Do not rely on exop_passwd but check rootDSE for support and fallback to mod_replace

susnux · susnux · commit 281282629f1a · 2022-10-17T11:01:17.000+02:00
This should fix AD support

Signed-off-by: Ferdinand Thiessen &lt;rpm@fthiessen.de&gt;
diff --git a/lib/LDAPUserManager.php b/lib/LDAPUserManager.php
@@ -87,7 +87,7 @@ public function __construct(IUserManager $userManager, IUserSession $userSession
 	 * compared with OC_USER_BACKEND_CREATE_USER etc.
 	 */
 	public function respondToActions() {
-		$setPassword = function_exists('ldap_exop_passwd') && !$this->ldapConnect->hasPasswordPolicy()
+		$setPassword = $this->canSetPassword(null) && !$this->ldapConnect->hasPasswordPolicy()
 			? Backend::SET_PASSWORD
 			: 0;
 
@@ -247,29 +247,8 @@ public function createUser($username, $password) {
 			throw new \Exception('Cannot create user: ' . ldap_error($connection), ldap_errno($connection));
 		}
 
-		// Set password through ldap password exop, if supported
 		if ($this->respondToActions() & Backend::SET_PASSWORD) {
-			try {
-				$ret = ldap_exop_passwd($connection, $newUserDN, '', $password);
-				if ($ret === false) {
-					$message = 'ldap_exop_passwd failed, falling back to ldap_mod_replace to to set password for new user';
-					$this->logger->log(ILogger::DEBUG, $message, [
-						'app' => Application::APP_ID,
-					]);
-
-					// Fallback to `userPassword` in case the server does not support exop_passwd
-					$ret = ldap_mod_replace($connection, $newUserDN, ['userPassword' => $password]);
-					if ($ret === false) {
-						$message = 'Failed to set password for new user {dn}';
-						$this->logger->log(ILogger::ERROR, $message, [
-							'app' => Application::APP_ID,
-							'dn' => $newUserDN,
-						]);
-					}
-				}
-			} catch (\Exception $e) {
-				$this->logger->logException($e, ['app' => Application::APP_ID]);
-			}
+			$this->setPassword($username, $password, $connection);
 		}
 		return $ret ? $newUserDN : false;
 	}
@@ -355,30 +334,82 @@ public function deleteUser($uid): bool {
 		return $res;
 	}
 
+	/**
+	 * checks whether the user is allowed to change their password in Nextcloud
+	 *
+	 * @param string $uid the Nextcloud user name
+	 * @return boolean either the user can or cannot
+	 */
+	public function canSetPassword($uid) {
+		return $this->configuration->hasPasswordPermission();
+	}
+
+	/**
+	 * checks whether the LDAP server supports the passwd exop
+	 *
+	 * @param LDAP\Connection $connection LDAP connection to check
+	 * @return boolean either the user can or cannot
+	 */
+	public function canUseExopPasswd($connection) {
+		$ret = ldap_read($connection, '', '(objectclass=*)', ['supportedExtension']);
+		if ($ret === false) {
+			return false;
+		}
+		$ret = ldap_first_entry($connection, $ret);
+		if ($ret === false) {
+			return false;
+		}
+
+		$values = ldap_get_values($connection, $ret, 'supportedExtension');
+		return ($values !== false) && in_array('1.3.6.1.4.1.4203.1.11.1', $values['supportedExtension']);
+	}
+
 	/**
 	 * Set password
 	 *
 	 * @param string $uid The username
 	 * @param string $password The new password
+	 * @param LDAP\Connection $connection LDAP connection or null to create one
 	 * @return bool
 	 *
 	 * Change the password of a user
 	 */
-	public function setPassword($uid, $password) {
-		if (!function_exists('ldap_exop_passwd')) {
-			// since PHP 7.2 – respondToActions checked this already, this
-			// method should not be called. Double check due to public scope.
-			// This method can be removed when Nextcloud 16 compat is dropped.
-			return false;
+	public function setPassword($uid, $password, $connection = null) {
+		if (is_null($connection)) {
+			$connection = $this->ldapProvider->getLDAPConnection($uid);
 		}
+		
 		try {
-			$cr = $this->ldapProvider->getLDAPConnection($uid);
 			$userDN = $this->getUserDN($uid);
-			return ldap_exop_passwd($cr, $userDN, '', $password);
+			$ret = false;
+
+			// try ldap_exop_passwd first
+			if ($this->canUseExopPasswd($connection)) {
+				$ret = ldap_exop_passwd($connection, $userDN, '', $password);
+				if ($ret === false) {
+					$message = 'ldap_exop_passwd failed, falling back to ldap_mod_replace to to set password for new user';
+					$this->logger->log(ILogger::DEBUG, $message, [
+						'app' => Application::APP_ID,
+					]);
+				}
+			}
+
+			// Fallback to `userPassword` in case the server does not support exop_passwd
+			if ($ret === false) {
+				$ret = ldap_mod_replace($connection, $userDN, ['userPassword' => $password]);
+				if ($ret === false) {
+					$message = 'Failed to set password for user {dn}';
+					$this->logger->log(ILogger::ERROR, $message, [
+						'app' => Application::APP_ID,
+						'dn' => $userDN,
+					]);
+				}
+			}
+			return $ret;
 		} catch (\Exception $e) {
 			$this->logger->logException($e, ['app' => Application::APP_ID]);
+			return false;
 		}
-		return false;
 	}
 
