diff --git a/htdocs/conf/conf.php.example b/htdocs/conf/conf.php.example
index b8e77d86036..43ecd458a49 100644
--- a/htdocs/conf/conf.php.example
+++ b/htdocs/conf/conf.php.example
@@ -177,11 +177,11 @@ $dolibarr_main_authentication='dolibarr';
 # $dolibarr_main_auth_ldap_port='389';
 # $dolibarr_main_auth_ldap_version='3';
 # $dolibarr_main_auth_ldap_servertype='openldap'; # openldap, activedirectory or egroupware
-# $dolibarr_main_auth_ldap_login_attribute='loginfield'; # uid or samaccountname for active directory
-# $dolibarr_main_auth_ldap_dn=''; # Ex: ou=users,dc=my-domain,dc=com
-# $dolibarr_main_auth_ldap_filter = '' # Ex: &(uid=%1%)(isMemberOf=cn=Sales,ou=Groups,dc=opencsi,dc=com)
-# $dolibarr_main_auth_ldap_admin_login=''; # Required only if anonymous bind disabled
-# $dolibarr_main_auth_ldap_admin_pass=''; # Required only if anonymous bind disabled
+# $dolibarr_main_auth_ldap_login_attribute='loginfield'; # Ex: uid or samaccountname for active directory
+# $dolibarr_main_auth_ldap_dn='ou=users,dc=my-domain,dc=com'; # Ex: ou=users,dc=my-domain,dc=com
+# $dolibarr_main_auth_ldap_filter = ''; # If defined, two previous parameters are not used to find a user into LDAP. Ex: &(uid=%1%)(isMemberOf=cn=Sales,ou=Groups,dc=opencsi,dc=com).
+# $dolibarr_main_auth_ldap_admin_login=''; # Required only if anonymous bind disabled. Ex: cn=admin,dc=example,dc=com
+# $dolibarr_main_auth_ldap_admin_pass=''; # Required only if anonymous bind disabled. Ex: secret
 # $dolibarr_main_auth_ldap_debug='false';
diff --git a/htdocs/includes/login/functions_ldap.php b/htdocs/includes/login/functions_ldap.php
index 7deb2211617..d7d1a9d5118 100644
--- a/htdocs/includes/login/functions_ldap.php
+++ b/htdocs/includes/login/functions_ldap.php
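Review bot: The new comment on `$dolibarr_main_auth_ldap_filter` says the two previous parameters are not used when a filter is defined, but in this same commit functions_ldap.php still builds the fallback bind DN as `$ldapuserattr."=".$usertotest.",".$ldapdn` whenever the search does not yield a user, so `login_attribute` and `dn` remain in use. I would reword it to `# If defined, this filter is used to find the user; the two previous parameters are then only used to build the default bind DN when the search fails.` so an administrator does not leave them empty by mistake. The `Ex: secret` example on `admin_pass` would also benefit from a reminder that this bind account only needs read access to the user subtree, since its password sits in clear text in conf.php.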
@@ -39,6 +39,7 @@ function check_user_password_ldap($usertotest,$passwordtotest)
 global $dolibarr_main_auth_ldap_version,$dolibarr_main_auth_ldap_servertype;
 global $dolibarr_main_auth_ldap_login_attribute,$dolibarr_main_auth_ldap_dn;
 global $dolibarr_main_auth_ldap_admin_login,$dolibarr_main_auth_ldap_admin_pass;
+ global $dolibarr_main_auth_ldap_filter;
 global $dolibarr_main_auth_ldap_debug;
 if (! function_exists("ldap_connect"))
@@ -88,7 +89,7 @@ function check_user_password_ldap($usertotest,$passwordtotest)
 print "DEBUG: uid/samacountname=".$ldapuserattr.", dn=".$ladpdn.", Admin:".$ldap->searchUser.", Pass:".$ldap->searchPassword."\n";
 }
- $resultCheckUserDN=false;
+ $resultFetchLdapUser=0;
 // Define $userSearchFilter
 $userSearchFilter = "";
@@ -106,8 +107,8 @@ function check_user_password_ldap($usertotest,$passwordtotest)
 if ($result)
 {
 $resultFetchLdapUser = $ldap->fetch($usertotest,$userSearchFilter);
- // On stop si le mot de passe ldap doit etre modifie sur le domaine
- if ($resultFetchLdapUser == 1 && $ldap->pwdlastset == 0)
+ //dol_syslog('functions_ldap::check_user_password_ldap resultFetchLdapUser='.$resultFetchLdapUser);
+ if ($resultFetchLdapUser > 0 && $ldap->pwdlastset == 0) // If ok but password need to be reset
 {
 dol_syslog('functions_ldap::check_user_password_ldap '.$usertotest.' must change password next logon');
 if ($ldapdebug) print "DEBUG: User ".$usertotest." must change password
\n";
@@ -117,21 +118,18 @@ function check_user_password_ldap($usertotest,$passwordtotest)
 $_SESSION["dol_loginmesg"]=$langs->trans("YouMustChangePassNextLogon",$usertotest,$ldap->domainFQDN);
 return '';
 }
- else
- {
- $resultCheckUserDN = $ldap->checkPass($usertotest,$passwordtotest); // $ldap->ldapUserDN is defined if ok
- }
 }
 $ldap->close();
 }
 // Forge LDAP user and password to test with them
- $ldap->searchUser=$ldapuserattr."=".$usertotest.",".$ldapdn;
- if ($resultCheckUserDN) $ldap->searchUser = $ldap->ldapUserDN;
+ $ldap->searchUser=$ldapuserattr."=".$usertotest.",".$ldapdn; // Default dn
+ if ($resultFetchLdapUser) $ldap->searchUser = $ldap->ldapUserDN;
 $ldap->searchPassword=$passwordtotest;
 // Test with this->seachUser and this->searchPassword
- $result=$ldap->connect_bind();
+ //print $ldap->searchUser.'-'.$ldap->searchPassword;exit;
+ $result=$ldap->connect_bind();
 if ($result > 0)
 {
 if ($result == 2)
@@ -144,7 +142,7 @@ function check_user_password_ldap($usertotest,$passwordtotest)
 {
 // On charge les attributs du user ldap
 if ($ldapdebug) print "DEBUG: login ldap = ".$login."
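Review bot: `if ($resultFetchLdapUser) $ldap->searchUser = $ldap->ldapUserDN;` treats the -1 that `Ldap::fetch()` returns on a search error (visible in the ldap.class.php hunk below) as a usable lookup, because -1 is truthy in PHP, so a failed search replaces the default DN with `$ldap->ldapUserDN`, which `fetch()` only assigns on success. Use the same test as the pwdlastset check in the previous hunk: `if ($resultFetchLdapUser > 0) $ldap->searchUser = $ldap->ldapUserDN;`. Separately, `$usertotest` is concatenated into the DN unescaped and the bind is attempted with `$passwordtotest` even when it is empty; unless `connect_bind()` refuses an empty `searchPassword` (not visible here), an LDAP server may treat a DN with an empty password as an unauthenticated bind and report success, so an explicit `if ($passwordtotest === '') return '';` before the bind is worth adding. check_user_password_ldap begins and ends outside this hunk.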
\n";
- $ldap->fetch($login,$userSearchFilter);
+ $resultFetchLdapUser = $ldap->fetch($login,$userSearchFilter);
 if ($ldapdebug) print "DEBUG: UACF = ".join(',',$ldap->uacf)."
\n";
 if ($ldapdebug) print "DEBUG: pwdLastSet = ".dol_print_date($ldap->pwdlastset,'day')."
\n";
@@ -180,7 +178,21 @@ function check_user_password_ldap($usertotest,$passwordtotest)
 }
 else
 {
- dol_syslog("functions_ldap::check_user_password_ldap Authentification ko failed to connect to LDAP for '".$usertotest."'");
+ /* Login failed. Return false, together with the error code and text from
+ ** the LDAP server. The common error codes and reasons are listed below :
+ ** (for iPlanet, other servers may differ)
+ ** 19 - Account locked out (too many invalid login attempts)
+ ** 32 - User does not exist
+ ** 49 - Wrong password
+ ** 53 - Account inactive (manually locked out by administrator)
+ */
+ dol_syslog("functions_ldap::check_user_password_ldap Authentification ko failed to connect to LDAP for '".$usertotest."'");
+ if ($this->connection) // If connection ok but bind ko
+ {
+ $this->ldapErrorCode = ldap_errno($this->connection);
+ $this->ldapErrorText = ldap_error($this->connection);
+ dol_syslog("unctions_ldap::check_user_password_ldap ".$this->ldapErrorText);
+ }
 sleep(1);
 $langs->load('main');
 $langs->load('other');
diff --git a/htdocs/includes/triggers/interface_modLdap_Ldapsynchro.class.php b/htdocs/includes/triggers/interface_modLdap_Ldapsynchro.class.php
index fe844ea261a..38947e60790 100644
--- a/htdocs/includes/triggers/interface_modLdap_Ldapsynchro.class.php
+++ b/htdocs/includes/triggers/interface_modLdap_Ldapsynchro.class.php
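Review bot: `if ($this->connection)` and the two `$this->ldapErrorCode` / `$this->ldapErrorText` assignments sit inside `check_user_password_ldap()`, which the hunk header shows is a plain function, so every failed bind now aborts with "Using $this when not in object context" before `sleep(1)` and the login message are reached. The connection handle and the error properties belong to the `$ldap` object used everywhere else in this function: `if ($ldap->connection) // If connection ok but bind ko`, `$ldap->ldapErrorCode = ldap_errno($ldap->connection);`, `$ldap->ldapErrorText = ldap_error($ldap->connection);`. The prefix of the added dol_syslog call has also lost its first letter (`unctions_ldap::`). The function body continues beyond this hunk.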
@@ -159,6 +159,33 @@ class InterfaceLdapsynchro
 elseif ($action == 'USER_NEW_PASSWORD')
 {
 dol_syslog("Trigger '".$this->name."' for action '$action' launched by ".__FILE__.". id=".$object->id);
+ if ($conf->ldap->enabled && $conf->global->LDAP_SYNCHRO_ACTIVE == 'dolibarr2ldap')
+ {
+ $ldap=new Ldap();
+ $ldap->connect_bind();
+ $oldinfo=$object->oldcopy->_load_ldap_info();
+ $olddn=$object->oldcopy->_load_ldap_dn($oldinfo);
+ // Verify if entry exist
+ $container=$object->oldcopy->_load_ldap_dn($oldinfo,1);
+ $search = "(".$object->oldcopy->_load_ldap_dn($oldinfo,2).")";
+ $records=$ldap->search($container,$search);
+ if (sizeof($records) && $records['count'] == 0)
+ {
+ $olddn = '';
+ }
+ $info=$object->_load_ldap_info();
+ $dn=$object->_load_ldap_dn($info);
+ $result=$ldap->update($dn,$info,$user,$olddn);
+ if ($result < 0)
+ {
+ $this->error="ErrorLDAP"." ".$ldap->error;
+ }
+ return $result;
+ }
 }
 elseif ($action == 'USER_ENABLEDISABLE')
 {
diff --git a/htdocs/lib/ldap.class.php b/htdocs/lib/ldap.class.php
index 056a969443f..6858741a16f 100644
--- a/htdocs/lib/ldap.class.php
+++ b/htdocs/lib/ldap.class.php
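Review bot: `$ldap->connect_bind();` discards its return value, so when the bind fails (the functions_ldap.php hunks treat anything not `> 0` as failure) the trigger goes on to `search()` and `update()` over an unbound handle and the error it reports is whatever those calls produce rather than the bind error. Check it first: `$result=$ldap->connect_bind();` followed by `if ($result <= 0) { $this->error="ErrorLDAP"." ".$ldap->error; return -1; }`. The `sizeof($records) && $records['count'] == 0` test also assumes `search()` returns an array; if it returns an error scalar on failure (not visible here), `$olddn` keeps the old DN and the update is attempted against an entry that may not exist. `$user` is read but not defined in the hunk, presumably a parameter of the enclosing method, which starts before this hunk.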
@@ -389,52 +389,6 @@ class Ldap } - - /** - * \brief Checks a username and password - does this by logging on to the - * server as a user - specified in the DN. There are several reasons why - * this login could fail - these are listed below. - * \return uname Username to check - * \return pass Password to check - * \return boolean true=check pass ok, falses=check pass failed - */ - function checkPass($uname,$pass) - { - /* Construct the full DN, eg:- - ** "uid=username, ou=People, dc=orgname,dc=com" - */ - if ($this->serverType == "activedirectory") { - // FQDN domain - $domain = str_replace('dc=','',$this->domain); - $domain = str_replace(',','.',$domain); - $checkDn = "$uname@$domain"; - } else { - $checkDn = $this->getUserIdentifier()."=".$uname.", ".$this->setDn(true); - } - // Try and connect... - $this->result = @ldap_bind( $this->connection,$checkDn,$pass); - if ( $this->result) { - // Connected OK - login credentials are fine! - $this->ldapUserDN = $checkDn; - return true; - } else { - /* Login failed. Return false, together with the error code and text from - ** the LDAP server. The common error codes and reasons are listed below : - ** (for iPlanet, other servers may differ) - ** 19 - Account locked out (too many invalid login attempts) - ** 32 - User does not exist - ** 49 - Wrong password - ** 53 - Account inactive (manually locked out by administrator) - */ - $this->ldapErrorCode = ldap_errno( $this->connection); - $this->ldapErrorText = ldap_error( $this->connection); - $this->ldapDebugDomain = $domain; - $this->ldapDebugDN = $checkDn; - return false; - } - } - - /** * \brief Add a LDAP entry * \param dn DN entry key 
@@ -1166,22 +1120,25 @@ class Ldap $this->bindauth($this->searchUser, $this->searchPassword); } - $searchDN = $this->people; + $searchDN = $this->people; // TODO Why searching in people then domain ? $result = ''; $i=0; while ($i <= 2) { + dol_syslog("Ldap::fetch search with searchDN=".$searchDN." filter=".$filter); $this->result = @ldap_search($this->connection, $searchDN, $filter); if ($this->result) { $result = @ldap_get_entries($this->connection, $this->result); - //var_dump($result); + dol_syslog("Ldap::fetch search found"); + //var_dump($result);exit; } else { - $this->error = ldap_errno($this->connection)." ".ldap_error($this->connection); - return -1; + $this->error = ldap_errno($this->connection)." ".ldap_error($this->connection); + dol_syslog("Ldap::fetch search not found"); + return -1; } if (! $result) @@ -1228,6 +1185,10 @@ class Ldap $domain = str_replace(',','.',$domain); $this->domainFQDN = $domain; + // Set ldapUserDn (each user can have a different dn) + //var_dump($result[0]['dn']);exit; + $this->ldapUserDN=$result[0]['dn']; + ldap_free_result($this->result); return 1; } @@ -1236,31 +1197,6 @@ class Ldap // 2.6 helper methods - /** - * Sets and returns the appropriate dn, based on whether there - * are values in $this->people and $this->groups. - * - * @param boolean specifies whether to build a groups dn or a people dn - * @return string if true ou=$this->people,$this->dn, else ou=$this->groups,$this->dn - */ - function setDn($peopleOrGroups) { - - if ($peopleOrGroups) { - if ( isset($this->people) && (dol_strlen($this->people) > 0) ) { - $checkDn = "ou=" .$this->people. ", " .$this->dn; - } - } else { - if ( isset($this->groups) && (dol_strlen($this->groups) > 0) ) { - $checkDn = "ou=" .$this->groups. ", " .$this->dn; - } - } - - if ( !isset($checkDn) ) { - $checkDn = $this->dn; - } - return $checkDn; - } - /** * Returns the correct user identifier to use, based on the ldap server type */ 
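Review bot: `$this->ldapUserDN=$result[0]['dn'];` takes the first entry without checking how many the search matched; the conf example shows the filter carrying a `%1%` placeholder for the login the user typed, so a login attribute shared by several entries, or a wildcard in the login, makes the later bind silently target whichever entry the server listed first. Unless the code between the two hunks already rejects it, add `if ($result['count'] != 1) { $this->error = 'Ldap::fetch ambiguous or empty result'; return -1; }` before the assignment. The `dol_syslog("Ldap::fetch search not found")` in the previous hunk is emitted when `ldap_search()` itself fails and the branch returns -1, so the message is misleading; `"Ldap::fetch search failed"` describes it. `fetch()` starts and ends outside these hunks.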
diff --git a/htdocs/user/class/user.class.php b/htdocs/user/class/user.class.php
index fa7e33137ee..91af3e6fc32 100644
--- a/htdocs/user/class/user.class.php
+++ b/htdocs/user/class/user.class.php
@@ -977,7 +977,7 @@ class User extends CommonObject
 }
 /**
- * Update a user into databse (except password)
+ * Update a user into databse (and also password if this->pass is defined)
 * @param user User qui fait la mise a jour
 * @param notrigger 1 ne declenche pas les triggers, 0 sinon
 * @param nosyncmember 0=Synchronize linked member (standard info), 1=Do not synchronize linked member
diff --git a/htdocs/user/fiche.php b/htdocs/user/fiche.php
index 63827162a55..4f97f468243 100644
--- a/htdocs/user/fiche.php
+++ b/htdocs/user/fiche.php
@@ -305,14 +305,15 @@ if ($_POST["action"] == 'update' && ! $_POST["cancel"])
 }
 }
+ /* Already included into update function
 if ($ret >= 0 && ! sizeof($edituser->errors) && isset($_POST["password"]) && $_POST["password"] !='')
 {
- $ret=$edituser->setPassword($user,$_POST["password"]);
+ $ret=$edituser->setPassword($user,$_POST["password"],0,1);
 if ($ret < 0)
 {
 $message.='
'.$edituser->error.'
';
 }
- }
+ } */
 if ($ret >=0 && ! sizeof($edituser->errors))
 {
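Review bot: The replaced `setPassword()` call is commented out rather than removed; `/* Already included into update function` leaves the whole block as dead code in the request handler, and a reader cannot tell whether it is still meant to run. Delete the block and keep a one-line comment in its place, `// Password is saved by $edituser->update() when $edituser->pass is set`. That claim only holds if the handler assigns `$edituser->pass` from `$_POST["password"]` before calling `update()`, which is outside this hunk; if it does not, password changes from this form stop being applied with no error shown to the user.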