1 files changed, 58 insertions, 2 deletions

diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php
index 6c3637e15..0d5e130ea 100644
--- a/lib/plugins/authldap/auth.php
+++ b/lib/plugins/authldap/auth.php
@@ -36,8 +36,8 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
             return;
         }
 
-        // auth_ldap currently just handles authentication, so no
-        // capabilities are set
+        // Add the capabilities to change the password
+        $this->cando['modPass'] = true;
     }
 
     /**
@@ -264,6 +264,62 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
     }
 
     /**
+     * Definition of the function modifyUser in order to modify the password
+     */
+
+    function modifyUser($user,$changes){
+
+        // open the connection to the ldap
+        if(!$this->_openLDAP()){
+            msg('LDAP cannot connect: '. htmlspecialchars(ldap_error($this->con)));
+            return false;
+        }
+
+        // find the information about the user, in particular the "dn"
+        $info = $this->getUserData($user,true);
+        if(empty($info['dn'])) {
+            msg('LDAP cannot find your user dn');
+            return false;
+        }
+        $dn = $info['dn'];
+
+        // find the old password of the user
+        list($loginuser,$loginsticky,$loginpass) = auth_getCookie();
+        if ($loginuser !== null) { // the user is currently logged in
+            $secret = auth_cookiesalt(!$loginsticky, true);
+            $pass   = auth_decrypt($loginpass, $secret);
+
+            // bind with the ldap
+            if(!@ldap_bind($this->con, $dn, $pass)){
+                msg('LDAP user bind failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
+                return false;
+            }
+        } elseif ($this->getConf('binddn') && $this->getConf('bindpw')) {
+            // we are changing the password on behalf of the user (eg: forgotten password)
+            // bind with the superuser ldap
+            if (!@ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'))){
+                $this->_debug('LDAP bind as superuser: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
+                return false;
+            }
+        }
+        else {
+            return false; // no otherway
+        }
+
+        // Generate the salted hashed password for LDAP
+        $phash = new PassHash();
+        $hash = $phash->hash_ssha($changes['pass']);
+
+        // change the password
+        if(!@ldap_mod_replace($this->con, $dn,array('userpassword' => $hash))){
+            msg('LDAP mod replace failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)));
+            return false;
+        }
+
+        return true;
+    }
+
+    /**
      * Most values in LDAP are case-insensitive
      *
      * @return bool