From 86b10eda6a21b49d380cc2b199eebea834bb0c62 Mon Sep 17 00:00:00 2001
From: Roland Gruber
Date: Sat, 7 Jul 2018 17:40:44 +0200
Subject: [PATCH] LDAP EXOP password change

---
 lam/HISTORY | 1 +
 lam/lib/modules/inetOrgPerson.inc | 45 ++++++++++++++++++++++++++++++-
 2 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/lam/HISTORY b/lam/HISTORY
index bf8b0bdc..3e01092a 100644
--- a/lam/HISTORY
+++ b/lam/HISTORY
@@ -1,4 +1,5 @@
 September 2018 6.5
+ - Password change possible via LDAP EXOP operation (set LDAP_EXOP as password hash)
 - LAM Pro:
 -> Auto deletion of entries with dynamic directory services support (requires PHP 7.2).
 - Fixed bugs:
diff --git a/lam/lib/modules/inetOrgPerson.inc b/lam/lib/modules/inetOrgPerson.inc
index aa877d1c..71600c2b 100644
--- a/lam/lib/modules/inetOrgPerson.inc
+++ b/lam/lib/modules/inetOrgPerson.inc
@@ -915,6 +915,8 @@ class inetOrgPerson extends baseModule implements passwordService {
 */
 public function postModifyActions($newAccount, $attributes) {
 $messages = array();
+ // set exop password
+ $messages = array_merge($messages, $this->setExopPassword($this->moduleSettings));
 // add address book
 $accountContainer = $this->getAccountContainer();
 if ($this->isBooleanConfigOptionSet('inetOrgPerson_addAddressbook') && !empty($accountContainer)) {
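Review bot: In postModifyActions the new `$messages = array_merge($messages, $this->setExopPassword($this->moduleSettings));` flattens the failure result, because setExopPassword (hunk `@@ -940`) returns a single message `array('ERROR', _('Unable to set password'), ...)` instead of a list holding that message. If `$messages` is the list of message tuples this method returns, as the merge implies, a failed EXOP change surfaces as three malformed entries ('ERROR', the text, the LDAP error) and the real error is lost. Either wrap the message in setExopPassword, `return array(array('ERROR', _('Unable to set password'), getExtendedLDAPErrorMessage($_SESSION['ldap']->server())));`, or append it here with `$messages[] = ...` after checking for a non-empty result. The rest of postModifyActions is outside the hunk.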
@@ -940,6 +942,23 @@ class inetOrgPerson extends baseModule implements passwordService {
 return $messages;
 }
 
+ /**
+ * Sets the password via ldap_exop if configured.
+ *
+ * @param array $settings settings
+ * @return array error message parameters if any
+ */
+ private function setExopPassword($settings) {
+ if (!empty($this->clearTextPassword) && !empty($settings['posixAccount_pwdHash'][0])
+ && ($settings['posixAccount_pwdHash'][0] === 'LDAP_EXOP')) {
+ $success = ldap_exop_passwd($_SESSION['ldap']->server(), $this->getAccountContainer()->finalDN, null, $this->clearTextPassword);
+ if (!$success) {
+ return array('ERROR', _('Unable to set password'), getExtendedLDAPErrorMessage($_SESSION['ldap']->server()));
+ }
+ }
+ return array();
+ }
+
 /**
 * Processes user input of the primary module page.
 * It checks if all input values are correct and updates the associated LDAP attributes.
@@ -2384,8 +2403,12 @@ class inetOrgPerson extends baseModule implements passwordService {
 }
 }
 // password
+ // delay exop passwords
+ if (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'LDAP_EXOP')) {
+ // changed in post action
+ }
 // set SASL password
- if (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
+ elseif (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
 $partialAccounts[$i]['userPassword'] = '{SASL}' . $partialAccounts[$i]['uid'];
 }
 // set K5KEY password
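Review bot: `ldap_exop_passwd()` in setExopPassword exists only from PHP 7.2, so on an older interpreter choosing LDAP_EXOP as the password hash ends in a fatal undefined-function error during the post action instead of a user-visible message; the HISTORY line for another feature in this same commit still spells out "requires PHP 7.2", which suggests older versions are supported. Guard the call with `if (!function_exists('ldap_exop_passwd')) { return array(array('ERROR', _('Unable to set password'), '<placeholder: requirement text>')); }` and state the PHP 7.2 requirement in the method docblock and in the HISTORY entry. The `$settings` parameter always receives `$this->moduleSettings` while the method already reads `$this->clearTextPassword` and `$this->getAccountContainer()` directly, so the parameter adds little. The LDAP_EXOP settings test is repeated verbatim in `@@ -2384`, `@@ -2454` and `@@ -3723`; a private helper such as `isExopPasswordConfigured()` would remove the duplication and make the empty-bodied `if` in `@@ -2384` read as an intentional skip of the rest of the chain.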
@@ -2454,6 +2477,22 @@ class inetOrgPerson extends baseModule implements passwordService {
 logNewMessage(LOG_NOTICE, 'Added addressbook for user ' . $accounts[$temp['counter']]['dn']);
 }
 }
+ // set password via exop
+ if (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'LDAP_EXOP')) {
+ if (isset($ids['inetOrgPerson_userPassword']) && !empty($data[$temp['counter']][$ids['inetOrgPerson_userPassword']])) {
+ $dn = $accounts[$temp['counter']]['dn'];
+ $password = $data[$temp['counter']][$ids['inetOrgPerson_userPassword']];
+ $success = ldap_exop_passwd($_SESSION['ldap']->server(), $dn, null, $password);
+ if (!$success) {
+ $errors[] = array(
+ "ERROR",
+ _('Unable to set password'),
+ $dn . '
' . getDefaultLDAPErrorString($_SESSION['ldap']->server()),
+ array($temp['groups'][$temp['counter']])
+ );
+ }
+ }
+ }
 }
 $temp['counter']++;
 if ($temp['counter'] < $dataSize) {
@@ -3723,6 +3762,10 @@ class inetOrgPerson extends baseModule implements passwordService {
 && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
 $this->attributes['userPassword'][0] = '{SASL}' . $this->attributes['uid'][0];
 }
+ // delay on ldap_exop
+ elseif (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'LDAP_EXOP')) {
+ logNewMessage(LOG_DEBUG, 'Setting password in post action, exop');
+ }
 // set normal password
 else {
 $this->attributes['userPassword'][0] = pwd_hash($password, true, $this->moduleSettings['posixAccount_pwdHash'][0]);
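Review bot: The upload branch in `@@ -2454` tests the password column with `!empty(...)`, which treats a password of `'0'` as absent, so such a row is silently created without any password and without an error; compare against the empty string instead, `$data[$temp['counter']][$ids['inetOrgPerson_userPassword']] !== ''`, unless the column's existing validation already excludes it. The error detail here uses `getDefaultLDAPErrorString()` while setExopPassword reports the same failure via `getExtendedLDAPErrorMessage()`; pick one so both paths give the same detail. In `@@ -3723` the EXOP branch only logs and leaves `userPassword` untouched, which is correct, but the post action only runs if `$this->clearTextPassword` is populated on this path and that assignment is outside the hunk, so please confirm; a comment such as `// password is sent via ldap_exop_passwd() in postModifyActions(); userPassword is left unchanged` would make the deferral explicit. The `$dn . '` concatenation in the error detail appears split across a line break in this listing, presumably a separator literal lost in rendering, which is worth checking in the committed file.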