Merge branch 'army1349-master'

5 years ago · 9d19d5b5d5
parent 0ac2747293 0751c1c8eb
commit 9d19d5b5d5
6 changed files with 207 additions and 101 deletions
--- a/1
+++ b/1
@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================

+- Password: Added ldap_exop driver (#4992)
 - Elastic: Changed read/unread icons (#6636)
 - Elastic: Changed "Move to..." icon (#6637)
 - Elastic: Add hide/show for advanced preferences (#6632)
--- a/plugins/password/README
+++ b/plugins/password/README
@ -48,6 +48,7 @@
 2.1.20. Plesk (Plesk RPC-API)
 2.1.21. Kpasswd
 2.1.22. Modoboa
+ 2.1.23. LDAP - Password Modify Extended Operation (ldap_exop)
 2.2.    Password Strength Drivers
 2.2.1.  Zxcvbn
 3.      Driver API
@ -377,6 +378,14 @@
 See config.inc.php.dist file for configuration description.


+ 2.1.23. LDAP - Password Modify Extended Operation (ldap_exop)
+ -------------------------------------------------------------
+ 
+ Modified version of ldap_simple.
+ Password is changed using ldap_exop_passwd operation.
+ PHP >= 7.2 required.
+ 
+ 
 2.2. Password Strength Drivers
 ------------------------------

--- a/plugins/password/config.inc.php.dist
+++ b/plugins/password/config.inc.php.dist
@ -172,7 +172,7 @@ $config['password_pop_port'] = 106;
 $config['password_saslpasswd_args'] = '';


-// LDAP and LDAP_SIMPLE Driver options
+// LDAP, LDAP_SIMPLE and LDAP_EXOP Driver options
 // -----------------------------------
 // LDAP server name to connect to.
 // You can provide one or several hosts in an array in which case the hosts are tried from left to right.
--- a/plugins/password/drivers/ldap.php
+++ b/plugins/password/drivers/ldap.php
@ -34,10 +34,11 @@ class rcube_ldap_password
    {
        $rcmail = rcmail::get_instance();
        require_once 'Net/LDAP2.php';
+        require_once __DIR__ . '/ldap_simple.php';

        // Building user DN
        if ($userDN = $rcmail->config->get('password_ldap_userDN_mask')) {
-            $userDN = self::substitute_vars($userDN);
+            $userDN = rcube_ldap_simple_password::substitute_vars($userDN);
        }
        else {
            $userDN = $this->search_userdn($rcmail);
@ -179,8 +180,8 @@ class rcube_ldap_password
            return '';
        }

-        $base   = self::substitute_vars($rcmail->config->get('password_ldap_search_base'));
-        $filter = self::substitute_vars($rcmail->config->get('password_ldap_search_filter'));
+        $base   = rcube_ldap_simple_password::substitute_vars($rcmail->config->get('password_ldap_search_base'));
+        $filter = rcube_ldap_simple_password::substitute_vars($rcmail->config->get('password_ldap_search_filter'));
        $options = array (
            'scope' => 'sub',
            'attributes' => array(),
@ -196,31 +197,4 @@ class rcube_ldap_password

