LDAP: option to change the password as user (and not as managerDn)
This commit is contained in:
parent
857d421b1e
commit
bac76b680d
|
@ -1533,6 +1533,16 @@ level1Key => { level2Key => 'value' },
|
|||
|
||||
<td>Yes</td>
|
||||
</tr>
|
||||
|
||||
<tr class="table-even">
|
||||
<td>Change password as user</td>
|
||||
|
||||
<td>ldapChangePasswordAsUser</td>
|
||||
|
||||
<td>1.0</td>
|
||||
|
||||
<td>Yes</td>
|
||||
</tr>
|
||||
</table>
|
||||
|
||||
<h4 class="heading-1-1-1"><span id="HDBI">DBI</span></h4><br />
|
||||
|
|
|
@ -278,8 +278,6 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
|
|||
<li>Signed Authentication Request: set to On to require signed
|
||||
authentication request. Off by default.</li>
|
||||
|
||||
<li>Protocol: Protocol support enumeration string. Do not change.</li>
|
||||
|
||||
<li>Signing Key: load your public key file.</li>
|
||||
</ul>
|
||||
|
||||
|
@ -305,10 +303,6 @@ $ openssl rsa -pubout -in private_key.pem -out public_key.pem
|
|||
<li>Default: will this binding be used by default for authentication
|
||||
response</li>
|
||||
|
||||
<li>Index: Do not change.</li>
|
||||
|
||||
<li>Binding: SAML2 binding string. Do not change.</li>
|
||||
|
||||
<li>Location: Access Point for SSO request and response. Change this
|
||||
value to fit your portal URL.</li>
|
||||
</ul>
|
||||
|
|
|
@ -97,11 +97,23 @@ passwordDB => LDAP,
|
|||
You can also set these:
|
||||
|
||||
<ul class="star">
|
||||
<li>ldapSetPassword: set to '1' to use the LDAP extended operation
|
||||
"password modify" instead of standard modify operation.</li>
|
||||
<li><strong class="strong">ldapPpolicyControl</strong>: set to '1' to
|
||||
use LDAP password policy.</li>
|
||||
|
||||
<li>mailLDAPFilter: filter to use with user submitted email. By
|
||||
default:</li>
|
||||
<li><strong class="strong">ldapSetPassword</strong>: set to '1' to use
|
||||
the LDAP extended operation "password modify" instead of standard modify
|
||||
operation.</li>
|
||||
|
||||
<li><strong class="strong">ldapChangePasswordAsUser</strong>: set to '1'
|
||||
to perfom password modification with credentials of connected user. This
|
||||
requires to active the <strong class=
|
||||
"strong">portalRequireOldPassword</strong> option too.</li>
|
||||
|
||||
<li><strong class="strong">portalRequireOldPassword</strong>: set to '1'
|
||||
to require old password when changing the password.</li>
|
||||
|
||||
<li><strong class="strong">mailLDAPFilter</strong>: filter to use with
|
||||
user submitted email. By default:</li>
|
||||
</ul>
|
||||
|
||||
<div class="code">
|
||||
|
|
|
@ -367,9 +367,9 @@ function passworddbParams(id) {
|
|||
currentId=id;
|
||||
$('#authOptions').hide();
|
||||
formateSelect('authText',[
|
||||
'DBI:Database (DBI)',
|
||||
'LDAP:LDAP',
|
||||
'Null:None'
|
||||
'DBI=Database (DBI)',
|
||||
'LDAP=LDAP',
|
||||
'Null=None'
|
||||
],lmdata(id));
|
||||
display('authParams',lmtext(id));
|
||||
}
|
||||
|
|
|
@ -236,9 +236,13 @@ sub struct {
|
|||
},
|
||||
|
||||
ldapPassword => {
|
||||
_nodes => [qw(ldapPpolicyControl ldapSetPassword)],
|
||||
_nodes => [
|
||||
qw(ldapPpolicyControl ldapSetPassword ldapChangePasswordAsUser)
|
||||
],
|
||||
ldapPpolicyControl => 'bool:/ldapPpolicyControl',
|
||||
ldapSetPassword => 'bool:/ldapSetPassword',
|
||||
ldapChangePasswordAsUser =>
|
||||
'bool:/ldapChangePasswordAsUser',
|
||||
},
|
||||
|
||||
},
|
||||
|
@ -794,6 +798,7 @@ sub testStruct {
|
|||
},
|
||||
ldapPpolicyControl => $boolean,
|
||||
ldapSetPassword => $boolean,
|
||||
ldapChangePasswordAsUser => $boolean,
|
||||
mailLDAPFilter => $testNotDefined,
|
||||
LDAPFilter => $testNotDefined,
|
||||
AuthLDAPFilter => $testNotDefined,
|
||||
|
|
|
@ -97,6 +97,7 @@ sub en {
|
|||
headers => 'HTTP Headers',
|
||||
https => 'Default value for https parameter',
|
||||
ldapBase => 'Users search base',
|
||||
ldapChangePasswordAsUser => 'Change as user',
|
||||
ldapConnection => 'Connection',
|
||||
ldapFilters => 'Filters',
|
||||
LDAPFilter => 'Default filter',
|
||||
|
@ -306,6 +307,7 @@ sub fr {
|
|||
headers => 'En-têtes HTTP',
|
||||
https => 'Valeur par défaut du paramètre https',
|
||||
ldapBase => 'Base de recherche des utilisateurs',
|
||||
ldapChangePasswordAsUser => 'Changement en tant qu\'utilisateur',
|
||||
ldapConnection => 'Connexion',
|
||||
ldapFilters => 'Filtres',
|
||||
LDAPFilter => 'Filtre par défaut',
|
||||
|
|
|
@ -35,3 +35,4 @@ recommends:
|
|||
Net::OpenID::Consumer: 0
|
||||
Net::OpenID::Server: 0
|
||||
Net::Twitter: 0
|
||||
Lasso: 0
|
||||
|
|
|
@ -13,6 +13,7 @@ WriteMakefile(
|
|||
'Net::OpenID::Server' => 0,
|
||||
'MIME::Lite' => 0,
|
||||
'Net::Twitter' => 0,
|
||||
'Lasso' => 0,
|
||||
},
|
||||
},
|
||||
BUILD_REQUIRES => { 'IO::String' => 0, },
|
||||
|
|
|
@ -13,7 +13,7 @@ use strict;
|
|||
|
||||
our @EXPORT = qw(ldap);
|
||||
|
||||
our $VERSION = '0.2';
|
||||
our $VERSION = '0.3';
|
||||
|
||||
## @cmethod Lemonldap::NG::Portal::_LDAP new(Lemonldap::NG::Portal::Simple portal)
|
||||
# Build a Net::LDAP object using parameters issued from $portal
|
||||
|
@ -97,7 +97,16 @@ sub loadPP {
|
|||
my $self = shift;
|
||||
return 1 if ($ppLoaded);
|
||||
|
||||
# require Perl module
|
||||
# Minimal version of Net::LDAP required
|
||||
eval { use Net::LDAP 0.38 };
|
||||
if ($@) {
|
||||
$self->{portal}->lmLog(
|
||||
"Module Net::LDAP is too old for password policy, please install version 0.38 or higher",
|
||||
'error' );
|
||||
return 0;
|
||||
}
|
||||
|
||||
# Require Perl module
|
||||
eval { require Net::LDAP::Control::PasswordPolicy };
|
||||
if ($@) {
|
||||
$self->{portal}->lmLog(
|
||||
|
@ -198,6 +207,13 @@ sub userModifyPassword {
|
|||
|
||||
if ( $self->{portal}->{ldapSetPassword} ) {
|
||||
|
||||
# Bind as user if oldpassword and ldapChangePasswordAsUser
|
||||
if ( $oldpassword and $self->{ldapChangePasswordAsUser} ) {
|
||||
|
||||
$mesg = $self->bind( $dn, password => $oldpassword );
|
||||
return PE_BADOLDPASSWORD if ( $mesg->code != 0 );
|
||||
}
|
||||
|
||||
# Use SetPassword extended operation
|
||||
use Net::LDAP::Extension::SetPassword;
|
||||
$mesg =
|
||||
|
@ -222,8 +238,9 @@ sub userModifyPassword {
|
|||
$mesg = $self->bind( $dn, password => $oldpassword );
|
||||
return PE_BADOLDPASSWORD if ( $mesg->code != 0 );
|
||||
|
||||
# Rebind as Manager
|
||||
$self->bind();
|
||||
# Rebind as Manager only if user is not granted to change its password
|
||||
$self->bind()
|
||||
unless $self->{portal}->{ldapChangePasswordAsUser};
|
||||
}
|
||||
|
||||
# Use standard modification
|
||||
|
@ -245,6 +262,13 @@ sub userModifyPassword {
|
|||
|
||||
if ( $self->{portal}->{ldapSetPassword} ) {
|
||||
|
||||
# Bind as user if oldpassword and ldapChangePasswordAsUser
|
||||
if ( $oldpassword and $self->{ldapChangePasswordAsUser} ) {
|
||||
|
||||
$mesg = $self->bind( $dn, password => $oldpassword );
|
||||
return PE_BADOLDPASSWORD if ( $mesg->code != 0 );
|
||||
}
|
||||
|
||||
# Use SetPassword extended operation
|
||||
# Warning: need a patch on Perl-LDAP
|
||||
# See http://groups.google.com/group/perl.ldap/browse_thread/thread/5703a41ccb17b221/377a68f872cc2bb4?lnk=gst&q=setpassword#377a68f872cc2bb4
|
||||
|
@ -273,8 +297,9 @@ sub userModifyPassword {
|
|||
$mesg = $self->bind( $dn, password => $oldpassword );
|
||||
return PE_BADOLDPASSWORD if ( $mesg->code != 0 );
|
||||
|
||||
# Rebind as Manager
|
||||
$self->bind();
|
||||
# Rebind as Manager only if user is not granted to change its password
|
||||
$self->bind()
|
||||
unless $self->{portal}->{ldapChangePasswordAsUser};
|
||||
}
|
||||
|
||||
# Use standard modification
|
||||
|
|
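Review bot: In the hunks `@@ -198,6 +207,13 @@` and `@@ -245,6 +262,13 @@` the new bind-as-user guard reads `$self->{ldapChangePasswordAsUser}`, whereas the rebind guards added in the two hunks after them, and the `ldapSetPassword` test on the line just above, read the option from `$self->{portal}->{...}`. Unless `new()` copies the option onto `$self` (not visible here), that condition is always false, so with the option enabled the SetPassword extended operation is still sent on the manager bind and the old password is never verified on that path — the privilege reduction this commit describes silently does not happen. Both guards should read `if ( $oldpassword and $self->{portal}->{ldapChangePasswordAsUser} ) {`, and a short comment that this branch depends on portalRequireOldPassword supplying `$oldpassword` (nothing in the hunk enforces that) would help the next reader. Separately, in the loadPP hunk `eval { use Net::LDAP 0.38 };` does not do what the following `if ($@)` expects: `use` is executed at compile time, so a too-old Net::LDAP dies when the module is compiled and `$@` is never set inside the eval; `eval { require Net::LDAP; Net::LDAP->VERSION(0.38) };` performs the check at runtime as intended. loadPP and userModifyPassword both begin and end outside the hunks shown.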