diff --git a/CHANGELOG b/CHANGELOG index ba57d042c..41e6888d1 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Password: Added ldap_exop driver (#4992) - Elastic: Changed read/unread icons (#6636) - Elastic: Changed "Move to..." icon (#6637) - Elastic: Add hide/show for advanced preferences (#6632) diff --git a/plugins/password/drivers/ldap.php b/plugins/password/drivers/ldap.php index cf0a7f541..65fe965a3 100644 --- a/plugins/password/drivers/ldap.php +++ b/plugins/password/drivers/ldap.php @@ -34,10 +34,11 @@ class rcube_ldap_password { $rcmail = rcmail::get_instance(); require_once 'Net/LDAP2.php'; + require_once __DIR__ . '/ldap_simple.php'; // Building user DN if ($userDN = $rcmail->config->get('password_ldap_userDN_mask')) { - $userDN = self::substitute_vars($userDN); + $userDN = rcube_ldap_simple_password::substitute_vars($userDN); } else { $userDN = $this->search_userdn($rcmail); @@ -179,8 +180,8 @@ class rcube_ldap_password return ''; } - $base = self::substitute_vars($rcmail->config->get('password_ldap_search_base')); - $filter = self::substitute_vars($rcmail->config->get('password_ldap_search_filter')); + $base = rcube_ldap_simple_password::substitute_vars($rcmail->config->get('password_ldap_search_base')); + $filter = rcube_ldap_simple_password::substitute_vars($rcmail->config->get('password_ldap_search_filter')); $options = array ( 'scope' => 'sub', 'attributes' => array(), @@ -196,31 +197,4 @@ class rcube_ldap_password return $userDN; } - - /** - * Substitute %login, %name, %domain, %dc in $str - * See plugin config for details - */ - static function substitute_vars($str) - { - $str = str_replace('%login', $_SESSION['username'], $str); - $str = str_replace('%l', $_SESSION['username'], $str); - - $parts = explode('@', $_SESSION['username']); - - if (count($parts) == 2) { - $dc = 'dc='.strtr($parts[1], array('.' => ',dc=')); // hierarchal domain string - - $str = str_replace('%name', $parts[0], $str); - $str = str_replace('%n', $parts[0], $str); - $str = str_replace('%dc', $dc, $str); - $str = str_replace('%domain', $parts[1], $str); - $str = str_replace('%d', $parts[1], $str); - } else if ( count($parts) == 1) { - $str = str_replace('%name', $parts[0], $str); - $str = str_replace('%n', $parts[0], $str); - } - - return $str; - } } diff --git a/plugins/password/drivers/ldap_exop.php b/plugins/password/drivers/ldap_exop.php index 307c5f446..a034c95c1 100644 --- a/plugins/password/drivers/ldap_exop.php +++ b/plugins/password/drivers/ldap_exop.php @@ -27,7 +27,9 @@ * along with this program. If not, see http://www.gnu.org/licenses/. */ -class rcube_ldap_exop_password +require_once __DIR__ . '/ldap_simple.php'; + +class rcube_ldap_exop_password extends rcube_ldap_simple_password { private $debug = false; @@ -40,103 +42,24 @@ class rcube_ldap_exop_password 'message' => "ldap_exop_passwd not supported" ), true); - return PASSWORD_CONNECT_ERROR; - } - - $rcmail = rcmail::get_instance(); - - $this->debug = $rcmail->config->get('ldap_debug'); - - $ldap_host = $rcmail->config->get('password_ldap_host', 'localhost'); - $ldap_port = $rcmail->config->get('password_ldap_port', '389'); - - $this->_debug("C: Connect to $ldap_host:$ldap_port"); - - // Connect - if (!