From 06da270e039cf517a6bd847ca0cd4a7819c9f879 Mon Sep 17 00:00:00 2001 From: Axel Angel Date: Sun, 4 May 2014 11:46:35 +0200 Subject: Authldap: implement change password in modifyUser --- lib/plugins/authldap/auth.php | 55 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 53 insertions(+), 2 deletions(-) (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php index 6c3637e15..13ffb8be2 100644 --- a/lib/plugins/authldap/auth.php +++ b/lib/plugins/authldap/auth.php @@ -36,8 +36,8 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { return; } - // auth_ldap currently just handles authentication, so no - // capabilities are set + // Add the capabilities to change the password + $this->cando['modPass'] = true; } /** @@ -263,6 +263,57 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { return $info; } + /** + * Definition of the function modifyUser in order to modify the password + */ + + function modifyUser($user,$changes){ + + // open the connection to the ldap + if(!$this->_openLDAP()){ + msg('LDAP cannot connect: '. htmlspecialchars(ldap_error($this->con))); + return false; + } + + // find the information about the user, in particular the "dn" + $info = $this->getUserData($user,true); + if(empty($info['dn'])) { + msg('LDAP cannot find your user dn: '. htmlspecialchars($info['dn'])); + return false; + } else { + $dn = $info['dn']; + } + + // find the new password and encrypt it whit SSHA + if(empty($changes['pass'])) { + msg('The new password is not allow because it\'s empty'); + return false; + } else { + mt_srand((double)microtime()*1000000); + $salt = pack("CCCC", mt_rand(), mt_rand(), mt_rand(), mt_rand()); + $hash = "{SSHA}" . base64_encode(pack("H*", sha1($changes['pass'] . $salt)) . $salt); + } + + // find the old password of the user + list($loginuser,$loginsticky,$loginpass) = auth_getCookie(); + $secret = auth_cookiesalt(!$sticky, true); //bind non-sticky to session + $pass = auth_decrypt($loginpass, $secret); + + // bind with the ldap + if(!@ldap_bind($this->con,$dn,$pass)){ + msg('LDAP user bind failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__); + return false; + } + + // change the password + if(!@ldap_mod_replace($this->con, $dn,array('userpassword' => $hash))){ + msg('LDAP mod replace failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con))); + return false; + } + + return true; + } + /** * Most values in LDAP are case-insensitive * -- cgit v1.2.3 From 719c6730c7da93e830205e42dc230de831446e8f Mon Sep 17 00:00:00 2001 From: Axel Angel Date: Sun, 4 May 2014 12:26:13 +0200 Subject: Allow authldap to change password with ldap superuser only if necessary --- lib/plugins/authldap/auth.php | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php index 13ffb8be2..5bdaf0446 100644 --- a/lib/plugins/authldap/auth.php +++ b/lib/plugins/authldap/auth.php @@ -296,13 +296,25 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { // find the old password of the user list($loginuser,$loginsticky,$loginpass) = auth_getCookie(); - $secret = auth_cookiesalt(!$sticky, true); //bind non-sticky to session - $pass = auth_decrypt($loginpass, $secret); + if ($loginuser !== null) { // the user is currently logged in + $secret = auth_cookiesalt(!$sticky, true); + $pass = auth_decrypt($loginpass, $secret); - // bind with the ldap - if(!@ldap_bind($this->con,$dn,$pass)){ - msg('LDAP user bind failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__); - return false; + // bind with the ldap + if(!@ldap_bind($this->con, $dn, $pass)){ + msg('LDAP user bind failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__); + return false; + } + } elseif ($this->getConf('binddn') && $this->getConf('bindpw')) { + // we are changing the password on behalf of the user (eg: forgotten password) + // bind with the superuser ldap + if (!@ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'))){ + $this->_debug('LDAP bind as superuser: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__); + return false; + } + } + else { + return false; // no otherway } // change the password -- cgit v1.2.3 From 67723447f02824ff2df7daa0f1f97d8b289c5d7a Mon Sep 17 00:00:00 2001 From: Axel Angel Date: Sun, 4 May 2014 19:54:37 +0200 Subject: Hash and salt password with PassHash::ssha Moved the block closer to the variable use (indent clearer) --- lib/plugins/authldap/auth.