(legacy/ldap) allow local users to be created with random password, solves...

(legacy/ldap) allow local users to be created with random password, solves errors in log when linking groups and leaves the possibility open to allow shell login using ldap in a later stage (currently not supported)

(legacy/ldap) allow local users to be created with random password, solves...
(legacy/ldap) allow local users to be created with random password, solves errors in log when linking groups and leaves the possibility open to allow shell login using ldap in a later stage (currently not supported)
a160f3a2 · Ad Schellevis · 15d88980 · a160f3a2 · a160f3a2
Commit a160f3a2 authored Jul 30, 2015 by Ad Schellevis
Hide whitespace changes
Inline Side-by-side

Showing with 16 additions and 8 deletions

auth.inc src/etc/inc/auth.inc +4 -8

system_usermanager_import_ldap.php src/www/system_usermanager_import_ldap.php +12 -0

No files found.
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -395,14 +395,10 @@ function local_sync_accounts()
 function local_user_set(&$user)
 {
 	if (empty($user['password'])) {
-		if (empty($user['user_dn'])) {
-			// log error for local users, (ldap) server authenticated users should not be created locally
-			// and therefore maybe empty
-			log_error(sprintf(
-				gettext('There is something wrong in your config because user %s password is missing!'),
-				$user['name']
-			));
-		}
+		log_error(sprintf(
+			gettext('There is something wrong in your config because user %s password is missing!'),
+			$user['name']
+		));
 		return;
 	}


--- a/src/www/system_usermanager_import_ldap.php
+++ b/src/www/system_usermanager_import_ldap.php
@@ -31,10 +31,20 @@ require_once("auth.inc");

 function add_local_user($username, $userdn, $userfullname) {
  global $config;
+
+  // generate new random user_password
+  $bytes = openssl_random_pseudo_bytes(50);
+  $user_password = pack('H*',bin2hex($bytes));
+
  foreach ($config['system']['user'] as &$user) {
      if ($user['name'] == $username && $user['name'] != 'root') {
        // link local user to remote server by updating user_dn
        $user['user_dn'] = $userdn;
+        // trash user password when linking to ldap, avoid accidental login
+        // using fall-back local password. User could still reset it's
+        // local password, but only by choice.
+        local_user_set_password($user, $user_password);
+        local_user_set($user);
        return;
      }
  }
@@ -44,8 +54,10 @@ function add_local_user($username, $userdn, $userfullname) {
  $new_user['name'] = $username;
  $new_user['user_dn'] = $userdn;
  $new_user['descr'] = $userfullname;
+  local_user_set_password($new_user, $user_password);
  $new_user['uid'] = $config['system']['nextuid']++;
  $config['system']['user'][] = $new_user;
+  local_user_set($new_user);
 }

 global $config;