$ds = ldap_connect($ldap_host, $ldap_port)) { - $this->_debug("S: NOT OK"); - - rcube::raise_error(array( - 'code' => 100, 'type' => 'ldap', - 'file' => __FILE__, 'line' => __LINE__, - 'message' => "Could not connect to LDAP server" - ), - true); - return PASSWORD_CONNECT_ERROR; + return PASSWORD_ERROR; } - $this->_debug("S: OK"); - - // Set protocol version - ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, - $rcmail->config->get('password_ldap_version', '3')); - - // Start TLS - if ($rcmail->config->get('password_ldap_starttls')) { - if (!ldap_start_tls($ds)) { - ldap_unbind($ds); - return PASSWORD_CONNECT_ERROR; - } + // Connect and bind + $ret = $this->connect($curpass); + if ($ret !== true) { + return $ret; } - // include 'ldap' driver, we share some static methods with it - require_once INSTALL_PATH . 'plugins/password/drivers/ldap.php'; + if (!ldap_exop_passwd($this->conn, $this->user, $curpass, $passwd)) { + $this->_debug("S: ".ldap_error($this->conn)); - // other plugins might want to modify user DN - $plugin = $rcmail->plugins->exec_hook('password_ldap_bind', array( - 'user_dn' => '', 'conn' => $ds)); + $errno = ldap_errno($this->conn); - // Build user DN - if (!empty($plugin['user_dn'])) { - $user_dn = $plugin['user_dn']; - } - else if ($user_dn = $rcmail->config->get('password_ldap_userDN_mask')) { - $user_dn = rcube_ldap_password::substitute_vars($user_dn); - } - else { - $user_dn = $this->search_userdn($rcmail, $ds); - } + ldap_unbind($this->conn); - if (empty($user_dn)) { - ldap_unbind($ds); - return PASSWORD_CONNECT_ERROR; - } - - // Connection method - switch ($rcmail->config->get('password_ldap_method')) { - case 'admin': - $binddn = $rcmail->config->get('password_ldap_adminDN'); - $bindpw = $rcmail->config->get('password_ldap_adminPW'); - break; - case 'user': - default: - $binddn = $user_dn; - $bindpw = $curpass; - break; - } - - $this->_debug("C: Bind $binddn, pass: **** [" . strlen($bindpw) . "]"); - - // Bind - if (!ldap_bind($ds, $binddn, $bindpw)) { - $this->_debug("S: ".ldap_error($ds)); - - ldap_unbind($ds); - - return PASSWORD_CONNECT_ERROR; - } - - $this->_debug("S: OK"); - - if (!ldap_exop_passwd($ds, $user_dn, $curpass, $passwd)) { - $this->_debug("S: ".ldap_error($ds)); - - $errno = ldap_errno($ds); - - ldap_unbind($ds); - - if ($errno == 0x13) { // LDAP_CONSTRAINT_VIOLATION + if ($errno == 0x13) { return PASSWORD_CONSTRAINT_VIOLATION; } @@ -146,67 +69,8 @@ class rcube_ldap_exop_password $this->_debug("S: OK"); // All done, no error - ldap_unbind($ds); + ldap_unbind($this->conn); return PASSWORD_SUCCESS; } - - /** - * Bind with searchDN and searchPW and search for the user's DN - * Use search_base and search_filter defined in config file - * Return the found DN - */ - function search_userdn($rcmail, $ds) - { - $search_user = $rcmail->config->get('password_ldap_searchDN'); - $search_pass = $rcmail->config->get('password_ldap_searchPW'); - $search_base = $rcmail->config->get('password_ldap_search_base'); - $search_filter = $rcmail->config->get('password_ldap_search_filter'); - - if (empty($search_filter)) { - return false; - } - - $this->_debug("C: Bind " . ($search_user ? $search_user : '[anonymous]')); - - // Bind - if (!ldap_bind($ds, $search_user, $search_pass)) { - $this->_debug("S: ".ldap_error($ds)); - return false; - } - - $this->_debug("S: OK"); - - $search_base = rcube_ldap_password::substitute_vars($search_base); - $search_filter = rcube_ldap_password::substitute_vars($search_filter); - - $this->_debug("C: Search $search_base for $search_filter"); - - // Search for the DN - if (!