Merge branch 'master' into stable

* master: (214 commits) release preparations postgresql auth plugin: correct function name parse AT parameter: first strtotime then timestamp remove config option move more strings to lang.php move strings to lang.php add placeholders for create page text phpdocs parserutils improve some scrutinizer issues visibility plugin methods use config cascade for loading of localizations reformatting config cascade add lang files to cascading work around missing gzopen on certain systems #865 translation update fix scrutinizer issues fixed typos in docblock comments do not allow empty passwords clean user credentials from control chars added filter method to INPUT class translation update ...
author: Andreas Gohr <andi@splitbrain.org> 2014-09-29 20:17:39 +0200
committer: Andreas Gohr <andi@splitbrain.org> 2014-09-29 20:17:39 +0200
commit: 6c1ae996157551dcf5bb4e7e8922677bb3d3d358 (patch)
tree: b3a4162367176a4e2ebadbd6ab31753c1b042be0 /lib/plugins/authldap/auth.php
parent: 35f3340eb3b989194a496861abfb5b3d3c9a630d (diff)
parent: 57271d078b9c433bec79d75cb44dadcafeae07df (diff)
download: rpg-6c1ae996157551dcf5bb4e7e8922677bb3d3d358.tar.gz
rpg-6c1ae996157551dcf5bb4e7e8922677bb3d3d358.tar.bz2
1 files changed, 69 insertions, 4 deletions
diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php
index 6c3637e15..b22b82ecc 100644
--- a/lib/plugins/authldap/auth.php
+++ b/lib/plugins/authldap/auth.php
@@ -36,8 +36,8 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
             return;
         }
 
-        // auth_ldap currently just handles authentication, so no
-        // capabilities are set
+        // Add the capabilities to change the password
+        $this->cando['modPass'] = true;
     }
 
     /**
@@ -103,7 +103,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
             return true;
         } else {
             // See if we can find the user
-            $info = $this->getUserData($user, true);
+            $info = $this->_getUserData($user, true);
             if(empty($info['dn'])) {
                 return false;
             } else {
@@ -146,10 +146,19 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
      * @author  Steffen Schoch <schoch@dsb.net>
      *
      * @param   string $user
+     * @param   bool   $requireGroups (optional) - ignored, groups are always supplied by this plugin
+     * @return  array containing user data or false
+     */
+    public function getUserData($user, $requireGroups=true) {
+        return $this->_getUserData($user);
+    }
+
+    /**
+     * @param   string $user
      * @param   bool   $inbind authldap specific, true if in bind phase
      * @return  array containing user data or false
      */
-    public function getUserData($user, $inbind = false) {
+    protected function _getUserData($user, $inbind = false) {
         global $conf;
         if(!$this->_openLDAP()) return false;
 
@@ -264,6 +273,62 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
     }
 
     /**
+     * Definition of the function modifyUser in order to modify the password
+     */
+
+    function modifyUser($user,$changes){
+
+        // open the connection to the ldap
+        if(!$this->_openLDAP()){
+            msg('LDAP cannot connect: '. htmlspecialchars(ldap_error($this->con)));
+            return false;
+        }
+
+        // find the information about the user, in particular the "dn"
+        $info = $this->getUserData($user,true);
+        if(empty($info['dn'])) {
+            msg('LDAP cannot find your user dn');
+            return false;
+        }
+        $dn = $info['dn'];
+
+        // find the old password of the user
+        list($loginuser,$loginsticky,$loginpass) = auth_getCookie();
+        if ($loginuser !== null) { // the user is currently logged in
+            $secret = auth_cookiesalt(!$loginsticky, true);
+            $pass   = auth_decrypt($loginpass, $secret);
+
+            // bind with the ldap
+            if(!@ldap_bind($this->con, $dn, $pass)){
+                msg('LDAP user bind failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
+                return false;
+            }
+        } elseif ($this->getConf('binddn') && $this->getConf('bindpw')) {
+            // we are changing the password on behalf of the user (eg: forgotten password)
+            // bind with the superuser ldap
+            if (!@ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'))){
+                $this->_debug('LDAP bind as superuser: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
+                return false;
+            }
+        }
+        else {
+            return false; // no otherway
+        }
+
+        // Generate the salted hashed password for LDAP
+        $phash = new PassHash();
+        $hash = $phash->hash_ssha($changes['pass']);
+
+        // change the password
+        if(!@ldap_mod_replace($this->con, $dn,array('userpassword' => $hash))){
+            msg('LDAP mod replace failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)));
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
      * Most values in LDAP are case-insensitive
      *
      * @return bool
author	Andreas Gohr <andi@splitbrain.org>	2014-09-29 20:17:39 +0200
committer	Andreas Gohr <andi@splitbrain.org>	2014-09-29 20:17:39 +0200
commit	6c1ae996157551dcf5bb4e7e8922677bb3d3d358 (patch)
tree	b3a4162367176a4e2ebadbd6ab31753c1b042be0 /lib/plugins/authldap/auth.php
parent	35f3340eb3b989194a496861abfb5b3d3c9a630d (diff)
parent	57271d078b9c433bec79d75cb44dadcafeae07df (diff)
download	rpg-6c1ae996157551dcf5bb4e7e8922677bb3d3d358.tar.gz rpg-6c1ae996157551dcf5bb4e7e8922677bb3d3d358.tar.bz2