index 5e53623dab3b36a15f32f25f0fd77bdd4973bfa0..8307b6e63ee5c6996ef2a3821aad4484ccd1dec5 100644 (file)
define ("DEBUG_SI", 256); /*! Debug level for communication with gosa-si */
define ("DEBUG_MAIL", 512); /*! Debug level for all about mail (mailAccounts, imap, sieve etc.) */
define ("DEBUG_FAI", 1024); // FAI (incomplete)
+define ("DEBUG_RPC", 2048); /*! Debug level for communication with remote procedures */
+
+// Define shadow states
+define ("POSIX_ACCOUNT_EXPIRED", 1);
+define ("POSIX_WARN_ABOUT_EXPIRATION", 2);
+define ("POSIX_FORCE_PASSWORD_CHANGE", 4);
+define ("POSIX_DISALLOW_PASSWORD_CHANGE", 8);
/* Rewrite german 'umlauts' and spanish 'accents'
to get better results */
* */
function DEBUG($level, $line, $function, $file, $data, $info="")
{
- if (session::global_get('debugLevel') & $level){
- $output= "DEBUG[$level] ";
- if ($function != ""){
- $output.= "($file:$function():$line) - $info: ";
- } else {
- $output.= "($file:$line) - $info: ";
- }
- echo $output;
- if (is_array($data)){
- print_a($data);
- } else {
- echo "'$data'";
+ global $config;
+ $debugLevel = 0;
+ if($config instanceOf config){
+ $debugLevel = $config->get_cfg_value('core', 'debugLevel');
+ }
+ if ($debugLevel & $level){
+ $output= "DEBUG[$level] ";
+ if ($function != ""){
+ $output.= "($file:$function():$line) - $info: ";
+ } else {
+ $output.= "($file:$line) - $info: ";
+ }
+ echo $output;
+ if (is_array($data)){
+ print_a($data);
+ } else {
+ echo "'$data'";
+ }
+ echo "<br>";
}
- echo "<br>";
- }
}
}
-/*! \brief Test if account is about to expire
+/*! \brief Checks the posixAccount status by comparing the shadow attributes.
*
- * \param string 'userdn' the DN of the user
- * \param string 'username' the username
- * \return int Can be one of the following values:
- * - 1 the account is locked
- * - 2 warn the user that the password is about to expire and he should change
- * his password
- * - 3 force the user to change his password
- * - 4 user should not be able to change his password
- * */
-function ldap_expired_account($config, $userdn, $username)
+ * @param Object The GOsa configuration object.
+ * @param String The 'dn' of the user to test the account status for.
+ * @param String The 'uid' of the user we're going to test.
+ * @return Const
+ * POSIX_ACCOUNT_EXPIRED - If the account is expired.
+ * POSIX_WARN_ABOUT_EXPIRATION - If the account is going to expire.
+ * POSIX_FORCE_PASSWORD_CHANGE - The password has to be changed.
+ * POSIX_DISALLOW_PASSWORD_CHANGE - The password cannot be changed right now.
+ *
+ *
+ *
+ * shadowLastChange
+ * |
+ * |---- shadowMin ---> | <-- shadowMax --
+ * | | |
+ * |------- shadowWarning -> |
+ * |-- shadowInactive --> DEACTIVATED
+ * |
+ * EXPIRED
+ *
+ */
+function ldap_expired_account($config, $userdn, $uid)
{
+ // Skip this for the admin account, we do not want to lock him out.
