dani/lemonldap-ng
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
7c0e6a2d00
lemonldap-ng/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm

799 lines
26 KiB
Perl
Raw Normal View History

Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
##@file
# Extends Net::LDAP
package Lemonldap::NG::Portal::Lib::Net::LDAP;
use strict;
use Net::LDAP; #inherits
use Net::LDAP::Util qw(escape_filter_value);
use base qw(Net::LDAP);
use Lemonldap::NG::Portal::Main::Constants ':all';
use Encode;
use Unicode::String qw(utf8);
use Scalar::Util 'weaken';
Fix DN encoding issue in LDAP password modification (#1540)
2018-11-14 10:15:28 +01:00
use utf8;
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
Merge branch 'v2.0' (fix versions)
2019-09-03 23:14:45 +02:00
our $VERSION = '2.1.0';
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
our $ppLoaded = 0;
BEGIN {
eval {
require threads::shared;
threads::shared::share($ppLoaded);
};
}
# INITIALIZATION
# Build a Net::LDAP object using parameters issued from $portal
sub new {
my ( $class, $args ) = @_;
my $portal = $args->{p} or die "$class : p argument required !";
my $conf = $args->{conf} or die "$class : conf argument required !";
my $self;
my $useTls = 0;
my $tlsParam;
my @servers = ();
foreach my $server ( split /[\s,]+/, $conf->{ldapServer} ) {
if ( $server =~ m{^ldap\+tls://([^/]+)/?\??(.*)$} ) {
$useTls = 1;
$server = $1;
$tlsParam = $2 || "";
}
else {
$useTls = 0;
}
push @servers, $server;
}
$self = Net::LDAP->new(
\@servers,
onerror => undef,
( $conf->{ldapPort} ? ( port => $conf->{ldapPort} ) : () ),
( $conf->{ldapTimeout} ? ( timeout => $conf->{ldapTimeout} ) : () ),
( $conf->{ldapVersion} ? ( version => $conf->{ldapVersion} ) : () ),
( $conf->{ldapRaw} ? ( raw => $conf->{ldapRaw} ) : () ),
( $conf->{caFile} ? ( cafile => $conf->{caFile} ) : () ),
( $conf->{caPath} ? ( capath => $conf->{caPath} ) : () ),
);
unless ($self) {
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
$portal->logger->error($@);
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
return 0;
}
bless $self, $class;
if ($useTls) {
my %h = split( /[&=]/, $tlsParam );
$h{cafile} = $conf->{caFile} if ( $conf->{caFile} );
$h{capath} = $conf->{caPath} if ( $conf->{caPath} );
my $mesg = $self->start_tls(%h);
if ( $mesg->code ) {
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
$portal->logger->error('StartTLS failed');
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
return 0;
}
}
$self->{portal} = $portal;
$self->{conf} = $conf;
weaken $self->{portal};
# Setting default LDAP password storage encoding to utf-8
return $self;
