From 75fb843af731782f0d939849fe58d395ae4ddd0b Mon Sep 17 00:00:00 2001 From: Matthias Date: Tue, 14 May 2019 11:02:35 +0200 Subject: [PATCH 1/3] Disambiguate user by mail If ldap_search returns multiple entries for a given username (ie. $ldap_login_attribute is not unique), then check all users and their mail addresses for verifying user input.
---
 pages/sendtoken.php | 56 ++++++++++++++++++++++++--------------------- 1 file changed, 30 insertions(+), 26 deletions(-)
diff --git a/pages/sendtoken.php b/pages/sendtoken.php
index 202aad422..390165549 100644
--- a/pages/sendtoken.php
+++ b/pages/sendtoken.php
@@ -93,39 +93,43 @@ } else { # Get user DN - $entry = ldap_first_entry($ldap, $search); - $userdn = ldap_get_dn($ldap, $entry); + $entries = ldap_get_entries($ldap, $search); - if( !$userdn ) { + if( $entries['count'] == 0 ) { $result = "badcredentials"; error_log("LDAP - User $login not found"); } else { - # Compare mail values - $mailValues = ldap_get_values($ldap, $entry, $mail_attribute); - unset($mailValues["count"]); $match = 0; + foreach($entries as $entry) { + # Compare mail values + $mailValues = $entry[$mail_attribute]; + unset($mailValues["count"]); + + if (!$mail_address_use_ldap) { + # Match with user submitted values + foreach ($mailValues as $mailValue) { + if (strcasecmp($mail_attribute, "proxyAddresses") == 0) { + $mailValue = str_ireplace("smtp:", "", $mailValue); + } + if (strcasecmp($mail, $mailValue) == 0) { + $match = 1; + break; + } + } + } else { + # Use first available mail adress in ldap + if(count($mailValues) > 0) { + $mailValue = $mailValues[0]; + if (strcasecmp($mail_attribute, "proxyAddresses") == 0) { + $mailValue = str_ireplace("smtp:", "", $mailValue); + } + $mail = $mailValue; + $match = true; + break; + } + } - if (!$mail_address_use_ldap) { - # Match with user submitted values - foreach ($mailValues as $mailValue) { - if (strcasecmp($mail_attribute, "proxyAddresses") == 0) { - $mailValue = str_ireplace("smtp:", "", $mailValue); - } - if (strcasecmp($mail, $mailValue) == 0) { - $match = 1; - } - } - } else { - # Use first available mail adress in ldap - if(count($mailValues) > 0) { - $mailValue = $mailValues[0]; - if (strcasecmp($mail_attribute, "proxyAddresses") == 0) { - $mailValue = str_ireplace("smtp:", "", $mailValue); - } - $mail = $mailValue; - $match = true; - } } if (!$match) { From e44fb00ecac20e40c072700682844943aff142d1 Mon Sep 17 00:00:00 2001 
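Review bot: `foreach($entries as $entry)` also visits the `count` element that ldap_get_entries() stores first in its result, so the very first iteration has an int in `$entry`, `$entry[$mail_attribute]` is null, and in the `$mail_address_use_ldap` branch `count($mailValues)` runs on null (a warning on PHP 7, a TypeError on PHP 8); add `unset($entries['count']);` before the loop. ldap_get_entries() also lowercases attribute names, so `$entry[$mail_attribute]` is undefined whenever the configured attribute is mixed-case — including the `proxyAddresses` case this loop handles explicitly — and the same lookup recurs in patch 3 as `$entry[$ldap_login_attribute][0]` in both resetbytoken.php and sendtoken.php; use `$mailValues = isset($entry[strtolower($mail_attribute)]) ? $entry[strtolower($mail_attribute)] : array();`. With `$mail_address_use_ldap` enabled, an ambiguous login now silently resolves to whichever entry the directory returns first, so the token targets an account the requester did not choose; it would be safer to treat `$entries['count'] > 1` as an error in that mode, or at least to log it. The surrounding else branch and the `}}}}}` closers lie outside the hunk.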
From: Matthias Date: Tue, 14 May 2019 11:06:46 +0200 Subject: [PATCH 2/3] fix indentation --- pages/sendtoken.php | 41 ++++++++++++++++++++--------------------- 1 file changed, 20 insertions(+), 21 deletions(-) diff --git a/pages/sendtoken.php b/pages/sendtoken.php index 390165549..5358db270 100644 --- a/pages/sendtoken.php +++ b/pages/sendtoken.php @@ -102,34 +102,33 @@ $match = 0; foreach($entries as $entry) { - # Compare mail values - $mailValues = $entry[$mail_attribute]; - unset($mailValues["count"]); + # Compare mail values + $mailValues = $entry[$mail_attribute]; + unset($mailValues["count"]); - if (!$mail_address_use_ldap) { + if (!$mail_address_use_ldap) { # Match with user submitted values foreach ($mailValues as $mailValue) { - if (strcasecmp($mail_attribute, "proxyAddresses") == 0) { - $mailValue = str_ireplace("smtp:", "", $mailValue); - } - if (strcasecmp($mail, $mailValue) == 0) { - $match = 1; - break; - } + if (strcasecmp($mail_attribute, "proxyAddresses") == 0) { + $mailValue = str_ireplace("smtp:", "", $mailValue); + } + if (strcasecmp($mail, $mailValue) == 0) { + $match = 1; + break; + } } - } else { + } else { # Use first available mail adress in ldap if(count($mailValues) > 0) { - $mailValue = $mailValues[0]; - if (strcasecmp($mail_attribute, "proxyAddresses") == 0) { - $mailValue = str_ireplace("smtp:", "", $mailValue); - } - $mail = $mailValue; - $match = true; - break; + $mailValue = $mailValues[0]; + if (strcasecmp($mail_attribute, "proxyAddresses") == 0) { + $mailValue = str_ireplace("smtp:", "", $mailValue); + } + $mail = $mailValue; + $match = true; + break; } - } - + } } if (!$match) { From 5e31942160a43b1eb858969e676653f3f8138cee Mon Sep 17 00:00:00 2001 
From: Matthias Date: Wed, 15 May 2019 11:19:18 +0200 Subject: [PATCH 3/3] Couple of improvements: * Fix breaking foreach loop over mails * Store user data in session on sendtoken * Retrieve user data from session on resetbytoken * Use `$ldap_login_attribute` to retrieve the username from user data * `$ldap_filter_reset` for ldap search on sendtoken (allow non-unique search criteria) * Add message type for login field on sendtoken
---
 conf/config.inc.php | 1 + lang/ca.inc.php | 3 +- lang/cn.inc.php | 3 +- lang/cs.inc.php | 3 +- lang/de.inc.php | 3 +- lang/ee.inc.php | 3 +- lang/el.inc.php | 3 +- lang/en.inc.php | 3 +- lang/es.inc.php | 3 +- lang/fr.inc.php | 3 +- lang/hu.inc.php | 3 +- lang/it.inc.php | 3 +- lang/ja.inc.php | 3 +- lang/nb-NO.inc.php | 3 +- lang/nl.inc.php | 3 +- lang/pl.inc.php | 3 +- lang/pt-BR.inc.php | 3 +- lang/pt-PT.inc.php | 3 +- lang/ru.inc.php | 3 +- lang/sk.inc.php | 3 +- lang/sl.inc.php | 3 +- lang/sv.inc.php | 3 +- lang/tr.inc.php | 3 +- lang/uk.inc.php | 3 +- lang/zh-CN.inc.php | 3 +- lang/zh-TW.inc.php | 3 +- pages/resetbytoken.php | 84 +++++++++++------------------------------- pages/sendtoken.php | 13 ++++--- 28 files changed, 80 insertions(+), 93 deletions(-)
diff --git a/conf/config.inc.php b/conf/config.inc.php
index 522736b55..a83db9c76 100644
--- a/conf/config.inc.php
+++ b/conf/config.inc.php
@@ -42,6 +42,7 @@ $ldap_login_attribute = "uid"; $ldap_fullname_attribute = "cn"; $ldap_filter = "(&(objectClass=person)($ldap_login_attribute={login}))"; +$ldap_filter_reset = $ldap_filter; # Active Directory mode # true: use unicodePwd as password field
diff --git a/lang/ca.inc.php b/lang/ca.inc.php
index 95cdcf034..828ec80ca 100644
--- a/lang/ca.inc.php
+++ b/lang/ca.inc.php
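Review bot: `$ldap_filter_reset = $ldap_filter;` is added without a comment, although it changes how the send-token page looks up accounts and, unlike `$ldap_filter`, is allowed to match several entries; a reader of the config has no way to know that. Suggest `# Filter used by the send-token page; may match several entries, which are then disambiguated by mail address` above the assignment. Note also that the value is copied at assignment time, so an administrator who customises `$ldap_filter` further down (or in an override file) keeps the stock filter for resets unless `$ldap_filter_reset` is set as well.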
@@ -38,7 +38,8 @@ $messages['badcredentials'] = "El nom d'usuari o la contrasenya són incorrectes"; $messages['passworderror'] = "El servidor ha refusat la contrasenya"; $messages['title'] = "Autoservei de canvi de contrasenyes"; -$messages['login'] = "Nom d'usuari"; +$messages['login'] = "Nom d'usuari"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Contrasenya anterior"; $messages['newpassword'] = "Contrasenya nova"; $messages['confirmpassword'] = "Confirmeu la nova contrasenya"; diff --git a/lang/cn.inc.php b/lang/cn.inc.php index a20352999..8057fbb89 100644 --- a/lang/cn.inc.php +++ b/lang/cn.inc.php @@ -36,7 +36,8 @@ $messages['badcredentials'] = "用户名或密码不正确"; $messages['passworderror'] = "密码被拒"; $messages['title'] = "统一登录平台自助改密"; -$messages['login'] = "用户名"; +$messages['login'] = "用户名"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "旧密码"; $messages['newpassword'] = "新密码"; $messages['confirmpassword'] = "新密码"; diff --git a/lang/cs.inc.php b/lang/cs.inc.php index 9fc429238..f80580ab3 100644 --- a/lang/cs.inc.php +++ b/lang/cs.inc.php @@ -36,7 +36,8 @@ $messages['badcredentials'] = "Zadali jste špatné jméno nebo heslo"; $messages['passworderror'] = "Heslo bylo odmítnuto serverem LDAP"; $messages['title'] = "Změna hesla"; -$messages['login'] = "Přihlašovací jméno"; +$messages['login'] = "Přihlašovací jméno"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Staré heslo"; $messages['newpassword'] = "Nové heslo"; $messages['confirmpassword'] = "Potvrďte"; diff --git a/lang/de.inc.php b/lang/de.inc.php index 371d6363c..690a131fc 100644 --- a/lang/de.inc.php +++ b/lang/de.inc.php 
@@ -36,7 +36,8 @@ $messages['badcredentials'] = "Login oder Passwort inkorrekt"; $messages['passworderror'] = "Passwort wurde vom LDAP nicht akzeptiert"; $messages['title'] = "Passwortverwaltung"; -$messages['login'] = "Login"; +$messages['login'] = "Login"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Altes Passwort"; $messages['newpassword'] = "Neues Passwort"; $messages['confirmpassword'] = "Bestätigen"; diff --git a/lang/ee.inc.php b/lang/ee.inc.php index dbeb1bf57..c4dfe809e 100644 --- a/lang/ee.inc.php +++ b/lang/ee.inc.php @@ -40,7 +40,8 @@ $messages['passworderror'] = "Parooli muudatus lükati tagasi LDAP kataloogi poolt"; $messages['sshkeyerror'] = "SSH võtme muudatus lükati tagasi LDAP kataloogi poolt"; $messages['title'] = "Iseteenindus"; -$messages['login'] = "Kasutajanimi"; +$messages['login'] = "Kasutajanimi"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Vana parool"; $messages['newpassword'] = "Uus parool"; $messages['confirmpassword'] = "Kinnita uus parool"; diff --git a/lang/el.inc.php b/lang/el.inc.php index 82dd8cfd7..3c05a6922 100644 --- a/lang/el.inc.php +++ b/lang/el.inc.php @@ -36,7 +36,8 @@ $messages['badcredentials'] = "Το όνομα χρήστη ή ο κωδικός είναι λάθος"; $messages['passworderror'] = "Ο κωδικός δεν έγινε δεκτός από την υπηρεσία καταλόγου"; $messages['title'] = "Αλλαγή/Ανάκτηση Κωδικού"; -$messages['login'] = "Όνομα χρήστη"; +$messages['login'] = "Όνομα χρήστη"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Ισχύων κωδικός"; $messages['newpassword'] = "Νέος κωδικός"; $messages['confirmpassword'] = "Επιβεβαίωση"; diff --git a/lang/en.inc.php b/lang/en.inc.php index 295500d4a..3e9fef8ea 100644 --- a/lang/en.inc.php +++ b/lang/en.inc.php 
@@ -38,7 +38,8 @@ $messages['passworderror'] = "Password was refused by the LDAP directory"; $messages['sshkeyerror'] = "SSH Key was refused by the LDAP directory"; $messages['title'] = "Self service password"; -$messages['login'] = "Login"; +$messages['login'] = "Login"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Old password"; $messages['newpassword'] = "New password"; $messages['confirmpassword'] = "Confirm"; diff --git a/lang/es.inc.php b/lang/es.inc.php index 4ac2433c7..827e60913 100644 --- a/lang/es.inc.php +++ b/lang/es.inc.php @@ -36,7 +36,8 @@ $messages['badcredentials'] = "Su nombre de usuario o su contraseña es incorrecta"; $messages['passworderror'] = "Su contraseña fue rechazada"; $messages['title'] = "Autoservicio de cambio de contraseñas"; -$messages['login'] = "Nombre de usuario"; +$messages['login'] = "Nombre de usuario"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Contraseña anterior"; $messages['newpassword'] = "Contraseña nueva"; $messages['confirmpassword'] = "Confirme contraseña nueva"; diff --git a/lang/fr.inc.php b/lang/fr.inc.php index 6ff7e4ad2..c636467b5 100644 --- a/lang/fr.inc.php +++ b/lang/fr.inc.php @@ -36,7 +36,8 @@ $messages['badcredentials'] = "Identifiant ou mot de passe incorrect"; $messages['passworderror'] = "Le mot de passe a été refusé"; $messages['title'] = "Gestion du mot de passe"; -$messages['login'] = "Identifiant"; +$messages['login'] = "Identifiant"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Ancien mot de passe"; $messages['newpassword'] = "Nouveau mot de passe"; $messages['confirmpassword'] = "Confirmation"; diff --git a/lang/hu.inc.php b/lang/hu.inc.php index c620b4f6b..2aa5018de 100644 --- a/lang/hu.inc.php +++ b/lang/hu.inc.php 
@@ -36,7 +36,8 @@ $messages['badcredentials'] = "A felhasználónév vagy a jelszó nem megfelelő!"; $messages['passworderror'] = "A jelszó megváltoztatását visszautasította az LDAP szolgáltatás"; $messages['title'] = "Önkiszolgáló jelszókezelő"; -$messages['login'] = "Felhasználónév"; +$messages['login'] = "Felhasználónév"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Régi jelszó"; $messages['newpassword'] = "Új jelszó"; $messages['confirmpassword'] = "Új jelszó ismét"; diff --git a/lang/it.inc.php b/lang/it.inc.php index 3b8e5b316..c1550fdaf 100644 --- a/lang/it.inc.php +++ b/lang/it.inc.php @@ -36,7 +36,8 @@ $messages['badcredentials'] = "Login o password non corretti"; $messages['passworderror'] = "Password rifiutata dalla directory LDAP"; $messages['title'] = "Self service password"; -$messages['login'] = "Login"; +$messages['login'] = "Login"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Vecchia password"; $messages['newpassword'] = "Nuova password"; $messages['confirmpassword'] = "Conferma"; diff --git a/lang/ja.inc.php b/lang/ja.inc.php index 223eb4924..5f23594e3 100644 --- a/lang/ja.inc.php +++ b/lang/ja.inc.php @@ -36,7 +36,8 @@ $messages['badcredentials'] = "ログインIDかパスワードが間違っています"; $messages['passworderror'] = "パスワードはLDAPディレクトリーに拒否されました"; $messages['title'] = "Self service password"; -$messages['login'] = "ログインID"; +$messages['login'] = "ログインID"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "現在のパスワード"; $messages['newpassword'] = "新しいパスワード"; $messages['confirmpassword'] = "新しいパスワードの確認"; diff --git a/lang/nb-NO.inc.php b/lang/nb-NO.inc.php index 2bf468225..866eea7b8 100644 --- a/lang/nb-NO.inc.php +++ b/lang/nb-NO.inc.php 
@@ -36,7 +36,8 @@ $messages['badcredentials'] = "Passord eller Brukernavn er feil"; $messages['passworderror'] = "Passordet var ikke godtatt av LDAP katalogen"; $messages['title'] = "Self service passord"; -$messages['login'] = "Brukernavn"; +$messages['login'] = "Brukernavn"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Gammelt passord"; $messages['newpassword'] = "Nytt passord"; $messages['confirmpassword'] = "Bekreft"; diff --git a/lang/nl.inc.php b/lang/nl.inc.php index 11ce31193..6d1c54dbb 100644 --- a/lang/nl.inc.php +++ b/lang/nl.inc.php @@ -36,7 +36,8 @@ $messages['badcredentials'] = "Gebruikersnaam of wachtwoord onjuist"; $messages['passworderror'] = "Wachtwoord niet geaccepteerd door de LDAP directory"; $messages['title'] = "Wachtwoord Self Service"; -$messages['login'] = "Gebruikersnaam"; +$messages['login'] = "Gebruikersnaam"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Huidige wachtwoord"; $messages['newpassword'] = "Nieuwe wachtwoord"; $messages['confirmpassword'] = "Bevestigen"; diff --git a/lang/pl.inc.php b/lang/pl.inc.php index 5b805d609..40714863e 100644 --- a/lang/pl.inc.php +++ b/lang/pl.inc.php @@ -36,7 +36,8 @@ $messages['badcredentials'] = "Login lub hasło nie są poprawne"; $messages['passworderror'] = "Hasło zostało odrzucone przez bazę LDAP"; $messages['title'] = "Samodzielna zmiana hasła"; -$messages['login'] = "Login"; +$messages['login'] = "Login"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Stare hasło"; $messages['newpassword'] = "Nowe hasło"; $messages['confirmpassword'] = "Potwierdź"; diff --git a/lang/pt-BR.inc.php b/lang/pt-BR.inc.php index 75d82c16f..7d6e6381b 100644 --- a/lang/pt-BR.inc.php +++ b/lang/pt-BR.inc.php 
@@ -36,7 +36,8 @@ $messages['badcredentials'] = "Login ou senha incorretos"; $messages['passworderror'] = "A senha foi recusada pelo Diretório LDAP"; $messages['title'] = "Serviço de senha"; -$messages['login'] = "Login"; +$messages['login'] = "Login"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Senha atual"; $messages['newpassword'] = "Senha nova"; $messages['confirmpassword'] = "Confirma"; diff --git a/lang/pt-PT.inc.php b/lang/pt-PT.inc.php index 775ba6e02..ecca09925 100644 --- a/lang/pt-PT.inc.php +++ b/lang/pt-PT.inc.php @@ -36,7 +36,8 @@ $messages['badcredentials'] = "Username ou password incorretos."; $messages['passworderror'] = "A password foi recusada pelo LDAP."; $messages['title'] = "Alteração de Password"; -$messages['login'] = "Username"; +$messages['login'] = "Username"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Password actual"; $messages['newpassword'] = "Password nova"; $messages['confirmpassword'] = "Confirma password"; diff --git a/lang/ru.inc.php b/lang/ru.inc.php index cb5f744a3..79703a679 100644 --- a/lang/ru.inc.php +++ b/lang/ru.inc.php @@ -36,7 +36,8 @@ $messages['badcredentials'] = "Проверьте правильность написания логина или пароля"; $messages['passworderror'] = "Ваш пароль отклонен LDAP directory"; $messages['title'] = "Self service password"; -$messages['login'] = "Логин"; +$messages['login'] = "Логин"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Ваш старый пароль"; $messages['newpassword'] = "Ваш новый пароль"; $messages['confirmpassword'] = "Подтвердить"; diff --git a/lang/sk.inc.php b/lang/sk.inc.php index f595d0e7e..d143325e3 100644 --- a/lang/sk.inc.php +++ b/lang/sk.inc.php 
@@ -36,7 +36,8 @@ $messages['badcredentials'] = "Prihlasovacie meno alebo heslo je nesprávne"; $messages['passworderror'] = "Heslo bolo odmietnuté LDAP adresári"; $messages['title'] = "Zmena hesla"; -$messages['login'] = "Prihlasovacie meno"; +$messages['login'] = "Prihlasovacie meno"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Staré heslo"; $messages['newpassword'] = "Nové heslo"; $messages['confirmpassword'] = "Nové heslo (ešte raz)"; diff --git a/lang/sl.inc.php b/lang/sl.inc.php index 0e8d30499..604f264af 100644 --- a/lang/sl.inc.php +++ b/lang/sl.inc.php @@ -36,7 +36,8 @@ $messages['badcredentials'] = "Napačno uporabniško ime ali geslo"; $messages['passworderror'] = "Strežnik LDAP je zavrnil geslo"; $messages['title'] = "Spreminjanje gesla"; -$messages['login'] = "Uporabniško ime"; +$messages['login'] = "Uporabniško ime"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Staro geslo"; $messages['newpassword'] = "Novo geslo"; $messages['confirmpassword'] = "Potrdite novo geslo"; diff --git a/lang/sv.inc.php b/lang/sv.inc.php index 6ccb2614f..2ea6f4c79 100644 --- a/lang/sv.inc.php +++ b/lang/sv.inc.php @@ -36,7 +36,8 @@ $messages['badcredentials'] = "Lösenord eller Användarnamn är felaktiga"; $messages['passworderror'] = "Lösenordet godtogs inte av LDAPkatalogen"; $messages['title'] = "Self service password"; -$messages['login'] = "Användarnamn"; +$messages['login'] = "Användarnamn"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Nuvarande lösenord"; $messages['newpassword'] = "Nytt lösenord"; $messages['confirmpassword'] = "Bekräfta nytt lösenord"; diff --git a/lang/tr.inc.php b/lang/tr.inc.php index ee24bffca..c27a49a65 100644 --- a/lang/tr.inc.php +++ b/lang/tr.inc.php 
@@ -36,7 +36,8 @@ $messages['badcredentials'] = "Kullanıcı adı ya da parola hatalı"; $messages['passworderror'] = "Parola LDAP dizini tarafından reddedildi"; $messages['title'] = "Self servis parola"; -$messages['login'] = "Kullanıcı adı"; +$messages['login'] = "Kullanıcı adı"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Eski parola"; $messages['newpassword'] = "Yeni parola"; $messages['confirmpassword'] = "Onayla"; diff --git a/lang/uk.inc.php b/lang/uk.inc.php index b5f5f3eb7..90e61dadb 100644 --- a/lang/uk.inc.php +++ b/lang/uk.inc.php @@ -37,7 +37,8 @@ $messages['badcredentials'] = "Перевірте правильність написання логіна або пароля"; $messages['passworderror'] = "Ваш пароль відхилено LDAP директорією"; $messages['title'] = "Self service password"; -$messages['login'] = "Логін"; +$messages['login'] = "Логін"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "Ваш старий пароль"; $messages['newpassword'] = "Ваш новий пароль"; $messages['confirmpassword'] = "Підтвердити"; diff --git a/lang/zh-CN.inc.php b/lang/zh-CN.inc.php index b906ffa3b..268d61b49 100644 --- a/lang/zh-CN.inc.php +++ b/lang/zh-CN.inc.php @@ -38,7 +38,8 @@ $messages['passworderror'] = "密码被 LDAP 服务器拒绝"; $messages['sshkeyerror'] = "SSH 密钥被 LDAP 服务器拒绝"; $messages['title'] = "自助密码服务"; -$messages['login'] = "用户名"; +$messages['login'] = "用户名"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "旧密码"; $messages['newpassword'] = "新密码"; $messages['confirmpassword'] = "重复输入"; diff --git a/lang/zh-TW.inc.php b/lang/zh-TW.inc.php index 090ef305a..54d95b9f1 100644 --- a/lang/zh-TW.inc.php +++ b/lang/zh-TW.inc.php 
@@ -38,7 +38,8 @@ $messages['passworderror'] = "密碼被 LDAP 伺服器拒絶"; $messages['sshkeyerror'] = "SSH 金鑰被 LDAP 伺服器拒絶"; $messages['title'] = "自助密碼服務"; -$messages['login'] = "帳號"; +$messages['login'] = "帳號"; // coheres with $ldap_filter +$messages['login_reset'] = $messages['login']; // coheres with $ldap_filter_reset $messages['oldpassword'] = "舊密碼"; $messages['newpassword'] = "新密碼"; $messages['confirmpassword'] = "確認密碼"; diff --git a/pages/resetbytoken.php b/pages/resetbytoken.php index c1c02f5e8..a0d2b2eff 100644 --- a/pages/resetbytoken.php +++ b/pages/resetbytoken.php @@ -64,9 +64,11 @@ session_id($tokenid); session_name("token"); session_start(); - $login = $_SESSION['login']; - - if ( !$login ) { + $entry = $_SESSION['entry']; + $mail = $_SESSION['mail']; + $login = $entry[$ldap_login_attribute][0]; + $userdn = $entry['dn']; + if ( !$entry ) { $result = "tokennotvalid"; error_log("Unable to open session $tokenid"); } else { @@ -101,10 +103,20 @@ } #============================================================================== -# Find user +# Check and register new passord #============================================================================== +# Match new and confirm password if ( $result === "" ) { + if ( $newpassword != $confirmpassword ) { $result="nomatch"; } +} +# Check password strength +if ( $result === "" ) { + $result = check_password_strength( $newpassword, "", $pwd_policy_config, $login ); +} + +# Change password +if ($result === "") { # Connect to LDAP $ldap = ldap_connect($ldap_url); ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3); 
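Review bot: In the `@@ -64` hunk of resetbytoken.php, `$entry` is dereferenced (`$entry[$ldap_login_attribute][0]`, `$entry['dn']`) before the `if ( !$entry )` guard that handles an invalid or expired token, and `$_SESSION['entry']` itself is read without isset(), so a bad token now produces undefined-index notices and an empty `$login` in the error log instead of a clean `tokennotvalid` path. Move the two assignments into the else branch and test `isset($_SESSION['entry'])` instead of reading the key unconditionally. The login lookup also needs the lowercased key, `$entry[strtolower($ldap_login_attribute)][0]`, because ldap_get_entries() lowercases attribute names; with a mixed-case login attribute `$login` is null and the posthook and log lines further down receive an empty login.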
@@ -128,67 +140,13 @@ error_log("LDAP - Bind error $errno (".ldap_error($ldap).")"); } } else { - - # Search for user - $ldap_filter = str_replace("{login}", $login, $ldap_filter); - $search = ldap_search($ldap, $ldap_base, $ldap_filter); - - $errno = ldap_errno($ldap); - if ( $errno ) { - $result = "ldaperror"; - error_log("LDAP - Search error $errno (".ldap_error($ldap).")"); - } else { - - # Get user DN - $entry = ldap_first_entry($ldap, $search); - $userdn = ldap_get_dn($ldap, $entry); - - if( !$userdn ) { - $result = "badcredentials"; - error_log("LDAP - User $login not found"); - } - - # Check objectClass to allow samba and shadow updates - $ocValues = ldap_get_values($ldap, $entry, 'objectClass'); - if ( !in_array( 'sambaSamAccount', $ocValues ) and !in_array( 'sambaSAMAccount', $ocValues ) ) { - $samba_mode = false; - } - if ( !in_array( 'shadowAccount', $ocValues ) ) { - $shadow_options['update_shadowLastChange'] = false; - $shadow_options['update_shadowExpire'] = false; - } - - # Get user email for notification - if ( $notify_on_change ) { - $mailValues = ldap_get_values($ldap, $entry, $mail_attribute); - if ( $mailValues["count"] > 0 ) { - $mail = $mailValues[0]; + $result = change_password($ldap, $userdn, $newpassword, $ad_mode, $ad_options, $samba_mode, $samba_options, $shadow_options, $hash, $hash_options, "", ""); + if ( $result === "passwordchanged" && isset($posthook) ) { + $command = posthook_command($posthook, $login, $newpassword, null, $posthook_password_encodebase64); + exec($command, $posthook_output, $posthook_return); } } - -}}}} - -#============================================================================== -# Check and register new passord -#============================================================================== -# Match new and confirm password -if ( $result === "" ) { - if ( $newpassword != $confirmpassword ) { $result="nomatch"; } -} - -# Check password strength -if ( $result === "" ) { - $result = check_password_strength( 
$newpassword, "", $pwd_policy_config, $login ); -} - -# Change password -if ($result === "") { - $result = change_password($ldap, $userdn, $newpassword, $ad_mode, $ad_options, $samba_mode, $samba_options, $shadow_options, $hash, $hash_options, "", ""); - if ( $result === "passwordchanged" && isset($posthook) ) { - $command = posthook_command($posthook, $login, $newpassword, null, $posthook_password_encodebase64); - exec($command, $posthook_output, $posthook_return); - } -} +}} # Delete token if all is ok if ( $result === "passwordchanged" ) { diff --git a/pages/sendtoken.php b/pages/sendtoken.php index 5358db270..fb7179c13 100644 --- a/pages/sendtoken.php +++ b/pages/sendtoken.php @@ -83,7 +83,7 @@ } else { # Search for user - $ldap_filter = str_replace("{login}", $login, $ldap_filter); + $ldap_filter = str_replace("{login}", $login, $ldap_filter_reset); $search = ldap_search($ldap, $ldap_base, $ldap_filter); $errno = ldap_errno($ldap); @@ -114,7 +114,7 @@ } if (strcasecmp($mail, $mailValue) == 0) { $match = 1; - break; + break 2; } } } else { @@ -139,6 +139,8 @@ $result = "mailnomatch"; error_log("Mail not found for user $login"); } + } else { + $login = $entry[$ldap_login_attribute][0]; } }}}}} @@ -155,7 +157,8 @@ session_name("token"); session_start(); - $_SESSION['login'] = $login; + $_SESSION['entry'] = $entry; + $_SESSION['mail'] = $mail; $_SESSION['time'] = time(); if ( $crypt_tokens ) { @@ -237,11 +240,11 @@
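Review bot: The removed block that inspected the entry's objectClass and cleared `$samba_mode`, `$shadow_options['update_shadowLastChange']` and `$shadow_options['update_shadowExpire']` for accounts without sambaSamAccount / shadowAccount has no replacement anywhere in this series, so `change_password()` now runs with the configured defaults for every account and will attempt samba/shadow attribute writes on entries that do not carry those classes. The entry restored from the session already holds what ldap_get_entries() returned (keys lowercased), so the check can be re-done from `$entry['objectclass']` right before the `change_password()` call. The enclosing else branch opens outside the hunk.
```php
        } else {
            # Check objectClass to allow samba and shadow updates (entry comes from the token session)
            $ocValues = isset($entry['objectclass']) ? $entry['objectclass'] : array();
            unset($ocValues['count']);
            if ( !in_array( 'sambaSamAccount', $ocValues ) and !in_array( 'sambaSAMAccount', $ocValues ) ) {
                $samba_mode = false;
            }
            if ( !in_array( 'shadowAccount', $ocValues ) ) {
                $shadow_options['update_shadowLastChange'] = false;
                $shadow_options['update_shadowExpire'] = false;
            }
            $result = change_password($ldap, $userdn, $newpassword, $ad_mode, $ad_options, $samba_mode, $samba_options, $shadow_options, $hash, $hash_options, "", "");
            # … unchanged: posthook handling …
```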
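Review bot: In sendtoken.php `@@ -83`, `$ldap_filter_reset` is read unconditionally but only exists in configurations that picked up this series' conf/config.inc.php change; on a deployment that keeps its own copy of the config the variable is undefined, `str_replace()` produces an empty filter and ldap_search() is called with it, which at best surfaces as a misleading `ldaperror`. A one-line fallback in front of the search keeps such configs working: `if ( !isset($ldap_filter_reset) ) { $ldap_filter_reset = $ldap_filter; }`.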
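Review bot: In sendtoken.php `@@ -155`, `$_SESSION['entry'] = $entry;` writes the complete LDAP entry — every attribute the unrestricted ldap_search() call returned, plus the `count` bookkeeping — into the token session, whereas resetbytoken.php only needs the DN, the login attribute and the objectClass values the old code used for the samba/shadow decision. Storing a reduced copy keeps directory data out of session storage and limits what a readable session file exposes: `$loginKey = strtolower($ldap_login_attribute);` followed by `$_SESSION['entry'] = array('dn' => $entry['dn'], $loginKey => $entry[$loginKey], 'objectclass' => $entry['objectclass']);`. Alternatively pass an explicit attribute list to the ldap_search() call in the `@@ -83` hunk so the entry never carries more than the page needs.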
- +
- " autocomplete="off" /> + " autocomplete="off" />