+ if($uid == 'admin') return(0);
+
$ldap= $config->get_ldap_link();
+ $ldap->cd($config->current['BASE']);
$ldap->cat($userdn);
$attrs= $ldap->fetch();
-
- /* default value no errors */
- $expired = 0;
-
- $sExpire = 0;
- $sLastChange = 0;
- $sMax = 0;
- $sMin = 0;
- $sInactive = 0;
- $sWarning = 0;
-
- $current= date("U");
-
- $current= floor($current /60 /60 /24);
-
- /* special case of the admin, should never been locked */
- /* FIXME should allow any name as user admin */
- if($username != "admin")
- {
+ $current= floor(date("U") /60 /60 /24);
- if(isset($attrs['shadowExpire'][0])){
- $sExpire= $attrs['shadowExpire'][0];
- } else {
- $sExpire = 0;
- }
-
- if(isset($attrs['shadowLastChange'][0])){
- $sLastChange= $attrs['shadowLastChange'][0];
- } else {
- $sLastChange = 0;
- }
-
- if(isset($attrs['shadowMax'][0])){
- $sMax= $attrs['shadowMax'][0];
- } else {
- $smax = 0;
- }
+ // Fetch required attributes
+ foreach(array('shadowExpire','shadowLastChange','shadowMax','shadowMin',
+ 'shadowInactive','shadowWarning') as $attr){
+ $$attr = (isset($attrs[$attr][0]))? $attrs[$attr][0] : null;
+ }
- if(isset($attrs['shadowMin'][0])){
- $sMin= $attrs['shadowMin'][0];
- } else {
- $sMin = 0;
- }
-
- if(isset($attrs['shadowInactive'][0])){
- $sInactive= $attrs['shadowInactive'][0];
- } else {
- $sInactive = 0;
- }
-
- if(isset($attrs['shadowWarning'][0])){
- $sWarning= $attrs['shadowWarning'][0];
- } else {
- $sWarning = 0;
- }
-
- /* is the account locked */
- /* shadowExpire + shadowInactive (option) */
- if($sExpire >0){
- if($current >= ($sExpire+$sInactive)){
- return(1);
+
+ // Check if the account has expired.
+ // ---------------------------------
+ // An account is locked/expired once its expiration date has reached (shadowExpire).
+ // If the optional attribute (shadowInactive) is set, we've to postpone
+ // the account expiration by the amount of days specified in (shadowInactive).
+ if($shadowExpire != null && $shadowExpire >= $current){
+
+ // The account seems to be expired, but we've to check 'shadowInactive' additionally.
+ // ShadowInactive specifies an amount of days we've to reprieve the user.
+ // It some kind of x days' grace.
+ if($shadowInactive == null || $current > $shadowExpire + $shadowInactive){
+
+ // Finally we've detect that the account is deactivated.
+ return(POSIX_ACCOUNT_EXPIRED);
}
- }
-
- /* the user should be warned to change is password */
- if((($sExpire >0) && ($sWarning >0)) && ($sExpire >= $current)){
- if (($sExpire - $current) < $sWarning){
- return(2);
+ }
+
+ // The users password is going to expire.
+ // --------------------------------------
+ // We've to warn the user in the case of an expiring account.
+ // An account is going to expire when it reaches its expiration date (shadowExpire).
+ // The user has to be warned, if the days left till expiration, match the
+ // configured warning period (shadowWarning)
+ // --> shadowWarning: Warn x days before account expiration.
+ if($shadowExpire != null && $shadowWarning != null){
+
+ // Check if the account is still active and not already expired.
+ if($shadowExpire >= $current){
+
+ // Check if we've to warn the user by comparing the remaining
+ // number of days till expiration with the configured amount
+ // of days in shadowWarning.
+ if(($shadowExpire - $current) <= $shadowWarning){
+ return(POSIX_WARN_ABOUT_EXPIRATION);
+ }
}
- }
-
- /* force user to change password */
- if(($sLastChange >0) && ($sMax) >0){
- if($current >= ($sLastChange+$sMax)){
- return(3);
+ }
+
+ // -- I guess this is the correct detection, isn't it?
+ if($shadowLastChange != null && $shadowWarning != null && $shadowMax != null){
+ $daysRemaining = ($shadowLastChange + $shadowMax) - $current ;
+ if($daysRemaining > 0 && $daysRemaining <= $shadowWarning){
+ return(POSIX_WARN_ABOUT_EXPIRATION);
}
- }
-
- /* the user should not be able to change is password */
- if(($sLastChange >0) && ($sMin >0)){
- if (($sLastChange + $sMin) >= $current){
- return(4);
+ }
+
+
+ // Check if we've to force the user to change his password.
+ // --------------------------------------------------------
+ // A password change is enforced when the password is older than
+ // the configured amount of days (shadowMax).
+ // The age of the current password (shadowLastChange) plus the maximum
+ // amount amount of days (shadowMax) has to be smaller than the
+ // current timestamp.
