Index: app/controllers/account_controller.rb IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- app/controllers/account_controller.rb (revision 1cadb0037ce575d4c504c0c2407ac2793750a906) +++ app/controllers/account_controller.rb (revision ) @@ -70,12 +70,23 @@ return end if request.post? + if @user.isExternal? + if @user.newExternalPassword(params[:new_password], params[:new_password_confirmation]) + @token.destroy + flash[:notice] = l(:notice_account_password_updated) + redirect_to signin_path + return + else + flash[:error] = l(:notice_external_password_error) + end + else - @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation] - if @user.save - @token.destroy - flash[:notice] = l(:notice_account_password_updated) - redirect_to signin_path - return + @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation] + if @user.save + @token.destroy + flash[:notice] = l(:notice_account_password_updated) + redirect_to signin_path + return + end end end render :template => "account/password_recovery" Index: app/controllers/my_controller.rb IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- app/controllers/my_controller.rb (revision 1cadb0037ce575d4c504c0c2407ac2793750a906) +++ app/controllers/my_controller.rb (revision ) @@ -100,13 +100,25 @@ elsif params[:password] == params[:new_password] flash.now[:error] = l(:notice_new_password_must_be_different) else + + if @user.isExternal? + if @user.changeExternalPassword(params[:password],params[:new_password], params[:new_password_confirmation]) + session[:ctime] = Time.now.change(:usec => 0).utc.to_i + flash[:notice] = l(:notice_account_password_updated) + redirect_to my_account_path + else + flash[:error] = l(:notice_external_password_error) + end + else - @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation] - @user.must_change_passwd = false - if @user.save + @user.password, @user.password_confirmation = params[:new_password], params[:new_password_confirmation] + @user.must_change_passwd = false + if @user.save - # The session token was destroyed by the password change, generate a new one - session[:tk] = @user.generate_session_token + # Reset the session creation time to not log out this session on next + # request due to ApplicationController#force_logout_if_password_changed + session[:ctime] = User.current.passwd_changed_on.utc.to_i - flash[:notice] = l(:notice_account_password_updated) - redirect_to my_account_path + flash[:notice] = l(:notice_account_password_updated) + redirect_to my_account_path + end end end end Index: app/helpers/auth_sources_helper.rb IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- app/helpers/auth_sources_helper.rb (revision 1cadb0037ce575d4c504c0c2407ac2793750a906) +++ app/helpers/auth_sources_helper.rb (revision ) @@ -21,4 +21,11 @@ def auth_source_partial_name(auth_source) "form_#{auth_source.class.name.underscore}" end + + module Encryption + # Return an array of password encryptions + def self.encryptiontypes + ["MD5","SSHA","CLEAR"] + end + end end Index: config/locales/en.yml IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- config/locales/en.yml (revision 1cadb0037ce575d4c504c0c2407ac2793750a906) +++ config/locales/en.yml (revision ) @@ -1169,3 +1169,6 @@ description_date_from: Enter start date description_date_to: Enter end date text_repository_identifier_info: 'Only lower case letters (a-z), numbers, dashes and underscores are allowed.
Once saved, the identifier cannot be changed.' + notice_external_password_error: Error changing external password. + field_password_encryption: Encryption + field_enabled_passwd: Enabled password changing Index: app/views/auth_sources/_form_auth_source_ldap.html.erb IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- app/views/auth_sources/_form_auth_source_ldap.html.erb (revision 1cadb0037ce575d4c504c0c2407ac2793750a906) +++ app/views/auth_sources/_form_auth_source_ldap.html.erb (revision ) @@ -14,6 +14,7 @@

<%= f.text_area :filter, :size => 60, :label => :field_auth_source_ldap_filter %>

<%= f.text_field :timeout, :size => 4 %>

<%= f.check_box :onthefly_register, :label => :field_onthefly %>

+

<%= f.check_box :enabled_passwd, :label => :field_enabled_passwd %>

<%=l(:label_attribute_plural)%> @@ -21,4 +22,5 @@

<%= f.text_field :attr_firstname, :size => 20 %>

<%= f.text_field :attr_lastname, :size => 20 %>

<%= f.text_field :attr_mail, :size => 20 %>

+

<%= f.select :password_encryption, AuthSourcesHelper::Encryption.encryptiontypes %>

