From 69624201690664c44269f8cfd1dee258beaa719e Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Sat, 7 Jul 2018 14:05:39 +0200
Subject: [PATCH] support password exop
---
 lam/lib/account.inc | 6 ++-
 lam/lib/modules/posixAccount.inc | 93 +++++++++++++++++++++++++++++---
 2 files changed, 91 insertions(+), 8 deletions(-)
diff --git a/lam/lib/account.inc b/lam/lib/account.inc
index 9568b7cf..97b9844c 100644
--- a/lam/lib/account.inc
+++ b/lam/lib/account.inc
@@ -188,7 +188,11 @@ function pwd_hash($password, $enabled = true, $hashType = 'SSHA') {
 * @return array hash types
 */
 function getSupportedHashTypes() {
- return array('CRYPT', 'CRYPT-SHA512', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN', 'SASL', 'K5KEY');
+ $hashes = array('CRYPT', 'CRYPT-SHA512', 'SHA', 'SSHA', 'MD5', 'SMD5', 'PLAIN', 'SASL', 'K5KEY');
+ if (version_compare(phpversion(), '7.2.0') >= 0) {
+ $hashes[] = 'LDAP_EXOP';
+ }
+ return $hashes;
 }
 
 /**
diff --git a/lam/lib/modules/posixAccount.inc b/lam/lib/modules/posixAccount.inc
index bc6f3c7f..034c19af 100644
--- a/lam/lib/modules/posixAccount.inc
+++ b/lam/lib/modules/posixAccount.inc
@@ -696,8 +696,10 @@ class posixAccount extends baseModule implements passwordService {
 return $messages;
 }
 $modules = $accountContainer->get_type()->getModules();
- $homeDirAttr = $this->getHomedirAttrName($modules);
+ // set exop password
+ $messages = array_merge($messages, $this->setExopPassword($this->moduleSettings));
 // create home directories if needed
+ $homeDirAttr = $this->getHomedirAttrName($modules);
 if (sizeof($this->lamdaemonServers) > 0) {
 $server = null;
 $lamdaemonServers = explode(";", $_SESSION['config']->get_scriptServers());
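Review bot: `version_compare(phpversion(), '7.2.0') >= 0` in getSupportedHashTypes is only an indirect test for `ldap_exop_passwd`, whose presence may also depend on how the ldap extension was built; `if (function_exists('ldap_exop_passwd')) {` checks the capability the new option actually needs. The call sites added in posixAccount.inc invoke `ldap_exop_passwd` unguarded whenever the stored setting is `LDAP_EXOP`, so a saved profile moved to a PHP build without it fails at call time with an undefined-function error rather than at configuration time; the same `function_exists` check there would give a readable message instead.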
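Review bot: `array_merge($messages, $this->setExopPassword($this->moduleSettings))` flattens the single message returned by setExopPassword (`array('ERROR', _('Unable to set password'), ...)` in the setExopPassword hunk) into three separate string entries of `$messages`, whereas the other message lists in this patch hold one `array('ERROR', ...)` per message (`$errors[] = array("ERROR", ...)` in the upload hunk). Either append the result as one element, `$exopMessage = $this->setExopPassword($this->moduleSettings); if (!empty($exopMessage)) { $messages[] = $exopMessage; }`, or have setExopPassword return a list of messages so the merge stays valid. The enclosing method starts and ends outside the hunk.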
@@ -876,6 +878,23 @@ class posixAccount extends baseModule implements passwordService {
 return $messages;
 }
 
+ /**
+ * Sets the password via ldap_exop if configured.
+ *
+ * @param array $settings settings
+ * @return array error message parameters if any
+ */
+ private function setExopPassword($settings) {
+ if (!empty($this->clearTextPassword) && !empty($settings['posixAccount_pwdHash'][0])
+ && ($settings['posixAccount_pwdHash'][0] === 'LDAP_EXOP')) {
+ $success = ldap_exop_passwd($_SESSION['ldap']->server(), $this->getAccountContainer()->finalDN, null, $this->clearTextPassword);
+ if (!$success) {
+ return array('ERROR', _('Unable to set password'), getExtendedLDAPErrorMessage($_SESSION['ldap']->server()));
+ }
+ }
+ return array();
+ }
+
 /**
 * Additional LDAP operations on delete.
 *
@@ -2627,8 +2646,12 @@ class posixAccount extends baseModule implements passwordService {
 $errors[] = $errMsg;
 }
 // password
+ // delay exop passwords
+ if (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'LDAP_EXOP')) {
+ // changed in post action
+ }
 // set SASL passwords
- if (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
+ elseif (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
 $partialAccounts[$i][$pwdAttrName] = '{SASL}' . $partialAccounts[$i]['uid'];
 }
 // set K5KEY password
@@ -2743,6 +2766,7 @@ class posixAccount extends baseModule implements passwordService {
 $temp['groups'] = array();
 $temp['dn_gon'] = array();
 $temp['createHomes'] = array();
+ $temp['exop'] = array();
 $temp['counter'] = 0;
 $col = $ids['posixAccount_additionalGroups'];
 $col_home = $ids['posixAccount_createHomeDir'];
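Review bot: setExopPassword takes a `$settings` parameter although it is private and its only call site passes `$this->moduleSettings`, while the other LDAP_EXOP checks in this patch read `$this->moduleSettings['posixAccount_pwdHash'][0]` directly; dropping the parameter keeps the checks uniform. The docblock line `@return array error message parameters if any` should state that the method returns one message triple `array('ERROR', title, text)` or an empty array, so callers do not merge it as if it were a list of messages. The method also returns an empty array without any message when `$this->clearTextPassword` is unset; where that field is assigned is outside this patch, so the silent no-op is worth a comment such as `// nothing to do when no clear-text password was captured for this request`.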
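Review bot: The new `if` for `LDAP_EXOP` has an empty body holding only `// changed in post action` and exists solely to keep the SASL branch (and whatever follows it) from running; an empty branch reads as unfinished code. Reading the hash type once into a local before the chain and stating the intent as a comment on the SASL branch, `// LDAP_EXOP: the attribute is left unset here, ldap_exop_passwd applies the password in the post action`, gives the same control flow without the empty block and avoids repeating the `!empty(...) && (... === '...')` test in every branch. The enclosing method starts and ends outside the hunk.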
@@ -2795,6 +2819,11 @@ class posixAccount extends baseModule implements passwordService {
 if (!empty($dataRow[$col_home])) {
 $temp['createHomes'][] = $i;
 }
+ if (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'LDAP_EXOP')) {
+ if (isset($ids['posixAccount_password']) && !empty($dataRow[$ids['posixAccount_password']])) {
+ $temp['exop'][] = array($accounts[$i]['dn'], $dataRow[$ids['posixAccount_password']]);
+ }
+ }
 }
 $temp['dn_gon_keys'] = array_keys($temp['dn_gon']);
 return array(
@@ -2832,7 +2861,7 @@ class posixAccount extends baseModule implements passwordService {
 $temp['counter']++;
 return array (
 'status' => 'inProgress',
- 'progress' => ($temp['counter'] * 100) / (sizeof($temp['groups']) + sizeof($temp['createHomes']) + sizeof($temp['dn_gon'])),
+ 'progress' => ($temp['counter'] * 100) / (sizeof($temp['groups']) + sizeof($temp['createHomes']) + sizeof($temp['dn_gon']) + sizeof($temp['exop'])),
 'errors' => $errors
 );
 }
@@ -2840,7 +2869,7 @@ class posixAccount extends baseModule implements passwordService {
 $temp['counter']++;
 return array (
 'status' => 'inProgress',
- 'progress' => ($temp['counter'] * 100) / (sizeof($temp['groups'] + sizeof($temp['createHomes']) + sizeof($temp['dn_gon']))),
+ 'progress' => ($temp['counter'] * 100) / (sizeof($temp['groups'] + sizeof($temp['createHomes']) + sizeof($temp['dn_gon']) + sizeof($temp['exop']))),
 'errors' => array(array('ERROR', _('Unable to find group in LDAP.'), $temp['groups'][$temp['counter']]))
 );
 }
@@ -2879,7 +2908,7 @@ class posixAccount extends baseModule implements passwordService {
 $temp['counter']++;
 return array (
 'status' => 'inProgress',
- 'progress' => ($temp['counter'] * 100) / (sizeof($temp['groups']) + sizeof($temp['createHomes']) + sizeof($temp['dn_gon'])),
+ 'progress' => ($temp['counter'] * 100) / (sizeof($temp['groups']) + sizeof($temp['createHomes']) + sizeof($temp['dn_gon']) + sizeof($temp['exop'])),
 'errors' => $errors
 );
 }
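Review bot: `$temp['exop'][] = array($accounts[$i]['dn'], $dataRow[$ids['posixAccount_password']])` keeps the clear-text upload password in `$temp`, and since the upload is resumed across requests via `$temp['counter']` this state appears to be persisted between requests until the whole upload finishes. Blanking each entry once its `ldap_exop_passwd` call has run limits how long the passwords are retained; in the exop branch of the 2898 hunk that is `$temp['exop'][$index][1] = '';` with `$index` the computed offset (overwrite rather than `unset`, because `sizeof($temp['exop'])` is used as the loop bound and in the progress denominator). The enclosing method starts outside the hunk.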
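Review bot: The rewritten `progress` line in the `Unable to find group in LDAP.` branch keeps the pre-existing misplaced parenthesis: `sizeof($temp['groups'] + sizeof($temp['createHomes']) + ...)` adds integers to the `$temp['groups']` array inside the outer `sizeof`, which PHP rejects as unsupported operand types, so this error return fails exactly when a group is missing. The 2832, 2879 and 2898 hunks have the intended form `(sizeof($temp['groups']) + sizeof($temp['createHomes']) + sizeof($temp['dn_gon']) + sizeof($temp['exop']))`. That denominator is now repeated at five return sites; computing `$total` once near the top of the method would remove the divergence and make the exop addition a one-line change.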
@@ -2898,10 +2927,31 @@ class posixAccount extends baseModule implements passwordService {
 );
 }
 $temp['counter']++;
- $errors = array();
 return array (
 'status' => 'inProgress',
- 'progress' => ($temp['counter'] * 100) / (sizeof($temp['groups']) + sizeof($temp['createHomes']) + sizeof($temp['dn_gon'])),
+ 'progress' => ($temp['counter'] * 100) / (sizeof($temp['groups']) + sizeof($temp['createHomes']) + sizeof($temp['dn_gon']) + sizeof($temp['exop'])),
+ 'errors' => $errors
+ );
+ }
+ // run password exop commands
+ elseif ($temp['counter'] < (sizeof($temp['groups']) + sizeof($temp['createHomes']) + sizeof($temp['dn_gon']) + sizeof($temp['exop']))) {
+ $data = $temp['exop'][$temp['counter'] - sizeof($temp['groups']) - sizeof($temp['createHomes']) - sizeof($temp['dn_gon'])];
+ $dn = $data[0];
+ $password = $data[1];
+ $success = ldap_exop_passwd($_SESSION['ldap']->server(), $dn, null, $password);
+ $errors = array();
+ if (!$success) {
+ $errors[] = array(
+ "ERROR",
+ _('Unable to set password'),
+ $dn . '
' . getDefaultLDAPErrorString($_SESSION['ldap']->server()),
+ array($temp['groups'][$temp['counter']])
+ );
+ }
+ $temp['counter']++;
+ return array (
+ 'status' => 'inProgress',
+ 'progress' => ($temp['counter'] * 100) / (sizeof($temp['groups']) + sizeof($temp['createHomes']) + sizeof($temp['dn_gon']) + sizeof($temp['exop'])),
 'errors' => $errors
 );
 }
@@ -3178,6 +3228,10 @@ class posixAccount extends baseModule implements passwordService {
 if (!empty($attributes['uid'][0]) && ($passwordHash === 'SASL')) {
 $return['mod']['userPassword'][0] = '{SASL}' . $attributes['uid'][0];
 }
+ elseif ($passwordHash === 'LDAP_EXOP') {
+ // no LDAP modify action, use ldap_exop_passwd
+ $return['info']['userPasswordModify'][0] = 'exop';
+ }
 // set other password hashes
 else {
 $return['mod']['userPassword'][0] = pwd_hash($_POST['posixAccount_password'], true, $passwordHash);
@@ -3238,6 +3292,27 @@ class posixAccount extends baseModule implements passwordService {
 return $return;
 }
 
+ /**
+ * {@inheritDoc}
+ * @see baseModule::postModifySelfService()
+ */
+ public function postModifySelfService($newAccount, $attributes) {
+ if (isset($attributes['INFO.userPasswordModify'][0])
+ && ($attributes['INFO.userPasswordModify'][0] === 'exop')) {
+ $password = $attributes['INFO.userPasswordClearText'][0];
+ $dn = $attributes['dn'][0];
+ $success = ldap_exop_passwd($_SESSION['ldapHandle'], $dn, null, $password);
+ if (!$success) {
+ StatusMessage('ERROR', _('Unable to set password'), getExtendedLDAPErrorMessage($_SESSION['ldapHandle']));
+ }
+ else {
+ StatusMessage('INFO', _('Password changed.'));
+ }
+ return $success;
+ }
+ return true;
+ }
+
 /**
 * This method specifies if a module manages password attributes.
 * @see passwordService::managesPasswordAttributes
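Review bot: The exop error entry carries `array($temp['groups'][$temp['counter']])` as its fourth element, copied from the group branch; in this branch `$temp['counter']` is at least `sizeof($temp['groups'])`, so that index is undefined and the element is meaningless, and `$dn` is already part of the message text. Drop that line so the entry has the three-element `array('ERROR', title, text)` shape used by the other branches. Removing `$errors = array();` from the preceding `dn_gon` branch also changes what that branch reports; if `$errors` is not initialised earlier in that branch (its start is outside the hunk) the return now reads an undefined variable, so that deletion deserves a check or its own comment.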
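Review bot: `$password = $attributes['INFO.userPasswordClearText'][0];` in postModifySelfService is read without a guard, and nothing in this patch sets that key (the 3178 hunk only sets `INFO.userPasswordModify`); if the self-service core does not supply it, `ldap_exop_passwd` runs with an undefined value. Guard it before the call, `if (!isset($attributes['INFO.userPasswordClearText'][0])) { StatusMessage('ERROR', _('Unable to set password')); return false; }`. The `{@inheritDoc}` docblock should also note that the method returns `false` only when an exop password change was requested and failed, since `return $success;` otherwise passes through the result of `ldap_exop_passwd`.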
@@ -3296,6 +3371,10 @@ class posixAccount extends baseModule implements passwordService {
 && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
 $this->attributes[$this->getPasswordAttrName($accountModules)][0] = '{SASL}' . $this->attributes['uid'][0];
 }
+ // delay on ldap_exop
+ elseif (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'LDAP_EXOP')) {
+ logNewMessage(LOG_DEBUG, 'Setting password in post action, exop');
+ }
 // set normal password
 else {
 $this->attributes[$this->getPasswordAttrName($accountModules)][0] = pwd_hash($password, true, $this->moduleSettings['posixAccount_pwdHash'][0]);
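Review bot: The `LDAP_EXOP` branch only logs, so the new password reaches LDAP solely through `$this->clearTextPassword` in setExopPassword, yet this hunk does not assign that field and the rest of the enclosing method is outside the hunk. If it is not already set earlier in the method, add `$this->clearTextPassword = $password;` in this branch; otherwise setExopPassword returns an empty array when the field is empty and the password change is skipped without any error shown to the user. Replacing the comment `// delay on ldap_exop` with `// LDAP_EXOP: no attribute is written here, the password is applied by ldap_exop_passwd in the post action` states that dependency where a later reader will look for it.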