+ if($shadowLastChange != null && $shadowMax != null){
+
+ // Check if we've an outdated password.
+ if($current >= ($shadowLastChange + $shadowMax)){
+ return(POSIX_FORCE_PASSWORD_CHANGE);
+ }
+ }
+
+
+ // Check if we've to freeze the users password.
+ // --------------------------------------------
+ // Once a user has changed his password, he cannot change it again
+ // for a given amount of days (shadowMin).
+ // We should not allow to change the password within GOsa too.
+ if($shadowLastChange != null && $shadowMin != null){
+
+ // Check if we've an outdated password.
+ if(($shadowLastChange + $shadowMin) >= $current){
+ return(POSIX_DISALLOW_PASSWORD_CHANGE);
}
- }
}
- return($expired);
+
+ return(0);
}
+
/*! \brief Add a lock for object(s)
*
* Adds a lock by the specified user for one ore multiple objects.
if (tests::is_id($_POST['new_limit']) &&
isset($_POST['action']) && $_POST['action']=="newlimit"){
- session::global_set('size_limit', validate($_POST['new_limit']));
+ session::global_set('size_limit', get_post('new_limit'));
session::set('size_ignore', FALSE);
}
* */
function check_command($cmdline)
{
+ return(TRUE);
$cmd= preg_replace("/ .*$/", "", $cmdline);
/* Check if command exists in filesystem */
{
global $config;
+ // Strip out non ascii chars
+ foreach($attributes as $name => $value){
+ $value = iconv('UTF-8', 'US-ASCII//TRANSLIT', $value);
+ $value = preg_replace('/[^(\x20-\x7F)]*/','',$value);
+ $attributes[$name] = $value;
+ }
+
/* Search for keys and fill the variables array with all
possible values for that key. */
$part= "";
msg_dialog::display(_("Internal error"), sprintf(_("File %s cannot be deleted!"), bold($directory."/".$file)), ERROR_DIALOG);
// This should never be reached
}
- } elseif(is_dir($directory."/".$file) &&
- is_writable($directory."/".$file)) {
- // Just recursively delete it
- rmdirRecursive($directory."/".$file);
- }
+ }
}
// We should now create a fresh revision file
clean_smarty_compile_dir($directory);
if($rfc2307bis && isset($tmp['posixGroup']['STRUCTURAL'])){
$checks['posixGroup']['STATUS'] = FALSE;
- $checks['posixGroup']['MSG'] = _("RFC 2307bis group schema is enabled, but the current LDAP configuration does not support it!");
- $checks['posixGroup']['INFO'] = _("To use RFC 2307bis groups, the objectClass 'posixGroup' must be AUXILIARY.");
+ $checks['posixGroup']['MSG'] = _("RFC2307bis schema is enabled, but the current LDAP configuration does not support it!");
+ $checks['posixGroup']['INFO'] = _("To use RFC2307bis groups, the objectClass 'posixGroup' must be AUXILIARY.");
}
if(!$rfc2307bis && !isset($tmp['posixGroup']['STRUCTURAL'])){
$checks['posixGroup']['STATUS'] = FALSE;
- $checks['posixGroup']['MSG'] = _("RFC 2307bis group schema is disabled, but the current LDAP configuration supports it!");
+ $checks['posixGroup']['MSG'] = _("RFC2307bis schema is disabled, but the current LDAP configuration supports it!");
$checks['posixGroup']['INFO'] = _("To correct this, the objectClass 'posixGroup' must be STRUCTURAL.");
}
}
@@ -2866,19 +2899,75 @@ function get_languages($languages_in_own_language = FALSE,$strip_region_tag = FA
* \return string
* */
function get_post($name)
+{
+ if(!isset($_POST[$name])){
+ trigger_error("Requested POST value (".$name.") does not exists, you should add a check to prevent this message.");
+ return(FALSE);
+ }
+
+ // Handle Posted Arrays
+ $tmp = array();
+ if(is_array($_POST[$name]) && !is_string($_POST[$name])){
+ foreach($_POST[$name] as $key => $val){
+ if(get_magic_quotes_gpc()){
+ $val = stripcslashes($val);
+ }
+ $tmp[$key] = $val;
+ }
+ return($tmp);
+ }else{
+
+ if(get_magic_quotes_gpc()){
+ $val = stripcslashes($_POST[$name]);
+ }else{
+ $val = $_POST[$name];
+ }
+ }
+ return($val);
+}
+
+
+/*! \brief Returns contents of the given POST variable and check magic quotes settings
+ *
+ * Depending on the magic quotes settings this returns a stripclashed'ed version of
+ * a certain POST variable.
