From 328a285575e0c6069665439cd7ab16142984fac6 Mon Sep 17 00:00:00 2001
From: Srdjan
Date: Fri, 23 Aug 2013 20:02:53 +1200
Subject: [PATCH] bug 9611: use hash_password() and checkpw_* for LDAP logins instead of md5 hash Test: * LDAP: - Turn on LDAP auth in koha-config.xml. Set "update" in your server config to 1 - Change user's password on LDAP - Login to Koha using LDAP - Koha password should be updated, to check - Turn off LDAP auth in koha-config.xml - You should be ble to log in with the new password I do not have a LDAP facility, so I cheated. I ran perl -e 'use C4::Auth_with_ldap; C4::Auth_with_ldap::_do_changepassword("srdjan", 1000022259, "srdjan");' and was able to change the password. Signed-off-by: Bernardo Gonzalez Kriegel Work as described. Test 1) change to 1 2) copy/paste sample config from perldoc C4/Auth_with_ldap 3) using sample script was able to change password, use (userid, borrowernumber, newpass) as arguments 4) checked with OPAC and in database Signed-off-by: Kyle M Hall Signed-off-by: Galen Charlton
---
 C4/Auth_with_ldap.pm | 64 ++++++++++++++++++++++----------------------
 1 file changed, 32 insertions(+), 32 deletions(-)
diff --git a/C4/Auth_with_ldap.pm b/C4/Auth_with_ldap.pm
index 0efeb95dca..c26990e966 100644
--- a/C4/Auth_with_ldap.pm
+++ b/C4/Auth_with_ldap.pm
@@ -19,13 +19,14 @@ package C4::Auth_with_ldap;
 use strict;
 #use warnings; FIXME - Bug 2505
-use Digest::MD5 qw(md5_base64);
+use Carp;
 use C4::Debug;
 use C4::Context;
 use C4::Members qw(AddMember changepassword);
 use C4::Members::Attributes;
 use C4::Members::AttributeTypes;
+use C4::Auth qw(hash_password checkpw_internal);
 use List::MoreUtils qw( any );
 use Net::LDAP;
 use Net::LDAP::Filter;
@@ -257,44 +258,43 @@ sub exists_local { } sub _do_changepassword { - my ($userid, $borrowerid, $digest) = @_; + my ($userid, $borrowerid, $password) = @_; + + my $digest = hash_password($password); + $debug and print STDERR "changing local password for borrowernumber=$borrowerid to '$digest'\n"; changepassword($userid, $borrowerid, $digest); - # Confirm changes - my $sth = C4::Context->dbh->prepare("SELECT password,cardnumber FROM borrowers WHERE borrowernumber=? "); - $sth->execute($borrowerid); - if ($sth->rows) { - my ($md5password, $cardnum) = $sth->fetchrow; - ($digest eq $md5password) and return $cardnum; - warn "Password mismatch after update to cardnumber=$cardnum (borrowernumber=$borrowerid)"; - return; - } - die "Unexpected error after password update to userid/borrowernumber: $userid / $borrowerid."; + my ($ok, $cardnum) = checkpw_internal(C4::Context->dbh, $userid, $password); + return $cardnum if $ok; + + warn "Password mismatch after update to borrowernumber=$borrowerid"; + return; } sub update_local { - my $userid = shift or return; - my $digest = md5_base64(shift) or return; - my $borrowerid = shift or return; - my $borrower = shift or return; - my @keys = keys %$borrower; - my $dbh = C4::Context->dbh; - my $query = "UPDATE borrowers\nSET " . - join(',', map {"$_=?"} @keys) . - "\nWHERE borrowernumber=? "; - my $sth = $dbh->prepare($query); - if ($debug) { - print STDERR $query, "\n", - join "\n", map {"$_ = '" . $borrower->{$_} . "'"} @keys; - print STDERR "\nuserid = $userid\n"; - } - $sth->execute( - ((map {$borrower->{$_}} @keys), $borrowerid) - ); + my $userid = shift or croak "No userid"; + my $password = shift or croak "No password"; + my $borrowerid = shift or croak "No borrowerid"; + my $borrower = shift or croak "No borrower record"; + + my @keys = keys %$borrower; + my $dbh = C4::Context->dbh; + my $query = "UPDATE borrowers\nSET " . + join(',', map {"$_=?"} @keys) . + "\nWHERE borrowernumber=? 
"; + my $sth = $dbh->prepare($query); + if ($debug) { + print STDERR $query, "\n", + join "\n", map {"$_ = '" . $borrower->{$_} . "'"} @keys; + print STDERR "\nuserid = $userid\n"; + } + $sth->execute( + ((map {$borrower->{$_}} @keys), $borrowerid) + ); - # MODIFY PASSWORD/LOGIN - _do_changepassword($userid, $borrowerid, $digest); + # MODIFY PASSWORD/LOGIN + _do_changepassword($userid, $borrowerid, $password); } 1; -- 2.39.5
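Review bot: In `_do_changepassword` the `$debug` print still interpolates `'$digest'`, and with this change that value is the stored credential hash returned by `hash_password()`, so turning debug on copies each updated user's password hash to STDERR and into whatever log collects it. The message should drop the hash, e.g. `$debug and print STDERR "changing local password for borrowernumber=$borrowerid\n";`. The confirmation step also changes its key: the removed SELECT checked the row by `borrowernumber`, while `checkpw_internal` is called with `$userid`, so if the two can ever resolve to different rows the check validates a record other than the one `changepassword` updated; `checkpw_internal` is not visible here, so this needs confirming against its lookup. The `if ($debug)` block in `update_local` likewise prints every borrower field value to STDERR and deserves the same treatment.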