        return $userDN;
    }
-
-    /**
-     * Substitute %login, %name, %domain, %dc in $str
-     * See plugin config for details
-     */
-    static function substitute_vars($str)
-    {
-        $str = str_replace('%login', $_SESSION['username'], $str);
-        $str = str_replace('%l', $_SESSION['username'], $str);
-
-        $parts = explode('@', $_SESSION['username']);
-
-        if (count($parts) == 2) {
-            $dc = 'dc='.strtr($parts[1], array('.' => ',dc=')); // hierarchal domain string
-
-            $str = str_replace('%name', $parts[0], $str);
-            $str = str_replace('%n', $parts[0], $str);
-            $str = str_replace('%dc', $dc, $str);
-            $str = str_replace('%domain', $parts[1], $str);
-            $str = str_replace('%d', $parts[1], $str);
-        } else if ( count($parts) == 1) {
-            $str = str_replace('%name', $parts[0], $str);
-            $str = str_replace('%n', $parts[0], $str);
-        }
-
-        return $str;
-    }
 }
--- a/plugins/password/drivers/ldap_exop.php
+++ b/plugins/password/drivers/ldap_exop.php
@ -0,0 +1,76 @@
+<?php
+
+/**
+ * LDAP - Password Modify Extended Operation Driver
+ *
+ * Driver for passwords stored in LDAP
+ * This driver is based on Simple LDAP Password Driver, but uses
+ * Password Modify Extended Operation
+ * PHP >= 7.2 required
+ *
+ * @version 1.0
+ * @author Peter Kubica <peter@kubica.ch>
+ *
+ * Copyright (C) 2005-2019, The Roundcube Dev Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see http://www.gnu.org/licenses/.
+ */
+
+require_once __DIR__ . '/ldap_simple.php';
+
+class rcube_ldap_exop_password extends rcube_ldap_simple_password
+{
+    private $debug = false;
+
+    function save($curpass, $passwd)
+    {
+        if (!function_exists('ldap_exop_passwd')) {
+            rcube::raise_error(array(
+                    'code' => 100, 'type' => 'ldap',
+                    'file' => __FILE__, 'line' => __LINE__,
+                    'message' => "ldap_exop_passwd not supported"
+                ),
+                true);
+
+            return PASSWORD_ERROR;
+        }
+
+        // Connect and bind
+        $ret = $this->connect($curpass);
+        if ($ret !== true) {
+            return $ret;
+        }
+
+        if (!ldap_exop_passwd($this->conn, $this->user, $curpass, $passwd)) {
+            $this->_debug("S: ".ldap_error($this->conn));
+
+            $errno = ldap_errno($this->conn);
+
+            ldap_unbind($this->conn);
+
+            if ($errno == 0x13) {
+                return PASSWORD_CONSTRAINT_VIOLATION;
+            }
+
+            return PASSWORD_CONNECT_ERROR;
+        }
+
+        $this->_debug("S: OK");
+
+        // All done, no error
+        ldap_unbind($this->conn);
+
+        return PASSWORD_SUCCESS;
+    }
+}
--- a/plugins/password/drivers/ldap_simple.php
+++ b/plugins/password/drivers/ldap_simple.php
@ -7,7 +7,7 @@
 * This driver is based on Edouard's LDAP Password Driver, but does not
 * require PEAR's Net_LDAP2 to be installed
 *
- * @version 2.0
+ * @version 2.1
 * @author Wout Decre <wout@canodus.be>
 * @author Aleksander Machniak <machniak@kolabsys.com>
 *
@ -30,15 +30,95 @@
 class rcube_ldap_simple_password
 {
    private $debug = false;
+    private $user;
+    private $conn;

-    function save($curpass, $passwd)
+
+    public function save($curpass, $passwd)
    {
        $rcmail = rcmail::get_instance();

-        $this->debug = $rcmail->config->get('ldap_debug');
+        $lchattr      = $rcmail->config->get('password_ldap_lchattr');
+        $pwattr       = $rcmail->config->get('password_ldap_pwattr', 'userPassword');
+        $smbpwattr    = $rcmail->config->get('password_ldap_samba_pwattr');
+        $smblchattr   = $rcmail->config->get('password_ldap_samba_lchattr');
+        $samba        = $rcmail->config->get('password_ldap_samba');
+        $pass_mode    = $rcmail->config->get('password_ldap_encodage', 'crypt');
+        $crypted_pass = password::hash_password($passwd, $pass_mode);

-        $ldap_host = $rcmail->config->get('password_ldap_host', 'localhost');
-        $ldap_port = $rcmail->config->get('password_ldap_port', '389');
+        // Support password_ldap_samba option for backward compat.
+        if ($samba && !$smbpwattr) {
+            $smbpwattr  = 'sambaNTPassword';
+            $smblchattr = 'sambaPwdLastSet';
+        }
+
+        // Crypt new password
+        if (!$crypted_pass) {
+            return PASSWORD_CRYPT_ERROR;
+        }
+
+        // Crypt new Samba password
+        if ($smbpwattr && !($samba_pass = password::hash_password($passwd, 'samba'))) {
+            return PASSWORD_CRYPT_ERROR;
+        }
+
+        // Connect and bind
+        $ret = $this->connect($curpass);
+        if ($ret !== true) {
+            return $ret;
+        }
+
+        $entry[$pwattr] = $crypted_pass;
+
+        // Update PasswordLastChange Attribute if desired
+        if ($lchattr) {
+            $entry[$lchattr] = (int)(time() / 86400);
+        }
+
+        // Update Samba password
+        if ($smbpwattr) {
+            $entry[$smbpwattr] = $samba_pass;
+        }
+
+        // Update Samba password last change
+        if ($smblchattr) {
+            $entry[$smblchattr] = time();
+        }
+
+        $this->_debug("C: Modify $user_dn: " . print_r($entry, true));
+
+        if (!ldap_modify($this->conn, $this->user, $entry)) {
+            $this->_debug("S: ".ldap_error($this->conn));
+
+            $errno = ldap_errno($this->conn);
+
+            ldap_unbind($this->conn);
+
+            if ($errno == 0x13) {
+                return PASSWORD_CONSTRAINT_VIOLATION;
+            }
+
+            return PASSWORD_CONNECT_ERROR;
+        }
+
+        $this->_debug("S: OK");
+
+        // All done, no error
+        ldap_unbind($this->conn);
+
+        return PASSWORD_SUCCESS;
+    }
+
+    /**
+     * Connect and bind to LDAP server
+     */
+    function connect($curpass)
+    {
+        $rcmail = rcmail::get_instance();
+
+        $this->debug = $rcmail->config->get('ldap_debug');
+        $ldap_host   = $rcmail->config->get('password_ldap_host', 'localhost');
+        $ldap_port   = $rcmail->config->get('password_ldap_port', '389');