+ *
+ * \param string 'name' the POST var to return ($_POST[$name])
+ * \return string
+ * */
+function get_binary_post($name)
{
if(!isset($_POST[$name])){
trigger_error("Requested POST value (".$name.") does not exists, you should add a check to prevent this message.");
return(FALSE);
}
+ $p = str_replace('\0', '', $_POST[$name]);
if(get_magic_quotes_gpc()){
- return(stripcslashes(validate($_POST[$name])));
+ return(stripcslashes($p));
}else{
- return(validate($_POST[$name]));
+ return($_POST[$p]);
}
}
+function set_post($value)
+{
+ // Take care of array, recursivly convert each array entry.
+ if(is_array($value)){
+ foreach($value as $key => $val){
+ $value[$key] = set_post($val);
+ }
+ return($value);
+ }
+
+ // Do not touch boolean values, we may break them.
+ if($value === TRUE || $value === FALSE ) return($value);
+
+ // Return a fixed string which can then be used in HTML fields without
+ // breaking the layout or the values. This allows to use '"<> in input fields.
+ return(htmlentities($value, ENT_QUOTES, 'utf-8'));
+}
+
/*! \brief Return class name in correct case */
function get_correct_class_name($cls)
}
-/*! \brief Change the password of a given DN
- *
- * Change the password of a given DN with the specified hash.
- *
- * \param string 'dn' the DN whose password shall be changed
- * \param string 'password' the password
- * \param int mode
- * \param string 'hash' which hash to use to encrypt it, default is empty
- * for cleartext storage.
- * \return boolean TRUE on success FALSE on error
+/*! \brief Change the password for a given object ($dn).
+ * This method uses the specified hashing method to generate a new password
+ * for the object and it also takes care of sambaHashes, if enabled.
+ * Finally the postmodify hook of the class 'user' will be called, if it is set.
+ *
+ * @param String The DN whose password shall be changed.
+ * @param String The new password.
+ * @param Boolean Skip adding samba hashes to the target (sambaNTPassword,sambaLMPassword)
+ * @param String The hashin method to use, default is the global configured default.
+ * @param String The users old password, this allows script based rollback mechanisms,
+ * the prehook will then be called witch switched newPassword/oldPassword.
+ * @return Boolean TRUE on success else FALSE.
*/
-function change_password ($dn, $password, $mode=0, $hash= "")
+function change_password ($dn, $password, $mode=FALSE, $hash= "", $old_password = "", &$message = "")
{
- global $config;
- $newpass= "";
-
- /* Convert to lower. Methods are lowercase */
- $hash= strtolower($hash);
-
- // Get all available encryption Methods
-
- // NON STATIC CALL :)
- $methods = new passwordMethod(session::get('config'),$dn);
- $available = $methods->get_available_methods();
-
- // read current password entry for $dn, to detect the encryption Method
- $ldap = $config->get_ldap_link();
- $ldap->cat ($dn, array("shadowLastChange", "userPassword", "uid"));
- $attrs = $ldap->fetch ();
-
- /* Is ensure that clear passwords will stay clear */
- if($hash == "" && isset($attrs['userPassword'][0]) && !preg_match ("/^{([^}]+)}(.+)/", $attrs['userPassword'][0])){
- $hash = "clear";
- }
-
- // Detect the encryption Method
- if ( (isset($attrs['userPassword'][0]) && preg_match ("/^{([^}]+)}(.+)/", $attrs['userPassword'][0], $matches)) || $hash != ""){
+ global $config;
+ $newpass= "";
- /* Check for supported algorithm */
+ // Not sure, why this is here, but maybe some encryption methods require it.
mt_srand((double) microtime()*1000000);
- /* Extract used hash */
- if ($hash == ""){
- $test = passwordMethod::get_method($attrs['userPassword'][0],$dn);
- } else {
- $test = new $available[$hash]($config,$dn);
- $test->set_hash($hash);
- }
+ // Get a list of all available password encryption methods.
