Fix: S'il n'y a pas de lastpwd défini il ne faut pas faire de test dessus.

Fix: Si on ne renseigne pas de compte admin, on se contente d'un test de connexion simple
Fix: On supprime le code ancien qui crée pb.
This commit is contained in:
Laurent Destailleur 2008-01-25 22:13:25 +00:00
parent 7c5f1c1b66
commit 02c9a57be4
5 changed files with 125 additions and 103 deletions


@ -41,8 +41,6 @@ function check_user_password_ldap($usertotest,$passwordtotest)
global $dolibarr_main_auth_ldap_admin_login,$dolibarr_main_auth_ldap_admin_pass;
global $dolibarr_main_auth_ldap_debug;
dolibarr_syslog("functions_ldap::check_user_password_ldap usertotest=".$usertotest);
if (! function_exists("ldap_connect"))
{
dolibarr_syslog("functions_ldap::check_user_password_ldap Authentification ko failed to connect to LDAP. LDAP functions are disabled on this PHP");
@ -73,7 +71,9 @@ function check_user_password_ldap($usertotest,$passwordtotest)
if ($ldapdebug) print "DEBUG: Logging LDAP steps<br>\n";
// Debut code pour compatibilite (prend info depuis config en base)
// Ne plus utiliser. La config LDAP de connexion doit etre dans le fichier conf.php
// Ne plus utiliser.
// La config LDAP de connexion doit etre dans le fichier conf.php
/*
if (! $ldapuserattr && $conf->ldap->enabled)
{
if ($conf->global->LDAP_SERVER_TYPE == "activedirectory")
@ -92,7 +92,10 @@ function check_user_password_ldap($usertotest,$passwordtotest)
if (! $ldapdn) $ldapdn=$conf->global->LDAP_SERVER_DN;
if (! $ldapadminlogin) $ldapadminlogin=$conf->global->LDAP_ADMIN_DN;
if (! $ldapadminpass) $ldapadminpass=$conf->global->LDAP_ADMIN_PASS;
*/
// Fin code pour compatiblite
dolibarr_syslog("functions_ldap::check_user_password_ldap usertotest=".$usertotest." admin_login=".$ldapadminlogin);
require_once(DOL_DOCUMENT_ROOT."/lib/ldap.class.php");
$ldap=new Ldap();
@ -103,36 +106,45 @@ function check_user_password_ldap($usertotest,$passwordtotest)
$ldap->searchUser=$ldapadminlogin;
$ldap->searchPassword=$ldapadminpass;
if ($ldapdebug) dolibarr_syslog("Authentification LDAP --> Server:".join(',',$ldap->server).", Port:".$ldap->serverPort.", Protocol:".$ldap->ldapProtocolVersion.", Type:".$ldap->serverType.", Admin:".$ldap->searchUser.", Pass:".$ldap->searchPassword);
if ($ldapdebug) dolibarr_syslog("functions_ldap::check_user_password_ldap Server:".join(',',$ldap->server).", Port:".$ldap->serverPort.", Protocol:".$ldap->ldapProtocolVersion.", Type:".$ldap->serverType.", Admin:".$ldap->searchUser.", Pass:".$ldap->searchPassword);
// Code to get user in LDAP (may differ from Dolibarr user)
$result=$ldap->connect_bind();
if ($result)
$resultCheckUserDN=false;
// If admin login provided
// Code to get user in LDAP from an admin connection (may differ from Dolibarr user)
if ($ldapadminlogin)
{
$resultFetchLdapUser = $ldap->fetch($_POST["username"]);
// On stop si le mot de passe ldap doit etre modifie sur le domaine
if ($resultFetchLdapUser == 1 && $ldap->pwdlastset == 0)
$result=$ldap->connect_bind();
if ($result)
{
dolibarr_syslog('functions_ldap::User '.$login.' must change password next logon');
if ($ldapdebug) print "DEBUG: User ".$login." must change password<br>\n";
$ldap->close();
sleep(1);
$langs->load('ldap');
$_SESSION["dol_loginmesg"]=$langs->trans("YouMustChangePassNextLogon",$ldap->domainFQDN);
return $login;
}
else
{
$resultCheckUserDN = $ldap->checkPass($usertotest,$passwordtotest);
$resultFetchLdapUser = $ldap->fetch($_POST["username"]);
// On stop si le mot de passe ldap doit etre modifie sur le domaine
if ($resultFetchLdapUser == 1 && $ldap->pwdlastset == 0)
{
dolibarr_syslog('functions_ldap::check_user_password_ldap '.$_POST["username"].' must change password next logon');
if ($ldapdebug) print "DEBUG: User ".$_POST["username"]." must change password<br>\n";
$ldap->close();
sleep(1);
$langs->load('ldap');
$_SESSION["dol_loginmesg"]=$langs->trans("YouMustChangePassNextLogon",$_POST["username"],$ldap->domainFQDN);
return '';
}
else
{
$resultCheckUserDN = $ldap->checkPass($usertotest,$passwordtotest);
}
}
$ldap->close();
}
$ldap->close();
$ldap->searchUser=$usertotest;
if ($resultCheckUserDN) $ldap->searchUser = $ldap->ldapUserDN;
// Forge LDAP user and password to test from config setup
$ldap->searchUser=$ldapuserattr."=".$usertotest.",".$ldapdn;
$ldap->searchPassword=$passwordtotest;
$result=$ldap->connect_bind(); // Test with this->seachUser and this->searchPassword
if ($resultCheckUserDN) $ldap->searchUser = $ldap->ldapUserDN;
// Test with this->seachUser and this->searchPassword
$result=$ldap->connect_bind();
if ($result > 0)
{
if ($result == 2)
@ -172,7 +184,7 @@ function check_user_password_ldap($usertotest,$passwordtotest)
}
if ($result == 1)
{
dolibarr_syslog("functions_ldap::check_user_password_ldap Authentification ko bad user/password pour '".$_POST["username"]."'");
dolibarr_syslog("functions_ldap::check_user_password_ldap Authentification ko bad user/password for '".$_POST["username"]."'");
sleep(1);
$langs->load('main');
$langs->load('other');
@ -181,7 +193,7 @@ function check_user_password_ldap($usertotest,$passwordtotest)
}
else
{
dolibarr_syslog("functions_ldap::check_user_password_ldap Authentification ko failed to connect to LDAP pour '".$_POST["username"]."'");
dolibarr_syslog("functions_ldap::check_user_password_ldap Authentification ko failed to connect to LDAP for '".$_POST["username"]."'");
sleep(1);
$langs->load('main');
$langs->load('other');
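Review bot: In the new admin-lookup branch, `$ldap->fetch($_POST["username"])` passes the raw POST value into fetch(), whose search filter in ldap.class.php is built by plain concatenation (`'('.$this->filter.'('.$userIdentifier.'='.$user.'))'`), so LDAP filter metacharacters in the submitted login change the search; the bind DN forged just below, `$ldapuserattr."=".$usertotest.",".$ldapdn`, concatenates the login into a DN the same way. Escape the value before both uses — `ldap_escape($usertotest, '', LDAP_ESCAPE_FILTER)` for the filter and `LDAP_ESCAPE_DN` for the DN on PHP 5.6+, or on older PHP reject a login containing `*`, `(`, `)`, `\`, `,` or NUL before any LDAP call — and use `$usertotest` consistently rather than mixing it with `$_POST["username"]` (the same applies inside fetch() in ldap.class.php, which this commit also rewrites). Separately, the rewritten debug line `dolibarr_syslog("functions_ldap::check_user_password_ldap Server:"... ", Pass:".$ldap->searchPassword)` writes the admin bind password to syslog whenever $ldapdebug is on; drop the `Pass:` fragment or log only whether a password is set. check_user_password_ldap starts before the first hunk and continues past the last one.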


@ -1,6 +1,6 @@
# Dolibarr language file - en_US - ldap
DomainPassword=Password for domain
YouMustChangePassNextLogon=You must change your password on the domain %s
YouMustChangePassNextLogon=Password for user <b>%s</b> on the domain <b>%s</b> must be changed.
UserMustChangePassNextLogon=User must change password on the domain %s
LdapUacf_NORMAL_ACCOUNT=User account
LdapUacf_DONT_EXPIRE_PASSWORD=Password never expires


@ -1,6 +1,6 @@
# Dolibarr language file - fr_FR - ldap
DomainPassword=Mot de passe du domaine
YouMustChangePassNextLogon=Vous devez modifier votre mot de passe sur le domaine %s
YouMustChangePassNextLogon=Le mot de passe de <b>%s</b> sur le domaine <b>%s</b> doit etre modifié.
UserMustChangePassNextLogon=L'utilisateur doit modifier son mot de passe sur le domaine %s
LdapUacf_NORMAL_ACCOUNT=Compte utilisateur
LdapUacf_DONT_EXPIRE_PASSWORD=Le mot de passe n'expire jamais


@ -435,9 +435,12 @@ class Ldap
/**
* Checks a username and password - does this by logging on to the
* server as a user - specified in the DN. There are several reasons why
* this login could fail - these are listed below.
* \brief Checks a username and password - does this by logging on to the
* server as a user - specified in the DN. There are several reasons why
* this login could fail - these are listed below.
* \return uname Username to check
* \return pass Password to check
* \return boolean true=check pass ok, falses=check pass failed
*/
function checkPass($uname,$pass)
{
@ -450,7 +453,7 @@ class Ldap
$domain = eregi_replace(',','.',$domain);
$checkDn = "$uname@$domain";
} else {
$checkDn = $this->getUserIdentifier() . "=$uname, " . $this->setDn(true);
$checkDn = $this->getUserIdentifier()."=".$uname.", ".$this->setDn(true);
}
// Try and connect...
$this->result = @ldap_bind( $this->connection,$checkDn,$pass);
@ -864,81 +867,90 @@ class Ldap
/**
* \brief Récupère les attributs de l'utilisateur
* \param $user Utilisateur ldap à lire
* \brief Récupère les attributs de l'utilisateur
* \param $user Utilisateur ldap à lire
* \return int >0 if ok, <0 if ko
*/
function fetch($user)
{
// Perform the search and get the entry handles
{
// Perform the search and get the entry handles
// if the directory is AD, then bind first with the search user first
if ($this->serverType == "activedirectory") {
$this->bindauth($this->searchUser, $this->searchPassword);
}
$userIdentifier = $this->getUserIdentifier();
// if the directory is AD, then bind first with the search user first
if ($this->serverType == "activedirectory") {
$this->bindauth($this->searchUser, $this->searchPassword);
}
$userIdentifier = $this->getUserIdentifier();
$filter = '('.$this->filter.'('.$userIdentifier.'='.$user.'))';
$i = 0;
$searchDN = $this->people;
$result = '';
while ($i <= 2)
{
$this->result = @ldap_search($this->connection, $searchDN, $filter);
if ($this->result)
{
$result = @ldap_get_entries( $this->connection, $this->result);
}
else
{
$this->error = ldap_errno($this->connection)." ".ldap_error($this->connection);
return -1;
}
if (!$result)
{
// Si pas de résultat on cherche dans le domaine
$searchDN = $this->domain;
$i++;
}
else
{
$i++;
$i++;
}
}
$filter = '('.$this->filter.'('.$userIdentifier.'='.$user.'))';
$i = 0;
$searchDN = $this->people;
$result = '';
while ($i <= 2)
{
$this->result = @ldap_search($this->connection, $searchDN, $filter);
if ($this->result)
{
$result = @ldap_get_entries($this->connection, $this->result);
//var_dump($result);
}
else
{
$this->error = ldap_errno($this->connection)." ".ldap_error($this->connection);
return -1;
}
if (!$result)
{
// Si pas de résultat on cherche dans le domaine
$searchDN = $this->domain;
$i++;
}
else
{
$i++;
$i++;
}
}
if (! $result)
{
$this->error = ldap_errno($this->connection)." ".ldap_error($this->connection);
return -1;
}
else
{
$this->name = $this->ldap_utf8_decode($result[0][$this->attr_name][0]);
$this->firstname = $this->ldap_utf8_decode($result[0][$this->attr_firstname][0]);
$this->login = $this->ldap_utf8_decode($result[0][$userIdentifier][0]);
$this->phone = $this->ldap_utf8_decode($result[0][$this->attr_phone][0]);
$this->fax = $this->ldap_utf8_decode($result[0][$this->attr_fax][0]);
$this->mail = $this->ldap_utf8_decode($result[0][$this->attr_mail][0]);
$this->mobile = $this->ldap_utf8_decode($result[0][$this->attr_mobile][0]);
if (! $result)
{
$this->error = ldap_errno($this->connection)." ".ldap_error($this->connection);
return -1;
}
else
{
$this->name = $this->ldap_utf8_decode($result[0][$this->attr_name][0]);
$this->firstname = $this->ldap_utf8_decode($result[0][$this->attr_firstname][0]);
$this->login = $this->ldap_utf8_decode($result[0][$userIdentifier][0]);
$this->phone = $this->ldap_utf8_decode($result[0][$this->attr_phone][0]);
$this->fax = $this->ldap_utf8_decode($result[0][$this->attr_fax][0]);
$this->mail = $this->ldap_utf8_decode($result[0][$this->attr_mail][0]);
$this->mobile = $this->ldap_utf8_decode($result[0][$this->attr_mobile][0]);
$this->uacf = $this->parseUACF($this->ldap_utf8_decode($result[0]["useraccountcontrol"][0]));
$this->pwdlastset = ($result[0]["pwdlastset"][0] != 0)?$this->convert_time($this->ldap_utf8_decode($result[0]["pwdlastset"][0])):0;
if (!$this->name && !$this->login) $this->pwdlastset = -1;
$this->badpwdtime = $this->convert_time($this->ldap_utf8_decode($result[0]["badpasswordtime"][0]));
// FQDN domain
$domain = eregi_replace('dc=','',$this->domain);
$domain = eregi_replace(',','.',$domain);
$this->domainFQDN = $domain;
$this->uacf = $this->parseUACF($this->ldap_utf8_decode($result[0]["useraccountcontrol"][0]));
if (isset($result[0]["pwdlastset"][0])) // If expiration on password exists
{
$this->pwdlastset = ($result[0]["pwdlastset"][0] != 0)?$this->convert_time($this->ldap_utf8_decode($result[0]["pwdlastset"][0])):0;
}
else
{
$this->pwdlastset = -1;
}
if (!$this->name && !$this->login) $this->pwdlastset = -1;
$this->badpwdtime = $this->convert_time($this->ldap_utf8_decode($result[0]["badpasswordtime"][0]));
// FQDN domain
$domain = eregi_replace('dc=','',$this->domain);
$domain = eregi_replace(',','.',$domain);
$this->domainFQDN = $domain;
ldap_free_result($this->result);
return 1;
}
ldap_free_result($this->result);
return 1;
}
}
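Review bot: The `isset()` guard the rewrite adds around `$result[0]["pwdlastset"][0]` is not applied to the two neighbouring reads, `$result[0]["useraccountcontrol"][0]` and `$result[0]["badpasswordtime"][0]`, so an entry from a directory that lacks those attributes still raises undefined-index notices and feeds null into parseUACF()/convert_time(); guard them the same way, e.g. `$this->badpwdtime = isset($result[0]["badpasswordtime"][0]) ? $this->convert_time($this->ldap_utf8_decode($result[0]["badpasswordtime"][0])) : 0;` (0 is a guess — I cannot see what callers of badpwdtime expect). The doc comment above fetch() should also state the pwdlastset contract the caller now depends on: -1 when the attribute is absent or the entry has neither name nor login, 0 when the directory flags the password as must-change, otherwise the converted timestamp. The `@` on `ldap_search`/`ldap_get_entries` hides the reason for a failed search; `$this->error` is only filled from ldap_errno() afterwards, which is fine, but a comment saying so would stop the next reader from removing the suppression.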


@ -202,8 +202,6 @@ print '<tr><td width="25%" valign="top">'.$langs->trans("Firstname").'</td>';
print '<td colspan="2">'.$fuser->prenom.'</td>';
print "</tr>\n";
print info_admin($langs->trans("WarningOnlyPermissionOfActivatedModules"));
print '</table><br>';
print info_admin($langs->trans("WarningOnlyPermissionOfActivatedModules"));