From 6e1dc4b20b7ba07b5316f4a39f85cef460b84e03 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cl=C3=A9ment=20Oudot?=
Date: Wed, 11 May 2016 13:04:40 +0000
Subject: [PATCH] Apply patch on new trunk LDAP code (#1011)
---
 .../lib/Lemonldap/NG/Portal/Auth/LDAP.pm | 6 +-
 .../lib/Lemonldap/NG/Portal/Lib/LDAP.pm | 75 +++++++++++++++++--
 .../lib/Lemonldap/NG/Portal/Main/Display.pm | 6 +-
 3 files changed, 76 insertions(+), 11 deletions(-)
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/LDAP.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/LDAP.pm
index b60789ca9..487bff524 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/LDAP.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Auth/LDAP.pm
@@ -28,7 +28,11 @@ sub authenticate {
 # Remember password if password reset needed
 $req->datas->{oldpassword} = $self->{password}
- if ( $res == PE_PP_CHANGE_AFTER_RESET );
+ if (
+ $res == PE_PP_CHANGE_AFTER_RESET
+ or ( $res == PE_PP_PASSWORD_EXPIRED
+ and $self->conf->{ldapAllowResetExpiredPassword} )
+ );
 return $res;
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/LDAP.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/LDAP.pm
index d597062ec..4f87f6caa 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/LDAP.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/LDAP.pm
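Review bot: The comment `# Remember password if password reset needed` above the assignment no longer matches the condition, which now also keeps the password when the bind reported PE_PP_PASSWORD_EXPIRED and ldapAllowResetExpiredPassword is set; suggest `# Keep the password for the change-password form: after a forced reset, or after expiry when ldapAllowResetExpiredPassword lets the user renew it`. Because $req->datas->{oldpassword} is later handed to the template as OLDPASSWORD (Display.pm hunk in this patch), turning the option on extends that round trip of the cleartext credential to the expired-password case, which the option's documentation should state. The body of authenticate, including where $res is obtained, lies outside the hunk.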
@@ -393,10 +393,40 @@ sub userModifyPassword {
 # Bind as user if oldpassword and ldapChangePasswordAsUser
 if ( $oldpassword and $asUser ) {
- $mesg = $self->bind( $dn, password => $oldpassword );
- if ( $mesg->code != 0 ) {
- $self->{portal}->lmLog( "Bad old password", 'debug' );
- return PE_BADOLDPASSWORD;
+
+ $mesg = $self->bind(
+ $dn,
+ password => $oldpassword,
+ control => [$pp]
+ );
+ my ($bind_resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
+
+ unless ( defined $bind_resp ) {
+ if ( $mesg->code != 0 ) {
+ $self->{portal}->lmLog( "Bad old password", 'debug' );
+ return PE_BADOLDPASSWORD;
+ }
+ }
+ else {
+
+ # Check if password is expired
+ my $pp_error = $bind_resp->pp_error;
+ if ( defined $pp_error
+ and $pp_error == 0
+ and $self->{conf}->{ldapAllowResetExpiredPassword} )
+ {
+ $self->{portal}->lmLog(
+"Password is expired but user is allowed to change it",
+ 'debug'
+ );
+ }
+ else {
+ if ( $mesg->code != 0 ) {
+ $self->{portal}
+ ->lmLog( "Bad old password", 'debug' );
+ return PE_BADOLDPASSWORD;
+ }
+ }
 }
 }
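Review bot: In the new `else` branch a bind the server refused with pp_error 0 is accepted and userModifyPassword carries on, so in this `$asUser` path the modify that follows (outside the hunk) is no longer performed on a connection bound as the user; this presumably relies on the server reporting passwordExpired only after it verified the credential and on the rebind-as-manager logic further down, and deserves a comment saying so, e.g. `# Expired password: bind refused with ppolicy passwordExpired after the server checked the credential; the connection is not bound as the user from here on`. The literal OID `"1.3.6.1.4.1.42.2.27.8.5.1"` and the bare `0` should be named: Net::LDAP::Constant exports LDAP_CONTROL_PASSWORDPOLICY for the control, and a `use constant PP_PASSWORD_EXPIRED => 0;` at the top of the file would document that 0 is the passwordExpired value of the ppolicy error enumeration. When pp_error is 0 but ldapAllowResetExpiredPassword is off, the code logs and returns "Bad old password" for a password that was in fact correct, so both the log line and the returned error mislead the operator and the user. The same thirty lines are repeated in the next hunk (@@ -428) of this file; a private `_checkOldPassword($dn, $oldpassword, $pp)` returning undef on success and PE_BADOLDPASSWORD otherwise would reduce both sites to `my $err = $self->_checkOldPassword( $dn, $oldpassword, $pp ); return $err if $err;`. `$pp` and the start of userModifyPassword are outside the hunk.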
@@ -428,10 +458,39 @@ sub userModifyPassword {
 if ($oldpassword) {
 # Check old password with a bind
- $mesg = $self->bind( $dn, password => $oldpassword );
- if ( $mesg->code != 0 ) {
- $self->{portal}->lmLog( "Bad old password", 'debug' );
- return PE_BADOLDPASSWORD;
+ $mesg = $self->bind(
+ $dn,
+ password => $oldpassword,
+ control => [$pp]
+ );
+ my ($bind_resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
+
+ unless ( defined $bind_resp ) {
+ if ( $mesg->code != 0 ) {
+ $self->{portal}->lmLog( "Bad old password", 'debug' );
+ return PE_BADOLDPASSWORD;
+ }
+ }
+ else {
+
+ # Check if password is expired
+ my $pp_error = $bind_resp->pp_error;
+ if ( defined $pp_error
+ and $pp_error == 0
+ and $self->{conf}->{ldapAllowResetExpiredPassword} )
+ {
+ $self->{portal}->lmLog(
+"Password is expired but user is allowed to change it",
+ 'debug'
+ );
+ }
+ else {
+ if ( $mesg->code != 0 ) {
+ $self->{portal}
+ ->lmLog( "Bad old password", 'debug' );
+ return PE_BADOLDPASSWORD;
+ }
+ }
 }
 # Rebind as Manager only if user is not granted to change its password
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
index c3f492406..d46e5b91e 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Main/Display.pm
@@ -207,6 +207,8 @@ sub display {
 or $req->{error} == PE_PASSWORD_MISMATCH
 or $req->{error} == PE_BADOLDPASSWORD
 or $req->{error} == PE_PASSWORDFORMEMPTY
+ or ( $req->{error} == PE_PP_PASSWORD_EXPIRED
+ and $self->conf->{ldapAllowResetExpiredPassword} )
 )
 {
 %templateParams = (
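Review bot: The predicate `$req->{error} == PE_PP_PASSWORD_EXPIRED and $self->conf->{ldapAllowResetExpiredPassword}` is now written both here in display and in Auth/LDAP.pm's authenticate (first hunk of this patch); if the two drift, the portal will either keep a password it never shows the form for, or show the form with an empty OLDPASSWORD. A one-line helper on the portal object, e.g. `sub _expiredPasswordIsResettable { my ( $self, $err ) = @_; return $err == PE_PP_PASSWORD_EXPIRED && $self->conf->{ldapAllowResetExpiredPassword}; }`, called from both sites would keep them aligned. The `or` chain and the body of display continue outside the hunk.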
@@ -221,8 +223,8 @@ sub display {
 AUTH_LOOP => [],
 CHOICE_PARAM => $self->conf->{authChoiceParam},
 CHOICE_VALUE => $req->{_authChoice},
- OLDPASSWORD =>
- $self->checkXSSAttack( 'oldpassword', $req->datas->{oldpassword} )
+ OLDPASSWORD => $self->checkXSSAttack( 'oldpassword',
+ $req->datas->{oldpassword} )
 ? "" : $req->datas->{oldpassword},
 HIDE_OLDPASSWORD => $self->conf->{hideOldPassword},