+ $methods = new passwordMethod(session::get('config'),$dn);
+ $available = $methods->get_available_methods();
- } else {
- // User MD5 by default
- $hash= "md5";
- $test = new $available['md5']($config, $dn);
- }
-
- if($test instanceOf passwordMethod){
-
- $deactivated = $test->is_locked($config,$dn);
+ // Fetch the current object data, to be able to detect the current hashing method
+ // and to be able to rollback changes once has an error occured.
+ $ldap = $config->get_ldap_link();
+ $ldap->cat ($dn, array("shadowLastChange", "userPassword","sambaNTPassword","sambaLMPassword", "uid"));
+ $attrs = $ldap->fetch ();
+ $initialAttrs = $attrs;
+
+ // If no hashing method is enforced, then detect what method we've to use.
+ $hash = strtolower($hash);
+ if(empty($hash)){
+
+ // Do we need clear-text password for this object?
+ if(isset($attrs['userPassword'][0]) && !preg_match ("/^{([^}]+)}(.+)/", $attrs['userPassword'][0])){
+ $hash = "clear";
+ $test = new $available[$hash]($config,$dn);
+ $test->set_hash($hash);
+ }
- /* Feed password backends with information */
- $test->dn= $dn;
- $test->attrs= $attrs;
- $newpass= $test->generate_hash($password);
+ // If we've still no valid hashing method detected, then try to extract if from the userPassword attribute.
+ elseif(isset($attrs['userPassword'][0]) && preg_match ("/^{([^}]+)}(.+)/", $attrs['userPassword'][0], $matches)){
+ $test = passwordMethod::get_method($attrs['userPassword'][0],$dn);
+ $hash = $test->get_hash_name();
+ }
- // Update shadow timestamp?
- if (isset($attrs["shadowLastChange"][0])){
- $shadow= (int)(date("U") / 86400);
- } else {
- $shadow= 0;
+ // No current password was found and no hash is enforced, so we've to use the config default here.
+ $hash = $config->get_cfg_value('core','passwordDefaultHash');
+ $test = new $available[$hash]($config,$dn);
+ $test->set_hash($hash);
+ }else{
+ $test = new $available[$hash]($config,$dn);
+ $test->set_hash($hash);
}
- // Write back modified entry
- $ldap->cd($dn);
- $attrs= array();
-
- // Not for groups
- if ($mode == 0){
- // Create SMB Password
- $attrs= generate_smb_nt_hash($password);
-
- if ($shadow != 0){
- $attrs['shadowLastChange']= $shadow;
- }
- }
+ // We've now a valid password-method-handle and can create the new password hash or don't we?
+ if(!$test instanceOf passwordMethod){
+ $message = _("Cannot detect password hash!");
+ }else{
- $attrs['userPassword']= array();
- $attrs['userPassword']= $newpass;
+ // Feed password backends with object information.
+ $test->dn = $dn;
+ $test->attrs = $attrs;
+ $newpass= $test->generate_hash($password);
+
+ // Do we have to append samba attributes too?
