1 #!/usr/bin/php
2 <?php
/**
 * Encrypt one credential string with the master key and return it hex-encoded.
 *
 * @param string $input    plaintext credential taken from gosa.conf
 * @param string $password master key; the callers below pass the value built
 *                         by get_random_string() (32 chars by default)
 * @return string lowercase hex of the raw mcrypt output
 */
function cred_encrypt($input, $password) {
// NOTE(review): the IV below is sized for CBC and drawn from /dev/random
// (which can block until the kernel has enough entropy), but the encrypt
// call runs in ECB mode, which has no IV -- $iv never influences the output.
// ECB also maps equal 16-byte plaintext blocks to equal ciphertext blocks, so
// repeated passwords are recognisable in gosa.conf. Switching this to CBC
// would change the stored format; the decryption side (not in this file)
// would have to change in step, so it is left as is here.
$size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_128, MCRYPT_MODE_CBC);
$iv = mcrypt_create_iv($size, MCRYPT_DEV_RANDOM);
// The mcrypt extension was removed in PHP 7.2; this only runs on older PHP.
return bin2hex(mcrypt_encrypt(MCRYPT_RIJNDAEL_128, $password, $input, MCRYPT_MODE_ECB, $iv));
}
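/**
 * Return one random character from the 64-character alphabet
 * ".", "/", 0-9, A-Z, a-z.
 *
 * The characters feed the master key written to gosa.secrets, so the source
 * of randomness matters: the original rand() is not a cryptographic generator
 * and its output is predictable from a small sample. random_int() (PHP >= 7)
 * uses the platform CSPRNG; on older PHP the kernel urandom device is read
 * through the mcrypt extension this script already depends on.
 *
 * @return string exactly one character
 */
function get_random_char() {
    // Index 0-11: '.', '/' and the digits; 12-37: uppercase; 38-63: lowercase.
    // Same mapping as the former chr() arithmetic, spelled out as a table.
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    if (function_exists('random_int')) {
        $index = random_int(0, 63);
    } else {
        // One byte from the kernel CSPRNG; 256 is a multiple of 64, so the
        // modulo reduction does not bias any character.
        $index = ord(mcrypt_create_iv(1, MCRYPT_DEV_URANDOM)) % 64;
    }
    return $alphabet[$index];
}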
/**
 * Build a random string of $size characters, each drawn from the alphabet
 * produced by get_random_char() ('.', '/', digits, A-Z, a-z).
 *
 * @param int $size number of characters to produce; 0 or negative yields ""
 * @return string
 */
function get_random_string($size= 32){
    $chars = array();
    for ($remaining = $size; $remaining > 0; $remaining--) {
        $chars[] = get_random_char();
    }
    return implode("", $chars);
}
# We need to have access to gosa.secrets, so only root may run this.
if (posix_getuid() !== 0) {
    exit("This program needs to be called by root!\n");
}

# Do we have a valid gosa.conf? Without it there is nothing to convert.
if (!file_exists("/etc/gosa/gosa.conf")) {
    exit("Cannot find a valid /etc/gosa/gosa.conf!\n");
}
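echo "Starting password encryption\n";
echo "* generating random master key\n";
$master_key= get_random_string();

# Do we have a valid gosa.secrets, already? Refuse to run twice: an existing
# secrets file means gosa.conf was converted before, and encrypting the
# already-encrypted values again would make them unusable.
if (file_exists("/etc/gosa/gosa.secrets")){
    die ("There's already a /etc/gosa/gosa.secrets. Cannot convert your existing gosa.conf - aborted\n");
}

echo "* creating /etc/gosa/gosa.secrets\n";
# The file holds the master key, so it must never be readable by anyone but
# root, not even for an instant. A 077 umask makes it 0600 at creation (the
# chmod below then only confirms that), and mode 'x' fails instead of
# truncating if a gosa.secrets appeared between the check above and here.
$old_umask = umask(077);
$fp = fopen("/etc/gosa/gosa.secrets", 'x');
umask($old_umask);
if ($fp === false) {
    die("Cannot open /etc/gosa/gosa.secrets for writing - aborted");
}
# A short or failed write would leave a secrets file Apache accepts but whose
# key does not match the passwords encrypted below, so abort instead.
if (fwrite($fp, "RequestHeader set GOSA_KEY $master_key\n") === false) {
    die("Cannot write /etc/gosa/gosa.secrets - aborted\n");
}
fclose($fp);
chmod ("/etc/gosa/gosa.secrets", 0600);
chown ("/etc/gosa/gosa.secrets", "root");
chgrp ("/etc/gosa/gosa.secrets", "root");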
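# Locate all passwords inside the gosa.conf. Values are replaced in the
# in-memory DOM only; nothing reaches disk until $conf->save() further down.
echo "* loading /etc/gosa/gosa.conf\n";
$conf = new DOMDocument();
$conf->load("/etc/gosa/gosa.conf") or die ("Cannot read /etc/gosa/gosa.conf - aborted\n");
$conf->encoding = 'UTF-8';

# Encrypt the adminPassword of every <referral>. A referral carrying no
# adminPassword attribute has nothing to encrypt and is skipped; the original
# dereferenced the missing attribute and failed.
$referrals= $conf->getElementsByTagName("referral");
foreach($referrals as $referral){
    $user = $referral->attributes->getNamedItem("adminDn");
    $pw= $referral->attributes->getNamedItem("adminPassword");
    if ($pw === null) {
        continue;
    }
    $dn = ($user !== null) ? $user->nodeValue : "(no adminDn)";
    echo "* encrypting GOsa password for: ".$dn."\n";
    $pw->nodeValue= cred_encrypt($pw->nodeValue, $master_key);
}

# Encrypt the snapshot passwords. Compare against the empty string explicitly:
# the former truthiness test would have left a password of "0" in plaintext.
$locations= $conf->getElementsByTagName("location");
foreach($locations as $location){
    $name = $location->attributes->getNamedItem("name");
    $node = $location->attributes->getNamedItem("snapshotAdminPassword");
    if ($node === null || $node->nodeValue === '') {
        continue;
    }
    $label = ($name !== null) ? $name->nodeValue : "(unnamed)";
    echo "* encrypting snapshot password for location: ".$label."\n";
    $node->nodeValue = cred_encrypt($node->nodeValue, $master_key);
}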
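# Move original gosa.conf out of the way and make it unreadable for the web user.
# The rename must succeed before anything is written: if it silently failed,
# the save below would overwrite the only copy of the plaintext configuration.
echo "* creating backup in /etc/gosa/gosa.conf.orig\n";
rename("/etc/gosa/gosa.conf", "/etc/gosa/gosa.conf.orig") or die("Cannot move /etc/gosa/gosa.conf to /etc/gosa/gosa.conf.orig - aborted\n");
chmod("/etc/gosa/gosa.conf.orig", 0600);
chown ("/etc/gosa/gosa.conf.orig", "root");
chgrp ("/etc/gosa/gosa.conf.orig", "root");

# Save new passwords. A 027 umask keeps the new file from being world-readable
# between save() creating it and the chmod below.
echo "* saving modified /etc/gosa/gosa.conf\n";
$old_umask = umask(027);
$saved = $conf->save("/etc/gosa/gosa.conf");
umask($old_umask);
if ($saved === false) {
    die("Cannot write modified /etc/gosa/gosa.conf - aborted\n");
}
chmod("/etc/gosa/gosa.conf", 0640);
chown ("/etc/gosa/gosa.conf", "root");
chgrp ("/etc/gosa/gosa.conf", "www-data");
echo "OK\n\n";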
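# Print reminder: the secrets file only takes effect once the httpd config
# includes it, so show the operator the exact snippet. Printed last, so an
# abort above never suggests a finished conversion.
echo <<<EOF
Please adapt your http gosa location declaration to include the newly
created "/etc/gosa/gosa.secrets".
Example:
Alias /gosa /usr/share/gosa/html
<Location /gosa>
php_admin_flag engine on
php_admin_value open_basedir "/etc/gosa/:/usr/share/gosa/:/var/cache/gosa/:/var/spool/gosa/"
php_admin_flag register_globals off
php_admin_flag allow_call_time_pass_reference off
php_admin_flag expose_php off
php_admin_flag zend.ze1_compatibility_mode off
php_admin_flag register_long_arrays off
php_admin_flag magic_quotes_gpc on
include /etc/gosa/gosa.secrets
</Location>
Please reload your httpd configuration after you've modified anything.
EOF;
# No closing ?> tag: in a PHP-only file it serves no purpose and anything
# after it (a stray newline, for example) would be echoed verbatim.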