Qual: Clean LDAP code

htdocs/conf/conf.php.example

@@ -177,11 +177,11 @@ $dolibarr_main_authentication='dolibarr';
 # $dolibarr_main_auth_ldap_port='389';
 # $dolibarr_main_auth_ldap_version='3';
 # $dolibarr_main_auth_ldap_servertype='openldap';			# openldap, activedirectory or egroupware
-# $dolibarr_main_auth_ldap_login_attribute='loginfield';	# uid or samaccountname for active directory
-# $dolibarr_main_auth_ldap_dn='';							# Ex: ou=users,dc=my-domain,dc=com
-# $dolibarr_main_auth_ldap_filter = ''                      # Ex: &(uid=%1%)(isMemberOf=cn=Sales,ou=Groups,dc=opencsi,dc=com)
-# $dolibarr_main_auth_ldap_admin_login='';					# Required only if anonymous bind disabled
-# $dolibarr_main_auth_ldap_admin_pass='';					# Required only if anonymous bind disabled
+# $dolibarr_main_auth_ldap_login_attribute='loginfield';	   # Ex: uid or samaccountname for active directory
+# $dolibarr_main_auth_ldap_dn='ou=users,dc=my-domain,dc=com';  # Ex: ou=users,dc=my-domain,dc=com
+# $dolibarr_main_auth_ldap_filter = '';                        # If defined, two previous parameters are not used to find a user into LDAP. Ex: &(uid=%1%)(isMemberOf=cn=Sales,ou=Groups,dc=opencsi,dc=com).
+# $dolibarr_main_auth_ldap_admin_login='';					# Required only if anonymous bind disabled. Ex: cn=admin,dc=example,dc=com
+# $dolibarr_main_auth_ldap_admin_pass='';					# Required only if anonymous bind disabled. Ex: secret
 
 # $dolibarr_main_auth_ldap_debug='false';
 

htdocs/includes/login/functions_ldap.php

@@ -39,6 +39,7 @@ function check_user_password_ldap($usertotest,$passwordtotest)
 	global $dolibarr_main_auth_ldap_version,$dolibarr_main_auth_ldap_servertype;
 	global $dolibarr_main_auth_ldap_login_attribute,$dolibarr_main_auth_ldap_dn;
 	global $dolibarr_main_auth_ldap_admin_login,$dolibarr_main_auth_ldap_admin_pass;
+	global $dolibarr_main_auth_ldap_filter;
 	global $dolibarr_main_auth_ldap_debug;
 
 	if (! function_exists("ldap_connect"))
@@ -88,7 +89,7 @@ function check_user_password_ldap($usertotest,$passwordtotest)
 			print "DEBUG: uid/samacountname=".$ldapuserattr.", dn=".$ladpdn.", Admin:".$ldap->searchUser.", Pass:".$ldap->searchPassword."\n";
 		}
 
-		$resultCheckUserDN=false;
+		$resultFetchLdapUser=0;
 
 		// Define $userSearchFilter
         $userSearchFilter = "";
@@ -106,8 +107,8 @@ function check_user_password_ldap($usertotest,$passwordtotest)
 			if ($result)
 			{
 				$resultFetchLdapUser = $ldap->fetch($usertotest,$userSearchFilter);
-				// On stop si le mot de passe ldap doit etre modifie sur le domaine
-				if ($resultFetchLdapUser == 1 && $ldap->pwdlastset == 0)
+				//dol_syslog('functions_ldap::check_user_password_ldap resultFetchLdapUser='.$resultFetchLdapUser);
+				if ($resultFetchLdapUser > 0 && $ldap->pwdlastset == 0) // If ok but password need to be reset
 				{
 					dol_syslog('functions_ldap::check_user_password_ldap '.$usertotest.' must change password next logon');
 					if ($ldapdebug) print "DEBUG: User ".$usertotest." must change password<br>\n";
@@ -117,21 +118,18 @@ function check_user_password_ldap($usertotest,$passwordtotest)
 					$_SESSION["dol_loginmesg"]=$langs->trans("YouMustChangePassNextLogon",$usertotest,$ldap->domainFQDN);
 					return '';
 				}
-				else
-				{
-					$resultCheckUserDN = $ldap->checkPass($usertotest,$passwordtotest); // $ldap->ldapUserDN is defined if ok
-				}
 			}
 			$ldap->close();
 		}
 
 		// Forge LDAP user and password to test with them
-		$ldap->searchUser=$ldapuserattr."=".$usertotest.",".$ldapdn;
-		if ($resultCheckUserDN) $ldap->searchUser = $ldap->ldapUserDN;
+		$ldap->searchUser=$ldapuserattr."=".$usertotest.",".$ldapdn;  // Default dn
+		if ($resultFetchLdapUser) $ldap->searchUser = $ldap->ldapUserDN;
         $ldap->searchPassword=$passwordtotest;
 
