From 723bc4d4361e7217f00bc3358bf6beb61b9d9ba0 Mon Sep 17 00:00:00 2001
From: Regis Houssin
Date: Wed, 4 Oct 2017 11:22:41 +0200
Subject: [PATCH] NEW add ldap_rename for avoid password if ldap key changed
---
 htdocs/adherents/class/adherent.class.php | 2 +-
 htdocs/core/class/ldap.class.php | 86 ++++++++++++++++---
 ...interface_50_modLdap_Ldapsynchro.class.php | 8 +-
 htdocs/user/class/user.class.php | 6 +-
 4 files changed, 83 insertions(+), 19 deletions(-)
diff --git a/htdocs/adherents/class/adherent.class.php b/htdocs/adherents/class/adherent.class.php
index ab771df9429..d90b34d884b 100644
--- a/htdocs/adherents/class/adherent.class.php
+++ b/htdocs/adherents/class/adherent.class.php
@@ -2023,7 +2023,7 @@ class Adherent extends CommonObject
 if (! empty($conf->global->LDAP_MEMBER_FIELD_PASSWORD_CRYPTED)) $info[$conf->global->LDAP_MEMBER_FIELD_PASSWORD_CRYPTED] = dol_hash($this->pass, 4); // Create OpenLDAP MD5 password (TODO add type of encryption)
 }
 // Set LDAP password if possible
- else
+ else if ($conf->global->LDAP_SERVER_PROTOCOLVERSION !== '3') // If ldap key is modified and LDAPv3 we use ldap_rename function for avoid lose encrypt password
 {
 if (! empty($conf->global->DATABASE_PWD_ENCRYPTED))
 {
diff --git a/htdocs/core/class/ldap.class.php b/htdocs/core/class/ldap.class.php
index 00630321b26..396bcb5941a 100644
--- a/htdocs/core/class/ldap.class.php
+++ b/htdocs/core/class/ldap.class.php
@@ -402,10 +402,10 @@ class Ldap
 * Add a LDAP entry
 * Ldap object connect and bind must have been done
 *
- * @param string $dn DN entry key
- * @param array $info Attributes array
+ * @param string $dn DN entry key
+ * @param array $info Attributes array
 * @param User $user Objet user that create
- * @return int <0 if KO, >0 if OK
+ * @return int <0 if KO, >0 if OK
 */
 function add($dn, $info, $user)
 {
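Review bot: The new `else if ($conf->global->LDAP_SERVER_PROTOCOLVERSION !== '3')` suppresses the clear-text password branch for every LDAPv3 synchronisation, not only for the DN-change case the commit is about, so if `_load_ldap_info()` also feeds entry creation and same-DN modifications (the trigger's create branch is not in this diff) an LDAPv3 entry gets no password attribute at all whenever LDAP_ENCRYPT_PASSWORD is off. Whether the stored password survives is decided in `Ldap::update()`, which already picks `rename()` versus add/delete, so this branch should stay an unconditional `else` and let `update()` handle preservation; if the gate is kept, a comment should state what is skipped, e.g. `// LDAPv3: password attribute deliberately omitted here; Ldap::update() keeps it across a DN change via ldap_rename`. The strict `!== '3'` also treats an integer or unset setting as "not v3"; `(string) $conf->global->LDAP_SERVER_PROTOCOLVERSION !== '3'` matches how the trigger file reads LDAP_MEMBER_TYPE_ACTIVE. `_load_ldap_info()` starts and ends outside the hunk.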
@@ -458,7 +458,7 @@ class Ldap
 *
 * @param string $dn DN entry key
 * @param array $info Attributes array
- * @param string $user Objet user that modify
+ * @param User $user Objet user that modify
 * @return int <0 if KO, >0 if OK
 */
 function modify($dn, $info, $user)
@@ -504,17 +504,69 @@ class Ldap
 }
 }
+ /**
+ * Rename a LDAP entry
+ * Ldap object connect and bind must have been done
+ *
+ * @param string $dn Old DN entry key (uid=qqq,ou=xxx,dc=aaa,dc=bbb) (before update)
+ * @param string $newrdn New RDN entry key (uid=qqq)
+ * @param string $newparent New parent (ou=xxx,dc=aaa,dc=bbb)
+ * @param bool $deleteoldrdn If TRUE the old RDN value(s) is removed, else the old RDN value(s) is retained as non-distinguished values of the entry.
+ * @param User $user Objet user that modify
+ * @return int <0 if KO, >0 if OK
+ */
+ function rename($dn, $newrdn, $newparent, $deleteoldrdn = true, $user)
+ {
+ global $conf;
+
+ dol_syslog(get_class($this)."::modify dn=".$dn." newrdn=".$newrdn." newparent=".$newparent." deleteoldrdn=".($deleteoldrdn?1:0));
+
+ // Check parameters
+ if (! $this->connection)
+ {
+ $this->error="NotConnected";
+ return -2;
+ }
+ if (! $this->bind)
+ {
+ $this->error="NotConnected";
+ return -3;
+ }
+
+ // Encode to LDAP page code
+ $dn=$this->convFromOutputCharset($dn,$this->ldapcharset);
+ $newrdn=$this->convFromOutputCharset($newrdn,$this->ldapcharset);
+ $newparent=$this->convFromOutputCharset($newparent,$this->ldapcharset);
+
+ //print_r($info);
+ $result=@ldap_rename($this->connection, $dn, $newrdn, $newparent, $deleteoldrdn);
+
+ if ($result)
+ {
+ dol_syslog(get_class($this)."::rename successfull", LOG_DEBUG);
+ return 1;
+ }
+ else
+ {
+ $this->error=@ldap_error($this->connection);
+ dol_syslog(get_class($this)."::rename failed: ".$this->error, LOG_ERR);
+ return -1;
+ }
+ }
+ /**
+ * Modify a LDAP entry (to use if dn != olddn)
+ * Ldap object connect and bind must have been done
+ *
+ * @param string $dn DN entry key
+ * @param array $info Attributes array
+ * @param User $user Objet user that update
- * @param string $dn DN entry key
- * @param array $info Attributes array
- * @param User $user Objet user that update
- * @param string $olddn Old DN entry key (before update)
- * @return int <0 if KO, >0 if OK
+ * @param string $dn DN entry key
+ * @param array $info Attributes array
+ * @param User $user Objet user that update
+ * @param string $olddn Old DN entry key (before update)
+ * @param string $newrdn New RDN entry key (uid=qqq) (for ldap_rename)
+ * @param string $newparent New parent (ou=xxx,dc=aaa,dc=bbb) (for ldap_rename)
+ * @return int <0 if KO, >0 if OK
 */
- function update($dn,$info,$user,$olddn)
+ function update($dn, $info, $user, $olddn, $newrdn=false, $newparent=false)
 {
 global $conf;
@@ -534,9 +586,17 @@ class Ldap
 if (! $olddn || $olddn != $dn)
 {
- // If change we make is rename the key of LDAP record, we create new one and if ok, we delete old one.
- $result = $this->add($dn, $info, $user);
- if ($result > 0 && $olddn && $olddn != $dn) $result = $this->delete($olddn); // If add fails, we do not try to delete old one
+ if (! empty($olddn) && ! empty($newrdn) && ! empty($newparent) && $conf->global->LDAP_SERVER_PROTOCOLVERSION === '3')
+ {
+ // This function currently only works with LDAPv3
+ $result = $this->rename($olddn, $newrdn, $newparent, true, $user);
+ }
+ else
+ {
+ // If change we make is rename the key of LDAP record, we create new one and if ok, we delete old one.
+ $result = $this->add($dn, $info, $user);
+ if ($result > 0 && $olddn && $olddn != $dn) $result = $this->delete($olddn); // If add fails, we do not try to delete old one
+ }
 }
 else
 {
diff --git a/htdocs/core/triggers/interface_50_modLdap_Ldapsynchro.class.php b/htdocs/core/triggers/interface_50_modLdap_Ldapsynchro.class.php
index 3443c1a61b4..1e9c2c2ec31 100644
--- a/htdocs/core/triggers/interface_50_modLdap_Ldapsynchro.class.php
+++ b/htdocs/core/triggers/interface_50_modLdap_Ldapsynchro.class.php
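Review bot: `rename()` places the required `$user` after the optional `$deleteoldrdn = true`, which makes the default unusable and is deprecated in PHP 8, and the body never reads `$user`; `function rename($dn, $newrdn, $newparent, $deleteoldrdn = true, $user = null)` keeps the call in `update()` working and removes the warning. The entry log line is copied from modify() and misreports the operation: `dol_syslog(get_class($this)."::rename dn=".$dn." newrdn=".$newrdn." newparent=".$newparent." deleteoldrdn=".($deleteoldrdn?1:0));`. The docblock should also state that `$newrdn` and `$newparent` must already be DN-escaped, since an unescaped `,` or `+` inside an attribute value changes where the entry is moved; the callers build both from object fields via `_load_ldap_dn()`, whose escaping is not visible here. The stray `//print_r($info);` refers to a variable this function does not have and can be dropped.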
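Review bot: On the new LDAPv3 branch `update()` returns as soon as `rename()` succeeds, so the attribute values in `$info` are never written to the moved entry, while the add()/delete() path it replaces wrote all of them; a login change that also touches cn, mail or member fields leaves those attributes stale in LDAP. Follow a successful rename with a modify of the new DN: `if ($result > 0) $result = $this->modify($dn, $info, $user); // rename only moves the entry; the remaining attribute changes still have to be applied`. The `=== '3'` test is a strict string comparison on a setting whose type is not visible here; an integer 3 would silently fall back to add/delete and lose the password again, so `(string) $conf->global->LDAP_SERVER_PROTOCOLVERSION === '3'` is the safer form, and it must read the setting the same way as the `!== '3'` gates added in user.class.php and adherent.class.php. The rest of `update()` continues outside the hunk.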
@@ -112,8 +112,10 @@ class InterfaceLdapsynchro extends DolibarrTriggers
 $info=$object->_load_ldap_info();
 $dn=$object->_load_ldap_dn($info);
+ $newrdn=$object->_load_ldap_dn($info,2);
+ $newparent=$object->_load_ldap_dn($info,1);
- $result=$ldap->update($dn,$info,$user,$olddn);
+ $result=$ldap->update($dn,$info,$user,$olddn,$newrdn,$newparent);
 }
 if ($result < 0) $this->error="ErrorLDAP ".$ldap->error;
@@ -545,8 +547,10 @@ class InterfaceLdapsynchro extends DolibarrTriggers
 $info=$object->_load_ldap_info();
 $dn=$object->_load_ldap_dn($info);
+ $newrdn=$object->_load_ldap_dn($info,2);
+ $newparent=$object->_load_ldap_dn($info,1);
- $result=$ldap->update($dn,$info,$user,$olddn);
+ $result=$ldap->update($dn,$info,$user,$olddn,$newrdn,$newparent);
 // For member type
 if (! empty($conf->global->LDAP_MEMBER_TYPE_ACTIVE) && (string) $conf->global->LDAP_MEMBER_TYPE_ACTIVE == '1')
diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php
index 785a82f5444..86bf790eb0a 100644
--- a/htdocs/user/class/user.class.php
+++ b/htdocs/user/class/user.class.php
@@ -2262,8 +2262,8 @@ class User extends CommonObject
 *
 * @param array $info Info array loaded by _load_ldap_info
 * @param int $mode 0=Return full DN (uid=qqq,ou=xxx,dc=aaa,dc=bbb)
- * 1=
- * 2=Return key only (uid=qqq)
+ * 1=Return parent (ou=xxx,dc=aaa,dc=bbb)
+ * 2=Return key only (RDN) (uid=qqq)
 * @return string DN
 */
 function _load_ldap_dn($info,$mode=0)
@@ -2344,7 +2344,7 @@ class User extends CommonObject
 if (! empty($conf->global->LDAP_FIELD_PASSWORD_CRYPTED)) $info[$conf->global->LDAP_FIELD_PASSWORD_CRYPTED] = dol_hash($this->pass, 4); // Create OpenLDAP MD5 password (TODO add type of encryption)
 }
 // Set LDAP password if possible
- else
+ else if ($conf->global->LDAP_SERVER_PROTOCOLVERSION !== '3') // If ldap key is modified and LDAPv3 we use ldap_rename function for avoid lose encrypt password
 {
 if (! empty($conf->global->DATABASE_PWD_ENCRYPTED))
 {
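Review bot: The member branch now passes `$object->_load_ldap_dn($info,1)` as the new parent, but this patch only documents mode 1 for `User::_load_ldap_dn()`; `Adherent::_load_ldap_dn()` is not changed, and if its mode 1 returns an empty string the `! empty($newparent)` guard in `Ldap::update()` silently takes the add/delete path and the password is lost exactly as before, with nothing logged. Confirm that the Adherent implementation returns the parent DN for mode 1 and the RDN for mode 2 (or extend it in this commit), and add `// mode 2 = RDN (uid=xxx), mode 1 = parent DN; both must be non-empty for Ldap::update() to use ldap_rename` above these two lines so the coupling is visible. The enclosing trigger method starts and ends outside the hunk.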
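Review bot: The `else if ($conf->global->LDAP_SERVER_PROTOCOLVERSION !== '3')` gate drops the password attribute from `$info` for every LDAPv3 sync, including entry creation and same-DN updates, not just the DN change that `Ldap::update()` handles with ldap_rename; the adherent.class.php hunk has the same problem. Keeping the stored password is already `update()`'s decision, so this should remain an unconditional `else`; if the gate stays, it should at least be written `(string) $conf->global->LDAP_SERVER_PROTOCOLVERSION !== '3'` so that an integer or unset value is read the same way as the `=== '3'` test in `update()`, and the trailing comment should say what is being skipped here rather than describing what `update()` does. `_load_ldap_info()` starts and ends outside the hunk.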