 	/**
diff --git a/lib/Service/Configuration.php b/lib/Service/Configuration.php
@@ -48,6 +48,10 @@ public function hasAvatarPermission(): bool {
 		return $this->config->getAppValue('ldap_write_support', 'hasAvatarPermission', '1') === '1';
 	}
 
+	public function hasPasswordPermission(): bool {
+		return $this->config->getAppValue('ldap_write_support', 'hasPasswordPermission', '1') === '1';
+	}
+
 	public function getUserTemplate() {
 		return $this->config->getAppValue(
 			Application::APP_ID,
diff --git a/lib/Settings/Admin.php b/lib/Settings/Admin.php
@@ -61,6 +61,7 @@ public function getForm() {
 				'createRequireActorFromLdap' => $this->config->isLdapActorRequired(),
 				'createPreventFallback' => $this->config->isPreventFallback(),
 				'hasAvatarPermission' => $this->config->hasAvatarPermission(),
+				'hasPasswordPermission' => $this->config->hasPasswordPermission(),
 				'newUserRequireEmail' => $this->config->isRequireEmail(),
 				'newUserGenerateUserID' => $this->config->isGenerateUserId(),
 			]
diff --git a/src/components/AdminSettings.vue b/src/components/AdminSettings.vue
@@ -44,6 +44,10 @@
 				@change.stop.prevent="toggleSwitch('hasAvatarPermission', !switches.hasAvatarPermission)">
 				{{ t('ldap_write_support', 'Allow users to set their avatar') }}
 			</ActionCheckbox>
+			<ActionCheckbox :checked="switches.hasPasswordPermission"
+				@change.stop.prevent="toggleSwitch('hasPasswordPermission', !switches.hasPasswordPermission)">
+				{{ t('ldap_write_support', 'Allow users to set their password') }}
+			</ActionCheckbox>
 		</ul>
 		<h3>{{ t('ldap_write_support', 'User template') }}</h3>
 		<p>{{ t('ldap_write_support', 'LDIF template for creating users. Following placeholders may be used') }}</p>

Original file line number	Diff line number	Diff line change
`@@ -61,6 +61,7 @@ public function getForm() {`
`61`	`61`	`'createRequireActorFromLdap' => $this->config->isLdapActorRequired(),`
`62`	`62`	`'createPreventFallback' => $this->config->isPreventFallback(),`
`63`	`63`	`'hasAvatarPermission' => $this->config->hasAvatarPermission(),`
	`64`	`+ 'hasPasswordPermission' => $this->config->hasPasswordPermission(),`
`64`	`65`	`'newUserRequireEmail' => $this->config->isRequireEmail(),`
`65`	`66`	`'newUserGenerateUserID' => $this->config->isGenerateUserId(),`
`66`	`67`	`]`