HPCC-32249 LDAP security manager should use same connection for entir…

…e user create sequence Changed initial creation of LDAP connection to SSL connection if accessing Active Directory type server, otherwise use previous connection type. Pass connection through entire user create process Signed-Off-By: Kenneth Rowland [email protected]
hpcc-systems · Jul 16, 2024 · 2ee6dce · 2ee6dce
1 parent 58924f3
commit 2ee6dce
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 22 deletions.
diff --git a/system/security/LdapSecurity/ldapconnection.cpp b/system/security/LdapSecurity/ldapconnection.cpp
@@ -3226,20 +3226,22 @@ class CLdapClient : implements ILdapClient, public CInterface
         return true;
     }
 
-    virtual bool changePasswordSSL(const char* username, const char* newPassword)
+    virtual bool changePasswordSSL(const char* username, const char* newPassword, LDAP* ld)
     {
         Owned<ILdapConnection> lconn;
-        try
-        {
-            lconn.setown(m_connections->getSSLConnection());
-        }
-        catch(IException*)
+        if (ld == nullptr)
         {
-            throw MakeStringException(-1, "Failed to set user %s's password because of not being able to create an SSL connection to the ldap server. To set an Active Directory user's password from Linux, you need to enable SSL on the Active Directory ldap server", username);
+            try
+            {
+                lconn.setown(m_connections->getSSLConnection());
+            }
+            catch (IException *)
+            {
+                throw MakeStringException(-1, "Failed to set user %s's password because of not being able to create an SSL connection to the ldap server. To set an Active Directory user's password from Linux, you need to enable SSL on the Active Directory ldap server", username);
+            }
+            ld = lconn.get()->getLd();
         }
 
-        LDAP* ld = lconn.get()->getLd();
-
         char        *attribute, **values = NULL;
         LDAPMessage *message;
 
@@ -3347,7 +3349,7 @@ class CLdapClient : implements ILdapClient, public CInterface
             return false;
     }
 
-    virtual bool updateUserPassword(ISecUser& user, const char* newPassword, const char* currPassword)
+    virtual bool updateUserPassword(ISecUser& user, const char* newPassword, const char* currPassword, LDAP* ld)
     {
         const char* username = user.getName();
         if(!username || !*username)
@@ -3372,10 +3374,10 @@ class CLdapClient : implements ILdapClient, public CInterface
                 throw MakeStringException(-1, "Password not changed, invalid credentials");
         }
 
-        return updateUserPassword(username, newPassword);
+        return updateUserPassword(username, newPassword, ld);
     }
 
-    virtual bool updateUserPassword(const char* username, const char* newPassword)
+    virtual bool updateUserPassword(const char* username, const char* newPassword, LDAP* ld)
     {
         if(!username || !*username)
         {
@@ -3472,7 +3474,7 @@ class CLdapClient : implements ILdapClient, public CInterface
             }
             DBGLOG("Trying changePasswordSSL to change password over regular SSL connection.");
 #endif
-            changePasswordSSL(username, newPassword);
+            changePasswordSSL(username, newPassword, ld);
         }
         else
         {
@@ -3485,7 +3487,7 @@ class CLdapClient : implements ILdapClient, public CInterface
             TIMEVAL timeOut = {m_ldapconfig->getLdapTimeout(),0};
 
             Owned<ILdapConnection> lconn = m_connections->getConnection();
-            LDAP* ld = lconn.get()->getLd();
+            ld = lconn.get()->getLd();
 
             char        *attrs[] = {LDAP_NO_ATTRS, NULL};
             CLDAPMessage searchResult;
@@ -6032,7 +6034,7 @@ class CLdapClient : implements ILdapClient, public CInterface
 
