add more logs for ldap binding (ppolicy extended response code) + remove loadPP (#2620)
parent
7bfedfe9a9
commit
ebb764a3c5
|
@ -13,7 +13,7 @@ use Lemonldap::NG::Portal::Main::Constants qw(
|
||||||
|
|
||||||
extends 'Lemonldap::NG::Common::Module';
|
extends 'Lemonldap::NG::Common::Module';
|
||||||
|
|
||||||
our $VERSION = '2.0.13';
|
our $VERSION = '2.0.14';
|
||||||
|
|
||||||
# PROPERTIES
|
# PROPERTIES
|
||||||
|
|
||||||
|
@ -54,9 +54,6 @@ sub newLdap {
|
||||||
if ( $msg->code ) {
|
if ( $msg->code ) {
|
||||||
$self->logger->error( 'LDAP test has failed: ' . $msg->error );
|
$self->logger->error( 'LDAP test has failed: ' . $msg->error );
|
||||||
}
|
}
|
||||||
elsif ( $self->{conf}->{ldapPpolicyControl} and not $ldap->loadPP() ) {
|
|
||||||
$self->logger->error("LDAP password policy error");
|
|
||||||
}
|
|
||||||
return $ldap;
|
return $ldap;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -132,7 +129,7 @@ sub getUser {
|
||||||
$self->validateLdap;
|
$self->validateLdap;
|
||||||
return PE_LDAPCONNECTFAILED unless $self->ldap;
|
return PE_LDAPCONNECTFAILED unless $self->ldap;
|
||||||
|
|
||||||
$self->bind();
|
return PE_LDAPERROR unless $self->bind();
|
||||||
|
|
||||||
my $mesg = $self->ldap->search(
|
my $mesg = $self->ldap->search(
|
||||||
base => $self->conf->{ldapBase},
|
base => $self->conf->{ldapBase},
|
||||||
|
|
|
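Review bot: The new guard `return PE_LDAPERROR unless $self->bind();` in getUser only works if bind() returns a false value on failure, and that is not visible here. The Lib::Net::LDAP bind() changed later in this commit ends with `return $mesg;` unconditionally, and a Net::LDAP::Message object is true even when `$mesg->code` is non-zero; if getUser's bind() forwards that object, a failed bind still falls through to the search. If it does, test the result code instead, e.g. `my $bind = $self->bind(); return PE_LDAPERROR if !$bind or ( ref $bind and $bind->code );`, or make bind() return `0` on `$mesg->code` and document that contract above it. getUser's body continues outside the hunk.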
@ -7,21 +7,14 @@ use Net::LDAP; #inherits
|
||||||
use Net::LDAP::Util qw(escape_filter_value);
|
use Net::LDAP::Util qw(escape_filter_value);
|
||||||
use base qw(Net::LDAP);
|
use base qw(Net::LDAP);
|
||||||
use Lemonldap::NG::Portal::Main::Constants ':all';
|
use Lemonldap::NG::Portal::Main::Constants ':all';
|
||||||
|
use Net::LDAP::Control::PasswordPolicy;
|
||||||
use Encode;
|
use Encode;
|
||||||
use Unicode::String qw(utf8);
|
use Unicode::String qw(utf8);
|
||||||
use Scalar::Util 'weaken';
|
use Scalar::Util 'weaken';
|
||||||
use IO::Socket::Timeout;
|
use IO::Socket::Timeout;
|
||||||
use utf8;
|
use utf8;
|
||||||
|
|
||||||
our $VERSION = '2.0.10';
|
our $VERSION = '2.0.14';
|
||||||
our $ppLoaded = 0;
|
|
||||||
|
|
||||||
BEGIN {
|
|
||||||
eval {
|
|
||||||
require threads::shared;
|
|
||||||
threads::shared::share($ppLoaded);
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
# INITIALIZATION
|
# INITIALIZATION
|
||||||
|
|
||||||
|
@ -135,7 +128,40 @@ sub bind {
|
||||||
};
|
};
|
||||||
print STDERR "$@\n" if ($@);
|
print STDERR "$@\n" if ($@);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if ( $self->{conf}->{ldapPpolicyControl} ) {
|
||||||
|
my $pp = Net::LDAP::Control::PasswordPolicy->new();
|
||||||
|
$args{control} = [$pp];
|
||||||
|
}
|
||||||
|
|
||||||
$mesg = $self->SUPER::bind( $dn, %args );
|
$mesg = $self->SUPER::bind( $dn, %args );
|
||||||
|
|
||||||
|
if ( $mesg->code ) {
|
||||||
|
my ($resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
|
||||||
|
# Check for ppolicy error
|
||||||
|
my $pp_error = $resp->pp_error if (defined($resp));
|
||||||
|
if ( defined $pp_error ) {
|
||||||
|
my $ppolicy_error = [
|
||||||
|
"password expired",
|
||||||
|
"account locked",
|
||||||
|
"change after reset",
|
||||||
|
"password mod not allowed",
|
||||||
|
"supply old password",
|
||||||
|
"insufficient password quality",
|
||||||
|
"password too short",
|
||||||
|
"password too young",
|
||||||
|
"password in history",
|
||||||
|
]->[$pp_error];
|
||||||
|
|
||||||
|
$self->{portal}->logger->error( "Error when binding to LDAP server: ". $mesg->error.
|
||||||
|
" | extended ppolicy control response error: ".$ppolicy_error );
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$self->{portal}->logger->error( "Error when binding to LDAP server: ". $mesg->error );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
$mesg = $self->SUPER::bind();
|
$mesg = $self->SUPER::bind();
|
||||||
|
@ -143,6 +169,7 @@ sub bind {
|
||||||
return $mesg;
|
return $mesg;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
## @method Net::LDAP::Message unbind()
|
## @method Net::LDAP::Message unbind()
|
||||||
# Reimplementation of Net::LDAP::unbind() to force call to disconnect()
|
# Reimplementation of Net::LDAP::unbind() to force call to disconnect()
|
||||||
# @return Net::LDAP::Message
|
# @return Net::LDAP::Message
|
||||||
|
@ -158,30 +185,6 @@ sub unbind {
|
||||||
return $mesg;
|
return $mesg;
|
||||||
}
|
}
|
||||||
|
|
||||||
## @method private boolean loadPP ()
|
|
||||||
# Load Net::LDAP::Control::PasswordPolicy
|
|
||||||
# @return true if succeed.
|
|
||||||
sub loadPP {
|
|
||||||
my $self = shift;
|
|
||||||
return 1 if ($ppLoaded);
|
|
||||||
|
|
||||||
# Minimal version of Net::LDAP required
|
|
||||||
if ( $Net::LDAP::VERSION < 0.38 ) {
|
|
||||||
die(
|
|
||||||
"Module Net::LDAP is too old for password policy, please install version 0.38 or higher"
|
|
||||||
);
|
|
||||||
}
|
|
||||||
|
|
||||||
# Require Perl module
|
|
||||||
eval { require Net::LDAP::Control::PasswordPolicy };
|
|
||||||
if ($@) {
|
|
||||||
$self->{portal}->logger->error(
|
|
||||||
"Module Net::LDAP::Control::PasswordPolicy not found in @INC");
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
$ppLoaded = 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
## @method protected int userBind(string dn, hash args)
|
## @method protected int userBind(string dn, hash args)
|
||||||
# Call bind() with dn/password and return
|
# Call bind() with dn/password and return
|
||||||
# @param $dn LDAP distinguish name
|
# @param $dn LDAP distinguish name
|
||||||
|
@ -202,7 +205,7 @@ sub userBind {
|
||||||
# Get server control response
|
# Get server control response
|
||||||
my ($resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
|
my ($resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
|
||||||
|
|
||||||
# Return direct unless control resonse
|
# Return direct unless control response
|
||||||
unless ( defined $resp ) {
|
unless ( defined $resp ) {
|
||||||
if ( $mesg->code == 49 ) {
|
if ( $mesg->code == 49 ) {
|
||||||
$self->{portal}->userLogger->warn(
|
$self->{portal}->userLogger->warn(
|
||||||
|
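Review bot: In the bind() hunk (@ -135,7 +128,40), `my $pp_error = $resp->pp_error if (defined($resp));` declares a lexical under a statement modifier, which perlsyn documents as undefined behaviour; in practice the variable can keep a stale value across calls when the condition is false, so a previous ppolicy code could be logged for a bind that returned no control. Write it as `my $pp_error = defined $resp ? $resp->pp_error : undef;`. The lookup `[...]->[$pp_error]` also yields undef for any code outside 0..8, which then warns on concatenation; and the `else` / `{` on separate lines differs from the cuddled style used elsewhere in the hunk. A single log call with an optional suffix avoids the duplicated message prefix; the suggested rewrite is below.
```perl
if ( $mesg->code ) {
    my ($resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");

    # Check for ppolicy error (control is absent unless the server sent it)
    my $pp_error = defined $resp ? $resp->pp_error : undef;
    my $detail   = '';
    if ( defined $pp_error ) {
        my @ppolicy_errors = (
            "password expired",
            "account locked",
            "change after reset",
            "password mod not allowed",
            "supply old password",
            "insufficient password quality",
            "password too short",
            "password too young",
            "password in history",
        );
        my $text =
          defined $ppolicy_errors[$pp_error]
          ? $ppolicy_errors[$pp_error]
          : "unknown ppolicy error code $pp_error";
        $detail = " | extended ppolicy control response error: $text";
    }
    $self->{portal}->logger->error(
        "Error when binding to LDAP server: " . $mesg->error . $detail );
}
```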
@ -637,19 +640,11 @@ sub ldap {
|
||||||
$self->logger->error( "LDAP error: " . $mesg->error );
|
$self->logger->error( "LDAP error: " . $mesg->error );
|
||||||
$self->{ldap}->unbind;
|
$self->{ldap}->unbind;
|
||||||
}
|
}
|
||||||
else {
|
|
||||||
if ( $self->{ldapPpolicyControl}
|
|
||||||
and not $self->{ldap}->loadPP() )
|
|
||||||
{
|
|
||||||
$self->logger->error("LDAP password policy error");
|
|
||||||
$self->{ldap}->unbind;
|
|
||||||
}
|
|
||||||
else {
|
else {
|
||||||
$self->{flags}->{ldapActive} = 1;
|
$self->{flags}->{ldapActive} = 1;
|
||||||
return $self->{ldap};
|
return $self->{ldap};
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
|
||||||
else {
|
else {
|
||||||
$self->logger->error("LDAP error: $@");
|
$self->logger->error("LDAP error: $@");
|
||||||
}
|
}
|
||||||
|
|