ltb-project · coudot · Oct 13, 2023 · Jan 5, 2023 · Jan 24, 2023 · Aug 18, 2023
diff --git a/.gitignore b/.gitignore
@@ -0,0 +1 @@
+/vendor/
diff --git a/composer.json b/composer.json
@@ -0,0 +1,5 @@
+{
+ "require": {
+ "ltb-project/ldap": "v0.1.0"
+ }
+}
diff --git a/composer.lock b/composer.lock
diff --git a/htdocs/change.php b/htdocs/change.php
@@ -21,8 +21,6 @@
 
 # This page is called to change password
 
-require_once("../lib/LtbAttributeValue_class.php");
-
 #==============================================================================
 # POST parameters
 #==============================================================================
@@ -69,125 +67,105 @@
 if ( $result === "" ) {
 
  # Connect to LDAP
- $ldap = ldap_connect($ldap_url);
- ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
- ldap_set_option($ldap, LDAP_OPT_REFERRALS, 0);
- if ( $ldap_starttls && !ldap_start_tls($ldap) ) {
- $result = "ldaperror";
- error_log("LDAP - Unable to use StartTLS");
- } else {
-
- # Bind
- if ( isset($ldap_binddn) && isset($ldap_bindpw) ) {
- $bind = ldap_bind($ldap, $ldap_binddn, $ldap_bindpw);
- } elseif ( isset($ldap_krb5ccname) ) {
- putenv("KRB5CCNAME=".$ldap_krb5ccname);
- $bind = ldap_sasl_bind($ldap, NULL, NULL, 'GSSAPI') or error_log('Failed to GSSAPI bind.');
- } else {
- $bind = ldap_bind($ldap);
- }
+ $ldap_connection = \Ltb\Ldap::connect($ldap_url, $ldap_starttls, $ldap_binddn, $ldap_bindpw, $ldap_network_timeout, $ldap_krb5ccname);
+
+ $ldap = $ldap_connection[0];
+ $result = $ldap_connection[1];
 
- if ( !$bind ) {
+ if ($ldap) {
+
+ # Search for user
+ $ldap_filter = str_replace("{login}", $login, $ldap_filter);
+ $search = ldap_search($ldap, $ldap_base, $ldap_filter);
+
+ $errno = ldap_errno($ldap);
+ if ( $errno ) {
  $result = "ldaperror";
- $errno = ldap_errno($ldap);
- if ( $errno ) {
- error_log("LDAP - Bind error $errno (".ldap_error($ldap).")");
- }
+ error_log("LDAP - Search error $errno (".ldap_error($ldap).")");
  } else {
 
- # Search for user
- $ldap_filter = str_replace("{login}", $login, $ldap_filter);
- $search = ldap_search($ldap, $ldap_base, $ldap_filter);
+ # Get user DN
+ $entry = ldap_first_entry($ldap, $search);
 
- $errno = ldap_errno($ldap);
- if ( $errno ) {
- $result = "ldaperror";
- error_log("LDAP - Search error $errno (".ldap_error($ldap).")");
+ if( !$entry ) {
+ $result = "badcredentials";
+ error_log("LDAP - User $login not found");
  } else {
+ # Get user email for notification
+ if ($notify_on_change) {
+ $mail = \Ltb\AttributeValue::ldap_get_mail_for_notification($ldap, $entry);
+ }
 
- # Get user DN
- $entry = ldap_first_entry($ldap, $search);
+ # Check objectClass to allow samba and shadow updates
+ $ocValues = ldap_get_values($ldap, $entry, 'objectClass');
+ if ( !in_array( 'sambaSamAccount', $ocValues ) and !in_array( 'sambaSAMAccount', $ocValues ) ) {
+ $samba_mode = false;
+ }
+ if ( !in_array( 'shadowAccount', $ocValues ) ) {
+ $shadow_options['update_shadowLastChange'] = false;
+ $shadow_options['update_shadowExpire'] = false;
+ }
 
- if( !$entry ) {
- $result = "badcredentials";
- error_log("LDAP - User $login not found");
- } else {
- # Get user email for notification
- if ($notify_on_change) {
- $mail = LtbAttributeValue::ldap_get_mail_for_notification($ldap, $entry);
- }
+ $userdn = ldap_get_dn($ldap, $entry);
+ $entry_array = ldap_get_attributes($ldap, $entry);
+ $entry_array['dn'] = $userdn;
 
