LDAP: option to change the password as user (and not as managerDn)
parent
857d421b1e
commit
bac76b680d
|
@ -1533,6 +1533,16 @@ level1Key => { level2Key => 'value' },
|
||||||
|
|
||||||
<td>Yes</td>
|
<td>Yes</td>
|
||||||
</tr>
|
</tr>
|
||||||
|
|
||||||
|
<tr class="table-even">
|
||||||
|
<td>Change password as user</td>
|
||||||
|
|
||||||
|
<td>ldapChangePasswordAsUser</td>
|
||||||
|
|
||||||
|
<td>1.0</td>
|
||||||
|
|
||||||
|
<td>Yes</td>
|
||||||
|
</tr>
|
||||||
</table>
|
</table>
|
||||||
|
|
||||||
<h4 class="heading-1-1-1"><span id="HDBI">DBI</span></h4><br />
|
<h4 class="heading-1-1-1"><span id="HDBI">DBI</span></h4><br />
|
||||||
|
|
|
@ -278,8 +278,6 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
|
||||||
<li>Signed Authentication Request: set to On to require signed
|
<li>Signed Authentication Request: set to On to require signed
|
||||||
authentication request. Off by default.</li>
|
authentication request. Off by default.</li>
|
||||||
|
|
||||||
<li>Protocol: Protocol support enumeration string. Do not change.</li>
|
|
||||||
|
|
||||||
<li>Signing Key: load your public key file.</li>
|
<li>Signing Key: load your public key file.</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
|
@ -305,10 +303,6 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
|
||||||
<li>Default: will this binding be used by default for authentication
|
<li>Default: will this binding be used by default for authentication
|
||||||
response</li>
|
response</li>
|
||||||
|
|
||||||
<li>Index: Do not change.</li>
|
|
||||||
|
|
||||||
<li>Binding: SAML2 binding string. Do not change.</li>
|
|
||||||
|
|
||||||
<li>Location: Access Point for SSO request and response. Change this
|
<li>Location: Access Point for SSO request and response. Change this
|
||||||
value to fit your portal URL.</li>
|
value to fit your portal URL.</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
|
@ -97,11 +97,23 @@ passwordDB => LDAP,
|
||||||
You can also set these:
|
You can also set these:
|
||||||
|
|
||||||
<ul class="star">
|
<ul class="star">
|
||||||
<li>ldapSetPassword: set to '1' to use the LDAP extended operation
|
<li><strong class="strong">ldapPpolicyControl</strong>: set to '1' to
|
||||||
"password modify" instead of standard modify operation.</li>
|
use LDAP password policy.</li>
|
||||||
|
|
||||||
<li>mailLDAPFilter: filter to use with user submitted email. By
|
<li><strong class="strong">ldapSetPassword</strong>: set to '1' to use
|
||||||
default:</li>
|
the LDAP extended operation "password modify" instead of standard modify
|
||||||
|
operation.</li>
|
||||||
|
|
||||||
|
<li><strong class="strong">ldapChangePasswordAsUser</strong>: set to '1'
|
||||||
|
to perfom password modification with credentials of connected user. This
|
||||||
|
requires to active the <strong class=
|
||||||
|
"strong">portalRequireOldPassword</strong> option too.</li>
|
||||||
|
|
||||||
|
<li><strong class="strong">portalRequireOldPassword</strong>: set to '1'
|
||||||
|
to require old password when changing the password.</li>
|
||||||
|
|
||||||
|
<li><strong class="strong">mailLDAPFilter</strong>: filter to use with
|
||||||
|
user submitted email. By default:</li>
|
||||||
</ul>
|
</ul>
|
||||||
|
|
||||||
<div class="code">
|
<div class="code">
|
||||||
|
|
|
@ -367,9 +367,9 @@ function passworddbParams(id) {
|
||||||
currentId=id;
|
currentId=id;
|
||||||
$('#authOptions').hide();
|
$('#authOptions').hide();
|
||||||
formateSelect('authText',[
|
formateSelect('authText',[
|
||||||
'DBI:Database (DBI)',
|
'DBI=Database (DBI)',
|
||||||
'LDAP:LDAP',
|
'LDAP=LDAP',
|
||||||
'Null:None'
|
'Null=None'
|
||||||
],lmdata(id));
|
],lmdata(id));
|
||||||
display('authParams',lmtext(id));
|
display('authParams',lmtext(id));
|
||||||
}
|
}
|
||||||
|
|
|
@ -236,9 +236,13 @@ sub struct {
|
||||||
},
|
},
|
||||||
|
|
||||||
ldapPassword => {
|
ldapPassword => {
|
||||||
_nodes => [qw(ldapPpolicyControl ldapSetPassword)],
|
_nodes => [
|
||||||
|
qw(ldapPpolicyControl ldapSetPassword ldapChangePasswordAsUser)
|
||||||
|
],
|
||||||
ldapPpolicyControl => 'bool:/ldapPpolicyControl',
|
ldapPpolicyControl => 'bool:/ldapPpolicyControl',
|
||||||
ldapSetPassword => 'bool:/ldapSetPassword',
|
ldapSetPassword => 'bool:/ldapSetPassword',
|
||||||
|
ldapChangePasswordAsUser =>
|
||||||
|
'bool:/ldapChangePasswordAsUser',
|
||||||
},
|
},
|
||||||
|
|
||||||
},
|
},
|
||||||
|
@ -794,6 +798,7 @@ sub testStruct {
|
||||||
},
|
},
|
||||||
ldapPpolicyControl => $boolean,
|
ldapPpolicyControl => $boolean,
|
||||||
ldapSetPassword => $boolean,
|
ldapSetPassword => $boolean,
|
||||||
|
ldapChangePasswordAsUser => $boolean,
|
||||||
mailLDAPFilter => $testNotDefined,
|
mailLDAPFilter => $testNotDefined,
|
||||||
LDAPFilter => $testNotDefined,
|
LDAPFilter => $testNotDefined,
|
||||||
AuthLDAPFilter => $testNotDefined,
|
AuthLDAPFilter => $testNotDefined,
|
||||||
|
|
|
@ -97,6 +97,7 @@ sub en {
|
||||||
headers => 'HTTP Headers',
|
headers => 'HTTP Headers',
|
||||||
https => 'Default value for https parameter',
|
https => 'Default value for https parameter',
|
||||||
ldapBase => 'Users search base',
|
ldapBase => 'Users search base',
|
||||||
|
ldapChangePasswordAsUser => 'Change as user',
|
||||||
ldapConnection => 'Connection',
|
ldapConnection => 'Connection',
|
||||||
ldapFilters => 'Filters',
|
ldapFilters => 'Filters',
|
||||||
LDAPFilter => 'Default filter',
|
LDAPFilter => 'Default filter',
|
||||||
|
@ -306,6 +307,7 @@ sub fr {
|
||||||
headers => 'En-têtes HTTP',
|
headers => 'En-têtes HTTP',
|
||||||
https => 'Valeur par défaut du paramètre https',
|
https => 'Valeur par défaut du paramètre https',
|
||||||
ldapBase => 'Base de recherche des utilisateurs',
|
ldapBase => 'Base de recherche des utilisateurs',
|
||||||
|
ldapChangePasswordAsUser => 'Changement en tant qu\'utilisateur',
|
||||||
ldapConnection => 'Connexion',
|
ldapConnection => 'Connexion',
|
||||||
ldapFilters => 'Filtres',
|
ldapFilters => 'Filtres',
|
||||||
LDAPFilter => 'Filtre par défaut',
|
LDAPFilter => 'Filtre par défaut',
|
||||||
|
|
|
@ -35,3 +35,4 @@ recommends:
|
||||||
Net::OpenID::Consumer: 0
|
Net::OpenID::Consumer: 0
|
||||||
Net::OpenID::Server: 0
|
Net::OpenID::Server: 0
|
||||||
Net::Twitter: 0
|
Net::Twitter: 0
|
||||||
|
Lasso: 0
|
||||||
|
|
|
@ -13,6 +13,7 @@ WriteMakefile(
|
||||||
'Net::OpenID::Server' => 0,
|
'Net::OpenID::Server' => 0,
|
||||||
'MIME::Lite' => 0,
|
'MIME::Lite' => 0,
|
||||||
'Net::Twitter' => 0,
|
'Net::Twitter' => 0,
|
||||||
|
'Lasso' => 0,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
BUILD_REQUIRES => { 'IO::String' => 0, },
|
BUILD_REQUIRES => { 'IO::String' => 0, },
|
||||||
|
|
|
@ -13,7 +13,7 @@ use strict;
|
||||||
|
|
||||||
our @EXPORT = qw(ldap);
|
our @EXPORT = qw(ldap);
|
||||||
|
|
||||||
our $VERSION = '0.2';
|
our $VERSION = '0.3';
|
||||||
|
|
||||||
## @cmethod Lemonldap::NG::Portal::_LDAP new(Lemonldap::NG::Portal::Simple portal)
|
## @cmethod Lemonldap::NG::Portal::_LDAP new(Lemonldap::NG::Portal::Simple portal)
|
||||||
# Build a Net::LDAP object using parameters issued from $portal
|
# Build a Net::LDAP object using parameters issued from $portal
|
||||||
|
@ -97,7 +97,16 @@ sub loadPP {
|
||||||
my $self = shift;
|
my $self = shift;
|
||||||
return 1 if ($ppLoaded);
|
return 1 if ($ppLoaded);
|
||||||
|
|
||||||
# require Perl module
|
# Minimal version of Net::LDAP required
|
||||||
|
eval { use Net::LDAP 0.38 };
|
||||||
|
if ($@) {
|
||||||
|
$self->{portal}->lmLog(
|
||||||
|
"Module Net::LDAP is too old for password policy, please install version 0.38 or higher",
|
||||||
|
'error' );
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
|
# Require Perl module
|
||||||
eval { require Net::LDAP::Control::PasswordPolicy };
|
eval { require Net::LDAP::Control::PasswordPolicy };
|
||||||
if ($@) {
|
if ($@) {
|
||||||
$self->{portal}->lmLog(
|
$self->{portal}->lmLog(
|
||||||
|
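Review bot: `eval { use Net::LDAP 0.38 };` does not do what the following `if ($@)` assumes: `use` is resolved at compile time, so an older Net::LDAP aborts compilation of the whole module with an uncaught error, and at run time this statement never sets `$@`, which leaves the lmLog message and the `return 0` unreachable. A check that can actually fail at run time needs `require` plus the VERSION method: `eval { require Net::LDAP; Net::LDAP->VERSION(0.38); };`. The `# Minimal version of Net::LDAP required` comment can stay as written. loadPP continues past the end of the hunk.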
@ -198,6 +207,13 @@ sub userModifyPassword {
|
||||||
|
|
||||||
if ( $self->{portal}->{ldapSetPassword} ) {
|
if ( $self->{portal}->{ldapSetPassword} ) {
|
||||||
|
|
||||||
|
# Bind as user if oldpassword and ldapChangePasswordAsUser
|
||||||
|
if ( $oldpassword and $self->{ldapChangePasswordAsUser} ) {
|
||||||
|
|
||||||
|
$mesg = $self->bind( $dn, password => $oldpassword );
|
||||||
|
return PE_BADOLDPASSWORD if ( $mesg->code != 0 );
|
||||||
|
}
|
||||||
|
|
||||||
# Use SetPassword extended operation
|
# Use SetPassword extended operation
|
||||||
use Net::LDAP::Extension::SetPassword;
|
use Net::LDAP::Extension::SetPassword;
|
||||||
$mesg =
|
$mesg =
|
||||||
|
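Review bot: the new guard reads `$self->{ldapChangePasswordAsUser}`, while the rebind logic later in the same sub (hunk `@ -222,8 +238,9 @@`) reads `$self->{portal}->{ldapChangePasswordAsUser}`, as does every other portal option visible here (`$self->{portal}->{ldapSetPassword}` two lines above). Unless `$self` is populated with that key somewhere outside the hunk, the condition is always false and the SetPassword extended operation keeps running under the manager bind even when the option is on, which is the opposite of what the option promises. The line should be `if ( $oldpassword and $self->{portal}->{ldapChangePasswordAsUser} ) {`. The hunk at `@ -245,6 +262,13 @@` has the same inconsistency. userModifyPassword starts before this hunk.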
@ -222,8 +238,9 @@ sub userModifyPassword {
|
||||||
$mesg = $self->bind( $dn, password => $oldpassword );
|
$mesg = $self->bind( $dn, password => $oldpassword );
|
||||||
return PE_BADOLDPASSWORD if ( $mesg->code != 0 );
|
return PE_BADOLDPASSWORD if ( $mesg->code != 0 );
|
||||||
|
|
||||||
# Rebind as Manager
|
# Rebind as Manager only if user is not granted to change its password
|
||||||
$self->bind();
|
$self->bind()
|
||||||
|
unless $self->{portal}->{ldapChangePasswordAsUser};
|
||||||
}
|
}
|
||||||
|
|
||||||
# Use standard modification
|
# Use standard modification
|
||||||
|
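Review bot: with ldapChangePasswordAsUser enabled but no `$oldpassword` supplied, this path quietly keeps the manager bind for the modification: the user bind and the new `unless` sit inside a block whose opening `if` is outside the hunk and which, judging from the `if ( $oldpassword and ... )` guard in the SetPassword branch of the previous hunk, appears to be conditioned on `$oldpassword`. The documentation in this commit tells the administrator to also enable portalRequireOldPassword, but the code does not enforce that pairing, so a missing option silently degrades a user-authorized change into a privileged one. Consider refusing instead, e.g. `return PE_BADOLDPASSWORD if ( $self->{portal}->{ldapChangePasswordAsUser} and not $oldpassword );` before the block that binds as the user (PE_BADOLDPASSWORD is the closest code visible on the page; a dedicated code may fit better). The hunks at `@ -245,6 +262,13 @@` and `@ -273,8 +297,9 @@` have the same shape.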
@ -245,6 +262,13 @@ sub userModifyPassword {
|
||||||
|
|
||||||
if ( $self->{portal}->{ldapSetPassword} ) {
|
if ( $self->{portal}->{ldapSetPassword} ) {
|
||||||
|
|
||||||
|
# Bind as user if oldpassword and ldapChangePasswordAsUser
|
||||||
|
if ( $oldpassword and $self->{ldapChangePasswordAsUser} ) {
|
||||||
|
|
||||||
|
$mesg = $self->bind( $dn, password => $oldpassword );
|
||||||
|
return PE_BADOLDPASSWORD if ( $mesg->code != 0 );
|
||||||
|
}
|
||||||
|
|
||||||
# Use SetPassword extended operation
|
# Use SetPassword extended operation
|
||||||
# Warning: need a patch on Perl-LDAP
|
# Warning: need a patch on Perl-LDAP
|
||||||
# See http://groups.google.com/group/perl.ldap/browse_thread/thread/5703a41ccb17b221/377a68f872cc2bb4?lnk=gst&q=setpassword#377a68f872cc2bb4
|
# See http://groups.google.com/group/perl.ldap/browse_thread/thread/5703a41ccb17b221/377a68f872cc2bb4?lnk=gst&q=setpassword#377a68f872cc2bb4
|
||||||
|
@ -273,8 +297,9 @@ sub userModifyPassword {
|
||||||
$mesg = $self->bind( $dn, password => $oldpassword );
|
$mesg = $self->bind( $dn, password => $oldpassword );
|
||||||
return PE_BADOLDPASSWORD if ( $mesg->code != 0 );
|
return PE_BADOLDPASSWORD if ( $mesg->code != 0 );
|
||||||
|
|
||||||
# Rebind as Manager
|
# Rebind as Manager only if user is not granted to change its password
|
||||||
$self->bind();
|
$self->bind()
|
||||||
|
unless $self->{portal}->{ldapChangePasswordAsUser};
|
||||||
}
|
}
|
||||||
|
|
||||||
# Use standard modification
|
# Use standard modification
|
||||||
|
|