}
# RUNNING METHODS
## @method Net::LDAP::Message bind(string dn, hash args)
# Reimplementation of Net::LDAP::bind(). Connection is done :
# - with $dn and $args->{password} as dn/password if defined,
# - or with Lemonldap::NG account,
# - or with an anonymous bind.
# @param $dn LDAP distinguish name
# @param %args See Net::LDAP(3) manpage for more
# @return Net::LDAP::Message
sub bind {
my ( $self, $dn, %args ) = @_;
Fix DN encoding issue in LDAP password modification (#1540)
2018-11-14 10:15:28 +01:00
Avoid warning msg
2018-11-23 23:05:05 +01:00
$self->{portal}->logger->debug("Call bind for $dn") if $dn;
Fix DN encoding issue in LDAP password modification (#1540)
2018-11-14 10:15:28 +01:00
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
my $mesg;
unless ($dn) {
$dn = $self->{conf}->{managerDn};
$args{password} =
decode( 'utf-8', $self->{conf}->{managerPassword} );
}
if ( $dn && $args{password} ) {
if ( $self->{conf}->{ldapPwdEnc} ne 'utf-8' ) {
eval {
my $tmp = encode(
$self->{conf}->{ldapPwdEnc},
decode( 'utf-8', $args{password} )
);
$args{password} = $tmp;
};
print STDERR "$@\n" if ($@);
}
$mesg = $self->SUPER::bind( $dn, %args );
}
else {
$mesg = $self->SUPER::bind();
}
return $mesg;
}
## @method Net::LDAP::Message unbind()
# Reimplementation of Net::LDAP::unbind() to force call to disconnect()
# @return Net::LDAP::Message
sub unbind {
my $self = shift;
my $ldap_uri = $self->uri;
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
$self->{portal}->logger->debug("Unbind and disconnect from $ldap_uri");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
my $mesg = $self->SUPER::unbind();
$self->SUPER::disconnect();
return $mesg;
}
## @method private boolean loadPP ()
# Load Net::LDAP::Control::PasswordPolicy
# @return true if succeed.
sub loadPP {
my $self = shift;
return 1 if ($ppLoaded);
# Minimal version of Net::LDAP required
if ( $Net::LDAP::VERSION < 0.38 ) {
die(
"Module Net::LDAP is too old for password policy, please install version 0.38 or higher"
);
}
# Require Perl module
eval { require Net::LDAP::Control::PasswordPolicy };
if ($@) {
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
$self->{portal}->logger->error(
"Module Net::LDAP::Control::PasswordPolicy not found in @INC");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
return 0;
}
$ppLoaded = 1;
}
## @method protected int userBind(string dn, hash args)
# Call bind() with dn/password and return
# @param $dn LDAP distinguish name
# @param %args See Net::LDAP(3) manpage for more
# @return Lemonldap::NG portal error code
sub userBind {
my $self = shift;
Avoid info() wrapper (#595)
2017-02-07 18:57:19 +01:00
my $req = shift;
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
if ( $self->{conf}->{ldapPpolicyControl} ) {
# Create Control object
my $pp = Net::LDAP::Control::PasswordPolicy->new();
# Bind with user credentials
my $mesg = $self->bind( @_, control => [$pp] );
# Get server control response
my ($resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
# Return direct unless control resonse
unless ( defined $resp ) {
if ( $mesg->code == 49 ) {
Replace userNotice/Error... by userLogger (#857)
2017-02-15 15:16:59 +01:00
$self->{portal}->userLogger->warn("Bad password");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
return PE_BADCREDENTIALS;
}
Better logs in case of a LDAP error
2019-09-30 17:19:57 +02:00
elsif ( $mesg->code == 0 ) {
return PE_OK;
}
else {
$self->{portal}->logger->error( "Bind failed with error "
. $mesg->code . ": "
. $mesg->error );
return PE_LDAPERROR;
}
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
}
# Check for ppolicy error
my $pp_error = $resp->pp_error;
if ( defined $pp_error ) {
Replace userNotice/Error... by userLogger (#857)
2017-02-15 15:16:59 +01:00
$self->{portal}->userLogger->error(
tidy with new conf
2019-02-07 09:27:56 +01:00
"Password policy error $pp_error for " . $req->user );
