diff --git a/CHANGELOG b/CHANGELOG index ba57d042c..41e6888d1 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,6 +1,7 @@ CHANGELOG Roundcube Webmail =========================== +- Password: Added ldap_exop driver (#4992) - Elastic: Changed read/unread icons (#6636) - Elastic: Changed "Move to..." icon (#6637) - Elastic: Add hide/show for advanced preferences (#6632) diff --git a/plugins/password/README b/plugins/password/README index 476abb082..50f97995e 100644 --- a/plugins/password/README +++ b/plugins/password/README @@ -48,6 +48,7 @@ 2.1.20. Plesk (Plesk RPC-API) 2.1.21. Kpasswd 2.1.22. Modoboa + 2.1.23. LDAP - Password Modify Extended Operation (ldap_exop) 2.2. Password Strength Drivers 2.2.1. Zxcvbn 3. Driver API @@ -377,6 +378,14 @@ See config.inc.php.dist file for configuration description. + 2.1.23. LDAP - Password Modify Extended Operation (ldap_exop) + ------------------------------------------------------------- + + Modified version of ldap_simple. + Password is changed using ldap_exop_passwd operation. + PHP >= 7.2 required. + + 2.2. Password Strength Drivers ------------------------------ diff --git a/plugins/password/config.inc.php.dist b/plugins/password/config.inc.php.dist index 6aee86029..aaa497f33 100644 --- a/plugins/password/config.inc.php.dist +++ b/plugins/password/config.inc.php.dist @@ -172,7 +172,7 @@ $config['password_pop_port'] = 106; $config['password_saslpasswd_args'] = ''; -// LDAP and LDAP_SIMPLE Driver options +// LDAP, LDAP_SIMPLE and LDAP_EXOP Driver options // ----------------------------------- // LDAP server name to connect to. // You can provide one or several hosts in an array in which case the hosts are tried from left to right. diff --git a/plugins/password/drivers/ldap.php b/plugins/password/drivers/ldap.php index cf0a7f541..65fe965a3 100644 --- a/plugins/password/drivers/ldap.php +++ b/plugins/password/drivers/ldap.php @@ -34,10 +34,11 @@ class rcube_ldap_password { $rcmail = rcmail::get_instance(); require_once 'Net/LDAP2.php'; + require_once __DIR__ . '/ldap_simple.php'; // Building user DN if ($userDN = $rcmail->config->get('password_ldap_userDN_mask')) { - $userDN = self::substitute_vars($userDN); + $userDN = rcube_ldap_simple_password::substitute_vars($userDN); } else { $userDN = $this->search_userdn($rcmail); @@ -179,8 +180,8 @@ class rcube_ldap_password return ''; } - $base = self::substitute_vars($rcmail->config->get('password_ldap_search_base')); - $filter = self::substitute_vars($rcmail->config->get('password_ldap_search_filter')); + $base = rcube_ldap_simple_password::substitute_vars($rcmail->config->get('password_ldap_search_base')); + $filter = rcube_ldap_simple_password::substitute_vars($rcmail->config->get('password_ldap_search_filter')); $options = array ( 'scope' => 'sub', 'attributes' => array(), @@ -196,31 +197,4 @@ class rcube_ldap_password return $userDN; } - - /** - * Substitute %login, %name, %domain, %dc in $str - * See plugin config for details - */ - static function substitute_vars($str) - { - $str = str_replace('%login', $_SESSION['username'], $str); - $str = str_replace('%l', $_SESSION['username'], $str); - - $parts = explode('@', $_SESSION['username']); - - if (count($parts) == 2) { - $dc = 'dc='.strtr($parts[1], array('.' => ',dc=')); // hierarchal domain string - - $str = str_replace('%name', $parts[0], $str); - $str = str_replace('%n', $parts[0], $str); - $str = str_replace('%dc', $dc, $str); - $str = str_replace('%domain', $parts[1], $str); - $str = str_replace('%d', $parts[1], $str); - } else if ( count($parts) == 1) { - $str = str_replace('%name', $parts[0], $str); - $str = str_replace('%n', $parts[0], $str); - } - - return $str; - } } diff --git a/plugins/password/drivers/ldap_exop.php b/plugins/password/drivers/ldap_exop.php new file