blizz comments 20161013
Signed-off-by: Roger Szabo <roger.szabo@web.de>
GitHubUser4234 committed Oct 14, 2016
1 parent 5cd4d56 commit 632493b
Showing 5 changed files with 21 additions and 13 deletions.
10 changes: 8 additions & 2 deletions apps/user_ldap/lib/Access.php
Expand Up @@ -40,6 +40,8 @@

namespace OCA\User_LDAP;

use OC\HintException;
use OCA\User_LDAP\Exceptions\ConstraintViolationException;
use OCA\User_LDAP\User\IUserTools;
use OCA\User_LDAP\User\Manager;
use OCA\User_LDAP\User\OfflineUser;
Expand Down Expand Up @@ -225,7 +227,7 @@ public function readAttribute($dn, $attr, $filter = 'objectClass=*') {
/**
* Set password for an LDAP user identified by a DN
* @param string $userDN the user in question
* @param LDAP $password the new password
* @param string $password the new password
* @return bool
*/
public function setPassword($userDN, $password) {
Expand All @@ -239,7 +241,11 @@ public function setPassword($userDN, $password) {
return false;
}

return $this->ldap->modReplace($cr, $userDN, $password);
try {
return $this->ldap->modReplace($cr, $userDN, $password);
} catch(ConstraintViolationException $e) {
throw new HintException(\OC::$server->getL10N('user_ldap')->t('Password change rejected.'), $e->getMessage(), $e->getCode());
}
}

/**
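Review bot: The docblock of setPassword, in the hunk above this one, still documents only `@return bool`, but the new `try`/`catch` at the end of the method turns an LDAP constraint violation into a thrown `HintException`, so callers no longer get a plain false for that case; add `@throws \OC\HintException if the LDAP server rejects the new password` to the docblock. The hint argument forwards `$e->getMessage()`, the directory's own diagnostic text, to the user verbatim; presumably that is wanted so password-policy reasons reach the user, but it is untranslated and shows whatever the server places in that field, which deserves a comment such as `// hint = raw LDAP diagnostic text, shown to the user as-is`. Minor style: `catch (ConstraintViolationException $e)` with a space before the parenthesis, per PSR-12.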
9 changes: 9 additions & 0 deletions apps/user_ldap/lib/ILDAPWrapper.php
Expand Up @@ -163,6 +163,15 @@ public function read($link, $baseDN, $filter, $attr);
* @return resource|false an LDAP search result resource, false on error
*/
public function search($link, $baseDN, $filter, $attr, $attrsOnly = 0, $limit = 0);

/**
* Replace the value of a userPassword by $password
* @param resource $link LDAP link resource
* @param string $userDN the DN of the user whose password is to be replaced
* @param string $password the new value for the userPassword
* @return bool true on success, false otherwise
*/
public function modReplace($link, $userDN, $password);

/**
* Sets the value of the specified option to be $value
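Review bot: The new docblock for modReplace promises `@return bool true on success, false otherwise`, yet the caller added to apps/user_ldap/lib/Access.php in this same commit catches a `ConstraintViolationException` coming out of this call, so the interface contract is incomplete; add `@throws ConstraintViolationException if the server rejects the new value` here, and the same line to the implementation docblock above modReplace in apps/user_ldap/lib/LDAP.php. The `$password` parameter is written to `userPassword` exactly as supplied (the LDAP.php implementation passes it straight into mod_replace), so the `@param` line should say `the new password, sent to the server as supplied` to make the transport-encryption requirement the settings page already describes visible to implementers as well.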
7 changes: 1 addition & 6 deletions apps/user_ldap/lib/LDAP.php
Expand Up @@ -30,7 +30,6 @@
namespace OCA\User_LDAP;

use OC\ServerNotAvailableException;
use OC\HintException;
use OCA\User_LDAP\Exceptions\ConstraintViolationException;

class LDAP implements ILDAPWrapper {
Expand Down Expand Up @@ -202,11 +201,7 @@ public function search($link, $baseDN, $filter, $attr, $attrsOnly = 0, $limit =
* @return bool
*/
public function modReplace($link, $userDN, $password) {
try {
return $this->invokeLDAPMethod('mod_replace', $link, $userDN, array('userPassword' => $password));
} catch(ConstraintViolationException $e) {
throw new HintException('Password change rejected. Hint: '.$e->getMessage(), '', $e->getCode());
}
return $this->invokeLDAPMethod('mod_replace', $link, $userDN, array('userPassword' => $password));
}

/**
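Review bot: With the `try`/`catch` removed from modReplace, `use OCA\User_LDAP\Exceptions\ConstraintViolationException;` at the top of the file is only still needed if something outside this hunk (presumably invokeLDAPMethod, which is where the exception now appears to originate) references the class by name; if nothing does, drop the import the same way the commit already dropped `HintException`. The retained call could also use short array syntax, `['userPassword' => $password]`, which is the current PHP convention. The surrounding class continues outside both hunks.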
6 changes: 2 additions & 4 deletions apps/user_ldap/lib/User_LDAP.php
Expand Up @@ -182,12 +182,10 @@ public function checkPassword($uid, $password) {
* @return bool
*/
public function setPassword($uid, $password) {
$ldapRecord = $this->getLDAPUserByLoginName($uid);
$dn = $ldapRecord['dn'][0];
$user = $this->access->userManager->get($dn);
$user = $this->access->userManager->get($uid);

if(!$user instanceof User) {
throw new \Exception('LDAP setPassword: Could not get user object for DN ' . $dn .
throw new \Exception('LDAP setPassword: Could not get user object for uid ' . $uid .
'. Maybe the LDAP entry has no set display name attribute?');
}
if($user->getUsername() !== false) {
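Review bot: The new lookup `$this->access->userManager->get($uid)` replaces resolving the login name to its DN first, and it only works if the `$uid` handed to setPassword is the same key the user manager indexes by, which this hunk does not show; if callers may pass an LDAP login name rather than the internal username, the lookup misses and the method throws for a user that does exist, so either confirm the caller contract in the docblock (`@param string $uid the internal username, not the LDAP login name`) or keep the DN resolution. The updated exception text `'. Maybe the LDAP entry has no set display name attribute?'` was written for the DN-based path; after a plain uid lookup a miss may just as well mean the manager has never seen that user, so the message should mention that possibility too. setPassword continues past the end of this hunk.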
2 changes: 1 addition & 1 deletion apps/user_ldap/templates/settings.php
Expand Up @@ -101,7 +101,7 @@
<p><label for="ldap_dynamic_group_member_url"><?php p($l->t('Dynamic Group Member URL'));?></label><input type="text" id="ldap_dynamic_group_member_url" name="ldap_dynamic_group_member_url" title="<?php p($l->t('The LDAP attribute that on group objects contains an LDAP search URL that determines what objects belong to the group. (An empty setting disables dynamic group membership functionality.)'));?>" data-default="<?php p($_['ldap_dynamic_group_member_url_default']); ?>" /></p>
<p><label for="ldap_nested_groups"><?php p($l->t('Nested Groups'));?></label><input type="checkbox" id="ldap_nested_groups" name="ldap_nested_groups" value="1" data-default="<?php p($_['ldap_nested_groups_default']); ?>" title="<?php p($l->t('When switched on, groups that contain groups are supported. (Only works if the group member attribute contains DNs.)'));?>" /></p>
<p><label for="ldap_paging_size"><?php p($l->t('Paging chunksize'));?></label><input type="number" id="ldap_paging_size" name="ldap_paging_size" title="<?php p($l->t('Chunksize used for paged LDAP searches that may return bulky results like user or group enumeration. (Setting it 0 disables paged LDAP searches in those situations.)'));?>" data-default="<?php p($_['ldap_paging_size_default']); ?>" /></p>
<p><label for="ldap_turn_on_pwd_change"><?php p($l->t('Enable LDAP password changes per user'));?></label><span class="inlinetable"><span class="tablerow left"><input type="checkbox" id="ldap_turn_on_pwd_change" name="ldap_turn_on_pwd_change" value="1" data-default="<?php p($_['ldap_turn_on_pwd_change_default']); ?>" title="<?php p($l->t('Allow LDAP users to change their password and allow Super Administrators and Group Administrators to change the password of their LDAP users. Only works when access control policies are configured accordingly on the LDAP server. As passwords are sent in plaintext to the LDAP server, transport encryption must be used and password hashing should be configured on the LDAP server.'));?>" /><span class="tablecell">(New password is sent as plain text to LDAP)</span></span>
<p><label for="ldap_turn_on_pwd_change"><?php p($l->t('Enable LDAP password changes per user'));?></label><span class="inlinetable"><span class="tablerow left"><input type="checkbox" id="ldap_turn_on_pwd_change" name="ldap_turn_on_pwd_change" value="1" data-default="<?php p($_['ldap_turn_on_pwd_change_default']); ?>" title="<?php p($l->t('Allow LDAP users to change their password and allow Super Administrators and Group Administrators to change the password of their LDAP users. Only works when access control policies are configured accordingly on the LDAP server. As passwords are sent in plaintext to the LDAP server, transport encryption must be used and password hashing should be configured on the LDAP server.'));?>" /><span class="tablecell"><?php p($l->t('(New password is sent as plain text to LDAP)'));?></span></span>
</span><br/></p>
</div>
<h3><?php p($l->t('Special Attributes'));?></h3>