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
return [
PE_PP_PASSWORD_EXPIRED,
PE_PP_ACCOUNT_LOCKED,
PE_PP_CHANGE_AFTER_RESET,
PE_PP_PASSWORD_MOD_NOT_ALLOWED,
PE_PP_MUST_SUPPLY_OLD_PASSWORD,
PE_PP_INSUFFICIENT_PASSWORD_QUALITY,
PE_PP_PASSWORD_TOO_SHORT,
PE_PP_PASSWORD_TOO_YOUNG,
PE_PP_PASSWORD_IN_HISTORY,
]->[$pp_error];
}
elsif ( $mesg->code == 0 ) {
# Get expiration warning and graces
if ( $resp->grace_authentications_remaining ) {
Add some debug logs for ppolicy (#2113)
2020-03-10 10:50:02 +01:00
$self->{portal}->logger->debug(
"LDAP password policy - grace authentications remaining: "
. $resp->grace_authentications_remaining );
Add unit test and fix code for ppolicy grace (#1691)
2019-04-01 09:58:56 +02:00
$req->info(
Fix for #1691
2019-04-01 06:52:21 +02:00
$self->{portal}->loadTemplate(
Use user skin in loadTemplate (Fixes: #1828)
2019-06-28 13:40:56 +02:00
$req,
Move some HTML fragments to templates (#1302)
2017-10-10 13:04:40 +02:00
'ldapPpGrace',
params => {
number => $resp->grace_authentications_remaining
}
)
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
);
}
if ( $resp->time_before_expiration ) {
Add some debug logs for ppolicy (#2113)
2020-03-10 10:50:02 +01:00
$self->{portal}->logger->debug(
"LDAP password policy - time before expiration: "
. $resp->time_before_expiration );
Move some HTML fragments to templates (#1302)
2017-10-10 13:04:40 +02:00
$req->info(
Fix for #1691
2019-04-01 06:52:21 +02:00
$self->{portal}->loadTemplate(
Use user skin in loadTemplate (Fixes: #1828)
2019-06-28 13:40:56 +02:00
$req,
Move some HTML fragments to templates (#1302)
2017-10-10 13:04:40 +02:00
'simpleInfo',
params => {
Use the correct message for ppolicy time before expiration (#2113)
2020-03-10 11:16:43 +01:00
trspan => 'pwdWillExpire,'
Format parameters for trspan (#2113)
2020-03-10 11:28:04 +01:00
. join(
',',
$self->convertSec(
$resp->time_before_expiration
)
Move some HTML fragments to templates (#1302)
2017-10-10 13:04:40 +02:00
)
}
)
);
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
}
return PE_OK;
}
}
else {
my $mesg = $self->bind(@_);
if ( $mesg->code == 0 ) {
return PE_OK;
}
Do not show password change prompt when AD password is incorrect (#2007)
2019-11-13 18:10:58 +01:00
else {
$req->data->{ldapError} = $mesg->error;
}
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
}
Error in warn msg (#595)
2017-12-18 11:17:52 +01:00
$self->{portal}->userLogger->warn("Bad password for $req->{user}");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
return PE_BADCREDENTIALS;
}
## @method int userModifyPassword(string dn, string newpassword, string oldpassword, boolean ad)
# Change user's password.
# @param $dn DN
# @param $newpassword New password
# @param $oldpassword Current password
# @param $ad Active Directory mode
# @return Lemonldap::NG::Portal constant
sub userModifyPassword {
my ( $self, $dn, $newpassword, $oldpassword, $ad ) = @_;
my $ppolicyControl = $self->{conf}->{ldapPpolicyControl};
my $setPassword = $self->{conf}->{ldapSetPassword};
my $asUser = $self->{conf}->{ldapChangePasswordAsUser};
my $requireOldPassword = $self->{conf}->{portalRequireOldPassword};
my $passwordAttribute = "userPassword";
my $err;
my $mesg;
Fix DN encoding issue in LDAP password modification (#1540)
2018-11-14 10:15:28 +01:00
utf8::downgrade($dn);
$self->{portal}->logger->debug("Call modify password for $dn");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
# Adjust configuration for AD
if ($ad) {
$ppolicyControl = 0;
$setPassword = 0;
$passwordAttribute = "unicodePwd";
# Encode password for AD
$newpassword = utf8( chr(34) . $newpassword . chr(34) )->utf16le();
if ( $oldpassword and $asUser ) {
$oldpassword =
utf8( chr(34) . $oldpassword . chr(34) )->utf16le();
}
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
