forked from extern/egroupware
* Univention: fix not working password change (setting Kerberos credentials)
This commit is contained in:
parent
a0dd857792
commit
d432ef7f84
@ -255,4 +255,92 @@ class Univention extends Ldap
|
|||||||
//return true;
|
//return true;
|
||||||
return file_exists(self::DIRECTORY_MANAGER_BIN) && is_executable(self::DIRECTORY_MANAGER_BIN);
|
return file_exists(self::DIRECTORY_MANAGER_BIN) && is_executable(self::DIRECTORY_MANAGER_BIN);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* changes password in LDAP
|
||||||
|
*
|
||||||
|
* If $old_passwd is given, the password change is done binded as user and NOT with the
|
||||||
|
* "root" dn given in the configurations.
|
||||||
|
*
|
||||||
|
* @param string $old_passwd must be cleartext or empty to not to be checked
|
||||||
|
* @param string $new_passwd must be cleartext
|
||||||
|
* @param int $account_id account id of user whose passwd should be changed
|
||||||
|
* @param boolean $update_lastchange =true
|
||||||
|
* @return boolean true if password successful changed, false otherwise
|
||||||
|
*/
|
||||||
|
function change_password($old_passwd, $new_passwd, $account_id=0, $update_lastchange=true)
|
||||||
|
{
|
||||||
|
if (!self::available())
|
||||||
|
{
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
if (!$account_id)
|
||||||
|
{
|
||||||
|
$username = $GLOBALS['egw_info']['user']['account_lid'];
|
||||||
|
}
|
||||||
|
else
|
||||||
|
{
|
||||||
|
$username = Api\Translation::convert($GLOBALS['egw']->accounts->id2name($account_id),
|
||||||
|
Api\Translation::charset(),'utf-8');
|
||||||
|
}
|
||||||
|
if ($this->debug) error_log(__METHOD__."('$old_passwd','$new_passwd',$account_id, $update_lastchange) username='$username'");
|
||||||
|
|
||||||
|
$filter = str_replace(array('%user','%domain'),array($username,$GLOBALS['egw_info']['user']['domain']),
|
||||||
|
$GLOBALS['egw_info']['server']['ldap_search_filter'] ? $GLOBALS['egw_info']['server']['ldap_search_filter'] : '(uid=%user)');
|
||||||
|
|
||||||
|
$ds = $ds_admin = Api\Ldap::factory();
|
||||||
|
$sri = ldap_search($ds, $GLOBALS['egw_info']['server']['ldap_context'], $filter);
|
||||||
|
$allValues = ldap_get_entries($ds, $sri);
|
||||||
|
|
||||||
|
if ($update_lastchange)
|
||||||
|
{
|
||||||
|
// ToDo: $entry['shadowlastchange'] = round((time()-date('Z')) / (24*3600));
|
||||||
|
}
|
||||||
|
|
||||||
|
$dn = $allValues[0]['dn'];
|
||||||
|
|
||||||
|
if($old_passwd) // if old password given (not called by admin) --> bind as that user to change the pw
|
||||||
|
{
|
||||||
|
try {
|
||||||
|
$ds = Api\Ldap::factory(true, '', $dn, $old_passwd);
|
||||||
|
}
|
||||||
|
catch (Api\Exception\NoPermission $e) {
|
||||||
|
unset($e);
|
||||||
|
return false; // wrong old user password
|
||||||
|
}
|
||||||
|
}
|
||||||
|
$ssh = null;//'/usr/bin/ssh -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" -i /var/lib/egroupware/id_rsa root@10.44.22.194';
|
||||||
|
$config = $this->frontend->config && $this->frontend->config['ldap_context'] ?
|
||||||
|
$this->frontend->config : $GLOBALS['egw_info']['server'];
|
||||||
|
|
||||||
|
$params = array(
|
||||||
|
'users/user','modify',
|
||||||
|
'--binddn', $config['ldap_root_dn'],
|
||||||
|
'--bindpwd', 5=>$config['ldap_root_pw'],
|
||||||
|
'--dn', $dn,
|
||||||
|
'--set', 'password='.$new_passwd,
|
||||||
|
);
|
||||||
|
if ($old_passwd)
|
||||||
|
{
|
||||||
|
$params[] = '--set';
|
||||||
|
$params[] = 'pwdChangeNextLogin=0';
|
||||||
|
}
|
||||||
|
$cmd = self::DIRECTORY_MANAGER_BIN.' '.implode(' ', array_map('escapeshellarg', $params));
|
||||||
|
if (isset($ssh)) $cmd = $ssh.' bash -c "\\"'.$cmd.'\\""';
|
||||||
|
$output_arr = $ret = $matches = null;
|
||||||
|
exec($cmd, $output_arr, $ret);
|
||||||
|
$output = implode("\n", $output_arr);
|
||||||
|
if ($ret || !preg_match('/^Object modified: ((uid|cn)=.*)$/mui', $output, $matches))
|
||||||
|
{
|
||||||
|
$params[5] = '********'; // mask out password!