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php index 5bdaf0446..ecbbc2a3a 100644 --- a/lib/plugins/authldap/auth.php +++ b/lib/plugins/authldap/auth.php @@ -288,10 +288,6 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { if(empty($changes['pass'])) { msg('The new password is not allow because it\'s empty'); return false; - } else { - mt_srand((double)microtime()*1000000); - $salt = pack("CCCC", mt_rand(), mt_rand(), mt_rand(), mt_rand()); - $hash = "{SSHA}" . base64_encode(pack("H*", sha1($changes['pass'] . $salt)) . $salt); } // find the old password of the user @@ -317,6 +313,10 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { return false; // no otherway } + // Generate the salted hashed password for LDAP + $phash = new PassHash(); + $hash = $phash->hash_ssha($changes['pass']); + // change the password if(!@ldap_mod_replace($this->con, $dn,array('userpassword' => $hash))){ msg('LDAP mod replace failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con))); -- cgit v1.2.3 From 8f2ea93bb09b8744de56a8797176d3a209c2e8d7 Mon Sep 17 00:00:00 2001 From: Axel Angel Date: Thu, 8 May 2014 12:19:39 +0200 Subject: Simplify code and remove unreachable check --- lib/plugins/authldap/auth.php | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php index ecbbc2a3a..bda8f2abe 100644 --- a/lib/plugins/authldap/auth.php +++ b/lib/plugins/authldap/auth.php @@ -278,17 +278,10 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { // find the information about the user, in particular the "dn" $info = $this->getUserData($user,true); if(empty($info['dn'])) { - msg('LDAP cannot find your user dn: '. htmlspecialchars($info['dn'])); - return false; - } else { - $dn = $info['dn']; - } - - // find the new password and encrypt it whit SSHA - if(empty($changes['pass'])) { - msg('The new password is not allow because it\'s empty'); + msg('LDAP cannot find your user dn'); return false; } + $dn = $info['dn']; // find the old password of the user list($loginuser,$loginsticky,$loginpass) = auth_getCookie(); -- cgit v1.2.3 From f88adfe0b3b6ae718cb4a99c6f8363042c7b0b6e Mon Sep 17 00:00:00 2001 From: PzF_X Date: Sun, 18 May 2014 13:56:03 +0200 Subject: translation update --- lib/plugins/authldap/lang/ja/settings.php | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/lang/ja/settings.php b/lib/plugins/authldap/lang/ja/settings.php index 3c0e08f6a..6cff0ea67 100644 --- a/lib/plugins/authldap/lang/ja/settings.php +++ b/lib/plugins/authldap/lang/ja/settings.php @@ -6,6 +6,7 @@ * @author Satoshi Sahara * @author Hideaki SAWADA * @author Hideaki SAWADA + * @author PzF_X */ $lang['server'] = 'LDAPサーバー。ホスト名(localhost)又は完全修飾URL(ldap://server.tld:389)'; $lang['port'] = '上記が完全修飾URLでない場合、LDAPサーバーポート'; @@ -15,8 +16,14 @@ $lang['userfilter'] = 'ユーザーアカウントを探すためのL $lang['groupfilter'] = 'グループを探すLDAP抽出条件。例:(&(objectClass=posixGroup)(|(gidNumber=%{gid})(memberUID=%{user})))'; $lang['version'] = '使用するプロトコルのバージョン。3を設定する必要がある場合があります。'; $lang['starttls'] = 'TLS接続を使用しますか?'; +$lang['referrals'] = '紹介に従いますか?'; +$lang['deref'] = 'どのように間接参照のエイリアスにしますか?'; $lang['binddn'] = '匿名バインドでは不十分な場合、オプションバインドユーザーのDN。例:cn=admin, dc=my, dc=home'; $lang['bindpw'] = '上記ユーザーのパスワード'; +$lang['userscope'] = 'ユーザー検索の範囲を限定させる'; +$lang['groupscope'] = 'グループ検索の範囲を限定させる'; +$lang['groupkey'] = 'ユーザー属性をグループのメンバーシップから設定します(代わりに標準のADグループ)。 +例えば、部署や電話番号などです。'; $lang['debug'] = 'エラーに関して追加のデバッグ情報を表示する。'; $lang['deref_o_0'] = 'LDAP_DEREF_NEVER'; $lang['deref_o_1'] = 'LDAP_DEREF_SEARCHING'; -- cgit v1.2.3 From 18496fe0decfb1382393daca3141bf315cda7254 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Sun, 18 May 2014 20:33:21 +0200 Subject: fixed undefined variable in LDAP plugin --- lib/plugins/authldap/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php index bda8f2abe..0d5e130ea 100644 --- a/lib/plugins/authldap/auth.php +++ b/lib/plugins/authldap/auth.php @@ -286,7 +286,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { // find the old password of the user list($loginuser,$loginsticky,$loginpass) = auth_getCookie(); if ($loginuser !== null) { // the user is currently logged in - $secret = auth_cookiesalt(!$sticky, true); + $secret = auth_cookiesalt(!$loginsticky, true); $pass = auth_decrypt($loginpass, $secret); // bind with the ldap -- cgit v1.2.3