+ // - sambaNTPassword / sambaLMPassword
+ $tmp = $config->get_cfg_value('core','sambaHashHook');
+ $attrs= array();
+ if (!$mode && !empty($tmp)){
+ $attrs= generate_smb_nt_hash($password);
+ $shadow = (isset($attrs["shadowLastChange"][0]))?(int)(date("U") / 86400):0;
+ if ($shadow != 0){
+ $attrs['shadowLastChange']= $shadow;
+ }
+ }
- $ldap->modify($attrs);
+ // Write back the new password hash
+ $ldap->cd($dn);
+ $attrs['userPassword']= $newpass;
- /* Read ! if user was deactivated */
- if($deactivated){
- $test->lock_account($config,$dn);
- }
+ // Prepare a special attribute list, which will be used for event hook calls
+ $attrsEvent = array();
+ foreach($initialAttrs as $name => $value){
+ if(!is_numeric($name))
+ $attrsEvent[$name] = escapeshellarg($value[0]);
+ }
+ $attrsEvent['dn'] = escapeshellarg($initialAttrs['dn']);
+ foreach($attrs as $name => $value){
+ $attrsEvent[$name] = escapeshellarg($value);
+ }
+ $attrsEvent['current_password'] = escapeshellarg($old_password);
+ $attrsEvent['new_password'] = escapeshellarg($password);
+
+ // Call the premodify hook now
+ $passwordPlugin = new password($config,$dn);
+ plugin::callHook($passwordPlugin, 'PREMODIFY', $attrsEvent, $output,$retCode,$error, $directlyPrintError = FALSE);
+ if($retCode === 0 && count($output)){
+ $message = sprintf(_("Pre-event hook reported a problem: %s. Password change canceled!"),implode($output));
+ return(FALSE);
+ }
- new log("modify","users/passwordMethod",$dn,array_keys($attrs),$ldap->get_error());
+ // Perform ldap operations
+ $ldap->modify($attrs);
- if (!$ldap->success()) {
- msg_dialog::display(_("LDAP error"), msgPool::ldaperror($ldap->get_error(), $dn, LDAP_MOD, ERROR_DIALOG));
- } else {
+ // Check if the object was locked before, if it was, lock it again!
+ $deactivated = $test->is_locked($config,$dn);
+ if($deactivated){
+ $test->lock_account($config,$dn);
+ }
- /* Run backend method for change/create */
- if(!$test->set_password($password)){
- return(FALSE);
- }
+ // Check if everything went fine and then call the post event hooks.
+ // If an error occures, then try to rollback the complete actions done.
+ $preRollback = FALSE;
+ $ldapRollback = FALSE;
+ $success = TRUE;
+ if (!$ldap->success()) {
+ new log("modify","users/passwordMethod",$dn,array(),"Password change - ldap modifications! - FAILED");
+ $success =FALSE;
+ $message = msgPool::ldaperror($ldap->get_error(), $dn, LDAP_MOD);
+ $preRollback =TRUE;
+ } else {
- /* Find postmodify entries for this class */
- $command= $config->get_cfg_value("password","postmodify");
+ // Now call the passwordMethod change mechanism.
+ if(!$test->set_password($password)){
+ $ldapRollback = TRUE;
+ $preRollback =TRUE;
+ $success = FALSE;
+ new log("modify","users/passwordMethod",$dn,array(),"Password change - set_password! - FAILED");
+ $message = _("Password change failed!");
+ }else{
+
+ // Execute the password hook
+ plugin::callHook($passwordPlugin, 'POSTMODIFY', $attrsEvent, $output,$retCode,$error, $directlyPrintError = FALSE);
+ if($retCode === 0){
+ if(count($output)){
+ new log("modify","users/passwordMethod",$dn,array(),"Password change - Post modify hook reported! - FAILED!");
+ $message = sprintf(_("Post-event hook reported a problem: %s. Password change canceled!"),implode($output));
+ $ldapRollback = TRUE;
+ $preRollback = TRUE;
+ $success = FALSE;
+ }else{
+ #new log("modify","users/passwordMethod",$dn,array(),"Password change - successfull!");
+ }
+ }else{
+ $ldapRollback = TRUE;
+ $preRollback = TRUE;
+ $success = FALSE;
+ new log("modify","users/passwordMethod",$dn,array(),"Password change - postmodify hook execution! - FAILED");
+ new log("modify","users/passwordMethod",$dn,array(),$error);
+
+ // Call password method again and send in old password to
+ // keep the database consistency
+ $test->set_password($old_password);
+ }
+ }
+ }
- if ($command != ""){
- /* Walk through attribute list */
- $command= preg_replace("/%userPassword/", $password, $command);
- $command= preg_replace("/%dn/", $dn, $command);
+ // Setting the password in the ldap database or further operation failed, we should now execute
+ // the plugins pre-event hook, using switched passwords, new/old password.
+ // This ensures that passwords which were set outside of GOsa, will be reset to its
+ // starting value.