 		// Test with this->seachUser and this->searchPassword
-		$result=$ldap->connect_bind();
+        //print $ldap->searchUser.'-'.$ldap->searchPassword;exit;
+        $result=$ldap->connect_bind();
 		if ($result > 0)
 		{
 			if ($result == 2)
@@ -144,7 +142,7 @@ function check_user_password_ldap($usertotest,$passwordtotest)
 				{
 					// On charge les attributs du user ldap
 					if ($ldapdebug) print "DEBUG: login ldap = ".$login."<br>\n";
-					$ldap->fetch($login,$userSearchFilter);
+					$resultFetchLdapUser = $ldap->fetch($login,$userSearchFilter);
 
 					if ($ldapdebug) print "DEBUG: UACF = ".join(',',$ldap->uacf)."<br>\n";
 					if ($ldapdebug) print "DEBUG: pwdLastSet = ".dol_print_date($ldap->pwdlastset,'day')."<br>\n";
@@ -180,7 +178,21 @@ function check_user_password_ldap($usertotest,$passwordtotest)
 		}
 		else
 		{
-			dol_syslog("functions_ldap::check_user_password_ldap Authentification ko failed to connect to LDAP for '".$usertotest."'");
+            /* Login failed. Return false, together with the error code and text from
+             ** the LDAP server. The common error codes and reasons are listed below :
+             ** (for iPlanet, other servers may differ)
+             ** 19 - Account locked out (too many invalid login attempts)
+             ** 32 - User does not exist
+             ** 49 - Wrong password
+             ** 53 - Account inactive (manually locked out by administrator)
+             */
+            dol_syslog("functions_ldap::check_user_password_ldap Authentification ko failed to connect to LDAP for '".$usertotest."'");
+		    if ($this->connection)    // If connection ok but bind ko
+		    {
+                $this->ldapErrorCode = ldap_errno($this->connection);
+                $this->ldapErrorText = ldap_error($this->connection);
+                dol_syslog("unctions_ldap::check_user_password_ldap ".$this->ldapErrorText);
+		    }
 			sleep(1);
 			$langs->load('main');
 			$langs->load('other');

htdocs/includes/triggers/interface_modLdap_Ldapsynchro.class.php

@@ -159,6 +159,33 @@ class InterfaceLdapsynchro
         elseif ($action == 'USER_NEW_PASSWORD')
         {
             dol_syslog("Trigger '".$this->name."' for action '$action' launched by ".__FILE__.". id=".$object->id);
+            if ($conf->ldap->enabled && $conf->global->LDAP_SYNCHRO_ACTIVE == 'dolibarr2ldap')
+            {
+                $ldap=new Ldap();
+                $ldap->connect_bind();
+
+                $oldinfo=$object->oldcopy->_load_ldap_info();
+                $olddn=$object->oldcopy->_load_ldap_dn($oldinfo);
+
+                // Verify if entry exist
+                $container=$object->oldcopy->_load_ldap_dn($oldinfo,1);
+                $search = "(".$object->oldcopy->_load_ldap_dn($oldinfo,2).")";
+                $records=$ldap->search($container,$search);
+                if (sizeof($records) && $records['count'] == 0)
+                {
+                    $olddn = '';
+                }
+
+                $info=$object->_load_ldap_info();
+                $dn=$object->_load_ldap_dn($info);
+
+                $result=$ldap->update($dn,$info,$user,$olddn);
+                if ($result < 0)
+                {
+                    $this->error="ErrorLDAP"." ".$ldap->error;
+                }
+                return $result;
+            }
         }
         elseif ($action == 'USER_ENABLEDISABLE')
         {

