is disabled by default. To enable it, define how many custom password fields the tool should manage and set the properties of each one.
A minimal configuration for a single field could look like this:
```php
$change_custompwdfield = array(
    array(
        'attribute' => "customPasswordField",
        'hash'      => "MD5",
        'label'     => "Custom password"
    )
);
```
Tip
If you omit a key for a custom password field, the corresponding setting of the main password applies (see the default value column below).
The following sections describe the configuration in detail.
Main structure of the configuration array
As seen above, the configuration is an array of arrays: one inner array per custom password field, because a deployment may need more than one such field.
To manage two custom password fields, put two arrays into $change_custompwdfield, one for each field:
```php
$change_custompwdfield = array(
    array(
        // everything belonging to password field one
    ),
    array(
        // everything belonging to password field two
    )
);
```
Possible configuration keys
| Key | Description | Default value |
|---|---|---|
| attribute | LDAP attribute name | none |
| hash | Hash algorithm. Possible values are those supported by the LtbPassword library: clear, SSHA, SSHA256, SSHA384, SSHA512, SHA, SHA256, SHA384, SHA512, SMD5, MD5, CRYPT, ARGON2, NTLM | none |
|  | Array containing the prefix and length options for the salt when using the CRYPT hash | same value as the general $hash_options |
|  | Whether a captcha must be solved before the custom password can be changed | same as for the main password |
| label | Name of the application or of the LDAP attribute, as shown to the user | 'Custom Password X', where X is a number starting at 0 |
|  | Who changes the LDAP attribute? Possible values are "manager" or "user" | same as for the main password |
|  | An extra message shown to the user, for example "this password is meant for that application" | empty |
|  | Whether the user is notified by email after the change | same as for the main password |
|  | Whether to send the password policy (ppolicy) control with the modify operation (true or false). Usually pointless, since custom password attributes are not subject to the directory's password policy | false |
|  | Array of additional password policy settings for this custom password field (see the policy keys below) | same as for the main password |
|  | Path to a script called before the password change | none |
|  | Boolean. Whether the password is base64-encoded before it is passed to the prehook script | none |
|  | Path to a script called after the password change | none |
|  | Boolean. Whether the password is base64-encoded before it is passed to the posthook script | none |
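The hash names accepted by the hash key correspond to the `{SCHEME}base64(...)` layout conventionally used in LDAP password attributes: unsalted schemes store the digest of the password, salted schemes digest password plus salt and append the salt to the stored value. The following is an added example, not code from LtbPassword or this project, that builds and verifies such values for the digest-based schemes so you can inspect what actually lands in the custom attribute; CRYPT, ARGON2 and NTLM are left out. The 8-byte salt length and the sample password are assumptions of this example; the verifier reads the salt back from the stored value and so does not depend on the length.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Digest behind each {SCHEME} and whether the scheme is salted. Salted schemes hash
# password||salt and store base64(digest||salt). This mirrors the scheme names listed
# above; it is not LtbPassword code.
SCHEMES = {
    "MD5": ("md5", False),       "SMD5": ("md5", True),
    "SHA": ("sha1", False),      "SSHA": ("sha1", True),
    "SHA256": ("sha256", False), "SSHA256": ("sha256", True),
    "SHA384": ("sha384", False), "SSHA384": ("sha384", True),
    "SHA512": ("sha512", False), "SSHA512": ("sha512", True),
}
SALT_LEN = 8  # assumption for this example; ldap_verify() does not depend on it


def ldap_hash(password: str, scheme: str, salt: Optional[bytes] = None) -> str:
    """Return the value to store in the custom LDAP attribute for the given hash scheme."""
    scheme = scheme.upper()
    if scheme == "CLEAR":
        return password
    algo, salted = SCHEMES[scheme]
    data = password.encode("utf-8")
    if salted:
        salt = secrets.token_bytes(SALT_LEN) if salt is None else salt
    else:
        salt = b""  # unsalted: identical passwords always give identical stored values
    digest = hashlib.new(algo, data + salt).digest()
    return "{%s}%s" % (scheme, base64.b64encode(digest + salt).decode("ascii"))


def ldap_verify(password: str, stored: str) -> bool:
    """Check a candidate password against a stored {SCHEME}... value (or a clear value)."""
    if not stored.startswith("{"):
        return hmac.compare_digest(password.encode("utf-8"), stored.encode("utf-8"))
    scheme, blob = stored[1:].split("}", 1)
    algo, _ = SCHEMES[scheme.upper()]
    raw = base64.b64decode(blob)
    size = hashlib.new(algo).digest_size
    digest, salt = raw[:size], raw[size:]  # the salt is whatever follows the digest
    expected = hashlib.new(algo, password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(expected, digest)


def reuse_detectable(stored_a: str, stored_b: str) -> bool:
    """True when two stored values are byte-identical. For unsalted schemes such as MD5
    this tells anyone who can read both attributes that they hold the same password,
    which is why reusing the main password in a weakly hashed field is dangerous."""
    return stored_a == stored_b


if __name__ == "__main__":
    pw = "Tr0ub4dor&3"  # constructed sample password
    print(ldap_hash(pw, "MD5"))      # deterministic
    print(ldap_hash(pw, "SSHA512"))  # different on every call because of the random salt
```

Run it twice and compare the two MD5 lines: they are identical, whereas the SSHA512 lines differ although both verify. That is the concrete reason to forbid reuse of the main password in a field stored with an unsalted scheme.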
Password policy keys
| Key | Description |
|---|---|
|  | Whether or not to show the policy |
|  | Whether the custom password may be the same as the main password |
|  | Boolean. If true, the new password must differ from every other custom password marked as unique |
|  | How many characters of the custom password may be the same as the main password |
|  | Minimum length |
|  | Maximum length |
|  | Minimum number of lowercase characters |
|  | Minimum number of uppercase characters |
|  | Minimum number of digits |
|  | Minimum number of special characters |
|  | Which characters count as special characters |
|  | Forbidden characters |
|  | Whether the custom password may be the same as the login name |
|  | Number of different character classes required |
|  | Use the pwnedpasswords API v2 (k-anonymity range lookup, so the password itself is never sent) to check whether the password has appeared in a known leak |
|  | Forbid having a special character (as defined by |
|  | Array of forbidden words |
|  | Array of LDAP attributes whose values must not appear in the password |
|  | Where the policy is shown relative to the form ("above" or "below") |
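The following is an added example, not code from this project, that implements the policy checks listed above for one custom password field and reports which rules a candidate violates. The attribute names of CustomPasswordPolicy are this example's own shorthand, not the tool's configuration keys; the sample policy, LDAP entry and passwords are constructed. Two simplifications are assumptions: "characters the same as the main password" is interpreted as identical characters at the same position, and the main and other unique custom passwords are compared as plaintexts available at change time (an implementation that only holds the stored hashes would verify against those instead). The pwnedpasswords check is omitted because it needs network access.

```python
import re
from dataclasses import dataclass
from typing import List, Mapping, Optional, Sequence


@dataclass
class CustomPasswordPolicy:
    """Policy for one custom password field.

    Attribute names are this example's shorthand for the checks in the table above,
    not the tool's configuration keys. 0, False or empty disables a check.
    """
    min_length: int = 0
    max_length: int = 0
    min_lower: int = 0
    min_upper: int = 0
    min_digit: int = 0
    min_special: int = 0
    special_chars: str = r"^a-zA-Z0-9"   # body of a regex character class: "not alphanumeric"
    forbidden_chars: str = ""
    complexity: int = 0                   # number of distinct character classes required
    no_reuse: bool = True                 # may not equal the main password
    max_same_as_main: int = 0             # 0 = no limit; positional comparison is an assumption
    diff_login: bool = True               # may not equal the login name
    unique: bool = False                  # must differ from other custom passwords marked unique
    no_special_at_ends: bool = False
    forbidden_words: Sequence[str] = ()
    forbidden_ldap_fields: Sequence[str] = ()


def check_custom_password(new_pw: str, policy: CustomPasswordPolicy, *, main_pw: str = "",
                          login: str = "", ldap_entry: Optional[Mapping[str, Sequence[str]]] = None,
                          other_unique: Sequence[str] = ()) -> List[str]:
    """Return the names of the rules the candidate violates (empty list = accepted)."""
    violations: List[str] = []
    special = re.compile("[%s]" % policy.special_chars)
    counts = {
        "lower": len(re.findall(r"[a-z]", new_pw)),
        "upper": len(re.findall(r"[A-Z]", new_pw)),
        "digit": len(re.findall(r"[0-9]", new_pw)),
        "special": len(special.findall(new_pw)),
    }
    if policy.min_length and len(new_pw) < policy.min_length:
        violations.append("too_short")
    if policy.max_length and len(new_pw) > policy.max_length:
        violations.append("too_long")
    for cls, n in counts.items():
        if n < getattr(policy, "min_" + cls):
            violations.append("min_" + cls)
    if policy.forbidden_chars and any(c in policy.forbidden_chars for c in new_pw):
        violations.append("forbidden_char")
    if policy.complexity and sum(1 for n in counts.values() if n) < policy.complexity:
        violations.append("complexity")
    if policy.no_special_at_ends and new_pw and (special.match(new_pw[0]) or special.match(new_pw[-1])):
        violations.append("special_at_ends")
    if policy.no_reuse and main_pw and new_pw == main_pw:
        violations.append("same_as_main")
    if policy.max_same_as_main and main_pw:
        # Assumption: "same characters" means identical characters at the same position.
        same = sum(1 for a, b in zip(new_pw, main_pw) if a == b)
        if same > policy.max_same_as_main:
            violations.append("too_similar_to_main")
    if policy.diff_login and login and new_pw.lower() == login.lower():
        violations.append("same_as_login")
    if policy.unique and new_pw in other_unique:
        violations.append("not_unique")
    lowered = new_pw.lower()
    if any(w and w.lower() in lowered for w in policy.forbidden_words):
        violations.append("forbidden_word")
    for attr in policy.forbidden_ldap_fields:
        if any(v and v.lower() in lowered for v in (ldap_entry or {}).get(attr, ())):
            violations.append("forbidden_ldap_field")
            break
    return violations


# Constructed policy for a legacy application's MD5-hashed field: the weak hash must not
# reveal the main password, so reuse of and similarity to the main password are rejected.
LEGACY_APP_POLICY = CustomPasswordPolicy(
    min_length=8, min_lower=1, min_upper=1, min_digit=1, min_special=1, complexity=3,
    no_reuse=True, max_same_as_main=3, diff_login=True,
    forbidden_words=("acme",), forbidden_ldap_fields=("sn",),
)

if __name__ == "__main__":
    entry = {"sn": ["Doe"], "uid": ["jdoe"]}  # constructed LDAP entry
    for candidate in ("Main-Pass-1!", "Xy7#qwerty", "acmeXy7#", "Xy7#Doe99"):
        print(candidate, check_custom_password(candidate, LEGACY_APP_POLICY,
                                               main_pw="Main-Pass-1!", login="jdoe", ldap_entry=entry))
```

The order of the checks only affects the order of the reported violations; every rule is evaluated so the user sees all problems at once rather than one per attempt.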