passwdmodify.go 5.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149
  1. // This file contains the password modify extended operation as specified in rfc 3062
  2. //
  3. // https://tools.ietf.org/html/rfc3062
  4. //
  5. package ldap
  6. import (
  7. "errors"
  8. "fmt"
  9. "gopkg.in/asn1-ber.v1"
  10. )
  11. const (
  12. passwordModifyOID = "1.3.6.1.4.1.4203.1.11.1"
  13. )
  14. // PasswordModifyRequest implements the Password Modify Extended Operation as defined in https://www.ietf.org/rfc/rfc3062.txt
  15. type PasswordModifyRequest struct {
  16. // UserIdentity is an optional string representation of the user associated with the request.
  17. // This string may or may not be an LDAPDN [RFC2253].
  18. // If no UserIdentity field is present, the request acts up upon the password of the user currently associated with the LDAP session
  19. UserIdentity string
  20. // OldPassword, if present, contains the user's current password
  21. OldPassword string
  22. // NewPassword, if present, contains the desired password for this user
  23. NewPassword string
  24. }
  25. // PasswordModifyResult holds the server response to a PasswordModifyRequest
  26. type PasswordModifyResult struct {
  27. // GeneratedPassword holds a password generated by the server, if present
  28. GeneratedPassword string
  29. }
  30. func (r *PasswordModifyRequest) encode() (*ber.Packet, error) {
  31. request := ber.Encode(ber.ClassApplication, ber.TypeConstructed, ApplicationExtendedRequest, nil, "Password Modify Extended Operation")
  32. request.AppendChild(ber.NewString(ber.ClassContext, ber.TypePrimitive, 0, passwordModifyOID, "Extended Request Name: Password Modify OID"))
  33. extendedRequestValue := ber.Encode(ber.ClassContext, ber.TypePrimitive, 1, nil, "Extended Request Value: Password Modify Request")
  34. passwordModifyRequestValue := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "Password Modify Request")
  35. if r.UserIdentity != "" {
  36. passwordModifyRequestValue.AppendChild(ber.NewString(ber.ClassContext, ber.TypePrimitive, 0, r.UserIdentity, "User Identity"))
  37. }
  38. if r.OldPassword != "" {
  39. passwordModifyRequestValue.AppendChild(ber.NewString(ber.ClassContext, ber.TypePrimitive, 1, r.OldPassword, "Old Password"))
  40. }
  41. if r.NewPassword != "" {
  42. passwordModifyRequestValue.AppendChild(ber.NewString(ber.ClassContext, ber.TypePrimitive, 2, r.NewPassword, "New Password"))
  43. }
  44. extendedRequestValue.AppendChild(passwordModifyRequestValue)
  45. request.AppendChild(extendedRequestValue)
  46. return request, nil
  47. }
  48. // NewPasswordModifyRequest creates a new PasswordModifyRequest
  49. //
  50. // According to the RFC 3602:
  51. // userIdentity is a string representing the user associated with the request.
  52. // This string may or may not be an LDAPDN (RFC 2253).
  53. // If userIdentity is empty then the operation will act on the user associated
  54. // with the session.
  55. //
  56. // oldPassword is the current user's password, it can be empty or it can be
  57. // needed depending on the session user access rights (usually an administrator
  58. // can change a user's password without knowing the current one) and the
  59. // password policy (see pwdSafeModify password policy's attribute)
  60. //
  61. // newPassword is the desired user's password. If empty the server can return
  62. // an error or generate a new password that will be available in the
  63. // PasswordModifyResult.GeneratedPassword
  64. //
  65. func NewPasswordModifyRequest(userIdentity string, oldPassword string, newPassword string) *PasswordModifyRequest {
  66. return &PasswordModifyRequest{
  67. UserIdentity: userIdentity,
  68. OldPassword: oldPassword,
  69. NewPassword: newPassword,
  70. }
  71. }
  72. // PasswordModify performs the modification request
  73. func (l *Conn) PasswordModify(passwordModifyRequest *PasswordModifyRequest) (*PasswordModifyResult, error) {
  74. packet := ber.Encode(ber.ClassUniversal, ber.TypeConstructed, ber.TagSequence, nil, "LDAP Request")
  75. packet.AppendChild(ber.NewInteger(ber.ClassUniversal, ber.TypePrimitive, ber.TagInteger, l.nextMessageID(), "MessageID"))
  76. encodedPasswordModifyRequest, err := passwordModifyRequest.encode()
  77. if err != nil {
  78. return nil, err
  79. }
  80. packet.AppendChild(encodedPasswordModifyRequest)
  81. l.Debug.PrintPacket(packet)
  82. msgCtx, err := l.sendMessage(packet)
  83. if err != nil {
  84. return nil, err
  85. }
  86. defer l.finishMessage(msgCtx)
  87. result := &PasswordModifyResult{}
  88. l.Debug.Printf("%d: waiting for response", msgCtx.id)
  89. packetResponse, ok := <-msgCtx.responses
  90. if !ok {
  91. return nil, NewError(ErrorNetwork, errors.New("ldap: response channel closed"))
  92. }
  93. packet, err = packetResponse.ReadPacket()
  94. l.Debug.Printf("%d: got response %p", msgCtx.id, packet)
  95. if err != nil {
  96. return nil, err
  97. }
  98. if packet == nil {
  99. return nil, NewError(ErrorNetwork, errors.New("ldap: could not retrieve message"))
  100. }
  101. if l.Debug {
  102. if err := addLDAPDescriptions(packet); err != nil {
  103. return nil, err
  104. }
  105. ber.PrintPacket(packet)
  106. }
  107. if packet.Children[1].Tag == ApplicationExtendedResponse {
  108. resultCode, resultDescription := getLDAPResultCode(packet)
  109. if resultCode != 0 {
  110. return nil, NewError(resultCode, errors.New(resultDescription))
  111. }
  112. } else {
  113. return nil, NewError(ErrorUnexpectedResponse, fmt.Errorf("Unexpected Response: %d", packet.Children[1].Tag))
  114. }
  115. extendedResponse := packet.Children[1]
  116. for _, child := range extendedResponse.Children {
  117. if child.Tag == 11 {
  118. passwordModifyReponseValue := ber.DecodePacket(child.Data.Bytes())
  119. if len(passwordModifyReponseValue.Children) == 1 {
  120. if passwordModifyReponseValue.Children[0].Tag == 0 {
  121. result.GeneratedPassword = ber.DecodeString(passwordModifyReponseValue.Children[0].Data.Bytes())
  122. }
  123. }
  124. }
  125. }
  126. return result, nil
  127. }