         // set the password.
         Owned<ISecUser> tmpuser = new CLdapSecUser(user->getName(), "");
-        if (!updateUserPassword(*tmpuser, user->credentials().getPassword(), nullptr))
+        if (!updateUserPassword(*tmpuser, user->credentials().getPassword(), nullptr, ld))
         {
             DBGLOG("Error updating password for %s",username);
             throw MakeStringException(-1, "Error updating password for %s",username);
@@ -6069,6 +6071,7 @@ class CLdapClient : implements ILdapClient, public CInterface
 
     virtual bool addUser(ISecUser& user)
     {
+        LdapServerType serverType = m_ldapconfig->getServerType();
         const char* username = user.getName();
         if(username == NULL || *username == '\0')
         {
@@ -6111,7 +6114,7 @@ class CLdapClient : implements ILdapClient, public CInterface
         const char* employeeNumber = user.getEmployeeNumber();
 
         StringBuffer dn;
-        if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
+        if(serverType == ACTIVE_DIRECTORY)
         {
             dn.append("cn=").append(fullname).append(",");
         }
@@ -6123,7 +6126,7 @@ class CLdapClient : implements ILdapClient, public CInterface
 
         char* oc_name;
         char* act_fieldname;
-        if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
+        if(serverType == ACTIVE_DIRECTORY)
         {
             oc_name = "User";
             act_fieldname = "sAMAccountName";
@@ -6223,7 +6226,7 @@ class CLdapClient : implements ILdapClient, public CInterface
             attrs[ind++] = &sn_attr;
         attrs[ind++] = &actname_attr;
 
-        if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
+        if(serverType == ACTIVE_DIRECTORY)
         {
             attrs[ind++] = &username_attr;
             attrs[ind++] = &dispname_attr;
@@ -6239,7 +6242,19 @@ class CLdapClient : implements ILdapClient, public CInterface
 
         attrs[ind] = NULL;
 
-        Owned<ILdapConnection> lconn = m_connections->getConnection();
+        //
+        // If the server type is ACTIVE_DIRECTORY, an SSL connection will be needed later to
+        // set the new user password, otherwise a non SSL connection is used.
+        Owned<ILdapConnection> lconn;
+        if(serverType == ACTIVE_DIRECTORY)
+        {
+            lconn.setown(m_connections->getSSLConnection());
+        }
+        else
+        {
+            lconn.setown(m_connections->getConnection());
+        }
+
         LDAP* ld = lconn.get()->getLd();
         int rc = ldap_add_ext_s(ld, (char*)dn.str(), attrs, NULL, NULL);
         if ( rc != LDAP_SUCCESS )
@@ -6256,7 +6271,7 @@ class CLdapClient : implements ILdapClient, public CInterface
             }
         }
 
-        if(m_ldapconfig->getServerType() == ACTIVE_DIRECTORY)
+        if(serverType == ACTIVE_DIRECTORY)
         {
             try
             {

diff --git a/system/security/LdapSecurity/ldapconnection.hpp b/system/security/LdapSecurity/ldapconnection.hpp
@@ -287,9 +287,9 @@ interface ILdapClient : extends IInterface
     virtual void setResourceBasedn(const char* rbasedn, SecResourceType rtype = RT_DEFAULT) = 0;
     virtual ILdapConfig* getLdapConfig() = 0;
     virtual bool userInGroup(const char* userdn, const char* groupdn) = 0;
-    virtual bool updateUserPassword(ISecUser& user, const char* newPassword, const char* currPassword = 0) = 0;
+    virtual bool updateUserPassword(ISecUser& user, const char* newPassword, const char* currPassword = 0, LDAP* ld = nullptr) = 0;
     virtual bool updateUser(const char* type, ISecUser& user) = 0;
-    virtual bool updateUserPassword(const char* username, const char* newPassword) = 0;
+    virtual bool updateUserPassword(const char* username, const char* newPassword, LDAP* ld = nullptr) = 0;
     virtual bool getResources(SecResourceType rtype, const char * basedn, const char* prefix, const char* searchstr, IArrayOf<ISecResource>& resources) = 0;
     virtual IPropertyTreeIterator* getResourceIterator(SecResourceType rtype, const char * basedn, const char* prefix,
         const char* resourceName, unsigned extraNameFilter) = 0;