From d397e6da631cb6d262ad14ec7b46b75d1b60fbcf Mon Sep 17 00:00:00 2001
From: Christopher Smith
Date: Wed, 12 Mar 2014 15:25:18 +0000
Subject: Restore correct public interface of getUserData() for authldap plugin
The outer/public getUserData() implemented as a wrapper for the previous fn which is now protected.
---
lib/plugins/authldap/auth.php | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
(limited to 'lib/plugins/authldap/auth.php')
diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php
index 6c3637e15..9d03afd7f 100644
--- a/lib/plugins/authldap/auth.php
+++ b/lib/plugins/authldap/auth.php
@@ -103,7 +103,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
 return true;
 } else {
 // See if we can find the user
- $info = $this->getUserData($user, true);
+ $info = $this->_getUserData($user, true);
 if(empty($info['dn'])) {
 return false;
 } else {
@@ -145,11 +145,19 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
 * @author Stephane Chazelas
 * @author Steffen Schoch
 *
+ * @param string $user
+ * @return array containing user data or false
+ */
+ public function getUserData($user) {
+ return $this->_getUserData($user);
+ }
+
+ /**
 * @param string $user
 * @param bool $inbind authldap specific, true if in bind phase
 * @return array containing user data or false
 */
- public function getUserData($user, $inbind = false) {
+ protected function _getUserData($user, $inbind = false) {
 global $conf;
 if(!$this->_openLDAP()) return false;
-- cgit v1.2.3
From 2046a6546c8ed62b9a7b33305b6201458f2f8291 Mon Sep 17 00:00:00 2001
From: Christopher Smith
Date: Wed, 12 Mar 2014 15:38:28 +0000
Subject: Allow user info to be retrieved without groups
Some parts of dokuwiki (e.g. recent changes, old revisions) can requests lots of user info (to provide editor names) without requiring any group information. This change also implements caching of user info by authmysql & authpgsql plugins to avoid repeated querying of the DB to retrieve the same user information.
---
lib/plugins/authldap/auth.php | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'lib/plugins/authldap/auth.php')
diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php
index 9d03afd7f..eaa2d160a 100644
--- a/lib/plugins/authldap/auth.php
+++ b/lib/plugins/authldap/auth.php
@@ -146,9 +146,10 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
 * @author Steffen Schoch
 *
 * @param string $user
+ * @param bool $requireGroups (optional) - ignored, groups are always supplied by this plugin
 * @return array containing user data or false
 */
- public function getUserData($user) {
+ public function getUserData($user, $requireGroups=true) {
 return $this->_getUserData($user);
 }
-- cgit v1.2.3
From 06da270e039cf517a6bd847ca0cd4a7819c9f879 Mon Sep 17 00:00:00 2001
From: Axel Angel
Date: Sun, 4 May 2014 11:46:35 +0200
Subject: Authldap: implement change password in modifyUser
---
lib/plugins/authldap/auth.php | 55 +++++++++++++++++++++++++++++++++++++++++--
1 file changed, 53 insertions(+), 2 deletions(-)
(limited to 'lib/plugins/authldap/auth.php')
diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php
index 6c3637e15..13ffb8be2 100644
--- a/lib/plugins/authldap/auth.php
+++ b/lib/plugins/authldap/auth.php
@@ -36,8 +36,8 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
 return;
 }
- // auth_ldap currently just handles authentication, so no
- // capabilities are set
+ // Add the capabilities to change the password
+ $this->cando['modPass'] = true;
 }
 /**
@@ -263,6 +263,57 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
 return $info;
 }
+ /**
+ * Definition of the function modifyUser in order to modify the password
+ */
+
+ function modifyUser($user,$changes){
+
+ // open the connection to the ldap
+ if(!$this->_openLDAP()){
+ msg('LDAP cannot connect: '. htmlspecialchars(ldap_error($this->con)));
+ return false;
+ }
+
+ // find the information about the user, in particular the "dn"
+ $info = $this->getUserData($user,true);
+ if(empty($info['dn'])) {
+ msg('LDAP cannot find your user dn: '. htmlspecialchars($info['dn']));
+ return false;
+ } else {
+ $dn = $info['dn'];
+ }
+
+ // find the new password and encrypt it whit SSHA
+ if(empty($changes['pass'])) {
+ msg('The new password is not allow because it\'s empty');
+ return false;
+ } else {
+ mt_srand((double)microtime()*1000000);
+ $salt = pack("CCCC", mt_rand(), mt_rand(), mt_rand(), mt_rand());
+ $hash = "{SSHA}" . base64_encode(pack("H*", sha1($changes['pass'] . $salt)) . $salt);
+ }
+
+ // find the old password of the user
+ list($loginuser,$loginsticky,$loginpass) = auth_getCookie();
+ $secret = auth_cookiesalt(!$sticky, true); //bind non-sticky to session
+ $pass = auth_decrypt($loginpass, $secret);
+
+ // bind with the ldap
+ if(!@ldap_bind($this->con,$dn,$pass)){
+ msg('LDAP user bind failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
+ return false;
+ }
+
+ // change the password
+ if(!@ldap_mod_replace($this->con, $dn,array('userpassword' => $hash))){
+ msg('LDAP mod replace failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)));
+ return false;
+ }
+
+ return true;
+ }
+
 /**
 * Most values in LDAP are case-insensitive
 *
-- cgit v1.2.3
From 719c6730c7da93e830205e42dc230de831446e8f Mon Sep 17 00:00:00 2001
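Review bot: The SSHA salt built in the `else` branch after `empty($changes['pass'])` comes from `mt_rand()` after `mt_srand((double)microtime()*1000000)`; that generator is not cryptographic and its seed is guessable from the request time, so the salt should come from a cryptographic random source rather than be hand-rolled here — the `PassHash` SSHA helper used elsewhere in DokuWiki is the natural replacement for these three lines. `$secret = auth_cookiesalt(!$sticky, true);` reads `$sticky`, which is never assigned in this function; the value returned by `auth_getCookie()` is `$loginsticky`, so the derived secret and the decrypted `$pass` may not match for sticky logins. `$info = $this->getUserData($user,true);` passes `true` as the in-bind flag, but the parallel branch earlier on this page redefines the public `getUserData` second parameter as `$requireGroups`; once the two are merged this call would need to become `$this->_getUserData($user, true)` if the bind-phase lookup is what is intended.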
From: Axel Angel
Date: Sun, 4 May 2014 12:26:13 +0200
Subject: Allow authldap to change password with ldap superuser only if necessary
---
lib/plugins/authldap/auth.php | 24 ++++++++++++++++++------
1 file changed, 18 insertions(+), 6 deletions(-)
(limited to 'lib/plugins/authldap/auth.php')
diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php
index 13ffb8be2..5bdaf0446 100644
--- a/lib/plugins/authldap/auth.php
+++ b/lib/plugins/authldap/auth.php
@@ -296,13 +296,25 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
 // find the old password of the user
 list($loginuser,$loginsticky,$loginpass) = auth_getCookie();
- $secret = auth_cookiesalt(!$sticky, true); //bind non-sticky to session
- $pass = auth_decrypt($loginpass, $secret);
+ if ($loginuser !== null) { // the user is currently logged in
+ $secret = auth_cookiesalt(!$sticky, true);
+ $pass = auth_decrypt($loginpass, $secret);
- // bind with the ldap
- if(!@ldap_bind($this->con,$dn,$pass)){
- msg('LDAP user bind failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
- return false;
+ // bind with the ldap
+ if(!@ldap_bind($this->con, $dn, $pass)){
+ msg('LDAP user bind failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
+ return false;
+ }
+ } elseif ($this->getConf('binddn') && $this->getConf('bindpw')) {
+ // we are changing the password on behalf of the user (eg: forgotten password)
+ // bind with the superuser ldap
+ if (!@ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'))){
+ $this->_debug('LDAP bind as superuser: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__);
+ return false;
+ }
+ }
+ else {
+ return false; // no otherway
 }
 // change the password
-- cgit v1.2.3
From 67723447f02824ff2df7daa0f1f97d8b289c5d7a Mon Sep 17 00:00:00 2001
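Review bot: The logged-in branch binds with `$dn`, the DN of the target `$user`, but with the password decrypted from the cookie of `$loginuser`; the two only line up when `$loginuser === $user`, so a logged-in user acting on another account gets a misleading 'LDAP user bind failed' message rather than a clear rejection. Either check that equality explicitly before the self-service bind, or state in modifyUser's docblock that only a user changing their own password is supported. The `elseif` path rewrites a password with the configured `binddn` credentials whenever no login cookie is present, and nothing in the function verifies that the caller is entitled to do so; a comment such as `// privileged bind: the caller (e.g. the password-reset flow) must already have authorized this change` would make that contract visible to the next reader. The final `else` returns false silently while every other failure path reports via `msg()`, and its `}` / `else {` split across lines differs from the brace style used in the rest of the file. The function's head and tail are outside this hunk.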
From: Axel Angel
Date: Sun, 4 May 2014 19:54:37 +0200
Subject: Hash and salt password with PassHash::ssha
Moved the block closer to the variable use (indent clearer)
---
lib/plugins/authldap/auth.php | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
(limited to 'lib/plugins/authldap/auth.php')
diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php
index 5bdaf0446..ecbbc2a3a 100644
--- a/lib/plugins/authldap/auth.php
+++ b/lib/plugins/authldap/auth.php
@@ -288,10 +288,6 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
 if(empty($changes['pass'])) {
 msg('The new password is not allow because it\'s empty');
 return false;
- } else {
- mt_srand((double)microtime()*1000000);
- $salt = pack("CCCC", mt_rand(), mt_rand(), mt_rand(), mt_rand());
- $hash = "{SSHA}" . base64_encode(pack("H*", sha1($changes['pass'] . $salt)) . $salt);
 }
 // find the old password of the user
@@ -317,6 +313,10 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
 return false; // no otherway
 }
+ // Generate the salted hashed password for LDAP
+ $phash = new PassHash();
+ $hash = $phash->hash_ssha($changes['pass']);
+
 // change the password
 if(!@ldap_mod_replace($this->con, $dn,array('userpassword' => $hash))){
 msg('LDAP mod replace failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)));
-- cgit v1.2.3
From 8f2ea93bb09b8744de56a8797176d3a209c2e8d7 Mon Sep 17 00:00:00 2001
From: Axel Angel
Date: Thu, 8 May 2014 12:19:39 +0200
Subject: Simplify code and remove unreachable check
---
lib/plugins/authldap/auth.php | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
(limited to 'lib/plugins/authldap/auth.php')
diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php
index ecbbc2a3a..bda8f2abe 100644
--- a/lib/plugins/authldap/auth.php
+++ b/lib/plugins/authldap/auth.php
@@ -278,17 +278,10 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
 // find the information about the user, in particular the "dn"
 $info = $this->getUserData($user,true);
 if(empty($info['dn'])) {
- msg('LDAP cannot find your user dn: '. htmlspecialchars($info['dn']));
- return false;
- } else {
- $dn = $info['dn'];
- }
-
- // find the new password and encrypt it whit SSHA
- if(empty($changes['pass'])) {
- msg('The new password is not allow because it\'s empty');
+ msg('LDAP cannot find your user dn');
 return false;
 }
+ $dn = $info['dn'];
 // find the old password of the user
 list($loginuser,$loginsticky,$loginpass) = auth_getCookie();
-- cgit v1.2.3
From 18496fe0decfb1382393daca3141bf315cda7254 Mon Sep 17 00:00:00 2001
From: Andreas Gohr
Date: Sun, 18 May 2014 20:33:21 +0200
Subject: fixed undefined variable in LDAP plugin
---
lib/plugins/authldap/auth.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'lib/plugins/authldap/auth.php')
diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php
index bda8f2abe..0d5e130ea 100644
--- a/lib/plugins/authldap/auth.php
+++ b/lib/plugins/authldap/auth.php
@@ -286,7 +286,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin {
 // find the old password of the user
 list($loginuser,$loginsticky,$loginpass) = auth_getCookie();
 if ($loginuser !== null) { // the user is currently logged in
- $secret = auth_cookiesalt(!$sticky, true);
+ $secret = auth_cookiesalt(!$loginsticky, true);
 $pass = auth_decrypt($loginpass, $secret);
 // bind with the ldap
-- cgit v1.2.3
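Review bot: Dropping the `empty($changes['pass'])` guard in the first hunk leaves `modifyUser`, a public method of the auth plugin, with no check on the new password before it is hashed and written: a caller that passes `$changes` without a `pass` key, or with an empty string, now proceeds to the `hash_ssha($changes['pass'])` call further down and would store a hash of the empty string as the user's LDAP password (with an undefined-index notice in the first case). The check is only "unreachable" for DokuWiki's own profile-update path; other callers of the plugin API are not bound by that validation, so a cheap guard is worth keeping as defense in depth, e.g. `if(empty($changes['pass'])) return false;` right after `$dn = $info['dn'];`. The rest of modifyUser, including the hashing and the bind, lies outside this hunk.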