use crate::State; use ldap3::exop::PasswordModify; use ldap3::{LdapConn, Mod, Scope, SearchEntry}; use std::collections::HashSet; use tide::prelude::{json, Deserialize}; use tide::Request; #[derive(Debug, Deserialize)] pub struct LdapUpdate { user: String, pass: String, field: String, value: String, } /// Handles updating a single field with the users own password pub async fn post_update_ldap(mut req: Request) -> tide::Result { let LdapUpdate { user, pass, field, value, } = req.body_json().await?; let config = &req.state().config; // easier to give each request its own connection let mut ldap = LdapConn::new(&config.ldap_host)?; let dn = format!("uid={},ou=users,dc=skynet,dc=ie", user); ldap.simple_bind(&dn, &pass)?.success()?; // always assume insecure let mut pw_keep_same = false; let mut pw_secure = false; // get the users current password hash let (rs, _res) = ldap.search(&dn, Scope::Base, "(objectClass=*)", vec!["userPassword"])?.success()?; if !rs.is_empty() { let tmp = SearchEntry::construct(rs[0].clone()); if !tmp.attrs["userPassword"].is_empty() && tmp.attrs["userPassword"][0].starts_with("{SSHA512}") { pw_keep_same = true; pw_secure = true; } if !tmp.attrs["skSecure"].is_empty() && tmp.attrs["skSecure"][0] == "1" { pw_secure = true; } } // check if the password field itself is being updated let (pass_old, pass_new) = if &field != "userPassword" { // if password is not being updated then just update the required field let mut mods = vec![ // main value we are updating Mod::Replace(field, HashSet::from([value])), ]; // if teh password is changing then its inherentrly secure, same if its currently an empty field if !pw_keep_same || !pw_secure { mods.push(Mod::Replace(String::from("skSecure"), HashSet::from([String::from("1")]))); } ldap.modify(&dn, mods)?.success()?; // pass back the "old" and "new" passwords (pass.clone(), pass.clone()) } else { // password is going to be updated, even if the old value is not starting with "{SSHA512}" pw_keep_same = false; (pass.clone(), value) }; if !pw_keep_same { // really easy to update password once ye know how let tmp = PasswordModify { // none as we are staying on the same connection user_id: None, old_pass: Some(&pass_old), new_pass: Some(&pass_new), }; ldap.extended(tmp)?.success()?; }; ldap.unbind()?; Ok(json!({"result": "success"}).into()) }