diff --git a/build/lemonldap-ng/doc/4.1-Configuration-parameter-list.html b/build/lemonldap-ng/doc/4.1-Configuration-parameter-list.html
index e3585d993..7a0f25fbb 100644
--- a/build/lemonldap-ng/doc/4.1-Configuration-parameter-list.html
+++ b/build/lemonldap-ng/doc/4.1-Configuration-parameter-list.html
@@ -1533,6 +1533,16 @@ level1Key => { level2Key => 'value' },
Yes |
+
+
+ Change password as user |
+
+ ldapChangePasswordAsUser |
+
+ 1.0 |
+
+ Yes |
+
DBI
diff --git a/build/lemonldap-ng/doc/4.5-SAML-authentication-backend.html b/build/lemonldap-ng/doc/4.5-SAML-authentication-backend.html
index 656bb6167..1a07d68e8 100644
--- a/build/lemonldap-ng/doc/4.5-SAML-authentication-backend.html
+++ b/build/lemonldap-ng/doc/4.5-SAML-authentication-backend.html
@@ -278,8 +278,6 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
Signed Authentication Request: set to On to require signed
authentication request. Off by default.
- Protocol: Protocol support enumeration string. Do not change.
-
Signing Key: load your public key file.
@@ -305,10 +303,6 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
Default: will this binding be used by default for authentication
response
- Index: Do not change.
-
- Binding: SAML2 binding string. Do not change.
-
Location: Access Point for SSO request and response. Change this
value to fit your portal URL.
diff --git a/build/lemonldap-ng/doc/4.7-LDAP-password-backend.html b/build/lemonldap-ng/doc/4.7-LDAP-password-backend.html
index bfb1c0562..79fbc7655 100644
--- a/build/lemonldap-ng/doc/4.7-LDAP-password-backend.html
+++ b/build/lemonldap-ng/doc/4.7-LDAP-password-backend.html
@@ -97,11 +97,23 @@ passwordDB => LDAP,
You can also set these:
- - ldapSetPassword: set to '1' to use the LDAP extended operation
- "password modify" instead of standard modify operation.
+ - ldapPpolicyControl: set to '1' to
+ use LDAP password policy.
- - mailLDAPFilter: filter to use with user submitted email. By
- default:
+ - ldapSetPassword: set to '1' to use
+ the LDAP extended operation "password modify" instead of standard modify
+ operation.
+
+ - ldapChangePasswordAsUser: set to '1'
+ to perfom password modification with credentials of connected user. This
+ requires to active the portalRequireOldPassword option too.
+
+ - portalRequireOldPassword: set to '1'
+ to require old password when changing the password.
+
+ - mailLDAPFilter: filter to use with
+ user submitted email. By default:
diff --git a/modules/lemonldap-ng-manager/example/skins/default/manager.js b/modules/lemonldap-ng-manager/example/skins/default/manager.js
index 0fcf0bcca..b49434785 100644
--- a/modules/lemonldap-ng-manager/example/skins/default/manager.js
+++ b/modules/lemonldap-ng-manager/example/skins/default/manager.js
@@ -367,9 +367,9 @@ function passworddbParams(id) {
currentId=id;
$('#authOptions').hide();
formateSelect('authText',[
- 'DBI:Database (DBI)',
- 'LDAP:LDAP',
- 'Null:None'
+ 'DBI=Database (DBI)',
+ 'LDAP=LDAP',
+ 'Null=None'
],lmdata(id));
display('authParams',lmtext(id));
}
diff --git a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
index c6bd83825..6af012468 100644
--- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
+++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm
@@ -236,9 +236,13 @@ sub struct {
},
ldapPassword => {
- _nodes => [qw(ldapPpolicyControl ldapSetPassword)],
+ _nodes => [
+ qw(ldapPpolicyControl ldapSetPassword ldapChangePasswordAsUser)
+ ],
ldapPpolicyControl => 'bool:/ldapPpolicyControl',
ldapSetPassword => 'bool:/ldapSetPassword',
+ ldapChangePasswordAsUser =>
+ 'bool:/ldapChangePasswordAsUser',
},
},
@@ -794,6 +798,7 @@ sub testStruct {
},
ldapPpolicyControl => $boolean,
ldapSetPassword => $boolean,
+ ldapChangePasswordAsUser => $boolean,
mailLDAPFilter => $testNotDefined,
LDAPFilter => $testNotDefined,
AuthLDAPFilter => $testNotDefined,
diff --git a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
index 6ca014749..335c2892a 100644
--- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
+++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm
@@ -97,6 +97,7 @@ sub en {
headers => 'HTTP Headers',
https => 'Default value for https parameter',
ldapBase => 'Users search base',
+ ldapChangePasswordAsUser => 'Change as user',
ldapConnection => 'Connection',
ldapFilters => 'Filters',
LDAPFilter => 'Default filter',
@@ -306,6 +307,7 @@ sub fr {
headers => 'En-têtes HTTP',
https => 'Valeur par défaut du paramètre https',
ldapBase => 'Base de recherche des utilisateurs',
+ ldapChangePasswordAsUser => 'Changement en tant qu\'utilisateur',
ldapConnection => 'Connexion',
ldapFilters => 'Filtres',
LDAPFilter => 'Filtre par défaut',
diff --git a/modules/lemonldap-ng-portal/META.yml b/modules/lemonldap-ng-portal/META.yml
index 9998d6e7e..df525f5c7 100644
--- a/modules/lemonldap-ng-portal/META.yml
+++ b/modules/lemonldap-ng-portal/META.yml
@@ -35,3 +35,4 @@ recommends:
Net::OpenID::Consumer: 0
Net::OpenID::Server: 0
Net::Twitter: 0
+ Lasso: 0
diff --git a/modules/lemonldap-ng-portal/Makefile.PL b/modules/lemonldap-ng-portal/Makefile.PL
index ad5a1a99b..6521191dd 100644
--- a/modules/lemonldap-ng-portal/Makefile.PL
+++ b/modules/lemonldap-ng-portal/Makefile.PL
@@ -13,6 +13,7 @@ WriteMakefile(
'Net::OpenID::Server' => 0,
'MIME::Lite' => 0,
'Net::Twitter' => 0,
+ 'Lasso' => 0,
},
},
BUILD_REQUIRES => { 'IO::String' => 0, },
diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_LDAP.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_LDAP.pm
index dd4a9619c..1e504ccdf 100644
--- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_LDAP.pm
+++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_LDAP.pm
@@ -13,7 +13,7 @@ use strict;
our @EXPORT = qw(ldap);
-our $VERSION = '0.2';
+our $VERSION = '0.3';
## @cmethod Lemonldap::NG::Portal::_LDAP new(Lemonldap::NG::Portal::Simple portal)
# Build a Net::LDAP object using parameters issued from $portal
@@ -97,7 +97,16 @@ sub loadPP {
my $self = shift;
return 1 if ($ppLoaded);
- # require Perl module
+ # Minimal version of Net::LDAP required
+ eval { use Net::LDAP 0.38 };
+ if ($@) {
+ $self->{portal}->lmLog(
+ "Module Net::LDAP is too old for password policy, please install version 0.38 or higher",
+ 'error' );
+ return 0;
+ }
+
+ # Require Perl module
eval { require Net::LDAP::Control::PasswordPolicy };
if ($@) {
$self->{portal}->lmLog(
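Review bot: The version guard `eval { use Net::LDAP 0.38 };` does not do what the log message promises: `use` runs at compile time, so if Net::LDAP is older than 0.38 the whole module fails to compile when it is loaded, and the runtime `eval` never sees the error — `$@` stays empty and the "too old" branch is unreachable. Replace it with a runtime check that the `eval` can actually catch, `eval { require Net::LDAP; Net::LDAP->VERSION(0.38); };`. If the intent was a hard requirement rather than a graceful fallback, then the `if ($@)` block is dead code and the `use` line belongs at the top of the file with the other imports; either way the two should agree. loadPP continues past the end of this hunk.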
@@ -198,6 +207,13 @@ sub userModifyPassword {
if ( $self->{portal}->{ldapSetPassword} ) {
+ # Bind as user if oldpassword and ldapChangePasswordAsUser
+ if ( $oldpassword and $self->{ldapChangePasswordAsUser} ) {
+
+ $mesg = $self->bind( $dn, password => $oldpassword );
+ return PE_BADOLDPASSWORD if ( $mesg->code != 0 );
+ }
+
# Use SetPassword extended operation
use Net::LDAP::Extension::SetPassword;
$mesg =
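Review bot: The new guard reads the option from the LDAP object, `$self->{ldapChangePasswordAsUser}`, whereas every other configuration lookup in this file — including the rebind guard added further down in the same commit — goes through `$self->{portal}->{ldapChangePasswordAsUser}`. Unless `new()` (outside this hunk) copies that key onto the Net::LDAP object, the condition is always false and the SetPassword extended operation keeps running under the manager bind even when the administrator asked for user-credential changes, which is the very guarantee this option exists to provide. Change the condition to `if ( $oldpassword and $self->{portal}->{ldapChangePasswordAsUser} ) {` so both paths consult the same source. Note also that when the option is on but `$oldpassword` is empty (portalRequireOldPassword unset), the code silently falls back to the manager bind rather than refusing; the documentation says the two options must be enabled together, but nothing here enforces it. userModifyPassword begins before this hunk.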
@@ -222,8 +238,9 @@ sub userModifyPassword {
$mesg = $self->bind( $dn, password => $oldpassword );
return PE_BADOLDPASSWORD if ( $mesg->code != 0 );
- # Rebind as Manager
- $self->bind();
+ # Rebind as Manager only if user is not granted to change its password
+ $self->bind()
+ unless $self->{portal}->{ldapChangePasswordAsUser};
}
# Use standard modification
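Review bot: Skipping the manager rebind only affects the branch where an old password was supplied and the user bind succeeded; if `ldapChangePasswordAsUser` is enabled but no old password reached this point, the standard modify below still executes with the manager's privileges, so the option degrades silently instead of failing closed. Since the docs state the option requires portalRequireOldPassword, it would be safer to enforce that here, e.g. before the modify: `return PE_BADOLDPASSWORD if ( $self->{portal}->{ldapChangePasswordAsUser} and not $oldpassword );`. The opening of the `if ($oldpassword)`-style block that contains the user bind is outside this hunk, as is the rest of userModifyPassword, so I am inferring the surrounding structure from the context lines.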
@@ -245,6 +262,13 @@ sub userModifyPassword {
if ( $self->{portal}->{ldapSetPassword} ) {
+ # Bind as user if oldpassword and ldapChangePasswordAsUser
+ if ( $oldpassword and $self->{ldapChangePasswordAsUser} ) {
+
+ $mesg = $self->bind( $dn, password => $oldpassword );
+ return PE_BADOLDPASSWORD if ( $mesg->code != 0 );
+ }
+
# Use SetPassword extended operation
# Warning: need a patch on Perl-LDAP
# See http://groups.google.com/group/perl.ldap/browse_thread/thread/5703a41ccb17b221/377a68f872cc2bb4?lnk=gst&q=setpassword#377a68f872cc2bb4
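Review bot: This bind-as-user block is a verbatim copy of the one added earlier in the same function for the non-ppolicy SetPassword path, and it repeats the same `$self->{ldapChangePasswordAsUser}` lookup that the rest of the file expresses as `$self->{portal}->{ldapChangePasswordAsUser}`; unless `new()` copies the option onto the LDAP object, neither copy will ever trigger. Two identical three-line blocks that must stay in sync are a maintenance risk for a security check; factor them into one private helper such as `sub _bindAsUserIfRequested { my ($self, $dn, $oldpassword) = @_; ... }` that returns PE_BADOLDPASSWORD on failure, and call it from both paths. userModifyPassword starts and ends outside this hunk.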
@@ -273,8 +297,9 @@ sub userModifyPassword {
$mesg = $self->bind( $dn, password => $oldpassword );
return PE_BADOLDPASSWORD if ( $mesg->code != 0 );
- # Rebind as Manager
- $self->bind();
+ # Rebind as Manager only if user is not granted to change its password
+ $self->bind()
+ unless $self->{portal}->{ldapChangePasswordAsUser};
}
# Use standard modification
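Review bot: When the rebind is skipped here the Net::LDAP handle stays bound as the end user for the remainder of the request, not just for the modify that follows; any later operation on the same handle (for example a ppolicy-related search, if one happens after this point — I cannot see the rest of the function) would then run with the user's privileges rather than the manager's, which may be the intent but is not stated. Add a comment making that explicit, e.g. `# Connection remains bound as the user from here on; do not rely on manager rights below`, or rebind as manager once the modify has completed if later code expects manager privileges. As in the ppolicy branch above, the option is only honoured when an old password was supplied, so an `ldapChangePasswordAsUser` setting without portalRequireOldPassword still results in a manager-bound modify. userModifyPassword continues past this hunk.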