#!/usr/bin/perl
##############################################################################
# ldappassadm.cgi
#
# Modify 2003/3/28 Akira Takahashi akira@kushiro-ct.ac.jp
# http://www.kushiro-ct.ac.jp/akira/misc/ldappassadm.html
#
# Modify 2003/9/30
# use Crypt::SmbHash Thanks higa@heart-land.jp
##############################################################################
#
# changepass.pl - A program to allow users to change their passwords
# via a web browser.
# Terry Davis
#
# URLs
# Net::LDAP - http://
# usermod and this file - http://www.cloudamster.com/cloudmaster/projects
#
# Release History:
# Version 0.1 - initial write
#
# ToDo:
# ... the ToDo section is on the ToDo list...
#
# Limitations:
# The password cannot contain single and double quotes.....welcome to quoting hell....
#
# Notes:
# This code is largely based on work done by Danny Sauer - http://www.cloudamster.com/cloudmaster/projects
# His work is not licensed and is marked as 'freely distributable'.
# Thank you to Danny for his hard work on the initial work.
#
################################################################################
use CGI qw(:standard);
use Net::LDAP;
use Crypt::SmbHash;
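# CONFIGURATION SECTION
$masterLDAP = "ldap.gcc.kushiro-ct.ac.jp";   # LDAP host holding the accounts
$basedn = "dc=kushiro-ct,dc=ac,dc=jp";
$userdn = "ou=People,$basedn";               # entries are "uid=<uid>,$userdn"
# $masterPw = "";
# $masterDN = "cn=Manager,$basedn";
# $ldap_path = "/usr/bin";
# $ldap_opts = "-x ";
# $ldappasswd = "$ldap_path/ldappasswd $ldap_opts -h $masterLDAP ";
# END CONFIGURATION
# DONT EDIT ANYTHING BELOW THIS LINE
# Form labels. The error subs wrap the offending label in $color / $stopcolor
# before re-printing the form; with both empty there is no visible highlight.
$logtag = "Target UID:";
$npasstag1 = "Target New password:";
$npasstag2 = "Retype New password:";
$logtag2 = "Manager UID:";
$passtag = "Manager password:";
$error = "";        # message printed under the form by printpage()
$color = "";        # markup placed before a highlighted label
$stopcolor = "";    # closing counterpart of $color
# NOTE(review): the form carries the manager's and the target's passwords in
# a POST body; this script should only be reachable over TLS.
if (param()) {
    # Form was submitted. A missing field prints the form again and exits.
    # Presence is tested with defined/length rather than truthiness so that
    # a login or password of "0" is not mistaken for an empty field.
    $username  = param('login');
    nologin()     unless defined $username  && length $username;
    $username2 = param('login2');
    nologin2()    unless defined $username2 && length $username2;
    $oldpass   = param('oldpass');
    nopass()      unless defined $oldpass   && length $oldpass;
    $newpass1  = param('newpass');
    nonewpass(1)  unless defined $newpass1  && length $newpass1;
    $newpass2  = param('newpass2');
    nonewpass(2)  unless defined $newpass2  && length $newpass2;
    # Each check below prints the form with an error and returns 0 on
    # failure, so the die only ends up in the web server's error log.
    verifyuser($username) or die "bad user";
    verifyuser2($username, $username2, $oldpass) or die "bad manager";
    # verifypass($username, $oldpass) or die "bad pass";
    testnewpass($newpass1, $newpass2) or die "bad new pass";
    changepassadm($username, $username2, $oldpass, $newpass1) or die "couldn't change pass";
    printsuccess();
} else {
    printpage();
}
exit(0);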
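sub changepassadm{
    # Set a new password on the target user's entry, binding as the manager.
    #
    # Args:    $user     target uid (already checked by verifyuser/verifyuser2)
    #          $manager  uid of the account used for the bind
    #          $bindpass that account's password
    #          $newpass  the new password for $user
    # Returns: 1 when the LDAP modify succeeds; 0 after printing the form
    #          with an error message.
    # Dies if no Net::LDAP object can be created for $masterLDAP.
    my ($user, $manager, $bindpass, $newpass) = @_;
    # Escape RFC 4514 DN special characters in both uids so a crafted value
    # cannot turn "uid=<uid>,$userdn" into the DN of a different entry.
    my ($safe_user, $safe_manager) = map {
        (my $v = $_) =~ s/([\\,+"<>;])/\\$1/g;
        $v =~ s/\0/\\00/g;
        $v =~ s/\A([# ])/\\$1/;
        $v =~ s/ \z/\\ /;
        $v;
    } ($user, $manager);
    my $dn     = "uid=$safe_user,$userdn";
    my $bindDN = "uid=$safe_manager,$userdn";
    my $ldap = Net::LDAP->new($masterLDAP) or die "can't make new LDAP object: $@";
    my $res1 = $ldap->bind($bindDN, password => $bindpass)->code;
    if (0 < $res1) {
        # The original wrapped $logtag2 here, which replaced the password
        # label with the manager-uid label; highlight the password label.
        $passtag = $color . $passtag . $stopcolor;
        $error = "Wrong Manager Password ";
        printpage();
        return 0;
    }
    # crypt(3) salt: two characters from the crypt alphabet. The original
    # passed the uid as the salt, which is predictable and may contain
    # characters outside that alphabet. rand() is adequate here because a
    # salt only needs to be unique, not secret.
    my @salt_chars = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');
    my $salt = join '', map { $salt_chars[rand @salt_chars] } 1 .. 2;
    my $cpass = "{crypt}" . crypt($newpass, $salt);
    # Samba hashes. lmPassword is the legacy LanManager hash and is only
    # written because the existing entries carry that attribute.
    my ($lmpassword, $ntpassword);
    ntlmgen $newpass,$lmpassword,$ntpassword ;
    my $mesg = $ldap->modify( $dn,
        changes => [
            replace => [ 'userpassword' => $cpass ],
            replace => [ 'lmPassword'   => $lmpassword ],
            replace => [ 'ntPassword'   => $ntpassword ],
        ]
    );
    $ldap->unbind;
    # The original returned 1 without looking at the modify result, so a
    # change the server rejected (e.g. by ACL) was reported as a success.
    if ($mesg->code) {
        $error = "Password change failed (LDAP error " . $mesg->code . ")";
        printpage();
        return 0;
    }
    return 1;
}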
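sub verifyuser{
    # Check that a uid exists under $basedn, using an anonymous bind.
    # Arg:     $user - uid taken from the form.
    # Returns: 1 if at least one entry matches; 0 after printing the form
    #          with an error message.
    # Dies if no Net::LDAP object can be created for $masterLDAP.
    my $user = shift;
    my $ldap = Net::LDAP->new($masterLDAP) or die "can't make new LDAP object: $@";
    # The original ignored the bind result, so a failed bind surfaced as
    # "No such user".
    if ($ldap->bind->code) {
        $error = "LDAP bind failed, please try again later";
        printpage();
        return 0;
    }
    # Escape RFC 4515 filter metacharacters so the uid is matched as a
    # literal value rather than interpreted as filter syntax.
    (my $safe_user = $user) =~ s/([\\*()\0])/sprintf('\\%02x', ord $1)/ge;
    my $found = $ldap->search(base => $basedn, filter => "(uid=$safe_user)")->count;
    $ldap->unbind;
    return 1 if $found > 0;
    $logtag = $color . $logtag . $stopcolor;
    $error = "No such user";
    printpage();
    return 0;
}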
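sub verifyuser2{
    # Bind as the manager and confirm the manager may act on the target:
    # the target's entry must exist under $userdn and its userPassword
    # attribute must be readable through the manager's bind (the check the
    # original relied on to decide "cannot change password").
    # Args:    $user     target uid
    #          $manager  manager uid
    #          $bindpass manager password
    # Returns: 1 on success; 0 after printing the form with an error.
    # Dies if no Net::LDAP object can be created for $masterLDAP.
    my ($user, $manager, $bindpass) = @_;
    # Escape RFC 4514 DN special characters so the manager uid cannot
    # alter the DN being bound to.
    (my $safe_manager = $manager) =~ s/([\\,+"<>;])/\\$1/g;
    $safe_manager =~ s/\0/\\00/g;
    $safe_manager =~ s/\A([# ])/\\$1/;
    $safe_manager =~ s/ \z/\\ /;
    my $bindDN = "uid=$safe_manager,$userdn";
    my $ldap = Net::LDAP->new($masterLDAP) or die "can't make new LDAP object: $@";
    my $res1 = $ldap->bind($bindDN, password => $bindpass)->code;
    if (0 < $res1) {
        # Highlight the password label (the original wrapped $logtag2 here).
        $passtag = $color . $passtag . $stopcolor;
        $error = "Wrong Manager Password ";
        printpage();
        return 0;
    }
    # Escape RFC 4515 filter metacharacters in the target uid.
    (my $safe_user = $user) =~ s/([\\*()\0])/sprintf('\\%02x', ord $1)/ge;
    my $mesg = $ldap->search(
        base   => $userdn,
        filter => "(uid=$safe_user)",
    );
    # The original indexed the result with an undefined $index and never
    # checked the count, so a missing entry dereferenced undef.
    unless ($mesg->count) {
        $ldap->unbind;
        $logtag = $color . $logtag . $stopcolor;
        $error = "No such user";
        printpage();
        return 0;
    }
    my $res2 = $mesg->entry(0)->get_value('userPassword');
    $ldap->unbind;
    # get_value returns undef when the attribute is absent or not readable.
    unless (defined $res2 && length $res2) {
        $logtag2 = $color . $logtag2 . $stopcolor;
        $error = "$user cannot change password";
        printpage();
        return 0;
    }
    return 1;
}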
#sub verifypass{
# $uid = shift;
# $pass = shift;
# $ldap = Net::LDAP->new($masterLDAP) or die "can't make new LDAP object: $@";
# $binddn = "uid=$uid,ou=People,$basedn";
# return 1 if( $ldap->bind($binddn, password => $pass) ->code == 0);
# if($ldap->bind()){
# $passtag = $color . $passtag . $color;
# $error = "Incorrect password";
# printpage();
# return 0;
# }else{
# print header, start_html(-title=>"LDAP dead");
# print h2("The LDAP server is temporarily unavailable."),
# p,"Please try again later";
# return 0;
# } die "Something (or someone) is defective, contact your friendly Systems Administrator";
#}
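sub testnewpass{
    # Validate the two copies of the new password.
    # Args:    $p1, $p2 - the two entries of the new password.
    # Returns: 1 if they match and contain no quote characters; 0 after
    #          printing the form with an error message.
    #
    # The quote restriction appears to be a leftover from the shell-based
    # ldappasswd version (see the commented-out $ldappasswd configuration);
    # it is kept unchanged here for compatibility.
    my ($p1, $p2) = @_;
    my $reason;
    if ($p1 ne $p2) {
        # The original echoed both submitted passwords in this message,
        # which put them into the response body (and anything that logs
        # or caches it). Report the mismatch without the values.
        $reason = "Passwords don't match";
    }
    elsif ($p1 =~ /"/) {
        $reason = "Passwords cannot contain double quotes. Sorry";
    }
    elsif ($p1 =~ /'/) {
        $reason = "Passwords cannot contain single quotes. Sorry";
    }
    return 1 unless defined $reason;
    $npasstag1 = $color . $npasstag1 . $stopcolor;
    $npasstag2 = $color . $npasstag2 . $stopcolor;
    $error = $reason;
    printpage();
    return 0;
}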
sub nologin{
    # Target uid missing: highlight its label, print the form, and stop.
    $logtag = join '', $color, $logtag, $color;
    $error  = "You need to enter a Target Login Name";
    printpage();
    exit 1;
}
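sub nologin2{
    # Manager uid missing: highlight its label, print the form, and stop.
    # The original assigned the wrapped manager label to $logtag (the
    # target label), so the target row showed the manager text and the
    # manager row was never highlighted.
    $logtag2 = $color . $logtag2 . $stopcolor;
    $error = "You need to enter a Your Login Name";
    printpage();
    exit(1);
}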
sub nopass{
    # Manager password missing: highlight its label, print the form, and stop.
    my $marked = $color . $passtag . $color;
    $passtag = $marked;
    $error   = "Please enter Your password";
    printpage();
    exit 1;
}
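sub nonewpass{
    # One of the new-password fields is empty: highlight it, print the
    # form with an error, and stop.
    # Arg: $f - 1 for the first new-password field, 2 for the retype field.
    my $f = shift;
    $npasstag1 = $color . $npasstag1 . $stopcolor if $f == 1;
    $npasstag2 = $color . $npasstag2 . $stopcolor if $f == 2;
    # The original only set $error for $f == 2, so an empty first field
    # re-displayed the form with no explanation.
    $error = "You need to enter your new password twice";
    printpage();
    exit(1);
}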
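sub printpage{
    # Print the password-change form. The labels and $error are package
    # globals that the validation subs adjust before calling this.
    print header,
        start_html(-title   => "Password Change For Manager",
                   # Single-quoted, so '@' needs no backslash; the original
                   # '\@' left literal backslashes in the author meta tag.
                   -author  => 'tdavis@birddog.com,akira@kushiro-ct.ac.jp',
                   -BGCOLOR => 'WHITE'),
        h3('Password Change For Manager'),
        "\n",
        startform(-method => 'POST'),
        "", "", "",
        $logtag,
        " | ",
        # -default only applies when the query carries no value for the
        # field; the original referenced the never-assigned $login/$login2.
        textfield(-name => 'login', -default => $username, -size => 15, -maxlength => 20),
        " |\n",
        $npasstag1,
        " | ",
        password_field(-name => 'newpass', -size => 15, -maxlength => 25),
        " |\n",
        $npasstag2,
        " | ",
        password_field(-name => 'newpass2', -size => 15, -maxlength => 25),
        " |\n",
        $logtag2,
        " | ",
        textfield(-name => 'login2', -default => $username2, -size => 15, -maxlength => 20),
        " |\n",
        $passtag,
        " | ",
        password_field(-name => 'oldpass', -size => 15, -maxlength => 25),
        " |\n| ",
        submit(-name => "CHANGE"), reset(-name => "RESET"),
        " |\n",
        "",
        endform(),
        # $error can include the submitted target uid (see verifyuser2), so
        # it is HTML-escaped rather than interpolated into the page as-is.
        escapeHTML($error),
        end_html;
}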
sub printsuccess(){
    # Confirmation page shown after the password was changed.
    my @page = (
        header,
        start_html(-title => "Success", -BGCOLOR => 'WHITE'),
        h2("Password Succesfully Changed"),
        "\n",
        end_html,
    );
    print @page;
}