mode 100644 index 000000000..a034c95c1 --- /dev/null +++ b/plugins/password/drivers/ldap_exop.php @@ -0,0 +1,76 @@ += 7.2 required + * + * @version 1.0 + * @author Peter Kubica + * + * Copyright (C) 2005-2019, The Roundcube Dev Team + * + * This program is free software: you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program. If not, see http://www.gnu.org/licenses/. + */ + +require_once __DIR__ . '/ldap_simple.php'; + +class rcube_ldap_exop_password extends rcube_ldap_simple_password +{ + private $debug = false; + + function save($curpass, $passwd) + { + if (!function_exists('ldap_exop_passwd')) { + rcube::raise_error(array( + 'code' => 100, 'type' => 'ldap', + 'file' => __FILE__, 'line' => __LINE__, + 'message' => "ldap_exop_passwd not supported" + ), + true); + + return PASSWORD_ERROR; + } + + // Connect and bind + $ret = $this->connect($curpass); + if ($ret !== true) { + return $ret; + } + + if (!ldap_exop_passwd($this->conn, $this->user, $curpass, $passwd)) { + $this->_debug("S: ".ldap_error($this->conn)); + + $errno = ldap_errno($this->conn); + + ldap_unbind($this->conn); + + if ($errno == 0x13) { + return PASSWORD_CONSTRAINT_VIOLATION; + } + + return PASSWORD_CONNECT_ERROR; + } + + $this->_debug("S: OK"); + + // All done, no error + ldap_unbind($this->conn); + + return PASSWORD_SUCCESS; + } +} diff --git a/plugins/password/drivers/ldap_simple.php b/plugins/password/drivers/ldap_simple.php index 800b4e91a..8e422543b 100644 --- a/plugins/password/drivers/ldap_simple.php +++ b/plugins/password/drivers/ldap_simple.php @@ -7,7 +7,7 @@ * This driver is based on Edouard's LDAP Password Driver, but does not * require PEAR's Net_LDAP2 to be installed * - * @version 2.0 + * @version 2.1 * @author Wout Decre * @author Aleksander Machniak * @@ -30,15 +30,95 @@ class rcube_ldap_simple_password { private $debug = false; + private $user; + private $conn; - function save($curpass, $passwd) + + public function save($curpass, $passwd) { $rcmail = rcmail::get_instance(); - $this->debug = $rcmail->config->get('ldap_debug'); + $lchattr = $rcmail->config->get('password_ldap_lchattr'); + $pwattr = $rcmail->config->get('password_ldap_pwattr', 'userPassword'); + $smbpwattr = $rcmail->config->get('password_ldap_samba_pwattr'); + $smblchattr = $rcmail->config->get('password_ldap_samba_lchattr'); + $samba = $rcmail->config->get('password_ldap_samba'); + $pass_mode = $rcmail->config->get('password_ldap_encodage', 'crypt'); + $crypted_pass = password::hash_password($passwd, $pass_mode); - $ldap_host = $rcmail->config->get('password_ldap_host', 'localhost'); - $ldap_port = $rcmail->config->get('password_ldap_port', '389'); + // Support password_ldap_samba option for backward compat. + if ($samba && !$smbpwattr) { + $smbpwattr = 'sambaNTPassword'; + $smblchattr = 'sambaPwdLastSet'; + } + + // Crypt new password + if (!$crypted_pass) { + return PASSWORD_CRYPT_ERROR; + } + + // Crypt new Samba password + if ($smbpwattr && !($samba_pass = password::hash_password($passwd, 'samba'))) { + return PASSWORD_CRYPT_ERROR; + } + + // Connect and bind + $ret = $this->connect($curpass); + if ($ret !== true) { + return $ret; + } + + $entry[$pwattr] = $crypted_pass; + + // Update PasswordLastChange Attribute if desired + if ($lchattr) { + $entry[$lchattr] = (int)(time() / 86400); + } + + // Update Samba password + if ($smbpwattr) { + $entry[$smbpwattr] = $samba_pass; + } + + // Update Samba password last change + if ($smblchattr) { + $entry[$smblchattr] = time(); + } + + $this->_debug("C: Modify $user_dn: " . print_r($entry, true)); + + if (!ldap_modify($this->conn, $this->user, $entry)) { + $this->_debug("S: ".ldap_error($this->conn)); + + $errno = ldap_errno($this->conn); + + ldap_unbind($this->conn); + + if ($errno == 0x13) { + return