diff options
| author | Andreas Gohr <andi@splitbrain.org> | 2014-05-18 20:19:38 +0200 |
|---|---|---|
| committer | Andreas Gohr <andi@splitbrain.org> | 2014-05-18 20:19:38 +0200 |
| commit | 38111df8da7d432ba9a723946149cd982d4c1944 (patch) | |
| tree | ebfab72f0b53f46a41b508f452ce04f64d4f2cca | |
| parent | 60bf39dd81584414d4cb6f8cf568330d1a843a93 (diff) | |
| parent | 8f2ea93bb09b8744de56a8797176d3a209c2e8d7 (diff) | |
| download | rpg-38111df8da7d432ba9a723946149cd982d4c1944.tar.gz rpg-38111df8da7d432ba9a723946149cd982d4c1944.tar.bz2 | |
Merge pull request #674 from axel-angel/authldap_modify-pass
Authldap: implement change password in modifyUser
| -rw-r--r-- | lib/plugins/authldap/auth.php | 60 |
1 files changed, 58 insertions, 2 deletions
diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php index 6c3637e15..bda8f2abe 100644 --- a/lib/plugins/authldap/auth.php +++ b/lib/plugins/authldap/auth.php @@ -36,8 +36,8 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { return; } - // auth_ldap currently just handles authentication, so no - // capabilities are set + // Add the capabilities to change the password + $this->cando['modPass'] = true; } /** @@ -264,6 +264,62 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { } /** + * Definition of the function modifyUser in order to modify the password + */ + + function modifyUser($user,$changes){ + + // open the connection to the ldap + if(!$this->_openLDAP()){ + msg('LDAP cannot connect: '. htmlspecialchars(ldap_error($this->con))); + return false; + } + + // find the information about the user, in particular the "dn" + $info = $this->getUserData($user,true); + if(empty($info['dn'])) { + msg('LDAP cannot find your user dn'); + return false; + } + $dn = $info['dn']; + + // find the old password of the user + list($loginuser,$loginsticky,$loginpass) = auth_getCookie(); + if ($loginuser !== null) { // the user is currently logged in + $secret = auth_cookiesalt(!$sticky, true); + $pass = auth_decrypt($loginpass, $secret); + + // bind with the ldap + if(!@ldap_bind($this->con, $dn, $pass)){ + msg('LDAP user bind failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__); + return false; + } + } elseif ($this->getConf('binddn') && $this->getConf('bindpw')) { + // we are changing the password on behalf of the user (eg: forgotten password) + // bind with the superuser ldap + if (!@ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'))){ + $this->_debug('LDAP bind as superuser: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__); + return false; + } + } + else { + return false; // no otherway + } + + // Generate the salted hashed password for LDAP + $phash = new PassHash(); + $hash = $phash->hash_ssha($changes['pass']); + + // change the password + if(!@ldap_mod_replace($this->con, $dn,array('userpassword' => $hash))){ + msg('LDAP mod replace failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con))); + return false; + } + + return true; + } + + /** * Most values in LDAP are case-insensitive * * @return bool |