$sr = ldap_search($ds, $search_base, $search_filter)) { - $this->_debug("S: ".ldap_error($ds)); - return false; - } - - $found = ldap_count_entries($ds, $sr); - - $this->_debug("S: OK [found $found records]"); - - // If no or more entries were found, return false - if ($found != 1) { - return false; - } - - return ldap_get_dn($ds, ldap_first_entry($ds, $sr)); - } - - /** - * Prints debug info to the log - */ - private function _debug($str) - { - if ($this->debug) { - rcube::write_log('ldap', $str); - } - } } diff --git a/plugins/password/drivers/ldap_simple.php b/plugins/password/drivers/ldap_simple.php index 800b4e91a..8e422543b 100644 --- a/plugins/password/drivers/ldap_simple.php +++ b/plugins/password/drivers/ldap_simple.php @@ -7,7 +7,7 @@ * This driver is based on Edouard's LDAP Password Driver, but does not * require PEAR's Net_LDAP2 to be installed * - * @version 2.0 + * @version 2.1 * @author Wout Decre * @author Aleksander Machniak * @@ -30,15 +30,95 @@ class rcube_ldap_simple_password { private $debug = false; + private $user; + private $conn; - function save($curpass, $passwd) + + public function save($curpass, $passwd) { $rcmail = rcmail::get_instance(); - $this->debug = $rcmail->config->get('ldap_debug'); + $lchattr = $rcmail->config->get('password_ldap_lchattr'); + $pwattr = $rcmail->config->get('password_ldap_pwattr', 'userPassword'); + $smbpwattr = $rcmail->config->get('password_ldap_samba_pwattr'); + $smblchattr = $rcmail->config->get('password_ldap_samba_lchattr'); + $samba = $rcmail->config->get('password_ldap_samba'); + $pass_mode = $rcmail->config->get('password_ldap_encodage', 'crypt'); + $crypted_pass = password::hash_password($passwd, $pass_mode); - $ldap_host = $rcmail->config->get('password_ldap_host', 'localhost'); - $ldap_port = $rcmail->config->get('password_ldap_port', '389'); + // Support password_ldap_samba option for backward compat. + if ($samba && !$smbpwattr) { + $smbpwattr = 'sambaNTPassword'; + $smblchattr = 'sambaPwdLastSet'; + } + + // Crypt new password + if (!$crypted_pass) { + return PASSWORD_CRYPT_ERROR; + } + + // Crypt new Samba password + if ($smbpwattr && !($samba_pass = password::hash_password($passwd, 'samba'))) { + return PASSWORD_CRYPT_ERROR; + } + + // Connect and bind + $ret = $this->connect($curpass); + if ($ret !== true) { + return $ret; + } + + $entry[$pwattr] = $crypted_pass; + + // Update PasswordLastChange Attribute if desired + if ($lchattr) { + $entry[$lchattr] = (int)(time() / 86400); + } + + // Update Samba password + if ($smbpwattr) { + $entry[$smbpwattr] = $samba_pass; + } + + // Update Samba password last change + if ($smblchattr) { + $entry[$smblchattr] = time(); + } + + $this->_debug("C: Modify $user_dn: " . print_r($entry, true)); + + if (!ldap_modify($this->conn, $this->user, $entry)) { + $this->_debug("S: ".ldap_error($this->conn)); + + $errno = ldap_errno($this->conn); + + ldap_unbind($this->conn); + + if ($errno == 0x13) { + return PASSWORD_CONSTRAINT_VIOLATION; + } + + return PASSWORD_CONNECT_ERROR; + } + + $this->_debug("S: OK"); + + // All done, no error + ldap_unbind($this->conn); + + return PASSWORD_SUCCESS; + } + + /** + * Connect and bind to LDAP server + */ + function connect($curpass) + { + $rcmail = rcmail::get_instance(); + + $this->debug = $rcmail->config->get('ldap_debug'); + $ldap_host = $rcmail->config->get('password_ldap_host', 'localhost'); + $ldap_port = $rcmail->config->get('password_ldap_port', '389'); $this->_debug("C: Connect to $ldap_host:$ldap_port"); @@ -70,9 +150,6 @@ class rcube_ldap_simple_password } } - // include 'ldap' driver, we share some static methods with it - require_once INSTALL_PATH . 