diff --git a/htdocs/includes/login/functions_ldap.php b/htdocs/includes/login/functions_ldap.php
index 64c41f041f2..ba54e697d78 100644
--- a/htdocs/includes/login/functions_ldap.php
+++ b/htdocs/includes/login/functions_ldap.php
@@ -41,8 +41,6 @@ function check_user_password_ldap($usertotest,$passwordtotest)
global $dolibarr_main_auth_ldap_admin_login,$dolibarr_main_auth_ldap_admin_pass;
global $dolibarr_main_auth_ldap_debug;
- dolibarr_syslog("functions_ldap::check_user_password_ldap usertotest=".$usertotest);
-
if (! function_exists("ldap_connect"))
{
dolibarr_syslog("functions_ldap::check_user_password_ldap Authentification ko failed to connect to LDAP. LDAP functions are disabled on this PHP");
@@ -73,7 +71,9 @@ function check_user_password_ldap($usertotest,$passwordtotest)
if ($ldapdebug) print "DEBUG: Logging LDAP steps
\n";
// Debut code pour compatibilite (prend info depuis config en base)
- // Ne plus utiliser. La config LDAP de connexion doit etre dans le fichier conf.php
+ // Ne plus utiliser.
+ // La config LDAP de connexion doit etre dans le fichier conf.php
+ /*
if (! $ldapuserattr && $conf->ldap->enabled)
{
if ($conf->global->LDAP_SERVER_TYPE == "activedirectory")
@@ -92,7 +92,10 @@ function check_user_password_ldap($usertotest,$passwordtotest)
if (! $ldapdn) $ldapdn=$conf->global->LDAP_SERVER_DN;
if (! $ldapadminlogin) $ldapadminlogin=$conf->global->LDAP_ADMIN_DN;
if (! $ldapadminpass) $ldapadminpass=$conf->global->LDAP_ADMIN_PASS;
+ */
// Fin code pour compatiblite
+
+ dolibarr_syslog("functions_ldap::check_user_password_ldap usertotest=".$usertotest." admin_login=".$ldapadminlogin);
require_once(DOL_DOCUMENT_ROOT."/lib/ldap.class.php");
$ldap=new Ldap();
@@ -103,36 +106,45 @@ function check_user_password_ldap($usertotest,$passwordtotest)
$ldap->searchUser=$ldapadminlogin;
$ldap->searchPassword=$ldapadminpass;
- if ($ldapdebug) dolibarr_syslog("Authentification LDAP --> Server:".join(',',$ldap->server).", Port:".$ldap->serverPort.", Protocol:".$ldap->ldapProtocolVersion.", Type:".$ldap->serverType.", Admin:".$ldap->searchUser.", Pass:".$ldap->searchPassword);
+ if ($ldapdebug) dolibarr_syslog("functions_ldap::check_user_password_ldap Server:".join(',',$ldap->server).", Port:".$ldap->serverPort.", Protocol:".$ldap->ldapProtocolVersion.", Type:".$ldap->serverType.", Admin:".$ldap->searchUser.", Pass:".$ldap->searchPassword);
- // Code to get user in LDAP (may differ from Dolibarr user)
- $result=$ldap->connect_bind();
- if ($result)
+ $resultCheckUserDN=false;
+
+ // If admin login provided
+ // Code to get user in LDAP from an admin connection (may differ from Dolibarr user)
+ if ($ldapadminlogin)
{
- $resultFetchLdapUser = $ldap->fetch($_POST["username"]);
- // On stop si le mot de passe ldap doit etre modifie sur le domaine
- if ($resultFetchLdapUser == 1 && $ldap->pwdlastset == 0)
+ $result=$ldap->connect_bind();
+ if ($result)
{
- dolibarr_syslog('functions_ldap::User '.$login.' must change password next logon');
- if ($ldapdebug) print "DEBUG: User ".$login." must change password
\n";
- $ldap->close();
- sleep(1);
- $langs->load('ldap');
- $_SESSION["dol_loginmesg"]=$langs->trans("YouMustChangePassNextLogon",$ldap->domainFQDN);
- return $login;
- }
- else
- {
- $resultCheckUserDN = $ldap->checkPass($usertotest,$passwordtotest);
+ $resultFetchLdapUser = $ldap->fetch($_POST["username"]);
+ // On stop si le mot de passe ldap doit etre modifie sur le domaine
+ if ($resultFetchLdapUser == 1 && $ldap->pwdlastset == 0)
+ {
+ dolibarr_syslog('functions_ldap::check_user_password_ldap '.$_POST["username"].' must change password next logon');
+ if ($ldapdebug) print "DEBUG: User ".$_POST["username"]." must change password
\n";
+ $ldap->close();
+ sleep(1);
+ $langs->load('ldap');
+ $_SESSION["dol_loginmesg"]=$langs->trans("YouMustChangePassNextLogon",$_POST["username"],$ldap->domainFQDN);
+ return '';
+ }
+ else
+ {
+ $resultCheckUserDN = $ldap->checkPass($usertotest,$passwordtotest);
+ }
}
+ $ldap->close();
}
- $ldap->close();
- $ldap->searchUser=$usertotest;
- if ($resultCheckUserDN) $ldap->searchUser = $ldap->ldapUserDN;
+ // Forge LDAP user and password to test from config setup
+ $ldap->searchUser=$ldapuserattr."=".$usertotest.",".$ldapdn;
$ldap->searchPassword=$passwordtotest;
- $result=$ldap->connect_bind(); // Test with this->seachUser and this->searchPassword
+ if ($resultCheckUserDN) $ldap->searchUser = $ldap->ldapUserDN;
+
+ // Test with this->seachUser and this->searchPassword
+ $result=$ldap->connect_bind();
if ($result > 0)
{
if ($result == 2)
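Review bot: The forged bind (`$ldap->searchUser=$ldapuserattr."=".$usertotest.",".$ldapdn;` followed by `connect_bind()`) sends `$passwordtotest` to the directory without first checking that it is non-empty, so unless connect_bind() (not in this diff) refuses an empty searchPassword, an empty password becomes an RFC 4513 unauthenticated bind, which most directories accept, and any existing login would authenticate with no password at all. I would guard before the forge: `if (! strlen($passwordtotest)) { dolibarr_syslog("functions_ldap::check_user_password_ldap Authentification ko empty password for '".$usertotest."'"); return ''; }`. The rewritten debug syslog still writes the admin bind password in clear (`Pass:".$ldap->searchPassword`) into the server log; drop that field or mask it. Note also that the DN is built from the raw `$usertotest` with no RFC 4514 escaping, while the entry fetched for the must-change-password check is `$_POST["username"]` rather than `$usertotest`, so the two may refer to different accounts. The body of check_user_password_ldap continues past the end of the hunk.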
@@ -172,7 +184,7 @@ function check_user_password_ldap($usertotest,$passwordtotest)
}
if ($result == 1)
{
- dolibarr_syslog("functions_ldap::check_user_password_ldap Authentification ko bad user/password pour '".$_POST["username"]."'");
+ dolibarr_syslog("functions_ldap::check_user_password_ldap Authentification ko bad user/password for '".$_POST["username"]."'");
sleep(1);
$langs->load('main');
$langs->load('other');
@@ -181,7 +193,7 @@ function check_user_password_ldap($usertotest,$passwordtotest)
}
else
{
- dolibarr_syslog("functions_ldap::check_user_password_ldap Authentification ko failed to connect to LDAP pour '".$_POST["username"]."'");
+ dolibarr_syslog("functions_ldap::check_user_password_ldap Authentification ko failed to connect to LDAP for '".$_POST["username"]."'");
sleep(1);
$langs->load('main');
$langs->load('other');
diff --git a/htdocs/langs/en_US/ldap.lang b/htdocs/langs/en_US/ldap.lang
index ba81fbd567b..1678dd92679 100644
--- a/htdocs/langs/en_US/ldap.lang
+++ b/htdocs/langs/en_US/ldap.lang
@@ -1,6 +1,6 @@
# Dolibarr language file - en_US - ldap
DomainPassword=Password for domain
-YouMustChangePassNextLogon=You must change your password on the domain %s
+YouMustChangePassNextLogon=Password for user %s on the domain %s must be changed.
UserMustChangePassNextLogon=User must change password on the domain %s
LdapUacf_NORMAL_ACCOUNT=User account
LdapUacf_DONT_EXPIRE_PASSWORD=Password never expires
diff --git a/htdocs/langs/fr_FR/ldap.lang b/htdocs/langs/fr_FR/ldap.lang
index 2b9f35ef150..823a253efff 100644
--- a/htdocs/langs/fr_FR/ldap.lang
+++ b/htdocs/langs/fr_FR/ldap.lang
@@ -1,6 +1,6 @@
# Dolibarr language file - fr_FR - ldap
DomainPassword=Mot de passe du domaine
-YouMustChangePassNextLogon=Vous devez modifier votre mot de passe sur le domaine %s
+YouMustChangePassNextLogon=Le mot de passe de %s sur le domaine %s doit etre modifié.
UserMustChangePassNextLogon=L'utilisateur doit modifier son mot de passe sur le domaine %s
LdapUacf_NORMAL_ACCOUNT=Compte utilisateur
LdapUacf_DONT_EXPIRE_PASSWORD=Le mot de passe n'expire jamais
diff --git a/htdocs/lib/ldap.class.php b/htdocs/lib/ldap.class.php
index 1f21c488dee..d91b1786e98 100644
--- a/htdocs/lib/ldap.class.php
+++ b/htdocs/lib/ldap.class.php
@@ -435,9 +435,12 @@ class Ldap
/**
- * Checks a username and password - does this by logging on to the
- * server as a user - specified in the DN. There are several reasons why
- * this login could fail - these are listed below.
+ * \brief Checks a username and password - does this by logging on to the
+ * server as a user - specified in the DN. There are several reasons why
+ * this login could fail - these are listed below.
+ * \return uname Username to check
+ * \return pass Password to check
+ * \return boolean true=check pass ok, falses=check pass failed
*/
function checkPass($uname,$pass)
{
@@ -450,7 +453,7 @@ class Ldap
$domain = eregi_replace(',','.',$domain);
$checkDn = "$uname@$domain";
} else {
- $checkDn = $this->getUserIdentifier() . "=$uname, " . $this->setDn(true);
+ $checkDn = $this->getUserIdentifier()."=".$uname.", ".$this->setDn(true);
}
// Try and connect...
$this->result = @ldap_bind( $this->connection,$checkDn,$pass);
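Review bot: The new docblock tags the two inputs as `\return uname` / `\return pass`; they are parameters, so they should read `\param uname Username to check` and `\param pass Password to check`, and `falses` is a typo for `false`. The rewritten line still concatenates `$uname` raw into `$checkDn`, so a login containing `,`, `+` or `\` changes which entry the bind targets; escape RFC 4514 special characters before building the DN, e.g. `$unameEsc = addcslashes($uname, ',+"\\<>;#=');` and use `$unameEsc` in the concatenation. The bind itself passes `$pass` straight to `@ldap_bind`, which for an empty password is an unauthenticated bind on many servers; returning false early when `$pass === ''` closes that. checkPass ends outside the hunk.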
@@ -864,81 +867,90 @@ class Ldap
/**
- * \brief Récupère les attributs de l'utilisateur
- * \param $user Utilisateur ldap à lire
+ * \brief Récupère les attributs de l'utilisateur
+ * \param $user Utilisateur ldap à lire
+ * \return int >0 if ok, <0 if ko
*/
function fetch($user)
- {
- // Perform the search and get the entry handles
+ {
+ // Perform the search and get the entry handles
- // if the directory is AD, then bind first with the search user first
- if ($this->serverType == "activedirectory") {
- $this->bindauth($this->searchUser, $this->searchPassword);
- }
- $userIdentifier = $this->getUserIdentifier();
+ // if the directory is AD, then bind first with the search user first
+ if ($this->serverType == "activedirectory") {
+ $this->bindauth($this->searchUser, $this->searchPassword);
+ }
+ $userIdentifier = $this->getUserIdentifier();
- $filter = '('.$this->filter.'('.$userIdentifier.'='.$user.'))';
-
- $i = 0;
- $searchDN = $this->people;
-
- $result = '';
-
- while ($i <= 2)
- {
- $this->result = @ldap_search($this->connection, $searchDN, $filter);
-
- if ($this->result)
- {
- $result = @ldap_get_entries( $this->connection, $this->result);
- }
- else
- {
- $this->error = ldap_errno($this->connection)." ".ldap_error($this->connection);
- return -1;
- }
-
- if (!$result)
- {
- // Si pas de résultat on cherche dans le domaine
- $searchDN = $this->domain;
- $i++;
- }
- else
- {
- $i++;
- $i++;
- }
- }
+ $filter = '('.$this->filter.'('.$userIdentifier.'='.$user.'))';
+
+ $i = 0;
+ $searchDN = $this->people;
+
+ $result = '';
+
+ while ($i <= 2)
+ {
+ $this->result = @ldap_search($this->connection, $searchDN, $filter);
+
+ if ($this->result)
+ {
+ $result = @ldap_get_entries($this->connection, $this->result);
+ //var_dump($result);
+ }
+ else
+ {
+ $this->error = ldap_errno($this->connection)." ".ldap_error($this->connection);
+ return -1;
+ }
+
+ if (!$result)
+ {
+ // Si pas de résultat on cherche dans le domaine
+ $searchDN = $this->domain;
+ $i++;
+ }
+ else
+ {
+ $i++;
+ $i++;
+ }
+ }
- if (! $result)
- {
- $this->error = ldap_errno($this->connection)." ".ldap_error($this->connection);
- return -1;
- }
- else
- {
- $this->name = $this->ldap_utf8_decode($result[0][$this->attr_name][0]);
- $this->firstname = $this->ldap_utf8_decode($result[0][$this->attr_firstname][0]);
- $this->login = $this->ldap_utf8_decode($result[0][$userIdentifier][0]);
- $this->phone = $this->ldap_utf8_decode($result[0][$this->attr_phone][0]);
- $this->fax = $this->ldap_utf8_decode($result[0][$this->attr_fax][0]);
- $this->mail = $this->ldap_utf8_decode($result[0][$this->attr_mail][0]);
- $this->mobile = $this->ldap_utf8_decode($result[0][$this->attr_mobile][0]);
+ if (! $result)
+ {
+ $this->error = ldap_errno($this->connection)." ".ldap_error($this->connection);
+ return -1;
+ }
+ else
+ {
+ $this->name = $this->ldap_utf8_decode($result[0][$this->attr_name][0]);
+ $this->firstname = $this->ldap_utf8_decode($result[0][$this->attr_firstname][0]);
+ $this->login = $this->ldap_utf8_decode($result[0][$userIdentifier][0]);
+ $this->phone = $this->ldap_utf8_decode($result[0][$this->attr_phone][0]);
+ $this->fax = $this->ldap_utf8_decode($result[0][$this->attr_fax][0]);
+ $this->mail = $this->ldap_utf8_decode($result[0][$this->attr_mail][0]);
+ $this->mobile = $this->ldap_utf8_decode($result[0][$this->attr_mobile][0]);
- $this->uacf = $this->parseUACF($this->ldap_utf8_decode($result[0]["useraccountcontrol"][0]));
- $this->pwdlastset = ($result[0]["pwdlastset"][0] != 0)?$this->convert_time($this->ldap_utf8_decode($result[0]["pwdlastset"][0])):0;
- if (!$this->name && !$this->login) $this->pwdlastset = -1;
- $this->badpwdtime = $this->convert_time($this->ldap_utf8_decode($result[0]["badpasswordtime"][0]));
-
- // FQDN domain
- $domain = eregi_replace('dc=','',$this->domain);
- $domain = eregi_replace(',','.',$domain);
- $this->domainFQDN = $domain;
+ $this->uacf = $this->parseUACF($this->ldap_utf8_decode($result[0]["useraccountcontrol"][0]));
+ if (isset($result[0]["pwdlastset"][0])) // If expiration on password exists
+ {
+ $this->pwdlastset = ($result[0]["pwdlastset"][0] != 0)?$this->convert_time($this->ldap_utf8_decode($result[0]["pwdlastset"][0])):0;
+ }
+ else
+ {
+ $this->pwdlastset = -1;
+ }
+ if (!$this->name && !$this->login) $this->pwdlastset = -1;
+ $this->badpwdtime = $this->convert_time($this->ldap_utf8_decode($result[0]["badpasswordtime"][0]));
+
+ // FQDN domain
+ $domain = eregi_replace('dc=','',$this->domain);
+ $domain = eregi_replace(',','.',$domain);
+ $this->domainFQDN = $domain;
- ldap_free_result($this->result);
- return 1;
- }
+ ldap_free_result($this->result);
+ return 1;
+ }
}
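Review bot: The search filter `'('.$this->filter.'('.$userIdentifier.'='.$user.'))'` interpolates `$user` unescaped, and the caller in functions_ldap.php passes `$_POST["username"]` directly, so a login such as `*` or `x)(objectClass=*` rewrites the filter and can match an arbitrary entry (LDAP filter injection). Since the file still relies on eregi_replace I would not assume ldap_escape() is available and would escape RFC 4515 specials by hand: `$userEsc = strtr($user, array('\\' => '\5c', '*' => '\2a', '(' => '\28', ')' => '\29', "\0" => '\00'));` then `$filter = '('.$this->filter.'('.$userIdentifier.'='.$userEsc.'))';`. Separately, as far as I can tell `if (!$result)` after ldap_get_entries never fires for a search that matched nothing, because ldap_get_entries returns `array('count' => 0)`, which is truthy, so the fallback to `$this->domain` looks dead and `$result[0]` is then read undefined; testing `empty($result['count'])` instead would restore it.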
diff --git a/htdocs/user/perms.php b/htdocs/user/perms.php
index cd73693ddd0..b831271472f 100644
--- a/htdocs/user/perms.php
+++ b/htdocs/user/perms.php
@@ -202,8 +202,6 @@ print '