package Lemonldap::NG::Portal::Auth::LDAP;
use strict;
use Mouse;
use Lemonldap::NG::Portal::Main::Constants qw(
PE_OK
PE_DONE
PE_ERROR
PE_LDAPCONNECTFAILED
PE_PP_ACCOUNT_LOCKED
PE_PP_PASSWORD_EXPIRED
PE_PP_CHANGE_AFTER_RESET
);
our $VERSION = '2.0.14';
# Inheritance: Lib::LDAP provides all needed LDAP functions
extends qw(
Lemonldap::NG::Portal::Lib::LDAP
Lemonldap::NG::Portal::Auth::_WebForm
);
# Initialise both parent classes, web form first.
# A false result from the web-form initialiser is returned unchanged
# and the LDAP initialiser is not run; otherwise the LDAP result is
# returned.
sub init {
    my ($self) = @_;

    my $form_init = $self->Lemonldap::NG::Portal::Auth::_WebForm::init;
    return $form_init unless $form_init;

    return $self->Lemonldap::NG::Portal::Lib::LDAP::init;
}
# Authentication level reported for sessions created by this module.
# Read lazily from the "ldapAuthnLevel" configuration key on first
# access; the accessor is read/write so it can still be overridden.
has authnLevel => (
    is      => 'rw',
    lazy    => 1,
    default => sub {
        my ($self) = @_;
        return $self->conf->{ldapAuthnLevel};
    },
);
# RUNNING METHODS
# Authenticate the request against the directory.
#
# Three outcomes are possible, in this order:
#   1. the user's DN cannot be resolved: the getUser() error code is
#      returned;
#   2. the request carries no password: the password-change round trip
#      is handled through the password backend and PE_DONE (or the
#      backend's own code) is returned without any bind;
#   3. otherwise the DN is bound with the supplied password and the
#      userBind() result is returned.
#
# @param req current request
# @return PE_* code
sub authenticate {
    my ( $self, $req ) = @_;

    # Resolve the DN first if an earlier step has not already done so.
    # A true (non-PE_OK) result from getUser() ends authentication.
    if ( !$req->data->{dn} ) {
        my $lookup_res = $self->getUser($req);
        if ($lookup_res) {
            # Best effort only: a failure here is logged but must not
            # replace the lookup error code handed back to the caller.
            eval { $self->setSecurity($req) };
            $self->logger->warn($@) if ($@);
            return $lookup_res;
        }
    }

    # No password in the request: this is the password-change leg
    # (see the PE_PP_* handling at the end of this method), delegated
    # to the password backend instead of an LDAP bind.
    if ( !$req->data->{password} ) {
        $self->p->{user} = $req->userData->{_dn} = $req->data->{dn};

        if ( !$self->p->{_passwordDB} ) {
            $self->logger->error('No password database configured, aborting');
            return PE_ERROR;
        }
        my $change_res = $self->p->{_passwordDB}->_modifyPassword( $req, 1 );

        # Refresh entry; a refresh failure is logged but does not
        # change the outcome of the password change.
        if ( $self->p->{_userDB}->getUser($req) != PE_OK ) {
            $self->logger->error(
                "Unable to refresh entry for " . $self->p->{user} );
        }

        $req->data->{noerror} = 1;
        $self->setSecurity($req);

        # Security: never create session here
        return $change_res || PE_DONE;
    }

    # Regular credential check: bind as the user against the directory.
    $self->validateLdap;
    return PE_LDAPCONNECTFAILED if !$self->ldap;

    my $bind_res = $self->ldap->userBind( $req, $req->data->{dn},
        password => $req->data->{password} );
    $self->setSecurity($req) if ( $bind_res > PE_OK );

    # Remember password if password reset needed: the current password
    # is carried over as "oldpassword" (presumably for the change form)
    # and noerror is raised so the PE_PP_* code is not treated as a
    # plain failure.  Expired passwords only qualify when the
    # configuration allows resetting them.  (Fix 2377)
    my $needs_reset = $bind_res == PE_PP_CHANGE_AFTER_RESET
      || ( $bind_res == PE_PP_PASSWORD_EXPIRED
        && $self->conf->{ldapAllowResetExpiredPassword} );
    if ($needs_reset) {
        $req->data->{oldpassword} = $req->data->{password};
        $req->data->{noerror}     = 1;
        $self->setSecurity($req);
    }

    return $bind_res;
}
# Logout hook.  This module keeps no per-session state of its own, so
# there is nothing to release and logout always reports success.
# @return PE_OK
sub authLogout {
    my ( $self, $req ) = @_;

    return PE_OK;
}
# Define which error codes will stop Combination process.
# The password-policy results listed here are final for this user
# (password must be changed, or account is locked), so the combination
# chain must not continue to another backend.
# @param res error code returned by authenticate()
# @return 1 if stop is needed, 0 otherwise
sub stop {
    my ( $self, $res ) = @_;

    my @stopping_codes = (
        PE_PP_PASSWORD_EXPIRED, PE_PP_ACCOUNT_LOCKED, PE_PP_CHANGE_AFTER_RESET,
    );
    my $matched = grep { $res == $_ } @stopping_codes;

    return $matched ? 1 : 0;
}
1;