#!/usr/bin/perl # ############################################################################## # ldappass.cgi # # Modify 2003/3/28 Akira Takahashi akira@kushiro-ct.ac.jp # http://www.kushiro-ct.ac.jp/akira/misc/ldappass.html # # Modify 2003/9/30 # use Crypt::SmbHash Thanks higa@heart-land.jp ############################################################################## # # changepass.pl - A program to allow users to change their passwords # via a web browser. # Terry Davis # # URLs # Net::LDAP - http:// # usermod and this file - http://www.cloudamster.com/cloudmaster/projects # # Release History: # Version 0.1 - initial write # # ToDo: # ... the ToDo section is on the ToDo list... # Limitations: # The password cannot contain single and double quotes.....welcome to quoting hell.... # # Notes: # This code is largely based on work done by Danny Sauer - http://www.cloudamster.com/cloudmaster/projects # His work is not licensed and is marked as 'freely distributable'. # Thank you to Danny for his hard work on the initial work. # ############################################################################## use CGI qw(:standard); use Net::LDAP; use Crypt::SmbHash; # CONFIGURATION SECTION $masterLDAP = "ldap.gcc.kushiro-ct.ac.jp"; $basedn = "dc=kushiro-ct,dc=ac,dc=jp"; $userdn = "ou=People,$basedn"; # $masterPw = ""; # $masterDN = "cn=Manager,$basedn"; # $ldap_path = "/usr/bin"; # $ldap_opts = "-x "; # $ldappasswd = "$ldap_path/ldappasswd $ldap_opts -h $masterLDAP -D '$masterDN' -w '$masterPw'"; # END CONFIGURATION # DONT EDIT ANYTHING BELOW THIS LINE $logtag = "Login:"; $passtag = "Current password:"; $npasstag1 = "New password:"; $npasstag2 = "Retype new pasword:"; $error = ""; $color = ""; $stopcolor = ""; if(param()){ nologin() unless ($username = param('login')); nopass() unless ($oldpass = param('oldpass')); nonewpass(1) unless ($newpass1 = param('newpass')); nonewpass(2) unless ($newpass2 = param('newpass2')); verifyuser($username) or die "bad user"; verifypass($username, $oldpass) or die "bad pass"; testnewpass($newpass1, $newpass2) or die "bad new pass"; changepass($username,$oldpass,$newpass1) or die "couldn't change pass"; printsuccess(); }else{ printpage(); } exit(0); sub changepass{ local $user = shift; local $pass = shift; local $newpass = shift; local $dn = "uid=$user,$userdn"; $cpass = "{crypt}" . crypt($newpass,$user) ; my $cpass ; my $lmpassword ; my $ntpassword ; $cpass = "{crypt}" . crypt($newpass,$user) ; ntlmgen $newpass,$lmpassword,$ntpassword ; $ldap = Net::LDAP->new($masterLDAP) or die "can't make new LDAP object: $@"; $res = $ldap->bind( $dn , password => $pass ) ; if( $res->code > 0) { $logtag = $color . $logtag . $color; $error = $res->error ; printpage(); return 0; } $mesg = $ldap->modify( $dn, changes => [ replace => [ 'userPassword' => $cpass], replace => [ 'lmPassword' => $lmpassword], replace => [ 'ntPassword' => $ntpassword] ] ); if( $mesg->code > 0) { $logtag = $color . $logtag . $color ; $error = $mesg->error ; printpage(); return 0; } # system "$ldappasswd $dn -s '$newpass' > /dev/null"; # `/usr/bin/sudo /usr/bin/smbpasswd $user "$newpass"`; return 1; # exit(1); } sub verifyuser{ local $user = shift; $ldap = Net::LDAP->new($masterLDAP) or die "can't make new LDAP object: $@"; $ldap->bind(); if (0 < $ldap->search(base => $basedn, filter => "(uid=$user)")->count){ return 1; } $logtag = $color . $logtag . $color; $error = "No such user"; printpage(); return 0; } sub verifypass{ $uid = shift; $pass = shift; $ldap = Net::LDAP->new($masterLDAP) or die "can't make new LDAP object: $@"; $binddn = "uid=$uid,ou=People,$basedn"; return 1 if( $ldap->bind($binddn, password => $pass) ->code == 0); if($ldap->bind()){ $passtag = $color . $passtag . $color; $error = "Incorrect password"; printpage(); return 0; }else{ print header, start_html(-title=>"LDAP dead"); print h2("
The LDAP server is temporarily unavailable."), p,"Please try again later
"; return 0; } die "Something (or someone) is defective, contact your friendly Systems Administrator"; } sub testnewpass{ $p1 = shift; $p2 = shift; if ($p1 ne $p2){ $npasstag1 = $color . $npasstag1 . $color; $npasstag2 = $color . $npasstag2 . $color; $error = "Passwords don't match ($p1 vs $p2)"; printpage(); return 0; } if ($p1 =~ /"/ ){ $npasstag1 = $color . $npasstag1 . $color; $npasstag2 = $color . $npasstag2 . $color; $error = "Passwords cannot contain double quotes. Sorry"; printpage(); return 0; } if ($p1 =~ /'/ ){ $npasstag1 = $color . $npasstag1 . $color; $npasstag2 = $color . $npasstag2 . $color; $error = "Passwords cannot contain single quotes. Sorry"; printpage(); return 0; } return 1; } sub nologin{ $logtag = $color . $logtag . $color; $error = "You need to enter a Login Name"; printpage(); exit(1); } sub nopass{ $passtag = $color . $passtag . $color; $error = "Please enter your old password"; printpage(); exit(1); } sub nonewpass{ $f=shift; $npasstag1 = $color . $npasstag1 . $color if($f==1); $npasstag2 = $color . $npasstag2 . $color if($f==2); $error = "You need to enter your new password twice" if($f==2); printpage(); exit(1); } sub printpage{ print header, start_html(-title=> "Password Change Page", -author=> 'tdavis\@birddog.com', -BGCOLOR=> 'WHITE'), h3('Password Change Page'), startform(-method=>'POST'), "", "", "
", $logtag, "", textfield(-name=>'login', -default=>$login, -size=>15, -maxlength=>20), "
", $passtag, "", password_field(-name=>'oldpass', -size=>15, -maxlength=>25), "
", $npasstag1, "", password_field(-name=>'newpass', -size=>15, -maxlength=>25), "
", $npasstag2, "", password_field(-name=>'newpass2', -size=>15, -maxlength=>25), "
", submit(-name=>"change"),reset(), "
", "", endform(), "$error", end_html; } sub printsuccess(){ print header, start_html(-title=> "Success", -BGCOLOR=> 'WHITE'), h2("Password Succesfully Changed"), "
", end_html; } # ; --------------------- end of ldappass.cgi -------------------------