LDAP EXOP password change

This commit is contained in:
Roland Gruber 2018-07-07 17:40:44 +02:00
parent c4e8811056
commit 86b10eda6a
2 changed files with 45 additions and 1 deletions

View File

@ -1,4 +1,5 @@
September 2018 6.5 September 2018 6.5
- Password change possible via LDAP EXOP operation (set LDAP_EXOP as password hash)
- LAM Pro: - LAM Pro:
-> Auto deletion of entries with dynamic directory services support (requires PHP 7.2). -> Auto deletion of entries with dynamic directory services support (requires PHP 7.2).
- Fixed bugs: - Fixed bugs:

View File

@ -915,6 +915,8 @@ class inetOrgPerson extends baseModule implements passwordService {
*/ */
public function postModifyActions($newAccount, $attributes) { public function postModifyActions($newAccount, $attributes) {
$messages = array(); $messages = array();
// set exop password
$messages = array_merge($messages, $this->setExopPassword($this->moduleSettings));
// add address book // add address book
$accountContainer = $this->getAccountContainer(); $accountContainer = $this->getAccountContainer();
if ($this->isBooleanConfigOptionSet('inetOrgPerson_addAddressbook') && !empty($accountContainer)) { if ($this->isBooleanConfigOptionSet('inetOrgPerson_addAddressbook') && !empty($accountContainer)) {
@ -940,6 +942,23 @@ class inetOrgPerson extends baseModule implements passwordService {
return $messages; return $messages;
} }
/**
* Sets the password via ldap_exop if configured.
*
* @param array $settings settings
* @return array error message parameters if any
*/
private function setExopPassword($settings) {
if (!empty($this->clearTextPassword) && !empty($settings['posixAccount_pwdHash'][0])
&& ($settings['posixAccount_pwdHash'][0] === 'LDAP_EXOP')) {
$success = ldap_exop_passwd($_SESSION['ldap']->server(), $this->getAccountContainer()->finalDN, null, $this->clearTextPassword);
if (!$success) {
return array('ERROR', _('Unable to set password'), getExtendedLDAPErrorMessage($_SESSION['ldap']->server()));
}
}
return array();
}
/** /**
* Processes user input of the primary module page. * Processes user input of the primary module page.
* It checks if all input values are correct and updates the associated LDAP attributes. * It checks if all input values are correct and updates the associated LDAP attributes.
@ -2384,8 +2403,12 @@ class inetOrgPerson extends baseModule implements passwordService {
} }
} }
// password // password
// delay exop passwords
if (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'LDAP_EXOP')) {
// changed in post action
}
// set SASL password // set SASL password
if (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) { elseif (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
$partialAccounts[$i]['userPassword'] = '{SASL}' . $partialAccounts[$i]['uid']; $partialAccounts[$i]['userPassword'] = '{SASL}' . $partialAccounts[$i]['uid'];
} }
// set K5KEY password // set K5KEY password
@ -2454,6 +2477,22 @@ class inetOrgPerson extends baseModule implements passwordService {
logNewMessage(LOG_NOTICE, 'Added addressbook for user ' . $accounts[$temp['counter']]['dn']); logNewMessage(LOG_NOTICE, 'Added addressbook for user ' . $accounts[$temp['counter']]['dn']);
} }
} }
// set password via exop
if (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'LDAP_EXOP')) {
if (isset($ids['inetOrgPerson_userPassword']) && !empty($data[$temp['counter']][$ids['inetOrgPerson_userPassword']])) {
$dn = $accounts[$temp['counter']]['dn'];
$password = $data[$temp['counter']][$ids['inetOrgPerson_userPassword']];
$success = ldap_exop_passwd($_SESSION['ldap']->server(), $dn, null, $password);
if (!$success) {
$errors[] = array(
"ERROR",
_('Unable to set password'),
$dn . '<br>' . getDefaultLDAPErrorString($_SESSION['ldap']->server()),
array($temp['groups'][$temp['counter']])
);
}
}
}
} }
$temp['counter']++; $temp['counter']++;
if ($temp['counter'] < $dataSize) { if ($temp['counter'] < $dataSize) {
@ -3723,6 +3762,10 @@ class inetOrgPerson extends baseModule implements passwordService {
&& ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) { && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'SASL')) {
$this->attributes['userPassword'][0] = '{SASL}' . $this->attributes['uid'][0]; $this->attributes['userPassword'][0] = '{SASL}' . $this->attributes['uid'][0];
} }
// delay on ldap_exop
elseif (!empty($this->moduleSettings['posixAccount_pwdHash'][0]) && ($this->moduleSettings['posixAccount_pwdHash'][0] === 'LDAP_EXOP')) {
logNewMessage(LOG_DEBUG, 'Setting password in post action, exop');
}
// set normal password // set normal password
else { else {
$this->attributes['userPassword'][0] = pwd_hash($password, true, $this->moduleSettings['posixAccount_pwdHash'][0]); $this->attributes['userPassword'][0] = pwd_hash($password, true, $this->moduleSettings['posixAccount_pwdHash'][0]);