$self->{portal}->logger->debug("Active Directory mode enabled");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
}
# First case: no ppolicy
if ( !$ppolicyControl ) {
if ($setPassword) {
# Bind as user if oldpassword and ldapChangePasswordAsUser
if ( $oldpassword and $asUser ) {
$mesg = $self->bind( $dn, password => $oldpassword );
if ( $mesg->code != 0 ) {
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
$self->{portal}->userLogger->notice("Bad old password");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
return PE_BADOLDPASSWORD;
}
}
# Use SetPassword extended operation
require Net::LDAP::Extension::SetPassword;
$mesg =
($oldpassword)
? $self->set_password(
user => $dn,
oldpasswd => $oldpassword,
newpasswd => $newpassword
)
: $self->set_password(
user => $dn,
newpasswd => $newpassword
);
# Catch the "Unwilling to perform" error
if ( $mesg->code == 53 ) {
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
$self->{portal}->userLogger->notice("Bad old password");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
return PE_BADOLDPASSWORD;
}
}
else {
# AD specific
# Change password as user with a delete/add modification
if ( $ad and $oldpassword and $asUser ) {
$mesg = $self->modify(
$dn,
changes => [
delete => [ $passwordAttribute => $oldpassword ],
add => [ $passwordAttribute => $newpassword ]
]
);
}
else {
if ($requireOldPassword) {
return PE_MUST_SUPPLY_OLD_PASSWORD if ( !$oldpassword );
# Check old password with a bind
$mesg = $self->bind( $dn, password => $oldpassword );
# For AD password expiration to work:
# ppolicy must be desactivated,
# and "change as user" must be desactivated
if ($ad) {
if ( $mesg->error =~ /LdapErr: .* data ([^,]+),.*/ ) {
# extended data message code:
# 532: password expired (but provided password is correct)
# 773: must change password at next connection (but provided password is correct)
# 52e: password is incorrect
unless ( ( $1 eq '532' ) || ( $1 eq '773' ) ) {
$self->{portal}
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
->userLogger->warn("Bad old password");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
return PE_BADOLDPASSWORD;
}
}
# if error message has not been catched, then it IS a success
}
else
{ # this is not AD, a 0 error code means good old password
if ( $mesg->code != 0 ) {
$self->{portal}
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
->userLogger->warn('Bad old password');
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
return PE_BADOLDPASSWORD;
}
}
# Rebind as Manager only if user is not granted to change its password
$self->bind() unless $asUser;
}
# Use standard modification
$mesg =
$self->modify( $dn,
replace => { $passwordAttribute => $newpassword } );
}
}
$self->{portal}
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
->logger->debug( 'Modification return code: ' . $mesg->code );
Check error message from ITDS (#1619)
2019-09-05 17:14:44 +02:00
$self->{portal}
->logger->debug( 'Modification return error: ' . $mesg->error );
# Manage specific errors for IBM Tivoli DS
Use conf as HASH key (#1619)
2019-09-05 17:16:55 +02:00
if ( $self->{conf}->{ldapITDS} ) {
Check error message from ITDS (#1619)
2019-09-05 17:14:44 +02:00
my $itds_code = $self->getITDSError($mesg);
return $itds_code unless ( $itds_code == PE_PASSWORD_OK );
}
# Manage specific errors for Active Directory
if ($ad) {
return PE_PP_INSUFFICIENT_PASSWORD_QUALITY
if ( $mesg->code == 53 );
return PE_PP_PASSWORD_MOD_NOT_ALLOWED
if ( $mesg->code == 19 );
}
# Standard errors
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
return PE_WRONGMANAGERACCOUNT
if ( $mesg->code == 50 || $mesg->code == 8 );
Better logs in case of a LDAP error
2019-09-30 17:19:57 +02:00
unless ( $mesg->code == 0 ) {
$self->{portal}
->logger->error( "Password modification failed with LDAP error "
. $mesg->code . ": "
. $mesg->error );
return PE_LDAPERROR;
}
Check error message from ITDS (#1619)
