diff --git a/src/methods/account_new.rs b/src/methods/account_new.rs
index 0a424cd..31dca32 100644
--- a/src/methods/account_new.rs
+++ b/src/methods/account_new.rs
@@ -296,6 +296,8 @@ async fn account_verification_new_account(ldap: &mut LdapConn, user_details: &Ac
 // need to get this from wolves
 //("skID", HashSet::from(["12345678"])),
 ("skCreated", HashSet::from([sk_created.as_str()])),
+ // 1 = secure, automatic since its a new account
+ ("skSecure", HashSet::from(["1"])),
 ],
 )?
 .success()?;
diff --git a/src/methods/account_update.rs b/src/methods/account_update.rs
index 1474f64..cb092ca 100644
--- a/src/methods/account_update.rs
+++ b/src/methods/account_update.rs
@@ -32,6 +32,7 @@ pub async fn post_update_ldap(mut req: Request) -> tide::Result {
 // always assume insecure
 let mut pw_keep_same = false;
+ let mut pw_secure = false;
 // get the users current password hash
 let (rs, _res) = ldap.search(&dn, Scope::Base, "(objectClass=*)", vec!["userPassword"])?.success()?;
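Review bot: The search kept as context in this hunk still requests only `vec!["userPassword"]`, so the `skSecure` attribute that the next hunk reads will not be part of the returned entry. That hunk indexes it directly as `tmp.attrs["skSecure"]`; if `attrs` is the usual ldap3 `HashMap`, indexing a missing key panics, so the handler would abort on every update rather than treat the account as not yet secure. Request both attributes, `vec!["userPassword", "skSecure"]`, and read the flag with `tmp.attrs.get("skSecure")` so entries created before the attribute existed fall through to `pw_secure = false`. The body of post_update_ldap starts and ends outside the hunk.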
@@ -39,13 +40,26 @@ pub async fn post_update_ldap(mut req: Request) -> tide::Result {
 let tmp = SearchEntry::construct(rs[0].clone());
 if !tmp.attrs["userPassword"].is_empty() && tmp.attrs["userPassword"][0].starts_with("{SSHA512}") {
 pw_keep_same = true;
+ pw_secure = true;
+ }
+ if !tmp.attrs["skSecure"].is_empty() && tmp.attrs["skSecure"][0] == "1" {
+ pw_secure = true;
 }
 }
 // check if the password field itself is being updated
 let (pass_old, pass_new) = if &field != "userPassword" {
 // if password is not being updated then just update the required field
- let mods = vec![Mod::Replace(field, HashSet::from([value]))];
+ let mut mods = vec![
+ // main value we are updating
+ Mod::Replace(field, HashSet::from([value])),
+ ];
+
+ // if teh password is changing then its inherentrly secure, same if its currently an empty field
+ if !pw_keep_same || !pw_secure {
+ mods.push(Mod::Replace(String::from("skSecure"), HashSet::from([String::from("1")])));
+ }
+
 ldap.modify(&dn, mods)?.success()?;
 // pass back the "old" and "new" passwords
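Review bot: The guard `if !pw_keep_same || !pw_secure` reduces to `!pw_keep_same`, because `pw_secure` is set to true wherever `pw_keep_same` is, so the `skSecure` lookup never changes the outcome. In this branch `field != "userPassword"` and the visible `mods` do not touch the password, yet an account whose stored hash is not `{SSHA512}` gets `skSecure = 1`, while an account with an SSHA512 hash and no flag is never marked. If the flag is meant to attest that the stored hash is strong, track the two facts in separate variables and write it with a guard like `if hash_is_ssha512 && !flag_set`. Any rehash later in post_update_ldap is outside the hunk; if one exists, the flag belongs in the same `modify` as the new hash so it cannot be recorded without it.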