summaryrefslogtreecommitdiff
path: root/lib/plugins/authldap/auth.php
diff options
context:
space:
mode:
Diffstat (limited to 'lib/plugins/authldap/auth.php')
-rw-r--r--lib/plugins/authldap/auth.php113
1 files changed, 93 insertions, 20 deletions
diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php
index 31e2c5135..50735882f 100644
--- a/lib/plugins/authldap/auth.php
+++ b/lib/plugins/authldap/auth.php
@@ -36,8 +36,8 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
return;
}
- // auth_ldap currently just handles authentication, so no
- // capabilities are set
+ // Add the capabilities to change the password
+ $this->cando['modPass'] = true;
}
/**
@@ -103,7 +103,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
return true;
} else {
// See if we can find the user
- $info = $this->getUserData($user, true);
+ $info = $this->_getUserData($user, true);
if(empty($info['dn'])) {
return false;
} else {
@@ -143,12 +143,22 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
* @author Dan Allen <dan.j.allen@gmail.com>
* @author <evaldas.auryla@pheur.org>
* @author Stephane Chazelas <stephane.chazelas@emerson.com>
+ * @author Steffen Schoch <schoch@dsb.net>
*
* @param string $user
+ * @param bool $requireGroups (optional) - ignored, groups are always supplied by this plugin
+ * @return array containing user data or false
+ */
+ public function getUserData($user, $requireGroups=true) {
+ return $this->_getUserData($user);
+ }
+
+ /**
+ * @param string $user
* @param bool $inbind authldap specific, true if in bind phase
* @return array containing user data or false
*/
- public function getUserData($user, $inbind = false) {
+ protected function _getUserData($user, $inbind = false) {
global $conf;
if(!$this->_openLDAP()) return false;
@@ -171,6 +181,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
}
}
+ $info = array();
$info['user'] = $user;
$info['server'] = $this->getConf('server');
@@ -240,9 +251,17 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
ldap_free_result($sr);
if(is_array($result)) foreach($result as $grp) {
- if(!empty($grp[$this->getConf('groupkey')][0])) {
- $this->_debug('LDAP usergroup: '.htmlspecialchars($grp[$this->getConf('groupkey')][0]), 0, __LINE__, __FILE__);
- $info['grps'][] = $grp[$this->getConf('groupkey')][0];
+ if(!empty($grp[$this->getConf('groupkey')])) {
+ $group = $grp[$this->getConf('groupkey')];
+ if(is_array($group)){
+ $group = $group[0];
+ } else {
+ $this->_debug('groupkey did not return a detailled result', 0, __LINE__, __FILE__);
+ }
+ if($group === '') continue;
+
+ $this->_debug('LDAP usergroup: '.htmlspecialchars($group), 0, __LINE__, __FILE__);
+ $info['grps'][] = $group;
}
}
}
@@ -255,6 +274,62 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
}
/**
+ * Definition of the function modifyUser in order to modify the password
+ */
+
+ function modifyUser($user,$changes){
+
+ // open the connection to the ldap
+ if(!$this->_openLDAP()){
+ msg('LDAP cannot connect: '. htmlspecialchars(ldap_error($this->con)));
+ return false;
+ }
+
+ // find the information about the user, in particular the "dn"
+ $info = $this->getUserData($user,true);
+ if(empty($info['dn'])) {
+ msg('LDAP cannot find your user dn');
+ return false;
+ }
+ $dn = $info['dn'];
+
+ // find the old password of the user
+ list($loginuser,$loginsticky,$loginpass) = auth_getCookie();
+ if ($loginuser !== null) { // the user is currently logged in
+ $secret = auth_cookiesalt(!$loginsticky, true);
+ $pass = auth_decrypt($loginpass, $secret);
+
+ // bind with the ldap
+ if(!@ldap_bind($this->con, $dn, $pass)){
+ msg('LDAP user bind failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
+ return false;
+ }
+ } elseif ($this->getConf('binddn') && $this->getConf('bindpw')) {
+ // we are changing the password on behalf of the user (eg: forgotten password)
+ // bind with the superuser ldap
+ if (!@ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'))){
+ $this->_debug('LDAP bind as superuser: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
+ return false;
+ }
+ }
+ else {
+ return false; // no otherway
+ }
+
+ // Generate the salted hashed password for LDAP
+ $phash = new PassHash();
+ $hash = $phash->hash_ssha($changes['pass']);
+
+ // change the password
+ if(!@ldap_mod_replace($this->con, $dn,array('userpassword' => $hash))){
+ msg('LDAP mod replace failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)));
+ return false;
+ }
+
+ return true;
+ }
+
+ /**
* Most values in LDAP are case-insensitive
*
* @return bool
@@ -272,7 +347,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
* @param array $filter array of field/pattern pairs, null for no filter
* @return array of userinfo (refer getUserData for internal userinfo details)
*/
- function retrieveUsers($start = 0, $limit = -1, $filter = array()) {
+ function retrieveUsers($start = 0, $limit = 0, $filter = array()) {
if(!$this->_openLDAP()) return false;
if(is_null($this->users)) {
@@ -307,7 +382,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
}
if($this->_filter($user, $info)) {
$result[$user] = $info;
- if(($limit >= 0) && (++$count >= $limit)) break;
+ if(($limit > 0) && (++$count >= $limit)) break;
}
}
return $result;
@@ -441,13 +516,13 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
}
}
// needs version 3
- if($this->getConf('referrals')) {
+ if($this->getConf('referrals') > -1) {
if(!@ldap_set_option(
$this->con, LDAP_OPT_REFERRALS,
$this->getConf('referrals')
)
) {
- msg('Setting LDAP referrals to off failed', -1);
+ msg('Setting LDAP referrals failed', -1);
$this->_debug('LDAP referal set: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
}
}
@@ -490,15 +565,13 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
* Wraps around ldap_search, ldap_list or ldap_read depending on $scope
*
* @author Andreas Gohr <andi@splitbrain.org>
- * @param resource $link_identifier
- * @param string $base_dn
- * @param string $filter
- * @param string $scope can be 'base', 'one' or 'sub'
- * @param null $attributes
- * @param int $attrsonly
- * @param int $sizelimit
- * @param int $timelimit
- * @param int $deref
+ * @param resource $link_identifier
+ * @param string $base_dn
+ * @param string $filter
+ * @param string $scope can be 'base', 'one' or 'sub'
+ * @param null|array $attributes
+ * @param int $attrsonly
+ * @param int $sizelimit
* @return resource
*/
protected function _ldapsearch($link_identifier, $base_dn, $filter, $scope = 'sub', $attributes = null,
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-16 20:47:54 +0000