2019-09-05 17:14:44 +02:00
$self->{portal}->userLogger->notice("Password changed for $dn");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
# Rebind as manager for next LDAP operations if we were bound as user
$self->bind() if $asUser;
return PE_PASSWORD_OK;
}
else {
# Create Control object
my $pp = Net::LDAP::Control::PasswordPolicy->new;
if ($setPassword) {
# Bind as user if oldpassword and ldapChangePasswordAsUser
if ( $oldpassword and $asUser ) {
$mesg = $self->bind(
$dn,
password => $oldpassword,
control => [$pp]
);
my ($bind_resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
unless ( defined $bind_resp ) {
if ( $mesg->code != 0 ) {
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
$self->{portal}->logger->debug("Bad old password");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
return PE_BADOLDPASSWORD;
}
}
else {
# Check if password is expired
my $pp_error = $bind_resp->pp_error;
if ( defined $pp_error
and $pp_error == 0
and $self->{conf}->{ldapAllowResetExpiredPassword} )
{
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
$self->{portal}->logger->debug(
"Password is expired but user is allowed to change it"
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
);
}
else {
if ( $mesg->code != 0 ) {
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
$self->{portal}->logger->debug("Bad old password");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
return PE_BADOLDPASSWORD;
}
}
}
}
# Use SetPassword extended operation
# Warning: need a patch on Perl-LDAP
# See http://groups.google.com/group/perl.ldap/browse_thread/thread/5703a41ccb17b221/377a68f872cc2bb4?lnk=gst&q=setpassword#377a68f872cc2bb4
use Net::LDAP::Extension::SetPassword;
$mesg =
($oldpassword)
? $self->set_password(
user => $dn,
oldpasswd => $oldpassword,
newpasswd => $newpassword,
control => [$pp]
)
: $self->set_password(
user => $dn,
newpasswd => $newpassword,
control => [$pp]
);
# Catch the "Unwilling to perform" error
if ( $mesg->code == 53 ) {
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
$self->{portal}->logger->debug("Bad old password");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
return PE_BADOLDPASSWORD;
}
}
else {
if ($oldpassword) {
# Check old password with a bind
$mesg = $self->bind(
$dn,
password => $oldpassword,
control => [$pp]
);
my ($bind_resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
unless ( defined $bind_resp ) {
if ( $mesg->code != 0 ) {
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
$self->{portal}->logger->debug("Bad old password");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
return PE_BADOLDPASSWORD;
}
}
else {
# Check if password is expired
my $pp_error = $bind_resp->pp_error;
if ( defined $pp_error
and $pp_error == 0
and $self->{conf}->{ldapAllowResetExpiredPassword} )
{
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
$self->{portal}->logger->debug(
"Password is expired but user is allowed to change it"
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
);
}
else {
if ( $mesg->code != 0 ) {
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
$self->{portal}->logger->debug("Bad old password");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
return PE_BADOLDPASSWORD;
}
}
}
# Rebind as Manager only if user is not granted to change its password
$self->bind()
unless $asUser;
}
# Use standard modification
$mesg = $self->modify(
$dn,
replace => { $passwordAttribute => $newpassword },
control => [$pp]
);
}
# Get server control response
my ($resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
$self->{portal}
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
->logger->debug( "Modification return code: " . $mesg->code );
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
return PE_WRONGMANAGERACCOUNT
if ( $mesg->code == 50 || $mesg->code == 8 );
if ( $mesg->code == 0 ) {
$self->{portal}
