From bac76b680d61b6690a6d80196172b8f3e5f91dd6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Cl=C3=A9ment=20Oudot?= Date: Wed, 24 Mar 2010 10:00:52 +0000 Subject: [PATCH] LDAP: option to change the password as user (and not as managerDn) --- .../doc/4.1-Configuration-parameter-list.html | 10 +++++ .../doc/4.5-SAML-authentication-backend.html | 6 --- .../doc/4.7-LDAP-password-backend.html | 20 ++++++++-- .../example/skins/default/manager.js | 6 +-- .../lib/Lemonldap/NG/Manager/_Struct.pm | 7 +++- .../lib/Lemonldap/NG/Manager/_i18n.pm | 2 + modules/lemonldap-ng-portal/META.yml | 1 + modules/lemonldap-ng-portal/Makefile.PL | 1 + .../lib/Lemonldap/NG/Portal/_LDAP.pm | 37 ++++++++++++++++--- 9 files changed, 70 insertions(+), 20 deletions(-) diff --git a/build/lemonldap-ng/doc/4.1-Configuration-parameter-list.html b/build/lemonldap-ng/doc/4.1-Configuration-parameter-list.html index e3585d993..7a0f25fbb 100644 --- a/build/lemonldap-ng/doc/4.1-Configuration-parameter-list.html +++ b/build/lemonldap-ng/doc/4.1-Configuration-parameter-list.html @@ -1533,6 +1533,16 @@ level1Key => { level2Key => 'value' }, Yes + + + Change password as user + + ldapChangePasswordAsUser + + 1.0 + + Yes +

DBI


diff --git a/build/lemonldap-ng/doc/4.5-SAML-authentication-backend.html b/build/lemonldap-ng/doc/4.5-SAML-authentication-backend.html index 656bb6167..1a07d68e8 100644 --- a/build/lemonldap-ng/doc/4.5-SAML-authentication-backend.html +++ b/build/lemonldap-ng/doc/4.5-SAML-authentication-backend.html @@ -278,8 +278,6 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
  • Signed Authentication Request: set to On to require signed authentication request. Off by default.
  • -
  • Protocol: Protocol support enumeration string. Do not change.
  • -
  • Signing Key: load your public key file.
  • @@ -305,10 +303,6 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
  • Default: will this binding be used by default for authentication response
  • -
  • Index: Do not change.
  • - -
  • Binding: SAML2 binding string. Do not change.
  • -
  • Location: Access Point for SSO request and response. Change this value to fit your portal URL.
  • diff --git a/build/lemonldap-ng/doc/4.7-LDAP-password-backend.html b/build/lemonldap-ng/doc/4.7-LDAP-password-backend.html index bfb1c0562..79fbc7655 100644 --- a/build/lemonldap-ng/doc/4.7-LDAP-password-backend.html +++ b/build/lemonldap-ng/doc/4.7-LDAP-password-backend.html @@ -97,11 +97,23 @@ passwordDB => LDAP, You can also set these:
    diff --git a/modules/lemonldap-ng-manager/example/skins/default/manager.js b/modules/lemonldap-ng-manager/example/skins/default/manager.js index 0fcf0bcca..b49434785 100644 --- a/modules/lemonldap-ng-manager/example/skins/default/manager.js +++ b/modules/lemonldap-ng-manager/example/skins/default/manager.js @@ -367,9 +367,9 @@ function passworddbParams(id) { currentId=id; $('#authOptions').hide(); formateSelect('authText',[ - 'DBI:Database (DBI)', - 'LDAP:LDAP', - 'Null:None' + 'DBI=Database (DBI)', + 'LDAP=LDAP', + 'Null=None' ],lmdata(id)); display('authParams',lmtext(id)); } diff --git a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm index c6bd83825..6af012468 100644 --- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm +++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_Struct.pm @@ -236,9 +236,13 @@ sub struct { }, ldapPassword => { - _nodes => [qw(ldapPpolicyControl ldapSetPassword)], + _nodes => [ + qw(ldapPpolicyControl ldapSetPassword ldapChangePasswordAsUser) + ], ldapPpolicyControl => 'bool:/ldapPpolicyControl', ldapSetPassword => 'bool:/ldapSetPassword', + ldapChangePasswordAsUser => + 'bool:/ldapChangePasswordAsUser', }, }, @@ -794,6 +798,7 @@ sub testStruct { }, ldapPpolicyControl => $boolean, ldapSetPassword => $boolean, + ldapChangePasswordAsUser => $boolean, mailLDAPFilter => $testNotDefined, LDAPFilter => $testNotDefined, AuthLDAPFilter => $testNotDefined, diff --git a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm index 6ca014749..335c2892a 100644 --- a/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm +++ b/modules/lemonldap-ng-manager/lib/Lemonldap/NG/Manager/_i18n.pm 
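Review bot: The separator change from ':' to '=' in the passworddbParams select list is unrelated to the LDAP option named in the subject, as are the `Lasso: 0` additions to META.yml and Makefile.PL and the removed SAML documentation entries earlier in the patch; they should be a separate commit or at least get a sentence in the description. Whether formateSelect now splits on '=' cannot be checked from this diff; if the sibling authParams list it mirrors still uses ':' (not shown), one of the two will render wrongly, so that call site is worth a look. passworddbParams' signature appears only in the hunk header, so its opening line is outside the hunk.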
@@ -97,6 +97,7 @@ sub en { headers => 'HTTP Headers', https => 'Default value for https parameter', ldapBase => 'Users search base', + ldapChangePasswordAsUser => 'Change as user', ldapConnection => 'Connection', ldapFilters => 'Filters', LDAPFilter => 'Default filter', @@ -306,6 +307,7 @@ sub fr { headers => 'En-têtes HTTP', https => 'Valeur par défaut du paramètre https', ldapBase => 'Base de recherche des utilisateurs', + ldapChangePasswordAsUser => 'Changement en tant qu\'utilisateur', ldapConnection => 'Connexion', ldapFilters => 'Filtres', LDAPFilter => 'Filtre par défaut', diff --git a/modules/lemonldap-ng-portal/META.yml b/modules/lemonldap-ng-portal/META.yml index 9998d6e7e..df525f5c7 100644 --- a/modules/lemonldap-ng-portal/META.yml +++ b/modules/lemonldap-ng-portal/META.yml @@ -35,3 +35,4 @@ recommends: Net::OpenID::Consumer: 0 Net::OpenID::Server: 0 Net::Twitter: 0 + Lasso: 0 diff --git a/modules/lemonldap-ng-portal/Makefile.PL b/modules/lemonldap-ng-portal/Makefile.PL index ad5a1a99b..6521191dd 100644 --- a/modules/lemonldap-ng-portal/Makefile.PL +++ b/modules/lemonldap-ng-portal/Makefile.PL @@ -13,6 +13,7 @@ WriteMakefile( 'Net::OpenID::Server' => 0, 'MIME::Lite' => 0, 'Net::Twitter' => 0, + 'Lasso' => 0, }, }, BUILD_REQUIRES => { 'IO::String' => 0, }, diff --git a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_LDAP.pm b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_LDAP.pm index dd4a9619c..1e504ccdf 100644 --- a/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_LDAP.pm +++ b/modules/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/_LDAP.pm @@ -13,7 +13,7 @@ use strict; our @EXPORT = qw(ldap); -our $VERSION = '0.2'; +our $VERSION = '0.3'; ## @cmethod Lemonldap::NG::Portal::_LDAP new(Lemonldap::NG::Portal::Simple portal) # Build a Net::LDAP object using parameters issued from $portal 
@@ -97,7 +97,16 @@ sub loadPP { my $self = shift; return 1 if ($ppLoaded); - # require Perl module + # Minimal version of Net::LDAP required + eval { use Net::LDAP 0.38 }; + if ($@) { + $self->{portal}->lmLog( + "Module Net::LDAP is too old for password policy, please install version 0.38 or higher", + 'error' ); + return 0; + } + + # Require Perl module eval { require Net::LDAP::Control::PasswordPolicy }; if ($@) { $self->{portal}->lmLog( @@ -198,6 +207,13 @@ sub userModifyPassword { if ( $self->{portal}->{ldapSetPassword} ) { + # Bind as user if oldpassword and ldapChangePasswordAsUser + if ( $oldpassword and $self->{ldapChangePasswordAsUser} ) { + + $mesg = $self->bind( $dn, password => $oldpassword ); + return PE_BADOLDPASSWORD if ( $mesg->code != 0 ); + } + # Use SetPassword extended operation use Net::LDAP::Extension::SetPassword; $mesg = @@ -222,8 +238,9 @@ sub userModifyPassword { $mesg = $self->bind( $dn, password => $oldpassword ); return PE_BADOLDPASSWORD if ( $mesg->code != 0 ); - # Rebind as Manager - $self->bind(); + # Rebind as Manager only if user is not granted to change its password + $self->bind() + unless $self->{portal}->{ldapChangePasswordAsUser}; } # Use standard modification @@ -245,6 +262,13 @@ sub userModifyPassword { if ( $self->{portal}->{ldapSetPassword} ) { + # Bind as user if oldpassword and ldapChangePasswordAsUser + if ( $oldpassword and $self->{ldapChangePasswordAsUser} ) { + + $mesg = $self->bind( $dn, password => $oldpassword ); + return PE_BADOLDPASSWORD if ( $mesg->code != 0 ); + } + # Use SetPassword extended operation # Warning: need a patch on Perl-LDAP # See http://groups.google.com/group/perl.ldap/browse_thread/thread/5703a41ccb17b221/377a68f872cc2bb4?lnk=gst&q=setpassword#377a68f872cc2bb4 
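Review bot: `eval { use Net::LDAP 0.38 };` does not do what the following `if ($@)` expects: `use` is executed at compile time, so with an older Net::LDAP the compilation of _LDAP.pm itself aborts with "Net::LDAP version 0.38 required" instead of setting `$@`, and the lmLog/`return 0` branch is dead code. The runtime form is `eval { require Net::LDAP; Net::LDAP->VERSION(0.38) };`, which also matches the `eval { require Net::LDAP::Control::PasswordPolicy }` line directly below. loadPP's body continues outside the hunk.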
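Review bot: The new guard in the ldapSetPassword branch reads `$self->{ldapChangePasswordAsUser}`, while the rebind logic in the @@ -222 hunk and the manager struct added by this same commit key the option as `$self->{portal}->{ldapChangePasswordAsUser}`; unless the constructor copies portal options onto the Net::LDAP object (not visible here), this condition is never true and SetPassword keeps running as the manager DN even when the option is enabled, silently defeating it. Use `if ( $oldpassword and $self->{portal}->{ldapChangePasswordAsUser} ) {` here and in the identical block of the @@ -245 hunk. Note also that after a failed user bind the shared handle is no longer bound as the manager and the function returns PE_BADOLDPASSWORD without rebinding, so any later use of `$self` in this request would run with whatever identity the server kept; the pre-existing standard-modify branch has the same shape, so if that is acceptable a short comment saying so here would help. userModifyPassword starts and ends outside the hunk.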
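Review bot: Skipping the manager rebind with `$self->bind() unless $self->{portal}->{ldapChangePasswordAsUser};` makes the following modify run with the user's own rights, which is the point of the option, but it also leaves the handle bound as the user for every later operation in this request (for instance any re-read after the modify, if one exists outside the hunk); the comment should state that, e.g. `# Rebind as manager only when the user may not change its own password; otherwise the handle intentionally stays bound as the user for the rest of this request`. The same applies to the identical lines in the @@ -273 hunk. Also, these `unless` lines use `$self->{portal}->{ldapChangePasswordAsUser}` whereas the new bind guard in the SetPassword branch uses `$self->{ldapChangePasswordAsUser}`; the two spellings should agree. userModifyPassword starts and ends outside the hunk.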
@@ -273,8 +297,9 @@ sub userModifyPassword { $mesg = $self->bind( $dn, password => $oldpassword ); return PE_BADOLDPASSWORD if ( $mesg->code != 0 ); - # Rebind as Manager - $self->bind(); + # Rebind as Manager only if user is not granted to change its password + $self->bind() + unless $self->{portal}->{ldapChangePasswordAsUser}; } # Use standard modification