Diffstat (limited to 'lib/plugins/authldap/auth.php')
-rw-r--r-- | lib/plugins/authldap/auth.php | 79 |
1 files changed, 72 insertions, 7 deletions
diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php index 31e2c5135..0d5e130ea 100644 --- a/lib/plugins/authldap/auth.php +++ b/lib/plugins/authldap/auth.php @@ -36,8 +36,8 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { return; } - // auth_ldap currently just handles authentication, so no - // capabilities are set + // Add the capabilities to change the password + $this->cando['modPass'] = true; } /** @@ -143,6 +143,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { * @author Dan Allen <dan.j.allen@gmail.com> * @author <evaldas.auryla@pheur.org> * @author Stephane Chazelas <stephane.chazelas@emerson.com> + * @author Steffen Schoch <schoch@dsb.net> * * @param string $user * @param bool $inbind authldap specific, true if in bind phase @@ -240,9 +241,17 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { ldap_free_result($sr); if(is_array($result)) foreach($result as $grp) { - if(!empty($grp[$this->getConf('groupkey')][0])) { - $this->_debug('LDAP usergroup: '.htmlspecialchars($grp[$this->getConf('groupkey')][0]), 0, __LINE__, __FILE__); - $info['grps'][] = $grp[$this->getConf('groupkey')][0]; + if(!empty($grp[$this->getConf('groupkey')])) { + $group = $grp[$this->getConf('groupkey')]; + if(is_array($group)){ + $group = $group[0]; + } else { + $this->_debug('groupkey did not return a detailled result', 0, __LINE__, __FILE__); + } + if($group === '') continue; + + $this->_debug('LDAP usergroup: '.htmlspecialchars($group), 0, __LINE__, __FILE__); + $info['grps'][] = $group; } } } 
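Review bot: In the rewritten group loop, when `$grp[$this->getConf('groupkey')]` is an array the code takes `$group[0]` without checking that index exists; if an attribute array ever arrives without a `[0]` element (worth confirming against the ldap_get_entries() result shape), `$group` becomes null, `null === ''` is false, and a null entry is appended to `$info['grps']`. A stricter form is `$group = isset($group[0]) ? (string) $group[0] : '';`, which lets the existing `if($group === '') continue;` cover that case as well. The `_debug()` text `'groupkey did not return a detailled result'` misspells "detailed". The enclosing method continues outside this hunk.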
@@ -255,6 +264,62 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { } /** + * Definition of the function modifyUser in order to modify the password + */ + + function modifyUser($user,$changes){ + + // open the connection to the ldap + if(!$this->_openLDAP()){ + msg('LDAP cannot connect: '. htmlspecialchars(ldap_error($this->con))); + return false; + } + + // find the information about the user, in particular the "dn" + $info = $this->getUserData($user,true); + if(empty($info['dn'])) { + msg('LDAP cannot find your user dn'); + return false; + } + $dn = $info['dn']; + + // find the old password of the user + list($loginuser,$loginsticky,$loginpass) = auth_getCookie(); + if ($loginuser !== null) { // the user is currently logged in + $secret = auth_cookiesalt(!$loginsticky, true); + $pass = auth_decrypt($loginpass, $secret); + + // bind with the ldap + if(!@ldap_bind($this->con, $dn, $pass)){ + msg('LDAP user bind failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__); + return false; + } + } elseif ($this->getConf('binddn') && $this->getConf('bindpw')) { + // we are changing the password on behalf of the user (eg: forgotten password) + // bind with the superuser ldap + if (!@ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'))){ + $this->_debug('LDAP bind as superuser: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__); + return false; + } + } + else { + return false; // no otherway + } + + // Generate the salted hashed password for LDAP + $phash = new PassHash(); + $hash = $phash->hash_ssha($changes['pass']); + + // change the password + if(!@ldap_mod_replace($this->con, $dn,array('userpassword' => $hash))){ + msg('LDAP mod replace failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con))); + return false; + } + + return true; + } + + /** * Most values in LDAP are case-insensitive * * @return bool 
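Review bot: `$changes['pass']` is read unconditionally at `$hash = $phash->hash_ssha($changes['pass']);`, so a call that carries no `pass` key (or an empty one) still binds, replaces `userpassword` with the hash of an empty string and returns true; add an early `if(!isset($changes['pass']) || $changes['pass'] === '') return false;` before the connection is opened. The docblock above the function only restates its name — it should document that only the `pass` field is honoured, the two bind strategies (the logged-in user's own credentials recovered from the auth cookie, otherwise the configured `binddn`/`bindpw`), the `@param string $user`, `@param array $changes` and `@return bool`, and the blank line between `*/` and `function modifyUser` should go so the comment stays attached to the method. The scheme written to the directory is fixed to SSHA by `hash_ssha()`; note in the docblock that this presumes the server accepts a pre-hashed `userPassword` in that form. The rest of the class lies outside this hunk.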
@@ -272,7 +337,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { * @param array $filter array of field/pattern pairs, null for no filter * @return array of userinfo (refer getUserData for internal userinfo details) */ - function retrieveUsers($start = 0, $limit = -1, $filter = array()) { + function retrieveUsers($start = 0, $limit = 0, $filter = array()) { if(!$this->_openLDAP()) return false; if(is_null($this->users)) { @@ -307,7 +372,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { } if($this->_filter($user, $info)) { $result[$user] = $info; - if(($limit >= 0) && (++$count >= $limit)) break; + if(($limit > 0) && (++$count >= $limit)) break; } } return $result; |
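Review bot: The meaning of `$limit` changes at `if(($limit > 0) && (++$count >= $limit)) break;` — 0 now means unlimited, whereas with the previous `>= 0` test a limit of 0 stopped after the first match — but the `@param int $limit` line of the retrieveUsers docblock sits above the first hunk and is not touched; it should state that 0 means no limit, matching the new default in the signature hunk. Callers that still pass -1 keep receiving all users, so the change appears compatible for them; only callers passing 0 deliberately are affected (inferred from the two hunks). The rest of retrieveUsers lies outside both hunks.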