Replace userNotice/Error... by userLogger (#857)
2017-02-15 15:16:59 +01:00
->userLogger->notice("Password changed $self->{portal}->{user}");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
# Rebind as manager for next LDAP operations if we were bound as user
$self->bind() if $asUser;
return PE_PASSWORD_OK;
}
if ( defined $resp ) {
my $pp_error = $resp->pp_error;
if ( defined $pp_error ) {
Tidy
2017-02-19 12:51:58 +01:00
$self->{portal}
->logger->error("Password policy error $pp_error");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
return [
PE_PP_PASSWORD_EXPIRED,
PE_PP_ACCOUNT_LOCKED,
PE_PP_CHANGE_AFTER_RESET,
PE_PP_PASSWORD_MOD_NOT_ALLOWED,
PE_PP_MUST_SUPPLY_OLD_PASSWORD,
PE_PP_INSUFFICIENT_PASSWORD_QUALITY,
PE_PP_PASSWORD_TOO_SHORT,
PE_PP_PASSWORD_TOO_YOUNG,
PE_PP_PASSWORD_IN_HISTORY,
]->[$pp_error];
}
}
else {
Better logs in case of a LDAP error
2019-09-30 17:19:57 +02:00
$self->{portal}->logger->error(
"Missing PPolicy control from server response. Code: "
. $mesg->code );
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
return PE_LDAPERROR;
}
}
}
## @method protected Lemonldap::NG::Portal::_LDAP ldap()
# @return Lemonldap::NG::Portal::_LDAP object
sub ldap {
my $self = shift;
return $self->{ldap}
if ( ref( $self->{ldap} )
and $self->{flags}->{ldapActive} );
if ( $self->{ldap} = Lemonldap::NG::Portal::_LDAP->new($self)
and my $mesg = $self->{ldap}->bind )
{
if ( $mesg->code != 0 ) {
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
$self->logger->error( "LDAP error: " . $mesg->error );
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
$self->{ldap}->unbind;
}
else {
if ( $self->{ldapPpolicyControl}
and not $self->{ldap}->loadPP() )
{
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
$self->logger->error("LDAP password policy error");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
$self->{ldap}->unbind;
}
else {
$self->{flags}->{ldapActive} = 1;
return $self->{ldap};
}
}
}
else {
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
$self->logger->error("LDAP error: $@");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
}
return 0;
}
Prevent duplicate group search (#1356)
2018-01-15 12:27:10 +01:00
## @method string searchGroups(string base, string key, string value, string attributes, hashref dupcheck)
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
# Get groups from LDAP directory
# @param base LDAP search base
# @param key Attribute name in group containing searched value
# @param value Searched value
# @param attributes to get from found groups (array ref)
Prevent duplicate group search (#1356)
2018-01-15 12:27:10 +01:00
# @param dupcheck to get from found groups (hash ref)
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
# @return hashRef groups
sub searchGroups {
Prevent duplicate group search (#1356)
2018-01-15 12:27:10 +01:00
my ( $self, $base, $key, $value, $attributes, $dupcheck ) = @_;
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
Prevent duplicate group search (#1356)
2018-01-15 12:27:10 +01:00
$dupcheck ||= {};
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
my $groups = {};
# Creating search filter
my $searchFilter =
"(&(objectClass=" . $self->{conf}->{ldapGroupObjectClass} . ")(|";
foreach ( split( $self->{conf}->{multiValuesSeparator}, $value ) ) {
$searchFilter .= "(" . $key . "=" . escape_filter_value($_) . ")";
}
$searchFilter .= "))";
Typo (fixes: #1273)
2017-07-17 21:19:39 +02:00
$self->{portal}->logger->debug("Group search filter: $searchFilter");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
# Search
my $mesg = $self->search(
base => $base,
filter => $searchFilter,
attrs => $attributes,
);
# Browse results
if ( $mesg->code() == 0 ) {
foreach my $entry ( $mesg->all_entries ) {
Typo (fixes: #1273)
2017-07-17 21:19:39 +02:00
$self->{portal}
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
