lemonldap-ng/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/LDAP.pm

package Lemonldap::NG::Portal::Auth::LDAP;

use strict;
use Mouse;
use Lemonldap::NG::Portal::Main::Constants qw(
  PE_OK
  PE_DONE
  PE_ERROR
  PE_LDAPCONNECTFAILED
  PE_PP_ACCOUNT_LOCKED
  PE_PP_PASSWORD_EXPIRED
  PE_PP_CHANGE_AFTER_RESET
);

our $VERSION = '2.0.14';

# Inheritance: UserDB::LDAP provides all needed ldap functions
extends qw(
  Lemonldap::NG::Portal::Lib::LDAP
  Lemonldap::NG::Portal::Auth::_WebForm
);

sub init {
    my ($self) = @_;
    return (  $self->Lemonldap::NG::Portal::Auth::_WebForm::init
          and $self->Lemonldap::NG::Portal::Lib::LDAP::init );
}

has authnLevel => (
    is      => 'rw',
    lazy    => 1,
    default => sub {
        $_[0]->conf->{ldapAuthnLevel};
    }
);

# RUNNING METHODS

sub authenticate {
    my ( $self, $req ) = @_;

    # Set the dn unless done before
    unless ( $req->data->{dn} ) {
        if ( my $tmp = $self->getUser($req) ) {
            eval { $self->setSecurity($req) };
            $self->logger->warn($@) if ($@);
            return $tmp;
        }
    }

    unless ( $req->data->{password} ) {
        $self->p->{user} = $req->userData->{_dn} = $req->data->{dn};
        unless ( $self->p->{_passwordDB} ) {
            $self->logger->error('No password database configured, aborting');
            return PE_ERROR;
        }
        my $res = $self->p->{_passwordDB}->_modifyPassword( $req, 1 );

        # Refresh entry
        if ( $self->p->{_userDB}->getUser($req) != PE_OK ) {
            $self->logger->error(
                "Unable to refresh entry for " . $self->p->{user} );
        }

        $req->data->{noerror} = 1;
        $self->setSecurity($req);

        # Security: never create session here
        return $res || PE_DONE;
    }

    $self->validateLdap;

    unless ( $self->ldap ) {
        return PE_LDAPCONNECTFAILED;
    }

    my $res =
      $self->ldap->userBind( $req, $req->data->{dn},
        password => $req->data->{password} );
    $self->setSecurity($req) if ( $res > PE_OK );

    # Remember password if password reset needed
    if (
        $res == PE_PP_CHANGE_AFTER_RESET
        or (    $res == PE_PP_PASSWORD_EXPIRED
            and $self->conf->{ldapAllowResetExpiredPassword} )
      )
    {
        $req->data->{oldpassword} = $req->data->{password};    # Fix 2377
        $req->data->{noerror}     = 1;
        $self->setSecurity($req);
    }

    return $res;

}

sub authLogout {
    return PE_OK;
}

# Define which error codes will stop Combination process
# @param res error code
# @return result 1 if stop is needed
sub stop {
    my ( $self, $res ) = @_;

    return 1
      if ( $res == PE_PP_PASSWORD_EXPIRED
        or $res == PE_PP_ACCOUNT_LOCKED
        or $res == PE_PP_CHANGE_AFTER_RESET );
    return 0;
}

1;
LDAP in progress (#595) 2016-05-01 09:30:21 +02:00			`package Lemonldap::NG::Portal::Auth::LDAP;`