Index: config/environments/production.rb IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- config/environments/production.rb (revision 1cadb0037ce575d4c504c0c2407ac2793750a906) +++ config/environments/production.rb (revision ) @@ -22,4 +22,6 @@ # Print deprecation notices to the Rails logger. config.active_support.deprecation = :log + + # config.log_level = :info end Index: app/models/auth_source_ldap.rb IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- app/models/auth_source_ldap.rb (revision 1cadb0037ce575d4c504c0c2407ac2793750a906) +++ app/models/auth_source_ldap.rb (revision ) @@ -18,6 +18,8 @@ require 'net/ldap' require 'net/ldap/dn' require 'timeout' +require 'digest' +require 'base64' class AuthSourceLdap < AuthSource NETWORK_EXCEPTIONS = [ @@ -68,7 +70,98 @@ def auth_method_name "LDAP" + end + + def allow_password_changes? + return self.enabled_passwd + end + + def encode_password(clear_password) + chars = ("a".."z").to_a + ("A".."Z").to_a + ("0".."9").to_a + salt = '' + 10.times { |i| salt << chars[rand(chars.size-1)] } + + if self.password_encryption == "MD5" + logger.debug "Encode as md5" + return "{MD5}"+Base64.encode64(Digest::MD5.digest(clear_password)).chomp! + end + if self.password_encryption == "SSHA" + logger.debug "Encode as ssha" + return "{SSHA}"+Base64.encode64(Digest::SHA1.digest(clear_password+salt)+salt).chomp! + end + + if self.password_encryption == "CLEAR" + logger.debug "Encode as cleartype" + return clear_password + end + # + end + + # change password + def change_password(login,password,newPassword) + begin + attrs = get_user_dn(login, password) + if attrs + if self.account.blank? || self.account_password.blank? + logger.debug "Binding with user account" + ldap_con = initialize_ldap_con(attrs[:dn], password) + else + logger.debug "Binding with administrator account" + ldap_con = initialize_ldap_con(self.account, self.account_password) + end + + ops = [ + [:delete, :userPassword, password], + [:add, :userPassword, newPassword] + ] + #return ldap_con.modify :dn => attrs[:dn], :operations => ops + # This is another password change method, probably more common + newPassword = encode_password(newPassword) + # logger.info("NEW PASSWORD #{newPassword}") + if newPassword.blank? + logger.debug "Invaild password" + return false + else + logger.debug "Try to change password" + return ldap_con.replace_attribute attrs[:dn], :userPassword, newPassword + end + end + rescue + return false + end + return false + end + + def lost_password(login,newPassword) + begin + attrs = get_user_dn_nopass(login) + if attrs + ldap_con = initialize_ldap_con(self.account, self.account_password) + return ldap_con.replace_attribute attrs[:dn], :userPassword, encode_password(newPassword) + end + rescue + return false + end + return false + end + + def get_user_dn_nopass(login) + ldap_con = nil + ldap_con = initialize_ldap_con(self.account, self.account_password) + attrs = {} + search_filter = base_filter & Net::LDAP::Filter.eq(self.attr_login, login) + ldap_con.search( :base => self.base_dn, + :filter => search_filter, + :attributes=> search_attributes) do |entry| + if onthefly_register? + attrs = get_user_attributes_from_ldap_entry(entry) + else + attrs = {:dn => entry.dn} + end + logger.debug "DN found for #{login}: #{attrs[:dn]}" if logger && logger.debug? + end + attrs - end + end # Returns true if this source can be searched for users def searchable? Index: app/views/layouts/base.html.erb IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== --- app/views/layouts/base.html.erb (revision 1cadb0037ce575d4c504c0c2407ac2793750a906) +++ app/views/layouts/base.html.erb (revision ) @@ -112,7 +112,7 @@