2008-12-26 20:18:23 +01:00
|
|
|
##@file
|
|
|
|
|
# LDAP authentication backend file
|
|
|
|
|
|
|
|
|
|
##@class
|
|
|
|
|
# LDAP authentication backend class
|
2008-06-06 14:42:35 +02:00
|
|
|
package Lemonldap::NG::Portal::AuthLDAP;
|
|
|
|
|
|
|
|
|
|
use Lemonldap::NG::Portal::Simple;
|
2009-02-14 16:21:58 +01:00
|
|
|
use Lemonldap::NG::Portal::_LDAP; #link protected ldap
|
2008-11-24 15:06:54 +01:00
|
|
|
use Lemonldap::NG::Portal::_WebForm;
|
2009-02-14 16:21:58 +01:00
|
|
|
use Lemonldap::NG::Portal::UserDBLDAP; #inherits
|
2008-06-06 14:42:35 +02:00
|
|
|
|
2008-12-25 09:04:33 +01:00
|
|
|
our $VERSION = '0.2';
|
2008-12-03 17:43:31 +01:00
|
|
|
use base qw(Lemonldap::NG::Portal::_WebForm);
|
2008-06-06 14:42:35 +02:00
|
|
|
|
2009-02-14 16:21:58 +01:00
|
|
|
## @method private Lemonldap::NG::Portal::_LDAP ldap()
|
2008-12-28 09:36:52 +01:00
|
|
|
# @return Lemonldap::NG::Portal::_LDAP object
|
2008-10-05 20:42:50 +02:00
|
|
|
sub ldap {
|
|
|
|
|
my $self = shift;
|
2009-02-14 16:21:58 +01:00
|
|
|
return $self->{ldap} if ( ref( $self->{ldap} ) );
|
|
|
|
|
if ( $self->{ldap} = Lemonldap::NG::Portal::_LDAP->new($self)
|
|
|
|
|
and my $mesg = $self->{ldap}->bind )
|
|
|
|
|
{
|
|
|
|
|
return $self->{ldap} if ( $mesg->code == 0 );
|
|
|
|
|
$self->lmLog( "LDAP error : " . $mesg->error, 'error' );
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
$self->lmLog( "LDAP error : $@", 'error' );
|
2008-10-07 22:15:48 +02:00
|
|
|
}
|
2009-02-14 16:21:58 +01:00
|
|
|
return 0;
|
2008-10-05 20:42:50 +02:00
|
|
|
}
|
|
|
|
|
|
2008-12-03 17:43:31 +01:00
|
|
|
*_formateFilter = *Lemonldap::NG::Portal::UserDBLDAP::formateFilter;
|
2009-02-14 16:21:58 +01:00
|
|
|
*_search = *Lemonldap::NG::Portal::UserDBLDAP::search;