- # Check objectClass to allow samba and shadow updates
- $ocValues = ldap_get_values($ldap, $entry, 'objectClass');
- if ( !in_array( 'sambaSamAccount', $ocValues ) and !in_array( 'sambaSAMAccount', $ocValues ) ) {
- $samba_mode = false;
- }
- if ( !in_array( 'shadowAccount', $ocValues ) ) {
- $shadow_options['update_shadowLastChange'] = false;
- $shadow_options['update_shadowExpire'] = false;
+ # Bind with old password
+ $bind = ldap_bind($ldap, $userdn, $oldpassword);
+ if ( !$bind ) {
+ $result = "badcredentials";
+ $errno = ldap_errno($ldap);
+ if ( $errno ) {
+ error_log("LDAP - Bind user error $errno (".ldap_error($ldap).")");
  }
-
- $userdn = ldap_get_dn($ldap, $entry);
- $entry_array = ldap_get_attributes($ldap, $entry);
- $entry_array['dn'] = $userdn;
-
- # Bind with old password
- $bind = ldap_bind($ldap, $userdn, $oldpassword);
- if ( !$bind ) {
- $result = "badcredentials";
- $errno = ldap_errno($ldap);
- if ( $errno ) {
- error_log("LDAP - Bind user error $errno (".ldap_error($ldap).")");
- }
- if ( ($errno == 49) && $ad_mode ) {
- if ( ldap_get_option($ldap, 0x0032, $extended_error) ) {
- error_log("LDAP - Bind user extended_error $extended_error (".ldap_error($ldap).")");
- $extended_error = explode(', ', $extended_error);
- if ( strpos($extended_error[2], '773') or strpos($extended_error[0], 'NT_STATUS_PASSWORD_MUST_CHANGE') ) {
- error_log("LDAP - Bind user password needs to be changed");
- $who_change_password = "manager";
- $result = "";
- }
- if ( ( strpos($extended_error[2], '532') or strpos($extended_error[0], 'NT_STATUS_ACCOUNT_EXPIRED') ) and $ad_options['change_expired_password'] ) {
- error_log("LDAP - Bind user password is expired");
- $who_change_password = "manager";
- $result = "";
- }
- unset($extended_error);
+ if ( ($errno == 49) && $ad_mode ) {
+ if ( ldap_get_option($ldap, 0x0032, $extended_error) ) {
+ error_log("LDAP - Bind user extended_error $extended_error (".ldap_error($ldap).")");
+ $extended_error = explode(', ', $extended_error);
+ if ( strpos($extended_error[2], '773') or strpos($extended_error[0], 'NT_STATUS_PASSWORD_MUST_CHANGE') ) {
+ error_log("LDAP - Bind user password needs to be changed");
+ $who_change_password = "manager";
+ $result = "";
  }
- }
- }
- if ( $result === "" ) {
- # Rebind as Manager if needed
- if ( $who_change_password == "manager" ) {
- $bind = ldap_bind($ldap, $ldap_binddn, $ldap_bindpw);
+  if ( ( strpos($extended_error[2], '532') or strpos($extended_error[0], 'NT_STATUS_ACCOUNT_EXPIRED') ) and $ad_options['change_expired_password'] ) {
+  error_log("LDAP - Bind user password is expired");
+  $who_change_password = "manager";
+  $result = "";
+  }
+ unset($extended_error);
  }
  }
  }
-
- if ( $use_ratelimit ) {
- if ( ! allowed_rate($login,$_SERVER[$client_ip_header],$rrl_config) ) {
- $result = "throttle";
- error_log("LDAP - User $login too fast");
+ if ( !$result ) {
+ # Rebind as Manager if needed
+ if ( $who_change_password == "manager" ) {
+ $bind = ldap_bind($ldap, $ldap_binddn, $ldap_bindpw);
  }
  }
+ }
 
+ if ( $use_ratelimit ) {
+ if ( ! allowed_rate($login,$_SERVER[$client_ip_header],$rrl_config) ) {
+ $result = "throttle";
+ error_log("LDAP - User $login too fast");
+ }
  }
+
  }
  }
 }
 
 #==============================================================================
 # Check password strength
 #==============================================================================
-if ( $result === "" ) {
+if ( !$result ) {
  $result = check_password_strength( $newpassword, $oldpassword, $pwd_policy_config, $login, $entry_array );
 }
 
 #==============================================================================
 # Change password
 #==============================================================================
-if ( $result === "" ) {
+if ( !$result ) {
  if ( isset($prehook) ) {
  $command = hook_command($prehook, $login, $newpassword, $oldpassword, $prehook_password_encodebase64);
  exec($command, $prehook_output, $prehook_return);