			`use strict;`
			`use Mouse;`
Call PasswordDB::LDAP if unauth user requests changing password (#1639) 2019-02-11 15:40:27 +01:00			`use Lemonldap::NG::Portal::Main::Constants qw(`
			`PE_OK`
			`PE_DONE`
			`PE_ERROR`
			`PE_LDAPCONNECTFAILED`
Reintroduce stop() method in LDAP/AD backends (#2660) 2022-02-01 16:11:16 +01:00			`PE_PP_ACCOUNT_LOCKED`
Call PasswordDB::LDAP if unauth user requests changing password (#1639) 2019-02-11 15:40:27 +01:00			`PE_PP_PASSWORD_EXPIRED`
Set user and oldpassword fields into reset password form & Improve unit tests (#2377) 2020-11-08 13:14:41 +01:00			`PE_PP_CHANGE_AFTER_RESET`
Call PasswordDB::LDAP if unauth user requests changing password (#1639) 2019-02-11 15:40:27 +01:00			`);`
LDAP in progress (#595) 2016-05-01 09:30:21 +02:00
Fix versions 2022-02-03 11:20:47 +01:00			`our $VERSION = '2.0.14';`
LDAP in progress (#595) 2016-05-01 09:30:21 +02:00
LDAP in progress (#595) 2016-05-02 12:30:23 +02:00			`# Inheritance: UserDB::LDAP provides all needed ldap functions`
Set user and oldpassword fields into reset password form & Improve unit tests (#2377) 2020-11-08 13:14:41 +01:00			`extends qw(`
			`Lemonldap::NG::Portal::Lib::LDAP`
			`Lemonldap::NG::Portal::Auth::_WebForm`
			`);`
Rearrange LDAP (#595) 2017-01-15 14:18:01 +01:00
			`sub init {`
			`my ($self) = @_;`
Avoid little warning (#595) 2017-01-27 23:40:17 +01:00			`return ( $self->Lemonldap::NG::Portal::Auth::_WebForm::init`
			`and $self->Lemonldap::NG::Portal::Lib::LDAP::init );`
Rearrange LDAP (#595) 2017-01-15 14:18:01 +01:00			`}`
LDAP in progress (#595) 2016-05-01 09:30:21 +02:00
Use ldapAuthnLevel and dbiAuthnLevel in portal (#1648) 2019-02-11 11:55:51 +01:00			`has authnLevel => (`
			`is => 'rw',`
			`lazy => 1,`
			`default => sub {`
			`$_[0]->conf->{ldapAuthnLevel};`
			`}`
			`);`

Update comments (#595) 2016-06-09 20:40:20 +02:00			`# RUNNING METHODS`

LDAP in progress (#595) 2016-05-01 09:30:21 +02:00			`sub authenticate {`
#595 in progress 2016-05-04 13:38:49 +02:00			`my ( $self, $req ) = @_;`
LDAP in progress (#595) 2016-05-01 09:30:21 +02:00
			`# Set the dn unless done before`
s/datas/data datas => des données data => les données 2018-07-05 22:56:16 +02:00			`unless ( $req->data->{dn} ) {`
Move LDAP::getUser() to Lib::LDAP (Fixes: #1805) 2019-06-17 21:14:37 +02:00			`if ( my $tmp = $self->getUser($req) ) {`
			`eval { $self->setSecurity($req) };`
			`$self->logger->warn($@) if ($@);`
LDAP in progress (#595) 2016-05-01 09:30:21 +02:00			`return $tmp;`
			`}`
			`}`

Call PasswordDB::LDAP if unauth user requests changing password (#1639) 2019-02-11 15:40:27 +01:00			`unless ( $req->data->{password} ) {`
			`$self->p->{user} = $req->userData->{_dn} = $req->data->{dn};`
Please use our .perltidyrc 2019-03-07 18:22:16 +01:00			`unless ( $self->p->{_passwordDB} ) {`
Call PasswordDB::LDAP if unauth user requests changing password (#1639) 2019-02-11 15:40:27 +01:00			`$self->logger->error('No password database configured, aborting');`
			`return PE_ERROR;`
			`}`
			`my $res = $self->p->{_passwordDB}->_modifyPassword( $req, 1 );`

