Merge branch '2620-ppolicy-binding-v2.0' into 'v2.0'
add more logs for ldap binding (ppolicy extended response code) + remove loadPP (#2620) See merge request lemonldap-ng/lemonldap-ng!227
This commit is contained in:
commit
cc08c992c4
|
@ -13,7 +13,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
|
|||
|
||||
extends 'Lemonldap::NG::Common::Module';
|
||||
|
||||
our $VERSION = '2.0.13';
|
||||
our $VERSION = '2.0.14';
|
||||
|
||||
# PROPERTIES
|
||||
|
||||
|
@ -54,9 +54,6 @@ sub newLdap {
|
|||
if ( $msg->code ) {
|
||||
$self->logger->error( 'LDAP test has failed: ' . $msg->error );
|
||||
}
|
||||
elsif ( $self->{conf}->{ldapPpolicyControl} and not $ldap->loadPP() ) {
|
||||
$self->logger->error("LDAP password policy error");
|
||||
}
|
||||
return $ldap;
|
||||
}
|
||||
|
||||
|
@ -132,7 +129,7 @@ sub getUser {
|
|||
$self->validateLdap;
|
||||
return PE_LDAPCONNECTFAILED unless $self->ldap;
|
||||
|
||||
$self->bind();
|
||||
return PE_LDAPERROR unless $self->bind();
|
||||
|
||||
my $mesg = $self->ldap->search(
|
||||
base => $self->conf->{ldapBase},
|
||||
|
|
|
@ -7,21 +7,14 @@ use Net::LDAP; #inherits
|
|||
use Net::LDAP::Util qw(escape_filter_value);
|
||||
use base qw(Net::LDAP);
|
||||
use Lemonldap::NG::Portal::Main::Constants ':all';
|
||||
use Net::LDAP::Control::PasswordPolicy;
|
||||
use Encode;
|
||||
use Unicode::String qw(utf8);
|
||||
use Scalar::Util 'weaken';
|
||||
use IO::Socket::Timeout;
|
||||
use utf8;
|
||||
|
||||
our $VERSION = '2.0.10';
|
||||
our $ppLoaded = 0;
|
||||
|
||||
BEGIN {
|
||||
eval {
|
||||
require threads::shared;
|
||||
threads::shared::share($ppLoaded);
|
||||
};
|
||||
}
|
||||
our $VERSION = '2.0.14';
|
||||
|
||||
# INITIALIZATION
|
||||
|
||||
|
@ -135,7 +128,40 @@ sub bind {
|
|||
};
|
||||
print STDERR "$@\n" if ($@);
|
||||
}
|
||||
|
||||
if ( $self->{conf}->{ldapPpolicyControl} ) {
|
||||
my $pp = Net::LDAP::Control::PasswordPolicy->new();
|
||||
$args{control} = [$pp];
|
||||
}
|
||||
|
||||
$mesg = $self->SUPER::bind( $dn, %args );
|
||||
|
||||
if ( $mesg->code ) {
|
||||
my ($resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
|
||||
# Check for ppolicy error
|
||||
my $pp_error = $resp->pp_error if (defined($resp));
|
||||
if ( defined $pp_error ) {
|
||||
my $ppolicy_error = [
|
||||
"password expired",
|
||||
"account locked",
|
||||
"change after reset",
|
||||
"password mod not allowed",
|
||||
"supply old password",
|
||||
"insufficient password quality",
|
||||
"password too short",
|
||||
"password too young",
|
||||
"password in history",
|
||||
]->[$pp_error];
|
||||
|
||||
$self->{portal}->logger->error( "Error when binding to LDAP server: ". $mesg->error.
|
||||
" | extended ppolicy control response error: ".$ppolicy_error );
|
||||
}
|
||||
else
|
||||
{
|
||||
$self->{portal}->logger->error( "Error when binding to LDAP server: ". $mesg->error );
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
else {
|
||||
$mesg = $self->SUPER::bind();
|
||||
|
@ -143,6 +169,7 @@ sub bind {
|
|||
return $mesg;
|
||||
}
|
||||
|
||||
|
||||
## @method Net::LDAP::Message unbind()
|
||||
# Reimplementation of Net::LDAP::unbind() to force call to disconnect()
|
||||
# @return Net::LDAP::Message
|
||||
|
@ -158,30 +185,6 @@ sub unbind {
|
|||
return $mesg;
|
||||
}
|
||||
|
||||
## @method private boolean loadPP ()
|
||||
# Load Net::LDAP::Control::PasswordPolicy
|
||||
# @return true if succeed.
|
||||
sub loadPP {
|
||||
my $self = shift;
|
||||
return 1 if ($ppLoaded);
|
||||
|
||||
# Minimal version of Net::LDAP required
|
||||
if ( $Net::LDAP::VERSION < 0.38 ) {
|
||||
die(
|
||||
"Module Net::LDAP is too old for password policy, please install version 0.38 or higher"
|
||||
);
|
||||
}
|
||||
|
||||
# Require Perl module
|
||||
eval { require Net::LDAP::Control::PasswordPolicy };
|
||||
if ($@) {
|
||||
$self->{portal}->logger->error(
|
||||
"Module Net::LDAP::Control::PasswordPolicy not found in @INC");
|
||||
return 0;
|
||||
}
|
||||
$ppLoaded = 1;
|
||||
}
|
||||
|
||||
## @method protected int userBind(string dn, hash args)
|
||||
# Call bind() with dn/password and return
|
||||
# @param $dn LDAP distinguish name
|
||||
|
@ -202,7 +205,7 @@ sub userBind {
|
|||
# Get server control response
|
||||
my ($resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
|
||||
|
||||
# Return direct unless control resonse
|
||||
# Return direct unless control response
|
||||
unless ( defined $resp ) {
|
||||
if ( $mesg->code == 49 ) {
|
||||
$self->{portal}->userLogger->warn(
|
||||
|
@ -638,16 +641,8 @@ sub ldap {
|
|||
$self->{ldap}->unbind;
|
||||
}
|
||||
else {
|
||||
if ( $self->{ldapPpolicyControl}
|
||||
and not $self->{ldap}->loadPP() )
|
||||
{
|
||||
$self->logger->error("LDAP password policy error");
|
||||
$self->{ldap}->unbind;
|
||||
}
|
||||
else {
|
||||
$self->{flags}->{ldapActive} = 1;
|
||||
return $self->{ldap};
|
||||
}
|
||||
$self->{flags}->{ldapActive} = 1;
|
||||
return $self->{ldap};
|
||||
}
|
||||
}
|
||||
else {
|
||||
|
|
Loading…
Reference in New Issue
Block a user