|
||||||
|
$cmd = self::DIRECTORY_MANAGER_BIN.' '.implode(' ', array_map('escapeshellarg', $params));
|
||||||
|
throw new Api\Exception\WrongUserinput($cmd."\nreturned\n".$output);
|
||||||
|
}
|
||||||
|
if($old_passwd) // if old password given (not called by admin) update the password in the session
|
||||||
|
{
|
||||||
|
// using time() is sufficient to represent the current time, we do not need the timestamp written to the storage
|
||||||
|
Api\Cache::setSession('phpgwapi','auth_alpwchange_val',time());
|
||||||
|
}
|
||||||
|
return $new_passwd;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
43
api/src/Auth/Univention.php
Normal file
43
api/src/Auth/Univention.php
Normal file
@ -0,0 +1,43 @@
|
|||||||
|
<?php
|
||||||
|
/**
|
||||||
|
* API - Auth Univention LDAP backend
|
||||||
|
*
|
||||||
|
* @link http://www.egroupware.org
|
||||||
|
* @author Ralf Becker <rb@stylite.de>
|
||||||
|
*
|
||||||
|
* @license http://opensource.org/licenses/gpl-license.php GPL - GNU General Public License
|
||||||
|
* @package api
|
||||||
|
* @subpackage auth
|
||||||
|
*/
|
||||||
|
|
||||||
|
namespace EGroupware\Api\Auth;
|
||||||
|
|
||||||
|
use EGroupware\Api;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Univention LDAP Backend for auth
|
||||||
|
*
|
||||||
|
* This backend is mostly identical to LDAP backend and need to be configured in the same way.
|
||||||
|
*
|
||||||
|
* Only difference is that passwords are changed via univention-directory-manager CLI program,
|
||||||
|
* to generate necesary hashes and Kerberos stuff.
|
||||||
|
*/
|
||||||
|
class Univention extends Ldap
|
||||||
|
{
|
||||||
|
/**
|
||||||
|
* changes password in LDAP
|
||||||
|
*
|
||||||
|
* If $old_passwd is given, the password change is done binded as user and NOT with the
|
||||||
|
* "root" dn given in the configurations.
|
||||||
|
*
|
||||||
|
* @param string $old_passwd must be cleartext or empty to not to be checked
|
||||||
|
* @param string $new_passwd must be cleartext
|
||||||
|
* @param int $account_id account id of user whose passwd should be changed
|
||||||
|
* @param boolean $update_lastchange =true
|
||||||
|
* @return boolean true if password successful changed, false otherwise
|
||||||
|
*/
|
||||||
|
function change_password($old_passwd, $new_passwd, $account_id=0, $update_lastchange=true)
|
||||||
|
{
|
||||||
|
return Api\Accounts::getInstance()->backend->change_password($old_passwd, $new_passwd, $account_id, $update_lastchange);
|
||||||
|
}
|
||||||
|
}
|
@ -167,7 +167,6 @@ else // do the migration
|
|||||||
if ($_POST['migrate'])
|
if ($_POST['migrate'])
|
||||||
{
|
{
|
||||||
Api\Config::save_value('account_repository', $GLOBALS['egw_info']['server']['account_repository']=$to, 'phpgwapi');
|
Api\Config::save_value('account_repository', $GLOBALS['egw_info']['server']['account_repository']=$to, 'phpgwapi');
|
||||||
if ($to == 'univention') $to = 'ldap'; // there is no auth type "univention", just "ldap"
|
|
||||||
if (empty($GLOBALS['egw_info']['server']['auth_type']) || $GLOBALS['egw_info']['server']['auth_type'] == $from)
|
if (empty($GLOBALS['egw_info']['server']['auth_type']) || $GLOBALS['egw_info']['server']['auth_type'] == $from)
|
||||||
{
|
{
|
||||||
Api\Config::save_value('auth_type', $GLOBALS['egw_info']['server']['auth_type']=$to, 'phpgwapi');
|
Api\Config::save_value('auth_type', $GLOBALS['egw_info']['server']['auth_type']=$to, 'phpgwapi');
|
||||||
|
Loading…
Reference in New Issue
Block a user