->logger->debug( "Matching group " . $entry->dn() . " found" );
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
# If recursive search is activated, do it here
if ( $self->{conf}->{ldapGroupRecursive} ) {
# Get searched value
my $group_value =
$self->getLdapValue( $entry,
$self->{conf}->{ldapGroupAttributeNameGroup} );
# Launch group search
if ($group_value) {
Prevent duplicate group search (#1356)
2018-01-15 12:27:10 +01:00
if ( $dupcheck->{$group_value} ) {
$self->{portal}->logger->debug(
"Disable search for $group_value, as it was already searched"
);
}
else {
$dupcheck->{$group_value} = 1;
$self->{portal}
->logger->debug("Recursive search for $group_value");
my $recursive_groups =
$self->searchGroups( $base, $key, $group_value,
$attributes, $dupcheck );
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
Prevent duplicate group search (#1356)
2018-01-15 12:27:10 +01:00
my %allGroups = ( %$groups, %$recursive_groups )
if ( ref $recursive_groups );
$groups = \%allGroups;
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
Prevent duplicate group search (#1356)
2018-01-15 12:27:10 +01:00
}
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
}
}
# Use first attribute as group name
my $groupName = $entry->get_value( $attributes->[0] );
$groups->{$groupName}->{name} = $groupName;
# Now parse attributes
foreach (@$attributes) {
# Next if group attribute value
next
if ( $_ eq $self->{conf}->{ldapGroupAttributeValueGroup} );
my $data = $entry->get_value( $_, asref => 1 );
if ($data) {
Typo (fixes: #1273)
2017-07-17 21:19:39 +02:00
$self->{portal}
Replace lmLog by logger-> (#857)
2017-02-15 07:41:50 +01:00
->logger->debug("Store values of $_ in group $groupName");
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
$groups->{$groupName}->{$_} = $data;
}
}
}
}
return $groups;
}
## @method string getLdapValue(Net::LDAP::Entry entry, string attribute)
# Get the dn, or the attribute value with a separator for multi-valuated attributes
# @param entry LDAP entry
# @param attribute Attribute name
# @return string value
sub getLdapValue {
my ( $self, $entry, $attribute ) = @_;
return $entry->dn() if ( $attribute eq "dn" );
return join(
$self->{conf}->{multiValuesSeparator},
$entry->get_value($attribute)
);
}
Transform messsage into new form (#595)
2017-01-25 07:05:12 +01:00
# Convert seconds to hours, minutes, seconds
sub convertSec {
my ( $self, $sec ) = @_;
my ( $day, $hrs, $min ) = ( 0, 0, 0 );
# Calculate the minutes
if ( $sec > 60 ) {
$min = $sec / 60, $sec %= 60;
$min = int($min);
}
# Calculate the hours
if ( $min > 60 ) {
$hrs = $min / 60, $min %= 60;
$hrs = int($hrs);
}
# Calculate the days
if ( $hrs > 24 ) {
$day = $hrs / 24, $hrs %= 24;
$day = int($day);
}
# Return the date
return ( $day, $hrs, $min, $sec );
}
Check error message from ITDS (#1619)
2019-09-05 17:14:44 +02:00
## @method int getITDSError(Net::LDAP::Message mesg)
# Check error message to return according error code
# @param mesg Modification return message
# @return portal error code
sub getITDSError {
my ( $self, $mesg ) = @_;
return PE_PP_MUST_SUPPLY_OLD_PASSWORD
if ( $mesg->code == 53 && $mesg->error =~ /Must supply old password/i );
return PE_PP_CHANGE_AFTER_RESET
if ( $mesg->code == 53
&& $mesg->error =~ /Password must be changed after reset/i );
return PE_PP_PASSWORD_MOD_NOT_ALLOWED
if ( $mesg->code == 53
&& $mesg->error =~ /Password may not be modified/i );
return PE_PP_PASSWORD_TOO_YOUNG
if ( $mesg->code == 19 && $mesg->error =~ /Password too young/i );
return PE_PP_PASSWORD_TOO_SHORT
if ( $mesg->code == 19 && $mesg->error =~ /Password too short/i );
return PE_PP_PASSWORD_IN_HISTORY
if ( $mesg->code == 19 && $mesg->error =~ /Password in History/i );
return PE_PP_INSUFFICIENT_PASSWORD_QUALITY if ( $mesg->code == 19 );
return PE_PASSWORD_OK;
}
Rearrange LDAP (#595)
2017-01-15 14:18:01 +01:00
1;
Reference in New Issue Copy Permalink