ltb-project#126: Attempting password change with userDN which refusin…

…g pwd that exist in pwdHistory.
Worteks · Aug 8, 2024 · 38a1b8a · 38a1b8a
1 parent 7a39be8
commit 38a1b8a
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 7 deletions.
diff --git a/htdocs/index.php b/htdocs/index.php
@@ -164,6 +164,7 @@
 } else {
     $audit_admin = "anonymous";
 }
+$smarty->assign("audit_admin", $audit_admin);
 
 #==============================================================================
 # Route to page

diff --git a/htdocs/resetpassword.php b/htdocs/resetpassword.php
@@ -26,6 +26,12 @@
     $result = "passwordrequired";
 }
 
+if (isset($_POST["oldpassword"]) and $_POST["oldpassword"]) {
+    $oldpassword = $_POST["oldpassword"];
+} else {
+    $result = "oldpasswordrequired";
+}
+
 if (isset($_POST["pwdreset"]) and $_POST["pwdreset"]) {
     $pwdreset = $_POST["pwdreset"];
 }
@@ -37,6 +43,18 @@
     require_once("../lib/hook.inc.php");
 
     # Connect to LDAP
+    if ($audit_admin === "anonymous") {
+        $ldapInstance = new \Ltb\Ldap(
+            $ldap_url,
+            $ldap_starttls,
+            $dn,
+            $oldpassword,
+            isset($ldap_network_timeout) ? $ldap_network_timeout : null,
+            null,
+            null,
+            null
+        );
+    }
     $ldap_connection = $ldapInstance->connect();
 
     $ldap = $ldap_connection[0];
@@ -77,12 +95,18 @@
         if ( $prehook_return > 0 and !$ignore_prehook_return) {
             $result = "passwordrefused";
         } else {
-            $modification = ldap_mod_replace($ldap, $dn, $entry);
-            $errno = ldap_errno($ldap);
-            if ( $errno ) {
-                $result = "passwordrefused";
-            } else {
-                $result = "passwordchanged";
+            $modification = ldap_mod_replace_ext($ldap, $dn, $entry);
+            $userdn = $dn;
+            $errcode = $errmsg = $refs =  null;
+            if (ldap_parse_result($ldap, $modification, $errcode, $userdn, $errmsg, $refs)) {
+                $errno = ldap_errno($ldap);
+                if ( $errmsg ) {
+                    $result = "passwordreused";
+                } else if ( $errno ) {
+                    $result = "passwordrefused";
+                } else {
+                    $result = "passwordchanged";
+                }
             }
         }
 
@@ -103,7 +127,7 @@
         #==============================================================================
         if ($result === "passwordchanged") {
 
-            if ($notify_on_change) {
+            if (isset($notify_on_change) && $notify_on_change) {
                 # Search for user
                 $attributes = $mail_attributes;
                 $attributes[] = $mail_username_attribute;

diff --git a/lang/en.inc.php b/lang/en.inc.php
@@ -74,13 +74,16 @@
 $messages['newpassword'] = "New password";
 $messages['noentriesfound'] = "No entries found";
 $messages['notdefined'] = "Not defined";
+$messages['oldpassword'] = "Old password";
+$messages['oldpasswordrequired'] = "Please enter the old password";
 $messages['password'] = "Password";
 $messages['passwordchanged'] = "Password changed";
 $messages['passwordexpired'] = "Password is expired";
 $messages['passwordinvalid'] = "Authentication has failed";
 $messages['passwordok'] = "Authentication succeeds!";
 $messages['passwordrefused'] = "Password was refused";
 $messages['passwordrequired'] = "Please enter the password";
+$messages['passwordreused'] = "Password was reused";
 $messages['resetpassword'] = "Reset password";
 $messages['search'] = "Search";
 $messages['searchrequired'] = "Please enter your search";

diff --git a/templates/display.tpl b/templates/display.tpl
@@ -149,12 +149,18 @@
              <div class="card-body">
 
                  <form id="resetpassword" method="post" action="index.php?page=resetpassword">
+                    {if $resetpasswordresult eq 'oldpasswordrequired'}
+                    <div class="alert alert-warning"><i class="fa fa-fw fa-exclamation-triangle"></i> {$msg_oldpasswordrequired}</div>
+                    {/if}
                      {if $resetpasswordresult eq 'passwordrequired'}
                      <div class="alert alert-warning"><i class="fa fa-fw fa-exclamation-triangle"></i> {$msg_passwordrequired}</div>
                      {/if}
                      {if $resetpasswordresult eq 'passwordrefused'}
                      <div class="alert alert-danger"><i class="fa fa-fw fa-exclamation-triangle"></i> {$msg_passwordrefused}</div>
                      {/if}
+                     {if $resetpasswordresult eq 'passwordreused'}
+                     <div class="alert alert-danger"><i class="fa fa-fw fa-exclamation-triangle"></i> {$msg_passwordreused}</div>
+                     {/if}
                      {if $resetpasswordresult eq 'passwordchanged'}
                      <div class="alert alert-success"><i class="fa fa-fw fa-check"></i> {$msg_passwordchanged}</div>
                      {/if}
@@ -165,6 +171,12 @@
                      <div class="alert alert-warning"><i class="fa fa-fw fa-exclamation-triangle"></i> {$posthookresult}</div>
                      {/if}
                      <input type="hidden" name="dn" value="{$dn}" />
+                     {if $audit_admin eq 'anonymous'}
+                     <div class="input-group mb-3">
+                        <span class="input-group-text"><i class="fa fa-fw fa-lock"></i></span>
+                        <input type="password" name="oldpassword" id="oldpassword" autocomplete="old-password" class="form-control" placeholder="{$msg_oldpassword}" />
+                     </div>
+                     {/if}
                      <div class="input-group mb-3">
                         <span class="input-group-text"><i class="fa fa-fw fa-lock"></i></span>
                         {if $fake_password_inputs}