Merge branch 'army1349-master'

CHANGELOG

@@ -1,6 +1,7 @@
 CHANGELOG Roundcube Webmail
 ===========================
 
+- Password: Added ldap_exop driver (#4992)
 - Elastic: Changed read/unread icons (#6636)
 - Elastic: Changed "Move to..." icon (#6637)
 - Elastic: Add hide/show for advanced preferences (#6632)

plugins/password/README

@@ -48,6 +48,7 @@
  2.1.20. Plesk (Plesk RPC-API)
  2.1.21. Kpasswd
  2.1.22. Modoboa
+ 2.1.23. LDAP - Password Modify Extended Operation (ldap_exop)
  2.2.    Password Strength Drivers
  2.2.1.  Zxcvbn
  3.      Driver API
@@ -377,6 +378,14 @@
  See config.inc.php.dist file for configuration description.
 
 
+ 2.1.23. LDAP - Password Modify Extended Operation (ldap_exop)
+ -------------------------------------------------------------
+
+ Modified version of ldap_simple.
+ Password is changed using ldap_exop_passwd operation.
+ PHP >= 7.2 required.
+
+
  2.2. Password Strength Drivers
  ------------------------------
 

plugins/password/config.inc.php.dist

@@ -172,7 +172,7 @@ $config['password_pop_port'] = 106;
 $config['password_saslpasswd_args'] = '';
 
 
-// LDAP and LDAP_SIMPLE Driver options
+// LDAP, LDAP_SIMPLE and LDAP_EXOP Driver options
 // -----------------------------------
 // LDAP server name to connect to.
 // You can provide one or several hosts in an array in which case the hosts are tried from left to right.

plugins/password/drivers/ldap.php

@@ -34,10 +34,11 @@ public function save($curpass, $passwd)
     {
         $rcmail = rcmail::get_instance();
         require_once 'Net/LDAP2.php';
+        require_once __DIR__ . '/ldap_simple.php';
 
         // Building user DN
         if ($userDN = $rcmail->config->get('password_ldap_userDN_mask')) {
-            $userDN = self::substitute_vars($userDN);
+            $userDN = rcube_ldap_simple_password::substitute_vars($userDN);
         }
         else {
             $userDN = $this->search_userdn($rcmail);
@@ -179,8 +180,8 @@ function search_userdn($rcmail)
             return '';
         }
 
-        $base   = self::substitute_vars($rcmail->config->get('password_ldap_search_base'));
-        $filter = self::substitute_vars($rcmail->config->get('password_ldap_search_filter'));
+        $base   = rcube_ldap_simple_password::substitute_vars($rcmail->config->get('password_ldap_search_base'));
+        $filter = rcube_ldap_simple_password::substitute_vars($rcmail->config->get('password_ldap_search_filter'));
         $options = array (
             'scope' => 'sub',
             'attributes' => array(),
@@ -196,31 +197,4 @@ function search_userdn($rcmail)
 
         return $userDN;
     }
-
-    /**
-     * Substitute %login, %name, %domain, %dc in $str
-     * See plugin config for details
-     */
-    static function substitute_vars($str)
-    {
-        $str = str_replace('%login', $_SESSION['username'], $str);
-        $str = str_replace('%l', $_SESSION['username'], $str);
-
-        $parts = explode('@', $_SESSION['username']);
-
-        if (count($parts) == 2) {
-            $dc = 'dc='.strtr($parts[1], array('.' => ',dc=')); // hierarchal domain string
-
-            $str = str_replace('%name', $parts[0], $str);
-            $str = str_replace('%n', $parts[0], $str);
-            $str = str_replace('%dc', $dc, $str);
-            $str = str_replace('%domain', $parts[1], $str);
-            $str = str_replace('%d', $parts[1], $str);
-        } else if ( count($parts) == 1) {
-            $str = str_replace('%name', $parts[0], $str);
-            $str = str_replace('%n', $parts[0], $str);
-        }
-
-        return $str;
-    }
 }

plugins/password/drivers/ldap_exop.php

@@ -0,0 +1,76 @@
+<?php
+
+/**
+ * LDAP - Password Modify Extended Operation Driver
+ *
+ * Driver for passwords stored in LDAP
+ * This driver is based on Simple LDAP Password Driver, but uses
+ * Password Modify Extended Operation
+ * PHP >= 7.2 required
+ *
+ * @version 1.0
+ * @author Peter Kubica <[email protected]>
+ *
+ * Copyright (C) 2005-2019, The Roundcube Dev Team
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see http://www.gnu.org/licenses/.
+ */
+
+require_once __DIR__ . '/ldap_simple.php';
+
+class rcube_ldap_exop_password extends rcube_ldap_simple_password
+{
+    private $debug = false;
+
+    function save($curpass, $passwd)
+    {
+        if (!function_exists('ldap_exop_passwd')) {
+            rcube::raise_error(array(
+                    'code' => 100, 'type' => 'ldap',
+                    'file' => __FILE__, 'line' => __LINE__,
+                    'message' => "ldap_exop_passwd not supported"
+                ),
+                true);
+
+            return PASSWORD_ERROR;
+        }
+
+        // Connect and bind
+        $ret = $this->connect($curpass);
+        if ($ret !== true) {
+            return $ret;
+        }
+
+        if (!ldap_exop_passwd($this->conn, $this->user, $curpass, $passwd)) {
+            $this->_debug("S: ".ldap_error($this->conn));
+
+            $errno = ldap_errno($this->conn);
+
+            ldap_unbind($this->conn);
+
+            if ($errno == 0x13) {
+                return PASSWORD_CONSTRAINT_VIOLATION;
+            }
+
+            return PASSWORD_CONNECT_ERROR;
+        }
+
+        $this->_debug("S: OK");
+
+        // All done, no error
+        ldap_unbind($this->conn);
+
+        return PASSWORD_SUCCESS;
+    }
+}