From 9c6ea38bba5784ffa61211d19b7552b08ce42f14 Mon Sep 17 00:00:00 2001
From: David Coutadeur
Date: Tue, 21 Sep 2021 19:52:14 +0200
Subject: [PATCH] add more logs for ldap binding (ppolicy extended response code) + remove loadPP (#2620)

---
 .../lib/Lemonldap/NG/Portal/Lib/LDAP.pm | 5 +-
 .../lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm | 79 +++++++++----------
 2 files changed, 38 insertions(+), 46 deletions(-)

diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/LDAP.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/LDAP.pm
index 43b8ad8b7e..ca26c3b28a 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/LDAP.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/LDAP.pm
@@ -54,9 +54,6 @@ sub newLdap {
     if ( $msg->code ) {
         $self->logger->error( 'LDAP test has failed: ' . $msg->error );
     }
-    elsif ( $self->{conf}->{ldapPpolicyControl} and not $ldap->loadPP() ) {
-        $self->logger->error("LDAP password policy error");
-    }
     return $ldap;
 }
 
@@ -132,7 +129,7 @@ sub getUser {
     $self->validateLdap;
     return PE_LDAPCONNECTFAILED unless $self->ldap;
 
-    $self->bind();
+    return PE_LDAPERROR unless $self->bind();
 
     my $mesg = $self->ldap->search(
         base => $self->conf->{ldapBase},
diff --git a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm
index e507f947cc..d741a7a22c 100644
--- a/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm
+++ b/lemonldap-ng-portal/lib/Lemonldap/NG/Portal/Lib/Net/LDAP.pm
@@ -7,6 +7,7 @@ use Net::LDAP; #inherits
 use Net::LDAP::Util qw(escape_filter_value);
 use base qw(Net::LDAP);
 use Lemonldap::NG::Portal::Main::Constants ':all';
+use Net::LDAP::Control::PasswordPolicy;
 use Encode;
 use Unicode::String qw(utf8);
 use Scalar::Util 'weaken';
@@ -14,14 +15,6 @@ use IO::Socket::Timeout;
 use utf8;
 
 our $VERSION = '2.1.0';
-our $ppLoaded = 0;
-
-BEGIN {
-    eval {
-        require threads::shared;
-        threads::shared::share($ppLoaded);
-    };
-}
 
 # INITIALIZATION
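Review bot: `return PE_LDAPERROR unless $self->bind();` in getUser only rejects a failed bind if the portal-side bind() (defined outside this hunk) returns a false value on failure; if that wrapper hands back the Net::LDAP::Message the way Net/LDAP.pm's bind does elsewhere in this patch, the object is always true and a bind that failed with a non-zero code still reaches the search below. That is worth confirming against the wrapper, because the whole point of the new guard is to stop an unauthenticated search from running after a rejected bind. If the wrapper does return the message, test its status rather than its truthiness: `my $bind = $self->bind(); return PE_LDAPERROR if !$bind or $bind->code;`. getUser continues past the end of this hunk.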
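Review bot: The compile-time `use Net::LDAP::Control::PasswordPolicy;` replaces the runtime check that the removed loadPP performed (a Net::LDAP 0.38 floor and a logged error when the module was missing), so a deployment without it now fails to load Net/LDAP.pm entirely, even when ldapPpolicyControl is off. As the removed error text implies, the control class comes with Net::LDAP from 0.38, so the hard dependency is a reasonable trade, but that version floor should be declared in the distribution's dependency metadata so the failure mode is an install-time complaint rather than a portal that does not start. A short comment on the new line, such as `# ships with Net::LDAP >= 0.38; required even when ldapPpolicyControl is off`, would save the next reader from re-deriving why loadPP went away.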
@@ -135,7 +128,40 @@ sub bind {
         };
         print STDERR "$@\n" if ($@);
     }
+
+    if ( $self->{conf}->{ldapPpolicyControl} ) {
+        my $pp = Net::LDAP::Control::PasswordPolicy->new();
+        $args{control} = [$pp];
+    }
+
     $mesg = $self->SUPER::bind( $dn, %args );
+
+    if ( $mesg->code ) {
+        my ($resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");
+        # Check for ppolicy error
+        my $pp_error = $resp->pp_error;
+        if ( defined $pp_error ) {
+            my $ppolicy_error = [
+                "password expired",
+                "account locked",
+                "change after reset",
+                "password mod not allowed",
+                "supply old password",
+                "insufficient password quality",
+                "password too short",
+                "password too young",
+                "password in history",
+            ]->[$pp_error];
+
+            $self->{portal}->logger->error( "Error when binding to LDAP server: ". $mesg->error.
+                " | extended ppolicy control response error: ".$ppolicy_error );
+        }
+        else
+        {
+            $self->{portal}->logger( $mesg->error." | unknown ppolicy control response error" );
+        }
+    }
+
     }
     else {
         $mesg = $self->SUPER::bind();
@@ -143,6 +169,7 @@ sub bind {
     return $mesg;
 }
 
+
 ## @method Net::LDAP::Message unbind()
 # Reimplementation of Net::LDAP::unbind() to force call to disconnect()
 # @return Net::LDAP::Message
@@ -158,30 +185,6 @@ sub unbind {
     return $mesg;
 }
 
-## @method private boolean loadPP ()
-# Load Net::LDAP::Control::PasswordPolicy
-# @return true if succeed.
-sub loadPP {
-    my $self = shift;
-    return 1 if ($ppLoaded);
-
-    # Minimal version of Net::LDAP required
-    if ( $Net::LDAP::VERSION < 0.38 ) {
-        die(
-"Module Net::LDAP is too old for password policy, please install version 0.38 or higher"
-        );
-    }
-
-    # Require Perl module
-    eval { require Net::LDAP::Control::PasswordPolicy };
-    if ($@) {
-        $self->{portal}->logger->error(
-            "Module Net::LDAP::Control::PasswordPolicy not found in @INC");
-        return 0;
-    }
-    $ppLoaded = 1;
-}
-
 ## @method protected int userBind(string dn, hash args)
 # Call bind() with dn/password and return
 # @param $dn LDAP distinguish name
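Review bot: `my ($resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");` is followed by `$resp->pp_error` with no check that a control came back, so any failed bind whose response carries no password-policy control — a server without ppolicy support, a bind sent without the control because ldapPpolicyControl is off, or a plain invalid-credentials reply — dies with a method call on undef instead of returning `$mesg`, turning an ordinary rejected login into an unhandled exception in the portal. Guard it before reading: `my $pp_error = $resp ? $resp->pp_error : undef;`. The else branch also calls `$self->{portal}->logger( ... )` rather than `->logger->error( ... )`, which, depending on how the logger accessor is declared, either discards the message or replaces the logger object with a string; it should mirror the branch above. A `$pp_error` outside 0..8 would index past the nine-entry table and log an undefined value under `use warnings`, which `$ppolicy_error // "unrecognised ppolicy error code $pp_error"` covers. bind() begins and ends outside this hunk.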
@@ -638,16 +641,8 @@ sub ldap {
             $self->{ldap}->unbind;
         }
         else {
-            if ( $self->{ldapPpolicyControl}
-                and not $self->{ldap}->loadPP() )
-            {
-                $self->logger->error("LDAP password policy error");
-                $self->{ldap}->unbind;
-            }
-            else {
-                $self->{flags}->{ldapActive} = 1;
-                return $self->{ldap};
-            }
+            $self->{flags}->{ldapActive} = 1;
+            return $self->{ldap};
         }
     }
     else {
-- 
GitLab