+ if($preRollback){
+ new log("modify","users/passwordMethod",$dn,array(),"Rolling back premodify hook!");
+ $oldpass= $test->generate_hash($old_password);
+ $attrsEvent['current_password'] = escapeshellarg($password);
+ $attrsEvent['new_password'] = escapeshellarg($old_password);
+ foreach(array("userPassword","sambaNTPassword","sambaLMPassword") as $attr){
+ if(isset($initialAttrs[$attr][0])) $attrsEvent[$attr] = $initialAttrs[$attr][0];
+ }
+
+ plugin::callHook($passwordPlugin, 'PREMODIFY', $attrsEvent, $output,$retCode,$error, $directlyPrintError = FALSE);
+ if($retCode === 0 && count($output)){
+ $message = sprintf(_("Pre-event hook reported a problem: %s. Password change canceled!"),implode($output));
+ new log("modify","users/passwordMethod",$dn,array(),"Rolling back premodify hook! - FAILED!");
+ }
+ }
+
+ // We've written the password to the ldap database, but executing the postmodify hook failed.
+ // Now, we've to rollback all password related ldap operations.
+ if($ldapRollback){
+ new log("modify","users/passwordMethod",$dn,array(),"Rolling back ldap modifications!");
+ $attrs = array();
+ foreach(array("userPassword","sambaNTPassword","sambaLMPassword") as $attr){
+ if(isset($initialAttrs[$attr][0])) $attrs[$attr] = $initialAttrs[$attr][0];
+ }
+ $ldap->cd($dn);
+ $ldap->modify($attrs);
+ if(!$ldap->success()){
+ $message = msgPool::ldaperror($ldap->get_error(), $dn, LDAP_MOD);
+ new log("modify","users/passwordMethod",$dn,array(),"Rolling back ldap modifications! - FAILED");
+ }
+ }
- if (check_command($command)){
- @DEBUG (DEBUG_SHELL, __LINE__, __FUNCTION__, __FILE__, $command, "Execute");
- exec($command);
- } else {
- $message= sprintf(_("Command %s specified as post modify action for plugin %s does not exist!"), bold($command), bold("password"));
- msg_dialog::display(_("Configuration error"), $message, ERROR_DIALOG);
+ // Log action.
+ if($success){
+ stats::log('global', 'global', array('users'), $action = 'change_password', $amount = 1, 0, $test->get_hash());
+ new log("modify","users/passwordMethod",$dn,array(),"Password change - successfull!");
+ }else{
+ new log("modify","users/passwordMethod",$dn,array(),"Password change - FAILED!");
}
- }
+
+ return($success);
}
- return(TRUE);
- }
}
{
global $config;
- # Try to use gosa-si?
- if ($config->get_cfg_value("core","gosaSupportURI") != ""){
+ // First try to retrieve values via RPC
+ if ($config->get_cfg_value("core","gosaRpcServer") != ""){
+
+ $rpc = $config->getRpcHandle();
+ $hash = $rpc->mksmbhash($password);
+ if(!$rpc->success()){
+ msg_dialog::display(_("Error"),msgPool::rpcError($rpc->get_error()),ERROR_DIALOG);
+ return("");
+ }
+
+ }elseif ($config->get_cfg_value("core","gosaSupportURI") != ""){
+
+ // Try using gosa-si
$res= gosaSupportDaemon::send("gosa_gen_smb_hash", "GOSA", array("password" => $password), TRUE);
if (isset($res['XML']['HASH'])){
$hash= $res['XML']['HASH'];
return ("");
}
} else {
- $tmp= $config->get_cfg_value("core",'sambaHashHook')." ".escapeshellarg($password);
+ $tmp = $config->get_cfg_value("core",'sambaHashHook');
+ $tmp = preg_replace("/%userPassword/", escapeshellarg($password), $tmp);
+ $tmp = preg_replace("/%password/", escapeshellarg($password), $tmp);
@DEBUG (DEBUG_LDAP, __LINE__, __FUNCTION__, __FILE__, $tmp, "Execute");
exec($tmp, $ar);
while($attrs = $ldap->fetch()){
$new_attrs = array("accessTo" => array());
$dn = $attrs['dn'];
- for($i = 0 ; $i < $attrs['objectClass']['count']; $i++){
- $new_attrs['objectClass'][] = $attrs['objectClass'][$i];
- }
for($i = 0 ; $i < $attrs['accessTo']['count']; $i++){
if($attrs['accessTo'][$i] == $from){
if(!empty($to)){