Merge branch '2620-ppolicy-binding-v2.0' into 'v2.0'

add more logs for ldap binding (ppolicy extended response code) + remove loadPP (#2620) See merge request lemonldap-ng/lemonldap-ng!227
2021-09-29 09:36:58 +00:00 · 2021-09-29 09:36:58 +00:00 · cc08c992c4
commit cc08c992c4
parent 89b370df83 ebb764a3c5
2 changed files with 41 additions and 49 deletions
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/LDAP.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/LDAP.pm
@ -13,7 +13,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(

 extends 'Lemonldap::NG::Common::Module';

-our $VERSION = '2.0.13';
+our $VERSION = '2.0.14';

 # PROPERTIES

@ -54,9 +54,6 @@ sub newLdap {
    if ( $msg->code ) {
        $self->logger->error( 'LDAP test has failed: ' . $msg->error );
    }
-    elsif ( $self->{conf}->{ldapPpolicyControl} and not $ldap->loadPP() ) {
-        $self->logger->error("LDAP password policy error");
-    }
    return $ldap;
 }

@ -132,7 +129,7 @@ sub getUser {
    $self->validateLdap;
    return PE_LDAPCONNECTFAILED unless $self->ldap;

-    $self->bind();
+    return PE_LDAPERROR unless $self->bind();

    my $mesg = $self->ldap->search(
        base   => $self->conf->{ldapBase},
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm
@ -7,21 +7,14 @@ use Net::LDAP;    #inherits
 use Net::LDAP::Util qw(escape_filter_value);
 use base qw(Net::LDAP);
 use Lemonldap::NG::Portal::Main::Constants ':all';
+use Net::LDAP::Control::PasswordPolicy;
 use Encode;
 use Unicode::String qw(utf8);
 use Scalar::Util 'weaken';
 use IO::Socket::Timeout;
 use utf8;

-our $VERSION  = '2.0.10';
-our $ppLoaded = 0;
-
-BEGIN {
-    eval {
-        require threads::shared;
-        threads::shared::share($ppLoaded);
-    };
-}
+our $VERSION  = '2.0.14';

 # INITIALIZATION

@ -135,7 +128,40 @@ sub bind {
            };
            print STDERR "$@\n" if ($@);
        }
+
+        if ( $self->{conf}->{ldapPpolicyControl} ) {
+            my $pp = Net::LDAP::Control::PasswordPolicy->new();
+            $args{control} = [$pp];
+        }
+
        $mesg = $self->SUPER::bind( $dn, %args );
+
+        if ( $mesg->code ) {
+            my ($resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
+            # Check for ppolicy error
+            my $pp_error = $resp->pp_error if (defined($resp));
+            if ( defined $pp_error ) {
+                my $ppolicy_error = [
+                    "password expired",
+                    "account locked",
+                    "change after reset",
+                    "password mod not allowed",
+                    "supply old password",
+                    "insufficient password quality",
+                    "password too short",
+                    "password too young",
+                    "password in history",
+                ]->[$pp_error];
+
+                $self->{portal}->logger->error( "Error when binding to LDAP server: ". $mesg->error.
+                   " | extended ppolicy control response error: ".$ppolicy_error );
+            }
+            else
+            {
+                $self->{portal}->logger->error( "Error when binding to LDAP server: ". $mesg->error );
+            }
+        }
+
    }
    else {
        $mesg = $self->SUPER::bind();
@ -143,6 +169,7 @@ sub bind {
    return $mesg;
 }

+
 ## @method Net::LDAP::Message unbind()
 # Reimplementation of Net::LDAP::unbind() to force call to disconnect()
 # @return Net::LDAP::Message
@ -158,30 +185,6 @@ sub unbind {
    return $mesg;
 }

-## @method private boolean loadPP ()
-# Load Net::LDAP::Control::PasswordPolicy
-# @return true if succeed.
-sub loadPP {
-    my $self = shift;
-    return 1 if ($ppLoaded);
-
-    # Minimal version of Net::LDAP required
-    if ( $Net::LDAP::VERSION < 0.38 ) {
-        die(
-"Module Net::LDAP is too old for password policy, please install version 0.38 or higher"
-        );
-    }
-
-    # Require Perl module
-    eval { require Net::LDAP::Control::PasswordPolicy };
-    if ($@) {
-        $self->{portal}->logger->error(
-            "Module Net::LDAP::Control::PasswordPolicy not found in @INC");
-        return 0;
-    }
-    $ppLoaded = 1;
-}
-
 ## @method protected int userBind(string dn, hash args)
 # Call bind() with dn/password and return
 # @param $dn LDAP distinguish name
@ -202,7 +205,7 @@ sub userBind {
        # Get server control response
        my ($resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");

-        # Return direct unless control resonse
+        # Return direct unless control response
        unless ( defined $resp ) {
            if ( $mesg->code == 49 ) {
                $self->{portal}->userLogger->warn(
@ -638,16 +641,8 @@ sub ldap {
            $self->{ldap}->unbind;
        }
        else {
-            if ( $self->{ldapPpolicyControl}
-                and not $self->{ldap}->loadPP() )
-            {
-                $self->logger->error("LDAP password policy error");
-                $self->{ldap}->unbind;
-            }
-            else {
-                $self->{flags}->{ldapActive} = 1;
-                return $self->{ldap};
-            }
+            $self->{flags}->{ldapActive} = 1;
+            return $self->{ldap};
        }
    }
    else {