##@file
# Extends Net::LDAP
package Lemonldap::NG::Portal::Lib::Net::LDAP;

use strict;
use Net::LDAP;    #inherits
use Net::LDAP::Util qw(escape_filter_value);
use base qw(Net::LDAP);
use Lemonldap::NG::Portal::Main::Constants ':all';
use Encode;
use Unicode::String qw(utf8);
use Scalar::Util 'weaken';
use utf8;

# Module version
our $VERSION  = '2.0.2';
# Whether Net::LDAP::Control::PasswordPolicy has already been loaded (set
# by loadPP()). Shared between threads when threads::shared is available so
# the module is required only once per process.
our $ppLoaded = 0;

BEGIN {
    # Best effort: without threads::shared the flag is simply a plain
    # per-interpreter variable. Any error from the eval is ignored.
    eval {
        require threads::shared;
        threads::shared::share($ppLoaded);
    };
}

# INITIALIZATION

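# Build a Net::LDAP object using parameters issued from $portal
## @method Lemonldap::NG::Portal::Lib::Net::LDAP new(hashref args)
# Connect to the server(s) listed in $conf->{ldapServer} (whitespace or
# comma separated). An entry written as ldap+tls://host/?k=v&... requests
# StartTLS after the connection, the query string becoming start_tls()
# options (e.g. verify=require). Other entries are handed to Net::LDAP->new
# unchanged (host name or URI).
# @param $args hashref with:
#   - p:    the portal object (required; kept as a weak reference)
#   - conf: the portal configuration hashref (required)
# @return blessed object, or 0 when the connection or StartTLS failed
sub new {
    my ( $class, $args ) = @_;
    my $portal = $args->{p}    or die "$class : p argument required !";
    my $conf   = $args->{conf} or die "$class : conf argument required !";

    # Parse the server list. NOTE: $useTls reflects the LAST entry only and
    # $tlsParam keeps the query string of the last ldap+tls:// entry seen,
    # so mixing ldap+tls:// and plain entries in one list gives surprising
    # results (StartTLS is attempted on whichever server Net::LDAP picked,
    # or not at all).
    my $useTls   = 0;
    my $tlsParam = '';
    my @servers;
    foreach my $server ( split /[\s,]+/, $conf->{ldapServer} ) {
        if ( $server =~ m{^ldap\+tls://([^/]+)/?\??(.*)$} ) {
            $useTls   = 1;
            $server   = $1;
            $tlsParam = $2 || "";
        }
        else {
            $useTls = 0;
        }
        push @servers, $server;
    }

    # onerror => undef: Net::LDAP hands back the message object instead of
    # dying, so every caller has to check $mesg->code itself
    my $self = Net::LDAP->new(
        \@servers,
        onerror => undef,
        ( $conf->{ldapPort}    ? ( port    => $conf->{ldapPort} )    : () ),
        ( $conf->{ldapTimeout} ? ( timeout => $conf->{ldapTimeout} ) : () ),
        ( $conf->{ldapVersion} ? ( version => $conf->{ldapVersion} ) : () ),
        ( $conf->{ldapRaw}     ? ( raw     => $conf->{ldapRaw} )     : () ),
        ( $conf->{caFile}      ? ( cafile  => $conf->{caFile} )      : () ),
        ( $conf->{caPath}      ? ( capath  => $conf->{caPath} )      : () ),
    );
    unless ($self) {

        # Net::LDAP->new() leaves the reason in $@
        $portal->logger->error($@);
        return 0;
    }
    bless $self, $class;

    if ($useTls) {

        # "k1=v1&k2=v2" -> start_tls() options; caFile/caPath from the
        # configuration override whatever the URI carries.
        # NOTE(review): unless the URI sets verify=require (or the installed
        # Net::LDAP defaults to it), the server certificate is presumably not
        # checked at all -- confirm against the Net::LDAP version in use.
        my %h = split( /[&=]/, $tlsParam );
        $h{cafile} = $conf->{caFile} if ( $conf->{caFile} );
        $h{capath} = $conf->{caPath} if ( $conf->{caPath} );
        my $mesg = $self->start_tls(%h);
        if ( $mesg->code ) {

            # Log the server-side reason: a bare "StartTLS failed" gives the
            # operator nothing to act on
            $portal->logger->error( 'StartTLS failed: ' . $mesg->error );
            return 0;
        }
    }

    $self->{portal} = $portal;
    $self->{conf}   = $conf;

    # The portal owns this object; weaken the back-reference to avoid a cycle
    weaken $self->{portal};

    return $self;
}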

# RUNNING METHODS

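## @method Net::LDAP::Message bind(string dn, hash args)
# Reimplementation of Net::LDAP::bind(). Connection is done :
# - with $dn and $args->{password} as dn/password if defined,
# - or with Lemonldap::NG account ($conf->{managerDn} / managerPassword)
#   when no $dn is given,
# - or with an anonymous bind.
# Unless $conf->{ldapPwdEnc} is 'utf-8', the password is re-encoded to
# that charset before being sent.
#
# WARNING: a defined $dn with an empty or undefined password does NOT
# bind as $dn; it falls through to the anonymous bind, which the
# directory may well accept. Callers that authenticate users must reject
# empty passwords before calling this method.
# @param $dn LDAP distinguish name
# @param %args See Net::LDAP(3) manpage for more
# @return Net::LDAP::Message
sub bind {
    my ( $self, $dn, %args ) = @_;

    $self->{portal}->logger->debug("Call bind for $dn") if $dn;

    # The manager password is treated as UTF-8 bytes and decoded once here.
    # Remember that, so it is not decoded a second time below: decoding an
    # already decoded non-ASCII string corrupts it.
    my $fromConf = 0;
    unless ($dn) {
        $dn = $self->{conf}->{managerDn};
        $args{password} =
          decode( 'utf-8', $self->{conf}->{managerPassword} );
        $fromConf = 1;
    }

    my $mesg;
    if ( $dn && $args{password} ) {
        my $enc = $self->{conf}->{ldapPwdEnc};
        if ( $enc ne 'utf-8' ) {
            eval {
                my $chars =
                  $fromConf
                  ? $args{password}
                  : decode( 'utf-8', $args{password} );
                $args{password} = encode( $enc, $chars );
            };

            # Previously printed to STDERR; route it through the portal
            # logger like every other error in this class
            $self->{portal}
              ->logger->error("Cannot encode password to $enc: $@")
              if ($@);
        }
        $mesg = $self->SUPER::bind( $dn, %args );
    }
    else {
        $mesg = $self->SUPER::bind();
    }
    return $mesg;
}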

## @method Net::LDAP::Message unbind()
# Reimplementation of Net::LDAP::unbind(): after the unbind request the
# underlying socket is closed with disconnect() so the connection can
# never be reused.
# @return Net::LDAP::Message returned by Net::LDAP::unbind()
sub unbind {
    my ($self) = @_;

    $self->{portal}
      ->logger->debug( "Unbind and disconnect from " . $self->uri );

    my $result = $self->SUPER::unbind();
    $self->SUPER::disconnect();

    return $result;
}

## @method private boolean loadPP ()
# Load Net::LDAP::Control::PasswordPolicy once per process (the result is
# cached in $ppLoaded).
# @return true if succeed, 0 if the module is missing. Dies when the
#   installed Net::LDAP is older than 0.38.
sub loadPP {
    my ($self) = @_;
    return 1 if $ppLoaded;

    # Password policy controls need Net::LDAP 0.38 or newer
    die(
"Module Net::LDAP is too old for password policy, please install version 0.38 or higher"
    ) if $Net::LDAP::VERSION < 0.38;

    # Require Perl module
    eval { require Net::LDAP::Control::PasswordPolicy; 1 } or do {
        $self->{portal}->logger->error(
            "Module Net::LDAP::Control::PasswordPolicy not found in @INC");
        return 0;
    };

    $ppLoaded = 1;
    return $ppLoaded;
}

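## @method protected int userBind(Request req, string dn, hash args)
# Bind as the user with dn/password and translate the result into a portal
# error code. When $conf->{ldapPpolicyControl} is set, the Password Policy
# control (1.3.6.1.4.1.42.2.27.8.5.1, loaded by loadPP()) is sent with the
# bind; its error value is mapped to a PE_PP_* constant, and remaining
# grace logins / time before expiration are pushed to $req as info messages.
# @param $req current request ($req->user and $req->info() are used)
# @param $dn LDAP distinguish name
# @param %args See Net::LDAP(3) manpage for more (password => ...)
# @return Lemonldap::NG portal error code
sub userBind {
    my ( $self, $req, $dn, %args ) = @_;

    # Defense in depth: bind() turns an empty dn into a manager bind and an
    # empty password into an anonymous bind, both of which can succeed.
    # Neither must ever count as a user authentication.
    unless ( defined $dn
        and length $dn
        and defined $args{password}
        and length $args{password} )
    {
        $self->{portal}
          ->userLogger->warn("Empty dn or password for $req->{user}");
        return PE_BADCREDENTIALS;
    }

    # Plain bind: only the result code matters
    unless ( $self->{conf}->{ldapPpolicyControl} ) {
        my $mesg = $self->bind( $dn, %args );
        return PE_OK if ( $mesg->code == 0 );
        $self->{portal}->userLogger->warn("Bad password for $req->{user}");
        return PE_BADCREDENTIALS;
    }

    # Bind with the Password Policy control
    my $pp   = Net::LDAP::Control::PasswordPolicy->new();
    my $mesg = $self->bind( $dn, %args, control => [$pp] );

    # Get server control response
    my ($resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");

    # No control response: decide on the result code alone
    unless ( defined $resp ) {
        if ( $mesg->code == 49 ) {    # invalidCredentials
            $self->{portal}->userLogger->warn("Bad password");
            return PE_BADCREDENTIALS;
        }
        return ( $mesg->code == 0 ? PE_OK : PE_LDAPERROR );
    }

    # Check for ppolicy error (error values 0..8 of the ppolicy response)
    my $pp_error = $resp->pp_error;
    if ( defined $pp_error ) {
        $self->{portal}->userLogger->error(
            "Password policy error $pp_error for " . $req->user );
        my $code = [
            PE_PP_PASSWORD_EXPIRED,
            PE_PP_ACCOUNT_LOCKED,
            PE_PP_CHANGE_AFTER_RESET,
            PE_PP_PASSWORD_MOD_NOT_ALLOWED,
            PE_PP_MUST_SUPPLY_OLD_PASSWORD,
            PE_PP_INSUFFICIENT_PASSWORD_QUALITY,
            PE_PP_PASSWORD_TOO_SHORT,
            PE_PP_PASSWORD_TOO_YOUNG,
            PE_PP_PASSWORD_IN_HISTORY,
        ]->[$pp_error];

        # An unknown value used to yield undef, which a caller cannot tell
        # from success; fail closed instead
        return ( defined $code ? $code : PE_LDAPERROR );
    }

    if ( $mesg->code == 0 ) {

        # Remaining grace logins. This was "$self->info(...)": this object
        # has no info() method, the message belongs to the request exactly
        # like the expiration warning below.
        if ( $resp->grace_authentications_remaining ) {
            $req->info(
                $self->{portal}->loadTemplate(
                    'ldapPpGrace',
                    params => {
                        number => $resp->grace_authentications_remaining
                    }
                )
            );
        }

        # Expiration warning.
        # NOTE(review): convertSec() returns a list; concatenated here it is
        # evaluated in scalar context and only its last element (the
        # seconds) survives -- confirm this is what the template expects.
        if ( $resp->time_before_expiration ) {
            $req->info(
                $self->{portal}->loadTemplate(
                    'simpleInfo',
                    params => {
                        trspan => 'authRemaining,'
                          . $self->convertSec(
                            $resp->time_before_expiration
                          )
                    }
                )
            );
        }

        return PE_OK;
    }

    # Control present, no ppolicy error, but the bind still failed
    $self->{portal}->userLogger->warn("Bad password for $req->{user}");
    return PE_BADCREDENTIALS;
}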

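## @method int userModifyPassword(string dn, string newpassword, string oldpassword, boolean ad)
# Change user's password. The strategy is chosen by configuration:
#  - ldapSetPassword: use Net::LDAP::Extension::SetPassword (the Password
#    Modify extended operation) instead of modifying userPassword;
#  - ldapPpolicyControl: send the Password Policy control with every
#    request and map its error value to a PE_PP_* constant;
#  - ldapChangePasswordAsUser: bind as the user with $oldpassword for the
#    change instead of staying bound as the manager account;
#  - portalRequireOldPassword: refuse to change without $oldpassword (only
#    enforced in the plain-modify, non-ppolicy path);
#  - ldapAllowResetExpiredPassword: accept an expired old password when the
#    ppolicy control reports it.
# @param $dn DN
# @param $newpassword New password
# @param $oldpassword Current password (may be empty)
# @param $ad Active Directory mode: disables ppolicy and SetPassword,
#   writes unicodePwd as a quoted UTF-16LE value and interprets AD's
#   extended error codes
# @return Lemonldap::NG::Portal constant (PE_PASSWORD_OK on success)
sub userModifyPassword {
    my ( $self, $dn, $newpassword, $oldpassword, $ad ) = @_;
    my $ppolicyControl     = $self->{conf}->{ldapPpolicyControl};
    my $setPassword        = $self->{conf}->{ldapSetPassword};
    my $asUser             = $self->{conf}->{ldapChangePasswordAsUser};
    my $requireOldPassword = $self->{conf}->{portalRequireOldPassword};
    my $passwordAttribute  = "userPassword";
    my $mesg;

    # NOTE(review): utf8::downgrade() croaks on a DN holding characters
    # above U+00FF; confirm such DNs cannot reach this method
    utf8::downgrade($dn);
    $self->{portal}->logger->debug("Call modify password for $dn");

    # Adjust configuration for AD
    if ($ad) {
        $ppolicyControl    = 0;
        $setPassword       = 0;
        $passwordAttribute = "unicodePwd";

        # AD expects the password as a UTF-16LE string enclosed in quotes
        $newpassword = utf8( chr(34) . $newpassword . chr(34) )->utf16le();
        if ( $oldpassword and $asUser ) {
            $oldpassword =
              utf8( chr(34) . $oldpassword . chr(34) )->utf16le();
        }
        $self->{portal}->logger->debug("Active Directory mode enabled");
    }

    # First case: no ppolicy
    if ( !$ppolicyControl ) {

        if ($setPassword) {

            # Bind as user if oldpassword and ldapChangePasswordAsUser
            if ( $oldpassword and $asUser ) {
                $mesg = $self->bind( $dn, password => $oldpassword );
                if ( $mesg->code != 0 ) {
                    $self->{portal}->userLogger->notice("Bad old password");
                    return PE_BADOLDPASSWORD;
                }
            }

            # Use SetPassword extended operation
            require Net::LDAP::Extension::SetPassword;
            $mesg = $self->set_password(
                user => $dn,
                ( $oldpassword ? ( oldpasswd => $oldpassword ) : () ),
                newpasswd => $newpassword
            );

            # Catch the "Unwilling to perform" error
            if ( $mesg->code == 53 ) {
                $self->{portal}->userLogger->notice("Bad old password");
                return PE_BADOLDPASSWORD;
            }
        }
        else {

            # AD specific: change password with a delete/add modification.
            # No bind as the user happens here; the modification runs on the
            # current connection and the delete of the old value is what
            # proves the old password.
            if ( $ad and $oldpassword and $asUser ) {
                $mesg = $self->modify(
                    $dn,
                    changes => [
                        delete => [ $passwordAttribute => $oldpassword ],
                        add    => [ $passwordAttribute => $newpassword ]
                    ]
                );
            }
            else {
                if ($requireOldPassword) {

                    return PE_MUST_SUPPLY_OLD_PASSWORD if ( !$oldpassword );

                    # Check old password with a bind
                    $mesg = $self->bind( $dn, password => $oldpassword );

                    # For AD password expiration to work:
                    # ppolicy must be desactivated,
                    # and "change as user" must be desactivated
                    if ($ad) {

                        # AD puts the reason in the diagnostic message:
                        # 532: password expired (but provided password is correct)
                        # 773: must change password at next connection (but provided password is correct)
                        # 52e: password is incorrect
                        # No "LdapErr: ... data" fragment (e.g. code 0) is a success
                        if ( $mesg->error =~ /LdapErr: .* data ([^,]+),.*/ ) {
                            my $adCode = $1;
                            unless ( $adCode eq '532' || $adCode eq '773' ) {
                                $self->{portal}
                                  ->userLogger->warn("Bad old password");
                                return PE_BADOLDPASSWORD;
                            }
                        }
                    }
                    elsif ( $mesg->code != 0 ) {

                        # this is not AD, a 0 error code means good old password
                        $self->{portal}->userLogger->warn('Bad old password');
                        return PE_BADOLDPASSWORD;
                    }

                    # Rebind as Manager only if user is not granted to
                    # change its password
                    $self->bind() unless $asUser;
                }

                # Use standard modification
                $mesg =
                  $self->modify( $dn,
                    replace => { $passwordAttribute => $newpassword } );
            }
        }
        $self->{portal}
          ->logger->debug( 'Modification return code: ' . $mesg->code );

        # 50 insufficientAccessRights, 8 strongerAuthRequired: the bound
        # account cannot write the password
        return PE_WRONGMANAGERACCOUNT
          if ( $mesg->code == 50 || $mesg->code == 8 );
        return PE_PP_INSUFFICIENT_PASSWORD_QUALITY
          if ( $mesg->code == 53 && $ad );
        return PE_PP_PASSWORD_MOD_NOT_ALLOWED
          if ( $mesg->code == 19 && $ad );
        return PE_LDAPERROR unless ( $mesg->code == 0 );
        $self->{portal}->userLogger->notice("Password changed $dn");

        # Rebind as manager for next LDAP operations if we were bound as user
        $self->bind() if $asUser;

        return PE_PASSWORD_OK;
    }

    # Second case: ppolicy control on every request
    my $pp = Net::LDAP::Control::PasswordPolicy->new;

    if ($setPassword) {

        # Bind as user if oldpassword and ldapChangePasswordAsUser
        if ( $oldpassword and $asUser ) {
            my $err = $self->_checkOldPasswordPP( $dn, $oldpassword, $pp );
            return $err if ( defined $err );
        }

        # Use SetPassword extended operation
        # Warning: need a patch on Perl-LDAP
        # See http://groups.google.com/group/perl.ldap/browse_thread/thread/5703a41ccb17b221/377a68f872cc2bb4?lnk=gst&q=setpassword#377a68f872cc2bb4
        # (loaded with require, like the non-ppolicy path: a "use" inside
        # the sub pulled the module in at compile time whatever the config)
        require Net::LDAP::Extension::SetPassword;
        $mesg = $self->set_password(
            user => $dn,
            ( $oldpassword ? ( oldpasswd => $oldpassword ) : () ),
            newpasswd => $newpassword,
            control   => [$pp]
        );

        # Catch the "Unwilling to perform" error
        if ( $mesg->code == 53 ) {
            $self->{portal}->logger->debug("Bad old password");
            return PE_BADOLDPASSWORD;
        }
    }
    else {
        if ($oldpassword) {

            # Check old password with a bind
            my $err = $self->_checkOldPasswordPP( $dn, $oldpassword, $pp );
            return $err if ( defined $err );

            # Rebind as Manager only if user is not granted to change its
            # password
            $self->bind() unless $asUser;
        }

        # Use standard modification
        $mesg = $self->modify(
            $dn,
            replace => { $passwordAttribute => $newpassword },
            control => [$pp]
        );
    }

    # Get server control response
    my ($resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");

    $self->{portal}
      ->logger->debug( "Modification return code: " . $mesg->code );
    return PE_WRONGMANAGERACCOUNT
      if ( $mesg->code == 50 || $mesg->code == 8 );
    if ( $mesg->code == 0 ) {

        # Log the DN like the non-ppolicy path (was $self->{portal}->{user})
        $self->{portal}->userLogger->notice("Password changed $dn");

        # Rebind as manager for next LDAP operations if we were bound as user
        $self->bind() if $asUser;

        return PE_PASSWORD_OK;
    }

    # Failure: map the ppolicy error value (0..8) when the server sent one
    if ( defined $resp ) {
        my $pp_error = $resp->pp_error;
        if ( defined $pp_error ) {
            $self->{portal}
              ->logger->error("Password policy error $pp_error");
            my $code = [
                PE_PP_PASSWORD_EXPIRED,
                PE_PP_ACCOUNT_LOCKED,
                PE_PP_CHANGE_AFTER_RESET,
                PE_PP_PASSWORD_MOD_NOT_ALLOWED,
                PE_PP_MUST_SUPPLY_OLD_PASSWORD,
                PE_PP_INSUFFICIENT_PASSWORD_QUALITY,
                PE_PP_PASSWORD_TOO_SHORT,
                PE_PP_PASSWORD_TOO_YOUNG,
                PE_PP_PASSWORD_IN_HISTORY,
            ]->[$pp_error];
            return ( defined $code ? $code : PE_LDAPERROR );
        }
    }

    # Non-zero result without a usable ppolicy error. This used to fall off
    # the end of the sub and return an empty value, which callers could not
    # tell from success.
    return PE_LDAPERROR;
}

## @method private int _checkOldPasswordPP(string dn, string oldpassword, Net::LDAP::Control::PasswordPolicy pp)
# Verify $oldpassword with a bind carrying the Password Policy control.
# Shared by both ppolicy branches of userModifyPassword(); leaves the
# connection bound as the user when the bind succeeded.
# @param $dn DN
# @param $oldpassword Current password
# @param $pp control object sent with the bind
# @return undef when the old password is acceptable, PE_BADOLDPASSWORD
#   otherwise
sub _checkOldPasswordPP {
    my ( $self, $dn, $oldpassword, $pp ) = @_;

    my $mesg = $self->bind(
        $dn,
        password => $oldpassword,
        control  => [$pp]
    );
    my ($bind_resp) = $mesg->control("1.3.6.1.4.1.42.2.27.8.5.1");

    # No control response: only the bind result code matters
    unless ( defined $bind_resp ) {
        if ( $mesg->code != 0 ) {
            $self->{portal}->logger->debug("Bad old password");
            return PE_BADOLDPASSWORD;
        }
        return;
    }

    # pp_error 0 is "password expired": the bind fails, but the user may
    # still be allowed to set a new password
    my $pp_error = $bind_resp->pp_error;
    if (    defined $pp_error
        and $pp_error == 0
        and $self->{conf}->{ldapAllowResetExpiredPassword} )
    {
        $self->{portal}->logger->debug(
            "Password is expired but user is allowed to change it");
        return;
    }
    if ( $mesg->code != 0 ) {
        $self->{portal}->logger->debug("Bad old password");
        return PE_BADOLDPASSWORD;
    }
    return;
}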

## @method protected Lemonldap::NG::Portal::_LDAP ldap()
# Return a cached, bound LDAP connection, creating it on first use.
#
# NOTE(review): this looks like a leftover from an older layout. It
# instantiates Lemonldap::NG::Portal::_LDAP (not this package), calls
# $self->logger and reads $self->{flags} / $self->{ldapPpolicyControl},
# i.e. it is written as if $self were the portal, whereas new() above only
# stores $self->{portal} and $self->{conf} on objects of this class and
# Net::LDAP presumably provides no logger() method. Confirm whether anything
# still calls it before relying on it.
# @return Lemonldap::NG::Portal::_LDAP object, or 0 on any failure
sub ldap {
    my $self = shift;

    # Reuse the connection while it is flagged active
    return $self->{ldap}
      if ( ref( $self->{ldap} )
        and $self->{flags}->{ldapActive} );

    # Connect, then bind with the default (manager or anonymous) account
    if ( $self->{ldap} = Lemonldap::NG::Portal::_LDAP->new($self)
        and my $mesg = $self->{ldap}->bind )
    {
        if ( $mesg->code != 0 ) {
            $self->logger->error( "LDAP error: " . $mesg->error );
            $self->{ldap}->unbind;
        }
        else {

            # Password policy support must be loadable when configured
            if ( $self->{ldapPpolicyControl}
                and not $self->{ldap}->loadPP() )
            {
                $self->logger->error("LDAP password policy error");
                $self->{ldap}->unbind;
            }
            else {
                $self->{flags}->{ldapActive} = 1;
                return $self->{ldap};
            }
        }
    }
    else {

        # new() returned 0 (or bind() returned nothing); $@ may hold the reason
        $self->logger->error("LDAP error: $@");
    }
    return 0;
}

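## @method hashref searchGroups(string base, string key, string value, arrayref attributes, hashref dupcheck)
# Get groups from LDAP directory.
# Searches $base for entries of class $conf->{ldapGroupObjectClass} whose
# $key attribute equals one of the parts of $value ($value is split on
# $conf->{multiValuesSeparator}; each part goes through
# escape_filter_value() so it cannot alter the filter). When
# $conf->{ldapGroupRecursive} is set, every matching group is itself looked
# up by its $conf->{ldapGroupAttributeNameGroup} value so that groups of
# groups are returned too; $dupcheck records the values already searched and
# stops cycles.
# @param base LDAP search base
# @param key Attribute name in group containing searched value
# @param value Searched value(s)
# @param attributes to get from found groups (array ref); the first one is
#   used as the group name and hash key
# @param dupcheck values already searched (hash ref, updated in place;
#   optional)
# @return hashRef groups: name => { name => ..., <attribute> => [values] }
sub searchGroups {
    my ( $self, $base, $key, $value, $attributes, $dupcheck ) = @_;

    $dupcheck ||= {};
    my $groups = {};

    # Creating search filter. $key and the object class come from the
    # configuration; only $value is data and is escaped.
    # NOTE(review): split() interprets the separator as a regex, so a
    # separator such as '|' would split on every character -- getLdapValue()
    # treats the same setting as a literal string.
    my $searchFilter =
      "(&(objectClass=" . $self->{conf}->{ldapGroupObjectClass} . ")(|";
    foreach ( split( $self->{conf}->{multiValuesSeparator}, $value ) ) {
        $searchFilter .= "(" . $key . "=" . escape_filter_value($_) . ")";
    }
    $searchFilter .= "))";

    $self->{portal}->logger->debug("Group search filter: $searchFilter");

    # Search
    my $mesg = $self->search(
        base   => $base,
        filter => $searchFilter,
        attrs  => $attributes,
    );

    # A failed search used to be silent; it still yields an empty hash
    unless ( $mesg->code() == 0 ) {
        $self->{portal}
          ->logger->error( "Group search failed: " . $mesg->error );
        return $groups;
    }

    # Browse results
    foreach my $entry ( $mesg->all_entries ) {

        $self->{portal}
          ->logger->debug( "Matching group " . $entry->dn() . " found" );

        # If recursive search is activated, do it here
        if ( $self->{conf}->{ldapGroupRecursive} ) {

            # Get searched value
            my $group_value =
              $self->getLdapValue( $entry,
                $self->{conf}->{ldapGroupAttributeNameGroup} );

            # Launch group search
            if ($group_value) {

                if ( $dupcheck->{$group_value} ) {
                    $self->{portal}->logger->debug(
"Disable search for $group_value, as it was already searched"
                    );
                }
                else {
                    $dupcheck->{$group_value} = 1;
                    $self->{portal}
                      ->logger->debug("Recursive search for $group_value");

                    my $recursive_groups =
                      $self->searchGroups( $base, $key, $group_value,
                        $attributes, $dupcheck );

                    # Merge parent groups into the result (parents win on a
                    # name clash, as before). The former
                    # "my %allGroups = (...) if ...; $groups = \%allGroups;"
                    # relied on "my" with a statement modifier, whose
                    # behaviour is undefined, and would have replaced $groups
                    # with an empty hash when the condition was false.
                    $groups = { %$groups, %$recursive_groups }
                      if ( ref $recursive_groups );
                }
            }
        }

        # Use first attribute as group name
        my $groupName = $entry->get_value( $attributes->[0] );
        $groups->{$groupName}->{name} = $groupName;

        # Now parse attributes
        foreach (@$attributes) {

            # Next if group attribute value
            next
              if ( $_ eq $self->{conf}->{ldapGroupAttributeValueGroup} );

            my $data = $entry->get_value( $_, asref => 1 );

            if ($data) {
                $self->{portal}
                  ->logger->debug("Store values of $_ in group $groupName");
                $groups->{$groupName}->{$_} = $data;
            }
        }
    }

    return $groups;
}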

## @method string getLdapValue(Net::LDAP::Entry entry, string attribute)
# Get the dn, or the attribute value with a separator for multi-valuated attributes
# @param entry LDAP entry
# @param attribute Attribute name ("dn" returns the entry's DN)
# @return string value: all values joined with $conf->{multiValuesSeparator}
#   (empty string when the attribute is absent)
sub getLdapValue {
    my ( $self, $entry, $attribute ) = @_;

    # "dn" is not an attribute: read it from the entry object itself
    if ( $attribute eq "dn" ) {
        return $entry->dn();
    }

    my @values = $entry->get_value($attribute);
    return join( $self->{conf}->{multiValuesSeparator}, @values );
}

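# Convert seconds to days, hours, minutes, seconds
## @method list convertSec(int sec)
# @param $sec duration in seconds; undef, non-positive or fractional values
#   are clamped to a non-negative integer
# @return list ($day, $hrs, $min, $sec). Beware: in scalar context (e.g.
#   string concatenation) only the last element, the seconds, is returned.
sub convertSec {
    my ( $self, $sec ) = @_;
    $sec = 0 unless ( defined $sec and $sec > 0 );
    $sec = int($sec);

    # Boundaries are inclusive: exactly 60 seconds is one minute, 60
    # minutes one hour and 24 hours one day (the previous ">" tests left
    # e.g. 3600 as "0 hours, 60 minutes")
    my $min = int( $sec / 60 );
    $sec %= 60;
    my $hrs = int( $min / 60 );
    $min %= 60;
    my $day = int( $hrs / 24 );
    $hrs %= 24;

    return ( $day, $hrs, $min, $sec );
}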

1;    # a module must end with a true value