From d397e6da631cb6d262ad14ec7b46b75d1b60fbcf Mon Sep 17 00:00:00 2001 From: Christopher Smith Date: Wed, 12 Mar 2014 15:25:18 +0000 Subject: Restore correct public interface of getUserData() for authldap plugin The outer/public getUserData() implemented as a wrapper for the previous fn which is now protected. --- lib/plugins/authldap/auth.php | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php index 6c3637e15..9d03afd7f 100644 --- a/lib/plugins/authldap/auth.php +++ b/lib/plugins/authldap/auth.php @@ -103,7 +103,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { return true; } else { // See if we can find the user - $info = $this->getUserData($user, true); + $info = $this->_getUserData($user, true); if(empty($info['dn'])) { return false; } else { @@ -145,11 +145,19 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { * @author Stephane Chazelas * @author Steffen Schoch * + * @param string $user + * @return array containing user data or false + */ + public function getUserData($user) { + return $this->_getUserData($user); + } + + /** * @param string $user * @param bool $inbind authldap specific, true if in bind phase * @return array containing user data or false */ - public function getUserData($user, $inbind = false) { + protected function _getUserData($user, $inbind = false) { global $conf; if(!$this->_openLDAP()) return false; -- cgit v1.2.3 From 2046a6546c8ed62b9a7b33305b6201458f2f8291 Mon Sep 17 00:00:00 2001 
From: Christopher Smith Date: Wed, 12 Mar 2014 15:38:28 +0000 Subject: Allow user info to be retrieved without groups Some parts of dokuwiki (e.g. recent changes, old revisions) can requests lots of user info (to provide editor names) without requiring any group information. This change also implements caching of user info by authmysql & authpgsql plugins to avoid repeated querying of the DB to retrieve the same user information. --- lib/plugins/authldap/auth.php | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php index 9d03afd7f..eaa2d160a 100644 --- a/lib/plugins/authldap/auth.php +++ b/lib/plugins/authldap/auth.php @@ -146,9 +146,10 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { * @author Steffen Schoch * * @param string $user + * @param bool $requireGroups (optional) - ignored, groups are always supplied by this plugin * @return array containing user data or false */ - public function getUserData($user) { + public function getUserData($user, $requireGroups=true) { return $this->_getUserData($user); } -- cgit v1.2.3 From 06da270e039cf517a6bd847ca0cd4a7819c9f879 Mon Sep 17 00:00:00 2001 From: Axel Angel Date: Sun, 4 May 2014 11:46:35 +0200 Subject: Authldap: implement change password in modifyUser --- lib/plugins/authldap/auth.php | 55 +++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 53 insertions(+), 2 deletions(-) (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php index 6c3637e15..13ffb8be2 100644 --- a/lib/plugins/authldap/auth.php +++ b/lib/plugins/authldap/auth.php @@ -36,8 +36,8 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { return; } - // auth_ldap currently just handles authentication, so no - // capabilities are set + // Add the capabilities to change the password + $this->cando['modPass'] = true; } /** 
@@ -263,6 +263,57 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { return $info; } + /** + * Definition of the function modifyUser in order to modify the password + */ + + function modifyUser($user,$changes){ + + // open the connection to the ldap + if(!$this->_openLDAP()){ + msg('LDAP cannot connect: '. htmlspecialchars(ldap_error($this->con))); + return false; + } + + // find the information about the user, in particular the "dn" + $info = $this->getUserData($user,true); + if(empty($info['dn'])) { + msg('LDAP cannot find your user dn: '. htmlspecialchars($info['dn'])); + return false; + } else { + $dn = $info['dn']; + } + + // find the new password and encrypt it whit SSHA + if(empty($changes['pass'])) { + msg('The new password is not allow because it\'s empty'); + return false; + } else { + mt_srand((double)microtime()*1000000); + $salt = pack("CCCC", mt_rand(), mt_rand(), mt_rand(), mt_rand()); + $hash = "{SSHA}" . base64_encode(pack("H*", sha1($changes['pass'] . $salt)) . $salt); + } + + // find the old password of the user + list($loginuser,$loginsticky,$loginpass) = auth_getCookie(); + $secret = auth_cookiesalt(!$sticky, true); //bind non-sticky to session + $pass = auth_decrypt($loginpass, $secret); + + // bind with the ldap + if(!@ldap_bind($this->con,$dn,$pass)){ + msg('LDAP user bind failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__); + return false; + } + + // change the password + if(!@ldap_mod_replace($this->con, $dn,array('userpassword' => $hash))){ + msg('LDAP mod replace failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con))); + return false; + } + + return true; + } + /** * Most values in LDAP are case-insensitive * -- cgit v1.2.3 From 719c6730c7da93e830205e42dc230de831446e8f Mon Sep 17 00:00:00 2001 
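Review bot: `function modifyUser($user,$changes){` declares no visibility and is separated from its docblock by a blank line, so the docblock does not attach to the method and says nothing about the contract; change it to `public function modifyUser($user, $changes) {` and give the docblock `@param string $user`, `@param array $changes` (noting that only the `pass` key is acted on, any other key is silently ignored since only `modPass` is advertised) and `@return bool`. The two `msg()` calls for the failed bind and the failed `ldap_mod_replace()` report `ldap_error()` output at level `0`/default, which renders as an info message; an error level such as `-1` would make the failure stand out to the user. modifyUser() is fully inside this hunk; the surrounding class continues outside it.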
From: Axel Angel Date: Sun, 4 May 2014 12:26:13 +0200 Subject: Allow authldap to change password with ldap superuser only if necessary --- lib/plugins/authldap/auth.php | 24 ++++++++++++++++++------ 1 file changed, 18 insertions(+), 6 deletions(-) (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php index 13ffb8be2..5bdaf0446 100644 --- a/lib/plugins/authldap/auth.php +++ b/lib/plugins/authldap/auth.php @@ -296,13 +296,25 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { // find the old password of the user list($loginuser,$loginsticky,$loginpass) = auth_getCookie(); - $secret = auth_cookiesalt(!$sticky, true); //bind non-sticky to session - $pass = auth_decrypt($loginpass, $secret); + if ($loginuser !== null) { // the user is currently logged in + $secret = auth_cookiesalt(!$sticky, true); + $pass = auth_decrypt($loginpass, $secret); - // bind with the ldap - if(!@ldap_bind($this->con,$dn,$pass)){ - msg('LDAP user bind failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__); - return false; + // bind with the ldap + if(!@ldap_bind($this->con, $dn, $pass)){ + msg('LDAP user bind failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__); + return false; + } + } elseif ($this->getConf('binddn') && $this->getConf('bindpw')) { + // we are changing the password on behalf of the user (eg: forgotten password) + // bind with the superuser ldap + if (!@ldap_bind($this->con, $this->getConf('binddn'), $this->getConf('bindpw'))){ + $this->_debug('LDAP bind as superuser: '.htmlspecialchars(ldap_error($this->con)), 0, __LINE__, __FILE__); + return false; + } + } + else { + return false; // no otherway } // change the password -- cgit v1.2.3 From 67723447f02824ff2df7daa0f1f97d8b289c5d7a Mon Sep 17 00:00:00 2001 
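Review bot: The `if ($loginuser !== null)` branch binds as `$dn`, the DN resolved for `$user`, using the password decrypted from the caller's login cookie, which only works when the logged-in account is the one being changed; an admin who is logged in and changes another user's password fails this bind and returns false instead of reaching the `binddn` fallback. Guarding the branch with `if ($loginuser !== null && $loginuser === $user)` would let that case fall through to the configured bind DN, relying on the caller (the user manager) to have authorised the change — worth stating in a comment at the `elseif`. The trailing `else { return false; // no otherway }` gives no feedback and the failed superuser bind is reported only through `_debug()`, unlike the `msg()` used for the user bind; a `msg('LDAP password change failed: no credentials to bind with', -1);` before that return would make both failures visible. The same branch recurs in the hunk of 18496fe (`@@ -286,7 +286,7 @@`), which only renames `$sticky`. The enclosing modifyUser() begins and ends outside this hunk.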
From: Axel Angel Date: Sun, 4 May 2014 19:54:37 +0200 Subject: Hash and salt password with PassHash::ssha Moved the block closer to the variable use (indent clearer) --- lib/plugins/authldap/auth.php | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php index 5bdaf0446..ecbbc2a3a 100644 --- a/lib/plugins/authldap/auth.php +++ b/lib/plugins/authldap/auth.php @@ -288,10 +288,6 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { if(empty($changes['pass'])) { msg('The new password is not allow because it\'s empty'); return false; - } else { - mt_srand((double)microtime()*1000000); - $salt = pack("CCCC", mt_rand(), mt_rand(), mt_rand(), mt_rand()); - $hash = "{SSHA}" . base64_encode(pack("H*", sha1($changes['pass'] . $salt)) . $salt); } // find the old password of the user @@ -317,6 +313,10 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { return false; // no otherway } + // Generate the salted hashed password for LDAP + $phash = new PassHash(); + $hash = $phash->hash_ssha($changes['pass']); + // change the password if(!@ldap_mod_replace($this->con, $dn,array('userpassword' => $hash))){ msg('LDAP mod replace failed: '. htmlspecialchars($dn) .': '.htmlspecialchars(ldap_error($this->con))); -- cgit v1.2.3 From 8f2ea93bb09b8744de56a8797176d3a209c2e8d7 Mon Sep 17 00:00:00 2001 From: Axel Angel Date: Thu, 8 May 2014 12:19:39 +0200 Subject: Simplify code and remove unreachable check --- lib/plugins/authldap/auth.php | 11 ++--------- 1 file changed, 2 insertions(+), 9 deletions(-) (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php index ecbbc2a3a..bda8f2abe 100644 --- a/lib/plugins/authldap/auth.php +++ b/lib/plugins/authldap/auth.php 
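Review bot: `$hash = $phash->hash_ssha($changes['pass']);` fixes the stored scheme to `{SSHA}`, and the `ldap_mod_replace()` below it writes to the `userpassword` attribute, so the plugin assumes a directory that accepts client-side hashed values in that attribute; a server that hashes passwords itself or uses a different password attribute may reject the write or store the value unusably. A comment above the two new lines, e.g. `// writes a client-side {SSHA} hash to userPassword; the directory must accept pre-hashed values there`, would record the assumption, and making the scheme configurable could follow later. PassHash and hash_ssha() are defined outside this file. The enclosing modifyUser() starts and ends outside this hunk.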
@@ -278,17 +278,10 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { // find the information about the user, in particular the "dn" $info = $this->getUserData($user,true); if(empty($info['dn'])) { - msg('LDAP cannot find your user dn: '. htmlspecialchars($info['dn'])); - return false; - } else { - $dn = $info['dn']; - } - - // find the new password and encrypt it whit SSHA - if(empty($changes['pass'])) { - msg('The new password is not allow because it\'s empty'); + msg('LDAP cannot find your user dn'); return false; } + $dn = $info['dn']; // find the old password of the user list($loginuser,$loginsticky,$loginpass) = auth_getCookie(); -- cgit v1.2.3 From 93691af57f65173963a122e19915917814a32b71 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?ilker=20rifat=20kapa=C3=A7?= Date: Tue, 13 May 2014 10:15:52 +0200 Subject: translation update --- lib/plugins/authldap/lang/tr/settings.php | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 lib/plugins/authldap/lang/tr/settings.php (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/lang/tr/settings.php b/lib/plugins/authldap/lang/tr/settings.php new file mode 100644 index 000000000..843b7ef9c --- /dev/null +++ b/lib/plugins/authldap/lang/tr/settings.php @@ -0,0 +1,8 @@ + + */ +$lang['bindpw'] = 'Üstteki kullanıcının şifresi'; -- cgit v1.2.3 From 33cfab00505903e3bee37020f5e099e5c0fd70a9 Mon Sep 17 00:00:00 2001 From: Francesco Date: Wed, 14 May 2014 21:20:56 +0200 Subject: translation update --- lib/plugins/authldap/lang/it/settings.php | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/lang/it/settings.php b/lib/plugins/authldap/lang/it/settings.php index eba7cde6e..858c694b8 100644 --- a/lib/plugins/authldap/lang/it/settings.php +++ b/lib/plugins/authldap/lang/it/settings.php 
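Review bot: Dropping the `if(empty($changes['pass']))` guard leaves `$changes['pass']` unchecked before it reaches `hash_ssha()` further down the method (outside this hunk); the commit message calls the check unreachable, presumably because the core callers reject empty passwords, but `modifyUser()` is a public plugin method and a `$changes` array without a `pass` key would then appear to hash an empty string and write it as the user's LDAP password. Keeping a one-line guard directly before the hashing, `if (empty($changes['pass'])) return false;`, costs nothing and keeps the method safe for callers outside core. The new `msg('LDAP cannot find your user dn');` is fine, though an error level (`-1`) would distinguish it from an info message. modifyUser() starts and ends outside this hunk.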
@@ -5,6 +5,7 @@ * * @author Edmondo Di Tucci * @author Claudio Lanconelli + * @author Francesco */ $lang['server'] = 'Il tuo server LDAP. Inserire o l\'hostname (localhost) oppure un URL completo (ldap://server.tld:389)'; $lang['port'] = 'Porta del server LDAP se non è stato fornito un URL completo più sopra.'; @@ -14,6 +15,11 @@ $lang['userfilter'] = 'Filtro per cercare l\'account utente LDAP. Eg. $lang['groupfilter'] = 'Filtro per cercare i gruppi LDAP. Eg. (&(objectClass=posixGroup)(|(gidNumber=%{gid})(memberUID=%{user})))'; $lang['version'] = 'Versione protocollo da usare. Pu3'; $lang['starttls'] = 'Usare la connessione TSL?'; +$lang['deref'] = 'Come differenziare un alias?'; $lang['userscope'] = 'Limita il contesto di ricerca per la ricerca degli utenti'; $lang['groupscope'] = 'Limita il contesto di ricerca per la ricerca dei gruppi'; $lang['debug'] = 'In caso di errori mostra ulteriori informazioni di debug'; +$lang['deref_o_0'] = 'LDAP_DEREF_NEVER'; +$lang['deref_o_1'] = 'LDAP_DEREF_SEARCHING'; +$lang['deref_o_2'] = 'LDAP_DEREF_FINDING'; +$lang['deref_o_3'] = 'LDAP_DEREF_ALWAYS'; -- cgit v1.2.3 From f88adfe0b3b6ae718cb4a99c6f8363042c7b0b6e Mon Sep 17 00:00:00 2001 From: PzF_X Date: Sun, 18 May 2014 13:56:03 +0200 Subject: translation update --- lib/plugins/authldap/lang/ja/settings.php | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/lang/ja/settings.php b/lib/plugins/authldap/lang/ja/settings.php index 3c0e08f6a..6cff0ea67 100644 --- a/lib/plugins/authldap/lang/ja/settings.php +++ b/lib/plugins/authldap/lang/ja/settings.php @@ -6,6 +6,7 @@ * @author Satoshi Sahara * @author Hideaki SAWADA * @author Hideaki SAWADA + * @author PzF_X */ $lang['server'] = 'LDAPサーバー。ホスト名(localhost)又は完全修飾URL(ldap://server.tld:389)'; $lang['port'] = '上記が完全修飾URLでない場合、LDAPサーバーポート'; 
@@ -15,8 +16,14 @@ $lang['userfilter'] = 'ユーザーアカウントを探すためのL $lang['groupfilter'] = 'グループを探すLDAP抽出条件。例:(&(objectClass=posixGroup)(|(gidNumber=%{gid})(memberUID=%{user})))'; $lang['version'] = '使用するプロトコルのバージョン。3を設定する必要がある場合があります。'; $lang['starttls'] = 'TLS接続を使用しますか?'; +$lang['referrals'] = '紹介に従いますか?'; +$lang['deref'] = 'どのように間接参照のエイリアスにしますか?'; $lang['binddn'] = '匿名バインドでは不十分な場合、オプションバインドユーザーのDN。例:cn=admin, dc=my, dc=home'; $lang['bindpw'] = '上記ユーザーのパスワード'; +$lang['userscope'] = 'ユーザー検索の範囲を限定させる'; +$lang['groupscope'] = 'グループ検索の範囲を限定させる'; +$lang['groupkey'] = 'ユーザー属性をグループのメンバーシップから設定します(代わりに標準のADグループ)。 +例えば、部署や電話番号などです。'; $lang['debug'] = 'エラーに関して追加のデバッグ情報を表示する。'; $lang['deref_o_0'] = 'LDAP_DEREF_NEVER'; $lang['deref_o_1'] = 'LDAP_DEREF_SEARCHING'; -- cgit v1.2.3 From 18496fe0decfb1382393daca3141bf315cda7254 Mon Sep 17 00:00:00 2001 From: Andreas Gohr Date: Sun, 18 May 2014 20:33:21 +0200 Subject: fixed undefined variable in LDAP plugin --- lib/plugins/authldap/auth.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/auth.php b/lib/plugins/authldap/auth.php index bda8f2abe..0d5e130ea 100644 --- a/lib/plugins/authldap/auth.php +++ b/lib/plugins/authldap/auth.php @@ -286,7 +286,7 @@ class auth_plugin_authldap extends DokuWiki_Auth_Plugin { // find the old password of the user list($loginuser,$loginsticky,$loginpass) = auth_getCookie(); if ($loginuser !== null) { // the user is currently logged in - $secret = auth_cookiesalt(!$sticky, true); + $secret = auth_cookiesalt(!$loginsticky, true); $pass = auth_decrypt($loginpass, $secret); // bind with the ldap -- cgit v1.2.3 From e1f856bac8f154dbb5a51c739630e38115fbbe0b Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Aivars=20Mi=C5=A1ka?= Date: Tue, 10 Jun 2014 16:51:41 +0200 Subject: translation update --- lib/plugins/authldap/lang/lv/settings.php | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 lib/plugins/authldap/lang/lv/settings.php (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/lang/lv/settings.php b/lib/plugins/authldap/lang/lv/settings.php new file mode 100644 index 000000000..90986e4f1 --- /dev/null +++ b/lib/plugins/authldap/lang/lv/settings.php @@ -0,0 +1,9 @@ + + */ +$lang['starttls'] = 'Lietot TLS savienojumus?'; +$lang['bindpw'] = 'Lietotāja parole'; -- cgit v1.2.3 From 19accab588843292613a1e12b22b773f07b511ba Mon Sep 17 00:00:00 2001 From: Davor Turkalj Date: Thu, 10 Jul 2014 13:46:11 +0200 Subject: translation update --- lib/plugins/authldap/lang/hr/settings.php | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 lib/plugins/authldap/lang/hr/settings.php (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/lang/hr/settings.php b/lib/plugins/authldap/lang/hr/settings.php new file mode 100644 index 000000000..44caeacc8 --- /dev/null +++ b/lib/plugins/authldap/lang/hr/settings.php 
@@ -0,0 +1,23 @@ + + */ +$lang['server'] = 'Vaš LDAP server. Upišite ili naziv računala (localhost) ili puni URL (ldap://server.tld:389)'; +$lang['port'] = 'LDAP server port, ako gore nije specificiran puni URL.'; +$lang['usertree'] = 'Gdje da nađem korisničke prijave. Npr. ou=People, dc=server, dc=tld'; +$lang['grouptree'] = 'Gdje da nađem korisničke grupe. Npr. ou=Group, dc=server, dc=tld'; +$lang['userfilter'] = 'LDAP filter za pretragu korisničkih prijava. Npr. (&(uid=%{user})(objectClass=posixAccount))'; +$lang['groupfilter'] = 'LDAP filter za pretragu grupa. Npr. (&(objectClass=posixGroup)(|(gidNumber=%{gid})(memberUID=%{user})))'; +$lang['version'] = 'Protokol koji se koristi. Možda će te trebati postaviti na 3'; +$lang['starttls'] = 'Korisni TLS vezu?'; +$lang['referrals'] = 'Da li da slijedim uputnice?'; +$lang['deref'] = 'Kako da razlikujem aliase?'; +$lang['binddn'] = 'DN opcionalnog korisnika ako anonimni korisnik nije dovoljan. Npr. cn=admin, dc=my, dc=home'; +$lang['bindpw'] = 'Lozinka gore navedenog korisnika'; +$lang['userscope'] = 'Ograniči područje za pretragu korisnika'; +$lang['groupscope'] = 'Ograniči područje za pretragu grupa'; +$lang['groupkey'] = 'Članstvo grupa iz svih atributa korisnika (umjesto standardnih AD grupa) npr. grupa iz odjela ili telefonskog broja'; +$lang['debug'] = 'Prikaži dodatne informacije u slučaju greške'; -- cgit v1.2.3 From 6d8e3ea1634ecdd794e663fa1f7c802f2fd8914f Mon Sep 17 00:00:00 2001 From: Stan Date: Sat, 2 Aug 2014 10:06:00 +0200 Subject: translation update --- lib/plugins/authldap/lang/zh-tw/settings.php | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/lang/zh-tw/settings.php b/lib/plugins/authldap/lang/zh-tw/settings.php index 7e35ef632..e3d85cb87 100644 --- a/lib/plugins/authldap/lang/zh-tw/settings.php +++ b/lib/plugins/authldap/lang/zh-tw/settings.php 
@@ -1,4 +1,5 @@ Date: Sat, 2 Aug 2014 12:19:38 +0100 Subject: updated dates in info.txt of various plugins and template --- lib/plugins/authldap/plugin.info.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/plugin.info.txt b/lib/plugins/authldap/plugin.info.txt index 0d0b13f65..964fbb994 100644 --- a/lib/plugins/authldap/plugin.info.txt +++ b/lib/plugins/authldap/plugin.info.txt @@ -1,7 +1,7 @@ base authldap author Andreas Gohr email andi@splitbrain.org -date 2013-04-19 +date 2014-05-18 name LDAP Auth Plugin desc Provides user authentication against an LDAP server url http://www.dokuwiki.org/plugin:authldap -- cgit v1.2.3 From c3dd5e61641701501b845f71f894380966d71151 Mon Sep 17 00:00:00 2001 From: Davor Turkalj Date: Mon, 8 Sep 2014 12:56:14 +0200 Subject: translation update --- lib/plugins/authldap/lang/hr/settings.php | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'lib/plugins/authldap') diff --git a/lib/plugins/authldap/lang/hr/settings.php b/lib/plugins/authldap/lang/hr/settings.php index 44caeacc8..cb8df7218 100644 --- a/lib/plugins/authldap/lang/hr/settings.php +++ b/lib/plugins/authldap/lang/hr/settings.php @@ -21,3 +21,7 @@ $lang['userscope'] = 'Ograniči područje za pretragu korisnika'; $lang['groupscope'] = 'Ograniči područje za pretragu grupa'; $lang['groupkey'] = 'Članstvo grupa iz svih atributa korisnika (umjesto standardnih AD grupa) npr. grupa iz odjela ili telefonskog broja'; $lang['debug'] = 'Prikaži dodatne informacije u slučaju greške'; +$lang['deref_o_0'] = 'LDAP_DEREF_NEVER'; +$lang['deref_o_1'] = 'LDAP_DEREF_SEARCHING'; +$lang['deref_o_2'] = 'LDAP_DEREF_FINDING'; +$lang['deref_o_3'] = 'LDAP_DEREF_ALWAYS'; -- cgit v1.2.3