From ebb764a3c597744d742eacd73cf958f7f29e2f95 Mon Sep 17 00:00:00 2001
From: dcoutadeur dcoutadeur <david.coutadeur@gmail.com>
Date: Wed, 29 Sep 2021 09:36:58 +0000
Subject: [PATCH] add more logs for ldap binding (ppolicy extended response
 code) + remove loadPP (#2620)

---
 .../lib/Lemonldap/NG/Portal/Lib/LDAP.pm       |  7 +-
 .../lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm   | 83 +++++++++----------
 2 files changed, 41 insertions(+), 49 deletions(-)

diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/LDAP.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/LDAP.pm
index 218ce3b43..c9b554543 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/LDAP.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/LDAP.pm
@@ -13,7 +13,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
 
 extends 'Lemonldap::NG::Common::Module';
 
-our $VERSION = '2.0.13';
+our $VERSION = '2.0.14';
 
 # PROPERTIES
 
@@ -54,9 +54,6 @@ sub newLdap {
     if ( $msg->code ) {
         $self->logger->error( 'LDAP test has failed: ' . $msg->error );
     }
-    elsif ( $self->{conf}->{ldapPpolicyControl} and not $ldap->loadPP() ) {
-        $self->logger->error("LDAP password policy error");
-    }
     return $ldap;
 }
 
@@ -132,7 +129,7 @@ sub getUser {
     $self->validateLdap;
     return PE_LDAPCONNECTFAILED unless $self->ldap;
 
-    $self->bind();
+    return PE_LDAPERROR unless $self->bind();
 
     my $mesg = $self->ldap->search(
         base   => $self->conf->{ldapBase},
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm
index aa37ddac0..e8e52dde0 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm
@@ -7,21 +7,14 @@ use Net::LDAP;    #inherits
 use Net::LDAP::Util qw(escape_filter_value);
 use base qw(Net::LDAP);
 use Lemonldap::NG::Portal::Main::Constants ':all';
+use Net::LDAP::Control::PasswordPolicy;
 use Encode;
 use Unicode::String qw(utf8);
 use Scalar::Util 'weaken';
 use IO::Socket::Timeout;
 use utf8;
 
-our $VERSION  = '2.0.10';
-our $ppLoaded = 0;
-
-BEGIN {
-    eval {
-        require threads::shared;
-        threads::shared::share($ppLoaded);
-    };
-}
+our $VERSION  = '2.0.14';
 
 # INITIALIZATION
 
@@ -135,7 +128,40 @@ sub bind {
             };
             print STDERR "$@\n" if ($@);
         }
+
+        if ( $self->{conf}->{ldapPpolicyControl} ) {
+            my $pp = Net::LDAP::Control::PasswordPolicy->new();
+            $args{control} = [$pp];
+        }
+
         $mesg = $self->SUPER::bind( $dn, %args );
+
+        if ( $mesg->code ) {
+            my ($resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
+            # Check for ppolicy error
+            my $pp_error = $resp->pp_error if (defined($resp));
+            if ( defined $pp_error ) {
+                my $ppolicy_error = [
+                    "password expired",
+                    "account locked",
+                    "change after reset",
+                    "password mod not allowed",
+                    "supply old password",
+                    "insufficient password quality",
+                    "password too short",
+                    "password too young",
+                    "password in history",
+                ]->[$pp_error];
+
+                $self->{portal}->logger->error( "Error when binding to LDAP server: ". $mesg->error.
+                   " | extended ppolicy control response error: ".$ppolicy_error );
+            }
+            else
+            {
+                $self->{portal}->logger->error( "Error when binding to LDAP server: ". $mesg->error );
+            }
+        }
+
     }
     else {
         $mesg = $self->SUPER::bind();
@@ -143,6 +169,7 @@ sub bind {
     return $mesg;
 }
 
+
 ## @method Net::LDAP::Message unbind()
 # Reimplementation of Net::LDAP::unbind() to force call to disconnect()
 # @return Net::LDAP::Message
@@ -158,30 +185,6 @@ sub unbind {
     return $mesg;
 }
 
-## @method private boolean loadPP ()
-# Load Net::LDAP::Control::PasswordPolicy
-# @return true if succeed.
-sub loadPP {
-    my $self = shift;
-    return 1 if ($ppLoaded);
-
-    # Minimal version of Net::LDAP required
-    if ( $Net::LDAP::VERSION < 0.38 ) {
-        die(
-"Module Net::LDAP is too old for password policy, please install version 0.38 or higher"
-        );
-    }
-
-    # Require Perl module
-    eval { require Net::LDAP::Control::PasswordPolicy };
-    if ($@) {
-        $self->{portal}->logger->error(
-            "Module Net::LDAP::Control::PasswordPolicy not found in @INC");
-        return 0;
-    }
-    $ppLoaded = 1;
-}
-
 ## @method protected int userBind(string dn, hash args)
 # Call bind() with dn/password and return
 # @param $dn LDAP distinguish name
@@ -202,7 +205,7 @@ sub userBind {
         # Get server control response
         my ($resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
 
-        # Return direct unless control resonse
+        # Return direct unless control response
         unless ( defined $resp ) {
             if ( $mesg->code == 49 ) {
                 $self->{portal}->userLogger->warn(
@@ -638,16 +641,8 @@ sub ldap {
             $self->{ldap}->unbind;
         }
         else {
-            if ( $self->{ldapPpolicyControl}
-                and not $self->{ldap}->loadPP() )
-            {
-                $self->logger->error("LDAP password policy error");
-                $self->{ldap}->unbind;
-            }
-            else {
-                $self->{flags}->{ldapActive} = 1;
-                return $self->{ldap};
-            }
+            $self->{flags}->{ldapActive} = 1;
+            return $self->{ldap};
         }
     }
     else {