Manage reset at next logon message from AD (#513, #LEMONLDAP-409)
This commit is contained in:
parent
5a6054c396
commit
a731fbf66c
|
@ -8,10 +8,23 @@ package Lemonldap::NG::Portal::AuthAD;
|
||||||
use strict;
|
use strict;
|
||||||
|
|
||||||
our $VERSION = '1.3.0';
|
our $VERSION = '1.3.0';
|
||||||
|
use Lemonldap::NG::Portal::Simple;
|
||||||
use base qw(Lemonldap::NG::Portal::AuthLDAP);
|
use base qw(Lemonldap::NG::Portal::AuthLDAP);
|
||||||
|
|
||||||
*_formateFilter = *Lemonldap::NG::Portal::UserDBAD::formateFilter;
|
*_formateFilter = *Lemonldap::NG::Portal::UserDBAD::formateFilter;
|
||||||
|
|
||||||
|
## @apmethod int authInit()
|
||||||
|
# Add specific attributes for search
|
||||||
|
# @return Lemonldap::NG::Portal constant
|
||||||
|
sub authInit {
|
||||||
|
my $self = shift;
|
||||||
|
|
||||||
|
$self->{exportedVars}->{_AD_pwdLastSet} = 'pwdLastSet';
|
||||||
|
$self->{exportedVars}->{_AD_userAccountControl} = 'userAccountControl';
|
||||||
|
|
||||||
|
return $self->SUPER::authInit();
|
||||||
|
}
|
||||||
|
|
||||||
## @apmethod int authenticate()
|
## @apmethod int authenticate()
|
||||||
# Authenticate user by LDAP mechanism.
|
# Authenticate user by LDAP mechanism.
|
||||||
# Check AD specific attribute to get password state.
|
# Check AD specific attribute to get password state.
|
||||||
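Review bot: The new `authInit` assigns `$self->{exportedVars}->{_AD_pwdLastSet}` and `$self->{exportedVars}->{_AD_userAccountControl}` unconditionally, so an administrator-configured variable with either name is silently overwritten, and the header comment `# Add specific attributes for search` does not say that these two values presumably also end up in the session as exported variables. `userAccountControl` is requested here but nothing in this commit reads it (the authenticate hunk at L105 only uses pwdLastSet); either drop it or document the intended consumer, since account-control flags are then exposed wherever session variables are. I would extend the comment to `# Add AD attributes to the LDAP search (they become exported variables): pwdLastSet drives the reset-at-next-logon check in authenticate()` and use `||=` for both assignments if an existing mapping should win.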
|
@ -21,8 +34,22 @@ sub authenticate {
|
||||||
|
|
||||||
my $res = $self->SUPER::authenticate;
|
my $res = $self->SUPER::authenticate;
|
||||||
|
|
||||||
# Check specific AD attributes
|
unless ( $res == PE_OK ) {
|
||||||
# TODO
|
|
||||||
|
# Check specific AD attributes
|
||||||
|
my $pls = $self->{entry}->get_value('pwdLastSet');
|
||||||
|
|
||||||
|
# Password must be changed if pwdLastSet 0
|
||||||
|
if ( $pls == 0 ) {
|
||||||
|
$self->lmLog( "[AD] User must change its password", 'debug' );
|
||||||
|
return PE_PP_CHANGE_AFTER_RESET;
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
# Remember password if password reset needed
|
||||||
|
$self->{oldpassword} = $self->{password}
|
||||||
|
if ( $res == PE_PP_CHANGE_AFTER_RESET );
|
||||||
|
|
||||||
return $res;
|
return $res;
|
||||||
}
|
}
|
||||||
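Review bot: `if ( $pls == 0 )` also fires when `get_value('pwdLastSet')` returns undef, because undef numifies to 0, so any failed bind for an entry without that attribute is reported as PE_PP_CHANGE_AFTER_RESET instead of the real error; guard it with `if ( defined $pls and $pls == 0 ) {`. The `unless ( $res == PE_OK )` gate does not distinguish a plain wrong password from the forced-reset bind failure, so a wrong password for an account with pwdLastSet 0 is turned into a change-password response, the response differs by account state, and the wrong password is then kept as `$self->{oldpassword}`; if SUPER::authenticate makes the bind result available, gate on the reset-specific failure rather than on any non-PE_OK. `$self->{entry}` is presumably set by the superclass before this point, but if the user search itself failed it may be undef and the `get_value` call would die, so a `defined` check or a comment stating that invariant belongs here. authenticate's signature is outside the hunk.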
|
|
|
@ -248,12 +248,13 @@ sub userModifyPassword {
|
||||||
if ($ad) {
|
if ($ad) {
|
||||||
$ppolicyControl = 0;
|
$ppolicyControl = 0;
|
||||||
$setPassword = 0;
|
$setPassword = 0;
|
||||||
$asUser = 0;
|
|
||||||
$passwordAttribute = "unicodePwd";
|
$passwordAttribute = "unicodePwd";
|
||||||
|
|
||||||
# Encode password for AD
|
# Encode password for AD
|
||||||
$newpassword = utf8( chr(34) . $newpassword . chr(34) )->utf16le();
|
$newpassword = utf8( chr(34) . $newpassword . chr(34) )->utf16le();
|
||||||
|
if ($oldpassword) {
|
||||||
|
$oldpassword = utf8( chr(34) . $oldpassword . chr(34) )->utf16le();
|
||||||
|
}
|
||||||
$self->{portal}->lmLog( "Active Directory mode enabled", 'debug' );
|
$self->{portal}->lmLog( "Active Directory mode enabled", 'debug' );
|
||||||
|
|
||||||
}
|
}
|
||||||
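Review bot: Dropping `$asUser = 0;` changes the AD `replace` path: after the old-password bind in the next hunk, `$self->bind() unless $asUser;` now honours the configured as-user value for AD too, and a `replace` of `unicodePwd` issued while still bound as the user is, as far as I know, refused by AD, which only accepts that form as an administrative reset. If that is intended because the delete/add branch now covers the as-user case, say so in the commit message or in a comment next to `$passwordAttribute = "unicodePwd";`; otherwise keep `$asUser = 0;` until the replace path is only reached with a manager bind. The `if ($oldpassword)` encoding block matches the `$newpassword` line above it. userModifyPassword starts and ends outside this hunk.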
|
@ -294,27 +295,41 @@ sub userModifyPassword {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
if ($requireOldPassword) {
|
|
||||||
|
|
||||||
return PE_MUST_SUPPLY_OLD_PASSWORD if ( !$oldpassword );
|
# AD specific
|
||||||
|
# Change password as user with a delete/add modification
|
||||||
|
if ( $ad and $oldpassword ) {
|
||||||
|
|
||||||
# Check old password with a bind
|
$mesg = $self->modify(
|
||||||
$mesg = $self->bind( $dn, password => $oldpassword );
|
$dn,
|
||||||
if ( $mesg->code != 0 ) {
|
delete => { $passwordAttribute => $oldpassword },
|
||||||
$self->{portal}->lmLog( "Bad old password", 'debug' );
|
add => { $passwordAttribute => $newpassword }
|
||||||
return PE_BADOLDPASSWORD;
|
);
|
||||||
}
|
|
||||||
|
|
||||||
# Rebind as Manager only if user is not granted to change its password
|
|
||||||
$self->bind() unless $asUser;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
# Use standard modification
|
else {
|
||||||
$mesg =
|
if ($requireOldPassword) {
|
||||||
$self->modify( $dn,
|
|
||||||
replace => { $passwordAttribute => $newpassword } );
|
|
||||||
}
|
|
||||||
|
|
||||||
|
return PE_MUST_SUPPLY_OLD_PASSWORD if ( !$oldpassword );
|
||||||
|
|
||||||
|
# Check old password with a bind
|
||||||
|
$mesg = $self->bind( $dn, password => $oldpassword );
|
||||||
|
if ( $mesg->code != 0 ) {
|
||||||
|
$self->{portal}->lmLog( "Bad old password", 'debug' );
|
||||||
|
return PE_BADOLDPASSWORD;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Rebind as Manager only if user is not granted to change its password
|
||||||
|
$self->bind() unless $asUser;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Use standard modification
|
||||||
|
$mesg =
|
||||||
|
$self->modify( $dn,
|
||||||
|
replace => { $passwordAttribute => $newpassword } );
|
||||||
|
}
|
||||||
|
}
|
||||||
$self->{portal}
|
$self->{portal}
|
||||||
->lmLog( "Modification return code: " . $mesg->code, 'debug' );
|
->lmLog( "Modification return code: " . $mesg->code, 'debug' );
|
||||||
return PE_WRONGMANAGERACCOUNT
|
return PE_WRONGMANAGERACCOUNT
|
||||||
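Review bot: In the new `if ( $ad and $oldpassword )` branch the old password is never verified by a bind; its correctness is checked only by the directory when the delete/add modification is applied, and a non-zero result then falls through to the generic `Modification return code` log and, judging by the `return PE_WRONGMANAGERACCOUNT` that follows, is likely reported as a manager-account problem rather than as a bad old password (the mapping itself is outside the hunk). Combined with authenticate() storing the submitted password as `$self->{oldpassword}` even when the bind failed, a wrong password at login would surface here with the wrong error and no trace of the cause. At least log the directory's reason in this branch, `$self->{portal}->lmLog( "AD password change failed: " . $mesg->error, 'debug' ) if $mesg->code;`, and consider mapping the AD-specific result to PE_BADOLDPASSWORD once the mapping below is adjusted. The comment `# Change password as user with a delete/add modification` is also misleading: no bind as the user happens in this branch, the modify runs under whatever bind is current (presumably the manager's). The enclosing else and userModifyPassword start and end outside the hunk.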
|
@ -444,7 +459,9 @@ sub ldap {
|
||||||
$self->lmLog( "LDAP error: " . $mesg->error, 'error' );
|
$self->lmLog( "LDAP error: " . $mesg->error, 'error' );
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
if ( $self->{ldapPpolicyControl} and not $self->{ldap}->loadPP() ) {
|
if ( $self->{ldapPpolicyControl}
|
||||||
|
and not $self->{ldap}->loadPP() )
|
||||||
|
{
|
||||||
$self->lmLog( "LDAP password policy error", 'error' );
|
$self->lmLog( "LDAP password policy error", 'error' );
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
|
|