PASSWORD_CONSTRAINT_VIOLATION; + } + + return PASSWORD_CONNECT_ERROR; + } + + $this->_debug("S: OK"); + + // All done, no error + ldap_unbind($this->conn); + + return PASSWORD_SUCCESS; + } + + /** + * Connect and bind to LDAP server + */ + function connect($curpass) + { + $rcmail = rcmail::get_instance(); + + $this->debug = $rcmail->config->get('ldap_debug'); + $ldap_host = $rcmail->config->get('password_ldap_host', 'localhost'); + $ldap_port = $rcmail->config->get('password_ldap_port', '389'); $this->_debug("C: Connect to $ldap_host:$ldap_port"); @@ -70,9 +150,6 @@ class rcube_ldap_simple_password } } - // include 'ldap' driver, we share some static methods with it - require_once INSTALL_PATH . 'plugins/password/drivers/ldap.php'; - // other plugins might want to modify user DN $plugin = $rcmail->plugins->exec_hook('password_ldap_bind', array( 'user_dn' => '', 'conn' => $ds)); @@ -106,30 +183,6 @@ class rcube_ldap_simple_password break; } - $lchattr = $rcmail->config->get('password_ldap_lchattr'); - $pwattr = $rcmail->config->get('password_ldap_pwattr', 'userPassword'); - $smbpwattr = $rcmail->config->get('password_ldap_samba_pwattr'); - $smblchattr = $rcmail->config->get('password_ldap_samba_lchattr'); - $samba = $rcmail->config->get('password_ldap_samba'); - $pass_mode = $rcmail->config->get('password_ldap_encodage', 'crypt'); - $crypted_pass = password::hash_password($passwd, $pass_mode); - - // Support password_ldap_samba option for backward compat. - if ($samba && !$smbpwattr) { - $smbpwattr = 'sambaNTPassword'; - $smblchattr = 'sambaPwdLastSet'; - } - - // Crypt new password - if (!$crypted_pass) { - return PASSWORD_CRYPT_ERROR; - } - - // Crypt new Samba password - if ($smbpwattr && !($samba_pass = password::hash_password($passwd, 'samba'))) { - return PASSWORD_CRYPT_ERROR; - } - $this->_debug("C: Bind $binddn, pass: **** [" . strlen($bindpw) . "]"); // Bind @@ -143,45 +196,10 @@ class rcube_ldap_simple_password $this->_debug("S: OK"); - $entry[$pwattr] = $crypted_pass; - - // Update PasswordLastChange Attribute if desired - if ($lchattr) { - $entry[$lchattr] = (int)(time() / 86400); - } - - // Update Samba password - if ($smbpwattr) { - $entry[$smbpwattr] = $samba_pass; - } + $this->conn = $ds; + $this->user = $user_dn; - // Update Samba password last change - if ($smblchattr) { - $entry[$smblchattr] = time(); - } - - $this->_debug("C: Modify $user_dn: " . print_r($entry, true)); - - if (!ldap_modify($ds, $user_dn, $entry)) { - $this->_debug("S: ".ldap_error($ds)); - - $errno = ldap_errno($ds); - - ldap_unbind($ds); - - if ($errno == 0x13) { // LDAP_CONSTRAINT_VIOLATION - return PASSWORD_CONSTRAINT_VIOLATION; - } - - return PASSWORD_CONNECT_ERROR; - } - - $this->_debug("S: OK"); - - // All done, no error - ldap_unbind($ds); - - return PASSWORD_SUCCESS; + return true; } /** @@ -233,6 +251,34 @@ class rcube_ldap_simple_password return ldap_get_dn($ds, ldap_first_entry($ds, $sr)); } + /** + * Substitute %login, %name, %domain, %dc in $str + * See plugin config for details + */ + public static function substitute_vars($str) + { + $str = str_replace('%login', $_SESSION['username'], $str); + $str = str_replace('%l', $_SESSION['username'], $str); + + $parts = explode('@', $_SESSION['username']); + + if (count($parts) == 2) { + $dc = 'dc='.strtr($parts[1], array('.' => ',dc=')); // hierarchal domain string + + $str = str_replace('%name', $parts[0], $str); + $str = str_replace('%n', $parts[0], $str); + $str = str_replace('%dc', $dc, $str); + $str = str_replace('%domain', $parts[1], $str); + $str = str_replace('%d', $parts[1], $str); + } + else if ( count($parts) == 1) { + $str = str_replace('%name', $parts[0], $str); + $str = str_replace('%n', $parts[0], $str); + } + + return $str; + } + /** * Prints debug info to the log */