LDAP: option to change the password as user (and not as managerDn)

This commit is contained in:
Clément Oudot 2010-03-24 10:00:52 +00:00
parent 857d421b1e
commit bac76b680d
9 changed files with 70 additions and 20 deletions


@ -1533,6 +1533,16 @@ level1Key => { level2Key => 'value' },
<td>Yes</td> <td>Yes</td>
</tr> </tr>
<tr class="table-even">
<td>Change password as user</td>
<td>ldapChangePasswordAsUser</td>
<td>1.0</td>
<td>Yes</td>
</tr>
</table> </table>
<h4 class="heading-1-1-1"><span id="HDBI">DBI</span></h4><br /> <h4 class="heading-1-1-1"><span id="HDBI">DBI</span></h4><br />


@ -278,8 +278,6 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
<li>Signed Authentication Request: set to On to require signed <li>Signed Authentication Request: set to On to require signed
authentication request. Off by default.</li> authentication request. Off by default.</li>
<li>Protocol: Protocol support enumeration string. Do not change.</li>
<li>Signing Key: load your public key file.</li> <li>Signing Key: load your public key file.</li>
</ul> </ul>
@ -305,10 +303,6 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
<li>Default: will this binding be used by default for authentication <li>Default: will this binding be used by default for authentication
response</li> response</li>
<li>Index: Do not change.</li>
<li>Binding: SAML2 binding string. Do not change.</li>
<li>Location: Access Point for SSO request and response. Change this <li>Location: Access Point for SSO request and response. Change this
value to fit your portal URL.</li> value to fit your portal URL.</li>
</ul> </ul>


@ -97,11 +97,23 @@ passwordDB =&gt; LDAP,
You can also set these: You can also set these:
<ul class="star"> <ul class="star">
<li>ldapSetPassword: set to '1' to use the LDAP extended operation <li><strong class="strong">ldapPpolicyControl</strong>: set to '1' to
"password modify" instead of standard modify operation.</li> use LDAP password policy.</li>
<li>mailLDAPFilter: filter to use with user submitted email. By <li><strong class="strong">ldapSetPassword</strong>: set to '1' to use
default:</li> the LDAP extended operation "password modify" instead of standard modify
operation.</li>
<li><strong class="strong">ldapChangePasswordAsUser</strong>: set to '1'
to perfom password modification with credentials of connected user. This
requires to active the <strong class=
"strong">portalRequireOldPassword</strong> option too.</li>
<li><strong class="strong">portalRequireOldPassword</strong>: set to '1'
to require old password when changing the password.</li>
<li><strong class="strong">mailLDAPFilter</strong>: filter to use with
user submitted email. By default:</li>
</ul> </ul>
<div class="code"> <div class="code">


@ -367,9 +367,9 @@ function passworddbParams(id) {
currentId=id; currentId=id;
$('#authOptions').hide(); $('#authOptions').hide();
formateSelect('authText',[ formateSelect('authText',[
'DBI:Database (DBI)', 'DBI=Database (DBI)',
'LDAP:LDAP', 'LDAP=LDAP',
'Null:None' 'Null=None'
],lmdata(id)); ],lmdata(id));
display('authParams',lmtext(id)); display('authParams',lmtext(id));
} }


@ -236,9 +236,13 @@ sub struct {
}, },
ldapPassword => { ldapPassword => {
_nodes => [qw(ldapPpolicyControl ldapSetPassword)], _nodes => [
qw(ldapPpolicyControl ldapSetPassword ldapChangePasswordAsUser)
],
ldapPpolicyControl => 'bool:/ldapPpolicyControl', ldapPpolicyControl => 'bool:/ldapPpolicyControl',
ldapSetPassword => 'bool:/ldapSetPassword', ldapSetPassword => 'bool:/ldapSetPassword',
ldapChangePasswordAsUser =>
'bool:/ldapChangePasswordAsUser',
}, },
}, },
@ -794,6 +798,7 @@ sub testStruct {
}, },
ldapPpolicyControl => $boolean, ldapPpolicyControl => $boolean,
ldapSetPassword => $boolean, ldapSetPassword => $boolean,
ldapChangePasswordAsUser => $boolean,
mailLDAPFilter => $testNotDefined, mailLDAPFilter => $testNotDefined,
LDAPFilter => $testNotDefined, LDAPFilter => $testNotDefined,
AuthLDAPFilter => $testNotDefined, AuthLDAPFilter => $testNotDefined,


@ -97,6 +97,7 @@ sub en {
headers => 'HTTP Headers', headers => 'HTTP Headers',
https => 'Default value for https parameter', https => 'Default value for https parameter',
ldapBase => 'Users search base', ldapBase => 'Users search base',
ldapChangePasswordAsUser => 'Change as user',
ldapConnection => 'Connection', ldapConnection => 'Connection',
ldapFilters => 'Filters', ldapFilters => 'Filters',
LDAPFilter => 'Default filter', LDAPFilter => 'Default filter',
@ -306,6 +307,7 @@ sub fr {
headers => 'En-têtes HTTP', headers => 'En-têtes HTTP',
https => 'Valeur par défaut du paramètre https', https => 'Valeur par défaut du paramètre https',
ldapBase => 'Base de recherche des utilisateurs', ldapBase => 'Base de recherche des utilisateurs',
ldapChangePasswordAsUser => 'Changement en tant qu\'utilisateur',
ldapConnection => 'Connexion', ldapConnection => 'Connexion',
ldapFilters => 'Filtres', ldapFilters => 'Filtres',
LDAPFilter => 'Filtre par défaut', LDAPFilter => 'Filtre par défaut',


@ -35,3 +35,4 @@ recommends:
Net::OpenID::Consumer: 0 Net::OpenID::Consumer: 0
Net::OpenID::Server: 0 Net::OpenID::Server: 0
Net::Twitter: 0 Net::Twitter: 0
Lasso: 0


@ -13,6 +13,7 @@ WriteMakefile(
'Net::OpenID::Server' => 0, 'Net::OpenID::Server' => 0,
'MIME::Lite' => 0, 'MIME::Lite' => 0,
'Net::Twitter' => 0, 'Net::Twitter' => 0,
'Lasso' => 0,
}, },
}, },
BUILD_REQUIRES => { 'IO::String' => 0, }, BUILD_REQUIRES => { 'IO::String' => 0, },


@ -13,7 +13,7 @@ use strict;
our @EXPORT = qw(ldap); our @EXPORT = qw(ldap);
our $VERSION = '0.2'; our $VERSION = '0.3';
## @cmethod Lemonldap::NG::Portal::_LDAP new(Lemonldap::NG::Portal::Simple portal) ## @cmethod Lemonldap::NG::Portal::_LDAP new(Lemonldap::NG::Portal::Simple portal)
# Build a Net::LDAP object using parameters issued from $portal # Build a Net::LDAP object using parameters issued from $portal
@ -97,7 +97,16 @@ sub loadPP {
my $self = shift; my $self = shift;
return 1 if ($ppLoaded); return 1 if ($ppLoaded);
# require Perl module # Minimal version of Net::LDAP required
eval { use Net::LDAP 0.38 };
if ($@) {
$self->{portal}->lmLog(
"Module Net::LDAP is too old for password policy, please install version 0.38 or higher",
'error' );
return 0;
}
# Require Perl module
eval { require Net::LDAP::Control::PasswordPolicy }; eval { require Net::LDAP::Control::PasswordPolicy };
if ($@) { if ($@) {
$self->{portal}->lmLog( $self->{portal}->lmLog(
@ -198,6 +207,13 @@ sub userModifyPassword {
if ( $self->{portal}->{ldapSetPassword} ) { if ( $self->{portal}->{ldapSetPassword} ) {
# Bind as user if oldpassword and ldapChangePasswordAsUser
if ( $oldpassword and $self->{ldapChangePasswordAsUser} ) {
$mesg = $self->bind( $dn, password => $oldpassword );
return PE_BADOLDPASSWORD if ( $mesg->code != 0 );
}
# Use SetPassword extended operation # Use SetPassword extended operation
use Net::LDAP::Extension::SetPassword; use Net::LDAP::Extension::SetPassword;
$mesg = $mesg =
@ -222,8 +238,9 @@ sub userModifyPassword {
$mesg = $self->bind( $dn, password => $oldpassword ); $mesg = $self->bind( $dn, password => $oldpassword );
return PE_BADOLDPASSWORD if ( $mesg->code != 0 ); return PE_BADOLDPASSWORD if ( $mesg->code != 0 );
# Rebind as Manager # Rebind as Manager only if user is not granted to change its password
$self->bind(); $self->bind()
unless $self->{portal}->{ldapChangePasswordAsUser};
} }
# Use standard modification # Use standard modification
@ -245,6 +262,13 @@ sub userModifyPassword {
if ( $self->{portal}->{ldapSetPassword} ) { if ( $self->{portal}->{ldapSetPassword} ) {
# Bind as user if oldpassword and ldapChangePasswordAsUser
if ( $oldpassword and $self->{ldapChangePasswordAsUser} ) {
$mesg = $self->bind( $dn, password => $oldpassword );
return PE_BADOLDPASSWORD if ( $mesg->code != 0 );
}
# Use SetPassword extended operation # Use SetPassword extended operation
# Warning: need a patch on Perl-LDAP # Warning: need a patch on Perl-LDAP
# See http://groups.google.com/group/perl.ldap/browse_thread/thread/5703a41ccb17b221/377a68f872cc2bb4?lnk=gst&q=setpassword#377a68f872cc2bb4 # See http://groups.google.com/group/perl.ldap/browse_thread/thread/5703a41ccb17b221/377a68f872cc2bb4?lnk=gst&q=setpassword#377a68f872cc2bb4
@ -273,8 +297,9 @@ sub userModifyPassword {
$mesg = $self->bind( $dn, password => $oldpassword ); $mesg = $self->bind( $dn, password => $oldpassword );
return PE_BADOLDPASSWORD if ( $mesg->code != 0 ); return PE_BADOLDPASSWORD if ( $mesg->code != 0 );
# Rebind as Manager # Rebind as Manager only if user is not granted to change its password
$self->bind(); $self->bind()
unless $self->{portal}->{ldapChangePasswordAsUser};
} }
# Use standard modification # Use standard modification
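Review bot: The guard in the two new bind-as-user blocks reads `$self->{ldapChangePasswordAsUser}`, while every other reference in this section (the `ldapSetPassword` test on the line just above each block and the new rebind condition in the following hunks) reads the option from `$self->{portal}->{...}`; unless new() copies that key onto the Net::LDAP object, which this section does not show, the condition is always false and the SetPassword path keeps running under the manager bind regardless of the setting. The check should read `if ( $oldpassword and $self->{portal}->{ldapChangePasswordAsUser} ) {` in both userModifyPassword hunks that add it. When the option is on but $oldpassword is empty the code also falls through silently to the manager-bound operation, which is only acceptable if portalRequireOldPassword is enforced upstream, so a comment such as `# Falls back to the manager bind when no old password is supplied; portalRequireOldPassword must be on` would make that dependency explicit. Separately, in loadPP `eval { use Net::LDAP 0.38 }` cannot catch a version failure because `use` runs at compile time before the eval block executes; `eval { require Net::LDAP; Net::LDAP->VERSION(0.38) };` performs the check at runtime so the lmLog branch can actually fire. userModifyPassword starts before and continues after each of these hunks.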