        $this->_debug("C: Connect to $ldap_host:$ldap_port");

@ -70,9 +150,6 @@ class rcube_ldap_simple_password
            }
        }

-        // include 'ldap' driver, we share some static methods with it
-        require_once INSTALL_PATH . 'plugins/password/drivers/ldap.php';
-
        // other plugins might want to modify user DN
        $plugin = $rcmail->plugins->exec_hook('password_ldap_bind', array(
            'user_dn' => '', 'conn' => $ds));
@ -106,30 +183,6 @@ class rcube_ldap_simple_password
            break;
        }

-        $lchattr      = $rcmail->config->get('password_ldap_lchattr');
-        $pwattr       = $rcmail->config->get('password_ldap_pwattr', 'userPassword');
-        $smbpwattr    = $rcmail->config->get('password_ldap_samba_pwattr');
-        $smblchattr   = $rcmail->config->get('password_ldap_samba_lchattr');
-        $samba        = $rcmail->config->get('password_ldap_samba');
-        $pass_mode    = $rcmail->config->get('password_ldap_encodage', 'crypt');
-        $crypted_pass = password::hash_password($passwd, $pass_mode);
-
-        // Support password_ldap_samba option for backward compat.
-        if ($samba && !$smbpwattr) {
-            $smbpwattr  = 'sambaNTPassword';
-            $smblchattr = 'sambaPwdLastSet';
-        }
-
-        // Crypt new password
-        if (!$crypted_pass) {
-            return PASSWORD_CRYPT_ERROR;
-        }
-
-        // Crypt new Samba password
-        if ($smbpwattr && !($samba_pass = password::hash_password($passwd, 'samba'))) {
-            return PASSWORD_CRYPT_ERROR;
-        }
-
        $this->_debug("C: Bind $binddn, pass: **** [" . strlen($bindpw) . "]");

        // Bind
@ -143,45 +196,10 @@ class rcube_ldap_simple_password

        $this->_debug("S: OK");

-        $entry[$pwattr] = $crypted_pass;
-
-        // Update PasswordLastChange Attribute if desired
-        if ($lchattr) {
-            $entry[$lchattr] = (int)(time() / 86400);
-        }
-
-        // Update Samba password
-        if ($smbpwattr) {
-            $entry[$smbpwattr] = $samba_pass;
-        }
+        $this->conn = $ds;
+        $this->user = $user_dn;

-        // Update Samba password last change
-        if ($smblchattr) {
-            $entry[$smblchattr] = time();
-        }
-
-        $this->_debug("C: Modify $user_dn: " . print_r($entry, true));
-
-        if (!ldap_modify($ds, $user_dn, $entry)) {
-            $this->_debug("S: ".ldap_error($ds));
-
-            $errno = ldap_errno($ds);
-
-            ldap_unbind($ds);
-
-            if ($errno == 0x13) {   // LDAP_CONSTRAINT_VIOLATION
-                return PASSWORD_CONSTRAINT_VIOLATION;
-            }
-
-            return PASSWORD_CONNECT_ERROR;
-        }
-
-        $this->_debug("S: OK");
-
-        // All done, no error
-        ldap_unbind($ds);
-
-        return PASSWORD_SUCCESS;
+        return true;
    }

    /**
@ -233,6 +251,34 @@ class rcube_ldap_simple_password
        return ldap_get_dn($ds, ldap_first_entry($ds, $sr));
    }

+    /**
+     * Substitute %login, %name, %domain, %dc in $str
+     * See plugin config for details
+     */
+    public static function substitute_vars($str)
+    {
+        $str = str_replace('%login', $_SESSION['username'], $str);
+        $str = str_replace('%l', $_SESSION['username'], $str);
+
+        $parts = explode('@', $_SESSION['username']);
+
+        if (count($parts) == 2) {
+            $dc = 'dc='.strtr($parts[1], array('.' => ',dc=')); // hierarchal domain string
+
+            $str = str_replace('%name', $parts[0], $str);
+            $str = str_replace('%n', $parts[0], $str);
+            $str = str_replace('%dc', $dc, $str);
+            $str = str_replace('%domain', $parts[1], $str);
+            $str = str_replace('%d', $parts[1], $str);
+        }
+        else if ( count($parts) == 1) {
+            $str = str_replace('%name', $parts[0], $str);
+            $str = str_replace('%n', $parts[0], $str);
+        }
+
+        return $str;
+    }
+
    /**
     * Prints debug info to the log
     */