fix some ppolicy criteria evaluation (#119)

ltb-project · Sep 11, 2024 · 0647b3a · 0647b3a
1 parent afc8ec8
commit 0647b3a
Show file tree

Hide file tree

Showing 6 changed files with 37 additions and 11 deletions.
diff --git a/.gitignore b/.gitignore
@@ -6,4 +6,5 @@ docs/_build
 composer.lock
 tests/.phpunit.result.cache
 htdocs/js/ppolicy.js
+htdocs/css/ppolicy.css
 templates/policy.tpl
diff --git a/conf/config.inc.php b/conf/config.inc.php
@@ -137,12 +137,8 @@
 $pwd_special_chars = "^a-zA-Z0-9";
 # Forbidden characters
 #$pwd_forbidden_chars = "@%";
-# Don't reuse the same password as currently
-$pwd_no_reuse = true;
 # Check that password is different than login
 $pwd_diff_login = true;
-# Check new passwords differs from old one - minimum characters count
-$pwd_diff_last_min_chars = 0;
 # Forbidden words which must not appear in the password
 $pwd_forbidden_words = array();
 # Forbidden ldap fields

diff --git a/htdocs/index.php b/htdocs/index.php
@@ -82,9 +82,9 @@
     "pwd_min_digit"             => $pwd_min_digit,
     "pwd_min_special"           => $pwd_min_special,
     "pwd_special_chars"         => $pwd_special_chars,
+    "pwd_no_reuse"              => false, # old password not available
     "pwd_forbidden_chars"       => $pwd_forbidden_chars,
-    "pwd_no_reuse"              => $pwd_no_reuse,
-    "pwd_diff_last_min_chars"   => $pwd_diff_last_min_chars,
+    "pwd_diff_last_min_chars"   => 0, # old password not available
     "pwd_diff_login"            => $pwd_diff_login,
     "pwd_complexity"            => $pwd_complexity,
     "use_pwnedpasswords"        => $use_pwnedpasswords,

diff --git a/htdocs/resetpassword.php b/htdocs/resetpassword.php
@@ -57,17 +57,46 @@
             }
         }
 
+        # save LDAP modifications to apply in $entry variable
         $entry["userPassword"] = $password;
         if ( $pwdreset === "true" ) {
             $entry["pwdReset"] = "TRUE";
         }
 
+        # Get current entry first
+        $entries_search = $ldapInstance->search_with_scope("base", $dn, '(objectClass=*)');
+        $errno = ldap_errno($ldap);
+        if ( $errno ) {
+            $result = "ldaperror";
+            error_log("LDAP - Search error $errno  (".ldap_error($ldap).")");
+        }
+        $entry_search = ldap_first_entry($ldap, $entries_search);
+        $entry_array = ldap_get_attributes($ldap, $entry_search);
+        # Get identifier attribute
+        $identifiers = ldap_get_values( $ldap,
+                                        $entry_search,
+                                        $attributes_map['identifier']['attribute']
+                                      );
+        $identifier = $identifiers[0];
+        if ( !isset($identifier) || $identifier == "" ) {
+            $result = "ldaperror";
+            error_log("LDAP - Unable to find identifier for LDAP entry ".
+                      var_export($entry_array, true));
+        }
+
         #==============================================================================
         # Check password strength
         #==============================================================================
-        # TODO: get login first to prevent password = login
-        # TODO: get ldap entry first, to prevent pwd_forbidden_ldap_fields in password
-        $result = \Ltb\Ppolicy::check_password_strength( $password, "", $pwd_policy_config, "", array(), array() );
+        if( $result != "ldaperror" )
+        {
+            $result = \Ltb\Ppolicy::check_password_strength( $password,
+                                                             "",
+                                                             $pwd_policy_config,
+                                                             $identifier,
+                                                             $entry_array,
+                                                             array()
+                                                           );
+        }
 
         if( $result === "")
         {

diff --git a/htdocs/search.php b/htdocs/search.php
@@ -10,7 +10,7 @@
     require_once("../conf/config.inc.php");
     require __DIR__ . '/../vendor/autoload.php';
 
-    $filter_escape_chars = null;
+    $filter_escape_chars = "";
     if (!$search_use_substring_match) { $filter_escape_chars = "*"; }
 
     $search_query = ldap_escape($_POST["search"], $filter_escape_chars, LDAP_ESCAPE_FILTER);

diff --git a/templates/display.tpl b/templates/display.tpl
@@ -21,7 +21,7 @@
                 {if !({$entry.$attribute.0}) && ! $show_undef}
                     {continue}
                 {/if}
-                    <tr>
+                    <tr id="info_{$item}">
                         <th class="text-center">
                             <i class="fa fa-fw fa-{$faclass}"></i>
                         </th>