|
2008-12-03 17:43:31 +01:00
|
|
|
|
2008-12-28 09:36:52 +01:00
|
|
|
## @method int authenticate()
|
2008-12-26 18:58:48 +01:00
|
|
|
# Authenticate user by LDAP mechanism.
|
2008-12-28 09:36:52 +01:00
|
|
|
# @return Lemonldap::NG::Portal constant
|
2008-06-06 14:42:35 +02:00
|
|
|
sub authenticate {
|
|
|
|
|
my $self = shift;
|
2008-10-07 22:15:48 +02:00
|
|
|
unless ( $self->ldap ) {
|
|
|
|
|
return PE_LDAPCONNECTFAILED;
|
|
|
|
|
}
|
|
|
|
|
|
2008-12-03 17:43:31 +01:00
|
|
|
# Set the dn unless done before
|
2009-02-12 20:48:53 +01:00
|
|
|
unless ( $self->{dn} ) {
|
2008-12-03 17:43:31 +01:00
|
|
|
my $tmp = $self->_subProcess(qw(_formateFilter _search));
|
2009-02-12 20:48:53 +01:00
|
|
|
return $tmp if ($tmp);
|
2008-12-03 17:43:31 +01:00
|
|
|
}
|
|
|
|
|
|
2008-06-06 14:42:35 +02:00
|
|
|
# Check if we use Ppolicy control
|
|
|
|
|
if ( $self->{ldapPpolicyControl} ) {
|
|
|
|
|
|
|
|
|
|
# require Perl module
|
|
|
|
|
eval 'require Net::LDAP::Control::PasswordPolicy';
|
2008-07-18 15:52:11 +02:00
|
|
|
if ($@) {
|
2009-02-14 16:21:58 +01:00
|
|
|
$self->lmLog(
|
|
|
|
|
"Module Net::LDAP::Control::PasswordPolicy not found in @INC",
|
|
|
|
|
'error' );
|
2008-07-18 15:52:11 +02:00
|
|
|
return PE_LDAPERROR;
|
2008-08-08 18:19:16 +02:00
|
|
|
}
|
2008-06-06 14:42:35 +02:00
|
|
|
no strict 'subs';
|
|
|
|
|
|
|
|
|
|
# Create Control object
|
2009-02-14 16:21:58 +01:00
|
|
|
my $pp = Net::LDAP::Control::PasswordPolicy->new();
|
2008-06-06 14:42:35 +02:00
|
|
|
|
|
|
|
|
# Bind with user credentials
|
2008-10-07 22:15:48 +02:00
|
|
|
my $mesg = $self->ldap->bind(
|
2008-06-06 14:42:35 +02:00
|
|
|
$self->{dn},
|
|
|
|
|
password => $self->{password},
|
|
|
|
|
control => [$pp]
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
# Get server control response
|
2008-07-18 15:52:11 +02:00
|
|
|
my ($resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
|
2008-06-06 14:42:35 +02:00
|
|
|
|
2008-10-07 22:15:48 +02:00
|
|
|
# Get expiration warning and graces
|
|
|
|
|
$self->{ppolicy}->{time_before_expiration} =
|
|
|
|
|
$resp->time_before_expiration;
|
|
|
|
|
$self->{ppolicy}->{grace_authentications_remaining} =
|
|
|
|
|
$resp->grace_authentications_remaining;
|
2008-09-18 10:34:17 +02:00
|
|
|
|
|
|
|
|
# Get bind response
|
|
|
|
|
return PE_OK if ( $mesg->code == 0 );
|
|
|
|
|
|
2008-06-06 14:42:35 +02:00
|
|
|
if ( defined $resp ) {
|
2008-09-18 10:34:17 +02:00
|
|
|
my $pp_error = $resp->pp_error;
|
2008-06-27 10:49:20 +02:00
|
|
|
if ( defined $pp_error ) {
|
2008-08-08 18:19:16 +02:00
|
|
|
return [
|
|
|
|
|
PE_PP_PASSWORD_EXPIRED,
|
|
|
|
|
PE_PP_ACCOUNT_LOCKED,
|
|
|
|
|
PE_PP_CHANGE_AFTER_RESET,
|
|
|
|
|
PE_PP_PASSWORD_MOD_NOT_ALLOWED,
|
|
|
|
|
PE_PP_MUST_SUPPLY_OLD_PASSWORD,
|
|
|
|
|
PE_PP_INSUFFICIENT_PASSWORD_QUALITY,
|
|
|
|
|
PE_PP_PASSWORD_TOO_SHORT,
|
|
|
|
|
PE_PP_PASSWORD_TOO_YOUNG,
|
|
|
|
|
PE_PP_PASSWORD_IN_HISTORY,
|
|
|
|
|
]->[$pp_error];
|
2008-06-06 14:42:35 +02:00
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
return PE_BADCREDENTIALS;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
return PE_LDAPERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else {
|
2008-11-21 18:51:52 +01:00
|
|
|
my $mesg =
|
|
|
|
|
$self->ldap->bind( $self->{dn}, password => $self->{password} );
|
|
|
|
|
return PE_BADCREDENTIALS if ( $mesg->code != 0 );
|
2008-06-06 14:42:35 +02:00
|
|
|
}
|
|
|
|
|
$self->{sessionInfo}->{authenticationLevel} = 2;
|
|
|
|
|
PE_OK;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
1;
|