htdocs/lib/ldap.class.php

@@ -389,52 +389,6 @@ class Ldap
 	}
 
 
-
-	/**
-	 * 		\brief		Checks a username and password - does this by logging on to the
-	 * 					server as a user - specified in the DN. There are several reasons why
-	 * 					this login could fail - these are listed below.
-	 *		\return		uname		Username to check
-	 *		\return		pass		Password to check
-	 *		\return		boolean		true=check pass ok, falses=check pass failed
-	 */
-	function checkPass($uname,$pass)
-	{
-		/* Construct the full DN, eg:-
-		 ** "uid=username, ou=People, dc=orgname,dc=com"
-		 */
-		if ($this->serverType == "activedirectory") {
-			// FQDN domain
-			$domain = str_replace('dc=','',$this->domain);
-			$domain = str_replace(',','.',$domain);
-			$checkDn = "$uname@$domain";
-		} else {
-			$checkDn = $this->getUserIdentifier()."=".$uname.", ".$this->setDn(true);
-		}
-		// Try and connect...
-		$this->result = @ldap_bind( $this->connection,$checkDn,$pass);
-		if ( $this->result) {
-			// Connected OK - login credentials are fine!
-			$this->ldapUserDN = $checkDn;
-			return true;
-		} else {
-			/* Login failed. Return false, together with the error code and text from
-			 ** the LDAP server. The common error codes and reasons are listed below :
-			 ** (for iPlanet, other servers may differ)
-			 ** 19 - Account locked out (too many invalid login attempts)
-			 ** 32 - User does not exist
-			 ** 49 - Wrong password
-			 ** 53 - Account inactive (manually locked out by administrator)
-			 */
-			$this->ldapErrorCode = ldap_errno( $this->connection);
-			$this->ldapErrorText = ldap_error( $this->connection);
-			$this->ldapDebugDomain = $domain;
-			$this->ldapDebugDN = $checkDn;
-			return false;
-		}
-	}
-
-
 	/**
 	 * 	\brief		Add a LDAP entry
 	 *	\param		dn			DN entry key
@@ -1166,22 +1120,25 @@ class Ldap
 			$this->bindauth($this->searchUser, $this->searchPassword);
 		}
 
-		$searchDN = $this->people;
+		$searchDN = $this->people;    // TODO Why searching in people then domain ?
 
 		$result = '';
 		$i=0;
 		while ($i <= 2)
 		{
+		    dol_syslog("Ldap::fetch search with searchDN=".$searchDN." filter=".$filter);
 			$this->result = @ldap_search($this->connection, $searchDN, $filter);
 			if ($this->result)
 			{
 				$result = @ldap_get_entries($this->connection, $this->result);
-				//var_dump($result);
+				dol_syslog("Ldap::fetch search found");
+				//var_dump($result);exit;
 			}
 			else
 			{
-				$this->error = ldap_errno($this->connection)." ".ldap_error($this->connection);
-				return -1;
+			    $this->error = ldap_errno($this->connection)." ".ldap_error($this->connection);
+                dol_syslog("Ldap::fetch search not found");
+			    return -1;
 			}
 
 			if (! $result)
@@ -1228,6 +1185,10 @@ class Ldap
 			$domain = str_replace(',','.',$domain);
 			$this->domainFQDN = $domain;
 
+			// Set ldapUserDn (each user can have a different dn)
+            //var_dump($result[0]['dn']);exit;
+			$this->ldapUserDN=$result[0]['dn'];
+
 			ldap_free_result($this->result);
 			return 1;
 		}
@@ -1236,31 +1197,6 @@ class Ldap
 
 	// 2.6 helper methods
 
-	/**
-	 * Sets and returns the appropriate dn, based on whether there
-	 * are values in $this->people and $this->groups.
-	 *
-	 * @param boolean specifies whether to build a groups dn or a people dn
-	 * @return string if true ou=$this->people,$this->dn, else ou=$this->groups,$this->dn
-	 */
-	function setDn($peopleOrGroups) {
-
-		if ($peopleOrGroups) {
-			if ( isset($this->people) && (dol_strlen($this->people) > 0) ) {
-				$checkDn = "ou=" .$this->people. ", " .$this->dn;
-			}
-		} else {
-			if ( isset($this->groups) && (dol_strlen($this->groups) > 0) ) {
-				$checkDn = "ou=" .$this->groups. ", " .$this->dn;
-			}
-		}
-
-		if ( !isset($checkDn) ) {
-			$checkDn = $this->dn;
-		}
-		return $checkDn;
-	}
-
 	/**
 	 * Returns the correct user identifier to use, based on the ldap server type
 	 */

htdocs/user/class/user.class.php

@@ -977,7 +977,7 @@ class User extends CommonObject
 	}
 
 	/**
-	 *  	Update a user into databse (except password)
+	 *  	Update a user into databse (and also password if this->pass is defined)
 	 *		@param		user				User qui fait la mise a jour
 	 *    	@param      notrigger			1 ne declenche pas les triggers, 0 sinon
 	 *		@param		nosyncmember		0=Synchronize linked member (standard info), 1=Do not synchronize linked member

htdocs/user/fiche.php

@@ -305,14 +305,15 @@ if ($_POST["action"] == 'update' && ! $_POST["cancel"])
 				}
 			}
 
+			/* Already included into update function
 			if ($ret >= 0 && ! sizeof($edituser->errors) && isset($_POST["password"]) && $_POST["password"] !='')
 			{
-				$ret=$edituser->setPassword($user,$_POST["password"]);
+				$ret=$edituser->setPassword($user,$_POST["password"],0,1);
 				if ($ret < 0)
 				{
 					$message.='<div class="error">'.$edituser->error.'</div>';
 				}
-			}
+			} */
 
 			if ($ret >=0 && ! sizeof($edituser->errors))
 			{