authorroot <roger.szabo@web.de>2016-08-30 17:43:29 +0800
committerLukas Reschke <lukas@statuscode.ch>2016-11-23 19:02:48 +0100
commit861c8572c03ba577ca89e1f9e88ab108cfafdf49 (patch)
tree56d8bc1a4f5b7a7dd94604da8efa7de309feeb40 /apps/user_ldap/lib
parentd342eedc777413cc4b9438d53faed561563e03bf (diff)
downloadnextcloud-server-861c8572c03ba577ca89e1f9e88ab108cfafdf49.tar.gz
nextcloud-server-861c8572c03ba577ca89e1f9e88ab108cfafdf49.zip
restore ldap_password_pr
Signed-off-by: Roger Szabo <roger.szabo@web.de> remove notification part Signed-off-by: Roger Szabo <roger.szabo@web.de> blizzz comments Signed-off-by: Roger Szabo <roger.szabo@web.de> morris comment Signed-off-by: Roger Szabo <roger.szabo@web.de> improved error message for changing password Signed-off-by: Roger Szabo <roger.szabo@web.de> blizz comments 20161013 Signed-off-by: Roger Szabo <roger.szabo@web.de> Signed-off-by: Roger Szabo <roger.szabo@web.de> Adjust HintException usage Signed-off-by: Roger Szabo <roger.szabo@web.de> Signed-off-by: Roger Szabo <roger.szabo@web.de>
Diffstat (limited to 'apps/user_ldap/lib')
-rw-r--r--apps/user_ldap/lib/Access.php26
-rw-r--r--apps/user_ldap/lib/Configuration.php4
-rw-r--r--apps/user_ldap/lib/Exceptions/ConstraintViolationException.php26
-rw-r--r--apps/user_ldap/lib/ILDAPWrapper.php9
-rw-r--r--apps/user_ldap/lib/LDAP.php15
-rw-r--r--apps/user_ldap/lib/User_LDAP.php32
-rw-r--r--apps/user_ldap/lib/User_Proxy.php11
7 files changed, 118 insertions, 5 deletions
diff --git a/apps/user_ldap/lib/Access.php b/apps/user_ldap/lib/Access.php
index e7facd80ae0..f06f76bb910 100644
--- a/apps/user_ldap/lib/Access.php
+++ b/apps/user_ldap/lib/Access.php
@@ -40,6 +40,8 @@
namespace OCA\User_LDAP;
+use OC\HintException;
+use OCA\User_LDAP\Exceptions\ConstraintViolationException;
use OCA\User_LDAP\User\IUserTools;
use OCA\User_LDAP\User\Manager;
use OCA\User_LDAP\User\OfflineUser;
@@ -221,6 +223,30 @@ class Access extends LDAPUtility implements IUserTools {
\OCP\Util::writeLog('user_ldap', 'Requested attribute '.$attr.' not found for '.$dn, \OCP\Util::DEBUG);
return false;
}
+
+ /**
+ * Set password for an LDAP user identified by a DN
+ * @param string $userDN the user in question
+ * @param string $password the new password
+ * @return bool
+ */
+ public function setPassword($userDN, $password) {
+ if(intval($this->connection->turnOnPasswordChange) !== 1) {
+ throw new \Exception('LDAP password changes are disabled.');
+ }
+ $cr = $this->connection->getConnectionResource();
+ if(!$this->ldap->isResource($cr)) {
+ //LDAP not available
+ \OCP\Util::writeLog('user_ldap', 'LDAP resource not available.', \OCP\Util::DEBUG);
+ return false;
+ }
+
+ try {
+ return $this->ldap->modReplace($cr, $userDN, $password);
+ } catch(ConstraintViolationException $e) {
+ throw new HintException('Password change rejected.', \OC::$server->getL10N('user_ldap')->t('Password change rejected. Hint: ').$e->getMessage(), $e->getCode());
+ }
+ }
/**
* checks whether the given attributes value is probably a DN
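Review bot: Access::setPassword writes `$password` to the directory through `modReplace` using the resource returned by `getConnectionResource()`, which appears to be the configured agent bind rather than a bind as the user, so nothing at this layer verifies the old password and the agent account must have write access to `userPassword`; the docblock should state both, since callers will otherwise assume the usual "verify old, set new" contract. The `@return bool` also understates the contract: the disabled-feature check throws a plain `\Exception` and the catch rethrows as `HintException`, so add `@throws \Exception when turnOnPasswordChange is not enabled` and `@throws HintException when the directory rejects the new value (constraint violation, e.g. a password policy)`. A third docblock sentence is worth having: the value is transmitted as given, so any hashing and the transport protection (LDAPS or StartTLS on the configured connection) are the directory's and the connection configuration's responsibility, not this method's. The surrounding class continues outside the hunk.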
diff --git a/apps/user_ldap/lib/Configuration.php b/apps/user_ldap/lib/Configuration.php
index 80b353360c3..eb4fcd3fbe6 100644
--- a/apps/user_ldap/lib/Configuration.php
+++ b/apps/user_ldap/lib/Configuration.php
@@ -11,6 +11,7 @@
* @author Lukas Reschke <lukas@statuscode.ch>
* @author Morris Jobke <hey@morrisjobke.de>
* @author Robin McCorkell <robin@mccorkell.me.uk>
+ * @author Roger Szabo <roger.szabo@web.de>
*
* @license AGPL-3.0
*
@@ -90,6 +91,7 @@ class Configuration {
'lastJpegPhotoLookup' => null,
'ldapNestedGroups' => false,
'ldapPagingSize' => null,
+ 'turnOnPasswordChange' => false,
'ldapDynamicGroupMemberURL' => null,
);
@@ -449,6 +451,7 @@ class Configuration {
'last_jpegPhoto_lookup' => 0,
'ldap_nested_groups' => 0,
'ldap_paging_size' => 500,
+ 'ldap_turn_on_pwd_change' => 0,
'ldap_experienced_admin' => 0,
'ldap_dynamic_group_member_url' => '',
);
@@ -505,6 +508,7 @@ class Configuration {
'last_jpegPhoto_lookup' => 'lastJpegPhotoLookup',
'ldap_nested_groups' => 'ldapNestedGroups',
'ldap_paging_size' => 'ldapPagingSize',
+ 'ldap_turn_on_pwd_change' => 'turnOnPasswordChange',
'ldap_experienced_admin' => 'ldapExperiencedAdmin',
'ldap_dynamic_group_member_url' => 'ldapDynamicGroupMemberURL',
);
diff --git a/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php b/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php
new file mode 100644
index 00000000000..997b01b2d4e
--- /dev/null
+++ b/apps/user_ldap/lib/Exceptions/ConstraintViolationException.php
@@ -0,0 +1,26 @@
+<?php
+/**
+ * @copyright Copyright (c) 2016 Roger Szabo <roger.szabo@web.de>
+ *
+ * @author Roger Szabo <roger.szabo@web.de>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\User_LDAP\Exceptions;
+
+class ConstraintViolationException extends \Exception {}
diff --git a/apps/user_ldap/lib/ILDAPWrapper.php b/apps/user_ldap/lib/ILDAPWrapper.php
index 4fd3b31428a..e2089fa8a47 100644
--- a/apps/user_ldap/lib/ILDAPWrapper.php
+++ b/apps/user_ldap/lib/ILDAPWrapper.php
@@ -163,6 +163,15 @@ interface ILDAPWrapper {
* @return resource|false an LDAP search result resource, false on error
*/
public function search($link, $baseDN, $filter, $attr, $attrsOnly = 0, $limit = 0);
+
+ /**
+ * Replace the value of a userPassword by $password
+ * @param resource $link LDAP link resource
+ * @param string $userDN the DN of the user whose password is to be replaced
+ * @param string $password the new value for the userPassword
+ * @return bool true on success, false otherwise
+ */
+ public function modReplace($link, $userDN, $password);
/**
* Sets the value of the specified option to be $value
diff --git a/apps/user_ldap/lib/LDAP.php b/apps/user_ldap/lib/LDAP.php
index 74d83e4ab4f..0d491396ee4 100644
--- a/apps/user_ldap/lib/LDAP.php
+++ b/apps/user_ldap/lib/LDAP.php
@@ -9,6 +9,7 @@
* @author Lukas Reschke <lukas@statuscode.ch>
* @author Morris Jobke <hey@morrisjobke.de>
* @author Robin McCorkell <robin@mccorkell.me.uk>
+ * @author Roger Szabo <roger.szabo@web.de>
*
* @license AGPL-3.0
*
@@ -29,6 +30,7 @@
namespace OCA\User_LDAP;
use OC\ServerNotAvailableException;
+use OCA\User_LDAP\Exceptions\ConstraintViolationException;
class LDAP implements ILDAPWrapper {
protected $curFunc = '';
@@ -194,6 +196,16 @@ class LDAP implements ILDAPWrapper {
/**
* @param LDAP $link
+ * @param string $userDN
+ * @param string $password
+ * @return bool
+ */
+ public function modReplace($link, $userDN, $password) {
+ return $this->invokeLDAPMethod('mod_replace', $link, $userDN, array('userPassword' => $password));
+ }
+
+ /**
+ * @param LDAP $link
* @param string $option
* @param int $value
* @return bool|mixed
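Review bot: The new modReplace docblock copies `@param LDAP $link` from its neighbour, but the argument is passed straight into `invokeLDAPMethod('mod_replace', ...)` and the interface added in the same commit (ILDAPWrapper) documents it as `@param resource $link`; the two should agree, so `@param resource $link`. The attribute is hard-wired to `userPassword`, which suits directories that accept a cleartext replace on that attribute; a one-line comment such as `// replaces userPassword only; directories using another password attribute/encoding are not covered` would save the next reader from assuming broader support. The class continues outside the hunk.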
@@ -288,6 +300,9 @@ class LDAP implements ILDAPWrapper {
throw new \Exception('LDAP authentication method rejected', $errorCode);
} else if ($errorCode === 1) {
throw new \Exception('LDAP Operations error', $errorCode);
+ } else if ($errorCode === 19) {
+ ldap_get_option($this->curArgs[0], LDAP_OPT_ERROR_STRING, $extended_error);
+ throw new ConstraintViolationException(!empty($extended_error)?$extended_error:$errorMsg, $errorCode);
} else {
\OCP\Util::writeLog('user_ldap',
'LDAP error '.$errorMsg.' (' .
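Review bot: The new branch compares against the bare literal 19 while the text it forwards (`$extended_error`) is whatever the directory put in LDAP_OPT_ERROR_STRING, and per the Access.php hunk that string ends up in a user-facing HintException; both deserve a comment so the intent and the provenance of the message are visible: `} else if ($errorCode === 19) { // LDAP_CONSTRAINT_VIOLATION, e.g. a password-policy refusal; server-supplied text is surfaced to the user`. As a point of style, `!empty($extended_error)?$extended_error:$errorMsg` is the same truthiness test as `$extended_error ?: $errorMsg`, which reads more easily. The enclosing function starts and ends outside the hunk.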
diff --git a/apps/user_ldap/lib/User_LDAP.php b/apps/user_ldap/lib/User_LDAP.php
index 9f2468bcc85..8dfde2d8148 100644
--- a/apps/user_ldap/lib/User_LDAP.php
+++ b/apps/user_ldap/lib/User_LDAP.php
@@ -35,6 +35,7 @@
namespace OCA\User_LDAP;
+use OC\User\Backend;
use OC\User\NoUserException;
use OCA\User_LDAP\Exceptions\NotOnLDAP;
use OCA\User_LDAP\User\OfflineUser;
@@ -175,6 +176,26 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn
}
/**
+ * Set password
+ * @param string $uid The username
+ * @param string $password The new password
+ * @return bool
+ */
+ public function setPassword($uid, $password) {
+ $user = $this->access->userManager->get($uid);
+
+ if(!$user instanceof User) {
+ throw new \Exception('LDAP setPassword: Could not get user object for uid ' . $uid .
+ '. Maybe the LDAP entry has no set display name attribute?');
+ }
+ if($user->getUsername() !== false) {
+ return $this->access->setPassword($user->getDN(), $password);
+ }
+
+ return false;
+ }
+
+ /**
* Get a list of all users
*
* @param string $search
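Review bot: The `!$user instanceof User` branch throws a message blaming a missing display-name attribute, but `userManager->get($uid)` presumably can also return an `OfflineUser` (imported at the top of this file), for which that hint is wrong and would send an admin looking at the wrong setting; a cause-neutral message such as `'LDAP setPassword: no active LDAP user object for uid ' . $uid` avoids that. The docblock's `@return bool` should be joined by `@throws \Exception when no user object is available` and `@throws \OC\HintException propagated from Access::setPassword when the directory rejects the password`, since the caller has to handle both. Note that the only gate before the write is `getUsername() !== false`; the feature flag is enforced inside Access::setPassword, which is fine but worth a one-line comment here so nobody assumes the check is missing. The class continues outside the hunk.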
@@ -449,11 +470,12 @@ class User_LDAP extends BackendUtility implements \OCP\IUserBackend, \OCP\UserIn
* compared with OC_USER_BACKEND_CREATE_USER etc.
*/
public function implementsActions($actions) {
- return (bool)((\OC\User\Backend::CHECK_PASSWORD
- | \OC\User\Backend::GET_HOME
- | \OC\User\Backend::GET_DISPLAYNAME
- | \OC\User\Backend::PROVIDE_AVATAR
- | \OC\User\Backend::COUNT_USERS)
+ return (bool)((Backend::CHECK_PASSWORD
+ | Backend::GET_HOME
+ | Backend::GET_DISPLAYNAME
+ | Backend::PROVIDE_AVATAR
+ | Backend::COUNT_USERS
+ | ((intval($this->access->connection->turnOnPasswordChange) === 1)?(Backend::SET_PASSWORD):0))
& $actions);
}
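Review bot: The capability advertised here, `intval($this->access->connection->turnOnPasswordChange) === 1`, duplicates the enforcement check in Access::setPassword in this same commit; if one of the two is changed (for example to accept a different truthy representation) core would either advertise SET_PASSWORD for a backend that then throws, or silently stop offering it, so a single predicate on the connection or access object that both call would keep them in sync. As a point of style, the parentheses around `Backend::SET_PASSWORD` add nothing and the ternary is easier to read spaced: `| (intval($this->access->connection->turnOnPasswordChange) === 1 ? Backend::SET_PASSWORD : 0))`.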
diff --git a/apps/user_ldap/lib/User_Proxy.php b/apps/user_ldap/lib/User_Proxy.php
index cced469a7ae..2cdf401880e 100644
--- a/apps/user_ldap/lib/User_Proxy.php
+++ b/apps/user_ldap/lib/User_Proxy.php
@@ -262,6 +262,17 @@ class User_Proxy extends Proxy implements \OCP\IUserBackend, \OCP\UserInterface,
public function deleteUser($uid) {
return $this->handleRequest($uid, 'deleteUser', array($uid));
}
+
+ /**
+ * Set password
+ * @param string $uid The username
+ * @param string $password The new password
+ * @return bool
+ *
+ */
+ public function setPassword($uid, $password) {
+ return $this->handleRequest($uid, 'setPassword', array($uid, $password));
+ }
/**
* @return bool
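Review bot: The new setPassword docblock ends with a stray empty ` *` line before `*/`, which none of the neighbouring docblocks in this file have; drop it. Since `handleRequest` appears to forward the call to the backend that owns `$uid`, exceptions raised by that backend's setPassword presumably propagate through here, so a `@throws \Exception propagated from the selected backend` line would make the proxy's contract match what callers actually see. The class continues outside the hunk.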