nextcloud / ldap_write_support

👥🖎 create, edit and delete LDAP users and groups from Nextcloud
https://apps.nextcloud.com/apps/ldap_write_support
GNU Affero General Public License v3.0

LDAP sambaNTPassword not set by password change #690

Open klodner opened 7 months ago

klodner commented 7 months ago

This plugin does not handle the LDAP Samba extensions when the LDAP server uses them (which is common).

So I had to modify the plugin's code as follows for this to work:

```php
public function setPassword($uid, $password) {
    // Salt for the {CRYPT} SHA-512 hash stored in userPassword. The salt is
    // drawn with random_int() (CSPRNG); rand() is not suitable for this.
    $possible = '0123456789'.
        'abcdefghijklmnopqrstuvwxyz'.
        'ABCDEFGHIJKLMNOPQRSTUVWXYZ'.
        './';
    $salt = '';
    $userdata = [];
    while (strlen($salt) < 16) {
        $salt .= $possible[random_int(0, strlen($possible) - 1)];
    }
    // NT hash for sambaNTPassword: MD4 over the password converted from
    // UTF-8 to UTF-16 (little endian), hex encoded.
    $MD4Hash = hash('md4', iconv('UTF-8', 'UTF-16LE', $password));
    // Upper case is not required, but it is the usual form for NTLM hashes.
    $NTLMHash = strtoupper($MD4Hash);
    // sambaPwdLastSet is the Unix time of this change.
    $now = time();

    try {
        $cr = $this->ldapProvider->getLDAPConnection($uid);
        $userDN = $this->getUserDN($uid);

        // TODO: check if the LDAP entry contains sambaNTPassword
        //$object = ldap_get_attributes($ldap, $entry);
        //  if (isset($object['sambaNTPassword'])){

        $userdata['userPassword'] = '{CRYPT}'.crypt($password, '$6$'.$salt.'$');
        $userdata['sambaNTPassword'] = $NTLMHash;
        $userdata['sambaPwdLastSet'] = "$now";
        return ldap_modify($cr, $userDN, $userdata) !== false;
    } catch (\Exception $e) {
        $this->logger->error($e->getMessage(), ['exception' => $e, 'app' => Application::APP_ID]);
    }
    return false;
}
```

susnux commented 7 months ago

I really would not encourage using NTLM; instead, Kerberos would be a safer authentication method. Nevertheless, this would be a good follow-up to #536.

techadmin-localbit commented 2 months ago

I would like to have this fixed as well. Our Nextcloud users are not able to change their LDAP/Samba password through Nextcloud.