password plugin: better error message on constraint violation (#5727)

If the password policy on the ldap server is violated when changing
password, report error as "constraint violation" instead of the
misleading "connection error".

Only tested with OpenLDAP (v2.4).

plugins/password/drivers/ldap_simple.php

@@ -165,8 +165,14 @@ class rcube_ldap_simple_password
         if (!ldap_modify($ds, $user_dn, $entry)) {
             $this->_debug("S: ".ldap_error($ds));
 
+            $errno = ldap_errno($ds);
+
             ldap_unbind($ds);
 
+            if ($errno == 0x13) {   // LDAP_CONSTRAINT_VIOLATION
+                return PASSWORD_CONSTRAINT_VIOLATION;
+            }
+
             return PASSWORD_CONNECT_ERROR;
         }
 

plugins/password/localization/en_US.inc

@@ -39,4 +39,4 @@ $messages['passwinhistory'] = 'This password has already been used previously.';
 $messages['samepasswd'] = 'New password have to be different from the old one.';
 $messages['passwdexpirewarning'] = 'Warning! Your password will expire soon, change it before $expirationdatetime.';
 $messages['passwdexpired'] = 'Your password has expired, you have to change it now!';
-
+$messages['passwdconstraintviolation'] = 'Password constraint violation. Password probably to weak.';

plugins/password/password.php

@@ -25,6 +25,7 @@ define('PASSWORD_CRYPT_ERROR', 1);
 define('PASSWORD_ERROR', 2);
 define('PASSWORD_CONNECT_ERROR', 3);
 define('PASSWORD_IN_HISTORY', 4);
+define('PASSWORD_CONSTRAINT_VIOLATION', 5);
 define('PASSWORD_SUCCESS', 0);
 
 /**
@@ -351,6 +352,9 @@ class password extends rcube_plugin
             case PASSWORD_IN_HISTORY:
                 $reason = $this->gettext('passwdinhistory');
                 break;
+            case PASSWORD_CONSTRAINT_VIOLATION:
+                $reason = $this->gettext('passwdconstraintviolation');
+                break;
             case PASSWORD_ERROR:
             default:
                 $reason = $this->gettext('internalerror');