Refresh entry after password modification (#1654) 2019-03-27 09:59:22 +01:00			`# Refresh entry`
Test return of getUser (#1654) 2019-03-29 11:53:52 +01:00			`if ( $self->p->{_userDB}->getUser($req) != PE_OK ) {`
			`$self->logger->error(`
			`"Unable to refresh entry for " . $self->p->{user} );`
			`}`
Refresh entry after password modification (#1654) 2019-03-27 09:59:22 +01:00
Display password or login template after password modification (#1654) 2019-04-02 11:12:33 +02:00			`$req->data->{noerror} = 1;`
			`$self->setSecurity($req);`

Call PasswordDB::LDAP if unauth user requests changing password (#1639) 2019-02-11 15:40:27 +01:00			`# Security: never create session here`
			`return $res \|\| PE_DONE;`
			`}`
Make Password::LDAP/AD check connection before use (#1909) Also remove a mostly redundant wrapper method in Auth::LDAP 2019-10-01 19:17:31 +02:00
			`$self->validateLdap;`

			`unless ( $self->ldap ) {`
			`return PE_LDAPCONNECTFAILED;`
			`}`

LDAP in progress (#595) 2016-05-01 09:30:21 +02:00			`my $res =`
Make Password::LDAP/AD check connection before use (#1909) Also remove a mostly redundant wrapper method in Auth::LDAP 2019-10-01 19:17:31 +02:00			`$self->ldap->userBind( $req, $req->data->{dn},`
s/datas/data datas => des données data => les données 2018-07-05 22:56:16 +02:00			`password => $req->data->{password} );`
Better fix (#1769) 2019-06-05 15:25:50 +02:00			`$self->setSecurity($req) if ( $res > PE_OK );`
LDAP in progress (#595) 2016-05-01 09:30:21 +02:00
			`# Remember password if password reset needed`
Bypass error screen for LDAP password reset (#1639) 2019-02-06 18:33:42 +01:00			`if (`
Apply patch on new trunk LDAP code (#1011) 2016-05-11 15:04:40 +02:00			`$res == PE_PP_CHANGE_AFTER_RESET`
			`or ( $res == PE_PP_PASSWORD_EXPIRED`
			`and $self->conf->{ldapAllowResetExpiredPassword} )`
Bypass error screen for LDAP password reset (#1639) 2019-02-06 18:33:42 +01:00			`)`
			`{`
Set user and oldpassword fields into reset password form & Improve unit tests (#2377) 2020-11-08 13:14:41 +01:00			`$req->data->{oldpassword} = $req->data->{password}; # Fix 2377`
Bypass error screen for LDAP password reset (#1639) 2019-02-06 18:33:42 +01:00			`$req->data->{noerror} = 1;`
Add security token when forcing password reset (#1639) 2019-02-08 10:46:06 +01:00			`$self->setSecurity($req);`
Bypass error screen for LDAP password reset (#1639) 2019-02-06 18:33:42 +01:00			`}`
LDAP in progress (#595) 2016-05-01 09:30:21 +02:00
			`return $res;`

			`}`

			`sub authLogout {`
Set user and oldpassword fields into reset password form & Improve unit tests (#2377) 2020-11-08 13:14:41 +01:00			`return PE_OK;`
LDAP in progress (#595) 2016-05-01 09:30:21 +02:00			`}`

Reintroduce stop() method in LDAP/AD backends (#2660) 2022-02-01 16:11:16 +01:00			`# Define which error codes will stop Combination process`
			`# @param res error code`
			`# @return result 1 if stop is needed`
			`sub stop {`
			`my ( $self, $res ) = @_;`

			`return 1`
			`if ( $res == PE_PP_PASSWORD_EXPIRED`
			`or $res == PE_PP_ACCOUNT_LOCKED`
			`or $res == PE_PP_CHANGE_AFTER_RESET );`
			`return 0;`
			`}`

LDAP in progress (#595) 2016-05-01 09:30:21 +02:00			`1;`