'plugins/password/drivers/ldap.php'; - // other plugins might want to modify user DN $plugin = $rcmail->plugins->exec_hook('password_ldap_bind', array( 'user_dn' => '', 'conn' => $ds)); @@ -106,30 +183,6 @@ class rcube_ldap_simple_password break; } - $lchattr = $rcmail->config->get('password_ldap_lchattr'); - $pwattr = $rcmail->config->get('password_ldap_pwattr', 'userPassword'); - $smbpwattr = $rcmail->config->get('password_ldap_samba_pwattr'); - $smblchattr = $rcmail->config->get('password_ldap_samba_lchattr'); - $samba = $rcmail->config->get('password_ldap_samba'); - $pass_mode = $rcmail->config->get('password_ldap_encodage', 'crypt'); - $crypted_pass = password::hash_password($passwd, $pass_mode); - - // Support password_ldap_samba option for backward compat. - if ($samba && !$smbpwattr) { - $smbpwattr = 'sambaNTPassword'; - $smblchattr = 'sambaPwdLastSet'; - } - - // Crypt new password - if (!$crypted_pass) { - return PASSWORD_CRYPT_ERROR; - } - - // Crypt new Samba password - if ($smbpwattr && !($samba_pass = password::hash_password($passwd, 'samba'))) { - return PASSWORD_CRYPT_ERROR; - } - $this->_debug("C: Bind $binddn, pass: **** [" . strlen($bindpw) . "]"); // Bind @@ -143,45 +196,10 @@ class rcube_ldap_simple_password $this->_debug("S: OK"); - $entry[$pwattr] = $crypted_pass; - - // Update PasswordLastChange Attribute if desired - if ($lchattr) { - $entry[$lchattr] = (int)(time() / 86400); - } - - // Update Samba password - if ($smbpwattr) { - $entry[$smbpwattr] = $samba_pass; - } + $this->conn = $ds; + $this->user = $user_dn; - // Update Samba password last change - if ($smblchattr) { - $entry[$smblchattr] = time(); - } - - $this->_debug("C: Modify $user_dn: " . print_r($entry, true)); - - if (!ldap_modify($ds, $user_dn, $entry)) { - $this->_debug("S: ".ldap_error($ds)); - - $errno = ldap_errno($ds); - - ldap_unbind($ds); - - if ($errno == 0x13) { // LDAP_CONSTRAINT_VIOLATION - return PASSWORD_CONSTRAINT_VIOLATION; - } - - return PASSWORD_CONNECT_ERROR; - } - - $this->_debug("S: OK"); - - // All done, no error - ldap_unbind($ds); - - return PASSWORD_SUCCESS; + return true; } /** @@ -233,6 +251,34 @@ class rcube_ldap_simple_password return ldap_get_dn($ds, ldap_first_entry($ds, $sr)); } + /** + * Substitute %login, %name, %domain, %dc in $str + * See plugin config for details + */ + public static function substitute_vars($str) + { + $str = str_replace('%login', $_SESSION['username'], $str); + $str = str_replace('%l', $_SESSION['username'], $str); + + $parts = explode('@', $_SESSION['username']); + + if (count($parts) == 2) { + $dc = 'dc='.strtr($parts[1], array('.' => ',dc=')); // hierarchal domain string + + $str = str_replace('%name', $parts[0], $str); + $str = str_replace('%n', $parts[0], $str); + $str = str_replace('%dc', $dc, $str); + $str = str_replace('%domain', $parts[1], $str); + $str = str_replace('%d', $parts[1], $str); + } + else if ( count($parts) == 1) { + $str = str_replace('%name', $parts[0], $str); + $str = str_replace('%n', $parts[0], $str); + } + + return $str; + } + /** * Prints debug info to the log */