From becedf3d19f7ac1400ac02be3c9e8b1b3aac24bf Mon Sep 17 00:00:00 2001 From: David Coutadeur Date: Thu, 25 Apr 2024 20:06:43 +0200 Subject: [PATCH 1/2] fix ldap_exop_passwd and ldap_parse_result functions to pass args by reference (#14) --- src/Ltb/PhpLDAP.php | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/Ltb/PhpLDAP.php b/src/Ltb/PhpLDAP.php index caf2149..7582502 100644 --- a/src/Ltb/PhpLDAP.php +++ b/src/Ltb/PhpLDAP.php @@ -76,7 +76,7 @@ public static function ldap_modify_batch(...$args) return ldap_modify_batch(...$args); } - public static function ldap_exop_passwd(...$args) + public static function ldap_exop_passwd(&...$args) { return ldap_exop_passwd(...$args); } @@ -86,7 +86,7 @@ public static function ldap_mod_replace_ext(...$args) return ldap_mod_replace_ext(...$args); } - public static function ldap_parse_result(...$args) + public static function ldap_parse_result(&...$args) { return ldap_parse_result(...$args); } From 482a57a76f6ee3633a91e624f56f060bd17f26d5 Mon Sep 17 00:00:00 2001 From: David Coutadeur Date: Fri, 26 Apr 2024 11:58:58 +0200 Subject: [PATCH 2/2] add integration test for testing modify_attributes_using_ppolicy (#14) --- tests/IntegrationTests/IntegrationTest.php | 79 ++++++++++++++++++++-- 1 file changed, 72 insertions(+), 7 deletions(-) diff --git a/tests/IntegrationTests/IntegrationTest.php b/tests/IntegrationTests/IntegrationTest.php index 1ea4c3d..f7942f3 100644 --- a/tests/IntegrationTests/IntegrationTest.php +++ b/tests/IntegrationTests/IntegrationTest.php @@ -15,6 +15,9 @@ final class IntegrationTest extends TestCase public $attributes = array("cn"); public $context = "dc=fusioniam,dc=org"; + public $adminDN = "cn=lemonldapng,ou=dsa,o=admin,dc=fusioniam,dc=org"; + public $adminPW = "secret"; + public $user_branch = "ou=users,o=acme,dc=fusioniam,dc=org"; public $ldap_entry_dn1 = "uid=test,ou=users,o=acme,dc=fusioniam,dc=org"; public $ldap_entry1 = [ @@ -23,7 +26,18 @@ final class IntegrationTest extends TestCase "sn" => "test", "uid" => "test", "userPassword" => "secret", - "mail" => array("test1@domain.com", "test2@domain.com") + "mail" => array("test1@domain.com", "test2@domain.com"), + "pwdPolicySubentry" => "cn=ppolicy1,ou=ppolicies,o=acme,dc=fusioniam,dc=org" + ]; + public $ppolicy_branch = "ou=ppolicies,o=acme,dc=fusioniam,dc=org"; + public $ldap_ppolicy_dn1 = "cn=ppolicy1,ou=ppolicies,o=acme,dc=fusioniam,dc=org"; + public $ldap_ppolicy1 = [ + "objectclass" => array("organizationalRole", "pwdPolicy"), + "cn" => array("ppolicy1"), + "pwdAttribute" => "userPassword", + "pwdAllowUserChange" => "TRUE", + "pwdInHistory" => "5", + "pwdLockout" => "TRUE" ]; /* @@ -49,6 +63,7 @@ protected function setUp(): void if( $info["count"] == 0) { // if it does not exist, add the entry + $r = ldap_add($ldap, $this->ldap_ppolicy_dn1, $this->ldap_ppolicy1); $r = ldap_add($ldap, $this->ldap_entry_dn1, $this->ldap_entry1); } } @@ -78,6 +93,7 @@ protected function tearDown(): void { // if it exists, delete the entry $r = ldap_delete($ldap, $this->ldap_entry_dn1); + $r = ldap_delete($ldap, $this->ldap_ppolicy_dn1); } } @@ -92,7 +108,7 @@ public function test_ldap_get_first_available_value(): void ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // binding to ldap server - $ldapbind = ldap_bind($ldap, $this->managerDN, $this->managerPW); + $ldapbind = ldap_bind($ldap, $this->adminDN, $this->adminPW); // search for added entry $sr = ldap_search($ldap, $this->ldap_entry_dn1, "(objectClass=*)", $this->attributes); @@ -112,7 +128,7 @@ public function test_ldap_get_mail_for_notification(): void ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); // binding to ldap server - $ldapbind = ldap_bind($ldap, $this->managerDN, $this->managerPW); + $ldapbind = ldap_bind($ldap, $this->adminDN, $this->adminPW); // search for added entry $sr = ldap_search($ldap, $this->ldap_entry_dn1, "(objectClass=*)", $GLOBALS['mail_attributes']); @@ -130,8 +146,8 @@ public function test_connect(): void $ldapInstance = new \Ltb\Ldap( $this->host, false, - $this->managerDN, - $this->managerPW, + $this->adminDN, + $this->adminPW, 10, null, null, @@ -149,8 +165,8 @@ public function test_get_list(): void $ldapInstance = new \Ltb\Ldap( $this->host, false, - $this->managerDN, - $this->managerPW, + $this->adminDN, + $this->adminPW, 10, $this->user_branch, 0, @@ -167,4 +183,53 @@ public function test_get_list(): void } + public function test_modify_attributes_using_ppolicy_failure(): void + { + + $userdata1 = [ # first modification => accepted + "userPassword" => "secret2", + ]; + $userdata2 = [ # second modification => refused because already present in history + "userPassword" => "secret", + ]; + + + $ldapInstance = new \Ltb\Ldap( + $this->host, + false, + $this->adminDN, + $this->adminPW, + 10, + $this->user_branch, + 0, + null + ); + + list($ldap, $msg) = $ldapInstance->connect(); + + + # Modify the password a first time + list($error_code, $error_msg, $ppolicy_error_code) = + $ldapInstance->modify_attributes_using_ppolicy( + $this->ldap_entry_dn1, + $userdata1 + ); + + $this->assertEquals(0, $error_code, 'Weird error code returned while modifying userPassword'); + $this->assertEquals('', $error_msg, 'Weird msg returned while modifying userPassword'); + $this->assertFalse($ppolicy_error_code, 'Weird ppolicy_error_code returned while modifying userPassword'); + + # Modify the password a second time with failure + list($error_code, $error_msg, $ppolicy_error_code) = + $ldapInstance->modify_attributes_using_ppolicy( + $this->ldap_entry_dn1, + $userdata2 + ); + + $this->assertEquals(19, $error_code, 'Weird error code returned in modify_attributes_using_ppolicy with failure'); + $this->assertEquals('Password is in history of old passwords', $error_msg, 'Weird msg returned in modify_attributes_using_ppolicy with failure'); + $this->assertEquals(8, $ppolicy_error_code, 'Weird ppolicy_error_code returned in modify_attributes_using_ppolicy with failure'); + + } + }